On Sat, Jan 16, 2021 at 03:11:58PM -0700, Gary Aitken wrote:

> I'm trying to set up a postfix-server on a google-compute-engine vm that
> works as follows:
>
> * outgoing mail from local machine (aaa.xxx.com) to a select few specific
>   addresses and any address on a specific domain (yyy.com)
> * incoming mail from a single domain only (yyy.com)
>
> DNS is set with MX as aaa.xxx.com, although the IP on the ipv4 interface is
> an internal google address, not the one returned for aaa.xxx.com.
>
> I've set the following:
>
> /etc/aliases
> postmaster: root
> root: m...@yyy.com
> foo-admin: u...@yyy.com,u...@yyy.com
>
> /etc/mailname:
> xxx.com
>
> /etc/postfix/access
> xxx.com OK
> yyy.com OK
> * 5.2.1 No incoming mail allowed
You say *outgoing* mail to these domains, but from which sources? Just
"mynetworks"?

> /etc/postfix/main.cf:
> smtpd_tls_cert_file=/path/to/fullchain.pem
> smtpd_tls_key_file=/path/to/privkey.pem
> smtpd_use_tls=yes
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

It seems you intend to receive some mail via inbound SMTP...

> recipient_restrictions = check_recipient_access hash:/etc/postfix/access

There is no such parameter in Postfix. Perhaps you wanted
"smtpd_recipient_restrictions".

* If you're using Postfix >= 3.3, unless $compatibility_level is set to a
  value > 0, the default "smtpd_relay_restrictions" is empty, and the above
  configuration will fail for lack of "reject-by-default" relay control.

* With Postfix 2.10 through 3.2, or compatibility_level >= 1, with the
  default "smtpd_relay_restrictions", this allows outbound mail from just
  mynetworks. However, the default relay restrictions "defer" unauthorised
  relay attempts; you should generally "reject" once the configuration is
  deemed correct.

> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_tls_security_level = may
> smtp_tls_loglevel=2

This TLS log level is too verbose for anything other than expert debugging.
Set it back to 1.

> smtp_tls_relay_restrictions = permit_mynetworks
> permit_sasl_authenticated defer_unauth_destination

What is this?

> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 yyy.com

Hostnames in mynetworks are fragile, and not recommended; I don't recall
whether they're still supported, but even if they are, you should not use
them. So no "yyy.com" here.

> /etc/postfix/master.cf:
> #smtp inet n - y - - smtpd
> submission inet n - y - - smtpd

This looks like a submission service, so you would generally require TLS.
> When I attempt to send mail out using the mail command, the log shows:
>
> Jan 16 21:20:05 ggg postfix/qmgr[13811]: 3CF5C3F3A5: from=<m...@xxx.com>,
> size=423, nrcpt=1 (queue active)
> Jan 16 21:20:05 ggg postfix/smtp[13860]: initializing the client-side TLS
> engine
> Jan 16 21:20:06 ggg postfix/smtp[13820]: connect to xxx.com[a.b.c.d]:25:
> Connection timed out
> Jan 16 21:20:06 ggg postfix/smtp[13829]: connect to xxx.com[a.b.c.d]:25:
> Connection timed out
>
> questions:
> 1. Why is it attempting to send mail on port 25 and not 587?

You have nothing in your configuration that would direct outbound traffic to
port 587, and it is likely not what you want anyway. Does "xxx.com" really
receive inbound email on port 587? If so, you'd need a transport table entry
to send it there, and probably SASL to authenticate your access to that
service.

> 2. Why is it trying to connect to itself (xxx.com)?
> Note: the interface IP addr is of an internal google network,
> not the external DNS address which points to this machine.

Because the recipient domain is not listed in mydestination, or
virtual_mailbox_domains, and the MX host of the recipient domain (or the
domain itself otherwise) is "xxx.com".

The Postfix book by Ralf and Patrick is probably a good first resource if the
material in:

    http://www.postfix.org/BASIC_CONFIGURATION_README.html
    http://www.postfix.org/STANDARD_CONFIGURATION_README.html
    http://www.postfix.org/SOHO_README.html

assumes more background than you already have.

-- 
Viktor.
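The following main.cf and master.cf fragment is an added example, not part of Viktor's reply or of Gary's posted configuration. It collects the individual points raised in the reply into one consistent shape: the parameter is smtpd_recipient_restrictions, relay control is explicit and rejects by default instead of relying on an empty or "defer" default, smtp_tls_loglevel goes back to 1, mynetworks carries no hostnames, and the submission service requires TLS. The certificate paths and the xxx.com / yyy.com names are the placeholders from the thread; the commented transport entry and the SASL settings are hypothetical and assume a SASL backend is configured separately. It does not settle the "incoming mail only from yyy.com" design, which depends on the answers to the questions Viktor asks above.

```conf
# /etc/postfix/main.cf  (added example; placeholder names and paths)

# Only the loopback networks belong here; no hostnames such as "yyy.com".
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# Reject-by-default relay control, stated explicitly so it does not depend
# on the Postfix version or on compatibility_level.
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# The real parameter name (there is no "recipient_restrictions").
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/access

# Server-side TLS; smtpd_tls_security_level is the current form of the
# legacy smtpd_use_tls=yes.
smtpd_tls_cert_file = /path/to/fullchain.pem
smtpd_tls_key_file = /path/to/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# Client-side TLS; loglevel 1 unless actively debugging a TLS problem.
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Hypothetical, only if the destination really accepts mail on port 587:
# a transport table entry routes that domain there, and client-side SASL
# would normally be needed to authenticate to such a service.
#transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport would then contain a line such as:
#   xxx.com   smtp:[mailhost.example]:587

# /etc/postfix/master.cf  (added example)
# Port 25 stays commented out as in the original; the submission service
# requires TLS and authentication, and relays only for authenticated clients.
#smtp      inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After editing, `postmap /etc/postfix/access` (and `/etc/postfix/transport` if used) rebuilds the hash tables, and `postfix check` reports any parameter names Postfix does not recognise, which is how the original "recipient_restrictions" typo would have been caught.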