On 10/25/2010 9:05 PM, Michael Orlitzky wrote:
On 10/25/2010 10:38 PM, utahnix wrote:
Hello all,
This question has probably been asked on this list before, but maybe not
quite with these circumstances. I'm hoping one of you can give me some
direction.
I've got a fairly typical Postfix setup... Postfix, Cyrus IMAP, ClamAV,
SpamAssassin... all on Linux.
Anyway, I've set up greylisting with Postgrey to help cut down on the
junk mail that I get. I've set it up with default values (deferral of
300 seconds, etc). Well all seems good and fair except some of my
regular senders can't seem to get their email through. I've checked my
server logs and I don't even see their email address mentioned (it
doesn't appear to even reach my machine). Several of the emails in
question are Yahoo or Gmail. What's odd is that I have both a Yahoo
account and a Gmail account, and I can send myself mail with no problems.
I disabled Postgrey temporarily and had these senders re-send test
messages from their addresses, and it worked (I got their messages). So
something was certainly hanging things up. I just wish I knew what that was.
Do you have "smtpd_delay_reject = yes" set? If so, you should be able to
see the senders' addresses in your logs even if they were greylisted.
Yes I do, actually.
This got me thinking... my ISP requires that I forward all outbound
email through their SMTP server. Because their mail server (the SMTP
relay I'm required to relay mail to) has suddenly been added to various
RBLs for repeated "deferrals", is it possible that my greylisting is
what is getting them on those RBLs?
Added to RBLs for deferrals? Doesn't make sense, or I'm missing something.
I don't know that deferrals would get a system blacklisted, per se. My
thought was no, but I often worry that I'm missing something in my
technical understanding.
I just found it disturbing that suddenly (the same time I implemented
Postgrey) outbound messages leaving my ISP's SMTP relay started to
bounce because *their* SMTP relay server is on an RBL (in this case,
commtouch.com), and... I suddenly am not getting all of my inbound
messages. In other words, I implement greylisting and suddenly people
are having trouble with message delivery, one way or another, and that
had me worrying.
I realize that this could very well be two issues, and I also realize
that the issues might not have anything to do with my machine. But I
also realize it would be very arrogant of me to assume there couldn't be
problems with my machine. While I'm no email newbie, I'm also no master.
The Postgrey does cut down on the spam significantly, particularly when
used in conjunction with SpamAssassin and RBLs like SpamCop and
SpamHaus. I'd like to keep Postgrey if I can, assuming that my delivery
problems are not directly associated with Postgrey... but if my
circumstances with my ISP won't allow me to greylist, then disabling
Postgrey might save me a headache.
I guess I'm looking for some advice as to whether Postgrey could cause
problems with my ISP (they run Exim on FreeBSD and firewall outgoing tcp
port 25 everywhere but on their one mail server) but I don't know much
more than that), or if there are some settings I should change to
improve my greylisting setup.
It's highly unlikely, but concentrate on one problem at a time.
When these people send to you and the messages don't make it through, do
they get a rejection or anything that might suggest that delivery failed?
Let me clarify here. On incoming messages that clients insist they've
sent and we've never received, no, nobody is getting any sort of
rejection message or delivery failure (boy those make troubleshooting
easier!). There's no mention of their email address in the logs (and I
know Postfix is pretty verbose by default, which is another reason I
like it).
On outbound messages we have had a few bounce backs. This is where my
concern about the RBLs come into the picture. The rejection messages
indicate that the SMTP relay maintained by my ISP is what is on the RBL,
not my IP. But because they've firewalled port 25, if their relay can't
send mail, my system, by default, cannot either.
If not -- while you should still be seeing their email address in the
logs -- I would guess that SpamAssassin or ClamAV snatched the message.
That was my thinking as well (that it would be in the logs), but I found
myself questioning my own logic. I guess I just want to be sure I
haven't missed something.
Now might be a good time to post your `postconf -n`.
Here it is:
alias_maps = hash:/etc/aliases
always_bcc = archi...@domain1.com
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_filter.pcre
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_exceptions = root
message_size_limit = 26214400
mime_header_checks = pcre:/etc/postfix/mime_filter.pcre
mydestination = $myorigin
myhostname = mail.domain1.com
mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.0/24
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relay_domains =
relayhost = send.etv.net
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_helo_name = mail.domain1.com
smtp_sasl_security_options = noanonymous
smtp_tls_enforce_peername = yes
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks, check_client_access
hash:/etc/postfix/client_access.hash, permit_sasl_authenticated,
reject_rbl_client zen.spamhaus.org, permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
permit_sasl_authenticated, check_helo_access
hash:/etc/postfix/helo_filter.hash, check_helo_access
pcre:/etc/postfix/helo_filter.pcre, reject_non_fqdn_hostname,
reject_invalid_hostname, permit
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, check_recipient_access
hash:/etc/postfix/recip_filter.hash, check_recipient_access
pcre:/etc/postfix/recip_filter.pcre, reject_unauth_destination,
check_recipient_maps, check_recipient_access
hash:/etc/postfix/overquota, check_policy_service
inet:127.0.0.1:60000, permit
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sender_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_unknown_sender_domain, permit_mynetworks, check_sender_access
hash:/etc/postfix/sender_filter.hash, check_sender_access
pcre:/etc/postfix/sender_filter.pcre, permit
smtpd_soft_error_limit = 60
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/servercerts/servercert.pem
smtpd_tls_key_file = /etc/ssl/servercerts/serverkey.pem
smtpd_use_tls = no
soft_bounce = no
strict_rfc821_envelopes = no
unknown_local_recipient_reject_code = 550
virtual_alias_domains = domain5.com domain6.com
virtual_alias_maps = hash:/etc/postfix/forwards
virtual_mailbox_domains = domain1.com domain2.com domain3.com domain4.com
virtual_mailbox_maps = hash:/etc/postfix/users
virtual_transport = lmtp:unix:/data/mail/lib/imap/socket/lmtp
And just to clear confusion, the virtual alias domains contain forwards
only (i.e. u...@reallylongdomain.com -> u...@domain.com)
Thanks!
