Re: [CentOS] Postfix and virtual mail boxes.[SOLVED - kinda]

2021-10-10 Thread Rob Kampen

On 11/10/21 12:53 am, Peter wrote:

On 10/10/21 11:28 pm, Rob Kampen wrote:

smtp   inet  n   -   n   -   -   smtpd
    -o smtpd_recipient_restrictions= -o content_filter=spamassassin


I assume based on what you've said before that this is after you added 
the workaround you mentioned, but the logs below are without the 
smtpd_recipient_restrictions= part here?


Correct, once I added the

  -o smtpd_recipient_restrictions=

the alias substitutions worked and the log becomes much longer as all 
the various processes complete and add their trace to the maillog.




Cannot see how this log listing can possibly help as it contains only three lines.


Nonetheless I do appreciate seeing them, no offense but you can never 
tell if someone's interpretations of the logs are accurate and so it's 
best just to see the logs themselves.


Here is the log of the incorrectly rejected email coming into the new 
MX - very short as it immediately rejects the alias recipient address 
- which my other two MX do not do.


Right.

This led me to the conclusion that the alias substitution is not 
taking place on my new MX whereas it does on my two working MX - 
hence my addition to the smtp processing line at the top of the 
master.cf file.


I wouldn't jump to that conclusion just yet, though.

That said, based on your config and logs I think I may have been wrong 
in my previous guess and it may very well be related to your 
policyd-spf.  More on that in a bit.


Can you provide the output of the following commands (but substitute 
the actual recipient domain and address for the munged versions you 
supplied here):


postmap -q example.com mysql:/etc/postfix/mysql-virtual_alias_domains.cf

postmap -q r...@example.com mysql:/etc/postfix/mysql-virtual_forwardings.cf

postmap -q r...@example.com mysql:/etc/postfix/mysql-virtual_email2email.cf

postmap -q example.com mysql:/etc/postfix/mysql-virtual_domains.cf

postmap -q r...@example.com mysql:/etc/postfix/mysql-virtual_mailboxes.cf

The results of the above should give a much better picture of what's 
going on.

OK - just to let you know the munge I used.

example.com is an alias domain for example.org which is the actual 
domain with Maildir space on the server.


rob@ is an alias for rkampen@, thus the only real address is rkam...@example.org.

Now the results:

[root@mx rkampen]# postmap -q example.org mysql:/etc/postfix/mysql-virtual_alias_domains.cf
[root@mx rkampen]# postmap -q example.org mysql:/etc/postfix/mysql-virtual_domains.cf
example.org
[root@mx rkampen]# postmap -q example.com mysql:/etc/postfix/mysql-virtual_alias_domains.cf
example.com
[root@mx rkampen]# postmap -q example.com mysql:/etc/postfix/mysql-virtual_domains.cf
[root@mx rkampen]# postmap -q r...@example.com mysql:/etc/postfix/mysql-virtual_forwardings.cf
[root@mx rkampen]# postmap -q r...@example.org mysql:/etc/postfix/mysql-virtual_forwardings.cf
rkam...@example.org
[root@mx rkampen]# postmap -q @example.com mysql:/etc/postfix/mysql-virtual_forwardings.cf
@example.org
[root@mx rkampen]# postmap -q r...@example.com mysql:/etc/postfix/mysql-virtual_email2email.cf
[root@mx rkampen]# postmap -q r...@example.org mysql:/etc/postfix/mysql-virtual_email2email.cf
[root@mx rkampen]# postmap -q rkam...@example.org mysql:/etc/postfix/mysql-virtual_email2email.cf
rkam...@example.org
[root@mx rkampen]# postmap -q rkam...@example.com mysql:/etc/postfix/mysql-virtual_email2email.cf
[root@mx rkampen]# postmap -q rkam...@example.com mysql:/etc/postfix/mysql-virtual_mailboxes.cf
[root@mx rkampen]# postmap -q rkam...@example.org mysql:/etc/postfix/mysql-virtual_mailboxes.cf
example.org/rkampen/

As all but mysql-virtual_alias_domains.cf are copies from the other MX, 
I think these are fine. Also as email presented via port 587 via an 
authenticated STARTTLS session actually work fine, I have no reason to 
suspect any issues in this area.




To check if it's the policyd that's causing the problem can you modify 
the smtpd_recipient_restrictions line in main.cf and remove just the 
"check_policy_service inet:localhost:12350," part?  So that it reads 
something like:


smtpd_recipient_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_unauth_destination,
    check_policy_service unix:private/policyd-spf

Then check to see if it works after that (and provide logs again so I 
can check things over).  Note this also means reverting your 
workaround in master.cf for this test.


Well that may have done it!

Now I get a correctly sent email with the alias substitutions done. 
Funny how that line seems to cause no error on my two original MX - 
looks like I better check them out a little more too.


Here is the munged log (same munging as above)

Oct 11 13:53:09 mx postfix/smtpd[10711]: connect from mail-pj1-x1030.google.com[2607:f8b0:4864:20::1030]
Oct 11 13:53:10 mx policyd-spf[10723]: ERROR: Unknown name "TestOnly" in file "/etc/python-policyd-spf/policyd-spf.conf"
Oc
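An added example, not code from the thread or from Postfix itself, that models the virtual(5) lookup order over tables constructed from the postmap -q output above (munged names kept), so the reader can see why rob@example.com only becomes a deliverable mailbox after two alias hops, and what an SMTP-time "known recipient" decision has to consult to avoid rejecting such an address or, with a catch-all entry, accepting one that has no mailbox.

```python
# Added example, not from the thread or from Postfix: a model of the
# virtual(5) lookup order over tables constructed from the thread's postmap -q output.
VIRTUAL_ALIAS_DOMAINS = {"example.com"}        # mysql-virtual_alias_domains.cf
VIRTUAL_MAILBOX_DOMAINS = {"example.org"}      # mysql-virtual_domains.cf
VIRTUAL_FORWARDINGS = {                        # mysql-virtual_forwardings.cf
    "rob@example.org": "rkampen@example.org",
    "@example.com": "@example.org",            # domain-wide catch-all
}
VIRTUAL_EMAIL2EMAIL = {                        # mysql-virtual_email2email.cf
    "rkampen@example.org": "rkampen@example.org",
}
VIRTUAL_MAILBOXES = {                          # mysql-virtual_mailboxes.cf
    "rkampen@example.org": "example.org/rkampen/",
}
ALIAS_MAPS = (VIRTUAL_FORWARDINGS, VIRTUAL_EMAIL2EMAIL)  # virtual_alias_maps order


def alias_lookup(addr):
    """One virtual_alias_maps lookup: full address first, then @domain.
    A bare @otherdomain result keeps the original local part."""
    for table in ALIAS_MAPS:
        if addr in table:
            return table[addr]
    local, _, domain = addr.partition("@")
    for table in ALIAS_MAPS:
        hit = table.get("@" + domain)
        if hit is not None:
            return local + hit if hit.startswith("@") else hit
    return None


def resolve(addr, max_hops=5):
    """Follow alias hops until the address stops changing, then report the
    hop list and the mailbox path the final address maps to (or None)."""
    hops = [addr]
    for _ in range(max_hops):
        nxt = alias_lookup(addr)
        if nxt is None or nxt == addr:
            break
        addr = nxt
        hops.append(addr)
    return hops, VIRTUAL_MAILBOXES.get(addr)


def recipient_known(addr):
    """SMTP-time check per Postfix address classes: alias-domain recipients
    need an alias match (a catch-all matches all); mailbox-domain ones a mailbox or alias."""
    domain = addr.partition("@")[2]
    if domain in VIRTUAL_ALIAS_DOMAINS:
        return alias_lookup(addr) is not None
    if domain in VIRTUAL_MAILBOX_DOMAINS:
        return addr in VIRTUAL_MAILBOXES or alias_lookup(addr) is not None
    return False
```

For the thread's own case, resolve("rob@example.com") walks rob@example.com to rob@example.org to rkampen@example.org and lands on example.org/rkampen/, while nobody@example.com passes the SMTP-time check via the catch-all yet resolves to no mailbox, which is the late-bounce backscatter situation Peter warns about.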

Re: [CentOS] Postfix and virtual mail boxes.[SOLVED - kinda]

2021-10-10 Thread Peter

On 10/10/21 11:28 pm, Rob Kampen wrote:

smtp   inet  n   -   n   -   -   smtpd
     -o smtpd_recipient_restrictions= -o content_filter=spamassassin


I assume based on what you've said before that this is after you added 
the workaround you mentioned, but the logs below are without the 
smtpd_recipient_restrictions= part here?


Cannot see how this log listing can possibly help as it contains only three lines.


Nonetheless I do appreciate seeing them, no offense but you can never 
tell if someone's interpretations of the logs are accurate and so it's 
best just to see the logs themselves.


Here is the log of the incorrectly rejected email coming into the new MX 
- very short as it immediately rejects the alias recipient address - 
which my other two MX do not do.


Right.

This led me to the conclusion that the alias substitution is not taking 
place on my new MX whereas it does on my two working MX - hence my 
addition to the smtp processing line at the top of the master.cf file.


I wouldn't jump to that conclusion just yet, though.

That said, based on your config and logs I think I may have been wrong 
in my previous guess and it may very well be related to your 
policyd-spf.  More on that in a bit.


Can you provide the output of the following commands (but substitute the 
actual recipient domain and address for the munged versions you supplied 
here):


postmap -q example.com mysql:/etc/postfix/mysql-virtual_alias_domains.cf

postmap -q r...@example.com mysql:/etc/postfix/mysql-virtual_forwardings.cf

postmap -q r...@example.com mysql:/etc/postfix/mysql-virtual_email2email.cf

postmap -q example.com mysql:/etc/postfix/mysql-virtual_domains.cf

postmap -q r...@example.com mysql:/etc/postfix/mysql-virtual_mailboxes.cf

The results of the above should give a much better picture of what's 
going on.


To check if it's the policyd that's causing the problem can you modify 
the smtpd_recipient_restrictions line in main.cf and remove just the 
"check_policy_service inet:localhost:12350," part?  So that it reads 
something like:


smtpd_recipient_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_unauth_destination,
    check_policy_service unix:private/policyd-spf

Then check to see if it works after that (and provide logs again so I 
can check things over).  Note this also means reverting your workaround 
in master.cf for this test.



Peter
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Postfix and virtual mail boxes.[SOLVED - kinda]

2021-10-10 Thread Rob Kampen

On 9/10/21 9:55 pm, Peter wrote:

On 9/10/21 12:26 pm, Rob Kampen wrote:
So, after many dozens of hours and sending test emails I have found a 
solution (work around) that appears to work okay. It is now different 
to the original two MX servers I cloned from, in that the maillog 
shows a different cycle of processing, and it now fails a truly 
unknown mailbox much later in the process - thus higher workload on 
my MX. But the key thing is that it does now do the virtual_alias 
checks on incoming emails on port 25 before rejecting.


If your MX is not rejecting messages to invalid recipients right away 
but instead bounces the messages later on you become a backscatter 
source (See https://www.backscatterer.org/?target=bounces).


Understood. On the two existing MX the recipient checks happen up front 
AFTER alias substitutions and hence no reject of valid email addresses. 
I have been unable to achieve this behaviour with the new MX.

Your server needs a properly configured list of valid recipients so it 
knows right away what recipients to accept and which ones to reject.

Agreed, and it has - in mysql tables.


No idea why this third MX is behaving differently. It has a dual 
stack IP, so I disabled IPv6 access and tried again, but that 
certainly wasn't the cause of the difference in processing.


If you can provide the output of the following two commands it would 
be very helpful in troubleshooting your problem:


postconf -nf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 3072
milter_default_action = accept
mydestination = localhost localhost.localdomain
myhostname = mx.example.com
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.128.0/24,
    [global:ip:6::]/64
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
    $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
    $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
    $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = check_policy_service inet:localhost:12350,
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
    check_policy_service unix:private/policyd-spf
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/letsencrypt/live/example.com/chain.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dhparam.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
unknown_local_recipient_reject_code = 550
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf

virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
    proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:12
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:89

postconf -Mf

smtp   inet  n   -   n   -   -   smtpd
    -o smtpd_recipient_restrictions= -o content_filter=spamassassin
submission inet  n   -   n   -   -   smtpd
    -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject