On Thu, Dec 09, 2010 at 09:38:17AM -0800, cmallon wrote:
> smtpd_recipient_restrictions =
> reject_unauth_destination,
>
> You only accept mail for domains listed in mydestination,
> virtual_alias_domains, virtual_mailbox_domains, or relay_domains.
>
> I'm not sure I understand. Are you saying that my values for
> mydestination, virtual_alias_domains, virtual_mailbox_domains or
> relay_domains are responsible for my broken smtpd_recipient_restrictions? I have 4
> postfix servers, this server is dedicated to only one client (my other
> servers run wonderfully)
"broken" is in the eye of the beholder. If you want Postfix to behave
differently, you need to configure it differently. I'm just telling you
what your configuration means. In this case it rejects all recipient
domains not found in one of the above address classes.
> check_recipient_access hash:/etc/postfix/recipient_blacklist,
> <implicit_check_recipient_access> hash:/etc/postfix/perm_blacklist,
> <implicit_check_recipient_access> hash:/etc/postfix/hold,
>
> You have three tables that further filter the recipient domain.
>
> check_sender_access hash:/etc/postfix/sender_access,
>
> Then a table that filters the sender domain. Anything that makes it past
> this rule is accepted.
>
> permit_sasl_authenticated, permit_mynetworks
>
> I made some changes and removed check sender access and the hold tables,
> but the recipient restrictions are still not being honored.
The recipient restrictions are always honored. Unless your master.cf
file overrides main.cf in the "smtpd" instance the client connects
to, what you configure is what you get...
> mynetworks =
> 127.0.0.1/32,
> 10.1.0.0/16,
> 192.168.3.0/24,
> 172.16.0.0/12,
> 10.1.18.24,
> 192.168.0.0/16
These IPs will pass "permit_mynetworks".
> smtp_destination_concurrency_limit = 50
A bit too aggressive IMHO; many sites will not tolerate this, and you
just reduce performance.
> smtpd_pw_server_security_options = plain,login,cram-md5,gssapi
An Apple customization, we don't support this here.
> smtpd_recipient_restrictions =
> check_recipient_access hash:/etc/postfix/recipient_blacklist,
Recipients in this table are handled as specified.
> <implicit_check_recipient_access> hash:/etc/postfix/perm_blacklist,
If not rejected or definitely accepted by the previous rule,
handled as specified in this table.
> permit_sasl_authenticated,
> permit_mynetworks,
If not already rejected or accepted, trusted or authenticated
clients can send to anyone.
> reject_unauth_destination
Otherwise only domains in the usual address classes are accepted.
> smtpd_use_pw_server = yes
Apple-specific.
> I noticed the conversation regarding brevity this morning, so please
> pardon me if I'm providing too much information but I just want to
> be clear. I need my mail server to use an internal black list.
>
> I have emails that should never leave my server:
>
> I know this address is in the blacklist table:
>
> mail2:/var/spool/postfix root# grep [email protected]
> /etc/postfix/recipient_blacklist
> [email protected] reject
Don't "grep", use "postmap -q".
> Yet here it is in my mail logs:
>
> Dec 9 08:59:00 mail2 postfix/smtp[16933]: 0725C8E704FD:
> to=<[email protected]>,
> relay=mxgb1.opaltelecom.net[62.24.139.61]:25, delay=14026,
> delays=14025/0.11/0.67/0.33, dsn=5.0.0, status=bounced (host
> mxgb1.opaltelecom.net[62.24.139.61] said: 550 #5.1.0 Address rejected
> [email protected] (in reply to RCPT TO command))
How did this message enter your system? Where is the rest of the logging
for the queue-id in question? What was the state of "main.cf" at the
time?
> mail2:/var/spool/postfix root# grep [email protected]
> /etc/postfix/recipient_blacklist
> [email protected] reject
Don't "grep", use "postmap -q".
> Dec 9 09:21:30 mail2 postfix/smtp[17661]: 0ACFE8E4392A:
> to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10027,
> conn_use=13, delay=23079, delays=23077/1.3/0.01/1.1, dsn=2.0.0,
> status=sent (250 2.0.0 Ok: queued as 51E0B8ECA5FB)
Your content filter is sure slow; you have a 6+ hour delay in your
internal filter, something is very wrong.
>
> drwx------ 46523 _postfix wheel 50602710 Dec 9 09:31 incoming
> drwx------ 57617 _postfix wheel 57664578 Dec 6 12:50 incoming.1206
> drwx------ 60089 _postfix wheel 6499474 Dec 6 22:36 incoming.old
This is really bad. Your incoming queues are huge. And you are manually
renaming directories in the queue to try to fix it, this is no way to
run a Postfix server...
http://www.postfix.org/QSHAPE_README.html
--
Viktor.
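The ordering argument in the reply above (blacklist tables first, then permit_sasl_authenticated / permit_mynetworks, then reject_unauth_destination) can be made concrete with a small simulator. The code below is an added illustration, not part of the original message and not Postfix source; it models the subset of access(5) and smtpd(8) behaviour that the thread relies on: restrictions are tried in list order, the first OK or REJECT decides, DUNNO falls through, an empty verdict at the end of the list permits, and a check_recipient_access lookup tries the full address, the domain, each parent domain and finally "localpart@". Only OK, REJECT, DUNNO and numeric (5xx) reject actions are modelled. Every table entry, network, domain list and address here is constructed for the example.

```python
"""Simulate Postfix smtpd_recipient_restrictions evaluation order.

Added example; not Postfix code. Models: list walked in order, first
OK/REJECT wins, DUNNO continues, end of list permits. Table keys follow
access(5) lookup order for a recipient address with the default
parent_domain_matches_subdomains (keys carry no leading dot).
All tables, networks and domains below are constructed sample data.
"""
import ipaddress

# Constructed stand-ins for hash:/etc/postfix/recipient_blacklist and
# hash:/etc/postfix/perm_blacklist (hypothetical contents).
RECIPIENT_BLACKLIST = {"blocked@example.net": "REJECT never leaves this server"}
PERM_BLACKLIST = {"example.org": "554 whole domain blocked"}   # numeric code
# Constructed stand-in for mynetworks.
MYNETWORKS = [ipaddress.ip_network(n)
              for n in ("127.0.0.1/32", "10.1.0.0/16", "192.168.0.0/16")]
# Constructed union of mydestination/virtual_*_domains/relay_domains.
LOCAL_DOMAINS = {"example.com"}


def access_lookup(table, address):
    """Return OK/REJECT/DUNNO for the first matching access(5) key.

    Key order: user@domain, domain, each parent domain, user@ .
    A result whose first token is a 4xx/5xx code counts as REJECT."""
    local, _, domain = address.lower().partition("@")
    labels = domain.split(".")
    keys = [f"{local}@{domain}"]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(f"{local}@")
    for key in keys:
        if key in table:
            action = table[key].split()[0].upper()
            return "REJECT" if action[0].isdigit() else action
    return "DUNNO"


def permit_mynetworks(client_ip, **_):
    ip = ipaddress.ip_address(client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(sasl_user, **_):
    return "OK" if sasl_user else "DUNNO"


def reject_unauth_destination(recipient, **_):
    domain = recipient.rpartition("@")[2].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"


def check_recipient_access(table):
    return lambda recipient, **_: access_lookup(table, recipient)


def evaluate(restrictions, client_ip, recipient, sasl_user=None):
    """Walk the restriction list; return (verdict, deciding restriction)."""
    for name, restriction in restrictions:
        verdict = restriction(client_ip=client_ip, recipient=recipient,
                              sasl_user=sasl_user)
        if verdict in ("OK", "REJECT"):
            return verdict, name
    return "OK", "end of list"      # nothing objected: implicit permit


# The order from the posted main.cf: both access tables are consulted
# before any permit_* rule, so trusted clients are still filtered.
POSTED_ORDER = [
    ("check_recipient_access recipient_blacklist",
     check_recipient_access(RECIPIENT_BLACKLIST)),
    ("check_recipient_access perm_blacklist",
     check_recipient_access(PERM_BLACKLIST)),
    ("permit_sasl_authenticated", permit_sasl_authenticated),
    ("permit_mynetworks", permit_mynetworks),
    ("reject_unauth_destination", reject_unauth_destination),
]
# Same restrictions with the permit rules moved first: a mynetworks or
# SASL client now bypasses both blacklists entirely.
PERMIT_FIRST = POSTED_ORDER[2:4] + POSTED_ORDER[0:2] + POSTED_ORDER[4:]

if __name__ == "__main__":
    for order, ip, rcpt in [(POSTED_ORDER, "10.1.18.24", "blocked@example.net"),
                            (PERMIT_FIRST, "10.1.18.24", "blocked@example.net"),
                            (POSTED_ORDER, "203.0.113.5", "user@mail.example.org"),
                            (POSTED_ORDER, "203.0.113.5", "anyone@elsewhere.test")]:
        print(ip, rcpt, "->", evaluate(order, ip, rcpt))
```

The simulation only covers the smtpd instance the client actually talks to. A second listener defined in master.cf with its own "-o smtpd_recipient_restrictions=..." (the content-filter re-injection port, for instance) walks a different list, and mail injected locally through sendmail(1)/pickup(8) never passes through smtpd restrictions at all, which is why the reply asks how the message entered the system before anything else.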