Score:0

Not receiving mail or even connection attempts from Google


I recently installed and configured my own Postfix mail server on a VPS. It uses a Let's Encrypt wildcard certificate, has a PTR DNS record with the VPS's IP address pointing to my mail server's hostname, and is configured with SPF and DKIM (but no DMARC yet); ufw is configured to allow incoming connections on ports 25, 80, 443, 587 and 993.

Everything appeared to be working just fine: the mail server receives incoming mail from just about anybody, except for mail from Google, as I discovered today:

I made multiple attempts today to create a Google account with one of my own mail addresses, but each time I failed to receive verification codes, even though Google told me they had sent one. In fact, /var/log/mail.log does not even list any connection attempts from Google.

I then tested creating a Google account with a temporary email address from a well known webmail provider and there the verification code came through without a problem.

So, this all leads me to believe there's some misconfiguration of my mail server.

My assumption is that Google has very strict security measures in place to verify the authenticity of mail addresses and/or mail servers, but I'm not knowledgeable enough to know where to look exactly.

Here's my /etc/postfix/main.cf (domain redacted as <mydomain>):

smtpd_banner = $myhostname ESMTP $mail_name
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/<mydomain>/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/<mydomain>/privkey.pem
smtpd_tls_security_level=may
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_recipient_restrictions=reject_unknown_client_hostname,check_policy_service unix:private/policyd-spf

# Host parameters
myhostname = mail.<mydomain>
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
masquerade_domains = $mydomain
mydestination = $myhostname, <mydomain>, vps.<mydomain>, localhost.<mydomain>, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# Connect to Postgres for mailboxes, transports and aliases
local_recipient_maps =
virtual_uid_maps = static:997
virtual_gid_maps = static:998
virtual_mailbox_base = /var/mail/vmail/
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/mailboxes.cf
virtual_alias_maps = pgsql:/etc/postfix/pgsql/aliases.cf
transport_maps = pgsql:/etc/postfix/pgsql/transports.cf

# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:127.0.0.1:8892
non_smtpd_milters = $smtpd_milters

...and here is my /etc/postfix/master.cf:

smtp      inet  n       -       y       -       -       smtpd
  -o disable_vrfy_command=yes
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=
  -o milter_macro_daemon_name=ORIGINATING
  -o disable_vrfy_command=yes
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
  -o header_checks=regexp:/etc/postfix/header_checks
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

policyd-spf  unix  -       n       n       -       0       spawn user=policyd-spf argv=/usr/bin/policyd-spf

Do you have any idea why Google fails to send mail to my mail server? Could it be the lack of DMARC? Or could Google be attempting to send mail through another port than 25, perhaps? Is that a thing? Incoming mail through another port than 25?


Some additional information, in response to glts's answer, which may be relevant:

I do have an MX record pointing to my mail server:

name  ttl    type  value
@     15min  MX    10 mail.<mydomain>

However, the hostname (/etc/hostname) of my vps box is vps.<mydomain>. Only postfix is configured to listen to mail.<mydomain> (as you can see in main.cf). Could this perhaps be an issue?

diya:
Did you at one time use Google's mail services with that domain? (I can't speak from experience with regards to Google, but I have had similar problems because of that with other mail providers/ISPs after clients moved to different e-mail providers and their old mailboxes didn't get decommissioned properly.) Then mail sent from Gmail/Google Workspace might still consider your domain *"local"* (and then MX records aren't consulted) and messages might still be sent to, and end up in, the mailboxes set up with Google.
Comment:
Send yourself a mail from Google Mail and check errors in the reply you get.
Decent Dabbler:
@diya No, I did not. The domain name is new and to my knowledge never registered before.
Decent Dabbler:
@GeraldSchneider I don't have a Google Mail account.
Decent Dabbler:
@GeraldSchneider It's a good suggestion though. If other suggestions don't lead anywhere I may make a GMail account just to check, indeed. Cheers!
Score:2

If you don’t see a line like the following in the log, then Google servers are indeed not even trying to contact you.

postfix/smtpd[90034]: connect from mail-oa1-x2a.google.com[2001:4860:4864:20::2a]

How does a sender know which mail server to connect to? By looking at the mail domain’s MX record.

So, if you expect to receive mail at address me@example.com, then the sending MTA will look at example.com’s MX record to find the right server. It will then look up the IP address(es) for the mail server, so make sure A and AAAA records are set up for mail.<mydomain>, too.

If you haven’t configured an MX record for your mail domain example.com pointing at your mail server, then of course Google would never find you. Other than that, Google seems to me to be an ordinary sender with no special hidden requirements.

Decent Dabbler:
Thanks for your answer. I can confirm that there are no google lines in my `mail.log`. And I forgot to mention I also have an MX record: `name: @ ttl: 15min type: MX value: 10 mail.<mydomain>`. Since other incoming mails are coming through just fine, I doubt my MX record is the issue. However, the hostname of my vps box is `vps.<mydomain>`. Only postfix is configured to listen to `mail.<mydomain>`. Could this perhaps be an issue?
Decent Dabbler:
Oh wow, the AAAA record could very well be it! Especially since your example log line mentions a Google IPv6 address. I didn't change the AAAA record yet, because I didn't know how to find the IPv6 address of my VPS box. I'm not even sure my VPS provider supports it. I will go and find that out and then change (or delete?) the AAAA record and see if that fixes it. Could take a while though. But good call!
Decent Dabbler:
That's it! As soon as I changed the AAAA record the verification mail from Google arrived. I'll mark your answer as accepted, but please make sure to include your comment about the AAAA record in your answer, if it's not too much trouble, as *that* was the actual pointer that solved it. Extremely happy that you managed to solve it. Cheers!
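A check a domain owner can run against their own mail domain, written for this thread as an added example (not code from the answer or the Postfix project): it walks MX record, then A and AAAA records, then port 25, exactly as the answer describes a remote MTA doing, and flags any address that resolves but does not answer, which is how a stale AAAA record like the one found above shows up. It assumes dnspython is installed for the MX lookup; the rest is standard library, and the lookup and probe functions are injectable so the logic can be exercised with constructed records.

```python
import socket
from typing import Dict, List, Tuple


def resolve_mx(domain: str) -> List[str]:
    """MX hostnames ordered by preference. Assumption: dnspython is installed."""
    import dns.resolver
    answers = dns.resolver.resolve(domain, "MX")
    ordered = sorted(answers, key=lambda r: r.preference)
    return [str(r.exchange).rstrip(".") for r in ordered]


def resolve_addresses(host: str) -> Dict[str, List[str]]:
    """A and AAAA addresses of an MX host via the system resolver."""
    out: Dict[str, List[str]] = {"A": [], "AAAA": []}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 25, proto=socket.IPPROTO_TCP):
        key = "AAAA" if family == socket.AF_INET6 else "A"
        if sockaddr[0] not in out[key]:
            out[key].append(sockaddr[0])
    return out


def probe_smtp(address: str, timeout: float = 5.0) -> bool:
    """True only if port 25 accepts a TCP connection and greets with a 220 banner."""
    try:
        with socket.create_connection((address, 25), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return sock.recv(128).startswith(b"220")
    except OSError:
        return False


def check_delivery_path(domain, mx_lookup=resolve_mx, addr_lookup=resolve_addresses, probe=probe_smtp):
    """Rows of (mx_host, record_type, address, reachable) for every address a sender might pick."""
    rows: List[Tuple[str, str, str, bool]] = []
    for mx in mx_lookup(domain):
        addrs = addr_lookup(mx)
        for rtype in ("A", "AAAA"):  # an MX with no AAAA is fine; a stale AAAA is not
            for ip in addrs[rtype]:
                rows.append((mx, rtype, ip, probe(ip)))
    return rows


def unreachable(rows):
    """Addresses a remote MTA could choose and then fail on, e.g. an AAAA pointing elsewhere."""
    return [(mx, rtype, ip) for mx, rtype, ip, ok in rows if not ok]


if __name__ == "__main__":
    import sys
    for mx, rtype, ip, ok in check_delivery_path(sys.argv[1]):
        print(f"{mx:28} {rtype:4} {ip:39} {'OK' if ok else 'UNREACHABLE'}")
```

Run it as `python3 check_mx.py <mydomain>`; a row marked UNREACHABLE on an AAAA line while the A line is OK is the IPv6-only failure described in the comments, invisible to senders that still use IPv4.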