Postfix masquerading problem

I’m trying to get to grips with postfix.

I created a new server (this has NOTHING to do with the old server with sendmail on it.)

I followed the instructions from one of the websites and it works, no problem

I need to masquerade sender@office.myDomain.com to sender@myDomain.com as I did with sendmail.

I added the line:

smtp_generic_maps = hash:/etc/postfix/generic to /etc/postfix/main.cf

I added the line mail1@office.myDomain.com mail1@myDomain.com

I execute postmap /etc/postfix/generic and I get a warning

postmap: warning: /etc/postfix/main.cf, line 135: overriding earlier entry: inet_interfaces=$myhostname, localhost

Restart postfix and the masquerade doesn’t work.

What am I doing wrong?

After seeing this same problem unanswered on so many other forums it appears that masquerading on Postfix just doesn’t work.

You should probably use this instead in /etc/postfix/main.cf:

sender_canonical_maps = hash:/etc/postfix/sender_canonical

and then in /etc/postfix/sender_canonical put:

sender@office.mydomain.com sender@mydomain.com

and then do:

postmap /etc/postfix/sender_canonical

After this it should be enough to restart postfix. The postfix docs tend to explain this strategy: Postfix Address Rewriting

That’s obviously for sending emails, for receiving, then you use the appropriate canonical option in the docs (recipient_canonical_maps)

Your error:

means you have two entries of inet_interfaces in main.cf so remove the duplicate and incorrect one. inet_interfaces should not be $myhostname or anything like that, if you are unsure just put:

inet_interfaces = all

but I would check both entries that you have, since first there should only be one, and secondly, it should be configured properly.
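The "overriding earlier entry" warning above appears when main.cf assigns the same parameter twice. As an added example (not part of any post in this thread; the sample file is constructed and the function names are hypothetical), this shell function lists such duplicate assignments while skipping comment lines and continuation lines:

```shell
# Constructed sample main.cf; values mirror the warning quoted in the thread.
sample_main_cf() {
cat <<'EOF'
# constructed sample, not the poster's real file
inet_interfaces = $myhostname, localhost
mynetworks = 192.168.0.0/24,
    127.0.0.0/8
#inet_interfaces = localhost
inet_interfaces = all
sender_canonical_maps = hash:/etc/postfix/sender_canonical
EOF
}

# find_duplicate_params FILE
# Prints one line for every assignment that overrides an earlier one.
find_duplicate_params() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comment or blank line
        /^[ \t]/                 { next }   # leading whitespace: continuation line
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)         # parameter name without padding
            if (name in seen)
                printf "%s: line %d overrides line %d\n", name, NR, seen[name]
            seen[name] = NR
        }
    ' "$1"
}

tmp=$(mktemp)
sample_main_cf > "$tmp"
find_duplicate_params "$tmp"
rm -f "$tmp"
```

On a real server, point the function at /etc/postfix/main.cf and keep only the assignment you intend to be active.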

There is no folder named sender_canonical. I only have a folder canonical. Is that the one you mean?

Is ‘sender’ a literal or should it be replaced by user name(s) or what?

You create a file called sender_canonical like I mentioned in my previous post, and inside that file you put the information in the format I suggested. The same as when you created the /etc/postfix/generic file.

sender@office.mydomain.com sender@mydomain.com

the first address being the one that you want to change, and the second one being the one you want to change it to.
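On whether "sender" is a literal: as an added example (not part of the posts above), this shell function gives a simplified emulation of how a canonical(5) table is searched, first for the full address and then for the "@domain" form. It goes beyond the thread by also showing a domain-wide entry, where a result of the form @otherdomain keeps the original user part. The table contents and function names are constructed for illustration; on a live system `postmap -q` against the real table is the authoritative check.

```shell
# Constructed sample table: the per-user entry from the thread, plus a
# domain-wide entry that rewrites every sender in office.mydomain.com.
sample_table() {
cat <<'EOF'
# constructed sample
sender@office.mydomain.com   sender@mydomain.com
@office.mydomain.com         @mydomain.com
EOF
}

# canonical_rewrite TABLE ADDRESS  -> prints the rewritten address
canonical_rewrite() {
    awk -v addr="$2" '
        BEGIN {
            at    = index(addr, "@")
            user  = substr(addr, 1, at - 1)
            laddr = tolower(addr)               # lookup keys are case-folded
            ldom  = tolower(substr(addr, at))   # the "@domain" search key
        }
        /^[ \t]*#/ || NF < 2 { next }           # skip comments and blank lines
        { key = tolower($1) }
        key == laddr              { full = $2 } # first choice: user@domain
        key == ldom && wild == "" { wild = $2 } # fallback: @domain
        END {
            res = (full != "") ? full : wild
            if (res == "") res = addr                            # no match
            else if (substr(res, 1, 1) == "@") res = user res   # keep user part
            print res
        }
    ' "$1"
}

table=$(mktemp)
sample_table > "$table"
for a in sender@office.myDomain.com mail1@office.mydomain.com user@example.org; do
    printf '%s -> %s\n' "$a" "$(canonical_rewrite "$table" "$a")"
done
rm -f "$table"
```

With only the first entry in the table, mail1@office.mydomain.com would pass through unchanged, because that line matches the literal address sender@office.mydomain.com and nothing else.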

In Main.cf

smtp_tls_security_level = may
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
## Added by henry 12/08/2022
## smtp_generic_maps = hash:/etc/postfix/generic
sender_canonical_maps = hash:/etc/postfix/sender_canonical

Created the file sender_canonical

added the line sender@office.mydomain.com sender@mydomain.com
(Substituting office,myDomain and myDomain with the correct info)

Ran

postmap /etc/postfix/sender_canonical (no Errors)

Restarted Postfix. checked status - no errors

Sent myself a message header below

Return-path: <myname@myDomain>
Received: from tspf1.office.myDomain ([192.168.0.205])
	by TSGW1.office.myDomain with ESMTP; Sun, 14 Aug 2022 19:02:51 +0200
Message-ID: <77a9c35cab5066e529eddc9baa177ec8b3a74786.camel@myDomain>
Subject: Test Postfix Masquerading
From: Henry Martin <myname@myDomain>
Reply-To: myname@myDomain
To: myname@myDomain
Date: Sun, 14 Aug 2022 19:02:50 +0200
Organization: My Organization
Content-Type: text/plain
X-Mailer: Evolution 3.28.5 (3.28.5-18.el8) 
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Undeliverable to myName@protonmail.com (Unable to relay)

So this is the problem. Either your ISP is blocking this machine from sending SMTP emails, or you have postfix incorrectly configured. You would need to post the entire main.cf and master.cf from the /etc/postfix directory for anyone to actually know what changes you have made, and whether they are incorrect or not. Please copy and paste that here. Please do not post as a screenshot. Best is to copy/paste the text.

And please post properly using the appropriate formatting tools that this forum allows, because posting text without formatting in code blocks means we cannot read it properly. I have edited your post above to give you an example of how to do this.

> compatibility_level = 2
> 
> command_directory = /usr/sbin
> 
> daemon_directory = /usr/libexec/postfix
> 
> data_directory = /var/lib/postfix
> 
> myhostname = tspf1.office.myDomain.com
> #myhostname = virtual.domain.tld
> 
> mydomain = office.myDomain.com
> 
> inet_interfaces = all
> #inet_interfaces = $myhostname
> #inet_interfaces = localhost
> #inet_interfaces = localhost
> #inet_interfaces = $myhostname
> 
> inet_protocols = all
> 
> unknown_local_recipient_reject_code = 550
> 
> mynetworks = 192.168.0.0/24, 127.0.0.0/8
> #mynetworks = $config_directory/mynetworks
> #mynetworks = hash:/etc/postfix/network_table
> 
> #alias_maps = dbm:/etc/aliases
> alias_maps = hash:/etc/aliases
> #alias_maps = hash:/etc/aliases, nis:mail.aliases
> #alias_maps = netinfo:/aliases
> 
> #alias_database = dbm:/etc/aliases
> #alias_database = dbm:/etc/mail/aliases
> alias_database = hash:/etc/aliases
> #alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
> 
> #home_mailbox = Mailbox
> home_mailbox = Maildir/
> 
> debug_peer_level = 2
> 
> debugger_command =
> PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
> ddd $daemon_directory/$process_name $process_id & sleep 5
> 
> sendmail_path = /usr/sbin/sendmail.postfix
> 
> newaliases_path = /usr/bin/newaliases.postfix
> 
> mailq_path = /usr/bin/mailq.postfix
> 
> setgid_group = postdrop
> 
> html_directory = no
> 
> manpage_directory = /usr/share/man
> 
> sample_directory = /usr/share/doc/postfix/samples
> 
> readme_directory = /usr/share/doc/postfix/README_FILES
> 
> smtpd_use_tls = yes
> smtpd_tls_cert_file = /etc/postfix/mail.crt
> 
> smtpd_tls_key_file = /etc/postfix/mail.key
> 
> smtpd_tls_security_level = may
> 
> smtp_tls_CApath = /etc/pki/tls/certs
> 
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> 
> smtp_tls_security_level = may
> meta_directory = /etc/postfix
> shlib_directory = /usr/lib64/postfix
> ## Added by me 12/08/2022
> ## smtp_generic_maps = hash:/etc/postfix/generic
> sender_canonical_maps = hash:/etc/postfix/sender_canonical

Nothing stands out in the configuration as being problematic. Usually though you would need a DNS A record for tspf1.office.myDomain.com. as the unable to relay, assuming that mydomain.com is your normal Groupwise server could be the server rejecting the email, or as mentioned before, it could be your ISP not allowing you to send SMTP port 25 from that particular server that you have created.

My ISP does NOT block any ports. I block them and open them on OPNsense Firewall and 25 and 110 are open.

I have a DNS entry for office.MyDomain.com. The MX record points to the sub-domain office.myDomain.com.

My normal mail server is (you have it) tsxx1.office.myDomain.com and the new server is tspf1.office.myDomain.com. All mail out and in is to and from myDomain.com, not office.myDomain.com, that is what I’m trying to masquerade.

Ah, that may be the problem. I haven’t created a public DNS record for it, only an internal private one. I didn’t want to make it public until it was working. Could this be the problem?

Difficult to say. The only information I can go on is what you posted which was unable to relay.

So either this means it’s because your mail server rejected it because it doesn’t have an SMTP entry, or your mail server doesn’t allow relay for your internal network, so according to postfix that mail server would need to allow: 192.168.0.0/24 assuming of course that is your internal network. But you haven’t provided enough information for us to know whether this is the case or not. Another option for unable to relay is that it is caused by the ISP - you say that this is not the case, so then it doesn’t leave many other options other than what I have written so far.

So in summary, your main mail server doesn’t want to accept email from postfix because of missing DNS A record, or that postfix is unable to communicate with your main mail server, either because the port is blocked, or because it doesn’t allow relaying from your internal network.

Unfortunately it will be impossible to help further with this problem because it means you need to paste the full logs showing the email delivery failure from the postfix side, as well as from the Groupwise Mail server. And you need to paste it without redacting too much information, because when it is heavily redacted, then it’s impossible to know what was sent from where and what to. Therefore, I suggest you take a look at the logs, and take into account what I’ve posted, that should give you an idea of what you need to unblock/configure to allow it to work.

NO, my mail server does not reject. I had mail going through to Proton mail from this server when I was using the generic, but it always arrived from tspf1.office.myDomain.com and NOT as tspf1.myDomain.com, so even though it was coming from the wrong network, it was accepted.

Tomorrow, I’ll go back to the generic as I managed to get it to work and post a complete accepted mail, and the maillog
My bedtime

This was sent using Sendmail from the other server. I still get no joy with Postfix. So it isn’t my ISP and it isn’t my own server rejecting sendmail.

> Return-Path: <myName2@myDomain.com>
> X-Original-To: MyName@protonmail.com
> Delivered-To: MyName@protonmail.com
> Received: from rocky-86.office.myDomain.com (unknown [99.999.999.999]) (using
>  TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>   key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No
>  client certificate requested) by mailin024.protonmail.ch (Postfix) with ESMTPS id
>  4M6PWC3TjGz9vNPW for <MyName@protonmail.com>; Tue, 16 Aug 2022 08:31:19 +0000 (UTC)
> Received: from localhost (localhost [127.0.0.1]) by rocky-86.office.myDomain.com
>  (8.15.2/8.15.2) with ESMTP id 27G8VCq9303707; Tue, 16 Aug 2022 10:31:13 +0200
> Authentication-Results: mailin024.protonmail.ch; arc=none smtp.remote-ip=99.999.999.999
> Authentication-Results: mailin024.protonmail.ch; dkim=none
> Authentication-Results: mailin024.protonmail.ch; spf=pass
>  smtp.mailfrom=myDomain.com
> Authentication-Results: mailin024.protonmail.ch; dmarc=pass (p=none dis=none)
>  header.from=myDomain.com
> Message-Id: <7365d8090697dee1fb2db76268acbcac00b605e6.camel@myDomain.com>
> Subject: Testing Sendmail with SPF DMARC and Masqueraing
> From: My Name <myName2@myDomain.com>
> Reply-To: myName2@myDomain.com
> To: myName2@myDomain.com
> Cc: MyName@protonmail.com
> Date: Tue, 16 Aug 2022 10:31:12 +0200
> Organization: My COMPANY
> Content-Type: text/plain
> X-Mailer: Evolution 3.28.5 (3.28.5-18.el8)
> Mime-Version: 1.0
> Content-Transfer-Encoding: quoted-printable
> X-Spamd-Result: default: False [2.70 / 25.00]; HFILTER_HOSTNAME_UNKNOWN(2.50)[];
>  R_MISSING_CHARSET(0.50)[]; DMARC_POLICY_ALLOW(-0.50)[myDomain.com,none];
>  MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+ip4:85.234.199.231/32];
>  MIME_GOOD(-0.10)[text/plain]; NEURAL_HAM(-0.00)[-0.982]; MIME_TRACE(0.00)[0:+];
>  RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:9031, ipnet:85.234.192.0/19, country:BE];
>  R_DKIM_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[];
>  HAS_REPLYTO(0.00)[myName2@myDomain.com]; HAS_ORG_HEADER(0.00)[];
>  TO_MATCH_ENVRCPT_SOME(0.00)[]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[];
>  RCPT_COUNT_TWO(0.00)[2]; REPLYTO_ADDR_EQ_FROM(0.00)[]; RCVD_COUNT_TWO(0.00)[2];
>  TO_DN_NONE(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]
> X-Rspamd-Queue-Id: 4M6PWC3TjGz9vNPW
> X-Rspamd-Server: cp3-mailin-024.plabs.ch
> X-Pm-Origin: external
> X-Pm-Transfer-Encryption: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> X-Pm-Content-Encryption: on-delivery
> X-Pm-Spamscore: 1
> X-Pm-Spam-Action: inbox
> 
> 

99.999.999.999 = My ISP’s gateway.

Could you run “postconf -v | grep -i restriction” from your Postfix server as well. And add in here
Didn’t see any statement of “smtpd_client_restrictions” nor “smtpd_sender_restrictions”
(Also, might be good to have the full output from ‘postconf -v’)

Might be so that Postfix nowadays has those set by default, but I am always adding “permit_mynetworks” to both of them in Postfix, and then make sure that all my client IP networks are fully defined in “mynetworks”.
I think the “unable to relay” message is in fact a message from your Postfix server.

Btw, your mail client is on IP net 192.168.0.0/24?

postconf -v | grep -i restriction
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps $smtpd_client_restrictions $smtpd_helo_restrictions $smtpd_sender_restrictions $smtpd_relay_restrictions $smtpd_recipient_restrictions $address_verify_sender_dependent_default_transport_maps $address_verify_sender_dependent_relayhost_maps $address_verify_transport_maps $fallback_transport_maps $lmtp_discard_lhlo_keyword_address_maps $lmtp_pix_workaround_maps $lmtp_sasl_password_maps $lmtp_tls_policy_maps $mailbox_command_maps $mailbox_transport_maps $postscreen_discard_ehlo_keyword_address_maps $rbl_reply_maps $sender_dependent_default_transport_maps $sender_dependent_relayhost_maps $smtp_discard_ehlo_keyword_address_maps $smtp_pix_workaround_maps $smtp_sasl_password_maps $smtp_tls_policy_maps $smtpd_discard_ehlo_keyword_address_maps $smtpd_milter_maps $virtual_gid_maps $virtual_uid_maps
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions =
smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}
smtpd_restriction_classes =
smtpd_sender_restrictions =

Ok,

I have this in most of my Postfix installations
smtpd_client_restrictions = permit_mynetworks

(I do have a few more restrictions as well, but this gives at least my clients access to use Postfix as an internal “Relayer”)

As for sender (recipient are local) I do have this at my outer Postfix as well.
smtpd_sender_restrictions = regexp:/etc/postfix/forbid_from, permit_mynetworks, reject_unknown_sender_domain, reject_rhsbl_sender zen.spamhaus.org

And mynetworks are defined as:
mynetworks = 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24

This will allow those networks to per definition use my Postfix as an SMTP relayer

/Micke
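With permit_mynetworks in the relay restrictions (the default shown in the postconf output above), any client whose address falls inside mynetworks may relay. As an added example (not part of any post; IPv4 only, function names hypothetical), this shell check tests a client address against a mynetworks value, using the address 192.168.0.205 from the Received header and the two mynetworks lists quoted in the thread:

```shell
# ip_to_int A.B.C.D  -> prints the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                        # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_mynetworks IP "net/bits, net/bits ..."  -> exit status 0 if IP is covered
in_mynetworks() {
    ip=$(ip_to_int "$1")
    for net in $(echo "$2" | tr ',' ' '); do
        base=${net%/*}
        bits=${net#*/}
        [ "$bits" = "$net" ] && bits=32      # bare address means a /32
        if [ "$bits" -eq 0 ]; then
            mask=0
        else
            mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        fi
        if [ $(( ip & mask )) -eq $(( $(ip_to_int "$base") & mask )) ]; then
            return 0
        fi
    done
    return 1
}

POSTER_NETS="192.168.0.0/24, 127.0.0.0/8"                      # from the posted main.cf
MICKE_NETS="192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24"    # from the reply above

for nets in "$POSTER_NETS" "$MICKE_NETS"; do
    if in_mynetworks 192.168.0.205 "$nets"; then
        echo "192.168.0.205 may relay with mynetworks = $nets"
    else
        echo "192.168.0.205 is outside mynetworks = $nets"
    fi
done
```

Keep the list as narrow as the real client ranges, since every address it covers is allowed to relay without authentication.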

Btw,

smtpd_sender_restrictions is just to block a few SMTP senders that I do not trust, and allow those I really trust. You could at this point leave it blank as you already do have

/Micke

Ah,
just realised, I do have 127.0.0.1/32 within mynetworks defined as well. FYI

Where do I change this?

In main.cf file, i.e. same file as you do have your “mynetworks” statement
Put it last in your main.cf file, or make sure that you do not have a conflicting statement. Hence the “postconf -v” which will always show you the correct configured values.