Recipient Maps in Address Rewritting don't check the MX entry in the recipient server

[marioolofo]

Prior to placing the issue, please check following: (fill out each checkbox with an X once done)

• [X ] I understand that not following or deleting the below instructions will result in immediate closure and/or deletion of my issue.
• [X ] I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
• [X ] I have understood that answers are voluntary and community-driven, and not commercial support.
• [X ] I have verified that my issue has not been already answered in the past. I also checked previous issues.

Summary

I have a redirect from sac@amakhaparis.com.br to sac@amakhaparis.neoassist.com, and it was added in the Recipient Maps on the Address Rewritting tab. The problem is, the mailcow don't get the MX register from the new address, just connect directly on port 25 in the A registered IP. For example:

dig amakhaparis.neoassist.com

;; ANSWER SECTION: amakhaparis.neoassist.com. 300 IN CNAME cdn-02.atendimen.to. cdn-02.atendimen.to. 49 IN A 172.67.27.34 cdn-02.atendimen.to. 49 IN A 104.22.73.177 cdn-02.atendimen.to. 49 IN A 104.22.72.177

In this case, the MX record from this server points to mailgun.com

But when the redirect occours, the log I got is this:

23/02/2021 21:00:59 | info | 100228203C: to=sac@amakhaparis.neoassist.com, relay=none, delay=123951, delays=123860/1.1/90/0, dsn=4.4.1, status=deferred (connect to amakhaparis.neoassist.com[172.67.27.34]:25: Connection timed out) 23/02/2021 21:00:59 | info | connect to amakhaparis.neoassist.com[172.67.27.34]:25: Connection timed out 23/02/2021 21:00:58 | info | 2CD8F82329: to=sac@amakhaparis.neoassist.com, orig_to=sac@amakhacosmeticos.com.br, relay=none, delay=110484, delays=110393/0.57/90/0, dsn=4.4.1, status=deferred (connect to amakhaparis.neoassist.com[172.67.27.34]:25: Connection timed out)

You can see that the mail is been sent to the amakhaparis.neoassist.com IP, not the mailgun one =/

The mailcow instance was updated via ./update.sh today, bellow is the version installed: Found tag 1.8 for mailcow/unbound, which is older than the current tag 1.13 and should be deleted. Found tag 1.28 for mailcow/clamd, which is older than the current tag 1.38 and should be deleted. Found tag 1.45 for mailcow/rspamd, which is older than the current tag 1.76 and should be deleted. Found tag 1.43 for mailcow/phpfpm, which is older than the current tag 1.73 and should be deleted. Found tag 1.58 for mailcow/sogo, which is older than the current tag 1.95 and should be deleted. Found tag 1.86 for mailcow/dovecot, which is older than the current tag 1.140 and should be deleted. Found tag 1.37 for mailcow/postfix, which is older than the current tag 1.59 and should be deleted. Found tag 1.61 for mailcow/acme, which is older than the current tag 1.77 and should be deleted. Found tag 1.28 for mailcow/netfilter, which is older than the current tag 1.39 and should be deleted. Found tag 1.56 for mailcow/watchdog, which is older than the current tag 1.88 and should be deleted. Found tag 1.32 for mailcow/dockerapi, which is older than the current tag 1.38 and should be deleted. Found tag 1.6 for mailcow/solr, which is older than the current tag 1.7 and should be deleted. Found tag 1.1 for mailcow/olefy, which is older than the current tag 1.6 and should be deleted.

Logs

23/02/2021 21:00:59	info	100228203C: to=sac@amakhaparis.neoassist.com, relay=none, delay=123951, delays=123860/1.1/90/0, dsn=4.4.1, status=deferred (connect to amakhaparis.neoassist.com[172.67.27.34]:25: Connection timed out)
23/02/2021 21:00:59	info	connect to amakhaparis.neoassist.com[172.67.27.34]:25: Connection timed out
23/02/2021 21:00:58	info	2CD8F82329: to=sac@amakhaparis.neoassist.com, orig_to=sac@amakhacosmeticos.com.br, relay=none, delay=110484, delays=110393/0.57/90/0, dsn=4.4.1, status=deferred (connect to amakhaparis.neoassist.com[172.67.27.34]:25: Connection timed out)

Reproduction

It appears that the problem is to create a Recipient Map rule to a server that don't host it's own mailserver, the MX entry from the recipient is ignored.

System information

Question	Answer
My operating system	Ubuntu 19.04 (GNU/Linux 5.0.0-38-generic x86_64)
Is Apparmor, SELinux or similar active?	Apparmor
Virtualization technlogy (KVM, VMware, Xen, etc - LXC and OpenVZ are not supported	Don't know
Server/VM specifications (Memory, CPU Cores)	Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz x4 - 8 GB Memory
Docker Version (docker version)	Docker version 19.03.1, build 74b1e89
Docker-Compose Version (docker-compose version)	docker-compose version 1.28.4, build cabd5cfb
Reverse proxy (custom solution)

• Output of git diff origin/master, any other changes to the code? If so, please post them.
• All third-party firewalls and custom iptables rules are unsupported. Please check the Docker docs about how to use Docker with your own ruleset. Nevertheless, iptabels output can help us to help you: iptables -L -vn, ip6tables -L -vn, iptables -L -vn -t nat and ip6tables -L -vn -t nat.
• DNS problems? Please run docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254 (set the IP accordingly, if you changed the internal mailcow network) and post the output.

[mkuron]

The problem is, the mailcow don't get the MX register from the new address, just connect directly on port 25 in the A registered IP.

In my test, recipient maps are correctly using the MX of the destination address.

dig amakhaparis.neoassist.com amakhaparis.neoassist.com. 300 IN CNAME cdn-02.atendimen.to. [...] In this case, the MX record from this server points to mailgun.com

That domain name does not currently have an MX record. As a result (and per the SMTP standard), it falls back to the A record. So what you're seeing is correct behavior and you just need to make sure to actually set the MX record that points to mailgun. Note that if you have a CNAME record on a domain name, you cannot have any other records on that same domain name. You'd need to put the MX on the domain that the CNAME points to or replace the CNAME with direct A records.

[marioolofo]

Thank you @mkuron, understood the problem!

• The CNAME entry is used to go to cdn-02.atendimento.to
• The mailserver checks the MX entry on cdn-02.atendimento.to
• MX don't exist on this server, so it uses the A entry to connect.

But it works when I send emails directly to sac@amakhaparis.neoassist.com from gmail for example =/ In this case they ignore the CNAME redirect and use the MX instead?

Thank you again,

[mkuron]

$ dig +short amakhaparis.neoassist.com mx @9.9.9.9
cdn-02.atendimen.to.
$ dig +short amakhaparis.neoassist.com mx @8.8.8.8
1 mxa.mailgun.org.
1 mxb.mailgun.org.

Seems to be an implementation detail whether a DNS recursor will see other records when a CNAME record is present. In any case, having CNAME and other records on the same domain name violates the DNS standard, so please don't do it.

[marioolofo]

Understood!

Very informative, thank you for you support, very apreciatted