1 Topic by das654rbc

  • das654rbc
  • Member
  • Offline
  • Registered: 2024-11-30
  • Posts: 9

Topic: Recipient address rejected: undeliverable address: Address lookup fail

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.7.1
- Deployed with iRedMail Easy or the downloadable installer? installer
- Linux/BSD distribution name and version: Ubuntu 24.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Ngnix
- Manage mail accounts with iRedAdmin-Pro? Y
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I have installed iRedMail at VPS hosting, to serve smtps/imaps/webmail clients. iRedMail must replace current mail hosting (running Haraka 3.0.3) because of its poor antivirus protection.
iRedMail server (as well as current mail hosting server) is located behind Kaspersky Secure Mail Gateway 2.0.1.6960 (KSMG), to use its antivirus/antifishing benefits.
Incoming mail arrives to KSMG [*.*.94.122] by MX record, and then some rule relays e-mail, addressed to one user (for testing purposes), to iRedMail [*.*.190.132].
But iRedMail fails to receive this mail:
Here is iRedMail log (mail from d*****@mail.ru, addressed to ds****@sf*******.com, being forwarded to iRedMail:

2024-11-30T18:25:41.815402+02:00 ubnt postfix/postscreen[7963]: CONNECT from [*.*.94.122]:38240 to [*.*.190.132]:25
2024-11-30T18:25:47.957990+02:00 ubnt postfix/postscreen[7963]: PASS OLD [*.*.94.122]:38240
2024-11-30T18:25:48.051005+02:00 ubnt postfix/smtpd[7966]: connect from ksmg.s********l.ee[*.*.94.122]
2024-11-30T18:25:48.069453+02:00 ubnt postfix/smtpd[7966]: discarding EHLO keywords: CHUNKING
2024-11-30T18:25:48.113299+02:00 ubnt postfix/smtpd[7966]: Anonymous TLS connection established from ksmg.s********l.ee[*.*.94.122]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
2024-11-30T18:25:48.127127+02:00 ubnt postfix/smtpd[7966]: discarding EHLO keywords: CHUNKING
2024-11-30T18:25:48.239300+02:00 ubnt postfix/smtpd[7966]: NOQUEUE: reject: RCPT from ksmg.s********l.ee[*.*.94.122]: 550 5.1.0 <double-bounce@s********l.ee>: Sender address rejected: User unknown; from=<double-bounce@********.ee> to=<ds****@sf*******.com> proto=ESMTP helo=<ksmg.s*********l.ee>
2024-11-30T18:25:48.239359+02:00 ubnt postfix/smtpd[7966]: disconnect from ksmg.s********l.ee[*.*.94.122] ehlo=2 starttls=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=6/7

iRedmail serves 2 domains: s********l.ee and sf*******.com, and I have added KSMG ip [*.*.94.122] to whitelist of both domains.
How shoud I make iRedMail not to reject internal mail? Maybe, adjust some config file instead of iRedAdmin?
Thanks in advance, Dmitry.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by das654rbc (edited by das654rbc 2024-12-01 04:47:41)

  • das654rbc
  • Member
  • Offline
  • Registered: 2024-11-30
  • Posts: 9

Re: Recipient address rejected: undeliverable address: Address lookup fail

I suppose that this may be related to some postfix settings, like mydestination in /etc/postfix/main.cf

3 Reply by Cthulhu

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 914

Re: Recipient address rejected: undeliverable address: Address lookup fail

sender is double-bounce, and if you don't have such a mail account, mail gets rejected

also, even if mail would receive at your server, amavis would throw it trogh vius and spam scanner again, so i don't see that much value in your setup

4 Reply by das654rbc (edited by das654rbc 2024-12-01 16:54:30)

  • das654rbc
  • Member
  • Offline
  • Registered: 2024-11-30
  • Posts: 9

Re: Recipient address rejected: undeliverable address: Address lookup fail

Cthulhu wrote:

sender is double-bounce, and if you don't have such a mail account, mail gets rejected

also, even if mail would receive at your server, amavis would throw it trogh vius and spam scanner again, so i don't see that much value in your setup

Thank you, Cthulhu
I dont have idea, what for fake "double-bounce" mail account is used while real mail transfer. But I made double-bounce@********.ee account it iRedMail server, no changes.

Kaspersky has much more antivirus/antifishing base then Clam, and nice reporting instruments. And it is already paid, as well as hosting for KSMG.
But mail is nor received by my iRedMail server yet ((

5 Reply by das654rbc (edited by das654rbc 2024-12-01 19:38:35)

  • das654rbc
  • Member
  • Offline
  • Registered: 2024-11-30
  • Posts: 9

Re: Recipient address rejected: undeliverable address: Address lookup fail

Well, I have made double-bounce@********.ee account it iRedMail server once more - and WOW!! now mail is received by iRedMail:

2024-12-01T11:29:24.341833+02:00 ubnt postfix/postscreen[88343]: CONNECT from [*.*.94.122]:40756 to [*.*.190.132]:25
2024-12-01T11:29:24.345751+02:00 ubnt postfix/dnsblog[88344]: addr *.*.94.122 listed by domain zen.spamhaus.org as 127.255.255.254
2024-12-01T11:29:24.650665+02:00 ubnt postfix/postscreen[88343]: PASS OLD [*.*.94.122]:40756
2024-12-01T11:29:24.677501+02:00 ubnt postfix/smtpd[88346]: connect from ksmg.s********l.ee[*.*.94.122]
2024-12-01T11:29:24.694320+02:00 ubnt postfix/smtpd[88346]: discarding EHLO keywords: CHUNKING
2024-12-01T11:29:24.738512+02:00 ubnt postfix/smtpd[88346]: Anonymous TLS connection established from ksmg.s********l.ee[*.*.94.122]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
2024-12-01T11:29:24.752407+02:00 ubnt postfix/smtpd[88346]: discarding EHLO keywords: CHUNKING
2024-12-01T11:29:24.919389+02:00 ubnt postfix/smtpd[88346]: 4Y1M7S6WxGz47rL: client=ksmg.s********l.ee[*.*.94.122]
2024-12-01T11:29:24.960164+02:00 ubnt postfix/cleanup[88363]: 4Y1M7S6WxGz47rL: message-id=<13554699-e332-43fe-a79a-717c5d4f52db@gmail.com>
2024-12-01T11:29:24.961512+02:00 ubnt postfix/qmgr[1613]: 4Y1M7S6WxGz47rL: from=<d*******c@gmail.com>, size=4935, nrcpt=1 (queue active)
2024-12-01T11:29:24.961565+02:00 ubnt postfix/smtpd[88346]: disconnect from ksmg.s********l.ee[*.*.94.122] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
2024-12-01T11:29:25.503582+02:00 ubnt postfix/10025/smtpd[88371]: connect from localhost[127.0.0.1]
2024-12-01T11:29:25.503891+02:00 ubnt postfix/10025/smtpd[88371]: discarding EHLO keywords: CHUNKING
2024-12-01T11:29:25.510091+02:00 ubnt postfix/10025/smtpd[88371]: 4Y1M7T3cc3z47rm: client=localhost[127.0.0.1]
2024-12-01T11:29:25.510945+02:00 ubnt postfix/cleanup[88363]: 4Y1M7T3cc3z47rm: message-id=<13554699-e332-43fe-a79a-717c5d4f52db@gmail.com>
2024-12-01T11:29:25.512022+02:00 ubnt postfix/10025/smtpd[88371]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2024-12-01T11:29:25.512078+02:00 ubnt postfix/qmgr[1613]: 4Y1M7T3cc3z47rm: from=<d*******c@gmail.com>, size=5500, nrcpt=1 (queue active)
2024-12-01T11:29:25.517704+02:00 ubnt amavis[1923]: (01923-03) Passed CLEAN {RelayedInbound}, [*.*.94.122]:40756 [188.143.140.228] ESMTP/ESMTP <d*******c@gmail.com> -> <d****v@s*****t.com>, (ESMTPS://[*.*.94.122]:40756 < ESMTPS://209.85.167.46 < ESMTPSA://188.143.140.228), Queue-ID: 4Y1M7S6WxGz47rL, Message-ID: <13554699-e332-43fe-a79a-717c5d4f52db@gmail.com>, mail_id: a6nNE-eNUily, b: rYh6xNAHG, Hits: -2.942, size: 4933, queued_as: 4Y1M7T3cc3z47rm, Subject: "test20", From: <d*******c@gmail.com> (dkim:AUTHOR), User-Agent: Mozilla_Thunderbird, helo=ksmg.s********l.ee, Tests: [DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,DKIM_VALID_EF=-0.1,DMARC_PASS=-0.001,FREEMAIL_FROM=0.001,RCVD_IN_VALIDITY_CERTIFIED=-3,RCVD_IN_VALIDITY_RPBL=1.284,RCVD_IN_VALIDITY_SAFE=-2,SPF_HELO_NONE=0.001,SPF_SOFTFAIL=0.972,TVD_SPACE_RATIO=0.001], autolearn=ham autolearn_force=no, autolearnscore=-2.942, dkim_i=@gmail.com, dkim_sd=20230601:gmail.com, 535 ms
2024-12-01T11:29:25.522929+02:00 ubnt postfix/amavis/smtp[88368]: 4Y1M7S6WxGz47rL: to=<d****v@s*****t.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.68, delays=0.12/0.02/0.01/0.54, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4Y1M7T3cc3z47rm)
2024-12-01T11:29:25.522993+02:00 ubnt postfix/qmgr[1613]: 4Y1M7S6WxGz47rL: removed
2024-12-01T11:29:25.585285+02:00 ubnt postfix/pipe[88372]: 4Y1M7T3cc3z47rm: to=<d****v@s*****t.com>, relay=dovecot, delay=0.08, delays=0/0.01/0/0.06, dsn=2.0.0, status=sent (delivered via dovecot service)
2024-12-01T11:29:25.585425+02:00 ubnt postfix/qmgr[1613]: 4Y1M7T3cc3z47rm: removed

What secret mechanism I have touched?? Maybe anyone knows, what "double-bounce" fake account is for?

6 Reply by das654rbc (edited by das654rbc 2024-12-01 23:25:27)

  • das654rbc
  • Member
  • Offline
  • Registered: 2024-11-30
  • Posts: 9

Re: Recipient address rejected: undeliverable address: Address lookup fail

double-bounce messages are used by postfix for address verification.
Found theese Postfix settings:
www_postfix_org/ADDRESS_VERIFICATION_README.html

Maybe I should switch off verifying a remote address at KSMG, but is this possible, and would it be safe?

Upd: I can set an alias for double-bounce mail account at both domains, this should do the trick.

7 Reply by das654rbc (edited by das654rbc 2024-12-01 23:49:06)

  • das654rbc
  • Member
  • Offline
  • Registered: 2024-11-30
  • Posts: 9

Re: Recipient address rejected: undeliverable address: Address lookup fail

My plan is: both MTA (KSMG and iRedMail) are located on different hostings on the Internet. Both domains served are considered by KSMG as local (in the "domains" setting), and mail, received by KSMG according to mx, is routed to iRedMail. Clients receive/send mail via imaps/smtps/https, communicating with iRedMail, which distributes local mail internally, and relays external mail to KSMG. iRedMail's IP is added to the "trusted networks" on KSMG. ONLY KSMG will be engaged in the  spf/dkim/dmarc mail protection mechanism. On the iRedMail side, I would like to disable dkim, so that there would be no confusion with double signatures for external recipients.
How can I disable dkim at iRedMail side - some Postfix settings?

Upd:
sudo nano /etc/amavis/conf.d/50-user
search for few

enable_dkim_signing => 1

and set this to 0, then restart amavis service.