Postfix Virtual Domain - mail is send by second server

Question

i setup postfix on a VPS with two domains (each one with own ip)

domain1 - 194.xxx.xxx.1

domain2 - 194.xxx.xxx.2

when i send a mail via domain2 - i am getting dmarc reports that the mail uses the mailserver from domain1. And the mail is blocked.

i have no idea why this happend ... the header of the mails looks like this one:

Return-Path 
X-Spam-Checker-Version SpamAssassin 3.4.0 (2014-02-07) on server1.domain1.com
X-Spam-Level 
X-Spam-Status No, score=0.0 required=5.0 tests=NO_RELAYS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0
X-Original-To user@domain2.com
Delivered-To user@server1.domain1.com
Received by server1.domain1.com (Postfix)
    id xyz Thu,  7 Jul 2016 164833 +0200 (CEST)
Date Thu,  7 Jul 2016 164833 +0200 (CEST)
From MAILER-DAEMON@server1.domain1.com (Mail Delivery System)
Subject Undelivered Mail Returned to Sender
To user@domain2.com

my master-cf entry:

194.xxx.xxx.1:submission    inet    n   -   -   -   -   smtpd
    -o myhostname=server1.domain1.com
    -o smtpd_sasl_auth_enable=yes 

194.xxx.xxx.2:submission    inet    n   -   -   -   -   smtpd
        -o smtp_helo_name=mail.domain2.com
        -o myhostname=mail.domain2.com
        -o smtpd_tls_security_level=encrypt    
        -o smtpd_sasl_auth_enable=yes

main.cf

# Disable SSLv2 and SSLv3 leaving TLSv1, TLSv1.1 and TLSv1.2 enabled.
smtpd_tls_mandatory_protocols = SSLv3, TLSv1

# Configure the allowed cipher list
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

# Enable EECDH key exchange for Forward Security
smtpd_tls_eecdh_grade=ultra

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
myorigin = /etc/mailname
append_dot_mydomain = no
readme_directory = no
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
#myhostname = server1.domain1.com
#mydestination = server1.domain1.com, localhost.domain1.com, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

## server will announce STARTTLS ##
smtp_tls_note_starttls_offer = yes 

# TLS parameters
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

# HELO parameters
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
     reject_non_fqdn_hostname,
     reject_invalid_hostname,
     permit

# 'encrypt' will enforce SSL. Not recommended for live servers ##
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt 

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# neue restrictions 10.06.16
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   permit_mynetworks,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   permit
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
# smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost = 
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/
allow_percent_hack = no
tls_random_source = dev:/dev/urandom

# multi ip on für not resolve meldubg im log
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C RESOLV_MULTI=on

thankfull for any help or pointing me in the right direction !

mic

---

!!Edit!!

i send a mail to gmx.net (german freemailer) and to hotmail. On gmx i have this header (mail passed)

Return-Path: <user@domain2.com>
Received: from server1.domain1.com ([194.xxx.xxx.1]) by mx-ha.gmx.net
 (mxgmx110) with ESMTPS (Nemesis) id 0Llpue-1amr0r3TPM-00ZNcb for
 <mic@gmx.net>; Sat, 09 Jul 2016 18:02:49 +0200
Received: from [192.168.xxx.xxx] (cli-5b7ee90b [91.xx.xx.xx])
    by mail.domain2.com (Postfix) with ESMTPSA id E1D9512027A
    for <mic@gmx.net>; Sat,  9 Jul 2016 18:02:47 +0200 (CEST)
To: "R.T." <mic@gmx.net>
From: User <user@domain2.com>
Subject: test666

As you can see the Return-Path is the correct one : domain2.com

but the first "Received: from server1.domain1.com ([194.xxx.xxx.1]) " points to the server of domain1.com

and the second "Received: from [192.168.xxx.xxx] (cli-5b7ee90b [91.xx.xx.xx]) by mail.domain2.com (Postfix)"

comes from the right server : mail.domain2.com.

i tried everything - i checked everything - i have no idea why this heppend - i checked the header from mails of server1.domain1.com and they are all fine - this happens only when using smtp on mail.domain2.com.

and as the reports say - mail is refused because the header is from domain2 but sender&ip are from domain1

but. hotmail, yahoo, apple & google are blocking my mails from domain2.

Answer 1

None of the configuration you provide relates to the issue you're getting.

Mail being rejected based on DMARC rules means that the SPF rules are not respected. You should revise your SPF for both domains to include the other one so that both servers can send for both domains.

When doing SPF changes, it's always a good idea to loosen the DMARC rules so that the messages do not get rejected when they fail SPF validation. That way you can monitor and troubleshoot issues with it before making it more strict.