
I have spent the last couple of days going through SO questions and the Postfix documentation but have not succeeded in figuring out what I'm doing wrong. My situation is as follows:

  • I have a server running Postfix that has its own FQDN (DomainA). Mail for DomainA is relayed through MailGun.
  • The server hosts multiple website domains and the plan is to now ensure that mail for these domains is relayed through MailGun but as a separate domain. This will create separate bounce addresses etc. Call this DomainB
  • Depending on which domain is present in the Header, configure Postfix to pick the appropriate SASL authentication ensuring the appropriate headers get added.

Version info: Postfix 2.11.2 on Debian 7 (Wheezy)

Output of postconf -n:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_at_myorigin = no
    append_dot_mydomain = no
    biff = no
    canonical_maps = regexp:/etc/postfix/canonical
    canonical_classes = envelope_sender, header_sender
    config_directory = /etc/postfix
    inet_interfaces = localhost
    inet_protocols = ipv4
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    mydestination = localhost.com, localhost
    myhostname = DomainA.com
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    myorigin = /etc/mailname
    readme_directory = no
    recipient_delimiter = +
    sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_sender_dependent_authentication = yes
    smtp_tls_note_starttls_offer = yes
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes

Contents of relayhost_map file:

    @DomainA.com      [smtp.mailgun.org]:587
    @DomainB.name     [smtp.mailgun.org]:587

Try #1 of canonical_maps - all email addresses re-written to sender@DomainB.name

    /./ post@domainB.name

Output of mail.log when sending an email from command-line:

    Aug 18 01:55:12 DomainA postfix/pickup[3572]: C72492A00B8: uid=0 from=<root>
    Aug 18 01:55:12 DomainA postfix/cleanup[3591]: C72492A00B8: message-id=<20150818055512.GA3580@DomainA.com>
    Aug 18 01:55:12 DomainA postfix/qmgr[3573]: C72492A00B8: from=<post@DomainB.name>, size=437, nrcpt=1 (queue active)
    Aug 18 01:55:13 DomainA postfix/smtp[3593]: C72492A00B8: to=<me@DomainB.name>, relay=smtp.mailgun.org[50.56.21.178]:587, delay=0.28, delays=0.02/0.02/0.16/0.08, dsn=2.0.0, status=sent (250 Great success)

Email headers when received by mail client:

    Delivered-To: me@DomainB.name
    Return-Path: <bounce+0a2943.d031c-me=DomainB.name@DomainA.com>
    [snip]
    Sender: post=DomainB.name@DomainA.com
    [snip]
    From: Primary Root <post@DomainB.name>
    To: me@DomainB.name
    Subject: test mail #5

Two things stick out to me as being very wrong:

  1. Why is Sender address set to post=DomainB.name@DomainA.com even though Postfix has been set as:

    append_at_myorigin = no
    append_dot_mydomain = no

  2. Due to Sender address having DomainA.com appended to it, it seems like Postfix chose to relay mail using SASL details for DomainA - confirmed by reviewing logs on MailGun dashboard. This is causing the bounce address to be set to DomainA as well.

Try #2 of canonical_maps - only email addresses ending with DomainB.com are re-written to email@DomainB.com

    /@DomainB.name/ email@DomainB.name

.muttrc file setup to force From email address as DomainB.com

    set from="mutt@DomainB.name"
    set use_from=yes
    set use_envelope_from = yes

Output of mail.log:

    Aug 18 03:40:49 DomainA postfix/qmgr[8809]: 2BEB92A00D3: from=<mutt@DomainB.name>, size=441, nrcpt=1 (queue active)
    Aug 18 03:40:49 DomainA postfix/smtp[8824]: 2BEB92A00D3: to=<me@DomainB.name>, relay=smtp.mailgun.org[104.130.177.23]:587, delay=0.58, delays=0.01/0.02/0.37/0.17, dsn=2.0.0, status=sent (250 Great success)

Email headers when received by mail client:

    Delivered-To: me@DomainB.name
    [snip]
    Return-Path: <bounce+0a2943.d031c-me=DomainB.name@DomainA.com>
    [snip]
    Sender: email=DomainB.name@DomainA.com
    [snip]
    From: Primary Root <email@DomainB.name>
    To: me@DomainB.name
    Subject: test mail hdr #7

  1. From this test, I can see that the canonical mapping isn't the issue. The rewrite is happening correctly. However, Postfix seems to not recognize the output as a valid email address and appends the FQDN which causes the relaying to break.

Any suggestions/ideas on how to fix this are most welcome!

masegaloeh
avggeek
  • I have also tried the configuration listed as a response here: http://serverfault.com/a/680009/50737 but there is no change in the mail.log output or client headers. – avggeek Aug 18 '15 at 09:37

1 Answer


In an effort to get a fresh perspective on this problem, I started to configure a similar relayhost setup on another server and it was during that process that I finally traced the source of the problem. Turns out in my sasl_passwd file I was missing a crucial character.

sasl_passwd file before the fix:

    DomainB.name        relay@DomainB.name:somepassword
    #Fallback
    [smtp.mailgun.org]:587  relay@DomainA.com:anotherpasswd

sasl_passwd file after the fix:

    @DomainB.name        relay@DomainB.name:somepassword
    #Fallback
    [smtp.mailgun.org]:587  relay@DomainA.com:anotherpasswd

The problem was the single missing "@" character before the virtual DomainB. The fallback entry was why it proved so hard to debug this issue as all mail was getting delivered through this route when Postfix failed to match any other entry.

As it may prove useful, I'm also including the setup of my canonical maps file once my relayhost configuration started working correctly:

    /(.*@)DomainB.name/ ${1}DomainB.name
    /(.*@)DomainA.com/ ${1}DomainA.com

The above regex ensures that the Envelope sender is updated to match the From sender, avoiding any "via DomainA" in my email client.

As a postscript, it turns out that in Ubuntu 14.04 it is not sufficient to have just the following rows in main.cf:

    canonical_maps = regexp:/etc/postfix/canonical
    canonical_classes = envelope_sender, header_sender

The following line must also be included:

    sender_canonical_maps = regexp:/etc/postfix/canonical_sender

The contents of the second file can be identical to the first but it must be present to avoid "via Domain" headers when relaying email in Ubuntu.

Gaia
avggeek
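The lookup behaviour that hid the missing "@" in the answer above, as an added example (not part of the original answer and not Postfix's own code): a Python model of how the SMTP client chooses a sasl_passwd entry when smtp_sender_dependent_authentication = yes, plus a heuristic check for bare-domain keys. The function names and the reduced lookup order (full sender address, then @domain, then next-hop destination) are assumptions of this example; the map contents are the ones shown on this page.

```python
RELAYHOST_MAP = """\
@DomainA.com      [smtp.mailgun.org]:587
@DomainB.name     [smtp.mailgun.org]:587
"""
SASL_BEFORE = """\
DomainB.name        relay@DomainB.name:somepassword
#Fallback
[smtp.mailgun.org]:587  relay@DomainA.com:anotherpasswd
"""
# Same file with the "@" added in front of the sender-domain key.
SASL_AFTER = "@" + SASL_BEFORE

def parse_map(text):
    """Parse 'key  value' lines of a Postfix lookup-table source file."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()  # keys compared in lower case
    return table

def pick_credentials(sasl, sender, nexthop, sender_dependent=True):
    """Return (matched_key, credentials), or (None, None) if nothing matches."""
    candidates = []
    if sender_dependent and "@" in sender:
        # Assumed order: exact sender address first, then its @domain.
        candidates += [sender, "@" + sender.rsplit("@", 1)[1]]
    candidates.append(nexthop)  # the fallback entry lives under this key
    for key in (c.lower() for c in candidates):
        if key in sasl:
            return key, sasl[key]
    return None, None

def lint_keys(sasl, relayhosts):
    """Heuristic: bare-domain sasl_passwd keys that relayhost_map uses as
    @domain sender keys, and which a sender lookup therefore never matches."""
    sender_domains = {k[1:] for k in relayhosts if k.startswith("@")}
    return sorted(k for k in sasl if "@" not in k and k in sender_domains)

if __name__ == "__main__":
    relay = parse_map(RELAYHOST_MAP)
    sender = "post@DomainB.name"
    nexthop = relay["@" + sender.split("@")[1].lower()]
    for name, src in (("before", SASL_BEFORE), ("after", SASL_AFTER)):
        sasl = parse_map(src)
        key, cred = pick_credentials(sasl, sender, nexthop)
        # Print only the SASL user name, never the password part.
        print(name, "matched", key, "user", cred.split(":")[0],
              "suspect keys", lint_keys(sasl, relay))
```

On the real server, `postmap -q "@DomainB.name" hash:/etc/postfix/sasl_passwd` answers the same question against the compiled map.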