Postfix/Dovecot blocking outgoing local email

Hi!

I've followed this guide to set up our own e-mail server:

https://www.linode.com/docs/email/email-with-postfix-dovecot-and-mysql

Everything is working well, I can both send and receive emails to my Linode.

The problem is since this was set up, the root user cannot send logs etc. anymore, they are blocked:

```
Aug 4 04:54:35 liXXX-ZZ postfix/smtp[20601]: connect to my.domain.tld[xxx.yy.156.151]:25: Connection refused
Aug 4 04:54:35 liXXX-ZZ postfix/error[20593]: 286A7B26598: to=<root@my.domain.tld>, orig_to=<root>, relay=none, delay=13182, delays=13182/0.01/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to my.domain.tld[xxx.yy.156.151]:25: Connection refused)
```

How can I allow the root user to still send these emails?

Thanks!

12 Replies

Solved it!

In /etc/postfix/main.cf I changed:

```
mydestination = localhost
```

To:

```
mydestination = localhost, my.domain.tld
```

And all the queued emails are sent! But does this make it more vulnerable, i.e. will anyone using my address as SMTP be able to send emails without logging onto the server, or does it only allow emails created by root/the system?

Because 'mydestination' is just Postfix's way of saying "Oh, I'm supposed to serve mail for that domain," it's supposed to be set to localhost and your domain name.

Spoofing, which is what I believe you are inquiring about, can be prevented by adding either SPF or DKIM records that will allow other mail servers to verify whether or not the e-mail is coming from your server or someone trying to pretend to be you.

DKIM: https://www.linode.com/docs/networking/dns/introduction-to-dns-records#dkim

SPF: https://www.linode.com/docs/networking/dns/introduction-to-dns-records#spf

Thanks,

Dave.

Hi Dave and thanks for the reply!

I already set up SPF as well as DKIM for all outgoing emails. It seems to work fine. Also tried to connect to my SMTP @ Linode from another box without username/password and get the desired error messages in return, i.e. "Relay not allowed" or similar. When I connect using an existing email account it's working fine, just like I want to.

It would be a little disturbing if Postfix (or any MTA) let you log into an account that didn't exist :) However, as long as you have SPF and DKIM working, you won't need to worry (as much) about spoofing, so you should be all set.

Thanks,

Dave.

Thanks again! No experience with this since it's the first time setting up an environment like that, so all help is appreciated.

I also followed this tutorial to setup some rate limiting:

http://steam.io/2013/04/01/postfix-rate-limiting/

Another question, now that everything is up and running, I should adjust the hostname of the box. Right now it's liXXX and the FQDN is liXXX.members.linode.com. I want to change it to email.mydomain.tld, which is the same address all emails are sent from (I read that this will increase my reputation faster).

How do I achieve this? I've read some guides but am a bit nervous that other services will be affected. Thanks!

This is going to depend entirely on your distribution. But, I'd start here:

https://www.linode.com/docs/getting-started#setting-the-hostname

You'll most likely want to change it to 'mydomain.tld' because your e-mails are actually being sent from @mydomain.tld. Unless you actually are sending e-mails as @mail.mydomain.tld. However, adjusting the hostname only isn't going to help your reputation. You'll also want to set up an A record, and then rDNS. See more about that here:

https://www.linode.com/docs/networking/dns/introduction-to-dns-records#ptr

Thanks,

Dave.

Ok, I'm running Debian 6 (Squeeze).

The domain name mails are sent from is mail.domain.tld. I've got an A record as well as an MX record pointed to the box using that domain, so I guess I'll set up reverse DNS for the subdomain?

Also, should the FQDN be "mail.domain.tld"? In that case, what should the hostname be, it has to be "something" related to the FQDN, or can it be whatever?

Thanks!

Hello,

Thanks for that information. The rDNS should likely be your actual domain, unless this is JUST a mail server. So, for example, if your domain is 'yourdomain.com' that would be your rDNS. Even though you're sending mail from 'mail.yourdomain.com' you can still have your rDNS to yourdomain.com.

Now, if you are using this server strictly for e-mails (which can be the case), then yes, you should have both your hostname and rDNS as mail.yourdomain.com.

Regarding the hostname, you can set this to anything, yes, but I would recommend having it set to something related to yourdomain.com. So for example, 'server1.yourdomain.com'. You could then set up an A record that goes directly to your IP address for server1.yourdomain.com.

In conclusion, this is going to entirely depend on what you're using the server for, but in most cases you will not want to have your rDNS as 'mail.yourdomain.com' as you will be specifying this specifically for the mail server. In my experience, setting the rDNS the same as the hostname has worked for Exim (and Postfix, when I used it). You could also set the rDNS to just 'yourdomain.com'.

Thanks,

Dave.
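The reply above says the hostname, the A record and the rDNS (PTR) record should agree. Receiving mail servers check exactly that: the sending IP's PTR must name a host whose A record points back at the same IP (forward-confirmed reverse DNS), and the name announced in HELO/EHLO should resolve to that IP as well. The following is an added example written for this page, not code from the thread or from Linode: a Python check of those three relationships. The DNS records are a constructed table (RFC 5737 address 203.0.113.10, names under example.org and a made-up generic provider PTR name) so it runs offline; for a real check, replace the two lookup functions with `socket.gethostbyaddr` and `socket.gethostbyname_ex`.

```python
import ipaddress

# Constructed record sets for the example (not real DNS data).
GOOD_RECORDS = {                       # hostname, A and PTR all agree
    "PTR": {"203.0.113.10": ["mail.example.org"]},
    "A": {"mail.example.org": ["203.0.113.10"], "example.org": ["203.0.113.10"]},
}
GENERIC_PTR_RECORDS = {                # PTR still carries the hosting provider's default name
    "PTR": {"203.0.113.10": ["generic-ptr.hosting.example"]},
    "A": {"generic-ptr.hosting.example": ["203.0.113.10"],
          "mail.example.org": ["203.0.113.10"]},
}
NO_PTR_RECORDS = {                     # rDNS never set up
    "PTR": {},
    "A": {"mail.example.org": ["203.0.113.10"]},
}
STALE_PTR_RECORDS = {                  # PTR names a host whose A record points elsewhere
    "PTR": {"203.0.113.10": ["old.example.org"]},
    "A": {"old.example.org": ["203.0.113.99"], "mail.example.org": ["203.0.113.10"]},
}


def make_resolver(records):
    """Build PTR and A lookup functions over a record table (offline stand-in for DNS)."""
    def ptr_lookup(ip):
        return records.get("PTR", {}).get(ip, [])

    def a_lookup(name):
        return records.get("A", {}).get(name.lower().rstrip("."), [])

    return ptr_lookup, a_lookup


def check_sender_dns(ip, helo_name, ptr_lookup, a_lookup):
    """Check PTR -> A forward confirmation and the HELO name for a sending IP.

    Returns {"ok": bool, "errors": [...], "warnings": [...]}.  Errors are the
    conditions that commonly get mail rejected or scored as spam; the HELO/PTR
    name mismatch is only a warning because forward confirmation still holds.
    """
    ip = str(ipaddress.ip_address(ip))          # normalise and reject non-addresses
    helo = helo_name.lower().rstrip(".")
    errors, warnings = [], []

    ptr_names = [n.lower().rstrip(".") for n in ptr_lookup(ip)]
    if not ptr_names:
        errors.append(f"{ip} has no PTR record")
    else:
        # Forward-confirmed: at least one PTR name must have an A record back to ip.
        confirmed = [n for n in ptr_names if ip in a_lookup(n)]
        if not confirmed:
            errors.append(f"PTR name(s) {ptr_names} do not resolve back to {ip}")
        if helo not in ptr_names:
            warnings.append(f"HELO name {helo} differs from PTR name(s) {ptr_names}")

    if ip not in a_lookup(helo):
        errors.append(f"HELO name {helo} does not resolve to {ip}")

    return {"ok": not errors, "errors": errors, "warnings": warnings}


def run_examples():
    """Run the check against each constructed record set; returns {label: result}."""
    cases = {
        "good": GOOD_RECORDS,
        "generic_ptr": GENERIC_PTR_RECORDS,
        "no_ptr": NO_PTR_RECORDS,
        "stale_ptr": STALE_PTR_RECORDS,
    }
    return {label: check_sender_dns("203.0.113.10", "mail.example.org", *make_resolver(recs))
            for label, recs in cases.items()}


if __name__ == "__main__":
    for label, result in run_examples().items():
        print(label, result)
```

The "generic_ptr" case is the state a freshly provisioned host is usually in: forward-confirmed, so not rejected outright, but the PTR name has nothing to do with the domain in the From header or the HELO, which is what the reply above means by setting rDNS before expecting reputation to improve.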

Hi,

Thanks!

The server is only used for two things:

1) As a "backup cluster" in our network, all backups made from our app servers as well as a mysql server is saved on this box.

2) As the email server for all outgoing emails in the network, emails are only sent from the app server, i.e. invoice notifications, newsletters etc. No personal emails.

I.e. it's not used for any applications, except for Nagios for monitoring the whole network (4 Linodes).

So you mean I should really use "mail.mydomain.tld" as both hostname and FQDN? The domain is delegated somewhere else, and there are A and MX (mail.mydomain.tld) records pointing to the box, and SPF and DKIM for the subdomain only. I set up rDNS yesterday towards mail.mydomain.tld and it's working fine. As of now the FQDN is "backup.mydomain.tld".

You can set the FQDN to 'mail.yourdomain.tld', but the hostname should be 'mail' as the hostname isn't going to be a FQDN. You could also keep it 'backup.mydomain.tld' and the hostname 'backup'. That's up to you.

Thanks,

Dave.

Now I've changed my hostname and FQDN and all seems to work still. But emails sent to root (cron job reports etc.) aren't delivered anymore. Before, they were sent to 2nd-line@domain.tld, since it's set up that way in both /etc/mailname and /etc/aliases.

Now these emails are sent to root@mail.domain.tld, and the log says "User doesn't exist in the users table".

So, I added root@mail.domain.tld to my MySQL table "users", and mail is delivered, but to that address, not the external one as before. The goal is to send/redirect all of root's mail to an external address. I have been Googling all morning but cannot find the answer.

Thanks!
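Both root-mail problems in this thread (mail for root@my.domain.tld deferred while Postfix tried an SMTP connection before mydestination was changed, and root@mail.domain.tld rejected as unknown in the users table after the hostname change) come down to which Postfix address class the recipient's domain belongs to. The following is an added example written for this page, not Postfix code and not from anyone in the thread: a simplified Python model of Postfix recipient resolution, with constructed domains, a constructed /etc/aliases entry and a constructed stand-in for the MySQL mailbox table. It models three documented Postfix behaviours: an unqualified address such as `root` gets `@$myorigin` appended (on Debian, $myorigin is taken from /etc/mailname); virtual_alias_maps rewrites are applied before the class is decided, for every class; and /etc/aliases (alias_maps) is consulted only for domains listed in mydestination, so it is never applied to a domain that lives in virtual_mailbox_domains.

```python
from dataclasses import dataclass, field


@dataclass
class PostfixConfig:
    """The main.cf settings the model looks at (all values are constructed for the example)."""
    myorigin: str                                            # Debian: contents of /etc/mailname
    mydestination: set                                       # domains delivered by local(8)
    virtual_mailbox_domains: set = field(default_factory=set)
    virtual_mailboxes: set = field(default_factory=set)      # stand-in for the MySQL users table
    virtual_alias_maps: dict = field(default_factory=dict)   # full address -> new address
    alias_maps: dict = field(default_factory=dict)           # /etc/aliases: local part -> target


def qualify(addr, cfg):
    """Postfix appends @$myorigin to an unqualified address such as 'root'."""
    return addr if "@" in addr else f"{addr}@{cfg.myorigin}"


def expand(addr, table, depth=0):
    """Follow a rewrite table until nothing matches; bounded so an alias loop fails loudly."""
    if depth > 20:
        raise ValueError(f"alias loop while expanding {addr}")
    return expand(table[addr], table, depth + 1) if addr in table else addr


def resolve(recipient, cfg, depth=0):
    """Return (address_class, final_address): where Postfix would hand the message."""
    if depth > 20:
        raise ValueError(f"alias loop while resolving {recipient}")
    # Virtual aliasing runs before the class decision and applies to every class.
    addr = expand(qualify(recipient, cfg), cfg.virtual_alias_maps)
    local_part, domain = addr.rsplit("@", 1)
    if domain in cfg.mydestination:                 # "local" class: local(8) delivers it
        if local_part in cfg.alias_maps:            # /etc/aliases is consulted only here
            return resolve(cfg.alias_maps[local_part], cfg, depth + 1)
        return ("local", addr)
    if domain in cfg.virtual_mailbox_domains:       # "virtual mailbox" class: Dovecot/MySQL
        if addr in cfg.virtual_mailboxes:
            return ("virtual", addr)
        return ("bounce", f"{addr}: unknown virtual mailbox")   # the "user doesn't exist" case
    return ("remote", addr)                         # handed to smtp(8): MX lookup, port 25


ALIASES = {"root": "2nd-line@domain.tld"}           # constructed /etc/aliases content


def before_fix():
    """mydestination = localhost: the server's own domain counts as remote."""
    cfg = PostfixConfig(myorigin="my.domain.tld", mydestination={"localhost"}, alias_maps=ALIASES)
    return resolve("root", cfg)


def after_fix():
    """mydestination = localhost, my.domain.tld: /etc/aliases now applies to root."""
    cfg = PostfixConfig(myorigin="my.domain.tld",
                        mydestination={"localhost", "my.domain.tld"}, alias_maps=ALIASES)
    return resolve("root", cfg)


def after_hostname_change(with_virtual_alias=False):
    """myorigin is now a virtual mailbox domain, so /etc/aliases is ignored for root."""
    cfg = PostfixConfig(
        myorigin="mail.domain.tld",
        mydestination={"localhost"},
        virtual_mailbox_domains={"mail.domain.tld"},
        virtual_mailboxes={"noreply@mail.domain.tld"},   # constructed users-table row
        alias_maps=ALIASES,
    )
    if with_virtual_alias:                          # the class-independent redirect
        cfg.virtual_alias_maps["root@mail.domain.tld"] = "2nd-line@domain.tld"
    return resolve("root", cfg)


if __name__ == "__main__":
    print("before fix:            ", before_fix())
    print("after fix:             ", after_fix())
    print("after hostname change: ", after_hostname_change())
    print("with virtual alias:    ", after_hostname_change(with_virtual_alias=True))
```

A domain belongs to exactly one class; the Postfix documentation warns against listing the same domain in both mydestination and virtual_mailbox_domains. In the model, the virtual_alias_maps entry is what turns root@mail.domain.tld into a remote delivery to the external address, while the /etc/aliases entry has no effect on a virtual domain, which is the behaviour described in the last post above.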
