8 Replies Latest reply: Nov 3, 2009 4:06 AM by pterobyte
Paul Derby Level 1 Level 1
After giving up on doing an upgrade from OS X Server 10.5.6 to 10.6.1, I bought a second Mini with Snow Leopard Server installed and am configuring it to eventually replace the 10.5.6 server.

I have email working just fine, except that when I change the delivery address in Postini from the Leopard server host name to the Snow Leopard Server host name, my incoming mail gets "bounced" due to too many hops.

If I change the delivery address back to the Leopard server host name, everything works just fine.

Here is the SMTP log from Snow Leopard:

Nov 2 10:38:32 testserve postfix/smtp[62796]: DFF1D4FA90: to=<pderby@pderby.com>, relay=pderby.com.s7a1.psmtp.com[]:25, delay=1.9, delays=0/0.01/0.39/1.5, dsn=5.0.0, status=bounced (host pderby.com.s7a1.psmtp.com[] said: 554 Too many hops - psmtp (in reply to end of DATA command))
Nov 2 10:38:32 testserve postfix/cleanup[62802]: C6D134FA93: message-id=<20091102153832.C6D134FA93@testserve.pderby.com>

Several postings in various groups indicated this could be due to MX record problems resulting in looping. I changed the Postini destination address from the domain name to the Snow Leopard IP address and get the same bounce due to too many hops.

A DIG on the MX records for the host name of the Snow Leopard Server looks just fine.

The DNS records that I have on both servers and on zoneedit look just fine.

I checked both Postfix config files and I don't see anything that would cause problems. I think the bounce is coming from Postini, not from the Snow Leopard Server.... but not sure since Postini is logging to the SMTP log on the Snow Leopard Server.

Anyone else experiencing this same problem using Postini for SPAM filtering ahead of mail deliver?

Any ideas on how to resolve this problems would be appreciated.

Message was edited by: Paul Derby

Two Mac Mini's running OS X Server, Mac OS X (10.6.1)
  • pterobyte Level 6 Level 6
    Servers Enterprise
    Sounds like your message is being bounced back and forth between postini and your server. Most likely because your mail server does not think it is responsible for mail to your domain/user.

    First thing to check is that your mail server does accept mail for the mail addresses needed. Try and send local mail or change the mx record to point to your mail server directly.

    Once it does work locally and if you still have issues, please post the output of postconf -n of your server.

    Message was edited by: pterobyte
  • Paul Derby Level 1 Level 1
    I can send email directly to my new server with no problems. I set the firewall to allow a port 25 connection from my ISP to the server and was able to send email both via the internet and via the local LAN.

    Here is the postfix configuration file followed by a DIG for the MX records for my domain:

    admin$ postconf -n
    biff = no
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[]:10024
    daemon_directory = /usr/libexec/postfix
    debugpeerlevel = 2
    enableserveroptions = yes
    header_checks = pcre:/etc/postfix/customheaderchecks
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = all
    mail_owner = _postfix
    mailboxsizelimit = 0
    mailbox_transport = dovecot
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    messagesizelimit = 10485760
    mydestination = $myhostname, localhost.$mydomain, localhost
    mydomain = pderby.com
    mydomain_fallback = localhost
    myhostname = testserve.pderby.com
    mynetworks =,,,, 30,,,,,,20,,,,,66.2 51.110.0/24
    newaliases_path = /usr/bin/newaliases
    queue_directory = /private/var/spool/postfix
    readme_directory = /usr/share/doc/postfix
    recipient_delimiter = +
    relayhost =
    sample_directory = /usr/share/doc/postfix/examples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = _postdrop
    smtpdclientrestrictions = permit_mynetworks permitsaslauthenticated permit
    smtpdenforcetls = no
    smtpdhelorequired = yes
    smtpdhelorestrictions = rejectinvalid_helohostname rejectnon_fqdn_helohostname
    smtpdpw_server_securityoptions = login,gssapi,cram-md5
    smtpdrecipientrestrictions = permitsaslauthenticated permit_mynetworks rejectunauthdestination checkpolicyservice unix:private/policy permit
    smtpdsasl_authenable = yes
    smtpdtlsCAfile = /etc/certificates/testserve.pderby.com.E725ED0E355F2649871E4256C1F86657A9840ABC .chain.pem
    smtpdtls_certfile = /etc/certificates/testserve.pderby.com.E725ED0E355F2649871E4256C1F86657A9840ABC .cert.pem
    smtpdtls_excludeciphers = SSLv2, aNULL, ADH, eNULL
    smtpdtls_keyfile = /etc/certificates/testserve.pderby.com.E725ED0E355F2649871E4256C1F86657A9840ABC .key.pem
    smtpduse_pwserver = yes
    smtpdusetls = yes
    unknownlocal_recipient_rejectcode = 550
    virtualaliasmaps =

    macbookpro-2:~ pderby$ dig pderby.com mx

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> pderby.com mx
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24819
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2

    ;pderby.com. IN MX

    pderby.com. 7200 IN MX 0 pderby.com.s7a1.psmtp.com.
    pderby.com. 7200 IN MX 5 pderby.com.s7a2.psmtp.com.
    pderby.com. 7200 IN MX 10 pderby.com.s7b1.psmtp.com.
    pderby.com. 7200 IN MX 15 pderby.com.s7b2.psmtp.com.
    pderby.com. 7200 IN MX 100 mx2.zoneedit.com.

    pderby.com. 7200 IN NS ns8.zoneedit.com.
    pderby.com. 7200 IN NS ns13.zoneedit.com.

    mx2.zoneedit.com. 171 IN A
    ns13.zoneedit.com. 159 IN A

    ;; Query time: 65 msec
    ;; SERVER:
    ;; WHEN: Mon Nov 2 13:18:30 2009
    ;; MSG SIZE rcvd: 260

    macbookpro-2:~ pderby$
  • Camelot Level 8 Level 8
    Mac OS X
    The problem is clearly:

    mydestination = $myhostname, localhost.$mydomain, localhost

    So your server isn't set to only accept mail addressed to username@testserve.pderby.com, username@localhost.pderby.com, or username@localhost

    This is the default setup in Snow Leopard Mail Server. You need to add 'pderby.com' as an additional domain that your mail server accepts mail for (Server Admin -> Mail -> Advanced -> Hosting -> Local Host Aliases.

    This is the field that tells postfix what domains to accept mail for.
  • pterobyte Level 6 Level 6
    Servers Enterprise
    According to the output of postconf -n, your mail server is not set to accept mail for pderby.com. You need to add pderby.com to the local host aliases in Server Admin (or add it to mydestination in main.cf).

    Also, I would not recommend having external IPs in mynetworks unless absolutely necessary. I didn't check the IPs, but I would think you also added Postini's IP. This is why mail to your server for pderby.com was not rejected, but since it is not a final destination for your domain, your server tried to deliver back to Postini (as per the MX records).

    You should also disable greylisting since you have mail filtered by Postini already.


    P.S. Camelot was faster

    Message was edited by: pterobyte
  • Paul Derby Level 1 Level 1
    Thank you both! It works just fine now. I missed that I had to add the host name to the local host aliases.

    I had the external IP's in the list for testing only. Now that it works, I'll lock down the list to just the ones I need.

    It would seem reasonable to me that Snow Leopard would default to generating a config file with your domain name already added to the local host aliases...
  • Camelot Level 8 Level 8
    Mac OS X
    It would seem reasonable to me that Snow Leopard would default to generating a config file with your domain name already added to the local host aliases...

    I thought that too, at first, but have since changed my thinking...

    While this might seem to make sense at one level, you can get into a lot of trouble setting up a mail server without thinking about all the parts and pieces. Spam filters, relay rules, quotas, authentication etc. all need to be setup before your mail server is ready, and everyone's settings are going to be different.

    Therefore, since you have to go through additional steps anyway before you can run your own mail server it doesn't hurt to include setting the domain name as one of those steps.

    By setting the mail server to only accept a specific set of hostnames by default you can test your mail environment safely before opening it up to the wide world.

    I have no idea if that was the thinking behind the Snow Leopard's developer teams, but it seems reasonable.
  • Paul Derby Level 1 Level 1
    Well, we differ in our thinking. Of course one has to pay attention to a lot of details, especially details that are external to the machine such as user names, groups, dns machine records, etc. etc. But the domain name is integral to the machine and is specified as part of the install process using the configuration "tool" that gets executed when you first boot up Snow Leopard. Propagating this name into the Postfix configuration files seems completely reasonable. When would you not put the domain name into the configuration file? It seems that most times you would, so why not go ahead and let the startup too add it when Snow Leopard builds the initial config file for the machine. The idea is to get people going in a hurry, not to have them surf google to find out what is wrong from examining log entries.

    If Apple isn't going to add the domain name automatically as part of the startup configuration process, then it should be documented that you HAVE to do this instead of relying on memory that this step has to be done manually.

    I think I found at least 25 postings of this Postini "hop" situation using Google to search for the symptoms. Not one single posting that I found had the solution of adding the domain name to the configuration file. There was all sorts of speculation about having correct DNS entries and circular MX records... So I spent the better part of yesterday checking and rechecking my DNS stuff.

    Just my opinion as someone that picked OS X Server hoping to minimize my work....

    But I do thank you both for pointing out the missing setting. Without your help I would still be trying to figure out what I did wrong in my DNS settings.

    Message was edited by: Paul Derby
  • pterobyte Level 6 Level 6
    Servers Enterprise
    Actually, I think Apple has made it quite easy to include the server's domain name. There's even a checkbox "Include server's domain as local host alias" above the list of local host aliases in Server Admin.