Solved sending mails from jail - 550 5.7.25 invalid/host-not-in-DNS return address not allowed

Hello, I have FreeBSD host with hostname mainserver.mydomain.com (this DNS record is managed by my own BIND dns server), and several jail on this hosts like:
nginx_proxy.mainserver.mydomain.com (127.0.1.2)
app1.mainserver.mydomain.com (127.0.1.3)
app2.mainserver.mydomain.com (127.0.1.4)
...

These jail subdomains are not managed by any DNS (it's only hostnames in jails rc.conf).

When I sending mail from these jails, this error occurs (returned mail):
Code:
The original message was received at Thu, 1 Mar 2018 14:30:45 +0100 (CET)
from [127.0.1.3]

   ----- The following addresses had permanent fatal errors -----
recipient@something.com
    (reason: 550 5.7.25 invalid/host-not-in-DNS return address not allowed)
    (expanded from: <root@app1.mainserver.mydomain.com>)

   ----- Transcript of session follows -----
... while talking to mx3.mail.icloud.com.:
>>> MAIL From:<root@app1.mainserver.mydomain.com> SIZE=764
<<< 550 5.7.25 invalid/host-not-in-DNS return address not allowed
554 5.0.0 Service unavailable

Reporting-MTA: dns; app1.mainserver.mydomain.com
Received-From-MTA: DNS; [127.0.1.3]
Arrival-Date: Thu, 1 Mar 2018 14:30:45 +0100 (CET)
...

So OK, my jail hostnames are only internal, not managed by any DNS and this is a problem. What is the best way to solve this?
1) add jail hostnames as DNS records to my own BIND DNS
2) do some sendmail masquerading and send mails through main host (mainserver.mydomain.com) sendmail?

Thanks!
 
Setting up a mail server can be very tedious. You need ensure that your reverse dns/ptr is working among many other things.
An nslookup must resolve your domain name to an IP AND vice versa.
nslookup app1.mainserver.mydomain.com
>app1.mainserver.mydomain.com ---> X.X.Y.Z
nslookup [option] X.X.Y.Z
>X.X.Y.Z --> app1.mainserver.mydomain.com


I found out that running an email server in a jail most probably requires using a public IP in the jail.

By the way, you have left us in a wild imagination of what your email server suite is - postfix/spamassssin/etc vs opensmtpd/spamd/etc vs ....?
 
I am using just core FreeBSD base sendmail. I suggested it in point (2).
If I need to even resolve from IP back to the jail domain, it's a problem with VPS hosting (IP will be resolved to some hosting technical DNS name like X345-56.hosting.com).

Is it really necessary to resolve back from IP, if I need only send emails from a jail (cron ouputs, periodic outputs...)? I have few important jails with properly configured DNS names (jail hostnames can be resolved via DNS), and mail sending is OK from them.
I don't like to configure dozens and dozens jail hostnames in my own DNS - but maybe it's not the right way and I definintelly should do it?

Sendmail masquerading from jails via main host (properly configured in DNS) sendmail is not a solution?
 
Code:
I am using just core FreeBSD base sendmail. I suggested it in point (2).
It is still not apparent in your communication that it is sendmail.

Sendmail masquerading from jails via main host (properly configured in DNS) sendmail is not a solution?
Sure, it is.
You could have one or more jails configure to send emails and relay them to a public-facing email service on another jail. But you must make sure that the other jails are not configured to send emails to domains outside your network without authentication. Otherwise, your machine would become an open relay. If well configured, any attempt to send an email outside your network will result in a "relay access denied" and you can manually complete the process as another option.

The public-facing email service must have PTR & Reverse-PTR/DNS working in order to receive emails. I reckon the problem might be coming from sendmail (policies). You may not have the same problem with OpenSMTPD installed on other jails and connecting each to the public-facing email server (e,g, Postfix) in another jail. Many an admin would recommend OpenSMTPD over Sendmail.
 
So... after reality check (masquerading, securing sendmails or adapting another mail servers...) it looks like just adding proper DNS records for all jails is the best way :) Thanks for assistance! Done.
 
So... after reality check (masquerading, securing sendmails or adapting another mail servers...) it looks like just adding proper DNS records for all jails is the best way :) Thanks for assistance! Done.
You are welcome Petr. For the thank you, may I ask that you give me a thumb up by clicking the thanks (thumb-up) button adjacent the reply?
 
Back
Top