Hi again Jasper..
I do appreciate your help - but have not solved the problem yet. Please
see below.
On 9/09/2010 11:58 PM, Jasper Jongmans wrote:
On 2010-09-09 17:29, Richard Chapman wrote:
I have been doing address masquerading - and thought that only
applied to sender addresses. After your comment - I disabled
masquerading - and that didn't solve the problem. I also do the
default address rewriting - but I doubt that can be the problem. I
don't think I am altering next-hop decisions. I am pretty sure
external servers correctly forward validu...@c5.aardvark.com.au to
this server - and this server rejects them. At least that is what it
looks like in the logs. Here is the maillog for a test message:
Sep 9 22:43:29 C5 postfix/master[4879]: reload configuration /etc/postfix
Sep 9 22:43:50 C5 postfix/smtpd[9254]: connect from unknown[192.168.0.166]
Sep 9 22:43:50 C5 postfix/smtpd[9254]: B3D401D2231D:
client=unknown[192.168.0.166], sasl_method=PLAIN, sasl_username=richard
Sep 9 22:43:50 C5 postfix/cleanup[9258]: B3D401D2231D:
message-id=<4c88f2a4.5000...@aardvark.com.au>
Sep 9 22:43:50 C5 postfix/qmgr[9195]: B3D401D2231D:
from=<rchap...@aardvark.com.au>, size=624, nrcpt=1 (queue active)
Sep 9 22:43:50 C5 postfix/smtpd[9254]: disconnect from unknown[192.168.0.166]
Sep 9 22:43:50 C5 postfix/cleanup[9258]: C37ED1D2232B:
message-id=<4c88f2a4.5000...@aardvark.com.au>
Sep 9 22:43:50 C5 postfix/qmgr[9195]: C37ED1D2232B:
from=<rchap...@aardvark.com.au>, size=767, nrcpt=1 (queue active)
Sep 9 22:43:50 C5 postfix/local[9259]: B3D401D2231D:
to=<rchap...@c5.aardvark.com.au>, relay=local, delay=0.08,
delays=0.06/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as )
Above line means local(8) was instructed by something like aliases or
.forward to send to another address. The original message was
B3D401D2231D, the new is C37ED1D2232B.
OK. I have checked there are no .forward files in the relevant users
home directories. Is there anywhere else I should look? I am runnig
postfix, dovecot, centos 5.5. Hopefully this is not relevant - but I
think sendmail is still installed on this machine. I changed from
sendmail to postfix some time back.
I have disabled masquerading, but the problem remains.
I have some user aliases - but have done tests on users with no obvious
aliases - and emails to them are also rejected.
Do you have any other suggestions as to where to look for unwanted
aliases or forwards?
Sep 9 22:43:50 C5 postfix/qmgr[9195]: B3D401D2231D: removed
Sep 9 22:43:54 C5 postfix/smtp[9261]: C37ED1D2232B: to=<rich...@aardvark.com.au>,
orig_to=<rchap...@c5.aardvark.com.au>, relay=ASPMX.L.GOOGLE.COM[72.14.213.27]:25,
delay=3.3, delays=0.01/0.02/1.6/1.8, dsn=2.0.0, status=sent (250 2.0.0 OK 1284043434
x29si3064677wfh.82)
Sep 9 22:43:54 C5 postfix/qmgr[9195]: C37ED1D2232B: removed
Sep 9 22:43:55 C5 postfix/smtpd[9254]: connect from
mail-pv0-f174.google.com[74.125.83.174]
Sep 9 22:43:56 C5 postfix/smtpd[9254]: NOQUEUE: reject: RCPT from
mail-pv0-f174.google.com[74.125.83.174]: 554 5.7.1<rich...@aardvark.com.au>: Relay access denied;
from=<rchap...@aardvark.com.au> to=<rich...@aardvark.com.au> proto=ESMTP
helo=<mail-pv0-f174.google.com>
Sep 9 22:43:56 C5 postfix/smtpd[9254]: disconnect from
mail-pv0-f174.google.com[74.125.83.174]
The smtp-client connects to Google Apps and succesfully delivers the
message. Some forward at Google Apps leads to another connection to
your smtpd-server, which then rejects the email because it is
addressed to the wrong domain. You probably have had this detour for a
while, just didn't notice it before because your server accepted the
email in the second phase.
Yes. That is how I was interpreting it too. The forward at google apps
is intentional. I agree the problem is probably something lost in the
mists of time..:-)
Do you know whether masquerading could case this problem? I understood
that masquerading applied only to the sender address on outgoing email -
but I may be wrong. I
have certainly run tests with it disabled in main.cf - and I believe I
have restarted postix. Is there anything else I would need to do to
disable it properly? e.g. Would I need to run postmap on some file?
Here is my postconf -n - in case you can see any clues in there. I have
also included /etc/aliases content - though it looks fairly innocent to me.
You will see that at the time of the postconf - I have re-enabled
masquerading and domain receiving - because this is a live server - so I
revert it to a working state after each test.
Thanks again
Richard.
*postconf -n*
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
delay_warning_time = 1
home_mailbox = Maildir/
html_directory = no
mailbox_command = procmail
mailbox_size_limit = 512000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = aardvark.com.au
message_size_limit = 409600000
mydestination = $myhostname, localhost.$mydomain, $mydomain
myhostname = c5.aardvark.com.au
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
notify_classes = resource, software, delay
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relayhost = smtp.gmail.com:submission
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_security_level = may
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
permit_inet_interfaces reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /usr/share/ssl/certs/c5.aardvark_cert.pem
smtpd_tls_key_file = /usr/share/ssl/private/c5.aardvark_key.pem
smtpd_use_tls = yes
soft_bounce = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
*> cat /etc/aliases*
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE>> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#
# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
adm: root
lp: root
sync: root
shutdown: root
halt: root
mail: root
news: root
uucp: root
operator: root
games: root
gopher: root
ftp: root
nobody: root
radiusd: root
nut: root
dbus: root
vcsa: root
canna: root
wnn: root
rpm: root
nscd: root
pcap: root
apache: root
webalizer: root
dovecot: root
fax: root
quagga: root
radvd: root
pvm: root
amanda: root
privoxy: root
ident: root
named: root
xfs: root
gdm: root
mailnull: root
postgres: root
sshd: root
smmsp: root
postfix: root
netdump: root
ldap: root
squid: root
ntp: root
mysql: root
desktop: root
rpcuser: root
rpc: root
nfsnobody: root
ingres: root
system: root
toor: root
manager: root
dumper: root
abuse: root
newsadm: news
newsadmin: news
usenet: news
ftpadm: ftp
ftpadmin: ftp
ftp-adm: ftp
ftp-admin: ftp
# www: webmaster
# webmaster: root
noc: root
security: root
hostmaster: root
# info: postmaster
marketing: postmaster
# sales: postmaster
# support: postmaster
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
root: richard
rchapman: richard
aardvark: richard
# Webmin: For webmin return address
webmin: richard
virusalert: root
# alias for notification messages from HylaFAX servers
FaxMaster: root
