Address lookup failed for any external domain

[krejcar25]

Hi to all,
I seem to be stuck. I have configured Mail Server in Docker and then hit a wall. Users can auth against SMTP with no problem but mail gets stored in queue and not delivered. The error in queue and in console is Address lookup failed., see a couple of lines below. I tried using different DNS respolvers in SMTP > Outgoing, system, all of the preconfigured options, custom DNS, nothing seems to change.

2024-05-03T15:12:33.398905Z  INFO delivery{id=172950097928130562 return_path="***sender address***" nrcpt=1 size=1175}:attempt{domain="outlook.cz" attempt_number=1}: smtp::outbound::local: context="deliver_local" event="deferred" rcpt="***recipient address***" reason="Address lookup failed."
2024-05-03T15:12:33.401085Z  INFO delivery{id=172950097928130562 return_path="***sender address***" nrcpt=1 size=1175}: smtp::outbound::delivery: Delivery was not possible, message re-queued for delivery. context="queue" event="requeue" reason="delivery-incomplete"

I also tried looking for this error message in the source to see where it is generated, maybe that would help me (here) but I don't speak too much Rust.

DNS requests from within the container are working fine and after installing dig I could resolve outlook.cz using the system resolver in Docker, and using all of the mentioned DNS servers so it's not a network issue. To make sure of that I even tried using a locally hosted DNS and running Stalwart outside of Docker directly in the host system, and the same error message showed up again.

config.toml

Here is my current config for completeness sake.

[authentication.fallback-admin]
secret = "b2l0!MOM!e2p0"
user = "admin"

[cluster]
node-id = 1

[directory.activedirectory]
attributes.class = "objectClass"
attributes.description = "displayName"
attributes.email = "mail"
attributes.email-alias = "otherMailbox"
attributes.groups = "memberOf"
attributes.name = "sAMAccountName"
attributes.quota = "diskQuota"
attributes.secret = "userPassword"
base-dn = "***SUPER SECRET SETTING***"
bind.auth.dn = "?@domain"
bind.auth.enable = true
bind.dn = "stalwart@domain"
bind.secret = "***SUPER SECRET SETTING***"
cache.entries = 500
cache.ttl.negative = "10m"
cache.ttl.positive = "1h"
filter.domains = "(&(|(objectClass=person)(objectClass=group))(|(mail=*@?)(otherMailbox=*@?)))"
filter.email = "(&(|(objectClass=person)(objectClass=group))(|(mail=?)(otherMailbox=?)))"
filter.expand = "(&(|(objectClass=person)(objectClass=group))(mail=?))"
filter.name = "(&(|(objectClass=person)(objectClass=group))(sAMAccountName=?))"
filter.verify = "(&(|(objectClass=person)(objectClass=group))(|(mail=*?*)(otherMailbox=*?*)))"
timeout = "15s"
tls.allow-invalid-certs = false
tls.enable = false
type = "ldap"
url = "***SUPER SECRET SETTING***"

[lookup.default]
hostname = "***SUPER SECRET SETTING***"

[server]
max-connections = 8192

[server.http]
permissive-cors = false
url = "protocol + '://' + key_get('default', 'hostname') + ':' + local_port"
use-x-forwarded = true

[server.listener]
http.bind = "[::]:8080"
http.protocol = "http"
https.bind = "[::]:443"
https.protocol = "http"
https.tls.implicit = true
imap.bind = "[::]:143"
imap.protocol = "imap"
imaptls.bind = "[::]:993"
imaptls.protocol = "imap"
imaptls.tls.implicit = true
sieve.bind = "[::]:4190"
sieve.protocol = "managesieve"
smtp.bind = "[::]:25"
smtp.protocol = "smtp"
submission.bind = "[::]:587"
submission.protocol = "smtp"
submissions.bind = "[::]:465"
submissions.protocol = "smtp"
submissions.tls.implicit = true

[server.socket]
backlog = 1024
nodelay = true
reuse-addr = true
reuse-port = true

[storage]
blob = "blob_minio"
data = "data_postgres"
directory = "activedirectory"
fts = "fulltext_elastic"
lookup = "lookup_redis"

[store.blob_minio]
access-key = "***SUPER SECRET SETTING***"
bucket = "stalwart"
endpoint = "http://blobstore:9000"  # valid Docker host
purge.frequency = "0 3 *"
region = "eu-central-1"
secret-key = "***SUPER SECRET SETTING***"
timeout = "15s"
type = "s3"

[store.data_postgres]
compression = "lz4"
database = "stalwart"
host = "datastore"  # valid Docker host
password = "***SUPER SECRET SETTING***"
pool.max-connections = 10
port = 5432
purge.frequency = "0 3 *"
query.domains = "SELECT 1 FROM emails WHERE address LIKE '%@' || $1 LIMIT 1"
query.emails = "SELECT address FROM emails WHERE name = $1 AND type != 'list' ORDER BY type DESC, address ASC"
query.expand = "SELECT p.address FROM emails AS p JOIN emails AS l ON p.name = l.name WHERE p.type = 'primary' AND l.address = $1 AND l.type = 'list' ORDER BY p.address LIMIT 50"
query.members = "SELECT member_of FROM group_members WHERE name = $1"
query.name = "SELECT name, type, secret, description, quota FROM accounts WHERE name = $1 AND active = true"
query.recipients = "SELECT name FROM emails WHERE address = $1 ORDER BY name ASC"
query.verify = "SELECT address FROM emails WHERE address LIKE '%' || $1 || '%' AND type = 'primary' ORDER BY address LIMIT 5"
timeout = "15s"
tls.allow-invalid-certs = false
tls.enable = false
type = "postgresql"
user = "stalwart"

[store.fulltext_elastic]
cloud-id = "stalwart"
index.replicas = 0
index.shards = 3
password = "***SUPER SECRET SETTING***"
tls.allow-invalid-certs = true
type = "elasticsearch"
url = "https://es01:9200"  # valid Docker host
user = "elastic"

[store.lookup_redis]
redis-type = "single"
timeout = "15s"
type = "redis"
urls = "redis://lookupstore"  # valid docker host

[tracer.docker]
ansi = false
enable = true
level = "info"
type = "stdout"

[tracer.log]
ansi = false
enable = true
level = "info"
path = "/opt/stalwart-mail/logs"
prefix = "stalwart.log"
rotate = "daily"
type = "log"

If anyone sees anything wrong with this config or has ideas what could be wrong please help me, I am clueless now.

Have a lovely day,
Amy!

[krejcar25]

I will add that delivery to any local domain works without issues. Some settings are not contained in the config for some reason after I modified them in the Web Interface, this would be SMTP > Outbound > Routing: Next hop only has one line is_local_domain('activedirectory', rcpt_domain) then 'local', after that just a false.

[krejcar25]

I will go on a limp here and assume a bunch of stuff right after I figured out a workaround. The workaround consists of creating another authentication directory, a local one this time, and then selecting that manually in the Next hop condition, instead of letting it be handled by LDAP. The guessing part is here. This is the output of ldapsearch using the configured domain filter:

Amys-MacBook-Pro.local  ➜  ~ ldapsearch -h DC.domain -b DC=domain -D user@domain -W "(&(|(objectClass=person)(objectClass=group))(|(mail=*@outlook.cz)(otherMailbox=*@outlook.cz)))" sAMAccountName mail otherMailbox
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <DC=domain> with scope subtree
# filter: (&(|(objectClass=person)(objectClass=group))(|(mail=*@outlook.cz)(otherMailbox=*@outlook.cz)))
# requesting: sAMAccountName mail otherMailbox
#

# search result
search: 2
result: 0 Success

# numResponses: 1

This filter correctly discovered no objects (and I promise you no object in my Active Directory has its mail attribute set to outlook.cz). It still returned a result, just a status one, but still. I will guess that Stalwart just checks that there is some results, not necessarily that they are valid.

Stalwart was attempting to deliver outbound mail to local users and didn't know what to do with the domain outlook.cz, pretty correctly. After telling it that it is in fact an external domain that is supposed to be handled by DNS, it happily delivered.

I will leave this here, perhaps this should be improved, or at least the behaviour of the domain search filter documented. My issue is now resolved, hopefully this thread is useful to someone in the future.

[Yaya48]

Hi, i'm facing the same issue right now, i don't really understand how you make your own domain a local domain and every other one external domain i would be happy to know thanks!