I have had a postfix server running flawlessly for three months now. Users log in to the server in their respective mail clients by connecting to mail.mydomain.com (with SSL) and there's never been any issues with that setup.
However, about a week ago I needed to set up another domain on this server. It already hosts multiple domains, but everyone connects through mail.mydomain.com. Even though their email address may be them@mydomain2.com, they log into the server at mail.mydomain.com. For this new domain, however, it is necessary for the users to login to mail.theirdomain.com.
So, the A record was set - mail.theirdomain.com points to my IP address, certbot got me a multi-domain certificate just fine, and we should be off to the races. They can login to IMAP and see their mail perfectly. However, sending mail is a different story.
When a user is logged into mail.mydomain.com and they send an email, the following is printed to /var/log/mail.log:
postfix/smtpd[29147]: connect from myPC.lan[192.168.0.241]
postfix/smtps/smtpd[30562]: Anonymous TLS connection established from myPC.lan[192.168.0.241]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchan>
postfix/smtps/smtpd[30562]: 9A9DC20E15: client=myPC.lan[192.168.0.241], sasl_method=PLAIN, sasl_username=them
postfix/cleanup[30580]: 9A9DC20E15: message-id=<ff9ef6f6-975a-0827-1f48-968e6cd31847@theirdomain.com>
opendkim[517]: 9A9DC20E15: DKIM-Signature field added (s=default, d=theirdomain.com)
mail-pi postfix/qmgr[30134]: 9A9DC20E15: from=<them@theirdomain.com>, size=835, nrcpt=1 (queue active)
postfix/smtp[30581]: 9A9DC20E15: to=<testAccount@outlook.com>, relay=outlook-com.olc.protection.outlook.com[104.47.13.33]:25, delay=7.4, delays=0.1/0.07/3.3/3.9, dsn=2>
postfix/qmgr[30134]: 9A9DC20E15: removed
However, when trying to perform the exact same action with the mail client configured to use mail.theirdomain.com:
postfix/smtpd[29147]: connect from myPC.lan[192.168.0.241]
postfix/smtpd[29147]: Anonymous TLS connection established from myPC.lan[192.168.0.241]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25>
postfix/smtpd[29147]: NOQUEUE: reject: RCPT from myPC.lan[192.168.0.241]: 554 5.7.1 <testAccount@outlook.com>: Relay access denied; from=<them@theirdomain.com> to=<testAccount@outlook.com> proto=ESMTP helo=<[192.168.0.241]>
They can, however, send mail internally around the server. Mail from them@theirdomain.com sends just fine to me@mydomain.com.
Two key things stick out to me:
- The helo hostname is just an IP address, or (depending on the client) something like smtpclient.apple. Should it be? I was under the impression that we should be sending helo as mail.mydomain.com.
- There is no SASL authentication happening, leading to the rejection of the message (as smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination).
I don't believe the first point is an issue, as I have also set
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname,
check_helo_access hash:/etc/postfix/helo_access
So, provided we can fix SASL, the HELO restrictions should clear as well, based on the second criterion in that list.
But here I'm at a bit of a loss. Why wouldn't SASL work if we're logging in from a different domain? It's still the same IP address on the other side of the A record. Why is it treated differently? Have I missed a configuration option somewhere?
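As an added illustration (not part of the question or of Postfix itself), the short parser below walks the two log excerpts above, correlates lines by smtpd service name and process id, and reports for each session which smtpd entry handled it, whether TLS came up, whether a sasl_username was logged before the RCPT, and whether relaying was refused. The embedded log lines are the ones from the question, shortened; the verdict text paraphrases the smtpd_relay_restrictions quoted above.

```python
import re
from collections import OrderedDict

# Log lines from the question (both sessions), trimmed so the example runs offline.
MAIL_LOG = """\
postfix/smtpd[29147]: connect from myPC.lan[192.168.0.241]
postfix/smtps/smtpd[30562]: Anonymous TLS connection established from myPC.lan[192.168.0.241]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
postfix/smtps/smtpd[30562]: 9A9DC20E15: client=myPC.lan[192.168.0.241], sasl_method=PLAIN, sasl_username=them
postfix/qmgr[30134]: 9A9DC20E15: from=<them@theirdomain.com>, size=835, nrcpt=1 (queue active)
postfix/smtpd[29147]: connect from myPC.lan[192.168.0.241]
postfix/smtpd[29147]: Anonymous TLS connection established from myPC.lan[192.168.0.241]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
postfix/smtpd[29147]: NOQUEUE: reject: RCPT from myPC.lan[192.168.0.241]: 554 5.7.1 <testAccount@outlook.com>: Relay access denied; from=<them@theirdomain.com> to=<testAccount@outlook.com> proto=ESMTP helo=<[192.168.0.241]>
"""

# "postfix/smtpd[pid]" is the plain smtpd entry from master.cf (normally port 25);
# "postfix/smtps/smtpd[pid]" is the smtps entry (normally port 465). Only smtpd
# lines are kept; qmgr/cleanup/opendkim lines are skipped.
LINE_RE = re.compile(r"^postfix/(?P<svc>[\w/]*smtpd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def summarize_sessions(log_text):
    """One record per smtpd process: service, TLS, SASL user and relay refusals."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["svc"], m["pid"])
        s = sessions.setdefault(key, {"service": m["svc"], "pid": m["pid"], "tls": False,
                                      "sasl_username": None, "relay_denied": 0})
        msg = m["msg"]
        if "TLS connection established" in msg:
            s["tls"] = True
        sasl = re.search(r"sasl_username=(\S+)", msg)
        if sasl:
            s["sasl_username"] = sasl.group(1)
        if "Relay access denied" in msg:
            s["relay_denied"] += 1
    return list(sessions.values())

def verdict(session):
    """Explain the outcome in terms of permit_sasl_authenticated / defer_unauth_destination."""
    if session["sasl_username"]:
        return "%s[%s]: SASL user %s, relay permitted by permit_sasl_authenticated" % (
            session["service"], session["pid"], session["sasl_username"])
    return "%s[%s]: no sasl_username logged, external RCPT hits defer_unauth_destination (%d refused)" % (
        session["service"], session["pid"], session["relay_denied"])

if __name__ == "__main__":
    for s in summarize_sessions(MAIL_LOG):
        print(verdict(s))
```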