Re: Config changes?

2022-10-13 Thread Viktor Dukhovni
On Thu, Oct 13, 2022 at 05:16:56PM +0200, Jack Raats wrote:

> I'm using postfix 3.7.2_1,1 on a FreeBSD 13.2-p2 server. Everything is OK.
> 
> After updating to version 3.7.3,1 mail isn't delivered to another 
> server due to zen.spamhaus blocking by postscreen.
> 
> Uninstalling 3.7.3,1 and replacing it by 3.7.2_1,1 everything is OK again.
> 
> Is something in the config of 3.7.3,1 changed?

Which resolvers are you using in /etc/resolv.conf?  Do you have a local
resolver, or are you forwarding to an ISP or some other shared resolver?

-- 
Viktor.


Re: Config changes?

2022-10-13 Thread Wietse Venema
Jack Raats:
> Hi,
> 
> I'm using postfix 3.7.2_1,1 on a FreeBSD 13.2-p2 server. Everything is OK.
> 
> After updating to version 3.7.3,1 mail isn't delivered to another 
> server due to zen.spamhaus blocking by postscreen.
> 
> Uninstalling 3.7.3,1 and replacing it by 3.7.2_1,1 everything is OK again.
> 
> Is something in the config of 3.7.3,1 changed?

You may want to check this again: DNS lookup results will sometimes
change over time.

There are no changes in postscreen source code. There are no changes
in files that handle configuration settings.  The changes in the
two global library files are not in code that postscreen depends
on.  The changes in the tls library do not affect postscreen's DNSBL
code.

However if Postfix 3.7.2 was built with a different compiler then some
things may change even if the code did not.

These are the files that are changed with Postfix-3.7.3:

$ zcat postfix-2.3-patch-03.gz | grep '^d'
diff -ur --new-file /var/tmp/postfix-3.7.2/src/global/mail_version.h ./src/global/mail_version.h
diff -ur --new-file /var/tmp/postfix-3.7.2/HISTORY ./HISTORY
diff -ur --new-file /var/tmp/postfix-3.7.2/RELEASE_NOTES ./RELEASE_NOTES
diff -ur --new-file /var/tmp/postfix-3.7.2/src/cleanup/cleanup_milter.c ./src/cleanup/cleanup_milter.c
diff -ur --new-file /var/tmp/postfix-3.7.2/src/global/map_search.c ./src/global/map_search.c
diff -ur --new-file /var/tmp/postfix-3.7.2/src/global/verify.c ./src/global/verify.c
diff -ur --new-file /var/tmp/postfix-3.7.2/src/oqmgr/qmgr_message.c ./src/oqmgr/qmgr_message.c
diff -ur --new-file /var/tmp/postfix-3.7.2/src/qmgr/qmgr_message.c ./src/qmgr/qmgr_message.c
diff -ur --new-file /var/tmp/postfix-3.7.2/src/tls/tls_server.c ./src/tls/tls_server.c


Config changes?

2022-10-13 Thread Jack Raats

Hi,

I'm using postfix 3.7.2_1,1 on a FreeBSD 13.2-p2 server. Everything is OK.

After updating to version 3.7.3,1 mail isn't delivered to another 
server due to zen.spamhaus blocking by postscreen.

Uninstalling 3.7.3,1 and replacing it by 3.7.2_1,1 everything is OK again.

Is something in the config of 3.7.3,1 changed?

Gr.,
Jack



Re: submission configuration and RFC 6409

2022-10-13 Thread Wietse Venema
Nick Tait:
> On 13/10/2022 8:04 am, Geert Hendrickx wrote:
> > "permit_mynetworks" has the (documented) drawback that remote mail forwarded
> > by a neighbouring system can still be rewritten (and thus break signatures).
> >
> > My personal preference is permit_inet_interfaces, permit_sasl_authenticated,
> > neither of these should cause false positives.
> 
> I agree that the default option value /shouldn't/ include 
> "permit_mynetworks", for the exact reason described above.
> 
> But IMHO the 'cleaner' solution is to leave the default option value as 
> it is ("permit_inet_interfaces"), and instead explicitly configure the 
> submission (and submissions) services with "-o 
> local_header_rewrite_clients=static:all" to treat all /submission/ 
> connections as local_header_rewrite_clients?

I agree. For the MUA submission(s)/smtps services, this is better
done in master.cf for the specific services, than in main.cf.

> Doing it this way makes it explicit (easier to comprehend intent), 
> rather than having to deduce the behaviour based on the inference that 
> submission (and submissions) use SASL authentication, whereas smtp doesn't?
> 
> I guess there were two underlying questions I was trying to ask:
> 
>  1. Whether it is possible to update the source code to include "-o
>     local_header_rewrite_clients=static:all" in master.cf for
>     "submission" and "submissions" services only? (NB: No change to
>     "smtp" service.)
>  2. And are there any other missing options that should be set? E.g. I
>     see the option "always_add_missing_headers" but it seems to work
>     fine without adding this, and besides this appears to be a cleanup
>     option rather than smtpd option?

Postfix (cleanup) adds headers

- When the SMTP daemon found a match with local_header_rewrite_clients.
  This should be used selectively (i.e. for specific services or
  address ranges). This is not documented and that should be fixed.
  It just makes it easy to canonicalize all header information.

- When always_add_missing_headers=yes. This should not be used if
  you want to preserve existing DKIM signatures.

A better name might be "local_header_canonicalize_clients" because
the ultimate goal was to canonicalize all header information from
specific clients. If there is a need to make this more specific,
then we could add a fine control for that.

The defaults would be:

# Default setting for when to canonicalize headers ("safe").
local_header_canonicalize_clients = permit_inet_interfaces

# Default setting for what how to canonicalize (historical behavior).
local_header_canonicalize_classes = rewrite_addresses, add_missing_headers

Wietse


Re: time spent in active queue

2022-10-13 Thread Viktor Dukhovni
On Thu, Oct 13, 2022 at 01:30:41PM +0200, juan smitt wrote:

> What can we check/tune if there are ~35K mails in the active queue
> (stress test is being performed) and a mail spends ~4m in the active
> queue?

Your output latency is too high:

Throughput = Concurrency / Latency

> 2022-10-13 07:54:05.823323+00:00 postfix/qmgr ... (queue active)
> 2022-10-13 07:58:12.308448+00:00 postfix/smtp ...
>   relay=relayserver.ip[relayserver.ip]:25, delay=247,
>   delays=0.06/245/0.09/1

Message delivery took ~1s.  If your destination concurrency limit is 20,
then your throughput is ~20 msgs/sec which may be lower than the input
rate.

> The relayhosts are accepting the emails, the emails aren't deferred,
> the OS seems fine on both our side and on the relay nodes.

Why is it taking a full second to deliver a single message?  You've
redacted the message size and recipient count, that's not helpful.

-- 
Viktor.
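
Added example (not part of the original post): a small parser for the delays=a/b/c/d field in the log line quoted above, applying Throughput = Concurrency / Latency to it. The field meanings follow Postfix's documented a/b/c/d format; the function names are hypothetical, and the concurrency of 20 is the figure assumed in the reply.

```python
import re

# delays=a/b/c/d as logged by Postfix delivery agents:
#   a = time before the queue manager (including message reception)
#   b = time in the queue manager (waiting in the active queue)
#   c = connection setup (DNS, HELO, TLS)
#   d = message transmission
DELAYS_RE = re.compile(
    r"delay=(?P<total>[\d.]+),\s*"
    r"delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+)"
)

def parse_delays(line):
    """Return the delay breakdown of one delivery log line, or None."""
    m = DELAYS_RE.search(line)
    if m is None:
        return None
    return {k: float(v) for k, v in m.groupdict().items()}

def throughput(concurrency, latency):
    """Throughput = Concurrency / Latency, in messages per second."""
    if latency <= 0:
        raise ValueError("latency must be positive")
    return concurrency / latency

def required_concurrency(input_rate, latency):
    """Concurrency needed so that output keeps up with input_rate (msgs/sec)."""
    return input_rate * latency

def summarize(lines, concurrency):
    """Average the per-delivery latency (c + d) and queue wait (b)."""
    samples = [d for d in map(parse_delays, lines) if d is not None]
    if not samples:
        return None
    n = len(samples)
    latency = sum(s["c"] + s["d"] for s in samples) / n
    return {
        "samples": n,
        "queue_wait": sum(s["b"] for s in samples) / n,
        "delivery_latency": latency,
        "msgs_per_sec": throughput(concurrency, latency),
    }

# Sample input: the two log lines from the thread, unwrapped (still redacted).
SAMPLE = [
    "2022-10-13 07:54:05.823323+00:00 postfix/qmgr ... (queue active)",
    "2022-10-13 07:58:12.308448+00:00 postfix/smtp ... "
    "relay=relayserver.ip[relayserver.ip]:25, delay=247, delays=0.06/245/0.09/1",
]

if __name__ == "__main__":
    print(summarize(SAMPLE, concurrency=20))
```

Almost all of the 247 s is field b, the wait in the active queue; the delivery itself (c + d) is about 1.09 s, which at a concurrency of 20 gives roughly 18 msgs/sec.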


time spent in active queue

2022-10-13 Thread juan smitt
Hi,


What can we check/tune if there are ~35K mails in the active queue
(stress test is being performed) and a mail spends ~4m in the active
queue?

Example:
2022-10-13 07:54:05.823323+00:00 postfix/qmgr ... (queue active)
(no log entries here)
2022-10-13 07:58:12.308448+00:00 postfix/smtp ...
relay=relayserver.ip[relayserver.ip]:25, delay=247,
delays=0.06/245/0.09/1

The relayhosts are accepting the emails, the emails aren't deferred,
the OS seems fine on both our side and on the relay nodes.


Thanks!