SOLVED: Re: relay access denied by relayhost, but I have permit_mynetworks

2016-05-25 Thread David Benfell
Hello /dev/rob0 ,

Yup, this seems to have been it. Thanks very much for your eyes.


On 05/25/2016 03:34 PM, /dev/rob0 wrote:
> 50.250.218.164 is not in 50.250.218.0/28 ... not in $mynetworks

-- 
David Benfell, Ph.D.
benf...@parts-unknown.org





Re: relay access denied by relayhost, but I have permit_mynetworks

2016-05-25 Thread /dev/rob0
On Wed, May 25, 2016 at 02:43:09PM -0700, David Benfell wrote:
> I'm getting relay access denied when my main web server attempts to 
> relay mail through my main mail server to outside domains. The web 
> server also functions as a secondary MX (and this seems to work). 
> Here is the main mail server configuration:
> 
> [root@home ~]# postconf -nf

A lot of junk in there, but I won't comment on that stuff for now.

> mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.0/24, 10.8.0.0/16,
> 50.250.218.0/28, [2001:470:67:119::]/64
->^^^

> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
> defer_unauth_destination

> Here is the configuration on the web server:

> relayhost = mail.parts-unknown.org

(That means it does an MX lookup first for "mail.parts-unknown.org" 
before falling back to A/.)

> smtp_bind_address = 50.250.218.164

> A sample log entry on the web server (with email address obscured):
> May 25 07:52:18 vegan postfix/smtp[33049]: 17457F040DA9:
> to=, relay=mail.parts-unknown.org[50.250.218.162]:25,
> delay=241020, delays=241020/0.04/0.59/0.02, dsn=4.7.1, status=deferred
> (host mail.parts-unknown.org[50.250.218.162] said: 454 4.7.1
> : Relay access denied (in reply to RCPT TO command))
> 
> The corresponding entry on the mail server:
> May 25 07:52:18 home postfix/smtpd[55825]: NOQUEUE: reject: RCPT from
> unknown[50.250.218.164]: 454 4.7.1 : Relay access
> denied; from= to=
> proto=ESMTP helo=

> What other information do I need to supply? What is wrong?

50.250.218.164 is not in 50.250.218.0/28 ... not in $mynetworks
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
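To make the reason for the 454 concrete, here is an added example (not from the thread and not Postfix code) that parses a mynetworks value in Postfix syntax, bracketed IPv6 prefixes included, and reports which entry, if any, would let a client pass permit_mynetworks; the mynetworks value is the one quoted above and the client addresses come from the posted logs.

```python
import ipaddress

# Constructed from the mynetworks value quoted earlier in this thread.
MYNETWORKS = ("127.0.0.0/8, [::1]/128, 192.168.1.0/24, 10.8.0.0/16, "
              "50.250.218.0/28, [2001:470:67:119::]/64")


def parse_mynetworks(value):
    """Split a Postfix mynetworks value into (original_token, ip_network) pairs.

    Postfix accepts comma- or whitespace-separated entries and writes IPv6
    prefixes as [addr]/len; an entry without /len is a single host.
    """
    nets = []
    for token in value.replace(",", " ").split():
        addr, _, plen = token.partition("/")
        addr = addr.strip("[]")
        cidr = addr + ("/" + plen if plen else "")
        nets.append((token, ipaddress.ip_network(cidr, strict=False)))
    return nets


def mynetworks_match(client_ip, value=MYNETWORKS):
    """Return the mynetworks entry containing client_ip, or None when the
    client would not pass permit_mynetworks and falls through to
    defer_unauth_destination (the 454 'Relay access denied' in the log)."""
    ip = ipaddress.ip_address(client_ip)
    for token, net in parse_mynetworks(value):
        if ip.version == net.version and ip in net:
            return token
    return None


def host_range(cidr):
    """First and last address covered by one entry, which makes a too-small
    prefix such as a /28 easy to spot by eye."""
    _, net = parse_mynetworks(cidr)[0]
    return str(net[0]), str(net[-1])


if __name__ == "__main__":
    for ip in ("50.250.218.164", "50.250.218.162", "10.8.0.5", "2001:470:67:119::4"):
        print(ip, "->", mynetworks_match(ip))
    print("50.250.218.0/28 covers", host_range("50.250.218.0/28"))
```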


Re: ot: pre emptive throttling/limiting ?

2016-05-25 Thread Scott Lambert
On Wed, May 25, 2016 at 08:18:23PM +1000, Voytek wrote:
> I have a small server with several domains, always worry some dumb users'
> account will get hacked and start spamming (including this dumb user,
> like, my own forgotten test account got hacked)
>  
> is it a good idea to put some limits or throttling 'just in case' ?

Yes, it is always a good idea to have message send limits 'just in case'.

I use policyd2 and give users the ability to send 200 messages per hour
and 500 messages per 24 hours.  99.9% of my users are okay with those
limits and I haven't been blacklisted since.  The next 0.09% of users
are okay with me resetting their counters once or twice per year when
they send out class reunion mailings or some other rare legitimate mass
mailing.

My brother used his account from a hotspot once and got compromised.
So yes, I run the limits even on my personal mail server where I trust
everyone.

-- 
Scott Lambert   KC5MLE   Unix SysAdmin
lamb...@lambertfam.org


relay access denied by relayhost, but I have permit_mynetworks

2016-05-25 Thread David Benfell
Hi all,

I'm getting relay access denied when my main web server attempts to
relay mail through my main mail server to outside domains. The web
server also functions as a secondary MX (and this seems to work). Here
is the main mail server configuration:

[root@home ~]# postconf -nf
address_verify_map = btree:$data_directory/verify_cache
alias_database = $alias_maps
alias_maps = hash:/etc/aliases, hash:/usr/local/mailman/data/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo
cont;
echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
>$config_directory/$process_name.$process_id.log & sleep 5
fast_flush_domains = $relay_domains
header_checks = pcre:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
in_flow_delay = 1s
inet_interfaces = 127.0.0.1, [::1], 10.8.0.1, 50.250.218.162,
[2001:470:67:119::4]
inet_protocols = ipv4, ipv6
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
local_destination_concurrency_limit = 2
mail_owner = postfix
mailbox_command_maps = hash:/usr/local/etc/postfix/mailbox_commands
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = localhost, localhost.$mydomain, cybernude.org,
mail.cybernude.org, munich.cybernude.org, vegan.cybernude.org,
www.cybernude.org, disunitedstates.com, mail.disunitedstates.com,
munich.disunitedstates.com, vegan.disunitedstates.com,
www.disunitedstates.com, disunitedstates.org, mail.disunitedstates.org,
munich.disunitedstates.org, vegan.disunitedstates.org,
www.disunitedstates.org, greybeard95a.com, mail.greybeard95a.com,
munich.greybeard95a.com, vegan.greybeard95a.com, www.greybeard95a.com,
n4rky.me, mail.n4rky.me, munich.n4rky.me, vegan.n4rky.me, www.n4rky.me,
parts-unknown.org, mail.parts-unknown.org, munich.parts-unknown.org,
www.parts-unknown.org, vegan.parts-unknown.org, n4rky.parts-unknown.org,
carolb.parts-unknown.org, home.parts-unknown.org, humansci.org,
home.humansci.org, mail.humansci.org, vegan.humansci.org,
www.humansci.org,
humanscience.institute, home.humanscience.institute,
mail.humanscience.institute, vegan.humanscience.institute,
www.humanscience.institute, reykjavik.parts-unknown.org,
reykjavik2.parts-unknown.org
mydomain = parts-unknown.org
myhostname = mail.parts-unknown.org
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.0/24, 10.8.0.0/16,
50.250.218.0/28, [2001:470:67:119::]/64
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_action = enforce
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net
psbl.surriel.com
bl.mailspike.net swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
queue_run_delay = 200s
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_bind_address = 50.250.218.162
smtp_tls_ciphers = medium
smtp_tls_key_file = /var/www/ssl/home-2015-03-23/privateKey.key
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_use_tls = yes
smtpd_authorized_verp_clients = $mynetworks
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
smtpd_command_filter = pcre:/etc/postfix/append_verp.pcre
smtpd_peername_lookup = no
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
check_sender_access hash:/etc/postfix/sender_access,
reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net, check_policy_service unix:private/spf-policy
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_optio

Re: postfix / dovecot / virtual_mailbox_maps regex

2016-05-25 Thread Viktor Dukhovni
On Wed, May 25, 2016 at 10:56:36PM +0200, Dirk wrote:

> > What kind of mappings happen in that regexp table?  Sure you can have
> > the mail delivered to some maildir or other, but how are users able
> > to read the mail?  Presumably dovecot still needs to know about
> > the mailboxes created by virtual(8) so it can grant access to them
> > to suitably authenticated users via IMAP.
>
> /.*\.d...@x.domain1.com/  x.domains1.com/dirk/
>
> This is kind of my own "spamgourmet.com" implementation where I can give
> email addresses on the fly to any "webpage".
> Everything is delivered to one maildir.
> 
> > > But now I would like to use sieve with dovecot.
> >
> > For both domains?  Or just one of them?
> 
> Ideally both.
>
> >> Therefore I would have to enable
> >> #virtual_transport = lmtp:unix:private/dovecot-lmtp
> >
> > Fine, now the LMTP recipient needs to be a recipient name known to
> > dovecot, but that's not much different from the requirement that
> > dovecot be able to associate users with mailboxes for IMAP.
> >
> > So you've not explained your problem in sufficient detail.
>
> To my knowledge dovecot cannot handle "dynamically" created email
> addresses.

Give it addresses it knows.

> > Well dovecot does not know about that mailbox.  Deliver to a mailbox
> > that dovecot does know about.  You'd typically use virtual_alias_maps
> > for that.
>
> Not possible - there is no mapping until the mail arrives. The email
> address is dynamic.

Nonsense, essentially the same regexp table can be used in
virtual_alias_maps instead of virtual_mailbox_maps:

/\.d...@x.domain1.com/  d...@x.domain1.com

-- 
Viktor.
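As an added example (not from the thread and not Postfix code), the following emulates a Postfix regexp(5) table lookup to show how the same catch-all pattern, moved into virtual_alias_maps, rewrites a dynamic address to one fixed mailbox that dovecot knows; the local part "dirk", the target mailbox and the set of dovecot users are assumptions, and the second table shows why anchoring the pattern and escaping the dots matters.

```python
import re

# Constructed regexp(5)-style tables as (pattern, result).  The local part
# "dirk" and the fixed target mailbox are assumptions for illustration.
LOOSE_TABLE = [
    # Unanchored, dots unescaped: matches far more than intended.
    (r"/.*\.dirk@x.domain1.com/", "dirk@x.domain1.com"),
]
STRICT_TABLE = [
    # Anchored and dot-escaped: only <something>.dirk@x.domain1.com matches.
    (r"/^[^@]+\.dirk@x\.domain1\.com$/", "dirk@x.domain1.com"),
]
# Constructed: the mailboxes dovecot actually knows about.
DOVECOT_USERS = {"dirk@x.domain1.com", "alice@domain1.com"}


def regexp_lookup(table, key):
    """Emulate a Postfix regexp: table lookup.

    Patterns are tried in order and the first match wins; matching is
    case-insensitive (the Postfix default); $1..$9 in the result are
    replaced by the captured groups.  Returns None when nothing matches.
    """
    for pattern, result in table:
        body = pattern[1:-1]  # strip the surrounding /.../ delimiters
        m = re.search(body, key, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), result)
    return None


def lmtp_recipient(addr, table=STRICT_TABLE):
    """Apply the virtual_alias_maps rewrite and report whether the recipient
    handed to dovecot-lmtp is a user it knows (otherwise: 550 5.1.1)."""
    target = regexp_lookup(table, addr) or addr
    return target, target in DOVECOT_USERS


if __name__ == "__main__":
    for addr in ("test.dirk@x.domain1.com", "web42.dirk@xZdomain1.com",
                 "test.dirk@x.domain1.com.example.net", "bob@x.domain1.com"):
        print(addr, "loose:", regexp_lookup(LOOSE_TABLE, addr),
              "strict:", regexp_lookup(STRICT_TABLE, addr))
```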


Re: postfix / dovecot / virtual_mailbox_maps regex

2016-05-25 Thread Dirk

Hi Viktor,

thanks for your reply.


On 25.05.2016 22:27, Viktor Dukhovni wrote:
> On Wed, May 25, 2016 at 10:00:55PM +0200, Dirk wrote:
>
>> Which user to what maildir is defined in.
>> virtual_mailbox_maps = hash:/etc/postfix/vmaps
>>
>> The second (sub)domain has no fixed user assignment. The users must
>> match a regex defined as well in
>> virtual_mailbox_maps = regexp:/etc/postfix/vmaps-regex
> Presumably, you have:
>
> virtual_mailbox_maps =
>   hash:/etc/postfix/vmaps,
>   regexp:/etc/postfix/vmaps-regex
>
> to accomplish both.  Right?

Yes you are right.

> What kind of mappings happen in that regexp table?  Sure you can have
> the mail delivered to some maildir or other, but how are users able
> to read the mail?  Presumably dovecot still needs to know about
> the mailboxes created by virtual(8) so it can grant access to them
> to suitably authenticated users via IMAP.
/.*\.d...@x.domain1.com/  x.domains1.com/dirk/
This is kind of my own "spamgourmet.com" implementation where I can give
email addresses on the fly to any "webpage".
Everything is delivered to one maildir.

>> But now I would like to use sieve with dovecot.
> For both domains?  Or just one of them?

Ideally both.
>> Therefore I would have to enable
>> #virtual_transport = lmtp:unix:private/dovecot-lmtp
> Fine, now the LMTP recipient needs to be a recipient name known to
> dovecot, but that's not much different from the requirement that
> dovecot be able to associate users with mailboxes for IMAP.
>
> So you've not explained your problem in sufficient detail.
To my knowledge dovecot cannot handle "dynamically" created email
addresses.
>> [private/dovecot-lmtp] said: 550 5.1.1  User 
>> doesn't exist: test.d...@x.domain1.com (in reply to RCPT TO command)
> Well dovecot does not know about that mailbox.  Deliver to a mailbox
> that dovecot does know about.  You'd typically use virtual_alias_maps
> for that.
Not possible - there is no mapping until the mail arrives. The email
address is dynamic.

>> It would maybe solve my problem if I could enable the virtual_transport
>> only for domain1.com not x.domain1.com.
> You can certainly use the transport(5) table to direct either domain
> to a different transport, but it is not clear that this is the right
> approach.
>
>   http://www.postfix.org/ADDRESS_REWRITING_README.html
>   http://www.postfix.org/ADDRESS_CLASS_README.html
>   http://www.postfix.org/virtual.5.html
>   http://www.postfix.org/postconf.5.html#virtual_alias_maps
>   http://www.postfix.org/postconf.5.html#transport_maps
>

I read virtual and transport_maps several times - no luck till now.



Re: postfix / dovecot / virtual_mailbox_maps regex

2016-05-25 Thread Viktor Dukhovni
On Wed, May 25, 2016 at 10:00:55PM +0200, Dirk wrote:

> Which user to what maildir is defined in.
> virtual_mailbox_maps = hash:/etc/postfix/vmaps
> 
> The second (sub)domain has no fixed user assignment. The users must
> match a regex defined as well in
> virtual_mailbox_maps = regexp:/etc/postfix/vmaps-regex

Presumably, you have:

virtual_mailbox_maps =
hash:/etc/postfix/vmaps,
regexp:/etc/postfix/vmaps-regex

to accomplish both.  Right?

What kind of mappings happen in that regexp table?  Sure you can have
the mail delivered to some maildir or other, but how are users able
to read the mail?  Presumably dovecot still needs to know about
the mailboxes created by virtual(8) so it can grant access to them
to suitably authenticated users via IMAP.

> But now I would like to use sieve with dovecot.

For both domains?  Or just one of them?

> Therefore I would have to enable
> #virtual_transport = lmtp:unix:private/dovecot-lmtp

Fine, now the LMTP recipient needs to be a recipient name known to
dovecot, but that's not much different from the requirement that
dovecot be able to associate users with mailboxes for IMAP.

So you've not explained your problem in sufficient detail.

> [private/dovecot-lmtp] said: 550 5.1.1  User doesn't 
> exist: test.d...@x.domain1.com (in reply to RCPT TO command)

Well dovecot does not know about that mailbox.  Deliver to a mailbox
that dovecot does know about.  You'd typically use virtual_alias_maps
for that.

> It would maybe solve my problem if I could enable the virtual_transport
> only for domain1.com not x.domain1.com.

You can certainly use the transport(5) table to direct either domain
to a different transport, but it is not clear that this is the right
approach.

http://www.postfix.org/ADDRESS_REWRITING_README.html
http://www.postfix.org/ADDRESS_CLASS_README.html
http://www.postfix.org/virtual.5.html
http://www.postfix.org/postconf.5.html#virtual_alias_maps
http://www.postfix.org/postconf.5.html#transport_maps

-- 
Viktor.


postfix / dovecot / virtual_mailbox_maps regex

2016-05-25 Thread Dirk
I am going in circles with a problem I have with postfix/dovecot.
I have a setup for two virtual_mailbox_domains on my postfix.

domain1.com
x.domain1.com

Both domains are delivered by postfix to users' maildirs, which are
accessed via dovecot.
Which user to what maildir is defined in.
virtual_mailbox_maps = hash:/etc/postfix/vmaps

The second (sub)domain has no fixed user assignment. The users must
match a regex defined as well in
virtual_mailbox_maps = regexp:/etc/postfix/vmaps-regex

This works quite fine.
But now I would like to use sieve with dovecot.

Therefore I would have to enable
#virtual_transport = lmtp:unix:private/dovecot-lmtp

If I do so - the mails for the sub domain x.domain1.com which has
"dynamic users" based on a pattern are rejected by dovecot

[private/dovecot-lmtp] said: 550 5.1.1  User doesn't 
exist: test.d...@x.domain1.com (in reply to RCPT TO command)

The question is now - how can I set this up so that I can define
dovecot-lmtp to enable sieve and stick to my dynamic users.

It would maybe solve my problem if I could enable the virtual_transport
only for domain1.com not x.domain1.com.
But this configuration I did in transports fails.

Can someone give me a hint how to get this fixed ?

best regards

Dirk


Re: Send mail to /dev/null without other filtering

2016-05-25 Thread Viktor Dukhovni
On Wed, May 25, 2016 at 11:46:45AM -0600, Richard B. Pyne wrote:

> Is there a simple way to discard email coming to a specific address, such as
> nore...@domain.com without it having to go through all the other spam
> filtering I have in place and clogging my mail queue?

See the "DISCARD" action in the access(5) manpage.  Obviously use
with great caution.

-- 
Viktor.


Send mail to /dev/null without other filtering

2016-05-25 Thread Richard B. Pyne
Is there a simple way to discard email coming to a specific address, 
such as nore...@domain.com without it having to go through all the other 
spam filtering I have in place and clogging my mail queue?


Thanks.

--Richard


ot: pre emptive throttling/limiting ?

2016-05-25 Thread Voytek
I have a small server with several domains, always worry some dumb users'
account will get hacked and start spamming (including this dumb user,
like, my own forgotten test account got hacked)

is it a good idea to put some limits or throttling 'just in case' ?

Postfix 2.11, average server usage is like:
Per-Day Traffic Summary
-----------------------
date          received  delivered  deferred  bounced  rejected

May 23 2016       1422       1794        21        0      3399
May 24 2016       1683       2239        10        0      4509
May 25 2016       1583       2031        11        1      5402
May 15 2016        576        633        15        1      5343
May 16 2016       1438       2007        18        6      8497
May 17 2016       1579       2128        11        1      7738
May 18 2016       1598       1912         8        2      5889
May 19 2016       1604       2044        13        6      4947
May 20 2016       1196       1292         9        2      5100
May 21 2016        723        788         9        1      4349
May 22 2016         84         89         0        0       450
May  8 2016       1753       1823         8     1222      2498
May  9 2016       2894       3286        10     1440      3365
May 10 2016       3064       3401        26     1440      2413
May 11 2016       3004       3428        20     1440      3255