Re: check_policy_service not working - need a 4eye method or..
On 2015-08-06 13:50, Istvan Prosinger wrote:
> Got it. I have made a small perl script as a service that would only return reject as a policy (that should have rendered most of the mailing impossible), and postfix was still mailing happily. Since I have recompiled Postfix from the source, it was out of the question that the process was faulty, so the only option is that Postfix couldn't connect to a local service. It was the firewall. The FORWARD chain was set to drop all, and the rest is history.. Thanks everyone for the extraordinary efforts.

@Wietse Regarding this one, is it possible to implement an error message in the log if it cannot connect to a service, like a policy service in this case? I guess any clue in the maillog would do.
Re: check_policy_service not working - need a 4eye method or..
Got it. I have made a small perl script as a service that would only return reject as a policy (that should have rendered most of the mailing impossible), and postfix was still mailing happily. Since I have recompiled Postfix from the source, it was out of the question that the process was faulty, so the only option is that Postfix couldn't connect to a local service. It was the firewall. The FORWARD chain was set to drop all, and the rest is history.. Thanks everyone for the extraordinary efforts.
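A rejecting test policy server of the kind described above, written here in Python rather than Perl as an added example (it is not the script from the post and not code from Postfix). It speaks the SMTPD policy delegation protocol from SMTPD_POLICY_README: every request is a block of name=value lines terminated by an empty line, and the reply is a single action= line followed by an empty line. Only the listener address 127.0.0.1:10031 is taken from the thread's check_policy_service setting; the reject text and everything else are assumptions.

```python
"""Minimal Postfix SMTPD policy server that rejects everything (added example).

Protocol (http://www.postfix.org/SMTPD_POLICY_README.html): the client sends
"name=value" lines ended by an empty line; the server answers "action=..."
followed by an empty line.  The default decision is a hard REJECT so that any
mail which still gets through proves Postfix never consulted this service.
"""
import socketserver

# Assumed reject text; any 5xx-class action text works for the test.
DEFAULT_ACTION = "REJECT policy test: this server rejects everything"


def parse_request(raw: str) -> dict:
    """Parse one policy request: "name=value" lines, blank-line terminated."""
    attrs = {}
    for line in raw.splitlines():
        if not line:            # empty line ends the request
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        attrs[name] = value
    return attrs


def decide(attrs: dict) -> str:
    """Return the action for a parsed request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"          # unknown request type: fall through to next restriction
    return DEFAULT_ACTION


def format_reply(action: str) -> str:
    """Wire format of the reply: one action line plus the terminating empty line."""
    return f"action={action}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # One connection can carry many requests; serve until the client closes.
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:    # client closed the connection
                    return
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            if not lines:
                continue
            attrs = parse_request("\n".join(lines) + "\n")
            self.wfile.write(format_reply(decide(attrs)).encode())
            self.wfile.flush()


if __name__ == "__main__":
    # Listener matching the thread's "check_policy_service inet:127.0.0.1:10031".
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler) as srv:
        srv.serve_forever()
```

Run it on the mail host, then send a message through smtpd: with the policy service actually consulted, every RCPT TO is answered with the REJECT text and the policy request shows up in this process; with nothing arriving here, the problem is between smtpd and the socket (a configuration override, or a connect failure that Postfix logs as a warning).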
Re: check_policy_service not working - need a 4eye method or..
Istvan Prosinger:
> On 2015-08-06 13:50, Istvan Prosinger wrote:
> > Got it. I have made a small perl script as a service that would only return reject as a policy (that should have rendered most of the mailing impossible), and postfix was still mailing happily. Since I have recompiled Postfix from the source, it was out of the question that the process was faulty, so the only option is that Postfix couldn't connect to a local service. It was the firewall. The FORWARD chain was set to drop all, and the rest is history.. Thanks everyone for the extraordinary efforts.
>
> @Wietse Regarding this one, is it possible to implement an error message in the log if it cannot connect to a service, like a policy service in this case? I guess any clue in the maillog would do.

The information is already in your logfiles. You just need to develop a clue to find it.

Postfix logs a WARNING when the connect() call fails, and it optionally logs an INFO message when the connect() call succeeds.

    fd = auto_clnt->connect(auto_clnt->endpoint, BLOCKING, auto_clnt->timeout);
    if (fd < 0) {
        msg_warn("connect to %s: %m", auto_clnt->endpoint);
    } else {
        if (msg_verbose)
            msg_info("%s: connected to %s", myname, auto_clnt->endpoint);
    }

	Wietse
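The connect() warning Wietse quotes is the line to look for. What follows is an added example (not from the thread and not Postfix code) that scans maillog lines for that warning against the thread's policy endpoint, classifies the errno text, and counts the 450 4.3.5 "Server configuration problem" temporary rejections that Postfix issues when the policy service cannot be reached. The log lines are constructed for the example; the exact layout of the 450 rejection line and of any other message format here is an assumption, only the "warning: connect to <endpoint>: <errno text>" shape comes from the msg_warn() call above.

```python
"""Scan maillog text for policy-service connect failures (added example)."""
import re

# The thread's check_policy_service inet:127.0.0.1:10031, as logged by auto_clnt.c.
POLICY_ENDPOINT = "127.0.0.1:10031"

# "connect to %s: %m" is the msg_warn() in util/auto_clnt.c quoted in the post.
CONNECT_WARNING = re.compile(
    r"postfix/(?P<proc>[\w/-]+)\[(?P<pid>\d+)\]: warning: connect to "
    r"(?P<endpoint>\S+): (?P<error>.+)$"
)
# Assumption: the temporary rejection Postfix returns when the policy service is
# unreachable carries "450 4.3.5 ... Server configuration problem".
CONFIG_PROBLEM = re.compile(r"450 4\.3\.5 .*Server configuration problem")

# Constructed sample log (not real data from the thread).
SAMPLE_LOG = """\
Aug  6 13:40:01 top postfix/smtpd[2143]: connect from unknown[203.0.113.5]
Aug  6 13:40:02 top postfix/smtpd[2143]: warning: connect to 127.0.0.1:10031: Connection refused
Aug  6 13:40:02 top postfix/smtpd[2143]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.3.5 <user@tesspot.com>: Recipient address rejected: Server configuration problem; from=<a@example.net> to=<user@tesspot.com> proto=ESMTP helo=<mx.example.net>
Aug  6 13:41:10 top postfix/smtpd[2143]: warning: connect to 127.0.0.1:10031: Connection timed out
Aug  6 13:42:00 top postfix/smtpd[2150]: connect from unknown[198.51.100.7]
Aug  6 13:42:01 top postfix/smtpd[2150]: 5A1B2C3D4E: client=unknown[198.51.100.7]
"""


def scan_policy_failures(log_text: str, endpoint: str = POLICY_ENDPOINT) -> dict:
    """Collect connect() warnings for `endpoint` and count policy tempfail rejects."""
    failures = []
    tempfails = 0
    for line in log_text.splitlines():
        m = CONNECT_WARNING.search(line)
        if m and m.group("endpoint") == endpoint:
            failures.append({"pid": m.group("pid"), "error": m.group("error")})
        elif CONFIG_PROBLEM.search(line):
            tempfails += 1
    return {"connect_failures": failures, "tempfail_rejects": tempfails}


def classify(error: str) -> str:
    """Map the errno text to what it usually means for a loopback policy socket."""
    e = error.lower()
    if "refused" in e:
        return "nothing listening on the endpoint (or an iptables REJECT rule)"
    if "timed out" in e:
        return "packets silently dropped (typical of an iptables DROP rule)"
    return "other connect error"


def verdict(report: dict) -> str:
    if not report["connect_failures"]:
        return "no policy connect failures logged"
    causes = sorted({classify(f["error"]) for f in report["connect_failures"]})
    return "policy service unreachable: " + "; ".join(causes)


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    rep = scan_policy_failures(text)
    print(verdict(rep))
    print(f"{len(rep['connect_failures'])} connect failures, "
          f"{rep['tempfail_rejects']} 4.3.5 tempfail rejects")
```

Pipe the real maillog into it (grep for the endpoint string first if the file is large). A non-empty list of connect failures without a matching number of 4.3.5 rejections is a strong hint that the service at that endpoint is not the one the accepted mail passed through, which is the master.cf override situation Viktor raises elsewhere in this thread.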
Re: check_policy_service not working - need a 4eye method or..
On 2015-08-03 16:16, Viktor Dukhovni wrote:
> On Mon, Aug 03, 2015 at 09:48:35AM -0400, Postfix User wrote:
> > On Mon, 03 Aug 2015 14:52:33 +0200, Istvan Prosinger stated:
> > > Yeah when I took the server for audit, Postfix was dead and couldn't start - the config file was (and still is) in a mess. Nevertheless, accepting SMTP is not the issue at this moment. The issue is that it seems to be disregarding the policy check. I have even precompiled it from source yesterday, thinking that it might be damaged, but no effect...
> >
> > I assume you have read everything at http://www.postfix.org/DEBUG_README.html#mail
> >
> > Might I suggest you provide output from the postfinger tool. This can be found at http://ftp.wl0.org/SOURCES/postfinger.
>
> Also post the output of:
>
>     ps -o pid,command -p $(pgrep -x master)
>
> along with the output of:
>
>     strings $command | grep /postfix
>
> where $command is the full pathname of the master executable reported running by ps. If you can examine the process environment via /proc or by other means, also report the value of the MAIL_CONFIG environment variable of the master process.

Here goes:

[root@top ~]# ./postfinger
postfinger - postfix configuration on Wed Aug 5 02:41:25 MDT 2015
version: 1.30

Warning: postfinger output may show private configuration information, such as ip addresses and/or domain names which you do not want to show to the public. If this is the case it is your responsibility to modify the output to hide this private information. [Remove this warning with the --nowarn option.]

--System Parameters--
mail_version = 3.0.2
hostname = top.tesspot.com
uname = Linux top.tesspot.com 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package: postfix-2.10.1-6.el7.x86_64

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id sleep 5
home_mailbox = Maildir/
inet_protocols = ipv4
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, top.tesspot.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

--master.cf--
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -
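The master.cf section of this postfinger output contains exactly the kind of override Viktor asked about: the smtps service sets smtpd_recipient_restrictions=permit_sasl_authenticated,reject, so mail submitted over smtps never reaches the check_policy_service lookup at RCPT time (smtpd_end_of_data_restrictions is not overridden there, so that lookup still applies). The checker below is an added example, not part of the thread and not a Postfix tool: it parses master.cf -o overrides and reports, per smtpd service, which restriction parameter no longer names the policy service. The master.cf text is constructed from the listing above, the main.cf values are the thread's postconf -n ones, and the endpoint string is compared literally.

```python
"""Find smtpd services whose -o overrides drop check_policy_service (added example)."""

# The relevant postconf -n values from the thread.
MAIN_CF = {
    "smtpd_recipient_restrictions":
        "check_policy_service inet:127.0.0.1:10031, permit_mynetworks, "
        "permit_sasl_authenticated, reject_unauth_destination",
    "smtpd_end_of_data_restrictions": "check_policy_service inet:127.0.0.1:10031",
}

# Constructed from the master.cf section of the postfinger output.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
"""


def parse_master_cf(text: str) -> list:
    """Return one dict per master.cf entry: name, type, command and its -o overrides."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Continuation line: "-o name=value" pairs for the preceding service.
            if not services:
                raise ValueError("continuation line before any service entry")
            toks = raw.split()
            for i, tok in enumerate(toks):
                if tok == "-o" and i + 1 < len(toks):
                    name, _, value = toks[i + 1].partition("=")
                    services[-1]["overrides"][name] = value
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"short master.cf entry: {raw!r}")
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "overrides": {}})
    return services


def effective(service: dict, param: str, main_cf: dict = MAIN_CF) -> str:
    """Value a service actually runs with: its -o override, else main.cf."""
    return service["overrides"].get(param, main_cf.get(param, ""))


def services_bypassing_policy(text: str, main_cf: dict = MAIN_CF,
                              endpoint: str = "inet:127.0.0.1:10031") -> list:
    """(service, parameter, effective value) for smtpd services that skip the policy lookup."""
    wanted = f"check_policy_service {endpoint}"
    bypass = []
    for svc in parse_master_cf(text):
        if svc["command"] != "smtpd":
            continue
        for param in ("smtpd_recipient_restrictions", "smtpd_end_of_data_restrictions"):
            value = effective(svc, param, main_cf)
            if wanted not in value:
                bypass.append((svc["name"], param, value))
    return bypass


if __name__ == "__main__":
    for name, param, value in services_bypassing_policy(MASTER_CF):
        print(f"{name}: {param} = {value!r} (no policy lookup)")
```

On a live system feed it the real file (`postconf -Mf` prints master.cf in the same one-option-per-continuation-line layout) and the real `postconf -n` values; any smtpd service it lists accepts mail without the RCPT-time or END-OF-DATA policy check, whatever main.cf says.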
Re: check_policy_service not working - need a 4eye method or..
Yeah when I took the server for audit, Postfix was dead and couldn't start - the config file was (and still is) in a mess. Nevertheless, accepting SMTP is not the issue at this moment. The issue is that it seems to be disregarding the policy check. I have even precompiled it from source yesterday, thinking that it might be damaged, but no effect...

On 2015-08-02 23:14, Viktor Dukhovni wrote:
> On Sun, Aug 02, 2015 at 10:53:35PM +0200, Istvan Prosinger wrote:
> > smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
> > smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
>
> With the above configuration, either you never accept any SMTP email, master.cf contains an override of smtpd_recipient_restrictions and smtpd_end_of_data_restrictions, or the policy service *is* used, whether you can convince yourself of that or not.
>
> > smtpd_tls_mandatory_ciphers = high
> > smtpd_tls_mandatory_protocols = SSLv3, TLSv1
> > smtpd_use_tls = yes
>
> Better:
>
>     smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
>     smtpd_tls_security_level = may
Re: check_policy_service not working - need a 4eye method or..
On Mon, 03 Aug 2015 14:52:33 +0200, Istvan Prosinger stated:
> Yeah when I took the server for audit, Postfix was dead and couldn't start - the config file was (and still is) in a mess. Nevertheless, accepting SMTP is not the issue at this moment. The issue is that it seems to be disregarding the policy check. I have even precompiled it from source yesterday, thinking that it might be damaged, but no effect...

I assume you have read everything at http://www.postfix.org/DEBUG_README.html#mail

Might I suggest you provide output from the postfinger tool. This can be found at http://ftp.wl0.org/SOURCES/postfinger.

-- 
Jerry
Re: check_policy_service not working - need a 4eye method or..
On Mon, Aug 03, 2015 at 09:48:35AM -0400, Postfix User wrote:
> On Mon, 03 Aug 2015 14:52:33 +0200, Istvan Prosinger stated:
> > Yeah when I took the server for audit, Postfix was dead and couldn't start - the config file was (and still is) in a mess. Nevertheless, accepting SMTP is not the issue at this moment. The issue is that it seems to be disregarding the policy check. I have even precompiled it from source yesterday, thinking that it might be damaged, but no effect...
>
> I assume you have read everything at http://www.postfix.org/DEBUG_README.html#mail
>
> Might I suggest you provide output from the postfinger tool. This can be found at http://ftp.wl0.org/SOURCES/postfinger.

Also post the output of:

    ps -o pid,command -p $(pgrep -x master)

along with the output of:

    strings $command | grep /postfix

where $command is the full pathname of the master executable reported running by ps. If you can examine the process environment via /proc or by other means, also report the value of the MAIL_CONFIG environment variable of the master process.

-- 
	Viktor.
Re: check_policy_service not working - need a 4eye method or..
On Sun, Aug 02, 2015 at 10:53:35PM +0200, Istvan Prosinger wrote:
> smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
> smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

With the above configuration, either you never accept any SMTP email, master.cf contains an override of smtpd_recipient_restrictions and smtpd_end_of_data_restrictions, or the policy service *is* used, whether you can convince yourself of that or not.

> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
> smtpd_use_tls = yes

Better:

    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_security_level = may

-- 
	Viktor.
Re: check_policy_service not working - need a 4eye method or..
Hi Viktor,

I think I have attached postconf -n at start (at least that was the master plan). Sorry if I missed it. Here goes, unaltered:

[root@top ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost, top.tesspot.com
mydomain = tesspot.com
myhostname = top.tesspot.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = no
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

On 7/31/2015 4:37 PM, Viktor Dukhovni wrote:
> On Fri, Jul 31, 2015 at 02:28:35PM +0200, Istvan Prosinger wrote:
> > On 2015-07-30 17:23, wie...@porcupine.org wrote:
> > > Istvan Prosinger:
> > > > Hello everyone, I have this in main.cf (It's actually an attempt to implement cluebringer/policyd)
> > > >
> > > > smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
>
> You say that's what it is set to, but show no hard evidence. Try:
>
>     postconf -n | mail -s "postconf -n output" your-email-address
>
> Then forward the body of that email to the list (as untouched as possible, do not rewrap lines, avoid Outlook and HTML, ...).
Re: check_policy_service not working - need a 4eye method or..
Istvan Prosinger:
> On 2015-07-30 17:23, wie...@porcupine.org wrote:
> > Istvan Prosinger:
> > > Hello everyone, I have this in main.cf (It's actually an attempt to implement cluebringer/policyd)
> > >
> > > smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
> > >
> > > For some reason Postfix is ignoring the 1st row (the check_policy_service one) - there's no trace in policyd log that postfix even tried to contact it, while it works fine when I telnet to it.
> >
> > Well maybe policyd is lying.
> >
> > 	Wietse
>
> I don't think so. I've tried to give false parameters here to Postfix that should produce an error in the maillog, but Postfix is all happy, carrying on...

What is the output from:

    find / -name main.cf

	Wietse
Re: check_policy_service not working - need a 4eye method or..
Istvan Prosinger:
> On 2015-07-30 17:23, wie...@porcupine.org wrote:
> > Istvan Prosinger:
> > > Hello everyone, I have this in main.cf (It's actually an attempt to implement cluebringer/policyd)
> > >
> > > smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
> > >
> > > For some reason Postfix is ignoring the 1st row (the check_policy_service one) - there's no trace in policyd log that postfix even tried to contact it, while it works fine when I telnet to it.
> >
> > Well maybe policyd is lying.
> >
> > 	Wietse
>
> I don't think so. I've tried to give false parameters here to Postfix that should produce an error in the maillog, but Postfix is all happy, carrying on...

What is the output from:

    find / -name main.cf

	Wietse

Yeah, thought of that one.

[root@top ~]# find / -name main.cf
/etc/postfix/main.cf
/usr/libexec/postfix/main.cf
Re: check_policy_service not working - need a 4eye method or..
On Fri, Jul 31, 2015 at 02:28:35PM +0200, Istvan Prosinger wrote:
> On 2015-07-30 17:23, wie...@porcupine.org wrote:
> > Istvan Prosinger:
> > > Hello everyone, I have this in main.cf (It's actually an attempt to implement cluebringer/policyd)
> > >
> > > smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

You say that's what it is set to, but show no hard evidence. Try:

    postconf -n | mail -s "postconf -n output" your-email-address

Then forward the body of that email to the list (as untouched as possible, do not rewrap lines, avoid Outlook and HTML, ...).

-- 
	Viktor.
Re: check_policy_service not working - need a 4eye method or..
On 2015-07-30 17:23, wie...@porcupine.org wrote:
> Istvan Prosinger:
> > Hello everyone, I have this in main.cf (It's actually an attempt to implement cluebringer/policyd)
> >
> > smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
> >
> > For some reason Postfix is ignoring the 1st row (the check_policy_service one) - there's no trace in policyd log that postfix even tried to contact it, while it works fine when I telnet to it.
>
> Well maybe policyd is lying.
>
> 	Wietse

I don't think so. I've tried to give false parameters here to Postfix that should produce an error in the maillog, but Postfix is all happy, carrying on...
Re: check_policy_service not working - need a 4eye method or..
On Fri, 31 Jul 2015 14:28:35 +0200 Istvan Prosinger ist...@prosinger.net wrote:
> I don't think so. I've tried to give false parameters here to Postfix that should produce an error in the maillog, but Postfix is all happy, carrying on...

What false parameters did you try? Share your conf with us.
Re: check_policy_service not working - need a 4eye method or..
Istvan Prosinger:
> Hello everyone, I have this in main.cf (It's actually an attempt to implement cluebringer/policyd)
>
> smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
>
> For some reason Postfix is ignoring the 1st row (the check_policy_service one) - there's no trace in policyd log that postfix even tried to contact it, while it works fine when I telnet to it.

Well maybe policyd is lying.

	Wietse