Bounced email getting rejected by mail server.

[Ajecu]

When a user example@local.com sends an email to an address that defers the email(greylist) gfitest@gfitest.com the PMG sends the bounce back to the email server but the email server blocks the bounce:
NOQUEUE: reject: RCPT from pmg.local[<local ip>]: 554 5.7.1 <gfitest@gfitest.com>: Relay access denied; from=<example@local.com> to=<gfitest@gfitest.com> proto=ESMTP helo=<pmg.local>

The pmg.local addres is in mynetworks on the mail server and i have tested and pmg.local can relay via the mail server(tested with telnet using the same from and to),but bounced emails get rejected.

If i do not use PMG as a relayhost the problem dose not appear.

Is there special consideration given to deferred/bounced emails so the mail server can receive the bounce and retry.
Should the retry be attempted by PMG?

 

[hata_ph]

Is the mail server same network segment with PMG?
Try add your mail server network/cidr to trusted network.

 

[Ajecu]

"Is the mail server same network segment with PMG?"
Yes it is and the network segment is in the trusted networks.

And in the mail server pmg is in mynetworks and via telnet i can send relay messages,but the bounced messages that pmg forwards to the mail server get reject: RCPT from pmg.local.

This is what i do not understand,since i can do mail relay from pmg to mailserver and it is accepted what is different in the way bounced messages are sent.

 

[Ajecu]

If i add the "gfitest.com" domain to the relay_domains parameter in main.cf then the bounced messages are no longer getting relay access denied.
How can i accept for relay bounced messages matching the addreses/domains of sent messages?

 

[Stoiko Ivanov]

When a user example@local.com sends an email to an address that defers the email(greylist) gfitest@gfitest.com the PMG sends the bounce back to the email server

No - when PMG greylists a mail it simply replies with a temporary error code (4xx) to the sending server - the sending server then needs to retry delivery (usually it does so within 5 minutes)

please post the complete logs of the mail (and try to not remove information necessary for following the mail-flow)

 

[Ajecu]

PMG is not doing the greylisting,the other server is.And when PMG forwards the greylisted message back to the mail server it refuses the greylisted message with "Relay access denied;",but if i do not use PMG as a relay host then the issue dose not appear.

 

[Stoiko Ivanov]

And when PMG forwards the greylisted message back to the mail server it refuses the greylisted message with "Relay access denied;",but if i do not use PMG as a relay host then the issue dose not appear.

Seems to me this is an issue with the receiving servers configuration then?
Check it's config and logs - or contact it's administrator - to find out why mails get accepted from the downstream server but not from PMG

 

[Ajecu]

But should the greylisted messages return to the server or should PMG retry to send after a while?

 

[Stoiko Ivanov]

But should the greylisted messages return to the server or should PMG retry to send after a while?

Greylisted messages usually means that the receiving server sent a 4xx temporary response code - in that case pmg will queue the mail and try to redeliver it at a later timepoint.

 

[Ajecu]

Example of log:
Sep 12 12:09:13 mail7 postfix/smtpd[998464]: connect from unknown[localMailServer] Sep 12 12:09:13 mail7 postfix/smtpd[998464]: A1AD7120EF9: client=unknown[localMailServer] Sep 12 12:09:13 mail7 postfix/cleanup[999848]: A1AD7120EF9: message-id=<9f39ee5b-ca2f-61eb-a121-7d29fe26681e@localdomain> Sep 12 12:09:13 mail7 postfix/qmgr[408]: A1AD7120EF9: from=<sender@localdomain>, size=4157890, nrcpt=2 (queue active) Sep 12 12:09:13 mail7 postfix/smtpd[998464]: disconnect from unknown[localMailServer] ehlo=2 starttls=1 mail=1 rcpt=2 data=1 quit=1 commands=8 Sep 12 12:09:13 mail7 pmg-smtp-filter[999854]: 121A07631EF739AE06D: new mail message-id=<9f39ee5b-ca2f-61eb-a121-7d29fe26681e@localdomain>#012 Sep 12 12:09:17 mail7 pmg-smtp-filter[999854]: 121A07631EF739AE06D: SA score=0/5 time=0.692 bayes=0.00 autolearn=no autolearn_force=no hits=ALL_TRUSTED(-1),AWL(-0.235),BAYES_00(-1.9),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_NUMSUBJECT(0.5),T_SCC_BODY_TEXT_LINE(-0.01) Sep 12 12:09:17 mail7 postfix/smtpd[999858]: connect from localhost[127.0.0.1] Sep 12 12:09:17 mail7 postfix/smtpd[999858]: BDC39121A15: client=localhost[127.0.0.1], orig_client=unknown[localMailServer] Sep 12 12:09:17 mail7 postfix/cleanup[999847]: BDC39121A15: message-id=<9f39ee5b-ca2f-61eb-a121-7d29fe26681e@localdomain> Sep 12 12:09:17 mail7 postfix/qmgr[408]: BDC39121A15: from=<sender@localdomain>, size=4157543, nrcpt=2 (queue active) Sep 12 12:09:17 mail7 postfix/smtpd[999858]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=2 data=1 commands=6 Sep 12 12:09:17 mail7 pmg-smtp-filter[999854]: 121A07631EF739AE06D: accept mail to <reciever@externaldomain> (BDC39121A15) (rule: default-accept) Sep 12 12:09:17 mail7 pmg-smtp-filter[999854]: 121A07631EF739AE06D: accept mail to <santi@externaldomain> (BDC39121A15) (rule: default-accept) Sep 12 12:09:17 mail7 pmg-smtp-filter[999854]: 121A07631EF739AE06D: processing time: 4.143 seconds (0.692, 3.253, 0) Sep 12 12:09:17 mail7 postfix/lmtp[997851]: A1AD7120EF9: to=<reciever@externaldomain>, relay=127.0.0.1[127.0.0.1]:10023, delay=4.3, delays=0.05/0/0/4.2, dsn=2.5.0, status=sent (250 2.5.0 OK (121A07631EF739AE06D)) Sep 12 12:09:17 mail7 postfix/lmtp[997851]: A1AD7120EF9: to=<santi@externaldomain>, relay=127.0.0.1[127.0.0.1]:10023, delay=4.3, delays=0.05/0/0/4.2, dsn=2.5.0, status=sent (250 2.5.0 OK (121A07631EF739AE06D)) Sep 12 12:09:17 mail7 postfix/qmgr[408]: A1AD7120EF9: removed Sep 12 12:09:19 mail7 postfix/smtp[998528]: BDC39121A15: host mx01.dns-servicios.com[82.194.66.207] said: 451 4.7.1 Greylisting in action, please come back later (in reply to RCPT TO command) Sep 12 12:09:19 mail7 postfix/smtp[998528]: BDC39121A15: host mx01.dns-servicios.com[82.194.66.207] said: 451 4.7.1 Greylisting in action, please come back later (in reply to RCPT TO command) Sep 12 12:09:20 mail7 postfix/smtp[998528]: BDC39121A15: host mx00.dns-servicios.com[82.194.66.208] said: 451 4.7.1 Greylisting in action, please come back later (in reply to RCPT TO command) Sep 12 12:09:20 mail7 postfix/smtp[998528]: BDC39121A15: host mx00.dns-servicios.com[82.194.66.208] said: 451 4.7.1 Greylisting in action, please come back later (in reply to RCPT TO command) Sep 12 12:09:20 mail7 postfix/smtp[998528]: BDC39121A15: to=<reciever@externaldomain>, relay=localMailServer[localMailServer]:25, delay=2.4, delays=0.14/0/2.2/0.01, dsn=5.7.1, status=bounced (host localMailServer[localMailServer] said: 554 5.7.1 <reciever@externaldomain>: Relay access denied (in reply to RCPT TO command)) Sep 12 12:09:20 mail7 postfix/smtp[998528]: BDC39121A15: to=<santi@externaldomain>, relay=localMailServer[localMailServer]:25, delay=2.4, delays=0.14/0/2.2/0.02, dsn=5.7.1, status=bounced (host localMailServer[localMailServer] said: 554 5.7.1 <santi@externaldomain>: Relay access denied (in reply to RCPT TO command)) Sep 12 12:09:20 mail7 postfix/qmgr[408]: BDC39121A15: removed

 

[Stoiko Ivanov]

Sep 12 12:09:13 mail7 postfix/smtpd[998464]: connect from unknown[localPMGip]

this looks odd - if mail7 is your PMG - what is localPMGip? - in other words - why does pmg connect with it's "external" ip to smtpd on PMG?

 

[Ajecu]

Mistake in the sanitation of the log,i have edited to correct.

 

[Stoiko Ivanov]

still looks odd

to=<reciever@externaldomain>, relay=localMailServer[localMailServer]:2

why does pmg think that externaldomain needs to be relayed to localMailserver?!

 

[Ajecu]

This is where i am stuck.
I should not relay to localmailserver a bounced message.

 

[Ajecu]

This issue only shows up for bounced/greylisted messages.All other traffic is fine.

 

[Stoiko Ivanov]

I should not relay to localmailserver a bounced message.

the issue - from what i can see is not that it's a bounce but that your config tries to send mails to externaldomain to your internal server

please make sure that you setup your relay domains correctly - your transport entries (if needed) are correct, and that you did not by accident specify your internal relay as 'smart host'...

 

[Ajecu]

If there was any miss-configuration then all emails should be sent to internal server,since there is no per domain rules setup.
There are no smart hosts and no transports are needed.
And this only happens with bounced messaged,greylisted or with other issues.

 

[Ajecu]

Is there a debuging loglevel i can enable for further testing?

 

[Stoiko Ivanov]

do you have any modifications to the postfix configuration? (changed templates: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine)

Is there a debuging loglevel i can enable for further testing?

yes - see https://www.postfix.org/DEBUG_README.html#debug_peer (and the other hints in the howto)

 

[Ajecu]

There are just custom certificates setup.The rest is standard with the relay domains setup and the relay host setup on the local mail server.

I will try to debug when there is less traffic on the server and i get a fresh issue.