I've set up a mailserver with Postfix, Roundcube and Dovecot. All works well - almost.
In my country there's a popular free email service by the name of inbox.lv. And they have an anti-spam rule set up that when a new server tries to send emails to them, they first greylist it for 10 minutes and require the server to re-send the email. Fair enough.
However when using Postfix to send outgoing emails (either from Roundcube or Thunderbird) it doesn't queue the message. Instead it immediately returns with an error. There's also a log entry (newlines/spacing added by me for legibility; IP and email addresses redacted for privacy):
May 31 23:17:18 21 postfix/smtpd[24814]: NOQUEUE: reject: RCPT from unknown[MY.IP.ADDRESS.HERE]:
450 4.1.1 <[email protected]>: Recipient address rejected: unverified address:
host mx1.inbox.lv[194.152.32.74] said: 450 4.7.1 <unknown[SERVER.IP.ADDRESS.HERE]>:
Client host rejected: greylisted, please retry in 597 seconds (in reply to RCPT TO command);
from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.216]>
All the queue settings are left at defaults. Postfix version is 2.10.1.
Why is this happening and how can I make Postfix queue the messages and retry in 10 minutes?
Added: Postfix config (anonymized):
[root@myserver etc]# postconf mail_version
mail_version = 2.10.1
[root@myserver etc]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 100000000
milter_default_action = accept
mydestination = localhost
mydomain = mydomain.lv
myhostname = mydomain.lv
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = reject_unverified_recipient
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.lv/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.lv/privkey.pem
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_mailbox_domains = d1.lv d2.lv d3.lv d4.lv
virtual_mailbox_limit = 0
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
[root@myserver etc]# postconf -M
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
smtps inet n - n - - smtpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
[root@myserver etc]#
You configured postfix to connect to remote destinations to ask them about recipients - as a requisite before you accept anything into your local queue.
    smtpd_recipient_restrictions = reject_unverified_recipient
On a general purpose mail server, this is inappropriate for anything but domains under your control or with whose operators you have an agreement.
Asking remote servers for whether they have certain users without delivering mails will make quite a number of servers stop wanting to interact with you. Before knowing what you will send, they cannot easily tell whether you are a spammer trying to wash a list of his next victims or someone intending to deliver mail.
The simplest change to address that concern and solve your original problem:
    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unverified_recipient
Because the restrictions are processed in the order specified, this exempts your authenticated users and unrelated relay requests (rejected anyway). This way you can still enforce reject_unverified_recipient on incoming messages (where Dovecot will presumably confirm addresses without delay), but without nagging remote servers about recipients that you do not have mail for yet. You have to get more complex than this, though, if you want the feature also enabled for your users writing messages to each other. The ADDRESS_VERIFICATION_README file in your Postfix documentation is a bit old, but should still give you a general overview.

I generally recommend using the master.cf (which comes with suitable templates, at least in more recent times) to set up partially separated smtpd instances, one on port 25 for general internet use, one on port 465 for mandatory-authenticated user submissions. That way you can, in a reasonably maintainable fashion, enforce different rules on a per-service basis, further easing the task of treating relay traffic differently from incoming traffic.
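As an added example (not part of the answer above or of the poster's configuration), here is one main.cf/master.cf layout that implements the ordering the answer describes and the per-service separation it recommends. The -o overrides follow the commented-out templates shipped in the stock Postfix master.cf; the syslog_name values are an assumption chosen for readability. Note that Postfix's default unverified_recipient_reject_code is 450, which is why the poster's client saw a temporary 450 rather than a hard failure.

```conf
# ---- main.cf ----
# These apply to the port-25 smtpd, i.e. mail arriving from the internet.
# Restriction lists are evaluated in order and stop at the first permit
# or reject that matches; relay restrictions run before recipient restrictions.
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unverified_recipient

# Only recipients that survive reject_unauth_destination (your own domains,
# delivered via virtual_transport = lmtp:unix:/var/run/dovecot/lmtp) reach the
# verify(8) probe, so remote MX hosts are never probed from this list.

# ---- master.cf ----
# Separate smtpd instances for user submission. Clients must authenticate
# (over TLS) and are then permitted outright; the probe never runs here and
# the message is queued for normal retry, including greylisting retries.
# -o values must not contain whitespace in this Postfix version, hence
# the commas without spaces.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

After a `postfix reload`, confirm the effective settings with `postconf -n` and `postconf -M`, then send a test message from an authenticated client and check that the log line for it carries the submission or smtps syslog_name and shows the message being queued (a queue ID rather than NOQUEUE). The port-25 service keeps reject_unverified_recipient, so a sender probing for non-existent mailboxes in your domains still gets the verification reject, while the deferred delivery to the greylisting MX is handled by the queue manager's normal retry schedule.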