mail for domain.corp loops back to myself

I’m attempting to evaluate Ciphermail and I’m running into this "mail for domain.corp loops back to myself"

My goal is to set up Ciphermail as an internal mail server just for testing.

So, I have

testmail.mx.domain.corp

domain.corp’s MX record is set to:

dig @192.168.10.10 mx domain.corp

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> @192.168.10.10 mx domain.corp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59536
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3c201885a57bfe1393fbf7a2609f79469962e84c4c0b267e (good)
;; QUESTION SECTION:
;domain.corp. IN MX

;; ANSWER SECTION:
domain.corp. 300 IN MX 0 testmail.mx.domain.corp.

;; AUTHORITY SECTION:
domain.corp. 300 IN NS 192.168.10.10.

;; ADDITIONAL SECTION:
testmail.mx.domain.corp. 300 IN A 192.168.100.20

;; Query time: 1 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Sat May 15 00:33:26 PDT 2021
;; MSG SIZE rcvd: 136

My main.cf looks like this:

# postfix main config for CipherMail

# setting starting with djigzo_ will be overwritten when applying the MTA settings
djigzo_myhostname = testmail.mx.domain.corp
djigzo_mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
djigzo_mynetworks = 192.168.10.0/24, 192.168.100.0/24, 127.0.0.0/8
djigzo_relayhost =
djigzo_relayhost_mx_lookup =
djigzo_relayhost_port = 25
djigzo_relay_domains = domain.corp, mx.domain.corp, testmail.mx.domain.corp
djigzo_before_filter_message_size_limit = 10240000
djigzo_calculated_after_filter_message_size_limit = 30720000
djigzo_after_filter_message_size_limit = ${djigzo_calculated_after_filter_message_size_limit}
djigzo_mailbox_size_limit = 512000000
djigzo_smtp_helo_name = testmail.mx.domain.corp
djigzo_relay_transport_host =
djigzo_relay_transport_host_mx_lookup =
djigzo_relay_transport_host_port = 25
djigzo_reject_unverified_recipient =
djigzo_unverified_recipient_reject_code = 450
djigzo_parent_domain_matches_subdomains = relay_domains
djigzo_rbl_clients =
djigzo_calculated_queue_minfree = 92160000

# The internet hostname of this mail system
myhostname = ${djigzo_myhostname}

# The list of domains that are delivered via the $local_transport mail delivery transport
mydestination = ${djigzo_mydestination}

# The list of "trusted" remote SMTP clients that have more privileges than "strangers".
mynetworks = 127.0.0.0/8, [::1]/128, ${djigzo_mynetworks}

# What destination domains (and subdomains thereof) this system will relay mail to.
relay_domains = ${djigzo_relay_domains}

# What Postfix features match subdomains of "domain.tld" automatically, instead of requiring an explicit ".domain.tld" pattern.
parent_domain_matches_subdomains = ${djigzo_parent_domain_matches_subdomains}

# The hostname to send in the SMTP EHLO or HELO command.
smtp_helo_name = ${djigzo_smtp_helo_name?$djigzo_smtp_helo_name}${djigzo_smtp_helo_name:${myhostname}}

# The default mail delivery transport and next-hop destination for remote delivery to domains listed with $relay_domains
relay_transport = relay${djigzo_relay_transport_host?:${djigzo_relay_transport_host_mx_lookup:[}${djigzo_relay_transport_host}${djigzo_relay_transport_host_mx_lookup:]}:${djigzo_relay_transport_host_port}}

# The next-hop destination of non-local mail
relayhost = ${djigzo_relayhost_mx_lookup:${djigzo_relayhost?[}}${djigzo_relayhost}${djigzo_relayhost_mx_lookup:${djigzo_relayhost?]}}${djigzo_relayhost?:${djigzo_relayhost_port}}

# Optional restrictions that the Postfix SMTP server applies in the context of a client RCPT TO command
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
    ${djigzo_rbl_clients}
    ${djigzo_reject_unverified_recipient? reject_unverified_recipient}

# The numerical Postfix SMTP server response when a recipient address is rejected by the reject_unverified_recipient restriction
unverified_recipient_reject_code = ${djigzo_unverified_recipient_reject_code}

# disable DSN and ETRN ESMTP announce
smtpd_discard_ehlo_keywords = silent-discard, dsn, etrn

# reject all ETRN
smtpd_etrn_restrictions = reject

# disable local delivery
local_transport = error:local mail delivery is disabled
local_recipient_maps =

# forward local system accounts
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#virtual_alias_maps = hash:/etc/postfix/virtual-aliases

# The maximal size in bytes of a message, including envelope information.
message_size_limit = ${djigzo_after_filter_message_size_limit}

# The maximal size of any local(8) individual mailbox or maildir file
mailbox_size_limit = ${djigzo_mailbox_size_limit}

# The minimal amount of free space in bytes in the queue file system that is needed to receive mail
queue_minfree = ${djigzo_calculated_queue_minfree}

# What remote SMTP clients are allowed to use the XFORWARD feature
smtpd_authorized_xforward_hosts = 127.0.0.1/32

# forward incoming email to the Mail Processing Agent (MPA)
content_filter = djigzo:[127.0.0.1]:10025

# filter email headers
#header_checks = pcre:/etc/postfix/header-checks

# server side TLS configuration
#smtpd_tls_cert_file = /etc/postfix/tls.pem
#smtpd_tls_key_file = $smtpd_tls_cert_file
#smtpd_tls_security_level = may
#smtpd_tls_loglevel = 1
# disable low grade ciphers to prevent FREAK attack
#smtpd_tls_exclude_ciphers = aNULL, EXPORT, LOW

# client side TLS configuration
#smtp_tls_CApath = /etc/ssl/certs
#smtp_tls_security_level = may
#smtp_tls_loglevel = 1

#smtp_sasl_auth_enable = yes
#smtp_sasl_password_maps = hash:/etc/postfix/smtp_client_passwd
#smtp_sasl_type = cyrus
#smtp_sasl_security_options =

# The mail system name that is displayed in Received: headers, in the SMTP greeting banner, and in bounced mail.
mail_name = CipherMail

# The text that follows the 220 status code in the SMTP greeting banner.
# You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.
smtpd_banner = $myhostname ESMTP $mail_name

# The time after which the sender receives a copy of the message headers of mail that is still queued.
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information.
# appending .domain is the MUA's job.
append_dot_mydomain = no

biff = no
recipient_delimiter = +

# list of error classes that are reported to the postmaster. Set to empty by default as it can be result in mail floods
# if there is some Postfix error.
notify_classes =

# enable long, non-repeating, queue IDs. The benefit of non-repeating names is simpler logfile analysis
enable_long_queue_ids = yes

# the address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client will try first, when a destination has
# IPv6 and IPv4 addresses with equal MX preference.
smtp_address_preference = ipv4

When I send mail from an internal machine:

May 15 00:36:14 testmail.mx.domain.corp postfix/smtpd[39460]: connect from macbook-pro.adifferentdomain.intra[192.168.10.95]
May 15 00:36:14 testmail.mx.domain.corp postfix/smtpd[39460]: 4Fhxz26x1wz59DQp: client=macbook-pro.adifferentdomain.intra[192.168.10.95]
May 15 00:36:14 testmail.mx.domain.corp postfix/cleanup[39461]: 4Fhxz26x1wz59DQp: message-id=<20210515073614.DB9BED2E9A3@macbook-pro.adifferentdomain.intra>
May 15 00:36:14 testmail.mx.domain.corp postfix/qmgr[39375]: 4Fhxz26x1wz59DQp: from=<jeremy@macbook-pro.adifferentdomain.intra>, size=560, nrcpt=1 (queue active)
May 15 00:36:14 testmail.mx.domain.corp postfix/smtpd[39460]: disconnect from macbook-pro.adifferentdomain.intra[192.168.10.95] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 15 00:36:15 testmail.mx.domain.corp postfix/smtp[39462]: 4Fhxz26x1wz59DQp: to=<jeremy@domain.corp>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.09, delays=0.01/0/0.04/0.04, dsn=2.6.0, status=sent (250 2.6.0 Message received)
May 15 00:36:15 testmail.mx.domain.corp postfix/qmgr[39375]: 4Fhxz26x1wz59DQp: removed
May 15 00:36:15 testmail.mx.domain.corp postfix/smtpd[39463]: connect from localhost[127.0.0.1]
May 15 00:36:15 testmail.mx.domain.corp postfix/smtpd[39463]: 4Fhxz31K2Fz59DQp: client=localhost[127.0.0.1], orig_client=macbook-pro.adifferentdomain.intra[192.168.10.95]
May 15 00:36:15 testmail.mx.domain.corp postfix/cleanup[39464]: 4Fhxz31K2Fz59DQp: message-id=<20210515073614.DB9BED2E9A3@macbook-pro.adifferentdomain.intra>
May 15 00:36:15 testmail.mx.domain.corp postfix/qmgr[39375]: 4Fhxz31K2Fz59DQp: from=<jeremy@macbook-pro.adifferentdomain.intra>, size=773, nrcpt=1 (queue active)
May 15 00:36:15 testmail.mx.domain.corp postfix/smtpd[39463]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 quit=1 commands=6
May 15 00:36:15 testmail.mx.domain.corp postfix/smtp[39449]: 4Fhxz31K2Fz59DQp: to=<jeremy@domain.corp>, relay=none, delay=0.02, delays=0.01/0/0.01/0, dsn=5.4.6, status=bounced (mail for domain.corp loops back to myself)
May 15 00:36:15 testmail.mx.domain.corp postfix/cleanup[39461]: 4Fhxz31TYhz59DR5: message-id=<4Fhxz31TYhz59DR5@testmail.mx.domain.corp>
May 15 00:36:15 testmail.mx.domain.corp postfix/qmgr[39375]: 4Fhxz31TYhz59DR5: from=<>, size=2701, nrcpt=1 (queue active)
May 15 00:36:15 testmail.mx.domain.corp postfix/bounce[39465]: 4Fhxz31K2Fz59DQp: sender non-delivery notification: 4Fhxz31TYhz59DR5
May 15 00:36:15 testmail.mx.domain.corp postfix/qmgr[39375]: 4Fhxz31K2Fz59DQp: removed
May 15 00:36:15 testmail.mx.domain.corp postfix/error[39466]: 4Fhxz31TYhz59DR5: to=<jeremy@macbook-pro.adifferentdomain.intra>, relay=none, delay=0.01, delays=0/0/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to macbook-pro.adifferentdomain.intra[192.168.10.95]:25: Connection refused)

I’m not sure what I’m doing wrong. I basically want mail to be delivered to the Ciphermail host for user jeremy.

Thanks
-jeremy

Postfix is responsible for the MTA part. Postfix contains a check which
checks whether the hostname (fqdn) of the server is the same as the
hostname of the server it connects to and if so it reports "mail for ... loops back to myself".

Since you anonymized the logs, I cannot check whether this is the case
in your setup. From the config it appears that you did not configure
"Internal relay host" and therefore MX lookup is done for your internal
domains. Could it be that you want the CipherMail gateway to first
receive email for your domain and then have it forward using MX lookups
to the final server? If so, since the MX records point to the
CipherMail gateway, it will connect to itself because it will look up
the next server via MX lookup.

You can solve this by explicitly specifying the "Internal relay host"
or by telling the gateway what the external IP address is (see
proxy_interfaces in the Postfix Configuration Parameters).

Kind regards,

Martijn Brinkers


--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger
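To make the loop mechanism described above concrete, here is an added example (my own model, not Postfix or CipherMail code) of the Postfix next-hop decision, fed with the DNS records and main.cf values posted in this thread; mailstore.domain.corp and other.corp are hypothetical names assumed for the fixed case and for a mixed MX list. It goes beyond the posted case by also showing Postfix's rule of keeping only MX hosts with a better preference than its own address, and what happens if domain.corp is simply added to mydestination while local_transport stays disabled.

```python
"""Constructed model of how Postfix picks a next hop for a recipient domain
and why that can end in "mail for <domain> loops back to myself".
Added example for this thread, not Postfix or CipherMail code.  DNS entries
and config values are copied from the dig output and main.cf above;
mailstore.domain.corp and other.corp are hypothetical names."""
from dataclasses import dataclass, replace

# Constructed DNS zone: domain.corp mirrors the dig output in the thread,
# other.corp (hypothetical) has an MX list that also contains the gateway.
DNS = {
    "mx": {"domain.corp": [(0, "testmail.mx.domain.corp")],
           "other.corp": [(20, "testmail.mx.domain.corp"), (10, "mailstore.domain.corp")]},
    "a": {"testmail.mx.domain.corp": ["192.168.100.20"],
          "mailstore.domain.corp": ["192.168.100.30"]},   # hypothetical final server
}


@dataclass
class PostfixConfig:
    myhostname: str
    my_addresses: set          # addresses of inet_interfaces + proxy_interfaces
    mydestination: set         # exact matches (parent_domain_matches_subdomains = relay_domains)
    relay_domains: set         # subdomains match as well
    relay_nexthop: str = ""    # CipherMail "Internal relay host" (relay_transport next hop)
    relayhost: str = ""        # next hop for every other domain; "" means MX lookup
    local_delivery_enabled: bool = False   # posted main.cf: local_transport = error:...


def matches_relay_domain(domain, relay_domains):
    """relay_domains lookup with parent_domain_matches_subdomains in effect."""
    return any(domain == d or domain.endswith("." + d) for d in relay_domains)


def mx_candidates(nexthop):
    """[(pref, host)] for a next hop; '[host]' turns off the MX lookup,
    as it does for a Postfix relayhost or transport next hop."""
    if nexthop.startswith("[") and nexthop.endswith("]"):
        return [(0, nexthop[1:-1])]
    mx = DNS["mx"].get(nexthop)
    return sorted(mx) if mx else [(0, nexthop)]   # no MX: fall back to the A record


def resolve(cfg, domain):
    """Return a maillog-style status for mail addressed to <domain>."""
    # 1. mydestination goes to local_transport, which the posted main.cf disables.
    if domain in cfg.mydestination:
        if cfg.local_delivery_enabled:
            return "sent (delivered locally)"
        return "bounced (local mail delivery is disabled)"
    # 2. relay_domains use the relay_transport next hop, everything else relayhost.
    if matches_relay_domain(domain, cfg.relay_domains):
        nexthop = cfg.relay_nexthop or domain
    else:
        nexthop = cfg.relayhost or domain
    # 3. Walk the MX list by preference and cut it at the first host whose
    #    address is our own, so only better-preferred hosts survive.  Nothing
    #    surviving after hitting ourselves is the "loops back to myself" bounce.
    usable, saw_self = [], False
    for pref, host in mx_candidates(nexthop):
        addrs = sorted(DNS["a"].get(host, []))
        if set(addrs) & cfg.my_addresses:
            saw_self = True
            break
        if addrs:
            usable.append((pref, host, addrs[0]))
    if usable:
        _, host, addr = usable[0]
        return f"sent (relay={host}[{addr}]:25)"
    if saw_self:
        return f"bounced (mail for {domain} loops back to myself)"
    return "bounced (Host or domain name not found)"


def jeremy_config():
    """The posted main.cf: domain.corp in relay_domains, no relay host set."""
    return PostfixConfig(
        myhostname="testmail.mx.domain.corp",
        my_addresses={"192.168.100.20", "127.0.0.1"},
        # $mydomain is derived from myhostname, so it is mx.domain.corp, not domain.corp
        mydestination={"testmail.mx.domain.corp", "localhost.mx.domain.corp",
                       "localhost", "mx.domain.corp"},
        relay_domains={"domain.corp", "mx.domain.corp", "testmail.mx.domain.corp"},
    )


def with_internal_relay_host(cfg, host):
    """Martijn's fix: an explicit Internal relay host, bracketed so no MX lookup."""
    return replace(cfg, relay_nexthop=f"[{host}]")


def with_mydestination(cfg, domain):
    """The follow-up's wish: treat the domain as local on the gateway itself."""
    return replace(cfg, mydestination=cfg.mydestination | {domain})
```

Calling resolve(jeremy_config(), "domain.corp") reproduces the bounce from the log, while with_mydestination only moves the bounce to the disabled local_transport, which is why the posted main.cf cannot deliver to a user on the gateway itself.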

On Sat, 2021-05-15 at 00:38 -0700, Jeremy Hansen via Users wrote:

Thank you for the response.

The MX is set to the gateway’s address. I don’t want to relay mail. I want the gateway to be the destination and I want <user@domain.corp> to be delivered to <user> on the ciphermail gateway.

It works fine if I set up the relay to go to another MTA, but I was hoping to not relay at all.

Thanks


On May 17, 2021, at 6:21 AM, Martijn Brinkers <martijn@ciphermail.com> wrote: