Postfix Sender Verification 550
I have Postfix and Dovecot installed on a VPS, and configured to forward mail on to a Gmail address, and accept smtp requests from gmail so that it can send on that domains behalf. TLS and authentication are working, email is arriving, MX domains, SPR, DKIM, SPF, all configured and working.
However, I can only send email to myself and a minority of domains. For example:
This is the mail system at host tomjn.com.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<[email protected]>: host dc-cd3425bc.geekmatt.com[87.106.180.26] said:
550-Verification failed for <[email protected]> 550-The mail server could
not deliver mail to [email protected]. The account or domain may not
exist, they may be blacklisted, or missing the proper dns entries. 550
Sender verify failed (in reply to RCPT TO command)
Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.0.0
Remote-MTA: dns; dc-cd3425bc.geekmatt.com
Diagnostic-Code: smtp; 550-Verification failed for <[email protected]> 550-The
mail server could not deliver mail to [email protected]. The account or
domain may not exist, they may be blacklisted, or missing the proper dns
entries. 550 Sender verify failed
I'm unsure how to proceed. Is this the remote server saying no to mine? Mine saying no to the remote server?
I looked up address verification and found this:
http://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/external/ibm-public/postfix/dist/html/ADDRESS_VERIFICATION_README.html#caching
However it is ambiguous, when it says recipient is it talking about the remote server receiving the email? My server receiving a verification request? The remote server receiving a verification request? Does it mean the sender of the email or the sender of the verification request? It isn't clearly stated. Googling has lead to several questions with answers such as "its a bad idea, everyone should stop using it", to people who fix their problem which was caused by using something I'm not using ( e.g. SRS ).
Emails to [email protected] elicit no response.
Here is my main.cf for postfix:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
readme_directory = no
# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
#smtpd_pw_server_security_options = cram-md5,digest-md5,login,plain
#content_filter = smtp-amavis:[127.0.0.1]:10024
#smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_tls_cert_file=/etc/ssl/certs/dovecot.pem
smtpd_tls_key_file=/etc/ssl/private/dovecot.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated
smtpd_client_restrictions =
permit_mynetworks
permit_sasl_authenticated
REJECT
virtual_transport = lmtp:unix:private/dovecot-lmtp
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = tomjn.com
virtual_alias_domains = tomjn.com tomjn.co.uk
#alias_maps =
#alias_database = hash:/etc/aliases
myorigin = /etc/mailname
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
#mydestination = localhost.com, , localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 216.239.32.0/19 64.233.160.0/19 66.249.80.0/20 72.14.192.0/18 209.85.128.0/17 66.102.0.0/20 74.125.0.0/16 64.18.0.0/20 207.126.144.0/20 173.194.0.0/16 [2001:4860:4000::]/36 [2404:6800:4000::]/36 [2607:f8b0:4000::]/36 [2800:3f0:4000::]/36 [2a00:1450:4000::]/36 [2c0f:fb50:4000::]/36
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301
sidenote: yes I'm aware of google apps, yes DNS is configured correctly, no I'm only using Dovecot for TLS not IMAP/POP3, yes [email protected] exists
Solution 1:
Yep it's called Sender Verification. The verification was done by geekmatt.com mail server, not yours. And based on the error message, I can conclude that
550-Verification failed for <[email protected]> 550-The mail server could
not deliver mail to [email protected]. The account or domain may not
exist, they may be blacklisted, or missing the proper dns entries. 550
Sender verify failed
was exim standard error message.
BTW, not all sender verification was bad. For the explanation, I will assume that you want send email FROM example.com TO example.net
At basic level, example.net mail server must verify that sender domain was exist. If a mail server rejected your email in this level, then your domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname. In postfix, the equivalent parameter is reject_unknown_sender_domain
At advanced level, mail server will try to check if sender address is exist. Basically, before accepting your email, example.net mail server will try to telnet to your mail server without sending any email. This checks was considered bad because of several reasons.
Now, looks like domain tomjn.com was fail to comply with sender verification at basic level. Here the MX record of tomjn.com
% dig tomjn.com MX +short
1 178.62.28.136.tomjn.com.
% dig 178.62.28.136.tomjn.com
; <<>> DiG 9.9.5 <<>> 178.62.28.136.tomjn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: NXDOMAIN,** id: 52812
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;178.62.28.136.tomjn.com. IN A
;; AUTHORITY SECTION:
tomjn.com. 1800 IN SOA NS1.DIGITALOCEAN.com. hostmaster.tomjn.com. 1410110590 3600 900 1209600 1800
There, your MX record has no valid A record. Thus geekmatt.com reject your email.
The solution: fix your MX record