Postfix + Unknown user errors (config seems OK)

Discussion in 'Server Operation' started by dimitry, Mar 30, 2008.

  1. dimitry

    dimitry New Member

    Well, after 2 days of trying to get this to work, I give up and I hope you guys can help me.

    I seem to have everything working: TLS, SASL, etc. I have courier-imap that works well too (running Ubuntu Gutsy).

    I can receive emails fine and I can send email fine to gmail, yahoo, etc. but NOT all servers. From some servers I get:
    Code:
    host SOME_DOMAIN.com[SOME_IP] said:
        550-Verification failed for <noreply@arrivalalert.com> 550-No Such User
        Here 550 Sender verify failed (in reply to RCPT TO command)
    
    From mail.log
    Code:
    ar 30 01:42:39 dimitry postfix/smtp[5732]: 950D21D86A5: to=<USER@SOME_DOMAIN.com>, relay= SOME_DOMAIN.com[SOME_IP]:25, delay=3.5, delays=0.09/0/2.2/1.1, dsn=5.0.0, status=bounced (host SOME_DOMAIN.com[SOME_IP] said: 550-Verification failed for <noreply@arrivalalert.com> 550-No Such User Here 550 Sender verify failed (in reply to RCPT TO command))
    
    Domain name is 'arrivalalert.com' and DNS config SEEMS to be proper, though I'm fairly new to this.

    /etc/postfix/main.cf
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
    smtpd_tls_key_file = /etc/ssl/private/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = mail.arrivalalert.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = mail.arrivalalert.com, localhost.arrivalalet.com, localhost.localdomain, localhost, arrivalalert.com
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    home_mailbox = Maildir/
    mailbox_command =
    
    /etc/hosts
    Code:
    127.0.0.1       localhost localhost.localdomain
    209.20.64.86    mail.arrivalalert.com mail
    
    telnet localhost 25
    Code:
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.arrivalalert.com ESMTP Postfix (Ubuntu)
    ehlo localhost
    250-mail.arrivalalert.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    
    dig arrivalalert.com mx
    Code:
    ; <<>> DiG 9.4.1-P1 <<>> arrivalalert.com mx
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11855
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;arrivalalert.com.		IN	MX
    
    ;; ANSWER SECTION:
    arrivalalert.com.	3596	IN	MX	0 mail.arrivalalert.com.
    
    ;; Query time: 2 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sat Mar 29 17:08:53 2008
    ;; MSG SIZE  rcvd: 55
    
    dig -x 209.20.64.86
    Code:
    ; <<>> DiG 9.4.1-P1 <<>> -x 209.20.64.86
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14766
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;86.64.20.209.in-addr.arpa.	IN	PTR
    
    ;; ANSWER SECTION:
    86.64.20.209.in-addr.arpa. 86400 IN	PTR	mail.arrivalalert.com.
    
    ;; Query time: 600 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sat Mar 29 17:09:41 2008
    ;; MSG SIZE  rcvd: 78
    
    Any ideas?

    Thank you so much
     
  2. topdog

    topdog HowtoForge Supporter

    I am guessing the account noreply does not exist on your server. The remote server is trying to verify that the sender address exists, but since it does not, that's why you get the 550.
     
  3. dimitry

    dimitry New Member

    It does exist though as I can login and check that account.

    I created a unix user called 'noreply', 'abuse' and some other ones, so I definitely know they exist.

    In fact, bounced emails are found in noreply's Inbox.

    This is really confusing...
     
  4. topdog

    topdog HowtoForge Supporter

    Have you changed your hosts recently? It could be cached DNS that is still pointing to the old host.
     
  5. dimitry

    dimitry New Member

    The domain and site are brand new. So is the VPS box I got for it (SliceHost).

    I'm wondering if I didn't set up DNS properly since it's my first time messing around with that. Here's a copy from everydns.net:

    Code:
    arrivalalert.com         A       209.20.64.86             3600
    arrivalalert.com         NS      ns1.slicehost.net        3600
    arrivalalert.com         NS      ns2.slicehost.net        3600
    arrivalalert.com         NS      ns3.slicehost.net        3600
    arrivalalert.com         MX      mail.arrivalalert.com    0    3600
    mail.arrivalalert.com    A       209.20.64.86             3600
    www.arrivalalert.com     CNAME   arrivalalert.com         3600
    
     
  6. dimitry

    dimitry New Member

    Important observation. As soon as I send an email to that server that always fails, this is what I see in the log a second later (in between outgoing email and bounced email coming back).

    Mar 30 07:44:55 dimitry postfix/smtp[6575]: certificate verification failed for SOME_DOMAIN.com: num=18:self signed certificate

    So it tries to ping my server to see if 'noreply' account exists, but it doesn't pass certificate checks and gets cut off. What configuration in Postfix makes cert verification necessary?

    Thanks for your help!
     
  7. topdog

    topdog HowtoForge Supporter

    change this
    Code:
    smtpd_use_tls = yes
    to this
    Code:
    smtpd_use_tls = no
     
  8. dimitry

    dimitry New Member

    Unfortunately, that didn't work.

    Here's the full log from start of sending message to the bounce

    Code:
    Mar 30 21:52:57 dimitry postfix/smtpd[7025]: connect from c-IP-ADDRESS.hsd1.ca.comcast.net[IP-ADDRESS]
    Mar 30 21:52:57 dimitry postfix/smtpd[7025]: setting up TLS connection from c-IP-ADDRESS.hsd1.ca.comcast.net[IP-ADDRESS]
    Mar 30 21:52:57 dimitry postfix/smtpd[7025]: TLS connection established from c-IP-ADDRESS.hsd1.ca.comcast.net[IP-ADDRESS]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Mar 30 21:52:57 dimitry postfix/smtpd[7025]: 84E251D86B2: client=c-IP-ADDRESS.hsd1.ca.comcast.net[IP-ADDRESS], sasl_method=PLAIN, sasl_username=noreply
    Mar 30 21:52:57 dimitry postfix/cleanup[7029]: 84E251D86B2: message-id=<47F00BB8.9060605@arrivalalert.com>
    Mar 30 21:52:57 dimitry postfix/qmgr[7005]: 84E251D86B2: from=<noreply@arrivalalert.com>, size=682, nrcpt=1 (queue active)
    Mar 30 21:52:57 dimitry postfix/smtpd[7031]: connect from localhost[127.0.0.1]
    Mar 30 21:52:57 dimitry postfix/smtpd[7025]: disconnect from c-IP-ADDRESS.hsd1.ca.comcast.net[IP-ADDRESS]
    Mar 30 21:52:57 dimitry postfix/smtp[7030]: discarding EHLO keywords: 8BITMIME STARTTLS
    Mar 30 21:52:57 dimitry postfix/smtpd[7031]: BF3901D86B3: client=c-IP-ADDRESS.hsd1.ca.comcast.net[IP-ADDRESS]
    Mar 30 21:52:57 dimitry dkimproxy.out[2368]: DKIM signing - signed; message-id=<47F00BB8.9060605@arrivalalert.com>, signer=<noreply@arrivalalert.com>, from=<noreply@arrivalalert.com> 
    Mar 30 21:52:57 dimitry postfix/cleanup[7029]: BF3901D86B3: message-id=<47F00BB8.9060605@arrivalalert.com>
    Mar 30 21:52:57 dimitry postfix/qmgr[7005]: BF3901D86B3: from=<noreply@arrivalalert.com>, size=1643, nrcpt=1 (queue active)
    Mar 30 21:52:57 dimitry postfix/smtp[7030]: 84E251D86B2: to=<email@domain.com>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.39, delays=0.22/0.02/0.05/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BF3901D86B3)
    Mar 30 21:52:57 dimitry postfix/smtpd[7031]: disconnect from localhost[127.0.0.1]
    Mar 30 21:52:57 dimitry postfix/qmgr[7005]: 84E251D86B2: removed
    Mar 30 21:53:00 dimitry postfix/smtp[7032]: certificate verification failed for domain.com: num=18:self signed certificate
    Mar 30 21:53:02 dimitry postfix/smtp[7032]: BF3901D86B3: to=<email@domain.com>, relay=domain.com[THEIR-IP-ADDRESS]:25, delay=5, delays=0.09/0.01/2.2/2.6, dsn=5.0.0, status=bounced (host domain.com[THEIR-IP-ADDRESS] said: 550-Verification failed for <noreply@arrivalalert.com> 550-No Such User Here 550 Sender verify failed (in reply to RCPT TO command))
    Mar 30 21:53:02 dimitry postfix/cleanup[7029]: C16361D86B5: message-id=<20080330215302.C16361D86B5@mail.arrivalalert.com>
    Mar 30 21:53:02 dimitry postfix/qmgr[7005]: C16361D86B5: from=<>, size=3740, nrcpt=1 (queue active)
    Mar 30 21:53:02 dimitry postfix/bounce[7033]: BF3901D86B3: sender non-delivery notification: C16361D86B5
    Mar 30 21:53:02 dimitry postfix/qmgr[7005]: BF3901D86B3: removed
    Mar 30 21:53:02 dimitry postfix/local[7034]: C16361D86B5: to=<noreply@arrivalalert.com>, relay=local, delay=0.09, delays=0.03/0.01/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
    Mar 30 21:53:02 dimitry postfix/qmgr[7005]: C16361D86B5: removed
    
    Some interesting lines:
    dimitry postfix/smtp[7032]: certificate verification failed for domain.com: num=18:self signed certificate

    dimitry postfix/smtp[7032]: BF3901D86B3: to=<email@domain.com>, relay=domain.com[64.22.83.117]:25, delay=5, delays=0.09/0.01/2.2/2.6, dsn=5.0.0, status=bounced (host domain.com[64.22.83.117] said: 550-Verification failed for <noreply@arrivalalert.com> 550-No Such User Here 550 Sender verify failed (in reply to RCPT TO command))

    Thank you
    Dimitry
     
    Last edited: Mar 31, 2008
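
Added example (not part of the original thread): a small Python tracer that follows the message in the log above across its Postfix queue IDs (content-filter handoff, remote delivery, bounce notification). It shows that the certificate warning is a separate notice from the outbound smtp client with no queue ID attached, while the bounce itself is a remote 550 given in reply to RCPT TO. The sample log is a constructed excerpt trimmed from the post; `trace()` and the regex names are this example's own.

```python
import re

# Constructed sample: lines trimmed from the log quoted in the post above.
SAMPLE_LOG = """\
Mar 30 21:52:57 dimitry postfix/qmgr[7005]: 84E251D86B2: from=<noreply@arrivalalert.com>, size=682, nrcpt=1 (queue active)
Mar 30 21:52:57 dimitry postfix/smtp[7030]: 84E251D86B2: to=<email@domain.com>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.39, delays=0.22/0.02/0.05/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BF3901D86B3)
Mar 30 21:53:00 dimitry postfix/smtp[7032]: certificate verification failed for domain.com: num=18:self signed certificate
Mar 30 21:53:02 dimitry postfix/smtp[7032]: BF3901D86B3: to=<email@domain.com>, relay=domain.com[THEIR-IP-ADDRESS]:25, delay=5, delays=0.09/0.01/2.2/2.6, dsn=5.0.0, status=bounced (host domain.com[THEIR-IP-ADDRESS] said: 550-Verification failed for <noreply@arrivalalert.com> 550-No Such User Here 550 Sender verify failed (in reply to RCPT TO command))
Mar 30 21:53:02 dimitry postfix/bounce[7033]: BF3901D86B3: sender non-delivery notification: C16361D86B5
Mar 30 21:53:02 dimitry postfix/local[7034]: C16361D86B5: to=<noreply@arrivalalert.com>, relay=local, delay=0.09, delays=0.03/0.01/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
"""

LINE = re.compile(r"postfix/(?P<svc>\w+)\[\d+\]: (?P<rest>.*)")
QID = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<msg>.*)")
DELIVERY = re.compile(r"relay=(?P<relay>[^,]+),.*status=(?P<status>\w+) \((?P<reply>.*)\)$")
# A message changes queue ID when re-queued by a filter or turned into a bounce.
HANDOFF = re.compile(r"queued as (\w+)|non-delivery notification: (\w+)")

def trace(log, start_qid):
    """Follow one message across queue IDs; return (hops, notices without a queue ID)."""
    chain, hops, notices = [start_qid], [], []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        q = QID.match(m["rest"])
        if not q:
            notices.append((m["svc"], m["rest"]))  # e.g. TLS certificate warnings
            continue
        if q["qid"] not in chain:
            continue
        h = HANDOFF.search(q["msg"])
        if h:
            chain.append(h[1] or h[2])
        d = DELIVERY.search(q["msg"])
        if d:
            stage = re.search(r"in reply to (.+?) command", d["reply"])
            hops.append({"qid": q["qid"], "relay": d["relay"], "status": d["status"],
                         "stage": stage[1] if stage else None, "reply": d["reply"]})
    return hops, notices

if __name__ == "__main__":
    for hop in trace(SAMPLE_LOG, "84E251D86B2")[0]:
        print(hop["qid"], hop["relay"], hop["status"], hop["stage"])
```
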
  9. dimitry

    dimitry New Member

    It's worth noting that I use DKIM outgoing mail signing. Not sure if that could be an issue or not.
     
  10. falko

    falko Super Moderator

  11. dimitry

    dimitry New Member

    Wow, ok, finally figured it out.

    Our domain used to be hosted on the server I was trying to send an email to. We moved it to the new box, updated the DNS, but never actually deleted the account on that old hosting account (on which my buddy's other site and email (email@domain.com) are hosted).

    I guess the receiving server was getting confused and was trying to verify if 'noreply' account exists on the old server. GRRRR

    So sorry guys. At least I got a chance to learn what every single configuration does in Postfix! Thanks for helping me out.
     
