I am fairly new to plesk and postfix so please bear with me. I have plesk setup on a server with multiple domains already living and breathing, including email which all works fine. My issue comes in with a new domain I added that is using exchange for the email instead of the local postfix. So I deactivated postfix for this "newdomin.tld" in plesk but anytime the website tries to send an email (PHP Contact form) I never get the test emails (despite the form reporting success).
Here are the errors I get in my maillog:
Jul 30 08:00:19 mydomain postfix/qmgr[22665]: 15F972500E30: from=<phpform#newdomin.tld>, size=836, nrcpt=1 (queue active)
Jul 30 08:00:19 mydomain postfix/smtp[22852]: 15F972500E30: to=<validuser#newdomin.tld>, relay=none, delay=0.09, delays=0.08/0.01/0/0, dsn=5.4.6, status=bounced (mail for XXX.XXX.XXX.XXX loops back to myself)
Jul 30 08:00:19 mydomain postfix/cleanup[22750]: 2EB332500EEF: message-id=<20150730150019.2EB332500EEF#mydomain.com>
Jul 30 08:00:19 mydomain postfix/bounce[22853]: 15F972500E30: sender non-delivery notification: 2EB332500EEF
Jul 30 08:00:19 mydomain postfix/qmgr[22665]: 2EB332500EEF: from=<>, size=2630, nrcpt=1 (queue active)
Jul 30 08:00:19 mydomain postfix/qmgr[22665]: 15F972500E30: removed
Jul 30 08:00:19 mydomain postfix/smtp[22852]: 2EB332500EEF: to=<validuser#newdomin.tld>, relay=none, delay=0.03, delays=0.03/0/0/0, dsn=5.4.6, status=bounced (mail for XXX.XXX.XXX.XXX loops back to myself)
Jul 30 08:00:19 mydomain postfix/qmgr[22665]: 2EB332500EEF: removed
Jul 30 08:00:19 mydomain plesk_saslauthd[22790]: activity on 0 channel(s)
Jul 30 08:00:19 mydomain plesk_saslauthd[22790]: select timeout, exiting
And here is my main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = all
#mydestination = localhost.$mydomain, localhost, localhost.localdomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
mail.$mydomain, www.$mydomain, ftp.$mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.8.17/samples
readme_directory = /usr/share/doc/postfix-2.8.17/README_FILES
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual, hash:/etc/postfix/virtual_mailbox_maps
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = hash:/etc/postfix/transport, hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks =
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = reject_invalid_hostname,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
reject_unauth_destination,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dsn.rfc-ignorant.org,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client combined.rbl.msrbl.net,
reject_rbl_client rabl.nuclearelephant.com,
permit
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
mailbox_size_limit = 0
virtual_mailbox_limit = 0
myhostname = mycustomdomain.com
message_size_limit = 31457280
Any help would be appreciated, this is a default plesk setup (12.0.18 Update #57) running on CentOS 6.6. And all other email, webmail, smtp settings seem to work for all other servers, it is just this one that has Exchange. I did make sure all my DNS settings were correct in plesk as well as in my server portal through codero hosting. I know the exchange settings are working as everyone gets their emails i just cant send emails from the domain out tot he exchange server.
Thanks!
Seems I had gencom.us smtp:206.225.87.101 in my /etc/postfix/transport and /var/spool/postfix/plesk/transport files. once removed things started working again.
Related
I have set up postfix and dovecot following several guides online and consistently have the problem that emails I send will not be encrypted.
I have been testing the settings by sending an email to my #gmail.com account as I am sure the google servers will support TLS encryption, and email in the gmail webmail clearly shows the red crossed out padlock to show that they are not encrypted.
If I set
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt
I get this error
TLS is required, but was not offered by host gmail-smtp-in.l.google.com[64.233.167.27]
And if I set it to may it sends the email, without encrypting it.
This is the output of postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mydestination = $myhostname, localdomain, localhost, localhost.localdomain, localhost, mail.example.com, example.com
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = subnet
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
smtp_tls_CAfile = /routeto/my.ca-bundle
smtp_tls_cert_file = /routeto/my.crt
smtp_tls_key_file = /routeto/my.key
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = example.com
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /routeto/my.ca-bundle
smtpd_tls_cert_file = /routeto/my.crt
smtpd_tls_key_file = /routeto/my.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
and this is the output of a telnet on port 25 followed by ehlo test
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
and the same thing on port 587
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
TLS is required, but was not offered by host gmail-smtp-in.l.google.com[64.233.167.27]
This clearly shows, that the host does not offer STARTTLS to your server. But, it is known that gmail offers STARTTLS and your test with telnet confirms it. My guess is that you did the telnet from a different system and that your mail server is behind some (transparent) firewall which intercepts traffic to analyze it. In order to not deal with encrypted SMTP traffic this is often done by simply stripping the STARTTLS command from the servers response to EHLO so that the mail server assumes that TLS is not supported.
See also What happens if STARTTLS dropped in SMTP?.
I'm new to using postfix. Tried installing postfix as MTA for my ubuntu server. The main.cf looks like below:
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ubuntu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, ubuntu, localhost.localdomain, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
myorigin =
home_mailbox = Maildir/
mailbox_command =
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
However, on sending an email to my personal mail with mail -s, i see the below
Apr 07 00:56:52 ubuntu postfix/pickup[3901]: 4C0E8BA0029: uid=1000 from=<ubuntu#ubuntu>
Apr 07 00:56:52 ubuntu postfix/cleanup[7717]: 4C0E8BA0029: message-id=<20170407045652.4C0E8BA0029#ubuntu>
Apr 07 00:56:52 ubuntu postfix/qmgr[4899]: 4C0E8BA0029: from=<ubuntu#ubuntu>, size=322, nrcpt=1 (queue active)
Apr 07 00:56:52 ubuntu postfix/smtp[7719]: 4C0E8BA0029: to=<xxxx.xxxx#xxxx.com>, relay=xx.xxxxxxxx.xxxx.com[xx.xxx.xxx.xxx]:25, delay=0.35, delays=0.07/0/0.19/0.08, dsn=2.0.0, status=sent (250 ok: Message 84730726 accepted)
Apr 07 00:56:52 ubuntu postfix/qmgr[4899]: 4C0E8BA0029: removed
But the mail is never delivered to my personal mail box. Appreciate the inputs.
The problem was the server was missing a FQDN. I did set it up in the hosts file and set using "hostname ubuntu.local". Mail forwarding works fine now.
Mail from Plesk.
But i recieve this answer
Out: 220 **DOMAIN** ESMTP Postfix (Debian/GNU)
In: EHLO [10.33.205.183]
Out: 250-**DOMAIN**
Out: 250-PIPELINING
Out: 250-SIZE 31457280
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 454 4.7.0 TLS not available due to local problem
In: ???
Out: 502 5.5.2 Error: command not recognized
In: ?????(?'??????
Out: 502 5.5.2 Error: command not recognized
In: ????
Out: 502 5.5.2 Error: command not recognized
Out: 421 4.4.2 **DOMAIN** Error: timeout exceeded
Session aborted, reason: timeout
For other details, see the local mail logfile
Here is my main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/tls/httpsd.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = ***DOMAIN***
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.startdedicated.de, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128 **IP**/32
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
non_smtpd_milters =
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
virtual_mailbox_limit = 0
message_size_limit = 31457280
I should say, that i not be an expert on linux and mailing!
The config file is located: /etc/postfix/main.cf
The cert /etc/postfix/tls/httpsd.pem is the servers default cert.
Thank you!
TL;TR: both bad client and bad server.
The mail server you use is configured wrong in that it believes it can to TLS (as seen in EHLO containing STARTTLS) but then fails to actually use TLS (error when client tries to use TLS). Additionally the client simply ignores the error message to the STARTTLS command and continues with the TLS handshake. This causes error messages from the server which expects proper SMTP commands but instead gets what looks like garbage (the TLS ClientHello).
i'm trying to configure postfix to work with an external smtp server.
This is my main.cf file (this is from a fresh installation and few customize settings):
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ubuntuTesting
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = ubuntuTesting, localhost.localdomain, localhost
relayhost = smtp.site.it
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_sasl_auth_enable = yes
# optional: necessary if email provider uses load balancing and
# forwards emails to another smtp server
# for delivery (ie: smtp.yahoo.com --> smtp.phx.1.yahoo.com)
smtp_cname_overrides_servername = no
I've created the sasl_passwd with smtp, username and password. When i try to send an email with 'mail' command this is the output in the logs
Jun 12 15:13:13 ubuntuTesting postfix/qmgr[2390]: AE6FD1E136B: from=<ubuntu#ubuntuTesting>, size=368, nrcpt=1 (queue active)
Jun 12 15:13:14 ubuntuTesting postfix/smtp[2401]: AE6FD1E136B: enabling PIX workarounds: disable_esmtp delay_dotcrlf for smtp.site.com[xxx.xxx.xx.xx]:25
Jun 12 15:13:14 ubuntuTesting postfix/smtp[2401]: AE6FD1E136B: to=<stefano#site.com>, relay=smtp.site.com[xxx.xxx.xx.xx]:25, delay=0.72, delays=0.04/0.04/0.59/0.05, dsn=4.4.2, status=deferred (lost connection with smtp.site.com[xxx.xxx.xx.xx] while sending MAIL FROM)
Jun 12 15:23:03 ubuntuTesting postfix/smtp[2491]: AE6FD1E136B: enabling PIX workarounds: disable_esmtp delay_dotcrlf for smtp.site.com[xxx.xxx.xx.xx]:25
Jun 12 15:23:03 ubuntuTesting postfix/smtp[2491]: AE6FD1E136B: to=<stefano#site.com>, relay=smtp.site.com[xxx.xxx.xx.xx]:25, delay=590, delays=589/0.01/0.36/0.04, dsn=4.4.2, status=deferred (lost connection with smtp.site.com[xxx.xxx.xx.xx] while sending MAIL FROM)
I think the issues is that the smtp server accept AUTH PLAIN login type, but i can't figure out how to login correctly. I've tried a lot of things.
I can make it works with my google account, but not with this one.
I have a server that runs on apache, and I am sending emails from that server. I want to set the number of recipients that each outgoing email can send to. I am following this tutorial and this manual - it seems to be as easy as adding smtpd_recipient_limit=2 to master.cf like below, reloading postfix, and running a test with 3 recipients. Each recipients still get email, with no error messages in /var/log/syslog file below. What is missing?
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# limit number of emails that can be send. Each outgoing mail are seperated by
# 1 second delay. Number of recepients of each message is limited to 10.
#smtp_destination_rate_delay = 1s
#smtp_extra_recipient_limit = 10
#smtpd_client_message_rate_limit=2
smtpd_recipient_limit=2
smtpd_recipient_overshoot_limit=0
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = xxx
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
# (sorry have to smear out the domain name)
mydestination = xxx, localhost.xxx, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
#Added
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
Log file below
Apr 10 22:35:54 xxx postfix/pickup[7448]: 16151400BC: uid=33 from=<www-data>
Apr 10 22:35:54 xxx postfix/cleanup[7455]: 16151400BC: message-id=<597dd15203e984495188a846c186772e#xxx>
Apr 10 22:35:54 xxx postfix/qmgr[7447]: 16151400BC: from=<www-data#xxx>, size=674, nrcpt=3 (queue active)
Apr 10 22:35:55 xxx postfix/smtp[7457]: 16151400BC: to=<yyy#gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.196.27]:25, delay=1.5, delays=0.01/0/0.15/1.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1397183738 v62si6606269yhp.5 - gsmtp)
Apr 10 22:35:55 xxx postfix/smtp[7457]: 16151400BC: to=<zzz#gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.196.27]:25, delay=1.5, delays=0.01/0/0.15/1.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1397183738 v62si6606269yhp.5 - gsmtp)
Apr 10 22:35:55 xxx postfix/smtp[7457]: 16151400BC: to=<ttt#gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.196.27]:25, delay=1.5, delays=0.01/0/0.15/1.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1397183738 v62si6606269yhp.5 - gsmtp)
Apr 10 22:35:55 xxx postfix/qmgr[7447]: 16151400BC: removed
It is because smtpd_recipient_limit only apply to the mails received by smtpd daemon through an SMTP transaction. The mails submitted using sendmail command is queued in maildrop queue by postdrop command, which is picked up by pickup and fed to cleanup directly.
You can't restrict recipient count for the mails submitted through sendmail command.
The only solution to this problem is force your applications to send mail only through smtp transaction.
You need to use smtp_destination_recipient_limit instead.