Greetings, I seem to have XFORWARD troubles with Postfix 2.7.0 lmtp <-> smtpd interoperability. Amavisd-new is in the game, too, but looks innocent.
Looks like the XFORWARD code in Postfix's lmtp client generates attributes ("PORT=unknown") that the smtpd doesn't permit. Is this a Postfix bug in lmtp (or smtpd) as of 2.7.0? Problem shown in the last three lines of the log below.

The mail rig is:

   10.0.0.2                                              <- IPs
   mx2              mail              mail               <- hostnames
-> Postfix 2.3.4 -> Postfix 2.7.0 <-> amavisd-new 2.6.4  <- software
   (listed MX)          |
                        `--> local(8) maildrop_command=maildrop -a -d

mx2 is outside my control, everything else is under my control.

First the logs, we see here three sessions with partial overlap:

1. mx2 -> mail's smtpd, injecting the mail received from outside.
   Looks pretty innocent. We offer PORT= to the Postfix-2.3.4 at mx2, it doesn't use it. So that's not it.

2. lmtp with localhost port 10024, amavisd listening
   Looks fishy, as it sends PORT=unknown.

3. smtpd with localhost for amavisd's back-injection after filtering
   Looks picky, as smtpd complains about PORT=unknown from step #2.

Logs (edited) - look for PORT=unknown

postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 220 mail.example.org ESMTP Postfix (Ubuntu)
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: EHLO mx2.example.org
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-mail.example.org
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-PIPELINING
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-SIZE 32000000
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-VRFY
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-ETRN
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-XFORWARD NAME ADDR PROTO HELO SOURCE PORT
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-ENHANCEDSTATUSCODES
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-8BITMIME
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250 DSN
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: XFORWARD NAME=unknown ADDR=186.58.X.Y
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250 2.0.0 Ok
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: XFORWARD PROTO=ESMTP HELO=186-58-X-Y.source.example SOURCE=REMOTE
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250 2.0.0 Ok
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: MAIL FROM:<sen...@example.com> SIZE=1731
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250 2.1.0 Ok
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: RCPT TO:<lu...@my.example.org> ORCPT=rfc822;lu...@my.example.org
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250 2.1.5 Ok
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: DATA
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 354 End data with <CR><LF>.<CR><LF>
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 220 [127.0.0.1] ESMTP amavisd-new service ready
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: LHLO mail.example.org
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250 2.0.0 Ok: queued as A803E47DD5
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-[127.0.0.1]
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: QUIT
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-VRFY
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 221 2.0.0 Bye
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-PIPELINING
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-SIZE
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-ENHANCEDSTATUSCODES
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-8BITMIME
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-DSN
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250 XFORWARD NAME ADDR PORT PROTO HELO SOURCE
postfix/lmtp[19435]: Using LMTP PIPELINING, TCP send buffer size is 4096
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: XFORWARD NAME=unknown ADDR=186.58.X.Y PORT=unknown
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: XFORWARD PROTO=ESMTP HELO=186-58-X-Y.source.example SOURCE=REMOTE
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: MAIL FROM:<sen...@example.com> SIZE=1975
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: RCPT TO:<lu...@my.example.org> ORCPT=rfc822;lu...@my.example.org
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: DATA
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250 2.5.0 Ok XFORWARD
postfix/smtpd[19432]: disconnect from mx2.example.org[10.0.0.2]
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250 2.5.0 Ok XFORWARD
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250 2.1.0 Sender <sen...@example.com> OK
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250 2.1.5 Recipient <lu...@my.example.org> OK
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 354 End data with <CR><LF>.<CR><LF>
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: .
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: QUIT
postfix/smtpd[19437]: > localhost[127.0.0.1]: 220 mail.example.org ESMTP Postfix (Ubuntu)
postfix/smtpd[19437]: < localhost[127.0.0.1]: EHLO localhost
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-mail.example.org
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-PIPELINING
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-SIZE 32000000
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-VRFY
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-ETRN
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-XVERP
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-XFORWARD NAME ADDR PROTO HELO SOURCE PORT
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-ENHANCEDSTATUSCODES
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-8BITMIME
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250 DSN
postfix/smtpd[19437]: < localhost[127.0.0.1]: XFORWARD ADDR=186.58.X.Y NAME=unknown PORT=unknown PROTO=ESMTP HELO=186-58-X-Y.source.example SOURCE=REMOTE
postfix/smtpd[19437]: > localhost[127.0.0.1]: 501 5.5.4 Bad PORT syntax: unknown
amavis[18545]: (18545-18) (!)Negative SMTP resp. to XFORWARD: 501 5.5.4 Bad PORT syntax: unknown

Postfinger output (edited):

--System Parameters--
mail_version = 2.7.0
hostname = mail
uname = Linux mail 2.6.32-31-generic-pae #61-Ubuntu SMP Fri Apr 8 20:00:13 UTC 2011 i686 GNU/Linux

--Packaging information--
looks like this postfix comes from deb package: postfix-2.7.0-1ubuntu0.1

--main.cf non-default parameters--
alias_database = hash:/etc/aliases hash:/etc/aliases-users
alias_maps = hash:/etc/aliases hash:/var/lib/mailman/data/aliases hash:/etc/aliases-users
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
bounce_queue_lifetime = 3d
canonical_maps = hash:/etc/postfix/canonical
delay_warning_time = 255m
forward_path = /var/mail/${user}/.forward${recipient_delimiter}${extension} /var/mail/${user}/.forward
header_checks = pcre:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
local_recipient_maps = proxy:nis:passwd.byname $relocated_maps $alias_maps
mailbox_command = /usr/bin/maildrop -d "$USER" -a -f "$SENDER" "$EXTENSION" "$RECIPIENT" "$USER" "$SENDER"
mailbox_size_limit = 0
masquerade_domains = [yes, my own domains listed here]
message_size_limit = 32000000
mydestination = ...
myhostname = ...
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 ... 192.168.0.0/24 192.168.2.0/24
myorigin = /etc/mailname
recipient_delimiter = +
relocated_maps = hash:/etc/postfix/relocated
show_user_unknown_table_name = no
smtpd_authorized_verp_clients = localhost localhost.$mydomain $myhostname
smtpd_authorized_xforward_hosts = 127.0.0.1 10.0.0.2
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = cidr:/etc/postfix/filtered-clients-cidr
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname permit_mynetworks reject_non_fqdn_hostname
smtpd_recipient_restrictions = pcre:/etc/postfix/regexp_access reject_unlisted_recipient reject_multi_recipient_bounce permit_mynetworks permit_sasl_authenticated reject_unauth_pipelining reject_unauth_destination
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain reject_unlisted_sender hash:/etc/postfix/access permit_mynetworks check_sender_mx_access cidr:/etc/postfix/mx_cidr_access check_sender_access hash:/etc/postfix/sender_external permit
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_helo_name = mail.example.org

--master.cf--
smtp       inet  n  -  -  -     -  smtpd
submission inet  n  -  -  -     -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n  -  -  -     -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup     fifo  n  -  -  60    1  pickup
cleanup    unix  n  -  -  -     0  cleanup
qmgr       fifo  n  -  n  300   1  qmgr
tlsmgr     unix  -  -  -  1000? 1  tlsmgr
rewrite    unix  -  -  -  -     -  trivial-rewrite
bounce     unix  -  -  -  -     0  bounce
defer      unix  -  -  -  -     0  bounce
trace      unix  -  -  -  -     0  bounce
verify     unix  -  -  -  -     1  verify
flush      unix  n  -  -  1000? 0  flush
proxymap   unix  -  -  n  -     -  proxymap
proxywrite unix  -  -  n  -     1  proxymap
smtp       unix  -  -  -  -     -  smtp
relay      unix  -  -  -  -     -  smtp
  -o smtp_fallback_relay=
showq      unix  n  -  -  -     -  showq
error      unix  -  -  -  -     -  error
retry      unix  -  -  -  -     -  error
discard    unix  -  -  -  -     -  discard
local      unix  -  n  n  -     -  local
virtual    unix  -  n  n  -     -  virtual
lmtp       unix  -  -  -  -     -  lmtp
anvil      unix  -  -  -  -     1  anvil
scache     unix  -  -  -  -     1  scache
mailman    unix  -  n  n  -     -  pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
amavisfeed unix  -  -  n  -     2  lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
  -o local_header_rewrite_clients=

-- end of postfinger output --

References:
¹) http://www.postfix.org/XFORWARD_README.html
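
Added example, not part of the original post: a Python sketch that pairs each "501 ... Bad <ATTR> syntax" reply in a verbose Postfix log with the XFORWARD command the same smtpd process received, and lists the lmtp/smtp client processes that sent the same attribute value earlier. The sample lines are constructed from the log above; the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the verbose log lines in the post above.
SAMPLE_LOG = """\
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250 XFORWARD NAME ADDR PORT PROTO HELO SOURCE
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: XFORWARD NAME=unknown ADDR=186.58.X.Y PORT=unknown
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250 2.5.0 Ok XFORWARD
postfix/smtpd[19437]: < localhost[127.0.0.1]: XFORWARD ADDR=186.58.X.Y NAME=unknown PORT=unknown PROTO=ESMTP
postfix/smtpd[19437]: > localhost[127.0.0.1]: 501 5.5.4 Bad PORT syntax: unknown
"""

# "postfix/<daemon>[<pid>]: <direction> <peer>: <protocol text>"
LINE = re.compile(r"postfix/(\w+)\[(\d+)\]: ([<>]) (\S+): (.*)")
REJECT = re.compile(r"501 \S+ Bad ([A-Z]+) syntax: (.*)")

def parse_attrs(command):
    """Turn 'XFORWARD A=b C=d' into {'A': 'b', 'C': 'd'}."""
    return dict(tok.split("=", 1) for tok in command.split()[1:] if "=" in tok)

def find_rejected_xforward(log_text):
    """Pair each 'Bad <ATTR> syntax' reply with its XFORWARD command and senders."""
    received = {}  # smtpd pid -> attributes of the last XFORWARD it received
    sent = []      # (process, attributes) for XFORWARD sent by lmtp/smtp clients
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, pid, direction, peer, text = m.groups()
        if text.upper().startswith("XFORWARD "):
            attrs = parse_attrs(text)
            if daemon == "smtpd" and direction == "<":
                received[pid] = attrs
            elif daemon in ("lmtp", "smtp") and direction == ">":
                sent.append((f"{daemon}[{pid}]", attrs))
            continue
        r = REJECT.match(text)
        if r and daemon == "smtpd" and direction == ">":
            attr, value = r.group(1), r.group(2).strip()
            if received.get(pid, {}).get(attr) != value:
                continue  # reply does not match the XFORWARD this process saw
            findings.append({
                "rejected_by": f"smtpd[{pid}]", "client": peer,
                "attr": attr, "value": value,
                "also_sent_by": [p for p, a in sent if a.get(attr) == value],
            })
    return findings

if __name__ == "__main__":
    for finding in find_rejected_xforward(SAMPLE_LOG):
        print(finding)
```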