Greetings,

I seem to have XFORWARD troubles with Postfix 2.7.0 lmtp <-> smtpd
interoperability. Amavisd-new is in the game, too, but looks innocent.

Looks like the XFORWARD code in Postfix's lmtp client generates
attributes ("PORT=unknown") that the smtpd doesn't permit.

Is this a Postfix bug in lmtp (or smtpd) as of 2.7.0?

Problem shown in the last three lines of the log below.

The mail rig is:

   10.0.0.2                                                <- IPs
   mx2              mail              mail                 <- hostnames
-> Postfix 2.3.4 -> Postfix 2.7.0 <-> amavisd-new 2.6.4    <- software
   (listed MX)      |
                    `--> local(8) maildrop_command=maildrop -a -d

mx2 is outside my control, everything else is under my control.

First the logs, we see here three sessions with partial overlap:

1. mx2 -> mail's smtpd, injecting the mail received from outside.
   Looks pretty innocent. We offer PORT= to the Postfix-2.3.4 at mx2,
   it doesn't use it. So that's not it.
2. lmtp with localhost port 10024, amavisd listening
   Looks fishy, as it sends PORT=unknown.
3. smtpd with localhost for amavisd's back-injection after filtering
   Looks picky, as smtpd complains about PORT=unknown from step #2.

Logs (edited) - look for PORT=unknown
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 220 mail.example.org ESMTP Postfix (Ubuntu)
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: EHLO mx2.example.org
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-mail.example.org
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-PIPELINING
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-SIZE 32000000
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-VRFY
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-ETRN
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-XFORWARD NAME ADDR PROTO HELO SOURCE PORT
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-ENHANCEDSTATUSCODES
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250-8BITMIME
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250 DSN
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: XFORWARD NAME=unknown ADDR=186.58.X.Y
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250 2.0.0 Ok
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: XFORWARD PROTO=ESMTP HELO=186-58-X-Y.source.example SOURCE=REMOTE
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250 2.0.0 Ok
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: MAIL FROM:<[email protected]> SIZE=1731
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250 2.1.0 Ok
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: RCPT TO:<[email protected]> ORCPT=rfc822;[email protected]
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250 2.1.5 Ok
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: DATA
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 354 End data with <CR><LF>.<CR><LF>
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 220 [127.0.0.1] ESMTP amavisd-new service ready
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: LHLO mail.example.org
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 250 2.0.0 Ok: queued as A803E47DD5
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-[127.0.0.1]
postfix/smtpd[19432]: < mx2.example.org[10.0.0.2]: QUIT
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-VRFY
postfix/smtpd[19432]: > mx2.example.org[10.0.0.2]: 221 2.0.0 Bye
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-PIPELINING
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-SIZE
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-ENHANCEDSTATUSCODES
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-8BITMIME
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250-DSN
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250 XFORWARD NAME ADDR PORT PROTO HELO SOURCE
postfix/lmtp[19435]: Using LMTP PIPELINING, TCP send buffer size is 4096
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: XFORWARD NAME=unknown ADDR=186.58.X.Y PORT=unknown
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: XFORWARD PROTO=ESMTP HELO=186-58-X-Y.source.example SOURCE=REMOTE
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: MAIL FROM:<[email protected]> SIZE=1975
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: RCPT TO:<[email protected]> ORCPT=rfc822;[email protected]
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: DATA
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250 2.5.0 Ok XFORWARD
postfix/smtpd[19432]: disconnect from mx2.example.org[10.0.0.2]
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250 2.5.0 Ok XFORWARD
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250 2.1.0 Sender <[email protected]> OK
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 250 2.1.5 Recipient <[email protected]> OK
postfix/lmtp[19435]: < 127.0.0.1[127.0.0.1]:10024: 354 End data with <CR><LF>.<CR><LF>
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: .
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: QUIT
postfix/smtpd[19437]: > localhost[127.0.0.1]: 220 mail.example.org ESMTP Postfix (Ubuntu)
postfix/smtpd[19437]: < localhost[127.0.0.1]: EHLO localhost
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-mail.example.org
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-PIPELINING
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-SIZE 32000000
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-VRFY
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-ETRN
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-XVERP
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-XFORWARD NAME ADDR PROTO HELO SOURCE PORT
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-ENHANCEDSTATUSCODES
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250-8BITMIME
postfix/smtpd[19437]: > localhost[127.0.0.1]: 250 DSN
postfix/smtpd[19437]: < localhost[127.0.0.1]: XFORWARD ADDR=186.58.X.Y NAME=unknown PORT=unknown PROTO=ESMTP HELO=186-58-X-Y.source.example SOURCE=REMOTE
postfix/smtpd[19437]: > localhost[127.0.0.1]: 501 5.5.4 Bad PORT syntax: unknown
amavis[18545]: (18545-18) (!)Negative SMTP resp. to XFORWARD: 501 5.5.4 Bad PORT syntax: unknown
Postfinger output (edited):
--System Parameters--
mail_version = 2.7.0
hostname = mail
uname = Linux mail 2.6.32-31-generic-pae #61-Ubuntu SMP Fri Apr 8 20:00:13 UTC 2011 i686 GNU/Linux
--Packaging information--
looks like this postfix comes from deb package: postfix-2.7.0-1ubuntu0.1
--main.cf non-default parameters--
alias_database = hash:/etc/aliases hash:/etc/aliases-users
alias_maps = hash:/etc/aliases hash:/var/lib/mailman/data/aliases
    hash:/etc/aliases-users
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
bounce_queue_lifetime = 3d
canonical_maps = hash:/etc/postfix/canonical
delay_warning_time = 255m
forward_path =
    /var/mail/${user}/.forward${recipient_delimiter}${extension}
    /var/mail/${user}/.forward
header_checks = pcre:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
local_recipient_maps = proxy:nis:passwd.byname $relocated_maps $alias_maps
mailbox_command = /usr/bin/maildrop -d "$USER" -a -f "$SENDER"
    "$EXTENSION" "$RECIPIENT" "$USER" "$SENDER"
mailbox_size_limit = 0
masquerade_domains = [yes, my own domains listed here]
message_size_limit = 32000000
mydestination = ...
myhostname = ...
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 ...
    192.168.0.0/24 192.168.2.0/24
myorigin = /etc/mailname
recipient_delimiter = +
relocated_maps = hash:/etc/postfix/relocated
show_user_unknown_table_name = no
smtpd_authorized_verp_clients = localhost localhost.$mydomain $myhostname
smtpd_authorized_xforward_hosts = 127.0.0.1 10.0.0.2
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = cidr:/etc/postfix/filtered-clients-cidr
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname permit_mynetworks
    reject_non_fqdn_hostname
smtpd_recipient_restrictions = pcre:/etc/postfix/regexp_access
    reject_unlisted_recipient reject_multi_recipient_bounce
    permit_mynetworks permit_sasl_authenticated reject_unauth_pipelining
    reject_unauth_destination
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender
    reject_unknown_sender_domain reject_unlisted_sender
    hash:/etc/postfix/access permit_mynetworks check_sender_mx_access
    cidr:/etc/postfix/mx_cidr_access check_sender_access
    hash:/etc/postfix/sender_external permit
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_helo_name = mail.example.org
--master.cf--
smtp inet n - - - - smtpd
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
  -o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
amavisfeed unix - - n - 2 lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
  -o local_header_rewrite_clients=
-- end of postfinger output --
References:
¹) http://www.postfix.org/XFORWARD_README.html
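
Added example, not part of the original post: a small Python checker that rejoins verbose Postfix log records wrapped by a mail client and reports every XFORWARD command whose PORT value is neither a decimal port nor an "unavailable" placeholder, which is the condition behind the 501 reply above. The sample log is constructed from the lines in the post; the placeholder set `[UNAVAILABLE]` / `[TEMPUNAVAIL]` is an assumption taken from XFORWARD_README about what a receiving smtpd accepts.

```python
import re

# Constructed sample, modelled on the verbose log lines in the post.
SAMPLE_LOG = """\
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: XFORWARD NAME=unknown
ADDR=186.58.X.Y PORT=unknown
postfix/lmtp[19435]: > 127.0.0.1[127.0.0.1]:10024: XFORWARD PROTO=ESMTP
HELO=186-58-X-Y.source.example SOURCE=REMOTE
postfix/smtpd[19437]: < localhost[127.0.0.1]: XFORWARD ADDR=186.58.X.Y
NAME=unknown PORT=unknown PROTO=ESMTP HELO=186-58-X-Y.source.example
SOURCE=REMOTE
postfix/smtpd[19437]: > localhost[127.0.0.1]: 501 5.5.4 Bad PORT syntax:
unknown
postfix/smtpd[19440]: < localhost[127.0.0.1]: XFORWARD ADDR=186.58.X.Y PORT=40112
"""

LOG_START = re.compile(r"^(?:postfix/\w+|amavis)\[\d+\]: ")
XFWD = re.compile(r"^postfix/(\w+)\[(\d+)\]: ([<>]) .*?: XFORWARD (.*)$")
# Assumption: "unavailable" placeholders as described in XFORWARD_README.
UNAVAILABLE = {"[UNAVAILABLE]", "[TEMPUNAVAIL]"}

def unwrap(text):
    """Rejoin records that were wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if LOG_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def port_ok(value):
    """True for a decimal TCP port (1-65535) or an 'unavailable' placeholder."""
    if value in UNAVAILABLE:
        return True
    return bool(re.fullmatch(r"[0-9]{1,5}", value)) and 0 < int(value) <= 65535

def audit_xforward(text):
    """Return (daemon, pid, direction, port) for each XFORWARD with a bad PORT."""
    findings = []
    for rec in unwrap(text):
        m = XFWD.match(rec)
        if not m:
            continue
        daemon, pid, direction, args = m.groups()
        attrs = dict(a.split("=", 1) for a in args.split() if "=" in a)
        if "PORT" in attrs and not port_ok(attrs["PORT"]):
            findings.append((daemon, pid, direction, attrs["PORT"]))
    return findings
```

In the direction field, `>` marks a command the logging daemon sent and `<` one it received, so the first finding on the sample points at the lmtp client as the origin of the value and the second at the smtpd that receives it on re-injection.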