
Narcissistic Mail Server

I'm testing a new mail server configuration and have developed a fatal problem I’m unable to puzzle out on my own. The real life configuration involves four servers, but I’m starting with two to simplify testing. I have an existing configuration using 10.5 which works fine, but want to migrate to 10.6, which doesn’t. I’ve a good knowledge of OS X Server, and am familiar but not expert with postfix.

I run an ISP-style setup. Each server should act as MX backup for the other. Both test servers use virtual domains and OS X Server style aliases held in Open Directory. All other services on both servers appear to be running clean and happy.

With the names altered to try to make this more comprehensible, it all looks like this:

*Test Server #1*

ip: 111.111.111.111
main domain: glutinous.com
host name: wheat.glutinous.com
test virtual domain: sourdough.com
test account: bryan sourdoughcom
test address: bryan@sourdough.com
virtual_domains: sourdough.com
relay_domains: pumpernickle.com

*Test Server #2*

ip: 222.222.222.222
main domain: glutinous.com
host name: rye.glutinous.com
test virtual domain: pumpernickle.com
test account: bryan pumpernicklecom
test address: bryan@pumpernickle.com
virtual_domains: pumpernickle.com
relay_domains: sourdough.com

DNS

DNS for all hosts and virtual domains resolves correctly. MX records look like this:

sourdough.com. 3600 IN MX 10 mail.wheat.glutinous.com.
sourdough.com. 3600 IN MX 20 mail.rye.glutinous.com.

pumpernickle.com. 3600 IN MX 10 mail.rye.glutinous.com.
pumpernickle.com. 3600 IN MX 20 mail.wheat.glutinous.com.

*And Now, Some Pain*

The hosts of bryan@sourdough.com and bryan@pumpernickle.com happily exchange mail with any server on earth except for each other.

If bryan@sourdough.com sends mail to bryan@pumpernickle.com, its host wheat.glutinous.com creates the account bryanpumpernicklecom on itself, and receives the message itself. It never contacts the destination host of bryan@pumpernickle.com (rye.glutinous.com) at all.

And vice versa. When asked to speak to each other, the two servers become neurotically introspective, stare into their own navels, and send test messages to themselves.

*A Clue*

Continuing the example above, if I create the following entry in virtual_users, the problem vanishes and everything works.

bryan@sourdough.com bryan@sourdough.com


*But Still Clueless*

My reach has exceeded my grasp, my brain is fried, and I just don’t get it. I particularly don’t understand why telling wheat.glutinous.com that bryan@sourdough.com should be forwarded to itself persuades it to send the message off to rye.glutinous.com.

The output of postconf -n is below.

I’m going to take a break, repair the espresso machine, and pray I can depend on the kindness of strangers.

Thanks,
Bryan

postconf -n for wheat.glutinous.com:

biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = localhost
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 52428800
mydomain = sourdough.com
mydomain_fallback = localhost
myhostname = wheat.glutinous.com
mynetworks = 127.0.0.0/8 111.111.111.111 222.222.222.222
newaliases_path = /usr/bin/newaliases
owner_request_special = no
permit_mx_backup_networks = $mynetworks
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps =
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_sasl_authenticated permit_mynetworks reject_rbl_client zen.spamhaus.org permit
smtpd_data_restrictions = permit_mynetworks reject_unauth_pipelining reject_multi_recipient_bounce permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks check_helo_access hash:/etc/postfix/helo_access reject_non_fqdn_helo_hostname reject_invalid_helo_hostname permit
smtpd_pw_server_security_options = cram-md5 login plain
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_non_fqdn_sender reject_unknown_sender_domain reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated permit_mx_backup reject_unauth_destination reject_non_fqdn_hostname reject_invalid_hostname reject_unlisted_recipient reject_rhsbl_recipient zen.spamhaus.org permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks reject_non_fqdn_sender reject_rhsbl_sender zen.spamhaus.org reject_unknown_sender_domain permit
smtpd_tls_CAfile = /etc/certificates/wheat.glutinous.com.B5E2C62A67054B9826A2F9E30921B8812B17EA4E.chain.pem
smtpd_tls_cert_file = /etc/certificates/wheat.glutinous.com.B5E2C62A67054B9826A2F9E30921B8812B17EA4E.cert.pem
smtpd_tls_exclude_ciphers = SSLv2 aNULL ADH eNULL
smtpd_tls_key_file = /etc/certificates/wheat.glutinous.com.B5E2C62A67054B9826A2F9E30921B8812B17EA4E.key.pem
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
virtual_alias_maps = $virtual_maps hash:/etc/postfix/virtual_users

Mac Pro 2x2.26 Quad, et al, Mac OS X (10.6.4), OS X Server 10.6.4

Posted on Nov 1, 2010 4:14 PM
