Mavericks mail server "user unknown" error

For some reason, the mail server bounces the email sent to local network users and returns a "user unknown" error. The same error is received when an email from an external domain is sent to one of the open directory associated email addresses.

However, sending email from these accounts works just fine, just like sending and receiving email associated with the diradmin account.

OS X Server

Posted on Apr 19, 2014 8:32 PM

14 replies

Apr 20, 2014 5:22 AM in response to LexCur70

Hi LexCur70,


Did you verify that every open directory is indeed an open directory user? Use dscl in the terminal to verify that a user is present in the LDAP database and not locally.

You can use Directory Utility in the Server.app utilities menu, go to last tab "directory editor" and check that every user has the correct mail address.


Also what are your dns settings and for which domain does the server accept mail?

For the first couple of hours when you have the mailserver starting with spamfiltering and virusfiltering the greylist might be active and external clients might be put on hold to verify that your server isn't being spammed. You can turn that greylisting off, but first verify with serveradmin:

sudo serveradmin settings mail

then you can disable greylist if it is active

sudo serveradmin settings mail:postfix:greylist_enabled = no


Sending is usually not the problem, but receiving when DNS is not OK could cause issues like you describe.

What is the response when you use: sudo changeip -checkhostname?

It should say:

The names match. There is nothing to change.


Good luck!


Jeffrey

StarPine Support

Apr 20, 2014 12:24 PM in response to LexCur70

The $ signs in the following indicate the command-line prompt for the command — don't enter that character. Enter what follows it, and then confirm the responses are as expected.


First thing is to check DNS, that's always a target for these errors. In addition to the suggested


sudo changeip -checkhostname


command, you'll also want to verify the internal and public MX records for the mail server. Assume the domain example.com in the following, and your mail server is on the foo.example.org server, and 10.20.30.40 is whatever IP address is associated with your mail server — use whatever address you got back from the command as input into the subsequent reverse (-x) command:


$ dig +short MX example.com

foo.example.org

$ dig +short foo.example.org

10.20.30.40

$ dig +short -x 10.20.30.40

foo.example.org

$


Also check the same for your internal DNS configuration, and your internal host name. (If you're using the same domain inside and outside your gateway-firewall-router-NAT box, then things are going to get somewhat more complex to configure and troubleshoot.)


As for troubleshooting, please generate the rejection from the mail server — try the mail message to the failing address — then use Console.app from Applications > Utilities to view the mail server log — Server.app can be used here, as well. Expurgate private details, then post up the relevant log entries here. (Or post the DNS domain and related detail, and we can verify it for you — the spammers have already found the open TCP port 25 connection and the MX record, so that's not a factor. But if you'd prefer to obfuscate this information, please replace your domain — just your domain, consistently — with example.com or (when it's a host) with mail.example.com — and replace your public static IP address with 10.20.30.40 — and please perform this replacement consistently.)


jepping also mentions greylisting, and that's not likely going to trigger this; this is the difference between "450 Requested mail action not taken: mailbox unavailable (e.g., mailbox busy or temporarily blocked for policy reasons)" of greylisting and "550 Requested action not taken: mailbox unavailable (e.g., mailbox not found, no access, or command rejected for policy reasons)". The difference there is that the 400-series code means it's a transient error, where a 500 series code means it's a permanent error. Greylisting works by intentionally generating those transient errors. Further, rejecting messages from local clients also should not encounter greylisting in general — that rejection could arise if there's a second domain in use internally, and the mail server is not configured to virtually host that domain.
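The MX, forward and reverse lookups described in the reply above can be checked mechanically from a pasted terminal session. This is an added example, not part of the original post; the function names and both sample sessions are constructed, and the parser accepts the preference number and trailing dot that real `dig +short MX` output carries.

```python
def parse_dig_session(text):
    """Map each 'dig ...' command in a pasted terminal session to its answer lines."""
    answers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("$"):
            cmd = " ".join(line[1:].split())
            current = cmd if cmd.startswith("dig ") else None
            if current is not None:
                answers[current] = []
        elif current is not None:
            answers[current].append(line)
    return answers


def norm(name):
    """Compare host names without the trailing root dot and without case."""
    return name.rstrip(".").lower()


def check_mail_dns(domain, session_text):
    """Return a list of problems in the MX -> A -> PTR chain (empty list = consistent)."""
    answers = parse_dig_session(session_text)
    mx_lines = answers.get(f"dig +short MX {domain}", [])
    if not mx_lines:
        return [f"{domain}: no MX record"]
    problems = []
    for entry in mx_lines:
        host = norm(entry.split()[-1])          # "10 foo.example.org." -> host part
        addrs = answers.get(f"dig +short {host}", [])
        if not addrs:
            problems.append(f"{host}: no A record")
        for ip in addrs:
            ptrs = [norm(p) for p in answers.get(f"dig +short -x {ip}", [])]
            if host not in ptrs:
                problems.append(f"{ip}: reverse DNS does not name {host}")
    return problems


# Constructed sessions using the placeholder names from the reply above.
GOOD = """\
$ dig +short MX example.com
10 foo.example.org.
$ dig +short foo.example.org
10.20.30.40
$ dig +short -x 10.20.30.40
foo.example.org.
$
"""
BROKEN = """\
$ dig +short MX example.com
10 foo.example.org.
$ dig +short foo.example.org
$
"""

if __name__ == "__main__":
    print(check_mail_dns("example.com", GOOD))
    print(check_mail_dns("example.com", BROKEN))
```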

Apr 20, 2014 1:03 PM in response to MrHoffman

DNS general --> The names match. There is nothing to change.


dig +short MX example.com

foo.example.org --> no issues here


$ dig +short foo.example.org

10.20.30.40 --> no ip returned


Please note this is a test server that uses hosted DNS from Dyn in combination with dynamic host update. However, as the admin mail account does work fine, both sending and receiving, I think something else triggers this error.


Server.app recent mail server error log:


Apr 19 16:57:24 auth: Error: od[getpwnam_ext](lex): No record for user

Apr 19 17:06:35 auth: Error: od[getpwnam_ext](lex): No record for user

Apr 19 17:16:28 auth: Error: od[getpwnam_ext](lex): No record for user

Apr 19 17:23:46 auth: Error: od[sacl check](lexvanderwerff,173.255.184.152,<Wiqh4Wv3DgCt/7iY>): mbr_user_name_to_uuid(lexvanderwerff, guid) failed: (2) No such file or directory

Apr 19 17:23:46 auth: Error: od(lexvanderwerff,173.255.184.152,<Wiqh4Wv3DgCt/7iY>): validate response: lookup failed for user: lexvanderwerff

Apr 19 17:23:52 auth: Error: od[getpwnam_ext](lexvanderwerff,173.255.184.152,<Wiqh4Wv3DgCt/7iY>): No record for user

Apr 19 17:32:43 auth: Error: od[getpwnam_ext](lex): No record for user

Apr 19 22:16:52 auth: Error: od[getpwnam_ext](lex): No record for user

Apr 19 22:24:22 auth: Error: od[getpwnam_ext](lex): No record for user

Apr 19 22:48:55 auth: Error: od[getpwnam_ext](lex): No record for user

Apr 19 22:49:29 auth: Error: od[getpwnam_ext](lex): No record for user

Apr 19 23:06:37 auth: Error: od[getpwnam_ext](lex): No record for user

Apr 20 15:56:08 auth: Error: od[getpwnam_ext](lex): No record for user

Apr 20 15:56:09 auth: Error: od[getpwnam_ext](lex): No record for user

Apr 20 15:56:26 auth: Error: od[getpwnam_ext](lex): No record for user



Thanks!

Lex

Apr 20, 2014 1:47 PM in response to LexCur70

LexCur70 wrote:


$ dig +short foo.example.org

10.20.30.40 --> no ip returned


Please note this is a test server that uses hosted DNS from Dyn in combination with dynamic host update.


Test server or not, mail servers configured at dynamic IP addresses are increasingly assumed to be spam engines by receiving mail servers — this if the ISP has not gone a step further and explicitly flagged the address in a policy block list — and mail from those servers will increasingly not be accepted by receiving mail servers. Put another way, this configuration will be unreliable at best, and variously won't work.


The cited address looks to be static, and the reverse DNS translation would be established by the ISP controlling that IP address space. If there's no reverse translation, then DNS is incorrect, and the mail server is one of the components that generally is going to get confused when that happens. Correct DNS is central to mail operations. Authentication also tends to get confused, including Open Directory. DNS is also central to distributed authentication.


The following implies the local network configuration is having configuration or connectivity issues; I wouldn't expect there to be a public IP address there — unless this system is operating at a public IP address of course.

<Wiqh4Wv3DgCt/7iY>): mbr_user_name_to_uuid(lexvanderwerff, guid) failed: (2) No such file or directory

Apr 19 17:23:46 auth: Error: od(lexvanderwerff,173.255.184.152,<Wiqh4Wv3DgCt/7iY>): validate response: lookup failed for user: lexvanderwerff

Apr 19 17:23:52 auth: Error: od[getpwnam_ext](lexvanderwerff,173.255.184.152,<Wiqh4Wv3DgCt/7iY>): No record for user


I'd address the DNS translations and Open Directory, then look at mail, and work from there.

Apr 20, 2014 6:09 PM in response to MrHoffman

Thank you for your feedback.


However, the user unknown error only concerns other accounts than the diradmin account. Like I mentioned before, the diradmin account works just fine.


The error concerns e-mail sent from the diradmin account to any other e-mail account within the same domain, and also encompasses e-mail sent from external domains to e-mail addresses within this domain with the exception of the diradmin account.


I therefore think the problem is not primarily just DNS related.


Lex

Apr 21, 2014 3:56 AM in response to LexCur70

Hi Lex,


The one thing that wouldn't concern me if the diradmin user did not work. Right now it's the only account that does work. So either something is wrong with DNS or your domain setup for mail or vital information is missing in the user account setup.

I would go for the same advice, check DNS especially when it's configured dynamically and then go to OpenDirectory. What does dscl say about the created users? Is there a mail address present in the settings?

Let me know, and good luck!


Jeffrey

StarPine Support

Apr 21, 2014 6:34 AM in response to jepping

Hello Jeffrey,


Thank you for your support, please read the dscl results below.



Regards,

Lex


-----


/LDAPv3 > read

NodePath: LDAPv3

ReadOnlyNode: ReadOnly

RealName: LDAPv3

SubNodes: 127.0.0.1

TrustInformation: Anonymous

/LDAPv3 >

[3]+ Stopped dscl

juffrouwjannie:~ xandstorm-juffrpuw-jannie$ dscl /LDAPv3/127.0.0.1 -read /Users/*erff

dsAttrTypeNative:objectClass: person inetOrgPerson organizationalPerson posixAccount shadowAccount top extensibleObject apple-user

AltSecurityIdentities: Kerberos:lexvanderwerff@JUFFROUWJANNIE.VANDERWERFF.NET

AppleMetaNodeLocation: /LDAPv3/127.0.0.1

AppleMetaRecordName: uid=lexvanderwerff,cn=users,dc=juffrouwjannie,dc=vanderwerff,dc=net

AuthenticationAuthority:

;ApplePasswordServer;

root@juffrouwjannie.vanderwerff.net:10.0.0.3

;Kerberosv5;;lexvanderwerff@JUFFROUWJANNIE.VANDERWERFF.NET;JUFFROUWJANNIE.VANDERWERFF.NET;

EMailAddress: lex@vanderwerff.net

FirstName:

Lex van der

GeneratedUID: 48CD91A9-1FEC-42EB-9D8B-5FFA035D9AA7

LastName: Werff

NFSHomeDirectory: /Users/lexvanderwerff

Password:

PrimaryGroupID: 20

RealName:

Lex van der Werff

RecordName: lexvanderwerff

RecordType: dsRecTypeStandard:Users

UniqueID: 1027

UserShell: /bin/bash

Apr 21, 2014 10:11 AM in response to LexCur70

Hi Lex,


Email address appears to be OK, but externally the domain points towards mail.vanderwerff.net but is responded to by juffrouwjannie.vanderwerff.net, that might be an issue. You should add an A record in the vanderwerff.net domain and point to your local server.

Please check DNS setup once again.

What domain is setup in the mailserver?

Does it contain the correct domain?

Can you show an export from "sudo serveradmin settings mail"?


Also SSH port 22 seems to be open, which I would strongly recommend to close eh forever...

Good luck!


Jeffrey

Apr 21, 2014 7:16 PM in response to jepping

Hi Jeffrey,


Changed the mx record to the juffrou......net domain, without success.

Please find the export below.


Regards,

Lex

-----


juffrouwjannie:~ xandstorm-juffrpuw-jannie$ sudo serveradmin settings mail

Password:

mail:postfix:smtpd_pw_server_security_options:_array_index:0 = "cram-md5"

mail:postfix:smtpd_pw_server_security_options:_array_index:1 = "digest-md5"

mail:postfix:smtpd_pw_server_security_options:_array_index:2 = "gssapi"

mail:postfix:smtpd_pw_server_security_options:_array_index:3 = "login"

mail:postfix:smtpd_pw_server_security_options:_array_index:4 = "plain"

mail:postfix:spam_quarantine = "junk-quarantine@example.com"

mail:postfix:smtp_reject_list_enabled = no

mail:postfix:smtp_sasl_auth_enable = no

mail:postfix:submit_cred:juffrouwjannie.vanderwerff.net:username = "submit"

mail:postfix:submit_cred:juffrouwjannie.vanderwerff.net:password = "lvFBZ9973YcUBWtAPEX7Dq"

mail:postfix:submit_cred:XANDSTORM-JUFFRPUW-JANNIEs-Mac-mini.local:username = "submit"

mail:postfix:submit_cred:XANDSTORM-JUFFRPUW-JANNIEs-Mac-mini.local:password = ""

mail:postfix:smtp_auth_relay_dict:smtp_auth_relay_userid = ""

mail:postfix:smtp_auth_relay_dict:smtp_auth_relay_pwd = ""

mail:postfix:smtp_auth_relay_dict:smtp_auth_relay_host = ""

mail:postfix:client_permit_mynetworks = yes

mail:postfix:smtpd_tls_cert_file = "/etc/certificates/juffrouwjannie.vanderwerff.net.69F8227930804D0241A279CBC08AFDFBA687F300.cert.pem"

mail:postfix:maps_rbl_domains_enabled = yes

mail:postfix:spam_subject_tag = "***JUNK MAIL*** "

mail:postfix:smtpd_tls_CAfile = "/etc/certificates/juffrouwjannie.vanderwerff.net.69F8227930804D0241A279CBC08AFDFBA687F300.chain.pem"

mail:postfix:message_size_limit_enabled = yes

mail:postfix:virus_db_last_update = "2014-04-19 19:50:45 +0000"

mail:postfix:mail_enabled_groups = _empty_array

mail:postfix:add_whitelist_domain:_array_index:0 = "XANDSTORM-JUFFRPUW-JANNIEs-Mac-mini.local"

mail:postfix:add_whitelist_domain:_array_index:1 = "vanderwerff.net"

mail:postfix:virus_scan_enabled = no

mail:postfix:spam_notify_admin_email = "junk-admin@example.com"

mail:postfix:virus_db_log_level = "info"

mail:postfix:black_hole_domains:_array_index:0 = "zen.spamhaus.org"

mail:postfix:spam_ok_locales = "en"

mail:postfix:spam_scan_enabled = yes

mail:postfix:virus_quarantine = "virus-quarantine@example.com"

mail:postfix:reject_unauth_piplining_enabled = no

mail:postfix:spam_rewrite_subject = yes

mail:postfix:message_size_limit = 10485760

mail:postfix:mynetworks:_array_index:0 = "127.0.0.0/8"

mail:postfix:mynetworks:_array_index:1 = "[::1]/128"

mail:postfix:virus_log_level = "info"

mail:postfix:host_whitelist:_array_index:0 = "juffrouwjannie.vanderwerff.net"

mail:postfix:rbl_override_list = _empty_array

mail:postfix:greylist_enabled = no

mail:postfix:list_server_log_level = "info"

mail:postfix:group_expansion:start_interval = 10

mail:postfix:group_expansion:enable_group_expansion = no

mail:postfix:virus_notify_recipients = no

mail:postfix:luser_relay_enabled = no

mail:postfix:mydomain = "vanderwerff.net"

mail:postfix:enable_list_server = yes

mail:postfix:mydestination:_array_index:0 = "localhost"

mail:postfix:mydestination:_array_index:1 = "$mydomain"

mail:postfix:virus_notify_admin_email = "virus-admin@example.com"

mail:postfix:enable_virtual_domains = no

mail:postfix:spam_notify_admin = no

mail:postfix:required_hits = 6

mail:postfix:add_whitelist_host:_array_index:0 = "juffrouwjannie.vanderwerff.net"

mail:postfix:always_bcc_enabled = no

mail:postfix:enable_var_mail = no

mail:postfix:enable_smtp = yes

mail:postfix:smtpd_tls_key_file = "/etc/certificates/juffrouwjannie.vanderwerff.net.69F8227930804D0241A279CBC08AFDFBA687F300.key.pem"

mail:postfix:relayhost = ""

mail:postfix:mynetworks_enabled = no

mail:postfix:virtual_domains = _empty_array

mail:postfix:spam_ok_languages = "en"

mail:postfix:rbl_override_enabled = no

mail:postfix:log_rolling_days = 1

mail:postfix:enable_smtp_in = yes

mail:postfix:virtual_users_maps = _empty_array

mail:postfix:tls_server_options = "require"

mail:postfix:spam_action = "deliver"

mail:postfix:log_rolling_days_enabled = yes

mail:postfix:list_server_post_to_archve = no

mail:postfix:spam_log_level = "warn"

mail:postfix:smtp_uce_controlls = 1

mail:postfix:relayhost_enabled = no

mail:postfix:list_server_share_archives = no

mail:postfix:virus_action = "delete"

mail:postfix:virus_db_update_days = 12

mail:postfix:virus_notify_admin = no

mail:postfix:domain_whitelist:_array_index:0 = "XANDSTORM-JUFFRPUW-JANNIEs-Mac-mini.local"

mail:postfix:domain_whitelist:_array_index:1 = "vanderwerff.net"

mail:postfix:enable_smtp_out = yes

mail:postfix:text_only_attachments = no

mail:postfix:reject_unknown_client_enabled = no

mail:postfix:log_level = "info"

mail:postfix:myhostname = "juffrouwjannie.vanderwerff.net"

mail:global:auto_auth = no

mail:global:skip_enable_service_check = no

mail:global:service_data_path = "/Library/Server/Mail"

mail:imap:aps_topic = "com.apple.mail.XServer.0051960a-2429-481a-b784-c073eed597e1"

mail:imap:servername = ""

mail:imap:imap_auth_clear = yes

mail:imap:auth_gssapi_hostname = ""

mail:imap:admins = _empty_array

mail:imap:lmtp_luser_relay_enabled = no

mail:imap:lmtp_luser_relay = ""

mail:imap:pop_auth_clear = yes

mail:imap:enable_listid_autosave = "no"

mail:imap:max_imap_connections = 1000

mail:imap:log_level = "info"

mail:imap:tls_key_file = "/etc/certificates/juffrouwjannie.vanderwerff.net.69F8227930804D0241A279CBC08AFDFBA687F300.key.pem"

mail:imap:imap_auth_plain = yes

mail:imap:postmaster_address = "postmaster@juffrouwjannie.vanderwerff.net"

mail:imap:quotawarn = 80

mail:imap:enable_quota_warnings = no

mail:imap:pop_auth_gssapi = no

mail:imap:junk_mail_userid = "junkmail"

mail:imap:global_quota = 0

mail:imap:partitions = _empty_array

mail:imap:tls_ca_file = "/etc/certificates/juffrouwjannie.vanderwerff.net.69F8227930804D0241A279CBC08AFDFBA687F300.chain.pem"

mail:imap:enforce_quotas = no

mail:imap:not_junk_mail_userid = "notjunkmail"

mail:imap:imap_auth_digest_md5 = yes

mail:imap:request_enable_webmail = no

mail:imap:client_cert_enabled = no

mail:imap:aps_topic_enabled = yes

mail:imap:imap_auth_gssapi = no

mail:imap:tls_server_options = "require"

mail:imap:pop_auth_apop = yes

mail:imap:quota_full_tempfail = yes

mail:imap:imap_urlauth_host = " "

mail:imap:enable_imap = yes

mail:imap:postmaster = "postmaster"

mail:imap:enable_pop = yes

mail:imap:partition-default = "/Library/Server/Mail/Data/mail"

mail:imap:imap_auth_login = yes

mail:imap:enable_sieve = yes

mail:imap:imap_auth_cram_md5 = yes

mail:imap:notification_server_enabled = yes

mail:imap:tls_cert_file = "/etc/certificates/juffrouwjannie.vanderwerff.net.69F8227930804D0241A279CBC08AFDFBA687F300.cert.pem"

Apr 22, 2014 2:19 AM in response to LexCur70

Hi Lex,


When I do a mx record lookup with mxtoolbox.com then there is no mx record present for vanderwerff.net, so no external mailserver knows where to deliver the mail.

Fixing that issue should resolve your issue for mail only.


Also locally looks like your hostname is XANDSTORM-JUFFRPUW-JANNIEs-Mac-mini.local which should really be just juffrouwjannie.vanderwerff.net, so locally and externally the same hostname.

Considering these issues, you might want to start over at this point, when it is just a test server, set it up right the first time and stop fixing issues later on. These errors will come back every single time when you activate a new service like profilemanager.

Good luck


Jeffrey

StarPine Support

www.starpine.nl

Jun 14, 2014 7:40 PM in response to LexCur70

I'm not the equivalent of a rocket scientist in these matters but I'm having the same issue and I've gone through my dns with a fine tooth comb. IMHO, it isn't necessarily the DNS. Notice that the error is telling you that there is no record for user "lex". Is that the full name of an actual user that is associated with the email address or is that the local-name of the email address itself? I've reached the conclusion that the reason it can't find the record is because the user name does not exactly correspond to the local name of the email address itself. I'm not having the same problem with all email users - only those with non-matching email addresses. Now if only I had an answer to why that is. The search continues.
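The comparison raised in the reply above, between the name in each "No record for user" log entry and the directory record, can be run against the log and dscl output posted earlier in the thread. This is an added example, not part of any post; the function names and category labels are illustrative, and the sample lines are copied from the thread.

```python
import re
from collections import Counter

# Lines copied from the auth log and the dscl output posted in the thread.
AUTH_LOG = """\
Apr 19 16:57:24 auth: Error: od[getpwnam_ext](lex): No record for user
Apr 19 17:23:52 auth: Error: od[getpwnam_ext](lexvanderwerff,173.255.184.152,<Wiqh4Wv3DgCt/7iY>): No record for user
Apr 19 17:32:43 auth: Error: od[getpwnam_ext](lex): No record for user
"""
DSCL_READ = """\
EMailAddress: lex@vanderwerff.net
RecordName: lexvanderwerff
UniqueID: 1027
"""

# First field inside the parentheses is the name that was looked up;
# the client address and session id, when present, follow after commas.
FAILED = re.compile(r"od\[getpwnam_ext\]\(([^,)]+)[^)]*\): No record for user")


def failed_lookups(log_text):
    """Count failed directory lookups per looked-up name."""
    return Counter(m.group(1) for m in FAILED.finditer(log_text))


def parse_dscl(text):
    """Turn 'Key: value ...' lines from 'dscl -read' into {key: [values]}."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record[key.strip()] = value.split()
    return record


def classify(name, record):
    """Say how a failed lookup name relates to the directory record."""
    local_parts = [addr.split("@")[0] for addr in record.get("EMailAddress", [])]
    if name in record.get("RecordName", []):
        return "record-exists"   # user is in the directory, yet the lookup failed
    if name in local_parts:
        return "address-only"    # matches an e-mail local part, not a short name
    return "unknown"


def report(log_text, dscl_text):
    record = parse_dscl(dscl_text)
    return {name: (count, classify(name, record))
            for name, count in failed_lookups(log_text).items()}


if __name__ == "__main__":
    for name, (count, kind) in report(AUTH_LOG, DSCL_READ).items():
        print(f"{name}: {count} failed lookup(s), {kind}")
```

A name classified "address-only" fits the mismatch described in the last reply, while "record-exists" means the directory lookup failed for a user that dscl can read.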
