Receiving emails to a backup virtualmin server when main server is offline

SYSTEM INFORMATION
Server A
Ubuntu 64bit 24.04.3
Webmin 2.620
Virtualmin 8.0.0 Professional
Webserver Apache version 2.4.58

Server B
Ubuntu 64bit 24.04.3
Webmin 2.621
Virtualmin 8.0.0 GPL
Webserver Apache version 2.4.58

We have a Virtualmin server (Server A) (v8.0.0 Professional) all set up and running our websites and email, and all is good.

We have now set up a secondary Virtualmin server (Server B) (v8.0.0 GPL) at a different location, but connected via VPN to the same network. We’ve followed the guide "Hold and Forward Backup Mail Server" in the Virtualmin documentation and verified the relay_recipients file, and it does have all the correct email addresses that it has synced from Server A.

In Cloudflare, we have set up MX10 to point to the main server (Server A), and MX20 to point to the backup server (Server B).

If I then put Server A offline, and then try to send an email from an external source (via an independent Proxmox Mail Gateway server), the sending server tries to send the email to Server B (as Server A is now offline); however, Server B is responding with 454 4.7.1 Relay access denied. I will post the communication log below from the Proxmox server (I have changed the actual IP addresses and email addresses for security).

I think that we’ve done everything that we should have done, and checked everything - so I am wondering if there is something obvious that I have missed. Any help would be appreciated.

Thank you in advance.
Phil.

```
2026-01-27T15:30:24.579041+00:00 pmg postfix/smtpd[10851]: connect from pipsmail.local[1.2.3.4]
2026-01-27T15:30:24.602910+00:00 pmg postfix/smtpd[10851]: Anonymous TLS connection established from pipsmail.local[1.2.3.4]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
2026-01-27T15:30:24.631730+00:00 pmg postfix/smtpd[10851]: 9A22E68014D: client=pipsmail.local[1.2.3.4]
2026-01-27T15:30:24.720089+00:00 pmg postfix/cleanup[10854]: 9A22E68014D: message-id=DIIE.00000023000BFDB3@mailt.sending-domain.com
2026-01-27T15:30:24.749565+00:00 pmg postfix/qmgr[1284]: 9A22E68014D: from=phils@sending-domain.com, size=3651, nrcpt=1 (queue active)
2026-01-27T15:30:24.749862+00:00 pmg postfix/smtpd[10851]: disconnect from pipsmail.local[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
2026-01-27T15:30:24.861209+00:00 pmg pmg-smtp-filter[7354]: 6807FF6978DA10CD265: new mail message-id=DIIE.00000023000BFDB3@mailt.sending-domain.com
2026-01-27T15:30:25.004299+00:00 pmg postfix/smtpd[10859]: connect from localhost.localdomain[127.0.0.1]
2026-01-27T15:30:25.007118+00:00 pmg postfix/smtpd[10859]: 01AD3680812: client=localhost.localdomain[127.0.0.1], orig_client=pipsmail.local[1.2.3.4]
2026-01-27T15:30:25.049013+00:00 pmg postfix/cleanup[10854]: 01AD3680812: message-id=DIIE.00000023000BFDB3@mailt.sending-domain.com
2026-01-27T15:30:25.063048+00:00 pmg postfix/qmgr[1284]: 01AD3680812: from=phils@sending-domain.com, size=4456, nrcpt=1 (queue active)
2026-01-27T15:30:25.063186+00:00 pmg postfix/smtpd[10859]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2026-01-27T15:30:25.063668+00:00 pmg pmg-smtp-filter[7354]: 6807FF6978DA10CD265: accept mail to phils@receiving-domain.com (01AD3680812) (rule: default-accept)
2026-01-27T15:30:25.072116+00:00 pmg pmg-smtp-filter[7354]: 6807FF6978DA10CD265: processing time: 0.221 seconds (0, 0.103, 0)
2026-01-27T15:30:25.073597+00:00 pmg postfix/lmtp[10855]: 9A22E68014D: to=phils@receiving-domain.com, relay=127.0.0.1[127.0.0.1]:10023, delay=0.46, delays=0.13/0.05/0.04/0.23, dsn=2.5.0, status=sent (250 2.5.0 OK (6807FF6978DA10CD265))
2026-01-27T15:30:25.074076+00:00 pmg postfix/qmgr[1284]: 9A22E68014D: removed
2026-01-27T15:30:55.242746+00:00 pmg postfix/smtp[10860]: Untrusted TLS connection established to webhost-ha.serverB.com[5.6.7.8]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
2026-01-27T15:30:55.317264+00:00 pmg postfix/smtp[10860]: 01AD3680812: to=phils@receiving-domain.com, relay=webhost-ha.serverB.com[5.6.7.8]:25, delay=30, delays=0.06/0.05/30/0.07, dsn=4.7.1, status=deferred (host webhost-ha.serverB.com[5.6.7.8] said: 454 4.7.1 phils@receiving-domain.com: Relay access denied (in reply to RCPT TO command))
```

Check the /etc/postfix/relay_recipients map. What’s in it? Virtualmin should be managing it, so it should know about your users.

Oh, but there might be some additional requirements, maybe new. I don’t remember how I set this up last time, as it’s been several years.

You may need this:

And, maybe relay_domains and relay_transport. I’m still reading, but it does seem like it’s more complicated than our documentation indicates.

So, yeah, I think you also need relay_domains listing all your domains.

You probably don’t need relay_transport. I think just adding relay_domains for all of your domains will solve the problem.

Thanks for your replies, Joe.

I am unsure where I need to configure the “relay_domains” that you mention. I have created a file with this name in /etc/postfix, and added our domains to that file. I have added the following line to the /etc/postfix/main.cf file: relay_domains = hash:/etc/postfix/relay_domains

Now when I send an email, I am getting a different error message as per the communication log below:-

```
(1) Could not connect to mail.receiving-domain.com on port 25
(1) Connecting to server 5.6.7.8 on port 25
(00001616) New Socket
(00001616) ReUseAddr : 1
(00001616) OutOfBandDataInline: 1
(00001616) KeepAlive : 5 minutes
(00001616) Socket Bound to Port 0
(00001616) Socket Connected to 5.6.7.8
(1) Connection established (1616)
(00001616) read (54/0)
(00001616) Got complete TCP Message (Size=54)
:1: 220 webhost-ha.serverB.com ESMTP Postfix (Ubuntu)
:1: EHLO mailt.sending-domain.com
SendTCPDataSSLEx: (00001616) write (29)
:1: 250- webhost-ha.serverB.com
:1: 250-PIPELINING
:1: 250-SIZE 10240000
:1: 250-VRFY
:1: 250-ETRN
:1: 250-STARTTLS
:1: 250-AUTH PLAIN LOGIN
:1: 250-AUTH=PLAIN LOGIN
:1: 250-ENHANCEDSTATUSCODES
:1: 250-8BITMIME
:1: 250-DSN
:1: 250-SMTPUTF8
:1: 250 CHUNKING
:1: STARTTLS
SendTCPDataSSLEx: (00001616) write (10)
(00001616) read (30/0)
(00001616) Got complete TCP Message (Size=30)
:1: 220 2.0.0 Ready to start TLS
(DAVIDTLS) TLS connection info: (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256)
(DAVIDTLS) SSL version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256
(1) TLS connection established
:1: EHLO mailt.sending-domain.com
:1: 250- webhost-ha.serverB.com
:1: 250-PIPELINING
:1: 250-SIZE 10240000
:1: 250-VRFY
:1: 250-ETRN
:1: 250-AUTH PLAIN LOGIN
:1: 250-AUTH=PLAIN LOGIN
:1: 250-ENHANCEDSTATUSCODES
:1: 250-8BITMIME
:1: 250-DSN
:1: 250-SMTPUTF8
:1: 250 CHUNKING
:1: MAIL FROM:mail@sending-domain.com
(00001616) read (14/0)
(00001616) Got complete TCP Message (Size=14)
:1: 250 2.1.0 Ok
:1: RCPT TO:phils@receiving-domain.com
(00001616) read (68/0)
(00001616) Got complete TCP Message (Size=68)
:1: 451 4.3.0 phils@receiving-domain.com: Temporary lookup failure
(1) Server temporary busy (phils@receiving-domain.com)
:1: RSET
(00001616) read (14/0)
(00001616) Got complete TCP Message (Size=14)
:1: 250 2.0.0 Ok
:1: QUIT
(00001616) read (15/0)
(00001616) Got complete TCP Message (Size=15)
:1: 221 2.0.0 Bye
(1) Mail Transmission aborted

(1) TLS ShutDown
(1) FREE TLS
```
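
Added example, not part of any post in this thread and not Virtualmin's own tooling: Postfix reports a temporary lookup failure when a table it is told to consult cannot be opened, and a `hash:` table only exists for Postfix once `postmap` has compiled the source file. The function below checks the `hash:` tables behind `relay_domains` and `relay_recipient_maps` for a missing source, a missing or stale `.db` file, and key-only lines; it assumes the Berkeley DB `hash` type and single-line settings in main.cf.

```shell
#!/bin/sh
# Added example: audit the hash: lookup tables a Postfix main.cf refers to.
# Assumes the Berkeley DB "hash" type, where "postmap FILE" writes FILE.db.
# Limitation: reads single-line "name = value" settings only; on a live
# server "postconf -h relay_domains" gives the effective value instead.

check_hash_maps() {
    main_cf=$1
    problems=0
    for param in relay_domains relay_recipient_maps; do
        value=$(sed -n "s/^$param[[:space:]]*=//p" "$main_cf" | tail -n 1)
        for entry in $(printf '%s' "$value" | tr ',' ' '); do
            case $entry in
                hash:*) src=${entry#hash:} ;;
                *) continue ;;          # literal domain or other table type
            esac
            if [ ! -f "$src" ]; then
                echo "$param: source file $src is missing"
                problems=$((problems + 1))
                continue
            fi
            if [ ! -f "$src.db" ]; then
                echo "$param: $src.db not built; run: postmap $src"
                problems=$((problems + 1))
            elif [ "$src" -nt "$src.db" ]; then
                echo "$param: $src.db is older than $src; re-run postmap"
                problems=$((problems + 1))
            fi
            # postmap wants "key whitespace value" and skips key-only lines.
            bad=$(awk 'NF == 1 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$src")
            if [ "$bad" -gt 0 ]; then
                echo "$param: $bad key-only line(s) in $src (add a value such as OK)"
                problems=$((problems + 1))
            fi
        done
    done
    return "$problems"
}

# Run against a real file when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_hash_maps "$1"
fi
```

The return status is the number of findings, so `0` means every referenced `hash:` table has a source file and a current `.db` file.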

Please put triple backticks (```) on an empty line between “below:-” and “(1) Could…”. If you quote below that block, you need another line with triple backticks to close it.
But, have you seen this page? I see a cert issue?

Curious, how long might you be offline for?

Sending mail servers should keep retrying for a couple of days if your server is down.

If it’s just for reboots after OS updates, I wouldn’t even bother.