On Dec 9, 2010, at 10:55 AM, Victor Duchovni wrote:
The recipient restrictions are always honored. Unless your master.cf
file overrides main.cf in the "smtpd" instance the client connects
to, what you configure is what you get...
This is the master.cf file:
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes
#
# Before-filter SMTP server. Receive mail from the network and
# pass it to the content filter on localhost port 10025.
#
#smtp inet n - n - - smtpd
# -o smtpd_proxy_filter=127.0.0.1:10025
# -o smtpd_client_connection_count_limit=10
#
# After-filter SMTP server. Receive mail from the content filter on
# localhost port 10026.
#
#127.0.0.1:10026 inet n - n - - smtpd
# -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# -o smtpd_client_restrictions=
# -o smtpd_helo_restrictions=
# -o smtpd_sender_restrictions=
# -o smtpd_recipient_restrictions=permit_mynetworks,reject
# -o smtpd_data_restrictions=
# -o mynetworks=127.0.0.0/8
# -o receive_override_options=no_unknown_recipient_checks
#
submission inet n - n - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_blacklist,hash:/etc/postfix/perm_blacklist,permit_mynetworks,reject
#
#
# specify the location of the DomainKeys signing filter
#
dksign unix - - n - 10 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime
#
#
# service for accepting messages FROM the DomainKeys signing filter
#
#smtp inet n - n - - smtpd
127.0.0.1:10028 inet n - n - 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
#
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
-o content_filter=
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n - 1 nqmgr
#tlsmgr fifo - - n - 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
flags=R user=cyrusimap argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - 10 pipe
user=cyrusimap argv=/usr/bin/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
scache unix - - n - 1 scache
discard unix - - n - - discard
tlsmgr unix - - n 1000? 1 tlsmgr
retry unix - - n - - error
These IPs will pass "permit_mynetworks".
smtp_destination_concurrency_limit = 50
A bit too aggressive IMHO, many sites will not tolerate this, and you
just reduce performance.
REMOVED
smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/recipient_blacklist,
Recipients in this table are handled as specified.
That's my problem -- they aren't. All the recipient addresses in this table
are marked "reject".
If not already rejected or accepted, trusted or authenticated
clients can send to anyone.
reject_unauth_destination
Otherwise only domains in the usual address classes are accepted.
I know this address is in the blacklist table:
mail2:/var/spool/postfix root# grep [email protected] /etc/postfix/recipient_blacklist
[email protected] reject
Don't "grep", use "postmap -q".
mail2:/var/spool/postfix root# postmap -q [email protected] /etc/postfix/recipient_blacklist
reject
How did this message enter your system?
The client's customer signs up to receive notifications on a topic they're
interested in. When the topic is updated, the application on our server
generates an email. The email is sent to a VIP on our load balancer, then sent
to the internal client mail server. (This was set up with load balancing in
mind.) At this time, the mail server should sign the email using dkfilter and
send the email off to the subscriber. Sometimes, someone will fat finger their
address, have a name change, or discontinue service with their ISP and fail to
unsubscribe from the notification list. That's when we get a bounce. I'd like
to prevent sending emails to bad addresses, so I set up an internal blacklist.
Maybe smtpd_recipient_restrictions isn't the correct parameter for this?
Where's the rest of the logging
for the queue-id in question? What was the state of "main.cf" at the
time?
Dec 9 08:58:59 mail2 postfix/qmgr[16878]: 0725C8E704FD: from=<[email protected]>, size=2019, nrcpt=1 (queue active)
Dec 9 08:59:00 mail2 postfix/smtp[16933]: 0725C8E704FD: to=<[email protected]>, relay=mxgb1.opaltelecom.net[62.24.139.61]:25, delay=14026, delays=14025/0.11/0.67/0.33, dsn=5.0.0, status=bounced (host mxgb1.opaltelecom.net[62.24.139.61] said: 550 #5.1.0 Address rejected [email protected] (in reply to RCPT TO command))
Dec 9 08:59:00 mail2 postfix/bounce[16967]: 0725C8E704FD: sender non-delivery notification: 7D1578EC1C27
Dec 9 08:59:01 mail2 postfix/bounce[16967]: 0725C8E704FD: postmaster non-delivery notification: 857938EC1C42
Dec 9 08:59:01 mail2 postfix/qmgr[16878]: 0725C8E704FD: removed
The state of the main.cf:
2bounce_notice_recipient = postmaster
alias_maps = hash:/etc/aliases
always_bcc =
append_at_myorigin = no
enable_server_options = yes
html_directory = no
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
message_size_limit = 10240000
mydestination = $myhostname,localhost.$mydomain
mydomain = my_clientmail.my_company.com
mydomain_fallback = localhost
myhostname = my_clientmail
mynetworks = 127.0.0.1/32,10.1.0.0/16,192.168.3.0/24,172.16.0.0/12,10.1.18.24,192.168.0.0/16
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
notify_classes = bounce,protocol
owner_request_special = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_destination_concurrency_limit = 50
smtpd_client_restrictions =
smtpd_enforce_tls = no
smtpd_pw_server_security_options = plain,login,cram-md5,gssapi
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_blacklist,hash:/etc/postfix/perm_blacklist,permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_key_file =
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = no
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual_alias
virtual_transport = lmtp:unix:/var/imap/socket/lmtp
debug_peer_list = 127.0.0.
Your content filter is sure slow, you have a 6+ hour delay in your
internal filter, something is very wrong.
Yes -- I know -- and I recognize that I may have two separate problems going on.
drwx------ 46523 _postfix wheel 50602710 Dec 9 09:31 incoming
drwx------ 57617 _postfix wheel 57664578 Dec 6 12:50 incoming.1206
drwx------ 60089 _postfix wheel 6499474 Dec 6 22:36 incoming.old
This is really bad. Your incoming queues are huge. And you are manually
renaming directories in the queue to try to fix it, this is no way to
run a Postfix server...
You're right. I've been trying to solve this all week and this is why I'm coming
to you...
http://www.postfix.org/QSHAPE_README.html
I was under the impression that QSHAPE wouldn't run on Mac OS -- but I'll give
it a shot and get back to you with the results.
--
Viktor.
Thank YOU Viktor -- I appreciate your help.
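An added example (not code from the thread or from Postfix) that checks the point in Viktor's first paragraph: for each smtpd listener in master.cf, the smtpd_recipient_restrictions that actually apply are main.cf's unless a "-o" override replaces them, so a blacklist table listed in main.cf can be absent on the listener a client really connects to. The master.cf excerpt and main.cf value below are constructed from what the thread quotes (one "-o" per line is assumed), and the script also flags whitespace around "=" in an override, which master(5) says not to use.

```python
import re

# Constructed excerpt of the master.cf quoted in the thread (three smtpd listeners).
MASTER_CF = """\
smtp       inet  n  -  n  -  -   smtpd
  -o smtpd_sasl_auth_enable=yes
submission inet  n  -  n  -  -   smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_blacklist,permit_mynetworks,reject
127.0.0.1:10028 inet n - n - 10  smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""
# The main.cf value quoted in the thread; it applies wherever no -o replaces it.
MAIN_CF = {"smtpd_recipient_restrictions":
           "check_recipient_access hash:/etc/postfix/recipient_blacklist,"
           "permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination"}

OVERRIDE = re.compile(r"-o\s+(\w+)(\s*)=(\s*)(.*)")  # one "-o name=value" per line assumed

def smtpd_services(master_cf):
    """Return [(service name, [override lines])] for every smtpd listener."""
    services, current = [], None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                 # service definition line
            fields = line.split()
            current = (fields[0], []) if fields[-1] == "smtpd" else None
            if current is not None:
                services.append(current)
        elif current is not None:                 # indented "-o" continuation
            current[1].append(line.strip())
    return services

def effective_restrictions(master_cf, main_cf):
    """Map each smtpd listener to the smtpd_recipient_restrictions it really uses."""
    report = {}
    for name, overrides in smtpd_services(master_cf):
        value, bad_ws = main_cf["smtpd_recipient_restrictions"], False
        for opt in overrides:
            m = OVERRIDE.match(opt)
            if m and m.group(1) == "smtpd_recipient_restrictions":
                value = m.group(4)
                bad_ws = bool(m.group(2) or m.group(3))  # master(5): no blanks around "="
        report[name] = {"restrictions": value,
                        "consults_blacklist": "recipient_blacklist" in value,
                        "whatespace_around_eq" if False else "whitespace_around_eq": bad_ws}
    return report
```

Run against the real files, the report shows at a glance which listener skips the blacklist (here the after-filter 127.0.0.1:10028 service) and which override is malformed.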