Yep, it's called Sender Verification. The verification was done by the geekmatt.com mail server, not yours. And based on the error message, I can conclude that

```
550-Verification failed for <contact@tomjn.com>
550-The mail server could not deliver mail to contact@tomjn.com. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
550 Sender verify failed
```

is the standard Exim error message.
BTW, not all sender verification is bad. For the explanation, I will assume that you want to send email FROM example.com TO example.net.

At the basic level, the example.net mail server must verify that the sender domain exists. If a mail server rejects your email at this level, then your domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname. In Postfix, the equivalent parameter is `reject_unknown_sender_domain`.

At the advanced level, the mail server will try to check whether the sender address exists. Basically, before accepting your email, the example.net mail server will try to telnet to your mail server without sending any email. This check is considered bad for several reasons.

Now, it looks like the domain tomjn.com fails to comply with sender verification at the basic level. Here is the MX record of tomjn.com:
```
% dig tomjn.com MX +short
1 178.62.28.136.tomjn.com.

% dig 178.62.28.136.tomjn.com
; <<>> DiG 9.9.5 <<>> 178.62.28.136.tomjn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52812
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;178.62.28.136.tomjn.com. IN A

;; AUTHORITY SECTION:
tomjn.com. 1800 IN SOA NS1.DIGITALOCEAN.com. hostmaster.tomjn.com. 1410110590 3600 900 1209600 1800
```
There, your MX record has no valid A record. Thus geekmatt.com rejects your email.

The solution: fix your MX record.
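
The basic-level check described in this answer, as an added example that is not part of the original answer and is not Exim's or Postfix's code. It runs over constructed record data (the tomjn.com entry mirrors the dig output above, the other names are made up), ignores AAAA records, and its function names are hypothetical.

```python
import ipaddress

# Constructed zone data: (name, type) -> values. MX values are
# (preference, target) pairs; names are stored without the trailing dot.
SAMPLE_RECORDS = {
    ("tomjn.com", "MX"): [(1, "178.62.28.136.tomjn.com")],  # as in the dig output
    ("example.com", "MX"): [(10, "mail.example.com")],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("example.net", "A"): ["203.0.113.7"],                  # no MX, A only
    ("example.org", "MX"): [(0, "")],                       # zero-length MX hostname
}


def embedded_ipv4(target, domain):
    """Return the IPv4 address if target is '<a.b.c.d>.<domain>', else None."""
    suffix = "." + domain
    if not target.endswith(suffix):
        return None
    try:
        return str(ipaddress.IPv4Address(target[: -len(suffix)]))
    except ValueError:
        return None


def check_sender_domain(domain, records):
    """Basic-level sender domain check; returns (ok, list of findings)."""
    mx = records.get((domain, "MX"), [])
    if not mx:
        # No MX: mail delivery falls back to the domain's own A record.
        if records.get((domain, "A")):
            return True, ["no MX, falling back to A record"]
        return False, ["no MX and no A record"]
    findings, usable = [], 0
    for _pref, target in sorted(mx):
        if not target:
            findings.append("malformed MX: zero-length hostname")
        elif records.get((target, "A")):
            usable += 1
        else:
            msg = f"MX target {target} has no A record"
            ip = embedded_ipv4(target, domain)
            if ip:
                msg += f" (looks like IP {ip} entered as the MX hostname)"
            findings.append(msg)
    return usable > 0, findings
```
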
This solution is a variant of this solution. But first, we will adjust some configuration.

First: Of course you can use a combination of `mynetworks` and `permit_mynetworks` to allow client relay. The alternative is using the `check_client_access` parameter. So, please remove both IP addresses (192.0.2.2/32, 203.0.113.2/32) from `mynetworks`.

Second: We will apply the restrictions one by one. As an initial step, we only limit the domain and IP address for IP address 192.0.2.2. We can apply the restriction class solution here:

main.cf

```
smtpd_restriction_classes =
    firstclient
firstclient =
    check_sender_access hash:/etc/postfix/firstsender
    reject
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    check_client_access hash:/etc/postfix/myclient
    reject_unauth_destination
```

/etc/postfix/myclient

```
192.0.2.2 firstclient
```

/etc/postfix/firstsender

```
example.com OK
```

Third: apply a similar solution for the second client, so the setup becomes:

main.cf

```
smtpd_restriction_classes =
    firstclient, secondclient
firstclient =
    check_sender_access hash:/etc/postfix/firstsender
    reject
secondclient =
    check_sender_access hash:/etc/postfix/secondsender
    reject
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    check_client_access hash:/etc/postfix/myclient
    reject_unauth_destination
```

/etc/postfix/myclient

```
192.0.2.2 firstclient
203.0.113.2 secondclient
```

/etc/postfix/firstsender

```
example.com OK
```

/etc/postfix/secondsender

```
example.net OK
```

FAQ:
Could you explain how the above setup works?
The explanation of how it works: Postfix restriction classes official docs
This doesn't look scalable. Can you provide me another solution?
Yes, you can use Postfix SMTP Access Policy Delegation.
Hmm, postfix policy server looks good to me. But do I have to implement my own script?
You can use any policy server addon like policyd, postfwd and others.
Best Answer
Here are the steps to install postsrsd from Timo Röhling. These instructions seem to work for many Unix flavors including Ubuntu 14.04.