Background: Internal Mail Relay server. Connections from the internet are not possible. The vast majority of messages are going to Google Apps.
Problem one: How to properly 'blacklist' certain To: addresses. I am currently using:

    header_checks = pcre:/etc/postfix/header_checks

where header_checks looks like this (abbreviated):

    /^To: et...@aaaaaa.com/ DISCARD
    /^To: nicole.elli...@aaaaaa.com/ DISCARD
    /^To: jobcontroller_na...@aaaaaa.com/ DISCARD

I had a naive idea to do this:

    #smtpd_recipient_restrictions = permit_mynetworks,
    #        reject_unauth_pipelining,
    #        reject_non_fqdn_recipient,
    #        reject_unknown_recipient_domain,
    #        check_recipient_access = hash:/etc/postfix/recipient_access,
    #        permit

But that blew up with:

    May 31 13:58:16 rmail3b00 postfix/smtpd[32485]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit

If I include 'check_relay_domains', that defeats the purpose of the server being an internal mail relay. I can't use 'reject_unauth_destination', since postfix isn't the final destination, or a backup relay server for such. Could someone enlighten me as to what I'm missing? Yes, the 'right' answer is to clean up these messages at the source. Unfortunately that's not feasible.
Problem two:

    May 30 12:31:39 rmail3b01 postfix/smtpd[6239]: DD01F7B0: client=unknown[10.12.244.5]
    May 30 12:31:39 rmail3b01 postfix/cleanup[6270]: DD01F7B0: message-id=<jira.93213.1369931405057.32084.1369931500...@prtjira01.atl.aaaaaa.com>
    *May 30 12:31:39* rmail3b01 postfix/qmgr[9732]: DD01F7B0: from=<jira.nore...@aaaaaa.com>, size=1796, nrcpt=1 (queue active)
    *May 30 12:38:23 rmail3b01 postfix/error[6485]: DD01F7B0: to=<acre...@aaaaaa.com>, relay=none, delay=403, delays=0.01/403/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: conversation with alt1.aspmx.l.google.com[173.194.65.27] timed out while sending end of data -- message may be sent more than once)*
    *May 30 12:48:22* rmail3b01 postfix/qmgr[9732]: DD01F7B0: from=<jira.nore...@aaaaaa.com>, size=1796, nrcpt=1 (queue active)
    May 30 12:48:23 rmail3b01 postfix/smtp[6682]: DD01F7B0: to=<acre...@aaaaaa.com>, relay=aspmx.l.google.com[173.194.75.26]:25, delay=1003, delays=1002/0.47/0.1/0.51, dsn=2.0.0, status=sent (250 2.0.0 OK 1369932503 x16si25369762vci.84 - gsmtp)
    May 30 12:48:23 rmail3b01 postfix/qmgr[9732]: DD01F7B0: removed

I have several messages which follow the above pattern. They're received from internal systems just fine. Some minutes later, they give me a 'deferred' error. A few minutes later, they are sent successfully. However, while watching tcpdump output very carefully, I can find no evidence that postfix ever attempted to send this message at or around 12:38 on May 30th. Is there ever a time when a message was never placed on the wire, yet would log as 'deferred'? Say when postfix intended to send that message as part of a pipeline, but when the pipeline is hung up by the remote server before that message can be placed on the wire?
Brass tacks:

# sh ./postfinger --all
postfinger - postfix configuration on Fri May 31 16:49:51 EDT 2013
version: 1.30

Warning: postfinger output may show private configuration information, such as ip addresses and/or domain names which you do not want to show to the public. If this is the case it is your responsibility to modify the output to hide this private information. [Remove this warning with the --nowarn option.]

--System Parameters--
mail_version = 2.6.6
hostname = rmail3b00
uname = Linux rmail3b00 2.6.32-358.2.1.el6.centos.plus.x86_64 #1 SMP Wed Mar 13 02:09:07 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from RPM package: postfix-2.6.6-2.2.el6_1.x86_64

--Mailbox locking methods--
flock fcntl dotlock

--Supported Lookup tables--
btree cidr environ hash ldap mysql nis pcre proxy regexp static unix

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
debug_peer_list = AAAAAA.com
header_checks = pcre:/etc/postfix/header_checks
local_header_rewrite_clients = permit_mynetworks
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost
mydomain = relay.AAAAAA.com
myhostname = rmail3b00.relay.AAAAAA.com
mynetworks = cidr:/etc/postfix/mynetworks.cidr
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
smtpd_helo_required = yes

--master.cf--
smtp       inet  n  -  n  -      -  smtpd
pickup     fifo  n  -  n  60     1  pickup
cleanup    unix  n  -  n  -      0  cleanup
qmgr       fifo  n  -  n  300    1  qmgr
tlsmgr     unix  -  -  n  1000?  1  tlsmgr
rewrite    unix  -  -  n  -      -  trivial-rewrite
bounce     unix  -  -  n  -      0  bounce
defer      unix  -  -  n  -      0  bounce
trace      unix  -  -  n  -      0  bounce
verify     unix  -  -  n  -      1  verify
flush      unix  n  -  n  1000?  0  flush
proxymap   unix  -  -  n  -      -  proxymap
proxywrite unix  -  -  n  -      1  proxymap
smtp       unix  -  -  n  -      -  smtp
relay      unix  -  -  n  -      -  smtp
        -o smtp_fallback_relay=
showq      unix  n  -  n  -      -  showq
error      unix  -  -  n  -      -  error
retry      unix  -  -  n  -      -  error
discard    unix  -  -  n  -      -  discard
local      unix  -  n  n  -      -  local
virtual    unix  -  n  n  -      -  virtual
lmtp       unix  -  -  n  -      -  lmtp
anvil      unix  -  -  n  -      1  anvil
scache     unix  -  -  n  -      1  scache

--Specific file and directory permissions--
drwx-wx---. 2 postfix postdrop 4096 May 25 10:01 /var/spool/postfix/maildrop
drwx--x---. 2 postfix postdrop 4096 May 31 14:17 /var/spool/postfix/public
total 0
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 cleanup
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 flush
prw--w--w- 1 postfix postfix 0 May 31 16:49 pickup
prw--w--w- 1 postfix postfix 0 May 31 16:47 qmgr
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 showq
drwx------. 2 postfix root 4096 May 31 14:17 /var/spool/postfix/private
total 0
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 anvil
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 bounce
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 defer
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 discard
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 error
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 lmtp
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 local
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 proxymap
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 proxywrite
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 relay
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 retry
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 rewrite
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 scache
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 smtp
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 tlsmgr
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 trace
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 verify
srw-rw-rw- 1 postfix postfix 0 May 31 14:17 virtual
-rwxr-sr-x. 1 root postdrop 180808 Dec 3 2011 /usr/sbin/postdrop
-rwxr-sr-x. 1 root postdrop 213736 Dec 3 2011 /usr/sbin/postqueue

-- end of postfinger output --
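
Added example, not part of the original post: a small log classifier for the pattern in problem two. In Postfix's `delays=a/b/c/d` field, `c` is connection setup time and `d` is message transmission time. A deferral logged by the error(8) or retry transport with `relay=none` and `c = d = 0` is the queue manager suspending a destination after another message's failure, with no SMTP attempt for this message. The sample lines, host names and addresses are constructed placeholders.

```python
import re

# Constructed sample lines modelled on the log excerpt in the post
# (queue IDs, addresses and IPs are placeholders, not values from the page).
SAMPLE_LOG = """\
May 30 12:38:23 relay1 postfix/error[6485]: ABCDEF01: to=<user@example.com>, relay=none, delay=403, delays=0.01/403/0/0, dsn=4.4.2, status=deferred (delivery temporarily suspended: conversation with mx.example.net[192.0.2.27] timed out while sending end of data)
May 30 12:40:02 relay1 postfix/smtp[6500]: ABCDEF02: to=<other@example.com>, relay=mx.example.net[192.0.2.27]:25, delay=310, delays=0.02/0.01/0.5/309, dsn=4.4.2, status=deferred (conversation with mx.example.net[192.0.2.27] timed out while sending end of data)
May 30 12:48:23 relay1 postfix/smtp[6682]: ABCDEF01: to=<user@example.com>, relay=mx.example.net[192.0.2.26]:25, delay=1003, delays=1002/0.47/0.1/0.51, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Matches the per-recipient delivery record written by smtp(8), error(8), etc.
DELIVERY = re.compile(
    r"postfix/(?P<agent>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>,"
    r".*?relay=(?P<relay>[^,]+), delay=[\d.]+,"
    r" delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+),"
    r" dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)

def classify(line):
    """Return (queue_id, verdict) for a delivery record, or None for other lines."""
    m = DELIVERY.search(line)
    if m is None:
        return None
    # delays=a/b/c/d: a = before queue manager, b = in queue manager,
    # c = connection setup, d = message transmission.
    on_wire = float(m["c"]) > 0 or float(m["d"]) > 0
    if m["status"] == "sent":
        verdict = "delivered"
    elif m["agent"] in ("error", "retry") and m["relay"] == "none" and not on_wire:
        verdict = "deferred-by-queue-manager"  # no SMTP attempt for this message
    elif on_wire:
        verdict = "deferred-after-smtp-attempt"
    else:
        verdict = "deferred-other"
    return m["qid"], verdict

def summarize(log_text):
    """Classify every delivery record in a block of log text, in order."""
    return [r for r in map(classify, log_text.splitlines()) if r]

if __name__ == "__main__":
    for qid, verdict in summarize(SAMPLE_LOG):
        print(qid, verdict)
```

Run against a real maillog, a "deferred-by-queue-manager" entry should be paired with an earlier "deferred-after-smtp-attempt" entry for a different queue ID to the same destination; that earlier message is the one to look for in a packet capture.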