Postfix subdomain can send, but not receive external email
I'm setting up an AWS EC2 instance, and I need the server to be able to receive emails. Let's say that I am setting up email on the subdomain mail.myserver.com
.
I have Postfix installed, and I can send/receive emails locally. I can send emails from the server to my external gmail account. I can also telnet into port 25 from my laptop with telnet mail.myserver.com 25
and successfully send an email to the server.
But if I try to send an email from gmail or outlook to the server, there is nothing... crickets. The email doesn't bounce back. There is no error message. I check the postfix log at /var/log/email.log
and there is no sign of any incoming connection from gmail/outlook. I check for errors at /var/log/email.err
and there is nothing.
I am wondering if this could be a DNS issue because I have previously setup email for the server at myserver.com
with IP address 111.111.111.111. But I am currently trying to configure a separate server at the subdomain mail.myserver.com
with IP address 22.22.22.22.
Here are the DNS records for both the main domain myserver.com
which has working email, and the new subdomain mail.myserver.com
which currently won't receive external mail:
A @ 111.111.111.111
A mail 22.22.22.22
MX @ @ (Priority: 0)
MX mail mail (Priority: 0)
TXT @ v=spf1 mx -all
TXT mail v=spf1 mx -all
Here is the postfix config /etc/postfix/main.cf
:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.myserver.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.myserver.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1
smtpd_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtpd_tls_received_header = yes
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.myserver.com
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mail.myserver.com, localhost, ip-x-x-x-x.us-east-2.compute.internal, localhost.us-east-2.compute.internal, localhost.$mydomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
As a side note, I have also checked the mailboxes and logs of the main domain myserver.com
just to make sure emails were not ending up there for some reason. They are not. Nothing in the logs.
I have been stuck on this for 24 hours, and I'm not sure how to continue troubleshooting this when I'm not getting any error messages or bounced mail. All suggestions are welcome!
Solution 1:
If you define MX records without specifying how to handle unqualified names, rather type out the fully-qualified name of your mail servers A+AAAA. The entire name, ending with a dot, like this:
@ IN MX 10 mx1.mydomain.example.
subdomain IN MX 10 mx1.mydomain.example.
mx1 IN A 192.0.2.1
mx1 IN AAAA 2001:db8::1
I think this is your problem because the dns information you provided MX mail mail (Priority: 0)
lacks a fully-qualified name in the MX record. If the software did not complete the unqualified name with your domain, mails might be delivered elsewhere (or in this case, probably not at all because the domain does not currently resolve).