Postfix Plugin: "mail for <internal IP> loops back to myself"

Started by andrew, April 12, 2021, 01:02:45 PM

Situation:
We are a small non-IT company that has an MS Exchange server behind OPNsense. Two weeks ago I finally installed the postfix plugin according to the mail gateway guide in the documentation, and some other guides, to use it as an incoming SMTP proxy.
Outgoing mail is still sent directly by Exchange (so its own correct HELO "mail1.ourcompany.de" is used).
I'll use it as a smarthost for outgoing mail too, after this problem is solved.
I'm not deep into mailservers/SMTP, so the config might be a bit rough (and wrong) around the edges, but it generally works. Almost.


Technical:
public domain name: ourcompany.de
internal Active Directory domain: company.local
internal mailserver hostname: mail01(.company.local)
MX record: mail1.ourcompany.de points to <public DSL IP of OPNsense>
rDNS of <public DSL IP of OPNsense>: mail1.ourcompany.de
Exchange internal IP: 192.168.x0.15
OPNsense internal IP: 192.168.x0.254
HELO when sending a test mail to Spamhaus helocheck@abuseat.org: mail1.ourcompany.de (this must/should be the answer from Exchange, not postfix)
SMTP banner according to manual telnet check from outside: mail1.ourcompany.de (this should be the answer from postfix)
SMTP banner according to testconnectivity.microsoft.com incoming check: 220 mail1.ourcompany.de (this should be the answer from postfix)
EHLO reply according to testconnectivity.microsoft.com incoming check: either mail1.ourcompany.de OR OPNsense (see below, both should be the answer from postfix)
Postfix Plugin Trusted networks: default + 192.168.x0.0/24
Postfix Plugin SMTP Banner: mail1.ourcompany.de
Postfix Plugin Domains: ourcompany.de destination 192.168.x0.15


Problem:
If I DO set the "System Hostname" in the postfix plugin to the mail server's public FQDN (mail1.ourcompany.de), as one should,
all incoming mails cannot be delivered. Postfix (it seems to me) generates these error mails:

Quote
Undelivered Mail Returned to Sender

This is the mail system at host mail1.ourcompany.de.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<my.name@ourcompany.de>: mail for 192.168.x0.15 loops back to myself


Attachment "message delivery status":

Reporting-MTA: dns; mail1.ourcompany.de
X-Postfix-Queue-ID: DC9768F48D3
X-Postfix-Sender: rfc822; my.privatemail@gmx.de
Arrival-Date: Mon, 12 Apr 2021 10:47:30 +0200 (CEST)

Final-Recipient: rfc822; my.name@ourcompany.de
Original-Recipient: rfc822;my.name@ourcompany.de
Action: failed
Status: 5.4.6
Diagnostic-Code: X-Postfix; mail for 192.168.x0.15 loops back to myself


If I DO NOT set the "System Hostname" in the postfix plugin, the hostname "OPNsense" is used for various things.
Also for the EHLO reply, it seems (the HELO is correct! See "Technical" above). This doesn't prevent this setup from working, BUT it didn't take long before our IP ended up on the Spamhaus CSS blocklist. Twice. This causes a lot of our outgoing mails to be undeliverable. I just got the 2nd delisting, but the IP can be blacklisted again any day.

Here are the 3 postfix GUI configs and their effect again:
Quote
1)
System Hostname: mail1.ourcompany.de
System Domain: ourcompany.de
System Origin: - empty -
Result: EHLO reply correct (mail1.ourcompany.de) but delivery between postfix and Exchange is 100% broken: "mail for 192.168.10.15 loops back to myself"

2)
System Hostname: - empty -
System Domain: ourcompany.de
System Origin: mail1.ourcompany.de
Result: EHLO reply wrong (OPNsense), so we'll be getting blacklisted, but delivery between postfix and Exchange works

3)
System Hostname: - empty -
System Domain: ourcompany.de
System Origin: - empty -
Result: EHLO reply wrong (OPNsense), so we'll be getting blacklisted, but delivery between postfix and Exchange works

BTW: Can anyone elaborate a bit on the meaning/function/relevance of "System Domain" and "System Origin", and how they relate to each other? The hints in the GUI don't really explain it to me as a mailserver layman.

So, what I need is a correct EHLO reply without the "mail for 192.168.10.15 loops back to myself" problem.
I guess postfix is confused that Exchange has the same HELO/EHLO as itself? If that is the cause, then the only solution I see is to change Exchange's HELO/EHLO. Or can you disable this check and force postfix to ignore it?
But then I can't use Exchange for outgoing mail anymore, and so I MUST use postfix as a smarthost then. Is that about right, or am I more and more confusing myself here?
Or is it maybe some funky DNS resolution problem?

Thanks for reading! I'll happily provide more info, if you need to know something specific.

Regards
Andre


EDIT: I found https://forum.opnsense.org/index.php?topic=19142.0 but his solution is my config 1) above.


As it's a plugin per se, you may be better off asking on the postfix forum; have you read the documentation available at postfix.org?


I do a similar thing, but I do not use postfix plugin, I use an EFA VM as my mail gateway which then delivers it to a Kerio instance. It sounds like it's more of a mail system issue than an Opnsense issue which may be why no-one has responded.


can you try to set destination like [192.168.0.15] (in square brackets)?
Quote
meaning/function/relevance of "System Domain" and "System Origin", and how they relate to each other? The hints in the GUI don't really explain it to me as a mailserver layman
The hint in the GUI is taken from the postfix docs:
System Domain ($mydomain): default internet domain for your postfix, used as the default parameter in many places.
System Origin ($myorigin): domain part (after @) used for outgoing mail from postfix itself.
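To make the square-bracket suggestion above concrete, here is an added illustration (my own Python, not OPNsense plugin code and not Postfix source) of the next-hop rule Postfix documents for transport and relay destinations: an unbracketed name gets an MX lookup, "[hostname]" gets an A lookup only, and "[1.2.3.4]" is an address literal with no DNS at all. The DNS records, the public address 203.0.113.10 (a TEST-NET range standing in for the DSL IP) and the list of local interface addresses are constructed for the example; the script does not reproduce what the plugin actually generates, it only shows the mechanism behind the "loops back to myself" text, which Postfix emits when every address it resolved for the next hop is one of its own.

```python
"""
Toy model of Postfix next-hop resolution (added example, not Postfix code).

Constructed scenario, loosely following the thread:
  MX  ourcompany.de          -> mail1.ourcompany.de
  A   mail1.ourcompany.de    -> 203.0.113.10   (public IP of the OPNsense box)
  A   mail01.company.local   -> 192.168.10.15  (Exchange, internal)
The gateway itself listens on 203.0.113.10 and 192.168.10.254.
"""
import ipaddress
import re

# Constructed DNS zone data (assumption, not real records).
DNS = {
    "MX": {"ourcompany.de": ["mail1.ourcompany.de"]},
    "A": {
        "mail1.ourcompany.de": ["203.0.113.10"],
        "mail01.company.local": ["192.168.10.15"],
    },
}

# Constructed: addresses the gateway listens on (inet_interfaces = all).
LOCAL_ADDRS = {"203.0.113.10", "192.168.10.254", "127.0.0.1"}

_BRACKETED = re.compile(r"^\[(.+)\]$")


class LoopError(Exception):
    """Raised where Postfix would report 'mail for X loops back to myself'."""


def resolve_nexthop(nexthop, dns=DNS, local_addrs=LOCAL_ADDRS):
    """
    Return the candidate delivery addresses for a transport/relay next hop.

    "[host]"     -> A lookup only, MX records are ignored
    "[1.2.3.4]"  -> address literal, no DNS at all
    "host"       -> MX lookup; with no MX, the name itself is the implicit MX
    Every resolved address being local means the mail would come straight
    back to this MTA, which is the loop condition.
    """
    m = _BRACKETED.match(nexthop)
    if m:
        inner = m.group(1)
        try:
            addrs = [str(ipaddress.ip_address(inner))]   # address literal
        except ValueError:
            addrs = list(dns["A"].get(inner, []))         # [hostname]: A only
    else:
        mx_hosts = dns["MX"].get(nexthop) or [nexthop]   # implicit MX fallback
        addrs = [a for h in mx_hosts for a in dns["A"].get(h, [])]

    if not addrs:
        raise LookupError(f"Host or domain name not found: {nexthop}")
    if all(a in local_addrs for a in addrs):
        raise LoopError(f"mail for {nexthop} loops back to myself")
    return addrs


def would_loop(nexthop, dns=DNS, local_addrs=LOCAL_ADDRS):
    """True if delivering to this next hop would hit the loop check."""
    try:
        resolve_nexthop(nexthop, dns, local_addrs)
    except LoopError:
        return True
    return False


if __name__ == "__main__":
    for hop in ("ourcompany.de", "[203.0.113.10]",
                "[mail01.company.local]", "[192.168.10.15]"):
        try:
            print(f"{hop:26} -> {resolve_nexthop(hop)}")
        except (LoopError, LookupError) as exc:
            print(f"{hop:26} -> {exc}")
```

The two bracketed internal forms reach Exchange without touching the public MX record, which is why the relay destination for the domain is normally written as "[192.168.x0.15]" rather than as a bare name that Postfix would try to resolve.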

Hi Andrew,

Have you been able to get an answer? I just installed postfix and I am also using MS Exchange, and get the same behavior.

Any help welcome.

Jean-Marc
New Caledonia