I recently migrated a site I maintain (stovebolt.com) from one hosting
company to another. The owners decided to buy a new server, which I set up
as the new webserver. Then I formatted the old webserver and set it up as
the mail server. The previous mail server will be surplused.

I installed FreeBSD 8.3 and all the ports I used for the previous mail
server and then began setting things up. I restored directories from
backup, including the postfix directory and subdirectories. Everything is
now working fine except one thing.

The web server has a forum (UBBThreads) which sends mail to users and to
new registrants. The web server is also running Postfix, and the mail is
relayed to the mail server and then sent to the final recipient.

At least it used to be. Now, no matter who the recipient is, mail sent
from www.stovebolt.com to mail.stovebolt.com is delivered to my account
(g...@stovebolt.com). This is true even from the command line doing a
manual session.

Here's a command-line mail session on www
# telnet mail.stovebolt.com 25
Trying 216.58.158.171...
Connected to mail.stovebolt.com.
Escape character is '^]'.
220 mail.stovebolt.com ESMTP Postfix
HELO www.stovebolt.com
250 mail.stovebolt.com
MAIL FROM: g...@stovebolt.com
250 2.1.0 Ok
RCPT TO:
501 5.5.4 Syntax: RCPT TO:<address>
RCPT TO: pschm...@tx.rr.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test from www to RR at 2:56PM
Testing
.
250 2.0.0 Ok: queued as 5FC272F1433
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
Here's the maillog for that session on mail
Sep 29 14:57:50 mail postfix/cleanup[27880]: 5FC272F1433: message-id=<>
Sep 29 14:57:50 mail postfix/qmgr[26829]: 5FC272F1433: from=<g...@stovebolt.com>, size=247, nrcpt=1 (queue active)
Sep 29 14:57:53 mail postfix/smtpd[27911]: disconnect from www.stovebolt.com[216.58.158.170]
Sep 29 14:57:56 mail postfix/pickup[27864]: 8F5DC2F15EF: uid=1004 from=<filter>
Sep 29 14:57:56 mail postfix/cleanup[27922]: 8F5DC2F15EF: message-id=<20120929145756.8f5dc2f1...@mail.stovebolt.com>
Sep 29 14:57:56 mail postfix/pipe[27912]: 5FC272F1433: to=<pschm...@tx.rr.com>, relay=filter, delay=44, delays=39/0/0/5.7, dsn=2.0.0, status=sent (delivered via filter service)
Sep 29 14:57:56 mail postfix/qmgr[26829]: 5FC272F1433: removed
Sep 29 14:57:56 mail postfix/qmgr[26829]: 8F5DC2F15EF: from=<fil...@stovebolt.com>, size=758, nrcpt=1 (queue active)
Sep 29 14:57:56 mail postfix/local[27906]: 8F5DC2F15EF: to=<g...@stovebolt.com>, orig_to=<geek>, relay=local, delay=0.06, delays=0.04/0/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
Sep 29 14:57:56 mail postfix/qmgr[26829]: 8F5DC2F15EF: removed
Sep 29 14:58:14 mail postfix/qmgr[26829]: 458112F1573: from=<g...@stovebolt.com>, size=4384, nrcpt=1 (queue active)
As you can see, the mail is delivered by filter to my address on stovebolt
instead of to my RR address.
Here's my setup:
FreeBSD 8.3 RELEASE (both servers)
Postfix 2.9.4
policyd-weight 0.1.15.1
spamassassin 3.2.2
courier-imapd 4.10.0
Here's how the mail server responds to EHLO
# telnet mail.stovebolt.com 25
Trying 216.58.158.171...
Connected to mail.stovebolt.com.
Escape character is '^]'.
220 mail.stovebolt.com ESMTP Postfix
EHLO www.stovebolt.com
250-mail.stovebolt.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Here's the Postfix setup for www
www.stovebolt.com
# postconf -n
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
    $daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/local/share/doc/postfix
inet_interfaces = localhost
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydomain = stovebolt.com
myhostname = server1.$mydomain
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relayhost = mail.$mydomain
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
unknown_local_recipient_reject_code = 550
www.stovebolt.com
# grep -v "#" /usr/local/etc/postfix/master.cf
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
Here's the Postfix setup for mail
mail.stovebolt.com
# postconf -n
alias_database = hash:/usr/local/etc/postfix/aliases
alias_maps = hash:/usr/local/etc/postfix/aliases
    hash:/usr/local/mailman/data/aliases
allow_mail_to_commands = alias,forward
allow_mail_to_files = alias,forward
allow_percent_hack = no
anvil_status_update_time = 1d
biff = no
body_checks = pcre:$config_directory/body-checks.pcre
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = 127.0.0.1
debugger_command = PATH=/usr/bin: xxgdb $daemon_directory/$process_name
    $process_id & sleep 5
default_privs = nobody
default_process_limit = 75
delay_warning_time = 1d
header_checks = pcre:$config_directory/header-checks.pcre
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4
lmtp_destination_recipient_limit = 3000
lmtp_sasl_auth_enable = no
local_destination_concurrency_limit = 2
local_destination_recipient_limit = 100
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 104857600
maildrop_destination_recipient_limit = 1
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 5d
mydestination = $myhostname, localhost.$mydomain, localhost mail.$mydomain,
    www.$mydomain, lists.$mydomain, $mydomain
mydomain = stovebolt.com
myhostname = mail.$mydomain
mynetworks = 127.0.0.0/8,216.58.158.170/32
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination, www.stovebolt.com, server1.stovebolt.com
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_hostname
smtpd_junk_command_limit = 5
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination check_client_access hash:$config_directory/access
    reject_unauth_pipelining reject_non_fqdn_sender reject_non_fqdn_recipient
    reject_unknown_sender_domain check_recipient_access
    hash:$config_directory/policyd_weight_recipient_whitelist
    check_client_access hash:$config_directory/policyd_weight_client_whitelist
    check_policy_service inet:127.0.0.1:12525 permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /usr/local/etc/postfix/server.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/server.pem
smtpd_tls_key_file = /usr/local/etc/postfix/server.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = friendshipforest.com fieldoftrees.com
    txantimedia.com
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
mail.stovebolt.com
# grep -v "#" /usr/local/etc/postfix/master.cf
smtp inet n - n - - smtpd -o content_filter=filter:dummyr
smtps inet n - n - - smtpd
    -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe
    flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
    user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
    flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
filter unix - n n - 10 pipe
    flags=Rq user=filter argv=/usr/local/bin/filter.sh -f ${sender} -- ${recipient}
relay unix - - n - - smtp
retry unix - - n - - error
proxywrite unix - - n - 1 proxymap
Here's filter.sh
# cat /usr/local/bin/filter.sh
#!/bin/sh
# Simple shell-based filter. It is meant to be invoked as follows:
# /path/to/script -f sender recipients...

# Localize these.
INSPECT_DIR=/usr/local/filter
SPAMDIR=/var/spool/spam
SENDMAIL="/usr/sbin/sendmail -i"
SPAMASSASSIN=/usr/local/bin/spamassassin
SPAMLIMIT=5
SPAMCK=2

# Exit codes from <sysexits.h>
EX_TEMPFAIL=75
EX_UNAVAILABLE=69

# Start processing.
cd $INSPECT_DIR || {
    echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }

# Clean up when done or when aborting.
trap "rm -f out.$$" 0 1 2 3 15

cat | $SPAMASSASSIN -x > out.$$ || \
    { echo Cannot save mail to file; exit $EX_TEMPFAIL; }

if egrep -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < out.$$
then
    mv out.$$ $SPAMDIR
elif egrep -q "^X-Spam-Level: \*{$SPAMCK,}" < out.$$
then
    $SENDMAIL geek < out.$$
else
    $SENDMAIL "$@" < out.$$
fi

exit $?
Errors in the current maillog
# egrep -i '(error|warn|fatal)' /var/log/maillog | egrep -v '(aol\.com\/errors|rDNS|policyd|does not resolve|retrying|imapd|mailman)'
Sep 29 00:33:26 mail postfix/error[46780]: 0965C2F1568: to=<m...@tx.rr.com>, relay=none, delay=0.06, delays=0.03/0.01/0/0.02, dsn=4.7.1, status=deferred (delivery temporarily suspended: host cdptpa-smtpin02.mail.rr.com[75.180.132.244] refused to talk to me: 421 4.7.1 - Connection refused - <216.58.158.171> - Too many concurrent connections from source IP)
Sep 29 10:08:26 mail postfix/qmgr[9496]: 429602F1593: from=<fdawarn...@easilytoday.com>, size=2508, nrcpt=1 (queue active)
Sep 29 12:27:07 mail postfix/smtpd[26362]: warning: SASL authentication failure: Password verification failed
Sep 29 12:27:07 mail postfix/smtpd[26362]: warning: 61.sub-70-192-192.myvzw.com[70.192.192.61]: SASL PLAIN authentication failed: authentication failure
Sep 29 12:27:07 mail postfix/smtpd[26362]: warning: 61.sub-70-192-192.myvzw.com[70.192.192.61]: SASL LOGIN authentication failed: authentication failure
I discovered last night that the new hosting company didn't set up rDNS for
the mail server. That was corrected about midnight, but DNS has to catch
up. The egrep excludes things that don't relate directly to postfix
operational parameters. E.g., I had changed the perms on the mailman
directory in error. That's now been fixed. I have an ssl cert tls error
for imap in the logs that was corrected.

I'll be happy to answer any additional questions or post other relevant
information.

Paul Schmehl (g...@stovebolt.com)
The Stovebolt Geek
The Net's Oldest and Most Complete
Resource for Antique Chevy and GM Trucks
http://www.stovebolt.com
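
In the maillog above, the re-injected copy is logged with from=<filter> and orig_to=<geek>, which is consistent with the `$SENDMAIL geek` branch of filter.sh rather than the `$SENDMAIL "$@"` branch. The script below is an added example, not part of the original post: it replays the filter's three-way X-Spam-Level decision on constructed messages. The function names (spam_stars, route_for, make_msg, demo) and the sample messages are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: replays filter.sh's branch decision on constructed messages.
# Function names here are hypothetical; they do not exist in the post.
SPAMLIMIT=5   # copied from filter.sh: stars at which mail is moved to $SPAMDIR
SPAMCK=2      # copied from filter.sh: stars at which mail is re-sent to "geek"

# spam_stars FILE: print the number of '*' in the first X-Spam-Level header.
# Only the header block is read (up to the first empty line); the egrep in
# filter.sh scans the whole file, body included.
spam_stars() {
    awk '
        /^$/ { exit }
        /^X-Spam-Level:/ { n = gsub(/\*/, "*"); print n; found = 1; exit }
        END { if (!found) print 0 }
    ' "$1"
}

# route_for FILE: print the filter.sh branch the tagged message would take.
route_for() {
    stars=$(spam_stars "$1")
    if [ "$stars" -ge "$SPAMLIMIT" ]; then
        echo quarantine      # mv out.$$ $SPAMDIR
    elif [ "$stars" -ge "$SPAMCK" ]; then
        echo review:geek     # $SENDMAIL geek: the original recipients are not used
    else
        echo deliver         # $SENDMAIL "$@": sender and recipients passed through
    fi
}

# make_msg FILE LEVEL: write a constructed message; LEVEL is the star string
# SpamAssassin would put in X-Spam-Level (empty string = header absent).
make_msg() {
    {
        echo "Subject: Test from www to RR"
        if [ -n "$2" ]; then echo "X-Spam-Level: $2"; fi
        echo
        echo "Testing"
    } > "$1"
}

# demo: show the branch taken for 0, 1, 3 and 6 stars.
demo() {
    dir=$(mktemp -d) || return 1
    for level in "" "*" "***" "******"; do
        make_msg "$dir/msg" "$level"
        printf '%-8s -> %s\n' "[$level]" "$(route_for "$dir/msg")"
    done
    rm -rf "$dir"
}
demo
```

Running `spamassassin -t` on a saved copy of the test message shows its score and the rules that fired, which tells you which of these branches the real filter takes for it.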