I am trying to figure out what the problem is with my mail server on Google Cloud Platform.
The problem is that none of the users can send mail outside the box. They can send and receive email to and from each other, even when they are on different domains on the same server, but no mail goes from the box out to the internet.
Some background: I have a VM set up on Google Cloud Platform, running CentOS 7. The box comes with one dedicated IP and one internal IP. "CentOS Web Panel" is being used to manage a couple of different websites. Everything relating to the websites works perfectly except for mail delivery outside the box.
I make use of the tutorial available on this link to integrate sendgrid on the said instance.
Because GCP does not allow VMs to use port 25 for sending email, I subscribed to one of the email providers on GCP, SendGrid, and was provided with its SMTP URL, which can be used on a port other than the one blocked for VMs.
Currently, below is the content of my Postfix master.cf:
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ***** Unused items removed *****
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
# Network-facing smtpd listeners. None of these three carries an active "-o"
# override, so each applies the main.cf smtpd_* settings unchanged.
# NOTE(review): "587" names the same port as the "submission" entry further
# down in this file (its comment says port 587); only one of the two can bind
# the port — TODO confirm which is intended and remove the other.
# NOTE(review): "2525" is an extra inbound listener, presumably added while
# following the SendGrid tutorial. Relaying out to [smtp.sendgrid.net]:2525 is
# a client connection and needs no local listener — TODO confirm it is wanted,
# since every open listener is additional exposed surface.
smtp inet n - n - - smtpd
587 inet n - - - - smtpd
2525 inet n - - - - smtpd
# The amavis content-filter hook below is commented out, and the posted main.cf
# sets no content_filter, so mail accepted here is presumably not scanned by
# the smtp-amavis service defined later in this file.
# -o content_filter=smtp-amavis:127.0.0.1:10024
# -o receive_override_options=no_address_mappings
#
## Enable SMTP on port 587 only for authenticated/TLS clients
# NOTE(review): the "-o" lines appear at column 0 in this paste; in the real
# file they must begin with whitespace to continue the service entry.
# NOTE(review): smtpd_enforce_tls is the legacy spelling; current Postfix
# documentation uses smtpd_tls_security_level=encrypt for mandatory TLS.
# NOTE(review): a master.cf "-o name=value" must not contain whitespace. The
# space after the first comma in the smtpd_recipient_restrictions override
# makes the text after it a separate command-line argument, so the intended
# "permit_sasl_authenticated,reject" part is not applied — verify on the box.
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_mynetworks, permit_sasl_authenticated,reject
#
## Enable SMTP on port 465 only for authenticated/SSL clients
# Wrapper mode starts TLS before any SMTP command. Clients in mynetworks are
# still admitted without authenticating (permit_mynetworks comes first).
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#
# Internal Postfix services (queue handling, rewriting, bounces, delivery agents).
# pickup handles locally submitted mail; the two overrides below clear
# content_filter and turn off header/body checks for that path.
pickup fifo n - n 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
# "smtp" (unix) is the outbound SMTP client, i.e. the agent that would connect
# to a relayhost when a transport setting selects it.
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
# "error" is the delivery agent that bounces mail instead of delivering it;
# the posted main.cf points default_transport and relay_transport at it.
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
# ====================================================================
# Each entry hands mail to an external program through pipe(8), running it as
# the account named in user= and passing envelope values ($sender, $recipient,
# $nexthop) as arguments.
# NOTE(review): uucp, ifmail and bsmtp look like unused sample entries
# ("user=foo" reads as a placeholder) — TODO confirm and remove any that are
# not needed, so no unused external delivery program stays wired in.
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
# spam/virus section
#
# smtp-amavis: SMTP client transport used to hand mail to the content filter
# (at most 2 processes, chrooted).
# NOTE(review): the only reference to this transport in the posted files is the
# commented-out content_filter line near the top, so it is presumably inactive.
smtp-amavis unix - - y - 2 smtp
-o smtp_data_done_timeout=1200
-o disable_dns_lookups=yes
-o smtp_send_xforward_command=yes
# 127.0.0.1:10025: smtpd listener bound to loopback only, where filtered mail
# is handed back to Postfix. The overrides clear content_filter and the
# helo/sender/client restrictions, and accept mail solely from
# mynetworks=127.0.0.0/8 (permit_mynetworks,reject).
# Keep this listener on 127.0.0.1: with its checks cleared, anything able to
# reach it can inject mail unfiltered.
# NOTE(review): smtpd_soft_error_limit=1001 is listed twice; the repeat has no
# additional effect.
127.0.0.1:10025 inet n - y - - smtpd
-o content_filter=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o receive_override_options=no_header_body_checks
-o smtpd_helo_required=no
-o smtpd_client_restrictions=
-o smtpd_restriction_classes=
-o disable_vrfy_command=no
-o strict_rfc821_envelopes=yes
#
# Dovecot LDA
# Final delivery into virtual mailboxes: runs Dovecot's deliver as user vmail,
# group mail. The posted main.cf selects it with virtual_transport = dovecot.
dovecot unix - n n - - pipe
flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}
#
# SPF check
# Policy daemon spawned as the unprivileged user nobody.
# NOTE(review): nothing in the posted main.cf refers to this service (no
# check_policy_service entry in smtpd_recipient_restrictions), so inbound SPF
# checking is presumably not in effect — TODO confirm.
spfpolicy unix - n n - - spawn
user=nobody argv=/usr/bin/python /usr/libexec/postfix/policyd-spf
and my main.cf is as below:
# uncomment for debugging if needed
# (soft_bounce turns permanent rejections into temporary ones while testing)
#soft_bounce=yes
# postfix main
# Account that owns the queue, and the group used for mail submission.
mail_owner = postfix
setgid_group = postdrop
# No unit suffix is given; Postfix reads a bare number here as hours.
delay_warning_time = 4
# postfix paths
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
# network settings
# Listen on every interface (IPv4 only), including the external address.
inet_interfaces = all
inet_protocols = ipv4
mydomain = domain.com
myhostname = srv1.domain.com
# Clients listed in mynetworks may relay without authenticating, because
# smtpd_recipient_restrictions starts with permit_mynetworks. That includes
# every process on this host that connects via 127.0.0.1 (the log in this post
# shows the webmail client doing so).
# NOTE(review): 30.0.0.0/32 is a single address outside the RFC 1918 private
# ranges — presumably a placeholder or a typo for the VM's internal IP; confirm
# so that no unintended external host is trusted.
# NOTE(review): [::1]/128 is unused while inet_protocols = ipv4.
mynetworks = 127.0.0.0/8 [::1]/128 30.0.0.0/32
mydestination = $mydomain, localhost.$mydomain, localhost
# Domains this server relays for are looked up in MySQL.
relay_domains = proxy:mysql:/etc/postfix/mysql-relay_domains_maps.cf
# mail delivery
recipient_delimiter = +
# mappings
alias_maps = hash:/etc/aliases
transport_maps = hash:/etc/postfix/transport
#local_recipient_maps =
# virtual setup
# Virtual domains, mailboxes and aliases are resolved through MySQL lookups.
# NOTE(review): the mysql-*.cf files normally contain the database login; keep
# them unreadable to ordinary users — permissions are not shown in this post.
# NOTE(review): the two lines ending in "$" were cut off by the terminal width;
# the full values appear in the postconf -n output later in this post.
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_default_maps.cf, proxy:mysql:/etc/postfix/mysq$
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/mysql-vi$
# All virtual mailboxes are owned by one fixed uid/gid pair (101:12).
virtual_minimum_uid = 101
virtual_uid_maps = static:101
virtual_gid_maps = static:12
# Hand virtual deliveries to the "dovecot" pipe service in master.cf, one
# recipient per invocation.
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
# debugging
# debug_peer_level only takes effect for hosts named in debug_peer_list, which
# is not set in the posted configuration.
debug_peer_level = 3
# NOTE(review): the second line continues debugger_command and must begin with
# whitespace in the real file; the indentation was lost in this paste.
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
# authentication
# SASL login is enabled for every smtpd listener and checked against Dovecot
# through the private/auth socket.
# NOTE(review): with smtpd_tls_security_level = may and no smtpd_tls_auth_only
# in the posted settings, AUTH can be offered before STARTTLS, so passwords may
# cross the network unencrypted — consider smtpd_tls_auth_only = yes.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain, srv1.domain.com
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Relay policy: trusted networks first, then authenticated users; everything
# else is accepted only for destinations this server handles.
smtpd_recipient_restrictions =permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# NOTE(review): this value is overridden by the empty smtpd_sender_restrictions
# in the "rules restrictions" section below; postconf -n reports it as empty.
smtpd_sender_restrictions = reject_unknown_sender_domain
# tls config
# NOTE(review): smtp_use_tls / smtpd_use_tls are the legacy switches; the
# *_tls_security_level parameters are the current form and are also set in
# this file.
smtp_use_tls = yes
smtpd_use_tls = yes
# "may" = opportunistic TLS for inbound connections: offered, not required.
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
# Change mail.example.com.* to your host name
# NOTE(review): the private key should be readable by root only — permissions
# are not shown in this post.
smtpd_tls_key_file = /etc/pki/tls/private/hostname.key
smtpd_tls_cert_file = /etc/pki/tls/certs/hostname.bundle
# rules restrictions
# Both lists are empty, so no HELO or sender checks are applied.
# NOTE(review): the empty smtpd_sender_restrictions here replaces the
# reject_unknown_sender_domain value set in the authentication section above,
# because the last assignment in main.cf wins.
smtpd_helo_restrictions =
smtpd_sender_restrictions =
# uncomment for realtime black list checks
# (these are list fragments meant to be appended to a restriction list; as
# continuation lines they need leading whitespace once uncommented)
# ,reject_rbl_client zen.spamhaus.org
# ,reject_rbl_client bl.spamcop.net
# ,reject_rbl_client dnsbl.sorbs.net
smtpd_helo_required = yes
unknown_local_recipient_reject_code = 550
# VRFY is disabled, which prevents address probing through that command.
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
# Other options
# Sizes are in bytes: messages up to about 195 MiB are accepted.
# NOTE(review): a limit this large lets a single sender consume a lot of queue
# space and bandwidth — confirm it is intentional.
message_size_limit = 204800000
mailbox_size_limit = 2048000000
# Vacation Scripts
vacation_destination_recipient_limit = 1
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_vacation.cf
# smtpd_milters setting
# Mail from SMTP and from local submission goes through the milter listening
# on 127.0.0.1:8891.
# NOTE(review): milter_default_action = accept is fail-open: if the milter is
# down or errors out, mail is accepted as if the milter were not configured.
# Which milter listens on 8891 is not shown here.
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 6
# specify SMTP relay host
# NOTE(review): default_transport = error routes all non-local mail to the
# error(8) delivery agent, which rejects it and uses the next-hop text as the
# reason. This is consistent with the 550 "Recipient address rejected:
# [smtp.sendgrid.net]:2525" in the log in this post. For relayhost to be used,
# these transports would need to select an SMTP client service instead
# (the stock values are smtp and relay) — TODO confirm on the box.
default_transport = error
relay_transport = error
relayhost = [smtp.sendgrid.net]:2525
# Outbound TLS is mandatory. NOTE(review): "encrypt" does not verify the
# server certificate; consider a verifying level (verify/secure) since the
# SendGrid credential is sent over this connection.
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
# NOTE(review): sasl_passwd holds the relay credential in clear text; keep it
# and its generated .db file readable by root only.
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# NOTE(review): far larger than the Postfix default header limit — confirm it
# is needed.
header_size_limit = 4096000
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = login
# Banner shows only the hostname, not the software name.
smtpd_banner = $myhostname
and the output of postconf -n is as below:
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 3
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $proces s_id & sleep 5
default_transport = error
delay_warning_time = 4
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
header_size_limit = 4096000
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 2048000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 204800000
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}
milter_protocol = 6
mydestination = $mydomain, localhost.$mydomain, localhost
mydomain = domain.com
myhostname = srv1.domain.com
mynetworks = 127.0.0.0/8 [::1]/128 30.0.0.0/32
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_vacation.cf
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql-relay_domains_maps.cf
relay_transport = error
relayhost = [smtp.sendgrid.net]:2525
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_banner = $myhostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain, srv1.domain.com
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_tls_cert_file = /etc/pki/tls/certs/hostname.bundle
smtpd_tls_key_file = /etc/pki/tls/private/hostname.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
vacation_destination_recipient_limit = 1
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_default_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, regexp:/etc/postfix/virtual_regexp
virtual_gid_maps = static:12
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_pipe_maps.cf
virtual_minimum_uid = 101
virtual_transport = dovecot
virtual_uid_maps = static:101
Whenever I attempt to send mail from Roundcube to an address outside the server, such as Gmail or Yahoo, I get the following error in the Roundcube interface:
SMTP Error (550): Failed to add recipient "user@gmail.com" (5.1.1 <user@gmail.com>: Recipient address rejected: [smtp.sendgrid.net]:2525).
and in the mail log (tail -f /var/log/maillog) I get this error:
host postfix/smtpd[31362]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 550 5.1.1 <user@gmail.com>: Recipient address rejected: [smtp.sendgrid.net]:2525; from=<info@domain.com> to=<user@gmail.com> proto=ESMTP helo=<localhost>