iredmail-doc/html/errors.html

<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Errors you may see while maintaining iRedMail server</title>
        <link rel="stylesheet" type="text/css" href="./css/markdown.css" />
    </head>
    <body>
    
    <div id="navigation">
    <a href="http://www.iredmail.org" target="_blank">
        <img alt="iRedMail web site"
             src="./images/logo-iredmail.png"
             style="vertical-align: middle; height: 30px;"
             />&nbsp;
        <span>iRedMail</span>
    </a>
    &nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="errors-you-may-see-while-maintaining-iredmail-server">Errors you may see while maintaining iRedMail server</h1>
<div class="toc">
<ul>
<li><a href="#errors-you-may-see-while-maintaining-iredmail-server">Errors you may see while maintaining iRedMail server</a><ul>
<li><a href="#postfix">Postfix</a><ul>
<li><a href="#intended-policy-rejection-please-try-again-later">Intended policy rejection, please try again later</a></li>
<li><a href="#sender-address-rejected-not-logged-in">Sender address rejected: not logged in</a></li>
<li><a href="#helo-command-rejected-need-fully-qualified-hostname">Helo command rejected: need fully-qualified hostname</a></li>
<li><a href="#sender-address-rejected-not-owned-by-user-userdomainltd">Sender address rejected: not owned by user user@domain.ltd</a></li>
<li><a href="#recipient-address-rejected-smtp-auth-is-required-for-users-under-this-sender-domain">Recipient address rejected: SMTP AUTH is required for users under this sender domain</a></li>
<li><a href="#recipient-address-rejected-sender-is-not-same-as-smtp-authenticate-username">Recipient address rejected: Sender is not same as SMTP authenticate username</a><ul>
<li><a href="#case-1">case #1</a></li>
<li><a href="#case-2">case #2</a></li>
</ul>
</li>
<li><a href="#unreasonable-virtual_alias_maps-map-expansion-size-for-userdomaincom">unreasonable virtual_alias_maps map expansion size for user@domain.com</a></li>
<li><a href="#helo-command-rejected-access-denied-your-email-was-rejected-because-the-sending-mail-server-does-not-identify-itself-correctly-local">Helo command rejected: ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (.local)</a></li>
<li><a href="#warning-do-not-list-domain-mydomaincom-in-both-mydestination-and-virtual_mailbox_domains">warning: do not list domain mydomain.com in BOTH mydestination and virtual_mailbox_domains</a></li>
</ul>
</li>
<li><a href="#amavisd">Amavisd</a><ul>
<li><a href="#connect-to-12700112700110024-connection-refused">connect to 127.0.0.1[127.0.0.1]:10024: Connection refused</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<h2 id="postfix">Postfix</h2>
<h3 id="intended-policy-rejection-please-try-again-later">Intended policy rejection, please try again later</h3>
<p>Sample error message in Postfix log file:</p>
<blockquote>
<p>Jul 24 06:43:08 mx0 postfix/smtpd[12719]: NOQUEUE: reject: RCPT from sender.com[xx.xx.xx.xx]: 451 4.7.1 <a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#114;&#101;&#99;&#105;&#112;&#105;&#101;&#110;&#116;&#64;&#109;&#121;&#45;&#100;&#111;&#109;&#97;&#105;&#110;&#46;&#99;&#111;&#109;">&#114;&#101;&#99;&#105;&#112;&#105;&#101;&#110;&#116;&#64;&#109;&#121;&#45;&#100;&#111;&#109;&#97;&#105;&#110;&#46;&#99;&#111;&#109;</a>: Recipient address rejected: <strong class="red">Intentional policy rejection, please try again later</strong>; from=<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#115;&#101;&#110;&#100;&#101;&#114;&#64;&#115;&#101;&#110;&#100;&#101;&#114;&#45;&#100;&#111;&#109;&#97;&#105;&#110;&#46;&#99;&#111;&#109;">&#115;&#101;&#110;&#100;&#101;&#114;&#64;&#115;&#101;&#110;&#100;&#101;&#114;&#45;&#100;&#111;&#109;&#97;&#105;&#110;&#46;&#99;&#111;&#109;</a> to=<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#114;&#101;&#99;&#105;&#112;&#105;&#101;&#110;&#116;&#64;&#109;&#121;&#45;&#100;&#111;&#109;&#97;&#105;&#110;&#46;&#99;&#111;&#109;">&#114;&#101;&#99;&#105;&#112;&#105;&#101;&#110;&#116;&#64;&#109;&#121;&#45;&#100;&#111;&#109;&#97;&#105;&#110;&#46;&#99;&#111;&#109;</a> proto=SMTP helo=<mx2.sender.com></p>
</blockquote>
<p>This error is caused by greylisting service, sender server will retry to
deliver the same email, and your server will accept it after few retries.</p>
<ul>
<li>For more technical details about Greylisting, please visit:<ul>
<li><a href="http://greylisting.org">Homepage: What is greylisting?</a></li>
<li><a href="http://greylisting.org/articles/">Articles about greylisting</a></li>
</ul>
</li>
<li>To manage greylisting service, please read iRedAPD tutorial: <a href="./manage.iredapd.html#greylisting">Manage iRedAPD: Greylisting</a></li>
</ul>
<h3 id="sender-address-rejected-not-logged-in">Sender address rejected: not logged in</h3>
<p>Sample error message in Postfix log file:</p>
<blockquote>
<p>Jun 24 11:57:13 mx1 postfix/smtpd[2667]: NOQUEUE: reject: RCPT from
mail.mydomain.com[1.2.3.4]: 553 5.7.1 &lt;sombody@my-domain.com>: <strong class="red">Sender address
rejected: not logged in</strong>; from=&lt;sombody@my-domain.com>
to=&lt;receipent@receipentdomain.com> proto=ESMTP helo=&lt;client_helo.com></p>
</blockquote>
<p>This error is caused by incorrectly configured mail client application, not a
server issue.</p>
<p>All mail users are forced to perform SMTP auth before sending email, so you
must configure your mail client applications (Outlook, Thunderbird, ...) to
enable SMTP authentication.</p>
<h3 id="helo-command-rejected-need-fully-qualified-hostname">Helo command rejected: need fully-qualified hostname</h3>
<p>Sample error message in Postfix log file:</p>
<blockquote>
<p>Sep 22 08:51:03 mail postfix/smtpd[22067]: NOQUEUE: reject: RCPT from
dslb-092-074-062-133.092.074.pools.vodafone-ip.de[92.74.62.133]: 504 5.5.2
&lt;EHSGmbHLUCASPC>: <strong>Helo command rejected: need fully-qualified hostname</strong>;
from=<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#117;&#115;&#101;&#114;&#64;&#100;&#111;&#109;&#97;&#105;&#110;&#45;&#97;&#46;&#99;&#111;&#109;">&#117;&#115;&#101;&#114;&#64;&#100;&#111;&#109;&#97;&#105;&#110;&#45;&#97;&#46;&#99;&#111;&#109;</a> to=<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;&#117;&#115;&#101;&#114;&#64;&#100;&#111;&#109;&#97;&#105;&#110;&#45;&#98;&#46;&#99;&#111;&#109;">&#117;&#115;&#101;&#114;&#64;&#100;&#111;&#109;&#97;&#105;&#110;&#45;&#98;&#46;&#99;&#111;&#109;</a> proto=ESMTP helo=&lt;EHSGmbHLUCASPC></p>
</blockquote>
<p>According to RFC document, HELO identity must be a FQDN (fully-qualified
hostname). Sender sends <code>EHSGmbHLUCASPC</code> as HELO hostname, but it's not a FQDN.
It's sender's fault, not your mistake.</p>
<p>As a temporary solution, you can whitelist this HELO hostname
by adding a line like below at the top of file <code>/etc/postfix/helo_access.pcre</code>
(Linux/OpenBSD) or <code>/usr/local/etc/postfix/helo_access.pcre</code>:</p>
<pre><code>/^EHSGmbHLUCASPC$/ OK
</code></pre>

<h3 id="sender-address-rejected-not-owned-by-user-userdomainltd">Sender address rejected: not owned by user user@domain.ltd</h3>
<p>This error is caused by restriction rule <code>reject_sender_login_mismatch</code> in
Postfix parameter <code>smtpd_recipient_restrictions</code>, in file <code>/etc/postfix/main.cf</code>:</p>
<pre><code>smtpd_recipient_restrictions =
    ...
    reject_sender_login_mismatch,
    ...
</code></pre>

<p>It will reject the request when $smtpd_sender_login_maps specifies an owner
for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL
FROM address owner; or when the client is (SASL) logged in, but the client
login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.
Check <a href="http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch">manual page of Postfix configuration file</a> for more details.</p>
<p>Removing <code>reject_sender_login_mismatch</code> and restarting Postfix service fixes
this issue.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If you want to allow some users to send as other users, or allow all users
to send as their alias addresses, or allow member of mail list/alias to send
as mail list/alias, you should try iRedAPD plugin <code>reject_sender_login_mismatch</code>
instead (requires iRedAPD-1.4.4 or later releases).</p>
<p>Read comments in file <code>/opt/iredapd/plugins/reject_sender_login_mismatch.py</code>,
then enable it in iRedAPD config file <code>/opt/iredapd/settings.py</code> (<code>plugins =</code>),
restart iRedAPD service. That's all.</p>
</div>
<h3 id="recipient-address-rejected-smtp-auth-is-required-for-users-under-this-sender-domain">Recipient address rejected: SMTP AUTH is required for users under this sender domain</h3>
<blockquote>
<p>Old error message was: <code>SMTP AUTH is required, or it is a spam with forged sender domain</code></p>
</blockquote>
<p>Sender domain is hosted locally on your iRedMail server, but sender doesn't
perform SMTP AUTH to send email.</p>
<ul>
<li>
<p>If this is not sent by a server or device under your control, most likely this
  email is spam with forged sender address.</p>
</li>
<li>
<p>If this is sent by a server or device under your control and you want to
  allow it, please add the IP address of this server/device in 2 config files
  (NOTE: parameter names are case SeNsItIvE):</p>
<ul>
<li>
<p><code>/opt/iredapd/settnigs.py</code>, parameter <code>MYNETWORKS =</code> (doesn't exist by
  default, feel free to add it). For example:</p>
<p><code>MYNETWORKS = ['192.168.0.10', '192.168.0.20', '192.168.0.30']</code></p>
</li>
<li>
<p><code>/etc/postfix/main.cf</code>, parameter <code>mynetworks =</code>. For example:</p>
<p><code>mynetworks = 127.0.0.1 192.168.0.10 192.168.0.20 192.168.0.30</code></p>
</li>
</ul>
</li>
</ul>
<h3 id="recipient-address-rejected-sender-is-not-same-as-smtp-authenticate-username">Recipient address rejected: Sender is not same as SMTP authenticate username</h3>
<h4 id="case-1">case #1</h4>
<p>If the smtp authenticate username is different than the address in mail header
<code>From:</code> field, you will get this rejection (by iRedAPD).</p>
<p>Solutions:</p>
<ul>
<li>If you don't need to send as different sender, please update your mail
  composer (like Outlook, Thunderbird, webmail, your own script used to send
  email, etc) to use same address as smtp authenticate username and sender
  address in <code>From:</code>.</li>
<li>If you do need to send as different sender address (<code>From:</code>), please add one
  setting in iRedAPD config file <code>/opt/iredapd/settings.py</code>, then restart
  iRedAPD service:</li>
</ul>
<pre><code>ALLOWED_LOGIN_MISMATCH_SENDERS = ['user@mydomain.com']
</code></pre>

<p>Notes: <code>user@mydomain.com</code> is the email address you used for smtp authentication.</p>
<h4 id="case-2">case #2</h4>
<p>If you're a member of mailing list or mail alias, and trying to send email with
the email address of mailing list/alias as sender address, you will get same
error. There's another setting you can try (either one is ok):</p>
<pre><code>ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True
</code></pre>

<p>It will allow all members of mailing list/alias to send email with the email
of mailing list/alias as the sender address.</p>
<h3 id="unreasonable-virtual_alias_maps-map-expansion-size-for-userdomaincom">unreasonable virtual_alias_maps map expansion size for user@domain.com</h3>
<p>Sample error message in Postfix log file:</p>
<blockquote>
<p>Feb 11 19:59:06 mail postfix/cleanup[30575]: warning: 23C334232FB3:
<strong class="red">unreasonable virtual_alias_maps map expansion size</strong> for
user@domain.com -- deferring delivery</p>
</blockquote>
<p>It means the maximal number of addresses that virtual alias expansion produces
from each original recipient exceeds hard limit, please either increase the
hard limit (default is 1000), or reduce alias members.</p>
<p>To increase the limit to, for example, 1500, please add below setting in
Postfix config file <code>/etc/postfix/main.cf</code>:</p>
<pre><code>virtual_alias_expansion_limit = 1500
</code></pre>

<p>Reference: <a href="http://www.postfix.org/postconf.5.html#virtual_alias_expansion_limit">Postfix Configuration Parameters</a></p>
<h3 id="helo-command-rejected-access-denied-your-email-was-rejected-because-the-sending-mail-server-does-not-identify-itself-correctly-local">Helo command rejected: ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (.local)</h3>
<p>It means sender mail server uses a FQDN hostname which ends with <code>.local</code> as
HELO identity. <code>.local</code> is not a valid top level domain name, and all mail
servers should use a valid domain name which is resolvable from DNS query.</p>
<p>Two solutions:</p>
<ol>
<li>Temporarily remove this HELO check rule on YOUR server, in file
   <code>/etc/postfix/helo_access.pcre</code> (Linux/OpenBSD) or
   <code>/usr/local/etc/postfix/helo_access.pcre</code> (FreeBSD), then reload Postfix
   service.</li>
<li>Ask sender server system administrator to correct their HELO identity, they
   will experience same issue while sending email to others.</li>
</ol>
<h3 id="warning-do-not-list-domain-mydomaincom-in-both-mydestination-and-virtual_mailbox_domains">warning: do not list domain mydomain.com in BOTH mydestination and virtual_mailbox_domains</h3>
<p>Sample log in Postfix log file:</p>
<blockquote>
<p>Feb 20 03:31:54 mail postfix/trivial-rewrite[2216]: warning: do not list
domain mydomain.com in BOTH mydestination and virtual_mailbox_domains</p>
</blockquote>
<p>This error message means mail domain name <code>mydomain.com</code> is:</p>
<ul>
<li>listed in Postfix parameter <code>mydestination</code>. Most probably, this domain name
  is value of Postfix parameter <code>myhostname</code>, and <code>myhostname</code> is value of
  <code>mydestination</code>.</li>
<li>a virtual mail domain name. Most probably, you added this domain with
  iRedAdmin.</li>
</ul>
<p>To solve this, please either use a different <code>myhostname</code> or don't use this
domain name as mail domain (remove it with iRedAdmin). To use a different value
for Postfix parameter <code>myhostname</code>, you must also change server hostname.</p>
<h2 id="amavisd">Amavisd</h2>
<h3 id="connect-to-12700112700110024-connection-refused">connect to 127.0.0.1[127.0.0.1]:10024: Connection refused</h3>
<p>This error means Amavisd service is not running, please try to start it first.</p>
<ul>
<li>RHEL/CentOS/FreeBSD: <code># service amavisd restart</code></li>
<li>Debian/Ubuntu: <code># service amavis restart</code></li>
<li>OpenBSD: <code># /etc/rc.d/amavisd restart</code> or <code># rcctl restart amavisd</code></li>
</ul>
<p>After restarted amavisd service, please check its
<a href="./file.locations.html#amavisd">log file</a> to make sure it's running.</p>
<p>Notes:</p>
<ul>
<li>At least 2GB memory is required for a low traffic mail server. If your
  server doesn't have enough memory, Amavisd and ClamAV may be not able to
  start, or stop running automatically after running for a while. If it's just
  a testing server, you can follow
  <a href="./completely.disable.amavisd.clamav.spamassassin.html">our tutorial</a> to
  disable some features of Amavisd to keep it running, or disable it completely.</li>
</ul><div class="footer">
    <p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div>
<script type="text/javascript">
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-3293801-21', 'auto');
  ga('send', 'pageview');
</script>
</body></html>