# [SOLVED] Mail system will not relay for virtual domains.

## quag7

I followed the Virtual Mailhosting with Postfix guide almost to the letter. (Postfix, Courier-imapd, cyrus-sasl, etc. --> http://www.gentoo.org/doc/en/virt-mail-howto.xml) and the following work:

(*) local/console delivery to both domains (one virtual, one not)

(*) delivery from anywhere to the non-virtual domain

What doesn't work is, any time an external mail comes in to the server targeted toward an address in the virtual domain, the message is rejected back to me:

If I mail jroberts@dicketry.net (the virtual domain):

My Comcast account:

*Quote:*

> The following addresses had delivery problems:
>
> <jroberts@dicketry.net>
>
> Permanent Failure: 550_5.7.1_<jroberts@dicketry.net>..._Relaying_denied._Proper_authentication_required.
> ...

SMTP server on another provider, another domain:

*Quote:*

> ----- The following addresses had permanent fatal errors -----
>
> <quag7@dicketry.net>
> ...

This is probably from resends.

In the MySQL transport table, I have:

*Quote:*

> dicketry.net    virtual:

In the user table:

*Quote:*

> jroberts@dicketry.net  	joespw  	Joe Roberts  	1001  	1001  	/home/vmail  	/home/vmail/dicketry.net/jroberts/.maildir/  	   	y

The guide is a little sketchy about what to do to add virtual domains once everything is installed.  I've read a few dozen threads here on the forums but none seem to fix my problem.  I've modified these files in about a hundred permutations, at this point I am stabbing around wildly.

More frustrating is I can't get any smtp logging to occur for these failed/relaying denied attempts.  Somewhere, something is set to "quiet" and shouldn't be.  If mail comes in for the non-virtual domain, it shows up, but no trace of any incoming smtpd connection if the mail is bound for the virtual domain.

Setup is:

domain/machine hosted on: hyperqueef.net (it's postmodern, not vulgar, I assure you)

virtual: dicketry.net (not postmodern, vulgar.)

I have one user created in the virtual domain so far - quag7@dicketry.net

```
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
empty_address_recipient = MAILER-DAEMON
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.3.6/html
inet_interfaces = all
local_destination_concurrency_limit = 2
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
local_transport = local
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, $mydomain
mydomain = hyperqueef.net
myhostname = revolt.hyperqueef.net
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
queue_minfree = 120000000
readme_directory = /usr/share/doc/postfix-2.3.6/readme
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = mysql:/etc/postfix/virtual_transport_maps.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_gid_maps = static:1001
virtual_mailbox_base = /
virtual_mailbox_domains = dicketry.net
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_minimum_uid = 1000
virtual_transport = virtual
virtual_uid_maps = static:1001
```

UPDATED: Wow, that is better.

All of my mysql-virtual files are unchanged from the guide, with the exception of course of the proper password.

I've read several posts mentioning the /etc/postfix/transport file, but I'm not sure exactly what to put in there and it isn't mentioned in the guide.  I did try putting a few things in there but they didn't seem to make any difference (and I did run the postmap command afterward to make sure it created the database). - not really sure what I'm doing there.

If anyone could make some suggestions about what to look at next, I'd appreciate it, as well as how to get some decent log reporting on authentication failed/relaying denied SMTP attempts from other mail servers.

Let me know if there are any other configuration files that might be helpful.  Also the jroberts@dicketry.net is valid, if anyone wants to try it out (if you can tell something from your side)

----------

## steveb

```
The following addresses had delivery problems:

<jroberts@dicketry.net>

Permanent Failure: 550_5.7.1_<jroberts@dicketry.net>..._Relaying_denied._Proper_authentication_required.

Delivery last attempted at Thu, 13 Sep 2007 17:10:21 -0000
```

Looks like SMTP AUTH is not working the way it should. Have you set up SMTP AUTH the proper way? Post the configuration if possible.

// SteveB

----------

## kashani

```
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
```

Put permit_mynetworks first. The way you have it set up, even localhost can't relay properly. Also edit your post and remove that giant config and replace it with a postconf -n, which is far more readable.

kashani

----------

## quag7

/etc/sasl2/smtpd.conf:

```
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd
```

/etc/postfix/master.cf:

```
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -v
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
   -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual -vv
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache     unix   -   -   n   -   1   scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  flags=hu user=cyrus argv=/usr/lib/cyrus/deliver -e -r ${sender} -m ${extension} ${user}
# Cyrus with "virtdomains: yes"
# Also specify in main.cf: virtual_transport = virt-cyrus
virt-cyrus     unix  -       n       n       -       -       pipe
  flags=hu user=cyrus argv=/usr/lib/cyrus/deliver -e -r ${sender} -m ${recipient} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#Quag7
smtp-amavis     unix -        -       n     -       2  smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n        -       n     -       -  smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
```

/etc/conf.d/saslauthd

```
# $Header: /var/cvsroot/gentoo-x86/dev-libs/cyrus-sasl/files/saslauthd-2.1.21.conf,v 1.2 2007/04/07 13:03:55 chtekk Exp $
# Config file for /etc/init.d/saslauthd

# Initial (empty) options.
SASLAUTHD_OPTS=""

# Specify the authentications mechanism.
# **NOTE** For a list see: saslauthd -v
# Since 2.1.19, add "-r" to options for old behavior,
# ie. reassemble user and realm to user@realm form.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam -r"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam"

# Specify the hostname for remote IMAP server.
# **NOTE** Only needed if rimap auth mechanism is used.
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a rimap -r"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"

# Specify the number of worker processes to create.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -n 5"

# Enable credential cache, set cache size and timeout.
# **NOTE** Size is measured in kilobytes.
#          Timeout is measured in seconds.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -c -s 128 -t 30"
```

Thank you for having a look.  If I missed posting anything that would be useful, let me know, but I think this covers it.

----------

## steveb

How about enabling submission and smtps in master.cf?

// SteveB

----------

## quag7

Enabled those and restarted the whole thing (I actually have a script that restarts all of those services now since I'm doing it so often just to eliminate any chance of a configuration file not being read), and I'm getting the same behavior/errors.

I really wish the logs would yield more information.

Does /etc/postfix/transport come into play here, and if so, how, or should that all be via the MySQL transport table?

Doesn't mention it in the guide, is why I ask.

There's so much going on here, I feel like I'm in over my head, but I've got everything else working, so it'd be a shame to quit now.  It's going to wind up being something stupid, I know it.

----------

## steveb

Yes. It is the missing transport. You need to add into main.cf the following:

```
transport_maps = mysql:$config_directory/virtual_transport_maps.cf
```

Then create the file /etc/postfix/virtual_transport_maps.cf with the following content:

```
# /etc/postfix/virtual_transport_maps.cf
#
# virtual_mailbox_domains = mysql:/etc/postfix/virtual_transport_maps.cf
user                    = mailsql
password                = $password
dbname                  = mailsql
#hosts                  = localhost
hosts                   = unix:/var/run/mysqld/mysqld.sock

# Postfix < 2.2
#table                  = transport
#select_field           = destination
#where_field            = domain
#additional_conditions  =

# Postfix >= 2.2
query                   = SELECT destination FROM transport WHERE domain='%s'
```

Reload Postfix and try again.

// SteveB
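To make the difference between the old `table`/`select_field`/`where_field` form and the newer `query` form concrete, here is an added illustration (not code from this thread or from Postfix) of how a `mysql:` map file turns a lookup key into SQL and what `postmap -q dicketry.net` should then return. It runs the lookup against an in-memory SQLite copy of the thread's one-row transport table, so the `mysqld.sock` and `mailsql` values are only parsed, never used, and the password is an obvious placeholder. Postfix's real `mysql_table(5)` driver quotes the key it substitutes for `%s`; the stand-in below gets the same protection by binding the key as a parameter, and it assumes the placeholder is written as `'%s'` as in the file above.

```python
"""Mimic a Postfix mysql: map lookup (added example, not Postfix code)."""
import sqlite3

# Constructed sample map files modelled on the two .cf files in this thread.
NEW_STYLE_CF = """\
# virtual_transport_maps.cf, query form (Postfix >= 2.2)
user     = mailsql
password = EXAMPLE_PASSWORD_PLACEHOLDER
dbname   = mailsql
hosts    = unix:/var/run/mysqld/mysqld.sock
query    = SELECT destination FROM transport WHERE domain='%s'
"""

LEGACY_CF = """\
# mysql-transport.cf, pre-2.2 form from the old how-to
user         = mailsql
password     = EXAMPLE_PASSWORD_PLACEHOLDER
dbname       = mailsql
table        = transport
select_field = destination
where_field  = domain
hosts        = unix:/var/run/mysqld/mysqld.sock
"""


def parse_cf(text):
    """Parse 'key = value' lines; '#' comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def build_query(cfg):
    """Return the SQL template with '%s' standing for the lookup key.

    A 'query' line is used as-is; otherwise the legacy lines expand to
    SELECT select_field FROM table WHERE where_field = '%s' additional_conditions,
    which is the form mysql_table(5) documents for the old syntax."""
    if "query" in cfg:
        return cfg["query"]
    sql = f"SELECT {cfg['select_field']} FROM {cfg['table']} WHERE {cfg['where_field']} = '%s'"
    extra = cfg.get("additional_conditions", "").strip()
    return f"{sql} {extra}" if extra else sql


def lookup(conn, cfg, key):
    """Run the map lookup for one key, returning the list of matching values.

    Assumption of this example: the placeholder is written as '%s'. The key is
    bound as a parameter instead of spliced into the string, which is the same
    guarantee Postfix gives by SQL-quoting the substituted key."""
    template = build_query(cfg)
    if "'%s'" not in template:
        raise ValueError("query must contain a quoted '%s' placeholder")
    rows = conn.execute(template.replace("'%s'", "?"), (key,)).fetchall()
    return [row[0] for row in rows]


def sample_database():
    """In-memory stand-in for the 'mailsql' database, seeded with the single
    row shown in the thread's transport table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transport (domain TEXT PRIMARY KEY, destination TEXT)")
    conn.execute("INSERT INTO transport VALUES ('dicketry.net', 'virtual:')")
    return conn


if __name__ == "__main__":
    db = sample_database()
    for label, text in (("query form", NEW_STYLE_CF), ("legacy form", LEGACY_CF)):
        cfg = parse_cf(text)
        print(f"{label}: {build_query(cfg)}")
        print(f"  dicketry.net   -> {lookup(db, cfg, 'dicketry.net')}")
        print(f"  hyperqueef.net -> {lookup(db, cfg, 'hyperqueef.net')}")
```

Both forms produce `['virtual:']` for `dicketry.net` and an empty result for any other domain, which is exactly what `postmap -q` prints (or does not print) on the real server. Because the file carries the database password, keep it readable only by root and the postfix group.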

----------

## steveb

*kashani wrote:*

> ```
> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
> ```
> ...

Sorry kashani, but this is not true. The restrictions are evaluated from the top down, from left to right. So for localhost his restriction list would result in:

permit_sasl_authenticated -> DUNNO

permit_mynetworks -> OK

<no processing anymore since localhost is in mynetworks>

// SteveB
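The evaluation order steveb describes is easy to check by simulation. The following is an added example, not code from this thread or from Postfix: a small model of `smtpd_recipient_restrictions` in which each restriction answers OK, REJECT or DUNNO, the first non-DUNNO answer decides, and a list that is exhausted with only DUNNO answers permits the recipient (Postfix's implicit default). The domain lists mirror the `postconf -n` above; `$mynetworks` is assumed to be loopback plus the server's own address (what `mynetworks_style = host` produces), and the client IP 203.0.113.5 is a constructed test address. It also shows the security-relevant half of the story: with `reject_unauth_destination` in place, an unauthenticated outside client can send to `dicketry.net` but cannot use the box as a relay for other domains, whichever way the two permit_ entries are ordered.

```python
"""Model the top-down evaluation of smtpd_recipient_restrictions (added example)."""
from ipaddress import ip_address, ip_network

# Values taken from the postconf -n in this thread; mynetworks is an assumption
# of what mynetworks_style = host yields on a host with one public address.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("65.111.174.154/32")]
MYDESTINATION = {"revolt.hyperqueef.net", "localhost.hyperqueef.net", "hyperqueef.net"}
VIRTUAL_MAILBOX_DOMAINS = {"dicketry.net"}
RELAY_DOMAINS = set()  # relay_domains is not set in the thread's config

THREAD_LIST = "permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
KASHANI_LIST = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"


def permit_sasl_authenticated(client):
    """OK once the client has completed SMTP AUTH; otherwise no opinion."""
    return "OK" if client["sasl_authenticated"] else "DUNNO"


def permit_mynetworks(client):
    """OK when the client IP lies inside $mynetworks; otherwise no opinion."""
    addr = ip_address(client["ip"])
    return "OK" if any(addr in net for net in MYNETWORKS) else "DUNNO"


def reject_unauth_destination(client):
    """REJECT unless the recipient domain is one this server is authorised to
    accept ($mydestination, $virtual_mailbox_domains, $relay_domains, ...)."""
    domain = client["rcpt"].rpartition("@")[2].lower()
    accepted = MYDESTINATION | VIRTUAL_MAILBOX_DOMAINS | RELAY_DOMAINS
    return "DUNNO" if domain in accepted else "REJECT"


RESTRICTIONS = {
    "permit_sasl_authenticated": permit_sasl_authenticated,
    "permit_mynetworks": permit_mynetworks,
    "reject_unauth_destination": reject_unauth_destination,
}


def evaluate(restriction_list, client):
    """Evaluate a comma-separated restriction list for one RCPT TO.

    Returns (decision, trace); trace lists (restriction, answer) pairs up to
    and including the one that decided."""
    trace = []
    for name in (n.strip() for n in restriction_list.split(",") if n.strip()):
        answer = RESTRICTIONS[name](client)
        trace.append((name, answer))
        if answer != "DUNNO":
            return answer, trace
    # Every entry said DUNNO: Postfix's end-of-list default is to permit.
    return "OK", trace


def client(ip, rcpt, sasl_authenticated=False):
    """Build a constructed SMTP client description for the simulation."""
    return {"ip": ip, "rcpt": rcpt, "sasl_authenticated": sasl_authenticated}


if __name__ == "__main__":
    cases = [
        ("localhost, no AUTH, any domain", client("127.0.0.1", "anyone@example.org")),
        ("outside host to the virtual domain", client("203.0.113.5", "quag7@dicketry.net")),
        ("outside host trying to relay", client("203.0.113.5", "someone@example.org")),
        ("outside host after SMTP AUTH", client("203.0.113.5", "someone@example.org", True)),
    ]
    for label, c in cases:
        for lst in (THREAD_LIST, KASHANI_LIST):
            decision, trace = evaluate(lst, c)
            print(f"{label:38} [{lst.split(',')[0]} first] -> {decision}  {trace}")
```

The traces for the loopback client are exactly the two lines steveb wrote: `permit_sasl_authenticated -> DUNNO`, then `permit_mynetworks -> OK`, after which nothing else is consulted. Swapping the first two entries changes only which permit_ fires first, never the outcome.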

----------

## quag7

Thank you again for your suggestions, though, infuriatingly, same behavior.

I have updated the first post with postconf -n as requested to its latest state, with the /etc/postfix/virtual_transport_maps.cf added.  I noticed that there was a commented-out directive following it:

```
#relay_domains = $mydestination,$transport_maps
```

I tried it both with this enabled, and disabled, reloading postfix each time.  Somewhere on these forums was a discussion as to whether postfix needs it or not.  Any comment here would be appreciated.

I also noticed that as part of the guide, I was to create a file called mysql-transport.cf:

```
# mysql-transport.cf
user            = mailsql
password        = daspassword
dbname          = mailsql
table           = transport
select_field    = destination
where_field     = domain
hosts           = unix:/var/run/mysqld/mysqld.sock
```

This appears to be much the same, with the exception that it contains table = transport.  I was wondering if this file was intended to serve the same purpose.  The /etc/postfix/virtual_transport_maps.cf file has:

```
# Postfix >= 2.2
query                   = SELECT destination FROM transport WHERE domain='%s'
```

I added in the table = transport statement here and commented out the query; same result.

The postfix configuration is restored to where it would have been had I not tried all of these other things and just followed steveb's advice; it is reflected in the first message in this thread, in the postconf -n dump.

What is interesting to me is that:

(1) If I use mailx to mail the address in the virtual domain from the same box the mail server is running on, that continues to work without a problem.  Only other SMTP servers cannot connect to this one.

(2) Still no sign in the logs of unsuccessful SMTP attempts from all of these test messages I have been sending.

----------

## steveb

Okay. What is the IP of that server where you try to send mail to?

Can you please execute the following command and post your result:

```
postmap -q dicketry.net mysql:/etc/postfix/virtual_transport_maps.cf
```

And remove that table= stuff again. The MySQL lookup has changed in Postfix and the Gentoo how-to page is ultra-old. Read here about the new map file format. And since you use Postfix 2.3.6 I know that the new query directive works for you.

Can you post the output of:

```
postconf -m
```

// SteveB

----------

## quag7

Also wanted to add that the other server's error looks like this, in case it shakes any ideas loose:

```
----- Transcript of session follows -----
554 5.4.6 Too many hops 26 (25 max): from <qusgeven@frostwarning.com> via oreos.theideaweb.biz, to <quag7@dicketry.net>

unnamed

Return-Path: <quagseven@frostwarning.com>
Received: from oreos.theideaweb.biz (oreos.theideaweb.biz [72.21.46.218])
        by oreos.theideaweb.biz (8.13.1/8.13.1) with ESMTP id l8DNLJul028690
        for <quag7@dicketry.net>; Thu, 13 Sep 2007 18:21:19 -0500
Received: from oreos.theideaweb.biz (oreos.theideaweb.biz [72.21.46.218])
        by oreos.theideaweb.biz (8.13.1/8.13.1) with ESMTP id l8DNLIiJ028676
        for <quag7@dicketry.net>; Thu, 13 Sep 2007 18:21:18 -0500
Received: from oreos.theideaweb.biz (oreos.theideaweb.biz [72.21.46.218])
        by oreos.theideaweb.biz (8.13.1/8.13.1) with ESMTP id l8DNLI6B028670
        for <quag7@dicketry.net>; Thu, 13 Sep 2007 18:21:18 -0500
```

This repeats many more times.

----------

## steveb

I don't get it. The server behind the domain dicketry.net is a Sendmail system. Where is your Postfix?

```
callisto ~ # dig +short in mx dicketry.net
0 dataswamp.net.
callisto ~ # dig +short in a dataswamp.net
72.21.46.218
callisto ~ # telnet 72.21.46.218 25
Trying 72.21.46.218...
Connected to 72.21.46.218.
Escape character is '^]'.
220 oreos.theideaweb.biz ESMTP Sendmail Secure/Rabid; Thu, 13 Sep 2007 18:42:25 -0500
QUIT
221 2.0.0 oreos.theideaweb.biz closing connection
Connection closed by foreign host.
callisto ~ #
```

Steve
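The two checks steveb did by hand here (where does the MX for the domain actually point, and is the bounce a mail loop on that host) are worth scripting, because "relaying denied" from a server you never configured is a classic sign that DNS is sending mail somewhere else. The following is an added example, not code from this thread: `check_mx` compares every MX host's addresses against the addresses of the servers you run, and `received_hops` counts the `Received:` headers of a bounced message and flags hosts that handed the message to themselves, which is what a `554 5.4.6 Too many hops` transcript looks like. The resolver functions are injected so the logic runs offline; the `dig_mx`/`dig_a` helpers at the bottom wrap the same `dig +short` commands used above and need a working resolver. The sample headers are constructed from the bounce posted earlier in the thread; the expected server address 65.111.174.154 is the one quag7 posted.

```python
"""MX sanity check and mail-loop detection (added example, not from the thread)."""
import re
import subprocess

EXPECTED_SERVER_IPS = ["65.111.174.154"]  # revolt.hyperqueef.net, per the thread

# Constructed from the bounce quoted in the thread (three of the 26 hops).
SAMPLE_BOUNCE_HEADERS = """\
Return-Path: <quagseven@frostwarning.com>
Received: from oreos.theideaweb.biz (oreos.theideaweb.biz [72.21.46.218])
        by oreos.theideaweb.biz (8.13.1/8.13.1) with ESMTP id l8DNLJul028690
        for <quag7@dicketry.net>; Thu, 13 Sep 2007 18:21:19 -0500
Received: from oreos.theideaweb.biz (oreos.theideaweb.biz [72.21.46.218])
        by oreos.theideaweb.biz (8.13.1/8.13.1) with ESMTP id l8DNLIiJ028676
        for <quag7@dicketry.net>; Thu, 13 Sep 2007 18:21:18 -0500
Received: from oreos.theideaweb.biz (oreos.theideaweb.biz [72.21.46.218])
        by oreos.theideaweb.biz (8.13.1/8.13.1) with ESMTP id l8DNLI6B028670
        for <quag7@dicketry.net>; Thu, 13 Sep 2007 18:21:18 -0500
"""


def check_mx(domain, expected_ips, resolve_mx, resolve_a):
    """Return (ok, findings) for a domain's MX setup.

    resolve_mx(domain) -> list of (preference, host); resolve_a(host) -> list of
    address strings.  ok is True only when every MX host resolves exclusively to
    addresses in expected_ips, i.e. to servers you operate."""
    expected = set(expected_ips)
    findings = []
    records = sorted(resolve_mx(domain))
    if not records:
        findings.append(f"{domain}: no MX record; senders will fall back to the A record")
        records = [(0, domain)]
    for pref, host in records:
        addrs = resolve_a(host)
        if not addrs:
            findings.append(f"MX {pref} {host}: does not resolve")
        for addr in addrs:
            if addr not in expected:
                findings.append(f"MX {pref} {host} -> {addr}: not one of your servers {sorted(expected)}")
    return not findings, findings


_RECEIVED = re.compile(r"^Received:\s+from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def received_hops(headers):
    """Unfold Received: headers and return (hop_count, looped_hosts), where
    looped_hosts lists every hop in which a host relayed the message to itself."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    hops, looped = 0, []
    for line in unfolded.splitlines():
        m = _RECEIVED.match(line)
        if m:
            hops += 1
            src, dst = m.group(1).lower(), m.group(2).lower()
            if src == dst:
                looped.append(src)
    return hops, looped


def dig_mx(domain):
    """Live resolver: 'dig +short in mx <domain>' (needs dig and network access)."""
    out = subprocess.run(["dig", "+short", "in", "mx", domain],
                         capture_output=True, text=True, check=True).stdout
    pairs = (line.split() for line in out.splitlines() if line.strip())
    return [(int(pref), host.rstrip(".")) for pref, host in pairs]


def dig_a(host):
    """Live resolver: 'dig +short in a <host>', keeping only IPv4 answers."""
    out = subprocess.run(["dig", "+short", "in", "a", host],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip() for line in out.splitlines() if re.fullmatch(r"\d+(\.\d+){3}", line.strip())]


if __name__ == "__main__":
    # Offline replay of what steveb's dig commands returned for the thread.
    mx_seen = {"dicketry.net": [(0, "dataswamp.net")]}
    a_seen = {"dataswamp.net": ["72.21.46.218"], "revolt.hyperqueef.net": ["65.111.174.154"]}
    ok, findings = check_mx("dicketry.net", EXPECTED_SERVER_IPS, mx_seen.get, a_seen.get)
    print("MX ok" if ok else "MX problem:\n  " + "\n  ".join(findings))
    hops, looped = received_hops(SAMPLE_BOUNCE_HEADERS)
    print(f"{hops} Received: headers, {len(looped)} self-relays by {sorted(set(looped))}")
```

Run against the thread's DNS data the check reports the one finding that mattered: `MX 0 dataswamp.net -> 72.21.46.218` is not the Postfix box. For a live domain call `check_mx(domain, EXPECTED_SERVER_IPS, dig_mx, dig_a)`; the `.get` lookups in the demo stand in for the resolvers only because the verdict is reproducible offline.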

----------

## quag7

*steveb wrote:*

> Okay. What is the IP of that server where you try to send mail to?

```
65.111.174.154
```

*steveb wrote:*

> Output of postmap -q dicketry.net mysql:/etc/postfix/virtual_transport_maps.cf :

```
root@revolt.hyperqueef.net /etc/postfix : postmap -q dicketry.net mysql:/etc/postfix/virtual_transport_maps.cf
virtual:
```

*steveb wrote:*

> And remove that table= stuff again. The MySQL lookup has changed in Postfix and the Gentoo how-to page is ultra-old. Read here about the new map file format. And since you use Postfix 2.3.6 I know that the new query directive works for you.

Yeah, it's out.  Two other files seem to be called by main.cf which have the old style in them:

virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf

```
user            = mailsql
password        = daspw
dbname          = mailsql
table           = users
select_field    = maildir
where_field     = email
additional_conditions = and postfix = 'y'
hosts           = unix:/var/run/mysqld/mysqld.sock
```

and

virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf

```
user            = mailsql
password        = daspw
dbname          = mailsql
table           = virtual
select_field    = destination
where_field     = email
hosts           = unix:/var/run/mysqld/mysqld.sock
```

*steveb wrote:*

> Output of: postconf -m

```
root@revolt.hyperqueef.net /etc/postfix : postconf -m
btree
cidr
environ
hash
mysql
pcre
proxy
regexp
static
unix
root@revolt.h
```

----------

## quag7

*steveb wrote:*

> I don't get it. The server behind the domain dicketry.net is a Sendmail system. Where is your Postfix?
>
> ```
> callisto ~ # dig +short in mx dicketry.net
> ...
> ```

Wow.  I have no idea what's up with that.  dataswamp.net is another domain I have on another system in another state with another provider.  That may well run sendmail (I don't run the server there - my purpose here is to move my domains on to my own machine completely).  As to why dig thinks they're somehow related, I don't know, but I think obviously this is a DNS issue of some sort since all of that is handled by my registrar.  I will log on to the site and see what's up, but it's the first I'm aware of it.  Rest assured though, that dicketry.net/hyperqueef.net

(I am going to interject here at this point that I REALLY wish I had used two more...flattering domain names for this.  Sorry for that)

As I was saying, rest assured that the system we're concerned with is exclusively postfix - it is a fresh Gentoo system  :Smile: 

----------

## steveb

I tested on the command line and it works:

```
callisto ~ # telnet 65.111.174.154 25
Trying 65.111.174.154...
Connected to 65.111.174.154.
Escape character is '^]'.
220 revolt.hyperqueef.net ESMTP Postfix
ehlo localhost
250-revolt.hyperqueef.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<>
250 2.1.0 Ok
rcpt to:<quag7@dicketry.net>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: test with telnet

cheers
Steve
.
250 2.0.0 Ok: queued as 5A90AA7BE6
quit
221 2.0.0 Bye
Connection closed by foreign host.
callisto ~ #
```

Did you get that mail? If so, then the problem is NOT Postfix but the Sendmail server behind the MX record for the domain dicketry.net.

// SteveB

----------

## quag7

Well, I am HORRIBLY embarrassed.

I did a good 30 hour run without sleep getting that system up and running.  The last thing I was working on was the first virtual domain, mainly as a test.  Apparently the sleep debt zen isn't so zen anymore, and I stupidly entered dataswamp.net into the MX record for dicketry.net.  Why?  Because dataswamp.net is my primary domain and I'm so USED to entering it into the stupid configuration console for other things.

It is a mistake so incredibly stupid, that it wouldn't have even occurred to me to check.

I am *DEEPLY* sorry if this has all been a waste of your time.  I am waiting for the change to propagate and we'll see if things have changed.  Given the nature of the error, I strongly suspect it will.

Sheepishly but grateful,

Quag7

----------

## steveb

No problem! Things happen. In German we usually say: Wo gehobelt wird, da fallen Späne.

Anyway... Have you considered using a frontend for managing your users? I can recommend Postfix.Admin. It is nice and clean.

// SteveB

----------

## quag7

*steveb wrote:*

> No problem! Things happen. In German we usually say: Wo gehobelt wird, da fallen Späne.
>
> Anyway... Have you considered using a frontend for managing your users? I can recommend Postfix.Admin. It is nice and clean.

It works!  Got my first mail through, and it was that ridiculous MX record.  I have been on this for about 7 HOURS.  Egad!  I'm going to mark this thread solved once I run some more tests.

As for a frontend, I've just been using phpmyadmin to populate the user database, which is pretty simple.  As you can tell, I'm sort of new to postfix (I have been running it for years as a simple way to move my crontab/system-related alerts around my LAN here, but basically I haven't looked much at it until now).  I'd read about postfix.admin - I'll give it a look as soon as I'm done sanity checking here  :Smile: 

----------

## steveb

Cool  :Smile: 

If you need more help just let us know.

// SteveB

----------

