postfix says: "mail for domain.tld loops back to myself"

  • Hi guys,


    i-MSCP is on the latest version, installed on Debian Jessie 64-bit.
    i-MSCP is behind NAT.
    i-MSCP is configured as a master DNS server, syncing with 3 slave DNS servers, which is working.
    i-MSCP is configured not to use its own DNS server for name resolution. The Debian DNS client is configured to use the firewall as DNS server, which provides split-DNS.


    A customer has a domain which is configured for an external mailserver, and the MX record is configured in i-MSCP and synced to the other nameservers, viewable from outside.
    The customer's contact e-mail address is a mailbox hosted on this external mailserver: [email protected]
    The customer can communicate well with other people.


    The problem is that i-MSCP itself cannot send mail to this customer (e.g. in case of password recovery).


    Logfile in Postfix:


    Code
    Mar 1 11:10:00 hosting postfix/qmgr[1286]: 9493621618: from=<[email protected]>, size=1033, nrcpt=1 (queue active)
    Mar 1 11:10:00 hosting postfix/smtp[1324]: 9493621618: to=<[email protected]>, relay=none, delay=15, delays=15/0.04/0/0, dsn=5.4.6, status=bounced (mail for customerdomain.tld loops back to myself)
    Mar 1 11:10:00 hosting postfix/cleanup[1290]: 923C524F8F: message-id=<[email protected]>
    Mar 1 11:10:00 hosting postfix/bounce[1325]: 9493621618: sender non-delivery notification: 923C524F8F
    Mar 1 11:10:00 hosting postfix/qmgr[1286]: 923C524F8F: from=<>, size=3239, nrcpt=1 (queue active)
    Mar 1 11:10:00 hosting postfix/qmgr[1286]: 9493621618: removed
    Mar 1 11:10:00 hosting postfix/local[1327]: 923C524F8F: to=<[email protected]>, relay=local, delay=0.04, delays=0.01/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user: "noreply")
    Mar 1 11:10:00 hosting postfix/qmgr[1286]: 923C524F8F: removed
    Mar 1 11:10:00 hosting spamd[1020]: prefork: child states: II

    Why is Postfix not delivering the mail to the external mailserver?


    Thank you for your time!
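    As an added example (not code from the thread or from i-MSCP), a small Python parser for Postfix syslog lines of the kind shown above. It links each non-delivery notification to the queue ID of the original message and flags the two failures visible in the log: the 5.4.6 "loops back to myself" bounce, and the bounce of that bounce, which fails because the envelope sender "noreply" is not a local user. The sample lines are constructed; hostnames, addresses and the message-id are placeholders, not the poster's real values.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the thread's log (placeholder addresses).
SAMPLE_LOG = """\
Mar  1 11:10:00 hosting postfix/qmgr[1286]: 9493621618: from=<noreply@hosting.example>, size=1033, nrcpt=1 (queue active)
Mar  1 11:10:00 hosting postfix/smtp[1324]: 9493621618: to=<user@customerdomain.tld>, relay=none, delay=15, delays=15/0.04/0/0, dsn=5.4.6, status=bounced (mail for customerdomain.tld loops back to myself)
Mar  1 11:10:00 hosting postfix/cleanup[1290]: 923C524F8F: message-id=<20170301101000.923C524F8F@hosting.example>
Mar  1 11:10:00 hosting postfix/bounce[1325]: 9493621618: sender non-delivery notification: 923C524F8F
Mar  1 11:10:00 hosting postfix/qmgr[1286]: 923C524F8F: from=<>, size=3239, nrcpt=1 (queue active)
Mar  1 11:10:00 hosting postfix/qmgr[1286]: 9493621618: removed
Mar  1 11:10:00 hosting postfix/local[1327]: 923C524F8F: to=<noreply@hosting.example>, relay=local, delay=0.04, delays=0.01/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user: "noreply")
Mar  1 11:10:00 hosting postfix/qmgr[1286]: 923C524F8F: removed
Mar  1 11:10:01 hosting postfix/smtp[1324]: AAAA000001: to=<ok@example.net>, relay=mx.example.net[203.0.113.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 OK)
Mar  1 11:10:01 hosting spamd[1020]: prefork: child states: II
"""

# syslog prefix + "postfix/<daemon>[pid]: <queue id>: <rest>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+postfix/(?P<prog>\w+)\[\d+\]:\s+"
    r"(?P<qid>[0-9A-F]+):\s+(?P<rest>.*)$"
)
FROM_RE = re.compile(r"^from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(
    r"^to=<(?P<addr>[^>]*)>,.*?dsn=(?P<dsn>[\d.]+),\s+status=(?P<status>\w+)\s+\((?P<reason>.*)\)$"
)
BOUNCE_RE = re.compile(r"^sender non-delivery notification:\s+(?P<bid>[0-9A-F]+)$")


@dataclass
class Finding:
    queue_id: str
    sender: str
    recipient: str
    dsn: str
    reason: str
    kind: str                          # "loops-back", "bounce-undeliverable" or "bounced"
    original_id: Optional[str] = None  # set when this queue id is the DSN for another message


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per bounced delivery, linking DSNs to their originals."""
    senders: dict[str, str] = {}      # queue id -> envelope sender ("" for the null sender)
    deliveries: dict[str, tuple] = {}  # queue id -> (recipient, dsn, status, reason)
    bounce_of: dict[str, str] = {}     # DSN queue id -> original queue id
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # non-postfix lines (spamd etc.) are ignored
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if (f := FROM_RE.match(rest)):
            senders[qid] = f.group("addr")
        elif (t := TO_RE.match(rest)):
            deliveries[qid] = (t.group("addr"), t.group("dsn"), t.group("status"), t.group("reason"))
        elif (b := BOUNCE_RE.match(rest)):
            bounce_of[b.group("bid")] = qid

    findings: list[Finding] = []
    for qid, (rcpt, dsn, status, reason) in deliveries.items():
        if status != "bounced":
            continue
        if "loops back to myself" in reason:
            kind = "loops-back"            # MX/A of the domain points at this host
        elif qid in bounce_of:
            kind = "bounce-undeliverable"  # the DSN itself could not be delivered
        else:
            kind = "bounced"
        findings.append(Finding(qid, senders.get(qid, "?"), rcpt, dsn, reason, kind, bounce_of.get(qid)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        link = f" (DSN for {f.original_id})" if f.original_id else ""
        print(f"{f.queue_id}{link}: {f.kind} dsn={f.dsn} from=<{f.sender}> to=<{f.recipient}>: {f.reason}")
```

    Feed it `/var/log/mail.log` instead of the constructed sample to see the same correlation on a live host; a "bounce-undeliverable" finding means the sender address Postfix uses for notifications does not exist locally, so the original failure is only visible in the log, never in a mailbox.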

  • I did some research with another customer. In this case, the mailserver IP of the customer domain which does not work is an RFC 1918 private IP, because this mailserver is in our datacenter behind another firewall. If the IP is a public IP, it works.


    So it seems that Postfix ignores private IPs in MX records.


    Where is the right place to modify the Postfix config so that it doesn't get overwritten by an i-MSCP update?

  • @cmcologne


    From the i-MSCP server, what is the result of the following commands:


    Code
    1. # dig mx customerdomain.tld


    Here, I expect the external MX with the correct private IP, as you mentioned.


    Also: Be sure that customerdomain.tld is listed in the /etc/postfix/imscp/relay_domains table
    Also, Be sure that customerdomain.tld is not listed in the /etc/postfix/imscp/domains table


  • Thank you @Nuxwin for your quick response.


    dig mx customerdomain.tld
    gives me no answer. But it is asking the firewall (where the DNS for split-DNS runs) on the right IP. When I specify the nameserver with @8.8.8.8 to ask Google instead, I get the right MX record.


    The A record of the FQDN of the mailserver resolves perfectly, giving me the RFC 1918 IP of the mailserver.


    I will now investigate in pfSense where the problem is. After fixing the name-resolution issue in the firewall, I will test again and report.


    The cause of a problem is every time... the one tiny important thing you don't check first...

  • @cmcologne


    You're welcome.


    BTW: I've edited my answer (last two lines were wrong).


  • @Nuxwin



    I restarted the DNS service on pfSense to clear the cache.
    The log level is set to the highest level configured for the DNS server running on the firewall.


    192.168.181.33 is the firewall and the DNS server configured for the machine.
    192.168.181.34 is the i-MSCP machine itself.


    When I try to get MX records for google.de:

    Code
    root@hosting:~# dig mx google.de +all

    ; <<>> DiG 9.9.5-9+deb8u9-Debian <<>> mx google.de +all
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15111
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;google.de.                     IN      MX

    ;; ANSWER SECTION:
    google.de.              587     IN      MX      10 aspmx.l.google.com.
    google.de.              587     IN      MX      20 alt1.aspmx.l.google.com.
    google.de.              587     IN      MX      40 alt3.aspmx.l.google.com.
    google.de.              587     IN      MX      50 alt4.aspmx.l.google.com.
    google.de.              587     IN      MX      30 alt2.aspmx.l.google.com.

    ;; Query time: 4 msec
    ;; SERVER: 192.168.181.33#53(192.168.181.33)
    ;; WHEN: Thu Mar 02 11:46:07 CET 2017
    ;; MSG SIZE  rcvd: 156


    I get an answer, and I get massive logging in the DNS server:



    Code
    Mar 2 11:49:47 unbound 29530:3 info: receive_udp on interface: 192.168.181.33
    Mar 2 11:49:47 unbound 29530:3 debug: udp request from ip4 192.168.181.34 port 51850 (len 16)
    ... resolving part very detailed, therefore cut ...
    Mar 2 11:49:47 unbound 29530:3 info: send_udp over interface: 192.168.181.33

    So the DNS server gets a request, resolves it, and answers back.




    When I try to resolve the problematic customer domain, I get no answer, and in the DNS server logfile there is not even a "unbound 29530:3 debug: udp request from ip4 192.168.181.34"; there is nothing. It looks like dig never asked.



    Quote from Nuxwin

    Also: Be sure that customerdomain.tld is listed in the /etc/postfix/imscp/relay_domains table
    Also, Be sure that customerdomain.tld is not listed in the /etc/postfix/imscp/domains table

    listed in /etc/postfix/imscp/relay_domains
    not listed in /etc/postfix/imscp/domains

  • @cmcologne


    From the pfSense host, what is the result when you dig on customerdomain.tld?


  • When I try to resolve the problematic customer domain, I get no answer, and in the DNS server logfile there is not even a "unbound 29530:3 debug: udp request from ip4 192.168.181.34"; there is nothing. It looks like dig never asked.

    There is nothing in the logfile.

  • @cmcologne


    Please, just answer my question. You did a dig via your i-MSCP server (hosting host). Connect to your pfsense host (192.168.181.33) and do:


    Code
    # dig mx customerdomain.tld +all


  • Yes, I did. And at the bottom it is written that it talks to the firewall:

    Code
    ;; Query time: 0 msec
    ;; SERVER: 192.168.181.33#53(192.168.181.33)
    ;; WHEN: Thu Mar 02 11:46:17 CET 2017
    ;; MSG SIZE rcvd: 41

    I'm now kicking out split-DNS in pfSense and moving to Pure NAT, because the issue should be related to the firewall not logging the request and not answering it correctly. That allows me to use the public IP for internal connections.


    E-mail routing is now working well. Thanks for your time!