Solved Mail does not go to an external address


deminart

I apologize in advance for my language, it is not my native one) Colleagues, please help with a problem. There is domain mail on Yandex, conventionally denoted by the name yagroup.com. The internal domain has the same name, yagroup.com. I raised a mail server (Debian 11, postfix 3.5.18) at the second level of the domain, with the name gkgroup.com. The situation is as follows: when sending to the external Yandex mail, which has the same domain name as the internal domain (yagroup.com), the server knocks on cd, and as a result I get Connection refused, status=deferred and a letter hanging in the queue. In all other cases, everything works fine ...

May 23 13:17:22 mail postfix/submission/smtpd[3036]: connect from localhost[127.0.0.1]
May 23 13:17:22 mail postfix/submission/smtpd[3036]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signa>
May 23 13:17:22 mail postfix/submission/smtpd[3036]: 4QQTH65NNZz3cq6H: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=[email protected]
May 23 13:17:22 mail postfix/cleanup[3052]: 4QQTH65NNZz3cq6H: message-id=<[email protected]>
May 23 13:17:22 mail postfix/qmgr[2057]: 4QQTH65NNZz3cq6H: from=<[email protected]>, size=659, nrcpt=1 (queue active)
May 23 13:17:22 mail roundcube: <tl39kq6a> User [email protected] [192.168.0.50]; Message <[email protected]> for [email protected]; 250: 2.0.0 Ok: queued as 4QQTH65NNZz3cq6H
May 23 13:17:22 mail postfix/submission/smtpd[3036]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
May 23 13:17:23 mail postfix/10025/smtpd[3063]: connect from localhost[127.0.0.1]
May 23 13:17:23 mail postfix/10025/smtpd[3063]: 4QQTH72QbLz3cqfS: client=localhost[127.0.0.1]
May 23 13:17:23 mail postfix/cleanup[3052]: 4QQTH72QbLz3cqfS: message-id=<[email protected]>
May 23 13:17:23 mail postfix/10025/smtpd[3063]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 23 13:17:23 mail postfix/qmgr[2057]: 4QQTH72QbLz3cqfS: from=<[email protected]>, size=1954, nrcpt=1 (queue active)
May 23 13:17:23 mail amavis[2179]: (02179-01) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:49942 ESMTP/ESMTP <[email protected]> -> <[email protected]>, (), Queue-ID: 4QQTH65NNZz3cq6H,>
May 23 13:17:23 mail postfix/amavis/smtp[3057]: 4QQTH65NNZz3cq6H: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.76, delays=0.2/0.03/0.02/0.51, dsn=2.0.0, status=sent (250 2.0.0 from MTA>
May 23 13:17:23 mail postfix/smtp[3064]: connect to yagroup.ru[192.168.0.2]:25: Connection refused
May 23 13:17:23 mail postfix/smtp[3064]: connect to yagroup.ru[192.168.0.3]:25: Connection refused
May 23 13:17:23 mail postfix/smtp[3064]: connect to yagroup.ru[192.168.0.4]:25: Connection refused
May 23 13:17:23 mail postfix/qmgr[2057]: 4QQTH65NNZz3cq6H: removed
May 23 13:17:23 mail postfix/smtp[3064]: 4QQTH72QbLz3cqfS: to=<[email protected]>, relay=none, delay=0.05, delays=0.01/0.03/0/0, dsn=4.4.1, status=deferred (connect to yagroup.ru[192.168.0.4]:25: Connect>
May 23 13:18:33 mail postfix/postsuper[3147]: Deleted: 1 message



; <<>> DiG 9.16.37-Debian <<>> gkgroup.ru MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18341
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;gkgroup.ru. IN MX

;; AUTHORITY SECTION:
gkgroup.ru. 3600 IN SOA dc2.yagroup.ru.ru. hostmaster.yagroup.ru 25 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Tue May 23 13:48:24 +04 2023
;; MSG SIZE rcvd: 97

; <<>> DiG 9.16.37-Debian <<>> mail.gkgroup.ru MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56903
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;mail.gkgroup.ru. IN MX

;; ANSWER SECTION:
mail.gkgroup.ru. 3600 IN MX 10 mail.gkgroup.ru.

;; ADDITIONAL SECTION:
mail.gkgroup.ru. 3600 IN A 192.168.0.200
mail.gkgroup.ru. 3600 IN A 11.0.111.11

;; Query time: 0 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Tue May 23 13:50:49 +04 2023
;; MSG SIZE rcvd: 90
 


May 23 13:17:23 mail postfix/smtp[3064]: 4QQTH72QbLz3cqfS: to=<[email protected]>, relay=none, delay=0.05, delays=0.01/0.03/0/0, dsn=4.4.1, status=deferred (connect to yagroup.ru[192.168.0.4]:25: Connect>
Since you only posted DNS output for gkgroup.ru and mail.gkgroup.ru, I am assuming that the internal domain yagroup.ru isn't used for mail. Normally, when there are no MX records available, the MTA will try to deliver to an A record, and since that is timing out I am assuming there is no mail service running there.
What you could do is set up a transport on the mailserver that you posted the logs from, so that all the mail that arrives there should be delivered to the real yagroup.ru mailserver.
Code:
;; ANSWER SECTION:
yagroup.ru.        300    IN    MX    10 mx.yandex.net.

;; ANSWER SECTION:
mx.yandex.net.        541    IN    A    77.88.21.249
Aside from that, it's not really smart to be using an internal domain that is already being used by something else on the internet; to avoid problems like this, the better option would have been to use sub-domains of already existing domains or names with a whole different name. But I guess management didn't listen or something like that.
 
Since you only posted DNS output for gkgroup.ru and mail.gkgroup.ru, I am assuming that the internal domain yagroup.ru isn't used for mail. Normally, when there are no MX records available, the MTA will try to deliver to an A record, and since that is timing out I am assuming there is no mail service running there.
What you could do is set up a transport on the mailserver that you posted the logs from, so that all the mail that arrives there should be delivered to the real yagroup.ru mailserver.
Yes, in fact, you understood everything correctly: the internal domain yagroup.ru is not used to send mail, only by an external service; our mail server has a different subdomain. So, as I understand it, this has to be adjusted by means of postfix? I still assume that the problem is somewhere in the DNS ... But I don't have enough experience to determine exactly where the problem is ...
 
Aside from that, it's not really smart to be using an internal domain that is already being used by something else on the internet; to avoid problems like this, the better option would have been to use sub-domains of already existing domains or names with a whole different name. But I guess management didn't listen or something like that.
It is not used by anyone but us. The domains and IPs that I wrote here are not real, but the problem and errors are real)
 
So, as I understand it, this has to be adjusted by means of postfix? I still assume that the problem is somewhere in the DNS ... But I don't have enough experience to determine exactly where the problem is ...
MTAs will first look up MX records for delivering mail, and if they can't find those they will then look up A records for the domain. If an MTA can't find the MX records but can find an A record, it will then try to deliver the mail to the A record, which is what you are seeing in the case you are describing.
May 23 13:17:23 mail postfix/smtp[3064]: 4QQTH72QbLz3cqfS: to=<[email protected]>, relay=none, delay=0.05, delays=0.01/0.03/0/0, dsn=4.4.1, status=deferred (connect to yagroup.ru[192.168.0.4]:25: Connect>
The mail can't be delivered because there is no mail service running on that server. It would be interesting to see the dig output of the following from the mailserver where the mail.log output is from.
Code:
dig -t MX yagroup.ru
dig -t A yagroup.ru
dig -t CNAME yagroup.ru
 
Once again, just in case, I'll clarify. yagroup.ru is the name of the local domain and of the external mail, which is not located with us at all, i.e. it is on the purchased service. group.ru is already our internal subdomain; the mail.group.ru mail server is located there. Now I have standard records (SOA, NS name servers) in my secondary domain zone, and those that I created by hand, A records and MX, that's all... What other entries does it need? Similar entries are also registered in the hosting panel, plus DKIM, SPF, etc. Another point: in the local DNS, do you need two A records with the name of the mailer, with the external and internal IP, or only with the external one?

; <<>> DiG 9.16.37-Debian <<>> -t MX yagroup.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22977
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;yagroup.ru. IN MX

;; AUTHORITY SECTION:
yagroup.ru. 3600 IN SOA dc2.yagroup.ru. abuse.yagroup.ru. 353400 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Wed May 24 09:50:57 +04 2023
;; MSG SIZE rcvd: 86

; <<>> DiG 9.16.37-Debian <<>> -t A yagroup.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16111
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;yagroup.ru. IN A

;; ANSWER SECTION:
yagroup.ru. 600 IN A 192.168.0.3
yagroup.ru. 600 IN A 192.168.0.23
yagroup.ru. 600 IN A 192.168.0.6

;; Query time: 0 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Wed May 24 09:52:55 +04 2023
;; MSG SIZE rcvd: 88

; <<>> DiG 9.16.37-Debian <<>> -t CNAME yagroup.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30294
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;yagroup.ru. IN CNAME

;; AUTHORITY SECTION:
yagroup.ru. 3600 IN SOA dc2.yagroup.ru. abuse.yagroup.ru. 353400 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Wed May 24 09:53:11 +04 2023
;; MSG SIZE rcvd: 86
 
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;yagroup.ru. IN A

;; ANSWER SECTION:
yagroup.ru. 600 IN A 192.168.0.3
yagroup.ru. 600 IN A 192.168.0.23
yagroup.ru. 600 IN A 192.168.0.6
Like I said in my other reply, since the MTA can't find MX records for yagroup.ru it will then look up A records; it will then try to deliver the mail to one of the A records above.
Once again, just in case, I'll clarify. yagroup.ru is the name of the local domain and of the external mail, which is not located with us at all, i.e. it is on the purchased service.
I understood that part.
group.ru is already our internal subdomain; the mail.group.ru mail server is located there. Now I have standard records (SOA, NS name servers) in my secondary domain zone, and those that I created by hand, A records and MX, that's all...
So all the internal mail from gkgroup.ru is being delivered to mail.gkgroup.ru, which then delivers it to the next location, either internal or external? Am I understanding you correctly so far?
 
So all the internal mail from gkgroup.ru is being delivered to mail.gkgroup.ru, which then delivers it to the next location, either internal or external? Am I understanding you correctly so far?
I didn't quite understand the question) Language barrier) There is a gkgroup subdomain, and there is a mail server mail.gkgroup.ru. All mail from it should go to the outside and inside the network. It goes to the outside normally, and inside the network it also goes normally; it goes anywhere, to Google mail, to any other address except for the yagroup address ... But I can't create an entry with the name gkgroup in the main domain yagroup. I just don't understand why everything works fine with a normal send with other names, but here it's not clear which way it goes ... How do I make it go the right way? Specify that yagroup is an external mail and not an internal domain network name?...
 
I didn't quite understand the question) Language barrier) There is a gkgroup subdomain, and there is a mail server mail.gkgroup.ru. All mail from it should go to the outside and inside the network.
That answers my question, all internal and external mail goes through this mail server.
It goes to the outside normally, and inside the network it also goes normally; it goes anywhere, to Google mail, to any other address except for the yagroup address.
The only mail you are having trouble sending from the mailserver mail.gkgroup.ru is mail to yagroup.ru, because this domain is both an external domain and an internal domain.
But I can't create an entry with the name gkgroup in the main domain yagroup.
You are talking about the external domain yagroup.ru here; it's because it's not your domain that you can't change anything in that domain.
I just don't understand why everything works fine with a normal send with other names, but here it's not clear which way it goes ... How do I make it go the right way? Specify that yagroup is an external mail and not an internal domain network name?...
From the dig output you shared which is from mail.gkgroup.ru.
;; ANSWER SECTION:
yagroup.ru. 600 IN A 192.168.0.3
yagroup.ru. 600 IN A 192.168.0.23
yagroup.ru. 600 IN A 192.168.0.6
It shows that your mailserver is using an internal DNS server, because you are getting back private IP addresses when yagroup.ru is resolved from the mailserver. The mailserver will then try to deliver mail for yagroup.ru to one of those addresses; since yagroup.ru is an internal domain with no mail service running, you then get a deferred because it's not accepting mail for that domain.
May 23 13:17:23 mail postfix/smtp[3064]: 4QQTH72QbLz3cqfS: to=<[email protected]>, relay=none, delay=0.05, delays=0.01/0.03/0/0, dsn=4.4.1, status=deferred (connect to yagroup.ru[192.168.0.4]:25: Connect>
In order to have the mailserver mail.gkgroup.ru deliver mail to the correct mailserver for yagroup.ru, you need to set up a transport on your mailserver.
In /etc/postfix/main.cf add the following.
transport_maps = hash:/etc/postfix/transport
Then restart postfix and then in /etc/postfix/transport add the following.
yagroup.ru smtp:[mx.yandex.net]
Replace yagroup.ru with whatever domain you want to send mail to (in this case the external domain that is also an internal domain, since this mail is currently failing to be delivered) and mx.yandex.net with whatever mailserver is the real external mailserver for that domain. Then run "postmap /etc/postfix/transport" and mail for the external domain yagroup.ru should now be delivered to the correct mailserver instead of being delivered to one of the internal addresses for the internal domain yagroup.ru.
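The diagnosis in this thread (no MX in the internal view, so delivery falls back to the zone's private A records, as RFC 5321 allows) can be checked mechanically. The script below is an added example, not part of the original posts: the function names are hypothetical, and the sample answers are constructed from the dig output and the public MX quoted earlier in the thread.

```sh
# Added example, not from the thread; the sample answers are constructed.

# is_private ADDR: succeeds for RFC 1918 and loopback IPv4 addresses.
is_private() {
  case "$1" in
    10.*|127.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# next_hop MX_ANSWER A_ANSWER
#   MX_ANSWER: `dig +short MX domain` output, "preference host." per line
#   A_ANSWER:  `dig +short A domain` output, one address per line
# Prints "mx HOST" (lowest preference), "a ADDR..." (A fallback) or "none".
next_hop() {
  if [ -n "$1" ]; then
    printf '%s\n' "$1" | sort -n |
      awk 'NR == 1 { sub(/\.$/, "", $2); print "mx", $2 }'
  elif [ -n "$2" ]; then
    echo "a" $2   # unquoted on purpose: joins the address lines with spaces
  else
    echo none
  fi
}

# shadowed INTERNAL_MX INTERNAL_A PUBLIC_MX: succeeds when the internal view
# has no MX and falls back to a private address while the public view has an MX.
shadowed() {
  [ -z "$1" ] && [ -n "$3" ] || return 1
  for sh_addr in $2; do
    is_private "$sh_addr" && return 0
  done
  return 1
}

# transport_entry DOMAIN PUBLIC_MX: transport(5) line pinning DOMAIN to its
# public MX; the [brackets] make Postfix skip the MX lookup for that host.
transport_entry() {
  [ -n "$2" ] || return 1
  te_hop=$(next_hop "$2" "")
  printf '%s smtp:[%s]\n' "$1" "${te_hop#mx }"
}

# Constructed sample answers mirroring the thread. On a live host use e.g.
# INTERNAL_MX=$(dig +short MX yagroup.ru) and query a public resolver with @.
INTERNAL_MX=""
INTERNAL_A=$(printf '%s\n' 192.168.0.3 192.168.0.23 192.168.0.6)
PUBLIC_MX="10 mx.yandex.net."

echo "internal next hop: $(next_hop "$INTERNAL_MX" "$INTERNAL_A")"
if shadowed "$INTERNAL_MX" "$INTERNAL_A" "$PUBLIC_MX"; then
  echo "public MX hidden by internal zone; transport entry:"
  transport_entry yagroup.ru "$PUBLIC_MX"
fi
```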
 
Thank you very much! I suffered for three days! I also understood that it was necessary to add the command postmap /etc/postfix/transport_map

Thank you again!
 
So it's working now and you are able to send mail to that external domain yagroup.ru? I forgot to mention, the file "transport_map" can be named anything; I just named it that. Normally it's called "transport", but the name doesn't really matter as long as it's the same as in your main.cf file.
 
Yes, I checked everything, it comes and goes. Everything works great! Yes, I created a file with this name transport_map
 
Awesome! Glad that it's working! I just meant to say the name of the transport file doesn't matter as long as the file name for the transport used in main.cf is the same as the filename where you defined your transport.
 
If you edit your first post, you can use the drop down menu to change the flag to 'solved'.
 
