Postfix delivers messages locally despite configuration for discovering external agent

brainchild

A small node operates several web applications attached to a domain.

The same domain is used for mailboxes, hosted off site by a commercial service.

On the name server operated by the registrar, A, AAAA, and CNAME records are used to resolve the web server, whereas MX records are used to resolve the commercial mail service.

Applications on the web server must deliver mail addressed within the same domain.

Postfix runs on the server, and correctly transfers messages for addresses of other domains based on resolving their MX records. However, messages detected as addressed to a local domain are not transferred to external delivery agents, but rather retained for local delivery, despite the fact that the MX records for the domain give an alternative domain corresponding to the commercial service.

The documentation for Postfix suggests that the desired behavior may be realized by setting a value for the configuration parameter mydestination that excludes $mydomain as an item in the value list.

An answer posted on the StackExchange network gives a similar suggestion, of setting the configuration as follows:

Code:
mydestination = $myhostname, localhost.$mydomain, localhost

In fact, such is the actual value currently set, being the default provided by the software stack operating on the host.

Log output is shown below for a message processed by Postfix. The machine host name is substituted with myhostname.myhostplace.tld, and the domain name configured in the mail subsystem is substituted with example.tld, with the mail account used in the message represented as testuser.

Given that the assigned local domain is not included in the criteria for identifying addresses for local delivery of messages, why are messages addressed within the local domain nonetheless still being locally delivered?



Code:
postfix/smtpd[11339]: warning: No server certs available. TLS won't be enabled
postfix/smtpd[11339]: connect from localhost[::1]
postfix/smtpd[11339]: F41793F5F: client=localhost[::1], sasl_method=PLAIN, [email protected]
postfix/cleanup[11344]: F41793F5F: message-id=<[email protected]>
postfix/qmgr[10533]: F41793F5F: from=<[email protected]>, size=795, nrcpt=1 (queue active)
postfix/smtpd[11339]: disconnect from localhost[::1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 commands=5
postfix/lmtp[11346]: F41793F5F: to=<[email protected]>, relay=myhostname.myhostplace.tld[private/dovecot-lmtp], delay=0.32, delays=0.28/0.01/0.02/0.01, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> IKcXErUp3WRTLAAAcQihng Saved)
postfix/qmgr[10533]: F41793F5F: removed

Code:
postfix/pickup[17489]: 72E744073: uid=0 from=<[email protected]>
postfix/cleanup[19587]: 72E744073: message-id=<[email protected]>
postfix/qmgr[10533]: 72E744073: from=<[email protected]>, size=3595, nrcpt=1 (queue active)
postfix/smtp[19589]: 72E744073: to=<root@localhost>, relay=none, delay=1.3, delays=1.3/0.01/0/0, dsn=5.4.6, status=bounced (mail for localhost loops back to myself)
postfix/cleanup[19587]: AAD6A4165: message-id=<[email protected]>
postfix/bounce[19590]: 72E744073: sender non-delivery notification: AAD6A4165
postfix/qmgr[10533]: AAD6A4165: from=<>, size=5766, nrcpt=1 (queue active)
postfix/qmgr[10533]: 72E744073: removed
postfix/smtp[19589]: AAD6A4165: to=<[email protected]>, relay=none, delay=0.01, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail for myhostname.myhostplace.tld loops back to myself)
postfix/qmgr[10533]: AAD6A4165: removed
postfix/pickup[17489]: 5BF2E4073: uid=0 from=<[email protected]>
postfix/cleanup[19775]: 5BF2E4073: message-id=<[email protected]>
postfix/qmgr[10533]: 5BF2E4073: from=<[email protected]>, size=3696, nrcpt=1 (queue active)
postfix/smtp[19777]: 5BF2E4073: to=<root@localhost>, relay=none, delay=0.77, delays=0.76/0.01/0/0, dsn=5.4.6, status=bounced (mail for localhost loops back to myself)
postfix/cleanup[19775]: A02D04165: message-id=<[email protected]>
postfix/bounce[19778]: 5BF2E4073: sender non-delivery notification: A02D04165
postfix/qmgr[10533]: A02D04165: from=<>, size=5867, nrcpt=1 (queue active)
postfix/qmgr[10533]: 5BF2E4073: removed
postfix/smtp[19777]: A02D04165: to=<[email protected]>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail for myhostname.myhostplace.tld loops back to myself)

I'm not super clear on what you did / trying to do.

What I usually do is set up my Linux servers (and locally installed Postfix) as mail forwarders which forward all mail they get to a mail-relay server that then sends email out to its real destination. The local postfix does not open port 25, it uses local rpc sockets to talk to postfix. Then the local server's postfix opens a port to 25 on the mail-relay server.

I don't find it particularly secure to have so many mail servers sending mail on a network. It's easy to secure a small group of SMTP relay servers and then have all local servers forward all mail to those relay servers.

I forgot to mention, I don't run full-fledged mail servers anymore either. Given the rate of attacks on them, it's a full time job to protect them. I just outsource the actual mail server to someone with an email security team and configure my mail relay servers to relay to them.

postfix/lmtp[11346]: F41793F5F: to=<[email protected]>, relay=myhostname.myhostplace.tld[private/dovecot-lmtp], delay=0.32, delays=0.28/0.01/0.02/0.01, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> IKcXErUp3WRTLAAAcQihng Saved)
postfix/qmgr[10533]: F41793F5F: removed
postfix/smtp[19777]: A02D04165: to=<[email protected]>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail for myhostname.myhostplace.tld loops back to myself)
While I know nothing about your setup or configuration, it seems from the first log line quoted that your mail server is using the MX records to look up where to deliver the mail, because it's using "relay=myhostname.myhostplace.tld" to deliver the mail and not "relay=local" or "relay=none".

In the second log line quoted you are seeing non-delivery mail sent to the root account, which is delivered locally because you see "relay=none". In /etc/aliases you can configure the real email address to which local system users' mail should be sent.

So my first question would be: what mail servers are defined in the MX record of example.tld? Without knowing the answer to that, you can override the current delivery by using relay_domains and transport_maps. That would look something like this.

In main.cf:
Code:
relay_domains = example.tld
transport_maps = hash:/etc/postfix/transport
In transport:
Code:
example.tld smtp:[relay.myhostplace.tld]
Or if it's just the one local domain you want to relay and not others, you could also just use relayhost instead of relay_domains. Then you wouldn't need a transport file, and your main.cf would look something like this.
Code:
relay_domains = example.tld
relayhost = relay.myhostplace.tld
I haven't tested this, so you will have to test it yourself first; however, as mentioned before, I would first check what mail servers are defined for example.tld.
 

postfix/pickup[17489]: 72E744073: uid=0 from=<[email protected]>
postfix/cleanup[19587]: 72E744073: message-id=<[email protected]>
postfix/qmgr[10533]: 72E744073: from=<[email protected]>, size=3595, nrcpt=1 (queue active)
postfix/smtp[19589]: 72E744073: to=<root@localhost>, relay=none, delay=1.3, delays=1.3/0.01/0/0, dsn=5.4.6, status=bounced (mail for localhost loops back to myself)
For this log line it seems it's complaining about a loop, sending from itself and receiving to itself. You can define in /etc/aliases where mail for local system user accounts should be delivered, which would look like this in main.cf.
Code:
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
At the bottom of /etc/aliases you can add a line that looks something like this.
Code:
And then edit /etc/aliases and run the command "newaliases".
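Both the original question and the reply above come down to how Postfix decides which address class a recipient domain belongs to, because that decision, not the MX record, picks the delivery transport. The following Python model is an added example, not code from the thread or from the Postfix project. It reproduces the class precedence documented in Postfix's ADDRESS_CLASS_README (mydestination, then virtual_alias_domains, then virtual_mailbox_domains, then relay_domains, otherwise the default class) and the override that a transport_maps entry applies. All configurations in it are constructed; in particular it assumes that example.tld is listed in virtual_mailbox_domains with virtual_transport pointing at Dovecot LMTP, which is one configuration that produces a relay=...[private/dovecot-lmtp] line while mydestination excludes $mydomain. The relay host name, the recipient addresses and the self_names set are likewise constructed stand-ins.

```python
"""Added example (not from the thread or the Postfix project): a small model of
how Postfix assigns a recipient domain to an address class and picks the
delivery transport, in the order given by Postfix's ADDRESS_CLASS_README.
Every configuration below is constructed to mirror the thread."""

import re

# Address classes in the order Postfix consults them:
# (main.cf domain list, class name, parameter naming the transport, default).
CLASS_ORDER = (
    ("mydestination", "local", "local_transport", "local"),
    ("virtual_alias_domains", "virtual_alias", None, "error"),
    ("virtual_mailbox_domains", "virtual_mailbox", "virtual_transport", "virtual"),
    ("relay_domains", "relay", "relay_transport", "relay"),
)


def expand(value, cfg):
    """Expand $name references the way main.cf does (one level is enough here)."""
    return re.sub(r"\$(\w+)", lambda m: cfg.get(m.group(1), ""), value)


def domain_list(cfg, name):
    """Turn a comma/whitespace separated main.cf value into a set of domains."""
    raw = expand(cfg.get(name, ""), cfg)
    return {d.lower() for d in re.split(r"[,\s]+", raw) if d}


def host_of(nexthop):
    """Host part of a next-hop such as '[relay.example]:587' or 'localhost'."""
    match = re.match(r"\[?([^\]:]+)", nexthop)
    return match.group(1).lower() if match else ""


def resolve(recipient, cfg, self_names=frozenset()):
    """Return (address_class, transport, nexthop, status) for one recipient.

    self_names stands in for the names that resolve to this host: the Postfix
    smtp client bounces with dsn=5.4.6 'loops back to myself' when the next hop
    resolves to one of its own addresses.
    """
    domain = recipient.rsplit("@", 1)[-1].lower()
    klass, transport = "default", cfg.get("default_transport", "smtp")
    for param, name, transport_param, default in CLASS_ORDER:
        if domain in domain_list(cfg, param):
            klass = name
            transport = cfg.get(transport_param, default) if transport_param else default
            break
    # A transport_maps entry overrides the class transport for that domain
    # (modelled as a dict rather than hash:/etc/postfix/transport).
    transport = cfg.get("transport_maps", {}).get(domain, transport)
    if ":" in transport:
        transport, nexthop = transport.split(":", 1)
    elif klass in ("relay", "default"):
        nexthop = cfg.get("relayhost", "") or domain  # relayhost wins, else the domain's MX
    else:
        nexthop = ""
    if transport in ("smtp", "relay") and host_of(nexthop) in self_names:
        return klass, transport, nexthop, "bounced: mail for %s loops back to myself" % host_of(nexthop)
    return klass, transport, nexthop, "deliverable"


# Constructed to mirror the thread: mydestination is the stack default that
# excludes $mydomain, yet the domain is (assumption) a virtual mailbox domain
# handed to Dovecot over LMTP, which is what relay=...[private/dovecot-lmtp] shows.
THREAD_CFG = {
    "myhostname": "myhostname.myhostplace.tld",
    "mydomain": "example.tld",
    "mydestination": "$myhostname, localhost.$mydomain, localhost",
    "virtual_mailbox_domains": "example.tld",
    "virtual_transport": "lmtp:unix:private/dovecot-lmtp",
}
SELF_NAMES = frozenset({"myhostname.myhostplace.tld", "localhost"})

# The reply's first fix: relay_domains plus a transport map entry. The domain
# must no longer be claimed by a local class for the relay to take effect cleanly.
TRANSPORT_MAP_CFG = dict(THREAD_CFG, virtual_mailbox_domains="", relay_domains="example.tld",
                         transport_maps={"example.tld": "smtp:[relay.myhostplace.tld]"})

# The reply's second fix: relay_domains plus relayhost, no transport file.
RELAYHOST_CFG = dict(THREAD_CFG, virtual_mailbox_domains="", relay_domains="example.tld",
                     relayhost="relay.myhostplace.tld")

# No class claims localhost, so it resolves to the host itself: the thread's
# second log, dsn=5.4.6 'loops back to myself'.
LOOP_CFG = dict(THREAD_CFG, mydestination="")


def scenario_thread():
    return resolve("testuser@example.tld", THREAD_CFG, SELF_NAMES)


def scenario_transport_map():
    return resolve("testuser@example.tld", TRANSPORT_MAP_CFG, SELF_NAMES)


def scenario_relayhost():
    return resolve("testuser@example.tld", RELAYHOST_CFG, SELF_NAMES)


def scenario_loop():
    return resolve("root@localhost", LOOP_CFG, SELF_NAMES)


def scenario_remote():
    return resolve("someone@other.example", THREAD_CFG, SELF_NAMES)


if __name__ == "__main__":
    for fn in (scenario_thread, scenario_transport_map, scenario_relayhost, scenario_loop, scenario_remote):
        print(fn.__name__, "->", fn())
```

The model shows why excluding $mydomain from mydestination is not enough on its own: a domain listed in virtual_mailbox_domains is still handled on the box, by whatever virtual_transport names. On a live host the equivalent check is `postconf mydestination virtual_alias_domains virtual_mailbox_domains relay_domains transport_maps`, which prints the running values rather than what a tutorial says the default is; after editing the transport file, `postmap /etc/postfix/transport` rebuilds the hash and `postmap -q example.tld hash:/etc/postfix/transport` confirms the lookup before any mail is sent.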