On Wed, Nov 23, 2011 at 10:29:54AM -0600, Stan Hoeppner wrote:

> On 11/23/2011 9:52 AM, Islam, Towhid wrote:
> > I have been puzzled over this for a while and do not know what causes the 
> > problem or what is really happening.
> > 
> > I have two internet mail relay servers, let's call them mr1 and mr2.  Both
> > are identical in configuration but have different host names and IP
> > addresses, and are running simultaneously.  Every now and then I notice that
> > some incoming mail is stuck in mr1's mail queue because it tries to
> > contact/send the mail to mr2 where it times out.  Something like:
> > 
> >         6E60C5F3CAF     2784 Wed Nov 23 10:26:04 tis...@yahoo.com
> >                         (connect to mr2.junk.com[xx.xxx.xx.xx]:25: Operation timed out)
> > 
> > My question is why does this happen?  Why does mr1 try to
> > connect to mr2 where it times out for some reason?  Why does it
> > not accept (receive) the (incoming) mail from yahoo itself and
> > process for delivery (to the next hop which is located on the other
> > side of the firewall)?  How do I resolve the problem?  Thanks.

Perhaps missing proxy_interfaces definitions on servers behind a
NAT firewall, so the two servers don't know that they are MX hosts
for the domain (the IPs don't match), and may attempt to forward
to each other, using external addresses that they can't reach.

There may also be issues with inet_interfaces and smtp_bind_address
(the OP should read the documentation for these parameters) if the
machines have multiple network interfaces.

        http://www.postfix.org/postconf.5.html#inet_interfaces
        http://www.postfix.org/postconf.5.html#proxy_interfaces
        http://www.postfix.org/postconf.5.html#smtp_bind_address

Typically this also means that the DNS view of the domain's MX
records as seen by the servers is likely the external one, but
they probably need an internal view that presents only the internal
SMTP servers for the domain. The OP must either implement a suitable
internal DNS view or make sure transport settings are properly defined
for inbound domains.

        http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

--
        Viktor.
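
The reply above names two causes: a relay behind NAT that does not recognise its own MX entry, and an external DNS view with no transport override. The following is an added example, not part of the original message and not Postfix source code: a simplified model of how the SMTP client prunes an MX list once it knows which addresses are its own. The function name `next_hops`, the host names and all addresses are constructed for illustration.

```python
# Simplified model of how the Postfix SMTP client prunes an MX list.
# All host names and addresses below are constructed sample data.
from ipaddress import ip_address

def next_hops(mx_records, own_addresses):
    """Return (hosts_to_try, note) for one destination domain.

    mx_records: list of (preference, hostname, ip) as seen in DNS.
    own_addresses: addresses Postfix treats as itself, i.e. the
    inet_interfaces addresses plus anything in proxy_interfaces.
    """
    own = {ip_address(a) for a in own_addresses}
    records = sorted(mx_records, key=lambda r: r[0])
    self_prefs = [pref for pref, _, ip in records if ip_address(ip) in own]
    if not self_prefs:
        # The server does not recognise itself in the MX list, so every
        # MX host (its own external address included) is a candidate.
        return [h for _, h, _ in records], "self not found in MX list"
    # Found itself: keep only MX hosts that are strictly more preferred.
    best_self = min(self_prefs)
    kept = [h for pref, h, _ in records if pref < best_self]
    if not kept:
        return [], "no better MX left: needs a transport entry or internal DNS view"
    return kept, "forward to more preferred MX hosts"

# External DNS view (constructed): both relays are equal-preference MX hosts.
EXTERNAL_MX = [(10, "mr1.example.com", "203.0.113.11"),
               (10, "mr2.example.com", "203.0.113.12")]
MR1_INTERNAL = ["10.0.0.11", "127.0.0.1"]      # inet_interfaces on mr1
MR1_NAT = ["203.0.113.11"]                     # proxy_interfaces on mr1

def demo():
    without = next_hops(EXTERNAL_MX, MR1_INTERNAL)
    with_proxy = next_hops(EXTERNAL_MX, MR1_INTERNAL + MR1_NAT)
    return without, with_proxy

if __name__ == "__main__":
    labels = ("no proxy_interfaces", "proxy_interfaces set")
    for label, (hosts, note) in zip(labels, demo()):
        print(f"{label}: try {hosts} ({note})")
```

In the first case mr1 queues the mail and tries the external addresses of both relays, which matches the timeout in the queue listing; in the second it recognises itself, and the empty result shows why a transport entry or an internal DNS view is still needed.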
