[pfx] Re: Understanding log entries

2024-02-11 Thread Wietse Venema via Postfix-users
Small edit for clarity.

Wietse

Doug Hardie via Postfix-users:
> Is there a way to configure postfix to drop the email if all the
> providers MTAs return a 5xx response?

We had a problem like that when some people wanted to make TLS
mandatory.  The solution was not to bounce mail when a server did
not offer working TLS, but instead to try alternate hosts and only
declare TLS failure when there were no more SMTP servers to try.

Quoting from 
https://www.postfix.org/postconf.5.html#default_delivery_status_filter

Note: the (smtp|lmtp)_delivery_status_filter is applied only
once per recipient: when delivery is successful, when delivery
is rejected with 5XX, or when there are no more alternate MX
or A destinations. Use smtp_reply_filter or lmtp_reply_filter
to inspect responses for all delivery attempts.

The idea then is to:

- Leave smtp_skip_5xx_greeting at its default, so that Postfix
  will internally map a 544 greeting into a soft 4.0.0 error status.

- Let Postfix try alternate hosts (up to smtp_mx_address_limit or
  smtp_mx_session_limit).

- Use smtp_delivery_status_filter to convert the status from the last
  connection attempt into a hard 5.0.0 error status, but only if that
  response has the expected form.

Untested example:

/etc/postfix/main.cf:
   smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter

/etc/postfix/smtp_dsn_filter:
   /^4(\.\d+\.\d+ IP=.+None.bad reputation.+)/ 5$1

This is a little tricky, because the search string differs from the
remote SMTP server response which has no 4.x.x status code. Postfix
generates that status code internally if the server reply does not
contain one, and prepends that generated code to the server's response.

If a server replies with a multiline response, Postfix will concatenate
the lines into one. Postfix does not respect server-side ASCII art.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Understanding log entries

2024-02-11 Thread Wietse Venema via Postfix-users
Doug Hardie via Postfix-users:
> Is there a way to configure postfix to drop the email if all the
> providers MTAs return a 5xx response?

We had a problem like that when some people wanted to make TLS
mandatory.  The solution was not to bounce mail when a server did
not offer working TLS, but instead to defer deliveries and only
declare TLS failure when there were no more SMTP servers to try.

Quoting from 
https://www.postfix.org/postconf.5.html#default_delivery_status_filter

Note: the (smtp|lmtp)_delivery_status_filter is applied only
once per recipient: when delivery is successful, when delivery
is rejected with 5XX, or when there are no more alternate MX
or A destinations. Use smtp_reply_filter or lmtp_reply_filter
to inspect responses for all delivery attempts.

The idea then is to:

- Leave smtp_skip_5xx_greeting at its default, so that Postfix
  will internally map a 544 greeting into a soft 4.0.0 error status.

- Let Postfix try alternate hosts (up to smtp_mx_address_limit or
  smtp_mx_session_limit).

- Use smtp_delivery_status_filter to convert the status from the last
  connection attempt into a hard 5.0.0 error status, but only if that
  response has the expected form.

Untested example:

/etc/postfix/main.cf:
   smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter

/etc/postfix/smtp_dsn_filter:
   /^4(\.\d+\.\d+ IP=.+None.bad reputation.+)/ 5$1

This is a little tricky, because the search string differs from the
remote SMTP server response which has no 4.x.x status code. Postfix
generates that status code internally if the server reply does not
contain one, and prepends that generated code to the server's response.

If a server replies with a multiline response, Postfix will concatenate
the lines into one. Postfix does not respect server-side ASCII art.

Wietse


[pfx] Re: Understanding log entries

2024-02-10 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 11, 2024 at 07:13:38PM +1300, Peter via Postfix-users wrote:

> Right, and further to that a 554 response at connection time is a rejection
> of the *connection*.  No attempt was ever made to send the *message*, so in
> a manner of speaking the message is still valid and a different connection
> might accept it (e.g. by attempting a different MX).  An MTA that wants to
> reject the message should wait until after the RCPT TO command to
> reject the actual message.

Rejection is equally valid after "MAIL FROM", since that is the start of
the "mail transaction".  The receiving system then can't log which
recipients did not get the message, but perhaps that's OK in some cases.

Bottom line the message can be rejected by rejecting:

- MAIL FROM
- RCPT TO (for each recipient)
- DATA
- END OF DATA (a.k.a. "dot").

With BDAT one can reject all the chunks after some first chunk that is
sufficient grounds to do that.  Because of PIPELINING, one needs to be
willing to receive and reject some subsequent chunks.

-- 
Viktor.


[pfx] Re: Understanding log entries

2024-02-10 Thread Peter via Postfix-users

On 11/02/24 13:51, Doug Hardie via Postfix-users wrote:

> If I am understanding correctly, that means that if I set
> smtp_skip_5xx_greeting to "no", then postfix would stop after the first 5xx
> and terminate the email.  That seems like it might open up some issues where
> a provider with multiple MTAs might have one in problem state, but the others
> working fine.  If postfix tried the problem MTA first, the email would never
> get delivered.


Right, and further to that a 554 response at connection time is a 
rejection of the *connection*.  No attempt was ever made to send the 
*message*, so in a manner of speaking the message is still valid and a 
different connection might accept it (e.g. by attempting a different 
MX).  An MTA that wants to reject the message should wait until 
after the RCPT TO command to reject the actual message.



Peter


[pfx] Re: Understanding log entries

2024-02-10 Thread Doug Hardie via Postfix-users
> On Feb 10, 2024, at 15:55, Wietse Venema via Postfix-users wrote:
> 
> Doug Hardie via Postfix-users:
>> I used Viktor's collate to trace a specific email handling.  There were a 
>> number of these entries.  However, I am only showing 2 of them:
>> 
> 
> This is host mx01.t-online.de[194.25.134.72]:
> 
>> Feb 10 03:15:40 mail postfix/smtp[60428]: 4TWjVT5qz7z2gF8w:
>> to=,
>> orig_to=,
>> relay=mx01.t-online.de[194.25.134.72]:25, delay=59371,
>> delays=59369/0.02/1.5/0, dsn=4.0.0, status=deferred (host
>> mx01.t-online.de[194.25.134.72] refused to talk to me: 554
>> IP=47.181.130.121 - None/bad reputation. Ask your postmaster for
>> help or to contact t...@rx.t-online.de for reset. (NOWL))
> 
> With "smtp_skip_5xx_greeting = yes" (the default) Postfix
> will skip to an alternate MX address.
> 
> And this is mx03.t-online.de[194.25.134.73]:
> 
>> Feb 10 03:20:21 mail postfix/smtp[60525]: 4TWjVT5qz7z2gF8w:
>> to=,
>> orig_to=,
>> relay=mx03.t-online.de[194.25.134.73]:25, delay=59652,
>> delays=59651/0/1.4/0, dsn=4.0.0, status=deferred (host
>> mx03.t-online.de[194.25.134.73] refused to talk to me: 554
>> IP=47.181.130.121 - None/bad reputation. Ask your postmaster for
>> help or to contact t...@rx.t-online.de for reset. (NOWL))
>> 
>> I am a bit confused as it appears that the receiving MTA is returning
>> a 554 and a 4.0.0 which appears inconsistent.  Obviously postfix
>> is using the temp failure as it continues to retry periodically.
>> From the text, it appears that this should be a permanent failure,
>> not temporary.  Is the receiving MTA confused or am I?
> 
> You can configure this to be permanent. But, as you see, even
> different MTAs of the same provider differ in their responses.

If I am understanding correctly, that means that if I set 
smtp_skip_5xx_greeting to "no", then postfix would stop after the first 5xx and 
terminate the email.  That seems like it might open up some issues where a 
provider with multiple MTAs might have one in problem state, but the others 
working fine.  If postfix tried the problem MTA first, the email would never 
get delivered.

Is there a way to configure postfix to drop the email if all the providers MTAs 
return a 5xx response?

-- Doug




[pfx] Re: Understanding log entries

2024-02-10 Thread Bill Cole via Postfix-users
On 2024-02-10 at 18:33:29 UTC-0500 (Sat, 10 Feb 2024 15:33:29 -0800)
Doug Hardie via Postfix-users 
is rumored to have said:

> I used Viktor's collate to trace a specific email handling.  There were a 
> number of these entries.  However, I am only showing 2 of them:
>
> Feb 10 03:15:40 mail postfix/smtp[60428]: 4TWjVT5qz7z2gF8w: 
> to=, 
> orig_to=, 
> relay=mx01.t-online.de[194.25.134.72]:25, delay=59371, 
> delays=59369/0.02/1.5/0, dsn=4.0.0, status=deferred (host 
> mx01.t-online.de[194.25.134.72] refused to talk to me: 554 IP=47.181.130.121 
> - None/bad reputation. Ask your postmaster for help or to contact 
> t...@rx.t-online.de for reset. (NOWL))
> Feb 10 03:20:21 mail postfix/smtp[60525]: 4TWjVT5qz7z2gF8w: 
> to=, 
> orig_to=, 
> relay=mx03.t-online.de[194.25.134.73]:25, delay=59652, delays=59651/0/1.4/0, 
> dsn=4.0.0, status=deferred (host mx03.t-online.de[194.25.134.73] refused to 
> talk to me: 554 IP=47.181.130.121 - None/bad reputation. Ask your postmaster 
> for help or to contact t...@rx.t-online.de for reset. (NOWL))
>
> I am a bit confused as it appears that the receiving MTA is returning a 554 
> and a 4.0.0

No, it is sending a 554 without an extended code instead of a connect greeting, 
which Postfix (reasonably) treats as a temporary failure in the scope of the 
specific message being tried.

> which appears inconsistent.  Obviously postfix is using the temp failure as 
> it continues to retry periodically.  From the text, it appears that this 
> should be a permanent failure, not temporary.  Is the receiving MTA confused 
> or am I?

It's a quirk of Telekom. They reject with 554 at connect when they dislike your 
IP. In my experience, the email address in the rejection message is responsive.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: Understanding log entries

2024-02-10 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> Doug Hardie via Postfix-users:
> > I used Viktor's collate to trace a specific email handling.  There were a 
> > number of these entries.  However, I am only showing 2 of them:
> > 
> 
> This is host mx01.t-online.de[194.25.134.72]:
> 
> > Feb 10 03:15:40 mail postfix/smtp[60428]: 4TWjVT5qz7z2gF8w:
> > to=,
> > orig_to=,
> > relay=mx01.t-online.de[194.25.134.72]:25, delay=59371,
> > delays=59369/0.02/1.5/0, dsn=4.0.0, status=deferred (host
> > mx01.t-online.de[194.25.134.72] refused to talk to me: 554
> > IP=47.181.130.121 - None/bad reputation. Ask your postmaster for
> > help or to contact t...@rx.t-online.de for reset. (NOWL))
> 
> With "smtp_skip_5xx_greeting = yes" (the default) Postfix
> will skip to an alternate MX address.

Oh, and it is Postfix that does the remapping to dsn=4.0.0.

Wietse
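
To find this pattern in your own logs, the added example below (not code from any poster or from Postfix) parses postfix/smtp delivery lines and lists, per queue ID, the relays whose 5xx greeting Postfix logged as a soft dsn=4.x.x. The sample joins the thread's two entries onto one line each; the recipient addresses and the third line are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's two log entries, one per line, with a
# placeholder recipient (the archive stripped it), plus a constructed "sent" line.
SAMPLE_LOG = """\
Feb 10 03:15:40 mail postfix/smtp[60428]: 4TWjVT5qz7z2gF8w: to=<user@example.com>, relay=mx01.t-online.de[194.25.134.72]:25, delay=59371, delays=59369/0.02/1.5/0, dsn=4.0.0, status=deferred (host mx01.t-online.de[194.25.134.72] refused to talk to me: 554 IP=47.181.130.121 - None/bad reputation. Ask your postmaster for help or to contact t...@rx.t-online.de for reset. (NOWL))
Feb 10 03:20:21 mail postfix/smtp[60525]: 4TWjVT5qz7z2gF8w: to=<user@example.com>, relay=mx03.t-online.de[194.25.134.73]:25, delay=59652, delays=59651/0/1.4/0, dsn=4.0.0, status=deferred (host mx03.t-online.de[194.25.134.73] refused to talk to me: 554 IP=47.181.130.121 - None/bad reputation. Ask your postmaster for help or to contact t...@rx.t-online.de for reset. (NOWL))
Feb 10 03:21:00 mail postfix/smtp[60530]: 4TWjVU0000z0000a: to=<other@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ABC123)
"""

# One postfix/smtp delivery record: queue ID, relay, Postfix's DSN, status, text.
ENTRY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): .*?relay=(?P<relay>[^,]+), .*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<text>.*)\)$"
)
# The remote server's own reply code, sent in place of a 220 greeting.
GREETING = re.compile(r"refused to talk to me: (?P<code>\d{3})[ -]")


def parse(log):
    """Yield one dict per delivery attempt, with the remote greeting code if any."""
    for line in log.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        rec = m.groupdict()
        g = GREETING.search(rec["text"])
        rec["greeting_code"] = g.group("code") if g else None
        yield rec


def soft_deferred_on_5xx_greeting(log):
    """Map queue ID -> (relay, remote code, Postfix dsn) for 5xx greetings logged as 4.x.x."""
    hits = defaultdict(list)
    for rec in parse(log):
        code = rec["greeting_code"]
        soft = rec["status"] == "deferred" and rec["dsn"].startswith("4.")
        if soft and code and code.startswith("5"):
            hits[rec["qid"]].append((rec["relay"], code, rec["dsn"]))
    return dict(hits)


if __name__ == "__main__":
    for qid, attempts in soft_deferred_on_5xx_greeting(SAMPLE_LOG).items():
        for relay, code, dsn in attempts:
            print(f"{qid}: {relay} sent {code} at greeting, Postfix logged dsn={dsn}")
```
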


[pfx] Re: Understanding log entries

2024-02-10 Thread Wietse Venema via Postfix-users
Doug Hardie via Postfix-users:
> I used Viktor's collate to trace a specific email handling.  There were a 
> number of these entries.  However, I am only showing 2 of them:
> 

This is host mx01.t-online.de[194.25.134.72]:

> Feb 10 03:15:40 mail postfix/smtp[60428]: 4TWjVT5qz7z2gF8w:
> to=,
> orig_to=,
> relay=mx01.t-online.de[194.25.134.72]:25, delay=59371,
> delays=59369/0.02/1.5/0, dsn=4.0.0, status=deferred (host
> mx01.t-online.de[194.25.134.72] refused to talk to me: 554
> IP=47.181.130.121 - None/bad reputation. Ask your postmaster for
> help or to contact t...@rx.t-online.de for reset. (NOWL))

With "smtp_skip_5xx_greeting = yes" (the default) Postfix
will skip to an alternate MX address.

And this is mx03.t-online.de[194.25.134.73]:

> Feb 10 03:20:21 mail postfix/smtp[60525]: 4TWjVT5qz7z2gF8w:
> to=,
> orig_to=,
> relay=mx03.t-online.de[194.25.134.73]:25, delay=59652,
> delays=59651/0/1.4/0, dsn=4.0.0, status=deferred (host
> mx03.t-online.de[194.25.134.73] refused to talk to me: 554
> IP=47.181.130.121 - None/bad reputation. Ask your postmaster for
> help or to contact t...@rx.t-online.de for reset. (NOWL))
> 
> I am a bit confused as it appears that the receiving MTA is returning
> a 554 and a 4.0.0 which appears inconsistent.  Obviously postfix
> is using the temp failure as it continues to retry periodically.
> From the text, it appears that this should be a permanent failure,
> not temporary.  Is the receiving MTA confused or am I?

You can configure this to be permanent. But, as you see, even
different MTAs of the same provider differ in their responses.

Wietse