[pfx] Re: Frustrated and sad - Authentication required

2024-06-02 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> I have changed the $myhostname string and it still says it loops
> back to myself. Port 25 must be forwarded for incoming mail. Postfix
> isn't supposed to be listening to any ports. In fact, I only have
> smtpd enabled, and not smtp. This is very confusing. :(

Wietse Venema:
> To inform the Postfix SMTP client that this Postfix instance does
> not receive mail from the network, specify:
> 
> main.cf:
> inet_interfaces =

Mailman29 via Postfix-users:
> I thought that may be right, but if I comment out the "inet_interfaces"
> it fails to take mail from the main server for outbound delivery.

We appear to be talking about different servers: one that "isn't
supposed to be listening to any ports", yet somehow should be able
to receive mail, and one that should listen: "if I comment out the
"inet_interfaces" it fails to take mail from the main server for
outbound delivery".

Coming back to the diagram:

public IP address, port 25: haproxy -> 

non-public port or address: frontend.example.com MTA with transport_maps -> 

non-public port or address: backend.example.com MTA

I understand from your response that the backend MTA should send
mail to the internet through the frontend MTA.  All that is possible
but it requires careful configuration:

1) The backend.example.com MTA receives inbound mail from the frontend,
   delivers mail locally for example.com, localhost, backend.example.com,
   frontend.example.com, and sends outbound mail through the frontend.

/etc/postfix/main.cf:
# This example assumes delivery with the local(8) delivery agent,
# with valid recipients specified in local_recipient_maps
# (default: $alias_maps unix:passwd.byname).
# Instead, one could deliver with virtual_transport, list the
# domains with virtual_mailbox_domains, and list valid recipients
# with virtual_mailbox_maps.
mydestination = example.com localhost
    backend.example.com frontend.example.com
# Use a distinct MTA name to avoid name-based loop detection.
myhostname = backend.example.com
relayhost = [127.0.0.1]:frontend-outbound-port
inet_interfaces = 127.0.0.1

/etc/postfix/master.cf:
# Use a port other than 25 to disable IP address based loop detection.
127.0.0.1:backend-inbound-port  .. .. .. .. .. .. .. smtpd

2) The frontend.example.com MTA forwards mail to the backend for
   example.com, localhost, *.example.com:

/etc/postfix-frontend/main.cf:
# Use a distinct MTA name to avoid name-based loop detection.
myhostname = frontend.example.com
# Forward example.com, *.example.com, localhost.
relay_domains = example.com localhost 
# This assumes you have a list of valid recipients.
relay_recipient_maps = ...list with valid recipients...
transport_maps = hash:/etc/postfix-frontend/transport
mydestination =
proxy_interfaces = the haproxy public IP address
inet_interfaces = 127.0.0.1

/etc/postfix-frontend/transport:
# Forward example.com, *.example.com, localhost to the backend.
# Execute "postmap hash:/etc/postfix-frontend/transport" after
# editing the file.
example.com relay:[127.0.0.1]:backend-inbound-port
.example.com relay:[127.0.0.1]:backend-inbound-port
localhost relay:[127.0.0.1]:backend-inbound-port

/etc/postfix-frontend/master.cf:
# The port that receives inbound mail through haproxy.
127.0.0.1:frontend-inbound-port .. .. .. .. .. .. .. smtpd
    -o syslog_name=postfix/frontend-inbound
    -o smtpd_upstream_proxy_protocol=haproxy
# The port that receives outbound mail from the backend MTA.
# Use a port other than 25 to disable IP address based loop detection.
127.0.0.1:frontend-outbound-port .. .. .. .. .. .. .. smtpd
    -o syslog_name=postfix/frontend-outbound
    -o smtpd_upstream_proxy_protocol=

There's probably a setting that I'm overlooking but this
should cover most of it.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
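
The loop-detection rules described in this thread, applied to the two-instance layout above, as an added example that is not part of the original post or of Postfix. It is a simplified model: the function names, the ports 10025 and 10026 (standing in for backend-inbound-port and frontend-outbound-port) and the address 192.0.2.25 are constructed, and the receiver is assumed to announce its $myhostname in the EHLO response.

```python
import re

LOOPBACK = {"127.0.0.1", "::1"}
# Values used when a parameter is absent from main.cf.
DEFAULTS = {"inet_interfaces": "all", "proxy_interfaces": ""}


def parse_main_cf(text):
    """Parse main.cf-style text into {parameter: value}.

    Lines starting with '#' are comments; a line that starts with
    whitespace continues the previous parameter's value.
    """
    params, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + stripped).strip()
        else:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params


def parse_nexthop(value, has_transport=False):
    """Split '[host]:port' (or 'transport:[host]:port') into (host, port).

    Handles hostnames and IPv4 literals only.
    """
    if has_transport:
        value = value.split(":", 1)[1]
    m = re.fullmatch(r"\[?([^\[\]:]+)\]?(?::(\d+))?", value.strip())
    if m is None:
        raise ValueError(f"unsupported next-hop syntax: {value!r}")
    return m.group(1), int(m.group(2) or 25)  # no port means port 25


def own_addresses(cf):
    """Addresses an instance treats as its own: inet_interfaces + proxy_interfaces."""
    own = set()
    for name, default in DEFAULTS.items():
        for item in re.split(r"[,\s]+", cf.get(name, default)):
            if item in ("all", "loopback-only"):
                own |= LOOPBACK  # loopback is a local address in both cases
            elif item:
                own.add(item)
    return own


def loop_reasons(sender_cf, nexthop, receiver_cf, has_transport=False):
    """Reasons the sender's SMTP client would log 'loops back to myself'."""
    host, port = parse_nexthop(nexthop, has_transport)
    if port != 25:
        return []  # per the thread: loop checks apply only when relaying to port 25
    reasons = []
    if host in own_addresses(sender_cf):
        reasons.append(f"next hop {host} is one of the sender's own addresses")
    sender_name = sender_cf.get("myhostname", "").lower()
    if sender_name == receiver_cf.get("myhostname", "").lower():
        reasons.append("receiver's EHLO name equals the sender's myhostname")
    return reasons


# Constructed sample configs following the layout in the message above.
BACKEND = parse_main_cf("""\
mydestination = example.com localhost
    backend.example.com frontend.example.com
# Use a distinct MTA name to avoid name-based loop detection.
myhostname = backend.example.com
relayhost = [127.0.0.1]:10026
inet_interfaces = 127.0.0.1
""")

FRONTEND = parse_main_cf("""\
myhostname = frontend.example.com
relay_domains = example.com localhost
transport_maps = hash:/etc/postfix-frontend/transport
mydestination =
proxy_interfaces = 192.0.2.25
inet_interfaces = 127.0.0.1
""")

# Right-hand side of one entry in the frontend transport table.
FRONTEND_TRANSPORT = "relay:[127.0.0.1]:10025"

if __name__ == "__main__":
    print("backend -> frontend:", loop_reasons(BACKEND, BACKEND["relayhost"], FRONTEND))
    print("frontend -> backend:",
          loop_reasons(FRONTEND, FRONTEND_TRANSPORT, BACKEND, has_transport=True))
    # Misconfiguration: relay over port 25 to a local address.
    broken = dict(BACKEND, relayhost="[127.0.0.1]")
    print("backend on port 25:", loop_reasons(broken, broken["relayhost"], FRONTEND))
```
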


[pfx] Re: Frustrated and sad - Authentication required

2024-05-31 Thread Mailman29 via Postfix-users


I thought that may be right, but if I comment out the "inet_interfaces" it 
fails to take mail from the main server for outbound delivery. 




On Friday, May 31st, 2024 at 1:32 PM, Wietse Venema via Postfix-users 
 wrote:

> Mailman29 via Postfix-users:
> 
> > I have changed the $myhostname string and it still says it loops
> > back to myself. Port 25 must be forwarded for incoming mail. Postfix
> > isn't supposed to be listening to any ports. In fact, I only have
> > smtpd enabled, and not smtp. This is very confusing. :(
> 
> 
> To inform the Postfix SMTP client that this Postfix instance does
> not receive mail from the network, specify:
> 
> main.cf:
> inet_interfaces =
> 
> This change requires "postfix reload".
> 
> We're solving this one micro step at a time, because there
> are no clear design and requirements.
> 
> Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-31 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> I have changed the $myhostname string and it still says it loops
> back to myself. Port 25 must be forwarded for incoming mail. Postfix
> isn't supposed to be listening to any ports. In fact, I only have
> smtpd enabled, and not smtp. This is very confusing. :(

To inform the Postfix SMTP client that this Postfix instance does
not receive mail from the network, specify:

main.cf:
inet_interfaces =

This change requires "postfix reload".

We're solving this one micro step at a time, because there
are no clear design and requirements.

Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-31 Thread Mailman29 via Postfix-users
I have changed the $myhostname string and it still says it loops back to 
myself. Port 25 must be forwarded for incoming mail. Postfix isn't supposed to 
be listening to any ports. In fact, I only have smtpd enabled, and not smtp. 
This is very confusing. :(





On Friday, May 31st, 2024 at 2:45 AM, Viktor Dukhovni via Postfix-users 
 wrote:

> On Fri, May 31, 2024 at 12:33:34AM +, Mailman29 via Postfix-users wrote:
> 
> > Yeah, so even changing the domain name on the server (Ubuntu) itself
> > doesn't fix the issue. It must be ip based. Since the proxy and
> > Postfix share an IP address, Postfix will always think it's looping
> > back to itself. Is that correct?
> 
> 
> The Postfix SMTP client checks for its own IP address, and its own
> hostname in the EHLO response only when relaying to port 25, on other
> ports the loop checks are suppressed.
> 
> If you must forward via port 25, you need to ensure that the remote IP
> is not listed in "inet_interfaces" and the hostname in the remote EHLO
> response is not the same as $myhostname.
> 
> --
> Viktor.


[pfx] Re: Frustrated and sad - Authentication required

2024-05-31 Thread Viktor Dukhovni via Postfix-users
On Fri, May 31, 2024 at 12:33:34AM +, Mailman29 via Postfix-users wrote:

> Yeah, so even changing the domain name on the server (Ubuntu) itself
> doesn't fix the issue. It must be ip based. Since the proxy and
> Postfix share an IP address, Postfix will always think it's looping
> back to itself. Is that correct? 

The Postfix SMTP client checks for its own IP address, and its own
hostname in the EHLO response only when relaying to port 25, on other
ports the loop checks are suppressed.

If you must forward via port 25, you need to ensure that the remote IP
is not listed in "inet_interfaces" and the hostname in the remote EHLO
response is not the same as $myhostname.

-- 
Viktor.


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Mailman29 via Postfix-users
Yeah, so even changing the domain name on the server (Ubuntu) itself doesn't 
fix the issue. It must be ip based. Since the proxy and Postfix share an IP 
address, Postfix will always think it's looping back to itself. Is that 
correct? 





On Thursday, May 30th, 2024 at 5:55 PM, Wietse Venema via Postfix-users 
 wrote:

> Mailman29 via Postfix-users:
> 
> > Have a good pub visit.
> > Changing the "myhostname" line in postfix has zero effect. It still says 
> > "loops back to myself" :(
> 
> 
> Having a problem? https://www.postfix.org/DEBUG_README.html#mail
> 
> Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> Have a good pub visit. 
> Changing the "myhostname" line in postfix has zero effect. It still says 
> "loops back to myself" :(

Having a problem?  https://www.postfix.org/DEBUG_README.html#mail

Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Mailman29 via Postfix-users
Have a good pub visit. 
Changing the "myhostname" line in postfix has zero effect. It still says "loops 
back to myself" :(





On Thursday, May 30th, 2024 at 4:07 PM, Wietse Venema via Postfix-users 
 wrote:

> Mailman29 via Postfix-users:
> 
> > The network diagram you have is correct. I'm afraid I don't
> > understand the "use loopback for internal communication". There's
> > no internal communication. Should I just put 127.0.0.1 in my main.cf
> > in place of "mail2"?
> 
> 
> - External: communication from internet to haproxy.
> 
> - Internal: communication between haproxy and front-end MTA.
> 
> - Internal: communication between front-end MTA and back-end MTA.
> 
> The internal communication endpoints are supposed to be hidden from
> the public internet, so that mail from outside can only flow over
> the intended path, not around it.
> 
> It's time to go to the pub. Cheers.
> 
> Wietse
> 
> > On Thursday, May 30th, 2024 at 3:39 PM, Wietse Venema via Postfix-users 
> > postfix-users@postfix.org wrote:
> > 
> > > Mailman29 via Postfix-users:
> > > 
> > > > myhostname is set to "mail2" in main.cf, but the mx record points
> > > > to mail.somedomain.com, (they share the same IP though) would it
> > > > be doing an ip lookup first? I guess I need to "trick" it into
> > > > thinking it's not the same if it's IP based.
> > > 
> > > Postfix requires transport_maps to forward mail from a front-end
> > > MTA to a backend MTA. Other approaches are not supported.
> > > 
> > > Based on your earlier description I expect something like:
> > > 
> > > public IP address, port 25: haproxy ->
> > > 
> > > hidden port or address: frontend MTA with transport_maps ->
> > > 
> > > hidden port or address: backend MTA
> > > 
> > > If all this runs on a single host, and you use loopback (127.0.0.1)
> > > for internal communication, then Postfix won't care whether servers
> > > use the same MTA name.
> > > 
> > > If you use a non-routable network such as 10.* or 192.168.* for
> > > internal communication, then you will need distinct MTA names.
> > > 
> > > However, for sanity's sake, I'd always recommend that different MTA
> > > instances identify themselves with different names. Otherwise your
> > > logging will be incomprehensible.
> > > 
> > > Wietse
> > > 
> > > > On Thursday, May 30th, 2024 at 2:34 PM, Wietse Venema via Postfix-users 
> > > > postfix-users@postfix.org wrote:
> > > > 
> > > > > Mailman29 via Postfix-users:
> > > > > 
> > > > > > Well the logs say this, which doesn't help.
> > > > > > May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> > > > > > to=prvs=1880817b8e=myem...@somedomain.com, relay=none, delay=5.2,
> > > > > > delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> > > > > > loops back to myself)
> > > > > 
> > > > > On the contrary, it says that you have configured a mailer loop,
> > > > > or that you have two different mail services that use the same MTA
> > > > > name (in Postfix parlance, the MTA name is the myhostname setting).
> > > > > 
> > > > > > The domain and the postfix server do share the same IP (haproxy
> > > > > > server), but if Postfix would deliver the bounce message it would
> > > > > > get passed through the proxy to the mail server backend. Is there
> > > > > > a way to force this?
> > > > > 
> > > > > 1) If the Postfix machine is a front-end for a backend server, then
> > > > > Postfix must be configured as a mail gateway, and there should be
> > > > > a transport_maps setting that routes mail for the domain to the
> > > > > backend instead of sending it to the public internet address. See
> > > > > https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> > > > > 
> > > > > 2) If your Postfix server is behind an inbound proxy server, then
> > > > > you MUST specify the external address with main.cf:proxy_interfaces,
> > > > > so that Postfix will know that it should not try to connect there.
> > > > > https://www.postfix.org/postconf.5.html#proxy_interfaces
> > > > > 
> > > > > 3) If you really have more than one mail server, then they must
> > > > > have different MTA names (In Postfix parlance the MTA name is the
> > > > > myhostname setting).
> > > > > 
> > > > > Wietse
> > > > > 
> > > > > > On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via 
> > > > > > Postfix-users postfix-users@postfix.org wrote:
> > > > > > 
> > > > > > > Mailman29:
> > > > > > > 
> > > > > > > > Brilliant! I had a loop with haproxy that pointed it back at my 
> > > > > > > > mail server!
> > > > > > > > 
> > > > > > > > Now, how do I get postfix to send failures etc to my server? It
> > > > > > > > seems they just disappear into the ether!
> > > > > > > 
> > > > > > > Look in your logs: 
> > > > > > > https://www.postfix.org/DEBUG_README.html#logging
> > > > > > > 
> > > > > > > If you don't understand an error or warning message, report the
> > > > > > > problem on the postfix-users mailing list.
> > > > > > > 
>

[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> 
> 
> The network diagram you have is correct. I'm afraid I don't
> understand the "use loopback for internal communication". There's
> no internal communication. Should I just put 127.0.0.1 in my main.cf
> in place of "mail2"?

- External: communication from internet to haproxy.

- Internal: communication between haproxy and front-end MTA.

- Internal: communication between front-end MTA and back-end MTA.

The internal communication endpoints are supposed to be hidden from
the public internet, so that mail from outside can only flow over
the intended path, not around it.

It's time to go to the pub. Cheers.

Wietse

> On Thursday, May 30th, 2024 at 3:39 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> > Mailman29 via Postfix-users:
> > 
> > > myhostname is set to "mail2" in main.cf, but the mx record points
> > > to mail.somedomain.com, (they share the same IP though) would it
> > > be doing an ip lookup first? I guess I need to "trick" it into
> > > thinking it's not the same if it's IP based.
> > 
> > 
> > Postfix requires transport_maps to forward mail from a front-end
> > MTA to a backend MTA. Other approaches are not supported.
> > 
> > Based on your earlier description I expect something like:
> > 
> > public IP address, port 25: haproxy ->
> > 
> > 
> > hidden port or address: frontend MTA with transport_maps ->
> > 
> > 
> > hidden port or address: backend MTA
> > 
> > If all this runs on a single host, and you use loopback (127.0.0.1)
> > for internal communication, then Postfix won't care whether servers
> > use the same MTA name.
> > 
> > If you use a non-routable network such as 10.* or 192.168.* for
> > internal communication, then you will need distinct MTA names.
> > 
> > However, for sanity's sake, I'd always recommend that different MTA
> > instances identify themselves with different names. Otherwise your
> > logging will be incomprehensible.
> > 
> > Wietse
> > 
> > > On Thursday, May 30th, 2024 at 2:34 PM, Wietse Venema via Postfix-users 
> > > postfix-users@postfix.org wrote:
> > > 
> > > > Mailman29 via Postfix-users:
> > > > 
> > > > > Well the logs say this, which doesn't help.
> > > > > May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> > > > > to=prvs=1880817b8e=myem...@somedomain.com, relay=none, delay=5.2,
> > > > > delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> > > > > loops back to myself)
> > > > 
> > > > On the contrary, it says that you have configured a mailer loop,
> > > > or that you have two different mail services that use the same MTA
> > > > name (in Postfix parlance, the MTA name is the myhostname setting).
> > > > 
> > > > > The domain and the postfix server do share the same IP (haproxy
> > > > > server), but if Postfix would deliver the bounce message it would
> > > > > get passed through the proxy to the mail server backend. Is there
> > > > > a way to force this?
> > > > 
> > > > 1) If the Postfix machine is a front-end for a backend server, then
> > > > Postfix must be configured as a mail gateway, and there should be
> > > > a transport_maps setting that routes mail for the domain to the
> > > > backend instead of sending it to the public internet address. See
> > > > https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> > > > 
> > > > 2) If your Postfix server is behind an inbound proxy server, then
> > > > you MUST specify the external address with main.cf:proxy_interfaces,
> > > > so that Postfix will know that it should not try to connect there.
> > > > https://www.postfix.org/postconf.5.html#proxy_interfaces
> > > > 
> > > > 3) If you really have more than one mail server, then they must
> > > > have different MTA names (In Postfix parlance the MTA name is the
> > > > myhostname setting).
> > > > 
> > > > Wietse
> > > > 
> > > > > On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via 
> > > > > Postfix-users postfix-users@postfix.org wrote:
> > > > > 
> > > > > > Mailman29:
> > > > > > 
> > > > > > > Brilliant! I had a loop with haproxy that pointed it back at my 
> > > > > > > mail server!
> > > > > > > 
> > > > > > > Now, how do I get postfix to send failures etc to my server? It
> > > > > > > seems they just disappear into the ether!
> > > > > > 
> > > > > > Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> > > > > > 
> > > > > > If you don't understand an error or warning message, report the
> > > > > > problem on the postfix-users mailing list.
> > > > > > 
> > > > > > Wietse
> > > > > > 
> > > > > > > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via 
> > > > > > > Postfix-users postfix-users@postfix.org wrote:
> > > > > > > 
> > > > > > > > Mailman29 via Postfix-users:
> > > > > > > > 
> > > > > > > > > HI guys.
> > > > > > > > > I'm having an awful time getting postfix to work in one form 
> > > > > > > > > only.
> > > >

[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Mailman29 via Postfix-users



The network diagram you have is correct. I'm afraid I don't understand the "use 
loopback for internal communication". There's no internal communication. Should 
I just put 127.0.0.1 in my main.cf in place of "mail2"?



On Thursday, May 30th, 2024 at 3:39 PM, Wietse Venema via Postfix-users 
 wrote:

> Mailman29 via Postfix-users:
> 
> > myhostname is set to "mail2" in main.cf, but the mx record points
> > to mail.somedomain.com, (they share the same IP though) would it
> > be doing an ip lookup first? I guess I need to "trick" it into
> > thinking it's not the same if it's IP based.
> 
> 
> Postfix requires transport_maps to forward mail from a front-end
> MTA to a backend MTA. Other approaches are not supported.
> 
> Based on your earlier description I expect something like:
> 
> public IP address, port 25: haproxy ->
> 
> 
> hidden port or address: frontend MTA with transport_maps ->
> 
> 
> hidden port or address: backend MTA
> 
> If all this runs on a single host, and you use loopback (127.0.0.1)
> for internal communication, then Postfix won't care whether servers
> use the same MTA name.
> 
> If you use a non-routable network such as 10.* or 192.168.* for
> internal communication, then you will need distinct MTA names.
> 
> However, for sanity's sake, I'd always recommend that different MTA
> instances identify themselves with different names. Otherwise your
> logging will be incomprehensible.
> 
> Wietse
> 
> > On Thursday, May 30th, 2024 at 2:34 PM, Wietse Venema via Postfix-users 
> > postfix-users@postfix.org wrote:
> > 
> > > Mailman29 via Postfix-users:
> > > 
> > > > Well the logs say this, which doesn't help.
> > > > May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> > > > to=prvs=1880817b8e=myem...@somedomain.com, relay=none, delay=5.2,
> > > > delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> > > > loops back to myself)
> > > 
> > > On the contrary, it says that you have configured a mailer loop,
> > > or that you have two different mail services that use the same MTA
> > > name (in Postfix parlance, the MTA name is the myhostname setting).
> > > 
> > > > The domain and the postfix server do share the same IP (haproxy
> > > > server), but if Postfix would deliver the bounce message it would
> > > > get passed through the proxy to the mail server backend. Is there
> > > > a way to force this?
> > > 
> > > 1) If the Postfix machine is a front-end for a backend server, then
> > > Postfix must be configured as a mail gateway, and there should be
> > > a transport_maps setting that routes mail for the domain to the
> > > backend instead of sending it to the public internet address. See
> > > https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> > > 
> > > 2) If your Postfix server is behind an inbound proxy server, then
> > > you MUST specify the external address with main.cf:proxy_interfaces,
> > > so that Postfix will know that it should not try to connect there.
> > > https://www.postfix.org/postconf.5.html#proxy_interfaces
> > > 
> > > 3) If you really have more than one mail server, then they must
> > > have different MTA names (In Postfix parlance the MTA name is the
> > > myhostname setting).
> > > 
> > > Wietse
> > > 
> > > > On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via Postfix-users 
> > > > postfix-users@postfix.org wrote:
> > > > 
> > > > > Mailman29:
> > > > > 
> > > > > > Brilliant! I had a loop with haproxy that pointed it back at my 
> > > > > > mail server!
> > > > > > 
> > > > > > Now, how do I get postfix to send failures etc to my server? It
> > > > > > seems they just disappear into the ether!
> > > > > 
> > > > > Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> > > > > 
> > > > > If you don't understand an error or warning message, report the
> > > > > problem on the postfix-users mailing list.
> > > > > 
> > > > > Wietse
> > > > > 
> > > > > > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via 
> > > > > > Postfix-users postfix-users@postfix.org wrote:
> > > > > > 
> > > > > > > Mailman29 via Postfix-users:
> > > > > > > 
> > > > > > > > HI guys.
> > > > > > > > I'm having an awful time getting postfix to work in one form 
> > > > > > > > only.
> > > > > > > > Accept mail from one ip address only, regardless of the sender's
> > > > > > > > domain name, and send it out to the recipients. Postfix has no
> > > > > > > > accounts, and accepts no incoming mail. It's only for sending 
> > > > > > > > from
> > > > > > > > my local server.
> > > > > > > > 
> > > > > > > > Here's my main.cf, as you can see I have it set up to accept 
> > > > > > > > mail
> > > > > > > > from my IP address only, but every time I try to send mail 
> > > > > > > > through
> > > > > > > > it I get the error : (somedomain.com is placeholder for my FQDN)
> > > > > > > > 
> > > > > > > > --> EHLO mail!
> > > > > > > > <-

[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> myhostname is set to "mail2" in main.cf, but the mx record points
> to mail.somedomain.com, (they share the same IP though) would it
> be doing an ip lookup first? I guess I need to "trick" it into
> thinking it's not the same if it's IP based.

Postfix requires transport_maps to forward mail from a front-end
MTA to a backend MTA. Other approaches are not supported.

Based on your earlier description I expect something like:

public IP address, port 25: haproxy -> 

hidden port or address: frontend MTA with transport_maps -> 

hidden port or address: backend MTA

If all this runs on a single host, and you use loopback (127.0.0.1)
for internal communication, then Postfix won't care whether servers
use the same MTA name.

If you use a non-routable network such as 10.* or 192.168.* for
internal communication, then you will need distinct MTA names.

However, for sanity's sake, I'd always recommend that different MTA
instances identify themselves with different names. Otherwise your
logging will be incomprehensible.

Wietse

> On Thursday, May 30th, 2024 at 2:34 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> > Mailman29 via Postfix-users:
> > 
> > > Well the logs say this, which doesn't help.
> > > May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> > > to=prvs=1880817b8e=myem...@somedomain.com, relay=none, delay=5.2,
> > > delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> > > loops back to myself)
> > 
> > On the contrary, it says that you have configured a mailer loop,
> > or that you have two different mail services that use the same MTA
> > name (in Postfix parlance, the MTA name is the myhostname setting).
> > 
> > > The domain and the postfix server do share the same IP (haproxy
> > > server), but if Postfix would deliver the bounce message it would
> > > get passed through the proxy to the mail server backend. Is there
> > > a way to force this?
> > 
> > 1) If the Postfix machine is a front-end for a backend server, then
> > Postfix must be configured as a mail gateway, and there should be
> > a transport_maps setting that routes mail for the domain to the
> > backend instead of sending it to the public internet address. See
> > https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> > 
> > 2) If your Postfix server is behind an inbound proxy server, then
> > you MUST specify the external address with main.cf:proxy_interfaces,
> > so that Postfix will know that it should not try to connect there.
> > https://www.postfix.org/postconf.5.html#proxy_interfaces
> > 
> > 3) If you really have more than one mail server, then they must
> > have different MTA names (In Postfix parlance the MTA name is the
> > myhostname setting).
> > 
> > Wietse
> > 
> > > On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via Postfix-users 
> > > postfix-users@postfix.org wrote:
> > > 
> > > > Mailman29:
> > > > 
> > > > > Brilliant! I had a loop with haproxy that pointed it back at my mail 
> > > > > server!
> > > > > 
> > > > > Now, how do I get postfix to send failures etc to my server? It
> > > > > seems they just disappear into the ether!
> > > > 
> > > > Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> > > > 
> > > > If you don't understand an error or warning message, report the
> > > > problem on the postfix-users mailing list.
> > > > 
> > > > Wietse
> > > > 
> > > > > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via 
> > > > > Postfix-users postfix-users@postfix.org wrote:
> > > > > 
> > > > > > Mailman29 via Postfix-users:
> > > > > > 
> > > > > > > HI guys.
> > > > > > > I'm having an awful time getting postfix to work in one form only.
> > > > > > > Accept mail from one ip address only, regardless of the sender's
> > > > > > > domain name, and send it out to the recipients. Postfix has no
> > > > > > > accounts, and accepts no incoming mail. It's only for sending from
> > > > > > > my local server.
> > > > > > > 
> > > > > > > Here's my main.cf, as you can see I have it set up to accept mail
> > > > > > > from my IP address only, but every time I try to send mail through
> > > > > > > it I get the error : (somedomain.com is placeholder for my FQDN)
> > > > > > > 
> > > > > > > --> EHLO mail!
> > > > > > > <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to 
> > > > > > > meet you
> > > > > > 
> > > > > > THAT IS NOT Postfix. You can tweak settings and it will have no
> > > > > > effect, because you are not talking to Postfix.
> > > > > > 
> > > > > > I suggest that you look in the maillog file to find out what
> > > > > > program is answering the connection.
> > > > > > 
> > > > > > Wietse
> > > > 
> > > > 

[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Mailman29 via Postfix-users
myhostname is set to "mail2" in main.cf, but the mx record points to 
mail.somedomain.com, (they share the same IP though) would it be doing an ip 
lookup first? I guess I need to "trick" it into thinking it's not the same if 
it's IP based. 






On Thursday, May 30th, 2024 at 2:34 PM, Wietse Venema via Postfix-users 
 wrote:

> Mailman29 via Postfix-users:
> 
> > Well the logs say this, which doesn't help.
> > May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> > to=prvs=1880817b8e=myem...@somedomain.com, relay=none, delay=5.2,
> > delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> > loops back to myself)
> 
> 
> On the contrary, it says that you have configured a mailer loop,
> or that you have two different mail services that use the same MTA
> name (in Postfix parlance, the MTA name is the myhostname setting).
> 
> > The domain and the postfix server do share the same IP (haproxy
> > server), but if Postfix would deliver the bounce message it would
> > get passed through the proxy to the mail server backend. Is there
> > a way to force this?
> 
> 
> 1) If the Postfix machine is a front-end for a backend server, then
> Postfix must be configured as a mail gateway, and there should be
> a transport_maps setting that routes mail for the domain to the
> backend instead of sending it to the public internet address. See
> https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> 
> 2) If your Postfix server is behind an inbound proxy server, then
> you MUST specify the external address with main.cf:proxy_interfaces,
> so that Postfix will know that it should not try to connect there.
> https://www.postfix.org/postconf.5.html#proxy_interfaces
> 
> 3) If you really have more than one mail server, then they must
> have different MTA names (in Postfix parlance the MTA name is the
> myhostname setting).
> 
> Wietse
> 
> > On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via Postfix-users 
> > postfix-users@postfix.org wrote:
> > 
> > > Mailman29:
> > > 
> > > > Brilliant! I had a loop with haproxy that pointed it back at my mail 
> > > > server!
> > > > 
> > > > Now, how do I get postfix to send failures etc to my server? It
> > > > seems they just disappear into the ether!
> > > 
> > > Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> > > 
> > > If you don't understand an error or warning message, report the
> > > problem on the postfix-users mailing list.
> > > 
> > > Wietse
> > > 
> > > > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via 
> > > > Postfix-users postfix-users@postfix.org wrote:
> > > > 
> > > > > Mailman29 via Postfix-users:
> > > > > 
> > > > > > > Hi guys.
> > > > > > > I'm having an awful time getting postfix to work in one form only.
> > > > > > > Accept mail from one ip address only, regardless of the sender's
> > > > > > > domain name, and send it out to the recipients. Postfix has no
> > > > > > > accounts, and accepts no incoming mail. It's only for sending from
> > > > > > > my local server.
> > > > > > >
> > > > > > > Here's my main.cf, as you can see I have it set up to accept mail
> > > > > > > from my IP address only, but every time I try to send mail through
> > > > > > > it I get the error: (somedomain.com is placeholder for my FQDN)
> > > > > > >
> > > > > > > --> EHLO mail!
> > > > > > > <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet you
> > > > > >
> > > > > > THAT IS NOT Postfix. You can tweak settings and it will have no effect,
> > > > > > because you are not talking to Postfix.
> > > > > >
> > > > > > I suggest that you look in the maillog file to find out what
> > > > > > program is answering the connection.
> > > > > 
> > > > > Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> Well the logs say this, which doesn't help. 
> May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> to=, relay=none, delay=5.2,
> delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> loops back to myself)

On the contrary, it says that you have configured a mailer loop,
or that you have two different mail services that use the same MTA
name (in Postfix parlance, the MTA name is the myhostname setting).

> The domain and the postfix server do share the same IP (haproxy
> server), but if Postfix would deliver the bounce message it would
> get passed through the proxy to the mail server backend. Is there
> a way to force this?

1) If the Postfix machine is a front-end for a backend server, then
Postfix must be configured as a mail gateway, and there should be
a transport_maps setting that routes mail for the domain to the
backend instead of sending it to the public internet address. See
https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

2) If your Postfix server is behind an inbound proxy server, then
you MUST specify the external address with main.cf:proxy_interfaces,
so that Postfix will know that it should not try to connect there.
https://www.postfix.org/postconf.5.html#proxy_interfaces

3) If you really have more than one mail server, then they must
have different MTA names (in Postfix parlance the MTA name is the
myhostname setting).

Wietse

> On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via Postfix-users wrote:
> 
> > Mailman29:
> > 
> > > Brilliant! I had a loop with haproxy that pointed it back at my mail 
> > > server!
> > > 
> > > Now, how do I get postfix to send failures etc to my server? It
> > > seems they just disappear into the ether!
> > 
> > 
> > Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> > 
> > If you don't understand an error or warning message, report the
> > problem on the postfix-users mailing list.
> > 
> > Wietse
> > 
> > > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via Postfix-users 
> > > postfix-users@postfix.org wrote:
> > > 
> > > > Mailman29 via Postfix-users:
> > > > 
> > > > > > Hi guys.
> > > > > > I'm having an awful time getting postfix to work in one form only.
> > > > > > Accept mail from one ip address only, regardless of the sender's
> > > > > > domain name, and send it out to the recipients. Postfix has no
> > > > > > accounts, and accepts no incoming mail. It's only for sending from
> > > > > > my local server.
> > > > > >
> > > > > > Here's my main.cf, as you can see I have it set up to accept mail
> > > > > > from my IP address only, but every time I try to send mail through
> > > > > > it I get the error: (somedomain.com is placeholder for my FQDN)
> > > > > >
> > > > > > --> EHLO mail!
> > > > > > <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet you
> > > > >
> > > > > THAT IS NOT Postfix. You can tweak settings and it will have no effect,
> > > > > because you are not talking to Postfix.
> > > > >
> > > > > I suggest that you look in the maillog file to find out what
> > > > > program is answering the connection.
> > > > 
> > > > Wietse
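
A triage script for the log entry discussed in this message, as an added example that is not part of the original thread: it parses Postfix delivery-status lines and counts "loops back to myself" bounces per domain, noting whether a relay was contacted. The sample log is constructed (real logs carry the recipient as to=<address>), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the first line follows the log entry quoted in the
# thread (recipient address made up); the other two are invented.
SAMPLE_LOG = """\
May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501: to=<user@somedomain.com>, relay=none, delay=5.2, delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com loops back to myself)
May 30 14:03:10 mail2 postfix/smtp[1390801]: 1A2B3C4D5E: to=<bob@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D6C5B)
May 30 14:05:44 mail2 postfix/smtp[1390812]: 6F7A8B9C0D: to=<postmaster@somedomain.com>, orig_to=<root>, relay=none, delay=0.3, delays=0.1/0/0.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com loops back to myself)
"""

# One Postfix delivery-status record: queue ID, recipient, relay, DSN, status.
DELIVERY = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s"
    r"postfix/(?P<agent>[\w-]+)\[\d+\]:\s(?P<qid>[0-9A-Za-z]+):\s"
    r"to=<(?P<rcpt>[^>]*)>,.*?\brelay=(?P<relay>[^,]+),.*?"
    r"\bdsn=(?P<dsn>\d\.\d+\.\d+),\sstatus=(?P<status>\S+)\s\((?P<reason>.*)\)$"
)
LOOP = re.compile(r"mail for (?P<domain>\S+) loops back to myself")

def parse_deliveries(text):
    """Return one dict per delivery-status line; other log lines are skipped."""
    return [m.groupdict() for m in map(DELIVERY.match, text.splitlines()) if m]

def loop_bounces(deliveries):
    """Per domain, count loop bounces, split by whether a relay was contacted."""
    counts = Counter()
    for d in deliveries:
        m = LOOP.search(d["reason"])
        if m and d["status"] == "bounced":
            counts[(m.group("domain"), d["relay"] != "none")] += 1
    return counts

def report(text):
    """One triage line per (domain, relay contacted) pair with loop bounces."""
    out = []
    for (domain, contacted), n in sorted(loop_bounces(parse_deliveries(text)).items()):
        relay = "contacted" if contacted else "none"
        out.append(f"{domain}: {n} loop bounce(s), relay {relay}; "
                   "check transport_maps, proxy_interfaces, myhostname")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```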


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Mailman29 via Postfix-users
Well the logs say this, which doesn't help.
May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501: 
to=, relay=none, delay=5.2, 
delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com loops back 
to myself)

The domain and the postfix server do share the same IP (haproxy server), but if 
Postfix would deliver the bounce message it would get passed through the proxy 
to the mail server backend. Is there a way to force this?


On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via Postfix-users wrote:

> Mailman29:
> 
> > Brilliant! I had a loop with haproxy that pointed it back at my mail server!
> > 
> > Now, how do I get postfix to send failures etc to my server? It
> > seems they just disappear into the ether!
> 
> 
> Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> 
> If you don't understand an error or warning message, report the
> problem on the postfix-users mailing list.
> 
> Wietse
> 
> > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via Postfix-users 
> > postfix-users@postfix.org wrote:
> > 
> > > Mailman29 via Postfix-users:
> > > 
> > > > > Hi guys.
> > > > > I'm having an awful time getting postfix to work in one form only.
> > > > > Accept mail from one ip address only, regardless of the sender's
> > > > > domain name, and send it out to the recipients. Postfix has no
> > > > > accounts, and accepts no incoming mail. It's only for sending from
> > > > > my local server.
> > > > >
> > > > > Here's my main.cf, as you can see I have it set up to accept mail
> > > > > from my IP address only, but every time I try to send mail through
> > > > > it I get the error: (somedomain.com is placeholder for my FQDN)
> > > > >
> > > > > --> EHLO mail!
> > > > > <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet you
> > > >
> > > > THAT IS NOT Postfix. You can tweak settings and it will have no effect,
> > > > because you are not talking to Postfix.
> > > >
> > > > I suggest that you look in the maillog file to find out what
> > > > program is answering the connection.
> > > 
> > > Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29:
> Brilliant! I had a loop with haproxy that pointed it back at my mail server! 
> 
> Now, how do I get postfix to send failures etc to my server? It
> seems they just disappear into the ether!

Look in your logs: https://www.postfix.org/DEBUG_README.html#logging

If you don't understand an error or warning message, report the
problem on the postfix-users mailing list.

Wietse

> On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via Postfix-users wrote:
> 
> > Mailman29 via Postfix-users:
> > 
> > > > Hi guys.
> > > > I'm having an awful time getting postfix to work in one form only.
> > > > Accept mail from one ip address only, regardless of the sender's
> > > > domain name, and send it out to the recipients. Postfix has no
> > > > accounts, and accepts no incoming mail. It's only for sending from
> > > > my local server.
> > > >
> > > > Here's my main.cf, as you can see I have it set up to accept mail
> > > > from my IP address only, but every time I try to send mail through
> > > > it I get the error: (somedomain.com is placeholder for my FQDN)
> > > >
> > > > --> EHLO mail!
> > > > <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet you
> > >
> > > THAT IS NOT Postfix. You can tweak settings and it will have no effect,
> > > because you are not talking to Postfix.
> > >
> > > I suggest that you look in the maillog file to find out what
> > > program is answering the connection.
> > 
> > Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> Hi guys.
> I'm having an awful time getting postfix to work in one form only.
> Accept mail from one ip address only, regardless of the sender's
> domain name, and send it out to the recipients. Postfix has no
> accounts, and accepts no incoming mail. It's only for sending from
> my local server.
>
> Here's my main.cf, as you can see I have it set up to accept mail
> from my IP address only, but every time I try to send mail through
> it I get the error: (somedomain.com is placeholder for my FQDN)
>
> --> EHLO mail!
> <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet you

THAT IS NOT Postfix. You can tweak settings and it will have no effect,
because you are not talking to Postfix.

I suggest that you look in the maillog file to find out what
program is answering the connection.

Wietse