2

I have a mail server (Postfix/Dovecot) set up with the following configuration: email goes to a local mailbox for each virtual user, and is also forwarded to a Google Apps address (e.g. user@domain.org.test-google-a.com).

This all works correctly and mail is delivered to the server mailbox & to Google.

However, a weird problem is showing up in the logs. After the server routes the mail, it then receives a connection from the Google Apps servers referencing the email they have just recieved - which it rejects as "Relay access denied". I'm not certain why this is happening and what sort of response Google is sending.

It's not a major issue, but I am intrigued as to what it is... I have a suspicion it is something really obvious I have overlooked, but my search-fu is eluding me!

Example (sanitised) mail log:

Mar 20 13:51:03 services postfix/pipe[15363]: 076BF13A005: to=<123@domain.org>, relay=dovecot, delay=0.93, delays=0.45/0.01/0/0.47, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 20 13:51:04 services postfix/smtp[15364]: 076BF13A005: to=<123@domain.org.test-google-a.com>, orig_to=<123@domain.org>, relay=gmail-smtp-in.l.google.com[173.194.78.27]:25, delay=1.1, delays=0.45/0.01/0.09/0.57, dsn=2.0.0, status=sent (250 2.0.0 OK 1363787301 fu5si2128331wib.94 - gsmtp)
Mar 20 13:51:04 services postfix/qmgr[20596]: 076BF13A005: removed
Mar 20 13:51:05 services postfix/smtpd[15356]: connect from mail-la0-f69.google.com[209.85.215.69]
Mar 20 13:51:05 services postfix/smtpd[15356]: NOQUEUE: reject: RCPT from mail-la0-f69.google.com[209.85.215.69]: 554 5.7.1 <123@domain.org.test-google-a.com>: Relay access denied; from=<xyz@origin.com> to=<123@domain.org.test-google-a.com> proto=ESMTP helo=<mail-la0-f69.google.com>
Mar 20 13:51:05 services postfix/smtpd[15356]: disconnect from mail-la0-f69.google.com[209.85.215.69]

And postconf -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases,hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mailman_destination_recipient_limit = 1
mydestination = (localservername), localhost.(localservername), www.$mydomain, localhost
mydomain = domain.org
myhostname = (localservername)
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 localhost
myorigin = /etc/mailname
owner_request_special = no
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
Errant
  • 115
  • 1
  • 7
  • Did you accidentally set up your Google Apps user to forward its mail? – Michael Hampton Mar 20 '13 at 14:04
  • Nope; there are about 25 accounts set up on the server/Apps & they all display the same issue. – Errant Mar 20 '13 at 14:15
  • I would ask Google what's going on. – Michael Hampton Mar 20 '13 at 14:17
  • Automatic read report replies? – NickW Mar 20 '13 at 14:39
  • 2
    Possibly they are testing servers that connect to them, to check whether the servers are open relays. Back in my days as email sysadmin, that technique was under discussion but generally frowned upon. – Jenny D Mar 20 '13 at 15:02
  • @NickW seems unlikely, it happens for every email, pretty much instantly. Jenny D; interesting, that could be it... but seems odd. – Errant Mar 20 '13 at 15:03
  • Yeah, I figured it wasn't likely, but sometimes dumb suggestions start interesting trains of thought :) – NickW Mar 20 '13 at 15:11
  • Errant, can you determine what the message content is? I don't know of a good way to do that; maybe temporarily configure your server to receive email to the address that Google tries to send back to? – depquid Mar 25 '13 at 00:02
  • @depquid I've been trying to do this... I set up a rule to store my domain.org.test-google-a.com address in a local mailbox, then briefly set it up as an open relay - but it didn't seem to work! – Errant Mar 26 '13 at 13:16
  • @Errant I don't think you should have to make your server an open relay; it should be the destination server. Figuring out how to capture the content of a bouncing message sounds like the topic for a new question. – depquid Mar 26 '13 at 13:21

3 Answers3

3

"connect from" indicates a client connection to your server. See this link for configuring client restrictions. Essentially, you've asked postfix for this behavior with: 

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

mail-la0-f69.google.com[209.85.215.69] is not in:

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 localhost

nor is it sasl authenticated, causing it fallback to the final option, reject_unauth_destination.

slm
  • 7,355
  • 16
  • 54
  • 72
Thai Wood
  • 353
  • 2
  • 8
0

It seems that google is trying to use your email server to try and send a message. How are you forwarding the messages to google? That may be part of the problem.

darkstar2002
  • 1
  • 2
  • It's a standard Postfix/Dovecot setup; virtual addresses stored in mysql, and Dovecot handles the forwarding – Errant Mar 26 '13 at 13:13
0

The log seems to indicate that Google is forwarding the message send to it back to you. This message is being rejected because, being an unauthenticated message from a foreign network to a foreign domain, it doesn't pass smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination.

You should look at your Google Apps setup and the MX record for domain.org.test-google-a.com .

84104
  • 12,698
  • 6
  • 43
  • 75