Configure postfix to accept inbound mail only from Google

I like to host my own email on a Mac Mini running OS X Server. I’ve also looked for solutions that allow filtering out SPAM before the mail gets sent to my server. For many years I used Postini’s spam filtering service to clean incoming email before Postini forwarded the mail on to my server. I now use Google mail, part of the Google Apps service, to remove spam and to archive all the mail.
The approach of letting Google clean email before sending the mail on to my OS X Server uses two domains: a “public” domain for incoming email and a “private” domain used only for forwarding the filtered email to OS X Server.
All went well with the default Postfix configuration that came with OS X Server for a few months; then SPAM started creeping into my “private” domain as various spammers discovered my private email address and started sending mail directly to the Mac Mini, bypassing Google.
Whenever I had spare time I would search the web for how to configure Postfix on OS X Server so that email from Google and my other machines would be accepted and all other email would be blocked. There were lots of write-ups on how to relay outgoing email to Google, but I couldn’t find straightforward instructions for configuring Postfix to only allow incoming email forwarded by Google or coming from my machines and block all other sources.
With a Google Apps account you get telephone support, so I gave Google a call and within a few rings got a very pleasant guy who listened to what I wanted to do. He didn’t have the configuration set up, but did offer to send me a document showing the blocks of IP addresses Google uses for sending email.
I’ve posted several requests for help doing this type of configuration and never received responses that made sense. So, in the interest of helping anyone else who wants to configure Postfix to accept inbound email connections from a set of specific IP addresses and refuse all other connections, here is what will get you going:
Use your favorite text editor to edit the Postfix configuration file (I use BBEdit, but use whatever you like).
On the OS X Server open this file:
/Library/Server/Mail/Config/postfix/main.cf
Immediately do a “save as…” to make a backup copy with a different name, such as …main.cf.back1, in the same directory so you can revert to the backup if necessary.
Substitute your domain names and addresses in the following commands:
public.com - change to your publicly advertised routable domain
hidden.com - change to your OS X Server routable domain
lan.com - change to your OS X Server LAN domain; it should be registered to keep things clean and shouldn’t be .local
10.6.18.0/24 - change to your LAN subnet
host - change to your host name
aaa.bbb.ccc.ddn - change to the publicly routable IP addresses provided by your ISP
Your Postfix configuration file should contain these commands (and probably more). Each situation varies, so do what you have to for your situation.
Have Postfix add your public domain name to the email header:
myorigin = public.com
mydomain_fallback = localhost
message_size_limit = 41943040
biff = no
Let Postfix know your LAN network, the routable addresses you have from your ISP, and the Google networks where the Google email servers live. Get the latest list of Google networks hosting email at this address: https://support.google.com/a/answer/3070269
mynetworks =
          10.6.18.0/24,
          127.0.0.0/8
# ISP provided routable IP addresses, individually or in CIDR aaa.bbb.ccc.0/24 notation if possible
          aaa.bbb.ccc.dd1,
          aaa.bbb.ccc.dd2,
          aaa.bbb.ccc.dd3,
          aaa.bbb.ccc.dd4,
# Google networks 
          64.18.0.0/20
          64.233.160.0/19
          66.102.0.0/20
          66.249.80.0/20
          72.14.192.0/18
          74.125.0.0/16
          173.194.0.0/16
          207.126.144.0/20
          209.85.128.0/17
          216.239.32.0/19
smtpd_client_restrictions =
          permit_mynetworks
          permit_sasl_authenticated
#  Comment out the spam blacklist sites since Google does spam filtering for you
#          reject_rbl_client bl.spamcop.net
#          reject_rbl_client zen.spamhaus.org
#          permit
#  If you get this far, reject because the IP address isn’t one of yours or Google’s
          REJECT
The rest of the config file should be pretty much what you already have in place:
recipient_delimiter = +
smtpd_tls_ciphers = medium
inet_protocols = all
inet_interfaces = all
config_directory = /Library/Server/Mail/Config/postfix
smtpd_enforce_tls = no
smtpd_use_pw_server = yes
relayhost =
smtpd_tls_cert_file =  your cert file path here
mydomain = hidden.com
smtpd_pw_server_security_options = cram-md5,digest-md5,login,plain
smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
smtpd_tls_CAfile = your file path here
content_filter = smtp-amavis:[127.0.0.1]:10024
smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     check_policy_service unix:private/policy,
     reject_unauth_pipelining,
     reject_invalid_hostname,
     reject_unauth_destination,
     reject_unknown_recipient_domain,
     reject_non_fqdn_recipient,
     permit
header_checks = pcre:/Library/Server/Mail/Config/postfix/custom_header_checks
myhostname = host.hidden.com
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_use_tls = yes
smtpd_tls_key_file = your path here
enable_server_options = yes
recipient_canonical_maps = hash:/Library/Server/Mail/Config/postfix/system_user_maps
virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users
virtual_alias_domains = $virtual_alias_maps hash:/Library/Server/Mail/Config/postfix/virtual_domains
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, ipv6.$mydomain, public.com
mailbox_transport = dovecot
postscreen_dnsbl_sites = zen.spamhaus.org*2
maps_rbl_domains =
This config file should do the job of keeping out everyone but the Google email servers and devices on your WAN and LAN.
Any suggestions to make this better or more efficient welcomed!
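To see what the two restriction lists above actually decide, here is an added example (not part of the original post, and not the author's file) that parses a constructed main.cf fragment modelled on the configuration shown, replays a few constructed "connect from" log lines against smtpd_client_restrictions, and also asks the question the post does not: what the same mynetworks list grants in smtpd_recipient_restrictions. Because permit_mynetworks appears there too, every range added for Google is also trusted to relay mail to domains this server is not responsible for; relay_verdict makes that visible. The hostnames, the 203.0.113.10 address and the log lines are constructed, and the Google ranges are copied from the post and should be re-checked against Google's published list.

```python
import ipaddress
import re

# Constructed main.cf fragment modelled on the post's configuration (not the
# author's real file). It keeps the two things that matter for parsing: comment
# lines inside the multi-line mynetworks value, and a mix of comma and
# whitespace separators, exactly as they appear in the post.
MAIN_CF = """\
myorigin = public.com
mynetworks =
          10.6.18.0/24,
          127.0.0.0/8
# ISP provided routable IP address (constructed documentation address)
          203.0.113.10,
# Google networks (copied from the post; re-check against the live list)
          64.18.0.0/20
          74.125.0.0/16
smtpd_client_restrictions =
          permit_mynetworks
          permit_sasl_authenticated
          REJECT
smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_destination,
     permit
"""


def parse_main_cf(text):
    """Read main.cf logical lines as postconf(5) describes them: 'name = value',
    a line starting with whitespace continues the previous value, and blank or
    '#' comment lines are ignored, even in the middle of a multi-line value."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("continuation line before any parameter")
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def parse_networks(value):
    """Split a mynetworks value on commas and/or whitespace; a bare address
    such as 203.0.113.10 becomes a /32."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    return [ipaddress.ip_network(t, strict=False) for t in tokens]


def in_networks(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def evaluate(restrictions, ip, nets, sasl=False, unauth_destination=False):
    """Walk a restriction list left to right, as smtpd does, and return the first
    verdict. Only the restrictions used in the post are modelled; Postfix's own
    reject_unauth_destination looks the recipient up, here it is a flag."""
    for name in re.split(r"[,\s]+", restrictions.strip()):
        r = name.lower()
        if r == "permit_mynetworks" and in_networks(ip, nets):
            return "permit"
        if r == "permit_sasl_authenticated" and sasl:
            return "permit"
        if r == "reject_unauth_destination" and unauth_destination:
            return "reject"
        if r == "permit":
            return "permit"
        if r == "reject":
            return "reject"
    return "permit"  # an exhausted list means "no objection" in Postfix


def client_verdict(cf, ip, sasl=False):
    """Would smtpd_client_restrictions let this client talk to us at all?"""
    return evaluate(cf["smtpd_client_restrictions"], ip,
                    parse_networks(cf["mynetworks"]), sasl)


def relay_verdict(cf, ip, sasl=False):
    """Would smtpd_recipient_restrictions let this client relay to a domain we
    are not responsible for? Anything in mynetworks answers 'permit' here."""
    return evaluate(cf["smtpd_recipient_restrictions"], ip,
                    parse_networks(cf["mynetworks"]), sasl, unauth_destination=True)


# Constructed smtpd log lines in Postfix's 'connect from host[ip]' format.
SAMPLE_LOG = [
    "Feb 5 18:36:12 host postfix/smtpd[34067]: connect from mail-ej1.google.com[74.125.82.10]",
    "Feb 5 18:36:20 host postfix/smtpd[34068]: connect from unknown[198.51.100.7]",
    "Feb 5 18:36:25 host postfix/smtpd[34069]: connect from pc1.lan.com[10.6.18.5]",
    "Feb 5 18:36:30 host postfix/smtpd[34069]: disconnect from pc1.lan.com[10.6.18.5]",
]
CONNECT_RE = re.compile(r"\bconnect from \S+\[([0-9a-fA-F.:]+)\]")


def triage_log(cf, lines):
    """Replay connect lines against the config: (ip, verdict) per connection."""
    out = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            out.append((m.group(1), client_verdict(cf, m.group(1))))
    return out


if __name__ == "__main__":
    cf = parse_main_cf(MAIN_CF)
    for ip, verdict in triage_log(cf, SAMPLE_LOG):
        print(f"{ip:16} connect={verdict:6} relay={relay_verdict(cf, ip)}")
```

Running it shows the Google and LAN clients permitted and the unknown client rejected at connect time, which is the post's goal; it also shows relay=permit for the Google address. If you only want Google to deliver mail for your own domains, keep the Google ranges out of the list that smtpd_recipient_restrictions uses (for example by giving permit_mynetworks there a separate, LAN-only list via a parameter you define) and rely on reject_unauth_destination for everyone else.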


Similar Messages

  • Have to add 0.0.0.0/0 to "Accept SMTP relays only from these"?

    To reach the server via VPN I had to add a virtual IP (192.168.1.1) to the ethernet port. Since then mail acts a bit strange: I have to add 0.0.0.0/0 to "Accept SMTP relays only from these" in SA. Otherwise I get a "[/var/imap/socket/lmtp]: Connection refused" in the smtp log and the server does not accept any delivery of mails from the internets.
    I'm not quite sure if it's a good idea. Can anyone please tell if this is still a security risk (while having access restrictions on the mail service)?

    After a few telnet tests I can answer my own question: It makes an open relay server to spammers! But to solve the former issue with the connection refuse, I had to switch to virtual hosting in the advanced tab of the mail service and add my own domains.

  • Securely Configure HT to Accept E-mails from non-Exchange SMTP Gateway

    Hi
    We have set up a new Exchange 2010 environment. We are not using Edge Transport servers as SMTP gateway, rather using a hosting service named ProofPoint. The ProofPoint gateway accepts e-mail for our SMTP domain
    and after performing anti-spam etc. functions, is supposed to send e-mail to internal Hub Transport servers in our domain. We need to allow the ProofPoint servers to send e-mail to our HT servers (HT servers should accept connections from ProofPoint servers).
    I know that I can go to the “Default <Server_Name>” receive connector on each HT and on the Permissions Group tab check “Anonymous Users” to allow the ProofPoint servers to submit e-mails to the HTs, but that won’t be a good idea as (I think) this would make my HT an “OPEN RELAY” (pls. correct me if I’m wrong), as that Default connector is configured by default to listen from any IP address. So I want to know:
    If this is the only way I could achieve this?
    If I configure a separate “Receive Connector” on my HT servers and configure only IP Addresses of the ProofPoint to be able to submit e-mails to HT – Will this work?
    Also, is there a way I can restrict user(s) in Exchange 2010 to send only 30 messages per minute?
    Any ideas and/or supported documents would be highly appreciated.
    Regards
    Taranjeet Singh
    zamn

    Hi
    When I create a new Receive connector, I have to specify the type "Intended Use" of the connector in terms of Internal/Custom/Internet etc.. What option do I need to select here?
    If I select Internet, I do not get any window to put Remote IP Address and if I just go with default configuration in the connector creation, it gives me the following error:
    Failed
    Error:
    The values that you specified for the Bindings and RemoteIPRanges parameters conflict with the settings on Receive connector "<Server_Name)\Default". A Receive connector must have a unique combination of a local IP address, port bindings, and remote IP address
    ranges. Change at least one of these values.
    Click here for help...
    http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.2.309.2&t=exchgf1&e=ms.exch.err.Ex142B4F
    Exchange Management Shell command attempted:
    new-ReceiveConnector -Name 'Test' -Usage 'Internet' -Bindings '0.0.0.0:25' -Server 'Server'
    Elapsed Time: 00:00:00
    Also, what options do I need to select on the "Authentication" and "Permissions" tabs of the connector?
    Regards
    Taranjeet Singh

  • 10.5 - 10.6.2: Postfix not accepting e-mails from certain hosts

    Hi
    Two days ago we migrated our server from 10.5 Server to a new Mac mini server running 10.6.2 server.
    We are now facing the problem that postfix refuses to accept incoming e-mails from most hosts. Some hosts seem to be able to get through, but so far we haven't been able to identify a pattern.
    The transfer just times out with various error messages. Below is one of the shorter transcripts. Any ideas where to start looking?
    Feb 5 18:36:12 www postfix/smtpd[34067]: connect from pluto2-mail.kagi.com[67.134.14.166]
    Feb 5 18:36:12 www postfix/smtpd[34067]: setting up TLS connection from pluto2-mail.kagi.com[67.134.14.166]
    Feb 5 18:36:13 www postfix/smtpd[34067]: Anonymous TLS connection established from pluto2-mail.kagi.com[67.134.14.166]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Feb 5 18:36:14 www postfix/smtpd[34067]: 42ABB92A50: client=pluto2-mail.kagi.com[67.134.14.166]
    Feb 5 18:41:14 www postfix/smtpd[34067]: warning: networkbiopairinterop: error reading 5 bytes from the network: Connection reset by peer
    Feb 5 18:41:14 www postfix/smtpd[34067]: timeout after DATA (986 bytes) from pluto2-mail.kagi.com[67.134.14.166]
    Feb 5 18:41:14 www postfix/smtpd[34067]: disconnect from pluto2-mail.kagi.com[67.134.14.166]
    Thanks,
    Ilja

    Hi again,
    I was able to further narrow down the problem. The remote server is sending a complete message but postfix on our mac doesn't recognize the end of message token, thus timing out the connection after 5 minutes.
    Any ideas? Is this a postfix issue? If so, what can we do about it.
    0x02e0: 2039 3437 3039 2d31 3430 3520 2055 5341 .94709-1405..USA
    0x02f0: 0d0a 5351 4e4d 2d6b 6167 6920 3531 3530 ..SQNM-kagi.5150
    0x0300: 0d0a 0d0a 0d0a 0d0a 0d0a 5343 2d54 4659 ..........SC-TFY
    0x0310: 5020 352e 3068 0d0a 2e0d 0a P.5.0h.....
    19:43:28.538241 IP (tos 0x0, ttl 64, id 8917, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->9605)!)
    www.mydomain.com.smtp > terra.kagi.com.45495: Flags [.], cksum 0x8210 (incorrect -> 0x4852), seq 291, ack 1186, win 33304, options [nop,nop,TS val 928896121 ecr 2567915589,nop,nop,sack 1 {4082:4825}], length 0
    0x0000: 4500 0040 22d5 4000 4006 0000 6d46 c4f2 E..@".@[email protected]..
    0x0010: 4386 0c1f 0019 b1b7 685e 0685 d895 c111 C.......h^......
    0x0020: b010 8218 8210 0000 0101 080a 375d d479 ............7].y
    0x0030: 990f 4845 0101 050a d895 cc61 d895 cf48 ..HE.......a...H
    19:48:28.318858 IP (tos 0x0, ttl 64, id 27393, offset 0, flags [DF], proto TCP (6), length 118, bad cksum 0 (->4da3)!)
    www.mydomain.com.smtp > terra.kagi.com.45495: Flags [P.], cksum 0x8246 (incorrect -> 0x0c90), seq 291:345, ack 1186, win 33304, options [nop,nop,TS val 928899117 ecr 2567915589,nop,nop,sack 1 {4082:4825}], length 54
    0x0000: 4500 0076 6b01 4000 4006 0000 6d46 c4f2 E..vk.@[email protected]..
    0x0010: 4386 0c1f 0019 b1b7 685e 0685 d895 c111 C.......h^......
    0x0020: b018 8218 8246 0000 0101 080a 375d e02d .....F......7].-
    0x0030: 990f 4845 0101 050a d895 cc61 d895 cf48 ..HE.......a...H
    0x0040: 3432 3120 342e 342e 3220 7777 772e 6977 421.4.4.2.www.iw
    0x0050: 6173 636f 6469 6e67 2e63 6f6d 2045 7272 ascoding.com.Err
    0x0060: 6f72 3a20 7469 6d65 6f75 7420 6578 6365 or:.timeout.exce
    0x0070: 6564 6564 0d0a eded..
    19:48:28.321859 IP (tos 0x0, ttl 64, id 46435, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->377)!)
    www.mydomain.com.smtp > terra.kagi.com.45495: Flags [F.], cksum 0x8210 (incorrect -> 0x3c67), seq 345, ack 1186, win 33304, options [nop,nop,TS val 928899117 ecr 2567915589,nop,nop,sack 1 {4082:4825}], length 0
    0x0000: 4500 0040 b563 4000 4006 0000 6d46 c4f2 [email protected]@[email protected]..
    0x0010: 4386 0c1f 0019 b1b7 685e 06bb d895 c111 C.......h^......
    0x0020: b011 8218 8210 0000 0101 080a 375d e02d ............7].-
    0x0030: 990f 4845 0101 050a d895 cc61 d895 cf48 ..HE.......a...H
    Regards,
    Ilja

  • New hard drive - how to import iTunes and Mail only from Time Machine backup

    Hi
    I am installing a new boot drive into my MacPro.  When I do this, I only want to copy over initially Mail and iTunes as previously backed up in Time Machine. 
    Is there an simple way to do this without a complete copy of my last Lion install going on the new drive?
    Thanks in advance.
    Matt

    The music sync is one way - computer to ipod.  The only exception is itunes purchases.
    Copy everything from your backup copy of your computer.

  • Accept SMTP relays only from these hosts...

    Do we need to enable at all this thing in Server Admin?
    Since we require everyone to use authentication in order to send mail (even inside the company's network).
    I noticed that when enabled and set to our inside network, in main.cf the mynetworks line looks like this (mynetworks = 192.168.1.0/24).
    Then, any Open relay internet test that I ran, marks that mail server as open relay.
    So, I decided to keep it unchecked, and leave the mynetworks line in main.cf to 127.0.0.0/8
    Any thoughts?
    Regards
    K.

    Something else is amiss if adding '192.168.1.0/24' to mynetworks enables open relay, because that just shouldn't happen.
    You're not checking for open relays from within your network are you?
    At the very least you should have 127.0.0.1/8 as allowed since there are several server-based processes that may try to send email (e.g. disk notification alerts) which may fail if they can't send unauthenticated.
    Other than that, if all network clients are required to authenticate then there's no absolute need to set them in the relays field.

  • Trouble Sending Mail only from MacBook Pro

    I've got a MacPro and a MacBook Pro. The MacPro is connected via ethernet while the MacBook Pro is connected to the same network via WiFi. I can always connect to the internet on the laptop and also receive incoming mail, but cannot send mail using the Mail app on the laptop. No problems sending from the MacPro. Any ideas about what might be going on?

    ... one other piece of info - when I connect to the same home network with my iPhone, I can both receive and send emails on the same email account.

  • Receiving Mail Only from Addresses I Specify

    Is there any simple way to set up Mail to send all messages to the junk folder except ones from particular addresses I put on a list to let through?
    Sorry if this has been answered, but I couldn't find it by searching…
    Thanks.

    Wouldn't Mail > Preferences > Rules > Add Rule > and then select the following pulldowns: if any of the following are conditions met: Sender not in my address book then move message to mailbox junk, do what you want? Or as an additional second condition, use previous recipients?
    If you are going to maintain a stand-alone list, you will probably have to do something like: if Account {acc'tName} then Run Applescript {file/path/to/Applescript}, then move message to mailbox junk where the Applescript parses the mail message's From line and compares it against the stand-alone list.
    (if this solves your problem, or is actually helpful towards arriving at a solution to your problem, please consider marking this reply as "helpful" or "solved" in order to award points. This would be in addition to (if applicable) marking this question as "answered")

  • Inbound BGP selection from Google Cache Server (video content)

    Scenario:
    We have multiple gateways, A and B, with 1G bandwidth for each GW (2G total).
    Current inbound traffic: A is 98% utilized; B's inbound traffic is under-utilized, below 50%.
    From analysis, much of the traffic came from the Google video cache using GW A and not GW B.
    Need a solution for how to divert the video traffic to the GW B path using BGP.

    Before I comment I would like to see more detail like existing traffic flow (Internal dummy source to Internet) diagram with peering detail, etc.
    Happy to Help

  • Configure Postfix to allow a non fully-qualified hostname to send email

    I have a Mushroom Networks Porcini box that sends notifications from email address bbna@bbna
    When I set up the Porcini to send notifications to my email address using a Mac Mini running Snow Leopard Server the email session aborts:
    macbookenet:~ pderby$ telnet red.pderby.com 25
    Trying 208.37.99.226...
    Connected to red.pderby.com.
    Escape character is '^]'.
    220 red.pderby.com ESMTP Postfix
    HELO bbna
    250 red.pderby.com
    MAIL FROM:<bbna@bbna>
    250 2.1.0 Ok
    RCPT TO:<[email protected]>
    504 5.5.2 <bbna>: Helo command rejected: need fully-qualified hostname
    I would like to configure Postfix to accept mail from this MAIL FROM address as an exception, rejecting any other addresses that are not fully-qualified.
    Is there a way to do that?
    Thanks for any help!

    Launch Terminal.app and buried in the usual postconf -n output for your host, you should find this line:
    smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
    If so, then edit it with the following two lines (that first line is one long line) to tweak that:
    sudo postconf -e "smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname"
    sudo postfix reload
    That will cause local hosts (from the mynetworks setting) to bypass the SMTP HELO check that's tripping your "underpowered" box here.
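The reply above relies on restriction order: permit_mynetworks returns a verdict before the two HELO checks get a chance to reject. The following added example (not from the thread or from Postfix itself) models smtpd_helo_restrictions for the original list returned by postconf -n and for the list the reply installs, using a syntactic hostname check written in the spirit of Postfix's own valid_hostname() rather than its actual code. The 192.168.1.0/24 LAN range and the client addresses are assumed, not taken from the thread.

```python
import ipaddress
import re

# Restriction lists from the thread: the default found with postconf -n, and
# the one the reply installs with postconf -e.
ORIGINAL = "reject_invalid_helo_hostname reject_non_fqdn_helo_hostname"
FIXED = "permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname"

# Constructed mynetworks value (assumed LAN range, not from the thread).
MYNETWORKS = "192.168.1.0/24 127.0.0.0/8"

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name):
    """Syntactic check in the spirit of Postfix's valid_hostname(): valid labels
    separated by dots, no empty label, 255 characters at most."""
    if not name or len(name) > 255 or name.endswith("."):
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def is_address_literal(name):
    """A [1.2.3.4] style HELO argument, which the FQDN check accepts."""
    if not (name.startswith("[") and name.endswith("]")):
        return False
    try:
        ipaddress.ip_address(name[1:-1])
        return True
    except ValueError:
        return False


def is_fqdn(name):
    """Fully qualified here means a valid hostname containing at least one dot."""
    return is_address_literal(name) or (is_valid_hostname(name) and "." in name)


def in_networks(ip, value):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in value.split())


def helo_verdict(helo, client_ip, restrictions, mynetworks=MYNETWORKS):
    """Evaluate smtpd_helo_restrictions left to right; the first verdict wins,
    which is why permit_mynetworks at the front exempts LAN clients."""
    for r in restrictions.split():
        if r == "permit_mynetworks" and in_networks(client_ip, mynetworks):
            return "permit"
        if r == "reject_invalid_helo_hostname" and not (
                is_address_literal(helo) or is_valid_hostname(helo)):
            return "reject"
        if r == "reject_non_fqdn_helo_hostname" and not is_fqdn(helo):
            return "reject"
    return "permit"


if __name__ == "__main__":
    for helo, ip in [("bbna", "192.168.1.50"), ("bbna", "198.51.100.7"),
                     ("mail.example.com", "198.51.100.7")]:
        print(f"HELO {helo:18} from {ip:14} original={helo_verdict(helo, ip, ORIGINAL):6}"
              f" fixed={helo_verdict(helo, ip, FIXED)}")
```

The exemption is per client address, not per HELO string: a bare "bbna" from the LAN passes, while the same HELO from an outside address is still rejected by the FQDN check, so the fix does not loosen the rule for the internet at large.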

  • I need help resolving issues with inbound mail on 10.8.5 server.

    Let's start from the beginning.
    I had a Mac Mini server running OS X 10.7 since 2011. I have a static IP and domain registered. I used it for mail, calendar, and web service.  It was working beautifully until a week ago.  Suddenly it stopped processing mail for me from google and apple managed domains.  There may be other domains, I do not know.
    I checked my external firewall and the correct ports are being forwarded (25, 587, 993).  Connected to a remote network, I can verify that nmap shows the ports as open.  I can telnet into the server on port 25 and send mail.  I checked with the ISP and they are not blocking/filtering those ports and the DNS they are hosting for me appears to be correct (unchanged from when it was working).  I've looked in the logs, but I'm not sure what I'm looking for, really.  I upgraded to 10.8.5 and server 2.2.2 last night in an attempt to rectify the situation but I'm still unable to receive mail from my other accounts (iCloud and gmail).
    I've been trying to troubleshoot this issue for a while now and I'm all out of ideas.  If anyone has any advice I'd really appreciate it.
    Thanks,
    Trevor

    Hi,
    I can send/receive mail locally.  I send mail to [email protected] from [email protected] and [email protected].  This works while on my LAN and connected to my work via VPN.
    I'm not listed on any blacklist, either by domain or IP using that tool.  The MX lookup tool at that site lists everything as OK, the MX record appears to be correct.  The SMTP test at that site shows a "failed to connect" error.  The exact error is:
    Connection attempt #1 - Unable to connect after 15 seconds. [15.04 sec]
    I'm not sure what I'm looking for in my log files.  I do not see any inbound connection attempts from google or apple domains when I try to send from my other e-mail accounts.
    When I run the dig command, I get the following output:
    dig @8.8.8.8 -t mx bakernet.ca
    ; <<>> DiG 9.8.5-P1 <<>> @8.8.8.8 -t mx bakernet.ca
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1983
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;bakernet.ca. IN MX
    ;; ANSWER SECTION:
    bakernet.ca. 3599 IN MX 10 mail.bakernet.ca.
    ;; Query time: 100 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Sat Jun 21 07:47:08 EDT 2014
    ;; MSG SIZE  rcvd: 50
    I don't see an  A record here.  My DNS is hosted by my ISP, my server is performing DNS lookups for my LAN.
    When I run dig from inside my LAN I get the following:
    ; <<>> DiG 9.8.5-P1 <<>> -t mx bakernet.ca
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21448
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    ;; QUESTION SECTION:
    ;bakernet.ca. IN MX
    ;; ANSWER SECTION:
    bakernet.ca. 10800 IN MX 10 mail.bakernet.ca.
    ;; AUTHORITY SECTION:
    bakernet.ca. 10800 IN NS www.bakernet.ca.
    ;; ADDITIONAL SECTION:
    mail.bakernet.ca. 10800 IN A 172.16.0.17
    www.bakernet.ca. 10800 IN A 172.16.0.17
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Jun 21 08:02:04 EDT 2014
    ;; MSG SIZE  rcvd: 100
    That does show an A record for the mail.bakernet.ca hostname.  Looks like my ISP is to blame?
    Trevor

  • Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery

    HI,
    We are getting the following error message for all users while sending mail externally, but we are able to receive mail from the internet.
    Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may
    be preventing delivery.

    Hi,
    Please follow Luke and Shelly’s suggestion to check your SPF record and Send Connector configuration. Also you can post the complete NDR message(with NDR status code) here for further analysis.
    If there are any updates, please feel free to let us know.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • PORT_ACCESS Configuration to accept inbound mail from 1 IP address

    I have an inbound mail proxy that relays inbound mail to my final destination iMS5.2 mail server, for this reason I want to block all unauthenticated inbound connections to my iMS5.2 server except for the IP address of the mail proxy(s).
    It seems the way to do this is through edits to the PORT_ACCESS mapping table.
    My default looks like so:
    PORT_ACCESS
      *|*|*|*|* $C$|INTERNAL_IP;$3|$Y$E
      *  $YEXTERNAL
    What I think will do as I require would look like this.
    We do not allow users of our sub-net to send outbound mail in an unauthenticated manner, so I think these rules will not affect authenticated users.
    PORT_ACCESS
      *|*|*|*|* $C$|INTERNAL_IP;$3|$Y$E
      TCP|*|25|212.115.144.233|*   $Y
      TCP|*|25|*|*              $N500$ Not$ Inbound$ MX.
    ! *  $YEXTERNAL
    Since the last rule of the original enabled all inbound connections, dropping that line and adding the two filtering lines should do what I want.
    Though I'm not quite sure about the meaning of the $YEXTERNAL keyword line: this seems to accept from all "*" sources (accept as designated by the "$Y"), but as to the meaning of the terminating "EXTERNAL" keyword, I'm not sure.
    -Lee

    I would set up a test box, and test. The documentation for port access is somewhat foggy to me, too . . .

  • Dropping connection from inbound mail

    About 2 days ago our server stopped being willing to receive messages from one of our client's outbound servers. Sometimes they receive a message bounceback immediately, other times in several hours or overnight. No changes were made to our server or mail configuration and we are successfully receiving messages from numerous other folks to the same address without issue.
    Included below is an excerpt of the mail.log file showing an attempted connect to our server and then "immediate" loss of connection. I have tried restarting the mail service and rebooting the server (10.5.4). Does this look like an issue at our end or theirs? If ours, any thoughts on cause and cure? Note also that we're behind a Cisco PIX, but no changes have been made there for a considerable period either and "no fixup protocol smtp 25" is set. We are not running spam filtering.
    Any help or suggestions would be much appreciated!
    Thanks,
    Brian
    Sep 10 10:50:33 myserver postfix/smtpd[24513]: connect from bean.electric.net[72.35.23.29]
    Sep 10 10:50:33 myserver postfix/smtpd[24513]: lost connection after CONNECT from bean.electric.net[72.35.23.29]
    Sep 10 10:50:33 myserver postfix/smtpd[24513]: disconnect from bean.electric.net[72.35.23.29]
    Sep 10 10:50:42 myserver postfix/smtpd[24515]: connect from bean.electric.net[72.35.23.29]
    Sep 10 10:50:42 myserver postfix/smtpd[24515]: lost connection after CONNECT from bean.electric.net[72.35.23.29]
    Sep 10 10:50:42 myserver postfix/smtpd[24515]: disconnect from bean.electric.net[72.35.23.29]
    Sep 10 10:54:02 myserver postfix/anvil[24466]: statistics: max connection rate 4/60s for (smtp:72.35.23.29) at Sep 10 10:50:42
    Sep 10 10:54:02 myserver postfix/anvil[24466]: statistics: max connection count 2 for (smtp:72.35.23.29) at Sep 10 10:50:32
    Sep 10 10:54:02 myserver postfix/anvil[24466]: statistics: max cache size 1 at Sep 10 10:46:27
    Here's a bounceback message as forwarded by the client to a different account...if this helps.
    Subject: Mail delivery failed: returning message to sender
    This message was created automatically by mail delivery software.
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    [email protected]
    retry timeout exceeded
    ------ This is a copy of the message, including all the headers. ------
    ------ The body of the message is 18682 characters long; only the first
    ------ 16384 or so are included here.
    Return-path: <[email protected]>
    Received: from 1Kd7Hz-0008HS-T4 by worden.electric.net with emc1-ok (Exim 4.69)
    (envelope-from <[email protected]>)
    id 1Kd7Hz-0008J3-Un
    for [email protected]; Tue, 09 Sep 2008 10:46:07 -0700
    Received: by emcmailer; Tue, 09 Sep 2008 10:46:07 -0700
    Received: from [66.38.130.1] (helo=cgaowa2.cga-canada.org)
    by worden.electric.net with esmtps (TLSv1:RC4-MD5:128)
    (Exim 4.69)
    (envelope-from <[email protected]>)
    id 1Kd7Hz-0008HS-T4
    for [email protected]; Tue, 09 Sep 2008 10:46:07 -0700
    Received: from CGAEXCH.cga-canada.net ([10.1.10.151]) by
    cgaowa2.cga-canada.net ([10.1.10.155]) with mapi; Tue, 9 Sep 2008 10:46:06
    -0700
    Content-Type: multipart/mixed;
    boundary="000_035F790236EE4A418923913476257A9801D869F7DBCGAEXCHcgacan"
    From: Cleint <[email protected]>
    To: "[email protected]"
    Date: Tue, 9 Sep 2008 10:46:05 -0700
    Subject: FW: New Notices for You
    Thread-Topic: New Notices for You
    Thread-Index: AckSGnOB27CoC/P/TSOWwemQb6Es9wAiVymA
    Message-ID: <[email protected]>
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator: <[email protected]>
    acceptlanguage: en-US
    MIME-Version: 1.0
    X-Outbound-IP: 66.38.130.1
    X-Env-From: [email protected]
    X-Virus-Status: Scanned by VirusSMART (c)
    X-Virus-Status: Scanned by VirusSMART (s)
    --000_035F790236EE4A418923913476257A9801D869F7DBCGAEXCHcgacan
    Content-Type: text/plain; charset="us-ascii"
    Content-Transfer-Encoding: quoted-printable
    Message was edited by: Brian Friedrich

    Always fun to answer your own question. It turns out that the application of the "no fixup protocol smtp 25" to the Pix seems to have resolved this issue. Very odd I must say, because the "fixup" had been active since setting the unit up years ago... Nonetheless, mail from this client is coming through now (including the backlog...oh joy).
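The log excerpt in this thread has a signature worth recognising: every session from one peer dies at CONNECT, before HELO, while other peers complete normally, which points at something between the two MTAs rather than at Postfix. As an added example (not from the thread), the script below summarises smtpd log lines per client and flags peers that show exactly that pattern. The log is constructed from the lines quoted above plus one normal session from a documentation address (198.51.100.4, mx.example.net) added for contrast.

```python
import re
from collections import Counter, defaultdict

# Constructed smtpd log excerpt: the thread's lines for bean.electric.net plus a
# peer that completes a session normally (198.51.100.4 is a documentation
# address, not a real host).
SAMPLE_LOG = """\
Sep 10 10:50:33 myserver postfix/smtpd[24513]: connect from bean.electric.net[72.35.23.29]
Sep 10 10:50:33 myserver postfix/smtpd[24513]: lost connection after CONNECT from bean.electric.net[72.35.23.29]
Sep 10 10:50:33 myserver postfix/smtpd[24513]: disconnect from bean.electric.net[72.35.23.29]
Sep 10 10:50:42 myserver postfix/smtpd[24515]: connect from bean.electric.net[72.35.23.29]
Sep 10 10:50:42 myserver postfix/smtpd[24515]: lost connection after CONNECT from bean.electric.net[72.35.23.29]
Sep 10 10:50:42 myserver postfix/smtpd[24515]: disconnect from bean.electric.net[72.35.23.29]
Sep 10 10:51:00 myserver postfix/smtpd[24520]: connect from mx.example.net[198.51.100.4]
Sep 10 10:51:01 myserver postfix/smtpd[24520]: 3C2E1F00A1: client=mx.example.net[198.51.100.4]
Sep 10 10:51:02 myserver postfix/smtpd[24520]: disconnect from mx.example.net[198.51.100.4]
"""

# '\bconnect' does not match 'disconnect' (no word boundary inside the word).
CONNECT_RE = re.compile(r"\bconnect from \S+\[([0-9a-fA-F.:]+)\]")
LOST_RE = re.compile(r"lost connection after (\S+) from \S+\[([0-9a-fA-F.:]+)\]")


def summarize(log_text):
    """Per client IP: how many sessions started and at which SMTP stage the
    lost ones died (CONNECT, HELO, DATA, ...)."""
    summary = defaultdict(lambda: {"connects": 0, "lost_after": Counter()})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            summary[m.group(1)]["connects"] += 1
            continue
        m = LOST_RE.search(line)
        if m:
            summary[m.group(2)]["lost_after"][m.group(1)] += 1
    return dict(summary)


def peers_dying_at_connect(summary, min_connects=2):
    """Clients whose every session is lost right after the banner. A remote MTA
    does not normally hang up at that point, so when one peer does it every
    time while others complete, check the path (in this thread, a PIX doing
    SMTP 'fixup') before suspecting Postfix."""
    return sorted(ip for ip, s in summary.items()
                  if s["connects"] >= min_connects
                  and s["lost_after"]["CONNECT"] == s["connects"])


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in stats.items():
        print(ip, s["connects"], dict(s["lost_after"]))
    print("dying at CONNECT:", peers_dying_at_connect(stats))
```

Run it against a real mail.log with summarize(open("/var/log/mail.log").read()); a peer reported by peers_dying_at_connect alongside anvil "max connection rate" lines for the same address is the retry storm seen in this thread.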

  • Mail Receive from outside in Exchange server 2010 (Accepted Domain)

    Hello All
    We have two Exchange 2010 servers running in the existing environment. In front of the two Exchange servers there is a McAfee firewall. This McAfee firewall receives mail from outside and sends it to the Exchange 2010 servers.
    For example, abc.com is working well to send and receive mail using the Exchange server. Recently I added an
    Accepted Domain, bcd.com. But this Accepted Domain cannot receive mail from outside. I have configured the MX record, the Accepted Domain and also the mail point, but the problem is that mail cannot be received from outside
    domains. I have also modified the receive connector several times, but abc.com works and bcd.com does not.
    Please suggest.
    Error:
    firewall.abc.com rejected your message to the following email addresses:
    [email protected] ([email protected])
    firewall.abc.com gave this error:
    <[email protected]>... Relaying denied
    Your message wasn't delivered due to a permission or security issue. The address may only accept email from certain senders or another restriction may be preventing delivery. For more tips to resolve this issue see
    DSN code 5.7.1 in Exchange Online. If the problem continues contact your help desk.

    Have you checked the SMTP protocol log on the Exchange server? Do you see the 5xx status code in the log when a message is sent to the @bcd.com domain?
    If you see the 5xx status code for that domain, check the "Accepted domains" and verify that you didn't make any typos in the domain name. If it looks okay then stop and start the transport service on the Exchange servers and retest.
    If you don't see the 5xx status message for that domain you should check the machine firewall.bcd.com and verify that it's configured to accept e-mail for the @bcd.com domain. I'm guessing that the firewall.bcd.com machine is acting as a SMTP proxy and not
    as a SMTP relay. However, if there are SMTP log files on that machine you should check them and see which IP address is returning the 5xx status message.
    --- Rich Matheisen MCSE&I, Exchange MVP
