I’ve moderate expertise with Postfix and sys admin in general, and after 10
days of beating my head against this particular brick wall am posting this
overly long, rather tedious question because I’ve exhausted my other resources
but am not quite ready to throw in the towel.
That said…
Here’s a simplified, sanitized description of the problem, using only two
servers. I run an ISP-style setup using OS X Server 10.6 and Postfix. Each
server should act as MX backup for the other. Both test servers use virtual
domains and OS X Server style aliases held in a shared Open Directory/LDAP
domain.
Setup
Server #1
ip: 111.111.111.001
host name: wheat.glutinous.com
test virtual domain: sourdough.com
test account: bryan_sourdough_com
test address: [email protected]
virtual_alias_maps: [none]
virtual_alias_domains: sourdough.com
relay_domains: pumpernickle.com
Server #2
ip: 111.111.111.002
host name: rye.glutinous.com
test virtual domain: pumpernickle.com
test account: bryan_pumpernickle_com
test address: [email protected]
virtual_alias_maps: [none]
virtual_alias_domains: pumpernickle.com
relay_domains: sourdough.com
The Problem
The hosts of [email protected] and [email protected] happily exchange
mail with any server on earth except for each other. If [email protected]
sends mail to [email protected], its host wheat.glutinous.com creates the
account bryan_pumpernickle_com on itself, and receives the message itself. It
never contacts the destination host of [email protected]
(rye.glutinous.com) at all.
And vice versa. When asked to speak to each other, the two servers become
neurotically introspective, stare into their own navels, and send test messages
to themselves. They believe they're responsible for domains that actually
belong to other hosts.
There are no hidden aliases anywhere that I’ve failed to mention. I’ve queried
all the relevant hash files to make sure they respond with the correct
information.
The only account aliases are held in the shared LDAP domain. For reasons I
don’t understand, any server with access to the LDAP directory believes itself
solely responsible for every address it can see, without regard for entries in
virtual_alias_domains, relay_domains, or MX precedence. (Aside… This behavior
changed from OSXS 10.5 to 10.6.)
There are no log errors per se, since the hosts all believe they’re behaving
perfectly.
DNS
DNS for all hosts and virtual domains resolves correctly. MX records look like
this:
sourdough.com. 3600 IN MX 10 mail.wheat.glutinous.com.
sourdough.com. 3600 IN MX 20 mail.rye.glutinous.com.
pumpernickle.com. 3600 IN MX 10 mail.rye.glutinous.com.
pumpernickle.com. 3600 IN MX 20 mail.wheat.glutinous.com.
A Clue
Continuing the example above, if I create the following entry in virtual_users,
the problem vanishes and everything works.
[email protected] [email protected]
Unfortunately, this kludge won't scale well - it isn't something I can turn
over to the non-geeks who will ultimately manage the day-to-day stuff.
Failed Solutions
I’ve attempted to solve the problem using transport_maps. For example, on
wheat.glutinous.com:
main.cf
transport_maps = hash:/etc/postfix/transport
transport
gurgitate.org smtp:[mail.gilded-bat.laughingboot.net]
.gurgitate.org smtp:[mail.gilded-bat.laughingboot.net]
This has no effect.
I’ve also lobotomized main.cf, simplifying it as much as possible, to no avail.
The Kindness of Strangers
My reach has exceeded my grasp, my brain is fried, and I just don’t get it. I
particularly don’t understand why telling wheat.glutinous.com that
[email protected] should be forwarded to itself persuades it to behave itself and
send the message off to rye.glutinous.com.
The output of postconf -n for wheat.glutinous.com is below.
I’m going to take a break, repair the espresso machine, and pray I can depend on
the kindness of strangers.
Thanks,
Bryan
postconf -n for wheat.glutinous.com:
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = localhost
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 52428800
mydomain = sourdough.com
mydomain_fallback = localhost
myhostname = wheat.glutinous.com
mynetworks = 127.0.0.0/8 111.111.111.001 111.111.111.002
newaliases_path = /usr/bin/newaliases
owner_request_special = no
permit_mx_backup_networks = $mynetworks
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relay_domains
relay_recipient_maps =
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_sasl_authenticated permit_mynetworks reject_rbl_client zen.spamhaus.org permit
smtpd_data_restrictions = permit_mynetworks reject_unauth_pipelining reject_multi_recipient_bounce permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks check_helo_access hash:/etc/postfix/helo_access reject_non_fqdn_helo_hostname reject_invalid_helo_hostname permit
smtpd_pw_server_security_options = cram-md5 login plain
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_non_fqdn_sender reject_unknown_sender_domain reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated permit_mx_backup reject_unauth_destination reject_non_fqdn_hostname reject_invalid_hostname reject_unlisted_recipient reject_rhsbl_recipient zen.spamhaus.org permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks reject_non_fqdn_sender reject_rhsbl_sender zen.spamhaus.org reject_unknown_sender_domain permit
smtpd_tls_CAfile = /etc/certificates/wheat.glutinous.com.B5E2C62A67054B9826A2F9E30921B8812B17EA4E.chain.pem
smtpd_tls_cert_file = /etc/certificates/wheat.glutinous.com.B5E2C62A67054B9826A2F9E30921B8812B17EA4E.cert.pem
smtpd_tls_exclude_ciphers = SSLv2 aNULL ADH eNULL
smtpd_tls_key_file = /etc/certificates/wheat.glutinous.com.B5E2C62A67054B9826A2F9E30921B8812B17EA4E.key.pem
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
virtual_alias_maps = $virtual_maps hash:/etc/postfix/virtual_users