1 (edited by horia 2013-01-31 05:07:30)

Topic: Sending mail from outlook vDomain2 to vDomain1 fails

==== Required information ====
- iRedMail version: 0.8.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Ubuntu 12.4.1
- Related log if you're reporting an issue: postconf -n
====

Hello,

I have set up an iRedMail server on a new vanilla Ubuntu Server.
The hostname (fqdn) is mail.domain1.com

I have set up 2 domains on it: domain1.com and domain2.com

When I use Roundcube everything works great, but if I use Outlook from different locations with different IPs I have the following situation:

Sender                        Receiver                             Result
domain1.com              domain1.com                      ok
domain2.com              domain2.com                      ok
domain1.com              domain2.com                      ok
domain2.com              domain1.com                      NOK
domain2.com              google.com                        ok

I receive an instant message like this:

From: System Administrator
Sent: Wednesday, January 30, 2013 1:21 PM
To: user@domain2.com
Subject: Undeliverable: {Subject}


Your message did not reach some or all of the intended recipients.

      Subject:  FW: {Subject}

      Sent:     1/30/2013 1:21 PM


The following recipient(s) cannot be reached:

      User (user@domain1.com) on 1/30/2013 1:21 PM

            Server error: '554 5.7.1 <user@domain1.com>: Recipient address rejected: Invalid HELO/EHLO; Must be a FQDN or an address literal, not 'ALEXANDRAPC''

      User2 (user2@domain1.com) on 1/30/2013 1:21 PM

            Server error: '554 5.7.1 <user2@domain1.com>: Recipient address rejected: Invalid HELO/EHLO; Must be a FQDN or an address literal, not 'ALEXANDRAPC''

ALEXANDRAPC is the computername of the client.


Does anyone have knowledge how to solve this?

Thank you very much!

BR,
Horia


PS: This is "postconf -n":

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname, domain1.com, domain2.com
mydomain = domain1.com
myhostname = mail.domain1.com
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = mail.domain1.com
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:1001
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 1001
virtual_transport = dovecot
virtual_uid_maps = static:1001


2

Re: Sending mail from outlook vDomain2 to vDomain1 fails

horia wrote:

I receive an instant message like this:

From: System Administrator
Sent: Wednesday, January 30, 2013 1:21 PM
To: user@domain2.com
Subject: Undeliverable: {Subject}

            Server error: '554 5.7.1 <user@domain1.com>: Recipient address rejected: Invalid HELO/EHLO; Must be a FQDN or an address literal, not 'ALEXANDRAPC''

1) iRedMail won't send non-delivery notification with these mail headers.
2) If you configure the Outlook to perform SMTP login before sending email, then client FQDN check will be bypassed.

So this is not rejected by iRedMail at all. Please check whether it was connecting to a different mail server while you were sending mail from domain2.com to domain1.com, maybe caused by DNS cache in the local network. For example, check the DNS response with commands such as "nslookup" or "dig".

domain2.com              domain1.com                      NOK

3

Re: Sending mail from outlook vDomain2 to vDomain1 fails

Sorry for hijacking this thread but I have the same problem, but no third party SMTP server involved.
Has anyone seen this problem before?

Note I understand it's most likely MUA related (MS Outlook).

My user sends in the same day (note timestamps) following emails:

May 28 10:06:51 email2 postfix/smtpd[3937]: connect from <censored>
May 28 10:06:51 email2 postfix/smtpd[3937]: 5904F35E61D5: client=<censored>, sasl_method=LOGIN, sasl_username=<clients_address>
May 28 10:06:52 email2 postfix/cleanup[6289]: 5904F35E61D5: message-id=<004101ce5b7a$4c6b4800$e541d800$@cz>
May 28 10:06:52 email2 postfix/qmgr[5326]: 5904F35E61D5: from=<clients_address>, size=1676, nrcpt=1 (queue active)
etc... correct delivery

So far it's OK / client is using SMTP AUTH and sent an email to third party SMTP server...

But now, he sends email to myself (account on the same server):

May 28 10:16:43 email2 postfix/smtpd[3936]: connect from <censored>
May 28 10:16:43 email2 postfix/smtpd[3936]: NOQUEUE: reject: RCPT from <censored>: 554 5.7.1 <my_address>: Recipient address rejected: Invalid HELO/EHLO; Must be a FQDN or an address literal, not 'xxx'; from=<clients_address> to=<my_address> proto=ESMTP helo=<xxx>
May 28 10:16:45 email2 postfix/smtpd[3936]: disconnect from <censored>

Problem / it seems the email client is not using SMTP AUTH and got rejected due to the wrong hostname of the client's Windows machine (which is very common).

Does anyone have an idea why this is? Is it possible Outlook is not using SMTP AUTH for my domain but does use it for others?
Is it possible the problem is that my email address is in the same domain as the iRedMail hostname used in the Outlook configuration?

I would appreciate any input!

4

Re: Sending mail from outlook vDomain2 to vDomain1 fails

FIRST OF ALL, don't hijack others' threads. Just create a new forum topic, clearly explain your issue and paste the related log to help troubleshoot.

Looks like it doesn't perform SMTP AUTH at all. Is it possible to enable debug in Postfix for (just) this client? You can achieve it with below steps:

*) Set below settings in Postfix main.cf:

debug_peer_level = 2
debug_peer_list = xx.xx.xx.xx         # <- This is IP address of the end user which has issue

*) Reload postfix service, then check its log file.
*) Try to reproduce this issue by sending a testing mail from this end user to you(?), paste full smtp session log in Postfix log related to this testing email here.

5

Re: Sending mail from outlook vDomain2 to vDomain1 fails

OK, I set the debugging for client and will come back with resulting log.

6 (edited by camel1cz 2013-05-29 21:07:08)

Re: Sending mail from outlook vDomain2 to vDomain1 fails

So I turned on debugging and asked the client to send me email and guess what - it worked! The only thing I changed was one switch and I have moved permit_sasl_authenticated toward beginning of recipient checks:

smtpd_tls_always_issue_session_ids = no
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, reject_unauth_destination

But I'm pretty sure I tried it before and it didn't work... Now it works even w/o the debugging options...

@Zhang: do you think, the changes in configuration noted above could be the reason of this problem? Remember it was not working only for the one domain and from only specific MUAs (2 clients overall).

7

Re: Sending mail from outlook vDomain2 to vDomain1 fails

No idea at all, sorry.

*) You can see what "permit_sasl_authenticated" means here: http://www.postfix.org/postconf.5.html# … henticated
So it should apply to ALL clients, not just this domain and specific MUAs. Not sure whether it's a MUA issue or not.

*) Could you please paste output of command "postconf -n" here to help troubleshoot? The original reject message means it's rejected in HELO stage, let's check your Postfix settings to try to figure it out.

8

Re: Sending mail from outlook vDomain2 to vDomain1 fails

Thank you for your effort! See the output of postconf -n below.

Also note, the example.com domain is NOT the problematic one. example.com is alias for the problematic domain.

(of course example.com is replacement for my real domain name)

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = example.com
myhostname = email2.example.com
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = email2.example.com
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:pgsql:/etc/postfix/pgsql/recipient_bcc_maps_user.cf, proxy:pgsql:/etc/postfix/pgsql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:pgsql:/etc/postfix/pgsql/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:pgsql:/etc/postfix/pgsql/sender_bcc_maps_user.cf, proxy:pgsql:/etc/postfix/pgsql/sender_bcc_maps_domain.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:pgsql:/etc/postfix/pgsql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_always_issue_session_ids = no
smtpd_tls_cert_file = /etc/ssl/certs/example.com-combined.crt
smtpd_tls_key_file = /etc/ssl/private/example.com.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:pgsql:/etc/postfix/pgsql/transport_maps_user.cf, proxy:pgsql:/etc/postfix/pgsql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf, proxy:pgsql:/etc/postfix/pgsql/domain_alias_maps.cf, proxy:pgsql:/etc/postfix/pgsql/catchall_maps.cf, proxy:pgsql:/etc/postfix/pgsql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

9

Re: Sending mail from outlook vDomain2 to vDomain1 fails

Check below parameters:

smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated

Postfix performs restriction rules in order, so if your client performs SMTP AUTH to send email, it won't check HELO/EHLO identity at all. Still no idea yet about why it happened. Sorry.
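
An added example (not part of the thread, and not iRedMail or Postfix code) that models the in-order evaluation described in this reply, using the smtpd_helo_restrictions and smtpd_recipient_restrictions values posted in this thread. Only four restrictions are modelled; policy services and every other entry are assumed to return DUNNO, and the client dictionary and function names are hypothetical.

```python
# Simplified model of Postfix restriction-list evaluation (added example).
# Only the four restrictions in HANDLERS are modelled. ASSUMPTION: every other
# entry (policy services, access maps, sender/recipient checks) returns DUNNO.

def is_fqdn_or_literal(helo):
    # Simplified test: "[...]" is an address literal, an FQDN contains a dot.
    return (helo.startswith("[") and helo.endswith("]")) or "." in helo.strip(".")

HANDLERS = {
    "permit_mynetworks": lambda c: "PERMIT" if c["in_mynetworks"] else "DUNNO",
    "permit_sasl_authenticated": lambda c: "PERMIT" if c["authenticated"] else "DUNNO",
    "reject_non_fqdn_helo_hostname":
        lambda c: "DUNNO" if is_fqdn_or_literal(c["helo"]) else "REJECT",
    "reject_unauth_destination": lambda c: "DUNNO" if c["rcpt_is_local"] else "REJECT",
}

def parse(value):
    """Split a postconf value into restriction names, dropping their arguments."""
    return [item.split()[0] for item in value.split(",") if item.strip()]

def evaluate(lists, client):
    """PERMIT ends the current list only; REJECT ends the whole evaluation."""
    for list_name, value in lists:
        for name in parse(value):
            result = HANDLERS.get(name, lambda c: "DUNNO")(client)
            if result == "REJECT":
                return ("REJECT", list_name, name)
            if result == "PERMIT":
                break
    return ("PERMIT", None, None)

# Values copied from the "postconf -n" output in posts 1 and 8 of this thread.
POST1 = [
    ("smtpd_helo_restrictions", "permit_mynetworks,permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre"),
    ("smtpd_recipient_restrictions", "reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname"),
]
POST8 = [
    ("smtpd_helo_restrictions", "permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre"),
    ("smtpd_recipient_restrictions", "reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, reject_unauth_destination"),
]

# Hypothetical client: Outlook on a PC outside mynetworks, mailing a local recipient.
def outlook(authenticated):
    return {"in_mynetworks": False, "authenticated": authenticated,
            "helo": "ALEXANDRAPC", "rcpt_is_local": True}

if __name__ == "__main__":
    for label, lists in (("post 1", POST1), ("post 8", POST8)):
        for auth in (False, True):
            state = "authenticated" if auth else "unauthenticated"
            print(label, state, evaluate(lists, outlook(auth)))
```

Under this model both configurations permit an authenticated session, so a HELO-based rejection implies the session had not authenticated when RCPT was processed.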

10

Re: Sending mail from outlook vDomain2 to vDomain1 fails

If I understand the postfix config correctly, the first line from your reply:

smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre

says: if client is coming from a trusted IP or is logged in, don't check HELO/EHLO... so it doesn't make any sense.

I found from logs only three clients (two from the same company, third from other, all from different ISPs, cities, ...) had this issue and only sending mail to my domain. But ALL are using MS Outlook 2007. I tried to use one of these accounts to send email to my address using simple testing script (with SMTP AUTH) and it worked correctly...

I would blame MS Outlook 2007 - it simply didn't issue "AUTH LOGIN" for some reason, but for other emails few seconds before and also after the problematic mail it DID issue the "AUTH LOGIN"...

Could it be an SSL/TLS related problem? Is there a way to find out from mail.log if the user is using SSL/TLS? (I have no chance to find out the settings, they are just nontechnical users). Could there be some correlation between the target domain and the SSL certificate?

11

Re: Sending mail from outlook vDomain2 to vDomain1 fails

*) Did you find related log of these 3 clients in Postfix log files? paste here.
*) Again, if you want to know what happened during smtp session, check my previous reply: http://www.iredmail.org/forum/post22325.html#p22325

12

Re: Sending mail from outlook vDomain2 to vDomain1 fails

ZhangHuangbin wrote:

*) Did you find related log of these 3 clients in Postfix log files? paste here.

Yes, but w/o debugging enabled or not in the erroneous condition. W/o debugging the log is quoted in one of my previous posts, the debugging version:

May 29 08:53:58 email2 postfix/smtpd[31259]: < CLIENTHOST: EHLO ooaseva
May 29 08:53:58 email2 postfix/smtpd[31259]: match_list_match: CLIENTHOST: no match
May 29 08:53:58 email2 postfix/smtpd[31259]: > CLIENTHOST: 250-email2.example.com
May 29 08:53:58 email2 postfix/smtpd[31259]: > CLIENTHOST: 250-PIPELINING
May 29 08:53:58 email2 postfix/smtpd[31259]: > CLIENTHOST: 250-SIZE 15728640
May 29 08:53:58 email2 postfix/smtpd[31259]: > CLIENTHOST: 250-ETRN
May 29 08:53:58 email2 postfix/smtpd[31259]: > CLIENTHOST: 250-STARTTLS
May 29 08:53:58 email2 postfix/smtpd[31259]: > CLIENTHOST: 250-AUTH PLAIN LOGIN
May 29 08:53:58 email2 postfix/smtpd[31259]: > CLIENTHOST: 250-AUTH=PLAIN LOGIN
May 29 08:53:58 email2 postfix/smtpd[31259]: > CLIENTHOST: 250-ENHANCEDSTATUSCODES
May 29 08:53:58 email2 postfix/smtpd[31259]: > CLIENTHOST: 250-8BITMIME
May 29 08:53:58 email2 postfix/smtpd[31259]: > CLIENTHOST: 250 DSN
May 29 08:53:58 email2 postfix/smtpd[31259]: < CLIENTHOST: AUTH LOGIN

So there is no STARTTLS involved, correct? What about SSL? I'm really at the end of my ideas...

ZhangHuangbin wrote:

*) Again, if you want to know what happened during smtp session, check my previous reply: http://www.iredmail.org/forum/post22325.html#p22325

Yes, the debugging is very useful, thank you! I just didn't catch the problem while debugging enabled. The problem simply vanished w/o clear reason.
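
An added example (not part of the thread) for reading the debug_peer_list output discussed in posts 4 and 12: it rebuilds each SMTP dialogue from the "<" and ">" lines and records whether STARTTLS and a successful AUTH came before each RCPT. The log lines are constructed in the format quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the debug excerpt in this thread ("<" = sent by
# the client, ">" = by the server). CLIENTHOST, addresses and PIDs are placeholders.
P = "May 29 08:53:58 email2 postfix/smtpd"
SAMPLE = "\n".join(P + rest for rest in [
    "[31259]: connect from CLIENTHOST",
    "[31259]: < CLIENTHOST: EHLO ooaseva",
    "[31259]: match_list_match: CLIENTHOST: no match",
    "[31259]: > CLIENTHOST: 250-STARTTLS",
    "[31259]: > CLIENTHOST: 250 DSN",
    "[31259]: < CLIENTHOST: AUTH PLAIN <elided>",
    "[31259]: > CLIENTHOST: 235 2.7.0 Authentication successful",
    "[31259]: < CLIENTHOST: MAIL FROM:<user@example.org>",
    "[31259]: > CLIENTHOST: 250 2.1.0 Ok",
    "[31259]: < CLIENTHOST: RCPT TO:<admin@example.com>",
    "[31259]: > CLIENTHOST: 250 2.1.5 Ok",
    "[31300]: connect from CLIENTHOST",
    "[31300]: < CLIENTHOST: EHLO xxx",
    "[31300]: > CLIENTHOST: 250 DSN",
    "[31300]: < CLIENTHOST: MAIL FROM:<user@example.org>",
    "[31300]: > CLIENTHOST: 250 2.1.0 Ok",
    "[31300]: < CLIENTHOST: RCPT TO:<admin@example.com>",
    "[31300]: > CLIENTHOST: 554 5.7.1 <admin@example.com>: Recipient address rejected",
])

CONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: connect from ")
CHAT = re.compile(r"postfix/smtpd\[(\d+)\]: ([<>]) [^:]+: (.*)$")
VERBS = ("EHLO", "HELO", "STARTTLS", "AUTH", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT")

def parse_sessions(log_text):
    """Rebuild each SMTP dialogue; note the AUTH/STARTTLS state at every RCPT reply."""
    sessions, current = [], {}
    for line in log_text.splitlines():
        conn, chat = CONNECT.search(line), CHAT.search(line)
        if not (conn or chat):
            continue  # other debug output, e.g. match_list_match
        pid = (conn or chat).group(1)
        if conn or pid not in current:  # new connection, or excerpt begins mid-session
            current[pid] = {"pid": pid, "helo": None, "tls": False,
                            "auth_ok": False, "rcpts": [], "last": None}
            sessions.append(current[pid])
        if conn:
            continue
        s, direction, text = current[pid], chat.group(2), chat.group(3)
        words = text.split()
        if direction == "<":
            if words and words[0].upper() in VERBS:
                s["last"] = words[0].upper()
                if s["last"] in ("EHLO", "HELO") and len(words) > 1:
                    s["helo"] = words[1]
        elif text[:3] == "235":  # server confirmed authentication
            s["auth_ok"] = True
        elif text[:3] == "220" and s["last"] == "STARTTLS":
            s["tls"] = True
        elif s["last"] == "RCPT" and text[3:4] == " ":  # final reply line to RCPT
            s["rcpts"].append((text[:3], s["auth_ok"], s["tls"]))
            s["last"] = None
    return sessions

def rejected_unauthenticated(sessions):
    """PIDs of sessions where a RCPT got a 5xx reply without a prior successful AUTH."""
    return [s["pid"] for s in sessions if any(c[0] == "5" and not a for c, a, _ in s["rcpts"])]
```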

13

Re: Sending mail from outlook vDomain2 to vDomain1 fails

Sorry, no idea yet.
SMTP AUTH without STARTTLS should be fine too, but it's insecure.

14 (edited by camel1cz 2013-05-30 19:28:26)

Re: Sending mail from outlook vDomain2 to vDomain1 fails

OK, hope it keeps working as it is right now... if not, I know how to debug the connection and try to find out some more info. Thank you very much for your effort!

ZhangHuangbin wrote:

SMTP AUTH without STARTTLS should be fine too, but it's insecure.

I'm aware of that - I just cannot disable plain text SMTP AUTH - to support reconfiguration of all clients would be a nightmare, you know :-)

Btw. I want to say here, how good I think about iRedMail and your support. It's really amazing how simple is the installation/configuration and how good is the support! One big THANK YOU to all iRedMail staff!

15

Re: Sending mail from outlook vDomain2 to vDomain1 fails

camel1cz wrote:

Btw. I want to say here, how good I think about iRedMail and your support. it's really amazing how simple is the installation/configuration and how good is the support! One big THANK YOU to all iRedMail staff!

Enjoy. :)

P.S. It would be great if you can share your iRedMail story in this forum (and/or your blog), it helps spread iRedMail. :)
A template: http://www.iredmail.org/forum/topic25-i … story.html