Another 'expanded to zero recipients' problem

A customer who we will call "" complained that he was seeing Kerio Connect log entries that looked like this:

[15/Apr/2015 06:11:06] No local mailbox, expanded from
[15/Apr/2015 06:11:06] Address <> expanded to zero recipients

In this case, James used to be an employee but was no longer. Getting these messages is hardly unusual in such cases; outside mail may trickle in for months or even longer. But this wasn't outside mail; it would happen when internal email was sent to a "managers" group. Yes, of course James had been removed from that group.

Moreover, it was only when the email came from one particular machine that this would happen. That machine was generating these emails itself, generating purchase orders from sales activity. Any other email sent to the group would not cause that log entry.

I suspected the machine, but to be sure I asked for a copy of their users.cfg file and did a "grep james" against it. James was not to be found, so it HAD to be the machine, right?

Nope. I had them turn on SMTP server in Debug and that showed that the email was only sent to the group address. The group didn't include James any more, but that 'expanded to zero recipients' still showed up in the logs. But if I or anyone else sent to that group address, no such entry appeared.

I was baffled and even went so far as to open a ticket with Kerio. A scant few hours after doing that, I realized what this had to be. Have you figured it out yet? If not, there's a big hint at "Kerio Connect Mailbox alias could not be expanded".

I realized this had to be a filter rule. I asked the customer to check each group member's filter.siv file for anything referencing James. This turned up:

if header :contains "Subject" "Purchase Order" {
  redirect "";
}

Why? Why would one of the managers forward to another when the group entry was already doing that? I don't know - maybe he set that up years ago when only two of them needed to see the Purchase Orders. I also wonder why James never complained that he was getting two copies of each email. Maybe he did and no one examined the headers, which would have shown why instantly.

A forgotten filter

Well, mystery solved. I should have had them check that first thing, but I was thrown off by there being no reason to have such a filter. That just proves that "Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth." (Arthur Conan Doyle).
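The filter check described above can be automated. This is an added example, not code from the original post or from Kerio: a Python script that walks a mail store directory, reads every filter.siv, and reports redirect actions whose target is not an active address. The one-directory-per-user layout, the example.com addresses and the function names are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Quoted strings are matched first so a "#" inside one is not taken for a comment.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|#[^\n]*', re.DOTALL)
# A redirect action, with optional tagged arguments such as :copy.
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:\w+)*\s+"([^"]*)"\s*;', re.IGNORECASE)

def _strip_comment(m):
    tok = m.group(0)
    # Blank out comments but keep newlines so line numbers stay correct.
    return tok if tok.startswith('"') else re.sub(r'[^\n]', ' ', tok)

def find_redirects(store_root, filename="filter.siv"):
    """Yield (path, line_number, target) for each redirect under store_root."""
    for dirpath, _dirs, files in os.walk(store_root):
        if filename not in files:
            continue
        path = os.path.join(dirpath, filename)
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = TOKEN_RE.sub(_strip_comment, fh.read())
        for m in REDIRECT_RE.finditer(text):
            yield path, text.count("\n", 0, m.start()) + 1, m.group(1).strip().lower()

def stale_redirects(store_root, active_addresses):
    """Return redirects whose target is not a currently active address."""
    active = {a.lower() for a in active_addresses}
    return sorted(hit for hit in find_redirects(store_root) if hit[2] not in active)

def build_sample_store(root):
    # Constructed sample data: two managers, one with a forgotten rule.
    rules = {
        "alice": 'if header :contains "Subject" "Purchase Order" {\n'
                 '  redirect "james@example.com";\n}\n',
        "bob": 'require ["copy"];  # redirect "old@example.com";\n'
               'if header :contains "Subject" "Invoice" {\n'
               '  redirect :copy "alice@example.com";\n}\n',
    }
    for user, script in rules.items():
        os.makedirs(os.path.join(root, user))
        with open(os.path.join(root, user, "filter.siv"), "w", encoding="utf-8") as fh:
            fh.write(script)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_store(root)
        for path, line, target in stale_redirects(root, ["alice@example.com", "bob@example.com"]):
            print(f"{path}:{line}: redirect to {target}")
```

Running it after every account removal catches rules that keep forwarding mail to someone who has left, which a grep of users.cfg alone will not show.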

