2

I have a Postfix installed and working with SPF check and SRS-rewriting. When it forwards email for an external address, sometimes its smtp denies relaying the mail with the message: `Relay access denied 550 Sender verification failed`. Other systems accept these emails without any problems.

Is it some disallowed-character-problem in the SRS-rewritten MAIL FROM address?

The rewritten mail from addresses look like:

SRS0=47InG7z-zA=XJ=original.domain=john.doe@srs.my.domain

A response:

Apr  9 16:08:37 postfix/smtp[21401]: 9D894323C43E: to=<forward.address@example.com>, orig_to=<orig.address@my.domain>, relay=example.com[256.256.256.256]:25, delay=2, delays=0.37/0.49/1/0.1, dsn=5.0.0, status=bounced (host example.com[256.256.256.256] said: 550-Verification failed for<SRS0=47InG7z-zA=XJ=original.domain=john.doe@srs.my.domain>  550-Called:   1.2.3.4 550-Sent:     RCPT TO:<SRS0=47InG7z-zA=XJ=original.domain=john.doe@srs.my.domain>  550-Response: 554 5.7.1<SRS0=47InG7z-zA=XJ=original.domain=john.doe@srs.my.domain>: Relay access denied 550 Sender verify failed (in reply to RCPT TO command))
petIQe
  • How about some examples of the denied mail, and log entries? – NickW Apr 10 '14 at 11:10
  • Oh, yes, I updated it. – petIQe Apr 10 '14 at 11:41
  • Seems like your server is saying that the from address isn't valid, so the remote server won't accept it. The solutions seem pretty simple, either don't rewrite headers for mail headed there, or say that the re-written From user is valid.. – NickW Apr 10 '14 at 12:06
  • No, it's the response from the other server. This particular email has been forwarded to a lot of domains and all of them accepted it, except this one and another one. I replaced the other servers hostname to example.com and my server's hostname to my.domain. – petIQe Apr 10 '14 at 12:09
  • Yes, because the other server does `sender verification` and your server sees the rewritten From address and says "I have no idea who that is". Read about it here: http://www.postfix.org/ADDRESS_VERIFICATION_README.html – NickW Apr 10 '14 at 12:11
  • Is it possible that these two systems do it only? Google, Yahoo and all the "big" providers accept mails forwarded by this machine. Also, there is reverse-srs installed, so my server must know the original mail-from address. And it knows, since it can handle bounces and forward them to the originator. – petIQe Apr 10 '14 at 12:21
  • Yeah, if you read the page, most people don't do sender verification, because (strangely enough) people don't like other systems probing their systems. You may want to look at `address_verify_relay_transport`, though I promise you, the problem here is your SRS. – NickW Apr 10 '14 at 12:58
  • Ok, the problem is with my SRS, but only when sending to these two domains? And... What could be that problem with it? Anyway, I read that sender verification for all email is not recommended, since you might lose incoming email messages, so if I put it this way, it's the "other side's" problem. – petIQe Apr 10 '14 at 15:31
  • Yeah, it is the other side's problem that they're using sender verification, you may want to chat with their admins and see if they can provide you with some way to relay mail to them that doesn't involve sender verification (smtp auth maybe?). – NickW Apr 10 '14 at 15:35

2 Answers

0

Primarily the problem is theirs, but partially yours also. On the remote side, they have implemented sender address verification, and since you are doing SRS, it's possible that postfix will not reply favorably to a probe for the re-written sender address (or for ANY sender address verification probe). You should probably be able to see the probe in your maillog, there will be a connection from that server and a RCPT TO: SRS0=47InG7z-zA=XJ=original.domain=john.doe@srs.my.domain

I'd try and get into contact with their mail admin, and see if you can't work out an amicable solution. SAV enabled for all domains is counterproductive, as there's no guarantee that a positive return means the sender address exists, or that a negative means the address is nonexistent.

NickW
  • Oh, finally I got it! I don't see any connections from the receiving (not receiving) server, but I tried to telnet my smtp from another system and it really denies relaying to the rewritten address. So, what should I do now? – petIQe Apr 10 '14 at 19:19
  • I really don't know tons about SRS, but I think you're probably going to have more luck talking to the admins on the other side, explain what you are doing, possibly they can whitelist your server, or maybe they can provide some sort of credentials for you to do smtp auth. The other option is setting up a different transport for those destinations.. – NickW Apr 11 '14 at 08:33
  • In theory SRS should reply positively to those probes, but I'm wondering, since you're actually rewriting addresses which don't belong to you, whether postfix is correct in saying it isn't responsible. – NickW Apr 11 '14 at 08:35
  • What if I add these rewritten addresses to some "fake" recipient table, then remove them after the mail has been delivered via the receiving server? – petIQe Apr 11 '14 at 12:26
  • That could work, but it sounds like a lot of work for you (for two hosts who are the ones doing the wrong thing), I'd really make an attempt to find a human solution.. – NickW Apr 11 '14 at 12:55
  • I tried to contact them, but they haven't replied yet. Anyway, it's two hosts now, but who knows how many others will come up later? – petIQe Apr 11 '14 at 12:58
  • Ok, the key was that we set different srs-secret files on the two mx servers and the sender verification came to the other one, not on the sender that actually did the rewriting. Obviously, that machine failed to decode it... – petIQe Apr 18 '14 at 11:44
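
The root cause from the last comment, as an added example (not code from the thread or from any SRS package): the hash field of an SRS0 address is keyed by the rewriting server's secret, so an MX holding a different secret cannot validate a callout probe for it. The hash construction, its 10-character length, the secrets, the day number and the list-of-secrets idea are assumptions of this sketch; only the address layout is taken from the question.

```python
import base64
import hashlib
import hmac
from typing import List, Optional

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _timestamp(day: int) -> str:
    # Two base32 characters encoding the day number modulo 1024.
    day %= 1024
    return BASE32[day >> 5] + BASE32[day & 31]

def _hash(secret: bytes, ts: str, domain: str, local: str) -> str:
    # Keyed hash over the fields that follow it (truncation length is assumed).
    msg = "=".join((ts, domain, local)).lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode()[:10]

def srs_forward(sender: str, srs_domain: str, secret: bytes, day: int) -> str:
    # Rewrite the envelope sender the way the forwarding MX does.
    local, domain = sender.rsplit("@", 1)
    ts = _timestamp(day)
    return f"SRS0={_hash(secret, ts, domain, local)}={ts}={domain}={local}@{srs_domain}"

def srs_reverse(address: str, secrets: List[bytes]) -> Optional[str]:
    # Original sender if any configured secret validates the hash, else None.
    localpart = address.rsplit("@", 1)[0]
    if not localpart.upper().startswith("SRS0="):
        return None
    parts = localpart[5:].split("=", 3)
    if len(parts) != 4:
        return None
    h, ts, domain, local = parts
    for secret in secrets:
        expected = _hash(secret, ts, domain, local)
        if hmac.compare_digest(h.encode(), expected.encode()):
            return f"{local}@{domain}"
    return None

# Constructed secrets and day number, for illustration only.
MX1_SECRET, MX2_SECRET = b"secret-on-mx1", b"secret-on-mx2"
ADDR = srs_forward("john.doe@original.domain", "srs.my.domain", MX1_SECRET, 16169)

if __name__ == "__main__":
    print("MX1 sends MAIL FROM:", ADDR)
    print("probe answered by MX1:", srs_reverse(ADDR, [MX1_SECRET]))
    print("probe answered by MX2:", srs_reverse(ADDR, [MX2_SECRET]))  # None: rejected
    print("MX2 with shared secret:", srs_reverse(ADDR, [MX2_SECRET, MX1_SECRET]))
```

A `None` result corresponds to the MX refusing the probe's RCPT TO, which the verifying host then reports as "Sender verify failed".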
0

I was receiving a similar issue when relaying my local postmail to my own SMTP server.

The error I received was

550-The mail server could not deliver mail to daemon@macbook.local. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries. 550 Sender verify failed (in reply to RCPT TO command))

After doing some research, I found that my SMTP was blocking any email that did not have a DNS configured.

What I had to do was set postfix to send as a different address.

Rewriting your email will solve this

Open Terminal (OS X) and run this command

echo "@macbook.local realemail@myserver.com" | sudo tee -a /etc/postfix/generic

Change @macbook.local with your machine name. Using this format will allow any outbound email from postfix to work, provided it has @macbook.local at the end. Use the mail log to see what the outbound address is: `tail -f /var/log/mail.log`

Change realemail@myserver.com with a real email that you have authority over

Next Steps - Configure main.cf and passwords

Steps 2 onward in this tutorial will guide you through what you need if you need to setup postfix from scratch:

http://blog.anupamsg.me/2012/02/14/enabling-postfix-for-outbound-relay-via-gmail-on-os-x-lion-11/

Moe