NS8: Mail-Relay issues

NethServer Version: NS8, Rocky Linux 9.6
Module: Mail 1.6.1
Module: WebTop 1.4.3
Module: Imapsync 1.1.0

Hello, I have issues with Mail-Relay Function:
As I understood from ns8-smarthost-for-sending-mail, the Mail-Relay should be usable for sending mails for different users via different external accounts.

Now I have to transfer the sending mails to several different accounts/hosts, where some of them are using the same host:port, but a different Authentication (user/PW).
(Actually I used a custom sender dependent relay function in NS7 via postfix custom files for sender_relayhost, sender_passwd, which I need now on NS8)

So I have about 10 different Relay-Rules:

Rule 1: 
  ruleType: Sender:   
  Sender: User1@domain.a
  Hostname: MAILHOST.A:587
  authentication: on
  Username: Username1@domain.a (different from User1, but with same domain)
  Password: <PW>
  TLS: enforced

Rule 2: 
  ruleType: Sender:   
  Sender: User2@domain.a
  Hostname: MAILHOST.A:587
  authentication: on
  Username: Username2@domain.a    (different from User2@domain.a) - but with same domain
  Password: <PW>
  TLS: enforced

.... 

Situation A: Both (or all) Relay Rules active:

Now when User1 sends a mail (e.g. from Webtop) it gets correctly forwarded via the “smarthost” of RelayRule1:

Jul 14 02:28:07 main-ns8 postfix/smtpd[1146864]: connect from LOCAL_LAN_CLIENT[LOCAL_LAN_IP]
Jul 14 02:28:07 main-ns8 postfix/smtpd[1146864]: Anonymous TLS connection established from LOCAL_LAN_CLIENT[LOCAL_LAN_IP]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Jul 14 02:28:07 main-ns8 postfix/smtpd[1146864]: 9D397160C41D2: client=LOCAL_LAN_CLIENT[LOCAL_LAN_IP], sasl_method=PLAIN, sasl_username=USER1_AD_NAME
Jul 14 02:28:07 main-ns8 postfix/cleanup[1146872]: 9D397160C41D2: message-id=<b836957c-77e8-44a9-b662-0a911e0dd92b@aon.at>
Jul 14 02:28:12 main-ns8 postfix/qmgr[924582]: 9D397160C41D2: from=<USER1@DOMAIN.A>, size=915, nrcpt=1 (queue active)
Jul 14 02:28:12 main-ns8 postfix/smtp[1146895]: Untrusted TLS connection established to MAILHOST.A[IP_MAILHOST.A]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Jul 14 02:28:14 main-ns8 postfix/smtp[1146895]: 9D397160C41D2: to=<USER1@DOMAIN.A>, relay=MAILHOST.A[IP_MAILHOST.A]:587, delay=6.7, delays=4.6/0.05/0.21/1.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4bgR7c3BDqzGrqnn)
Jul 14 02:28:14 main-ns8 postfix/qmgr[924582]: 9D397160C41D2: removed
Jul 14 02:28:17 main-ns8 postfix/smtpd[1146864]: disconnect from LOCAL_LAN_CLIENT[LOCAL_LAN_IP] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8


When User2 sends a mail, it gets rejected by the foreign host:


Jul 14 02:35:28 main-ns8 postfix/smtpd[1151579]: connect from cluster-localnode[10.5.4.1]
Jul 14 02:35:28 main-ns8 postfix/smtpd[1151579]: F2BC0160C41DA: client=cluster-localnode[10.5.4.1], sasl_method=LOGIN, sasl_username=angelika
Jul 14 02:35:29 main-ns8 postfix/cleanup[1151582]: F2BC0160C41DA: message-id=<1447675978.146.1752460528457@webtop>
Jul 14 02:35:30 main-ns8 postfix/qmgr[924582]: F2BC0160C41DA: from=<USER2@DOMAIN.A>, size=1365, nrcpt=1 (queue active)
Jul 14 02:35:30 main-ns8 postfix/smtpd[1151579]: disconnect from cluster-localnode[10.5.4.1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jul 14 02:35:30 main-ns8 postfix/smtp[1151584]: Untrusted TLS connection established to MAILHOST.A[IP_MAILHOST.A]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Jul 14 02:35:31 main-ns8 postfix/smtp[1151584]: F2BC0160C41DA: to=<<MAIL_TARGET_ADDRESS@DOMAIN.A>>, relay=MAILHOST.A[IP_MAILHOST.A]:587, delay=2.2, delays=1.8/0.05/0.21/0.08, dsn=5.7.1, status=bounced (host MAILHOST.A[IP_MAILHOST.A] said: 553 5.7.1 <USER2@DOMAIN.A>: Sender address rejected: not owned by user USERNAME1 (in reply to RCPT TO command))
Jul 14 02:35:31 main-ns8 postfix/cleanup[1151582]: 0E56C160C41DB: message-id=<20250714023531.0E56C160C41DB@mail.wf1.dynip.online>
Jul 14 02:35:31 main-ns8 postfix/qmgr[924582]: 0E56C160C41DB: from=<>, size=4152, nrcpt=1 (queue active)
Jul 14 02:35:31 main-ns8 postfix/bounce[1151585]: F2BC0160C41DA: sender non-delivery notification: 0E56C160C41DB
Jul 14 02:35:31 main-ns8 postfix/qmgr[924582]: F2BC0160C41DA: removed
Jul 14 02:35:37 main-ns8 postfix/smtp[1151584]: 0E56C160C41DB: to=<USER2@DOMAIN.A>, relay=<??MAILRELAYHOST.A??>[IP_MAILRELAYHOST??]:25, delay=6.2, delays=0.04/0/6.2/0, dsn=4.7.1, status=deferred (host <??MAILRELAYHOST.A??>[IP_MAILRELAYHOST??] refused to talk to me: 220-<??MAILRELAYHOST.A??> ESMTP (1) 521 5.7.1 Service unavailable; client [<NS8_EXTERNAL_SERVER_IP>] blocked using zen.spamhaus.org)

From the following line

Jul 14 02:35:31 main-ns8 postfix/smtp[1151584]: F2BC0160C41DA: to=<<MAIL_TARGET_ADDRESS@DOMAIN.A>>, relay=MAILHOST.A[IP_MAILHOST.A]:587, delay=2.2, delays=1.8/0.05/0.21/0.08, dsn=5.7.1, status=bounced (host MAILHOST.A[IP_MAILHOST.A] said: 553 5.7.1 <USER2@DOMAIN.A>: Sender address rejected: not owned by user USERNAME1 (in reply to RCPT TO command))

it can be deduced that postfix uses the wrong relay rule (still USERNAME1 is used, whereas actually USERNAME2 (for authentication via Rule 2) should be used).
Why another error via <??MAILRELAYHOST.A??> comes at the end, I don’t know either, but it seems to be a follow-up issue after the first one, since in situation B below it is working.

Situation B: Only relay rule for User2 is active - all other rules deactivated (on Mail-Relay NS8 GUI):

Now User2 can send mails without issues and they get forwarded as per mail-rule correctly:


Jul 14 02:39:58 main-ns8 postfix/smtpd[1154637]: connect from cluster-localnode[10.5.4.1]
Jul 14 02:39:59 main-ns8 postfix/smtpd[1154637]: 0B151160C41E2: client=cluster-localnode[10.5.4.1], sasl_method=LOGIN, sasl_username=angelika
Jul 14 02:39:59 main-ns8 postfix/cleanup[1154641]: 0B151160C41E2: message-id=<1611342954.167.1752460798618@webtop>
Jul 14 02:40:00 main-ns8 postfix/qmgr[1154338]: 0B151160C41E2: from=<USER2@DOMAIN.A>, size=1362, nrcpt=1 (queue active)
Jul 14 02:40:00 main-ns8 postfix/smtpd[1154637]: disconnect from cluster-localnode[10.5.4.1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Jul 14 02:40:00 main-ns8 postfix/smtp[1154647]: Untrusted TLS connection established to MAILHOST.A[IP_MAILHOST.A]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Jul 14 02:40:02 main-ns8 postfix/smtp[1154647]: 0B151160C41E2: to=<<MAIL_TARGET_ADDRESS@DOMAIN.A>>, relay=MAILHOST.A[IP_MAILHOST.A]:587, delay=3.3, delays=1.3/0.06/0.19/1.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4bgRPD3kQdzGrqnr)
Jul 14 02:40:02 main-ns8 postfix/qmgr[1154338]: 0B151160C41E2: removed

Note the following regarding the authentication usernames:
"Username2@domain.a" looks actually like "Username1.xxx_yyy@domain.a"
So Username2 has the Username1 as part of its username, but is appended with another string (actually the name connected via underscore)
Not sure this is relevant, but maybe…
But for some other mail rules, a completely different username is used (not composed out of username1), but still with same hostname:port for the external mail server (actually many rules - but not all - are for the same external mail provider).

So somehow it seems when multiple rules are active (maybe only with same Hostname:port for external mailserver?) - the wrong authentication (or even wrong relay rule - as the hostname:port is the same I cannot distinguish this really) is used?

How can I debug further here?
How can I make sure the correct rule is used for each user?
Many thanks for help in advance!

Maybe this is linked to this topic: https://github.com/NethServer/dev/issues/7433 ?

But not actually sure, because when trying the workaround from here: https://community.nethserver.org/t/single-relay-for-account-does-not-work-but-in-a-strange-way/25575/7, if I enforce the 'sender/login match', both user 1 and user 2 cannot send at all (from webtop failure: "553 5.7.1 : Sender address rejected: not owned by user USER2", from other mail client failure: "<user1@domain.a>: Sender address rejected: not owned by user user1").
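
One way to approach the debugging question above, as an added example that is not part of the original thread or of NethServer's code: a Python script that joins Postfix log lines by queue ID and reports bounces where the login named by the remote host is not the one the sender's relay rule should have used. The rule map, sample log lines and IP address are constructed from the placeholders in the post.

```python
import re

# Assumed rule map (sender -> SASL login for the smarthost), built from the
# placeholder names in the post; replace with the real Mail-Relay rules.
RULES = {
    "user1@domain.a": "username1@domain.a",
    "user2@domain.a": "username1.xxx_yyy@domain.a",
}

# Constructed sample lines in the format of the logs quoted in the thread.
SAMPLE_LOG = """\
Jul 14 02:35:30 main-ns8 postfix/qmgr[924582]: F2BC0160C41DA: from=<USER2@DOMAIN.A>, size=1365, nrcpt=1 (queue active)
Jul 14 02:35:31 main-ns8 postfix/smtp[1151584]: F2BC0160C41DA: to=<target@domain.a>, relay=MAILHOST.A[192.0.2.10]:587, delay=2.2, dsn=5.7.1, status=bounced (host MAILHOST.A[192.0.2.10] said: 553 5.7.1 <USER2@DOMAIN.A>: Sender address rejected: not owned by user USERNAME1 (in reply to RCPT TO command))
Jul 14 02:40:00 main-ns8 postfix/qmgr[1154338]: 0B151160C41E2: from=<USER2@DOMAIN.A>, size=1362, nrcpt=1 (queue active)
Jul 14 02:40:02 main-ns8 postfix/smtp[1154647]: 0B151160C41E2: to=<target@domain.a>, relay=MAILHOST.A[192.0.2.10]:587, delay=3.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as EXAMPLE)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$", re.M)
FROM = re.compile(r"from=<([^>]*)>")
DELIVERY = re.compile(r"relay=([^,]+), .*?status=(\w+)")
OWNER = re.compile(r"not owned by user (\S+)")


def find_credential_mismatches(log_text, rules):
    """Report bounces where the login named by the remote host is not the
    login that the relay rule for that envelope sender should have used."""
    senders, findings = {}, []
    for daemon, qid, rest in LINE.findall(log_text):
        if daemon == "qmgr" and (f := FROM.search(rest)):
            senders[qid] = f.group(1).lower()
            continue
        d, owner = DELIVERY.search(rest), OWNER.search(rest)
        expected = rules.get(senders.get(qid))
        if daemon != "smtp" or not (d and owner and expected) or d.group(2) != "bounced":
            continue
        used = owner.group(1).lower()
        # Exact comparison: in the thread one login is a prefix of another.
        # The remote may report the login with or without its domain part.
        if used not in (expected, expected.split("@")[0]):
            findings.append({"queue_id": qid, "sender": senders[qid],
                             "relay": d.group(1), "expected": expected, "used": used})
    return findings


if __name__ == "__main__":
    for finding in find_credential_mismatches(SAMPLE_LOG, RULES):
        print(finding)
```
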

Which mail app version are you using? Did you upgrade to 1.7+?
You can check in Software Center or using api-cli run cluster/list-installed-modules | jq on CLI.

The current working version of Mail is 1.6.4, version 1.7+ has a known bug, see Relay error after update mail node to 1.7.0 - #11 by davidep

Sorry, Mail is actually on V1.6.4 (was a typo before, I guess).
I do not get any update offered so far. Software Repository reload does not change this.
Which means I have to wait for V1.7.x, or try the 1.7.0 (how to upgrade if not offered?) and see if the bug even affects me as I do have a rule for each user (for each complete sender address, user@domain) anyway already defined?

Yes, 1.7+ has a known bug when the same name is used for user domain and mail domain. So the Software Center update isn’t shown.

It’s possible to update manually, see Relay error after update mail node to 1.7.0 - #14 by mrmarkuz

If something’s not working, it’s possible to revert from 1.7.1 to 1.6.4, see Relay error after update mail node to 1.7.0 - #11 by davidep

Thanks, Upgrade went ok, running Mail1 now on 1.7.1-dev.2.
First tests with two relay rules were promising and the first mails for both users have been transferred successfully; I will test with more user rules later and will check the logs finally. Re-sending the waiting mails (still waiting from the original issue) in the queue, however, did not work (luckily they are only very few, not a big issue).

EDIT: After checking with more rules I confirm it works for those accounts tested. Thanks for the help again, much appreciated!
