I don't know how many times now I have said this but I will say it again.
I have postfix set up to only listen on/use 127.0.0.1 *not* ::1.
And I am not using spamd, it listens on port 783. I am using spampd
which shows up as perl because it is written in perl and it listens on
10025.
Here is the proof:
new:/etc/postfix # netstat -putan |grep -e ^Active -e ^Proto -e 127\.0\.0\.1\: -e \:\:1\:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.1:631      0.0.0.0:*        LISTEN  2360/cupsd
tcp        0      0 127.0.0.1:783      0.0.0.0:*        LISTEN  2441/spamd
tcp        0      0 127.0.0.1:10024    0.0.0.0:*        LISTEN  5063/amavisd (maste
tcp        0      0 127.0.0.1:10025    0.0.0.0:*        LISTEN  13980/perl
tcp6       0      0 ::1:783            :::*             LISTEN  2441/spamd
tcp6       0      0 ::1:631            :::*             LISTEN  2360/cupsd
tcp6       0      0 ::1:10024          :::*             LISTEN  5063/amavisd (maste
udp        0      0 127.0.0.1:323      0.0.0.0:*                2399/chronyd
udp        0      0 127.0.0.1:659      0.0.0.0:*                2580/rpc.statd
udp6       0      0 ::1:323            :::*                     2399/chronyd
new:/etc/postfix #
So you said "Ideally you want to either configure postfix to never try
to connect to ::1 (but only connect to 127.0.0.1)".
That is what I want and I've been saying all along that that is how I
have it configured. Unless I'm totally not understanding something here...
-Curt
# postconf -n
alias_maps = lmdb:/etc/aliases
biff = no
canonical_maps = lmdb:/etc/postfix/canonical
command_directory = /usr/sbin
compatibility_level = 3.9
content_filter = scan:[127.0.0.1]:10025
daemon_directory = /usr/lib/postfix/bin/
data_directory = /var/lib/postfix
debug_peer_level = 2
debug_peer_list = 0.0.0.0/0
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
defer_transports =
delay_warning_time = 1h
disable_mime_output_conversion = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = <redacted>
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = $myhostname, localhost.$mydomain, $mydomain, www.$mydomain
mydomain = mydomain.com
myhostname = mydomain.com
mynetworks_style = host
myorigin = mydomain.com
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_clientcerts = lmdb:/etc/postfix/relay_ccerts
relay_domains = $mydestination lmdb:/etc/postfix/relay
relayhost =
relocated_maps = lmdb:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = lmdb:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_dns_support_level = enabled
smtp_enforce_tls = no
smtp_sasl_auth_enable = no
smtp_sasl_password_maps =
smtp_sasl_security_options =
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks,reject
smtpd_delay_reject = yes
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/discard_ehlo_keyword
smtpd_enforce_tls = no
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_tls_clientcerts, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = <redacted>
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = lmdb:/etc/postfix/access, check_sender_access lmdb:/etc/postfix/sender_access, check_sender_access regexp:/etc/postfix/sender_access_regex, reject_unknown_sender_domain, reject_unverified_sender
smtpd_tls_CAfile = /etc/mail/certs/CA.cert.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/mail/certs/MYServer.cert.pem
smtpd_tls_exclude_ciphers = RC4
smtpd_tls_key_file = /etc/mail/certs/MYServer.key.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level =
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = lmdb:/etc/postfix/transport
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_domains = lmdb:/etc/postfix/virtual
virtual_alias_maps = lmdb:/etc/postfix/virtual

On 6/28/24 23:27, Peter via Postfix-users wrote:
> On 29/06/24 15:16, Curtis J Blank via Postfix-users wrote:
> > Peter, my misunderstanding, sorry. This is what I discovered today
> > in my testing. I explicitly used 127.0.0.1 and not localhost or so I
> > thought, I explain that below.
> >
> > Back on topic. I did some more testing. This was the spampd options
> > used:
> >
> > SPAMPD_OPTIONS="--host=localhost:10025 --relayhost=localhost:10026 --user=vscan --tagall --children=5 --maxsize=7168 --homedir=/home/vscan"
> >
> > I changed it to:
> >
> > SPAMPD_OPTIONS="--host=127.0.0.1:10025 --relayhost=127.0.0.1:10026 --user=vscan --tagall --children=5 --maxsize=7168 --homedir=/home/vscan"
>
> This would work, kind of, but not the way that you think, see below.
>
> > There is no global
> >
> > mynetworks = something
> >
> > in main.cf.
>
> mynetworks is immaterial to this, it has nothing to do with this issue.
>
> > inet_protocols was set back to:
> >
> > inet_protocols = all
> >
> > And all works just fine. So, spampd set to use localhost when
> > everything in postfix was set to use 127.0.0.1 probably explains why
> > smtp thought spampd was trying to relay via a ::1 connection and
> > denied it.
>
> So the change you made to spamd changed it so that it no longer
> listens on ::1 but rather it now just listens on 127.0.0.1, before it
> was listening on both (being set to localhost). There is another
> setting which you have set to 127.0.0.1 which controls which
> connections spamd will accept mail from, this is not the same setting
> as the one you just changed.
>
> So before you had spamd listening on both 127.0.0.1 and on ::1 but
> only accepting mail from 127.0.0.1, so if postfix tried to connect
> from 127.0.0.1 spamd would be happy, but if postfix tried to connect
> from ::1 spamd would answer the connection (because it's listening),
> allow postfix to continue with the RCPT TO stage and then reject the
> message with a 454 relay access denied response, this causes Postfix
> to defer the connection and retry it at a later time, and when it
> retries there is a good chance it will try ::1 again. So Postfix sees
> a good connection but the spamd is deferring the message.
>
> So what is likely happening now is Postfix still attempts to connect
> to ::1 (because you didn't change the postfix settings in this regard)
> but spamd is no longer listening on ::1 so postfix cannot connect at
> all. Postfix seeing this then immediately tries to connect to
> 127.0.0.1 and is able to connect to spamd and relay the message. So
> Postfix is still configured to connect to the wrong IP but because
> spamd isn't even listening on that IP address at all postfix tries the
> next possibility which is the correct IP and it does so right away
> because there is no deferral.
>
> Note that this is not the most ideal way of solving the problem.
> Ideally you want to either configure postfix to never try to connect
> to ::1 (but only connect to 127.0.0.1) or you want to configure spamd
> to both listen and accept messages on both ::1 and 127.0.0.1. This way
> there should never even be an attempt to connect to a non-working
> address (unless spamd actually is down).
>
> > But the part I still don't understand is why smtp was trying to use
> > ::1 when everything postfix wise is set to use 127.0.0.1.
>
> To answer that I would need to see your config, specifically the
> output of the two commands I gave you before.
>
> > Everything except this that is:
> >
> > mydestination = $myhostname, localhost.$mydomain, $mydomain, www.$mydomain
> >
> > Should this be set to:
> >
> > mydestination = $myhostname, 127.0.0.1.$mydomain, $mydomain, www.$mydomain
>
> mydestination has nothing to do with this issue.
>
> > To keep ::1 from being used? If so oversight on my part, not thinking
> > that through, so setting it to 127.0.0.1 would probably allow me to
> > revert the spamd options back to what they were.
> >
> > Maybe I'll just try it and see.
>
> Send your config.
>
> Peter
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
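
The listen-side half of the mismatch discussed in this thread can be checked mechanically. The following is an added example, not code from either poster or from Postfix: it parses listener lines taken from the netstat output above and reports which addresses behind an endpoint have no listener. The `NAME_TO_ADDRS` mapping (localhost resolving to ::1 first, then 127.0.0.1) is an assumption about a dual-stack host, and the function names are hypothetical.

```python
import re

# Listener lines taken from the netstat output in the message (unwrapped).
NETSTAT = """\
tcp  0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 5063/amavisd
tcp  0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 13980/perl
tcp6 0 0 ::1:10024       :::*      LISTEN 5063/amavisd
"""

# Assumption: "localhost" resolves to both loopback addresses, IPv6 first.
NAME_TO_ADDRS = {"localhost": ["::1", "127.0.0.1"]}


def parse_listeners(netstat_text):
    """Return {port: set of local addresses} for TCP sockets in LISTEN state."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # keeps "::1" intact
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def covered(addr, bound):
    """True if addr is bound directly or through its family's wildcard."""
    wildcard = "::" if ":" in addr else "0.0.0.0"
    return addr in bound or wildcard in bound


def check_endpoint(endpoint, listeners):
    """Split the addresses a client may try for host:port into reachable/dead."""
    m = re.fullmatch(r"\[?([^\]]+?)\]?:(\d+)", endpoint)
    if not m:
        raise ValueError(f"not a host:port endpoint: {endpoint!r}")
    host, port = m.group(1), int(m.group(2))
    candidates = NAME_TO_ADDRS.get(host, [host])
    bound = listeners.get(port, set())
    return {
        "reachable": [a for a in candidates if covered(a, bound)],
        "dead": [a for a in candidates if not covered(a, bound)],
    }


if __name__ == "__main__":
    listeners = parse_listeners(NETSTAT)
    for ep in ("localhost:10025", "[127.0.0.1]:10025", "localhost:10024"):
        print(ep, check_endpoint(ep, listeners))
```

This only covers which addresses have a listener; whether the service then accepts mail from the connecting address is a separate setting, as the quoted reply points out.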