Currently my production mail relay for work (sitting between Exchange and the Internet) uses Postfix 2.9.3 on Debian 6. I'm building up a new system using Postfix 2.11.0 on Ubuntu 14, and incorporating postscreen as the first line of defense. Almost all the software is installed with distro packages in both cases. The postscreen config is based on rob0's example that is available on the Internet.
After the server has been running for a while, it will reject all connection attempts with a 450 code. There's nothing in the log as to why it's being rejected.

Feb 11 13:22:24 nexus1 postfix/postscreen[27744]: CONNECT from [166.70.79.219]:37044 to [10.8.0.21]:25
Feb 11 13:22:31 nexus1 postfix/postscreen[27744]: NOQUEUE: reject: RCPT from [166.70.79.219]:37044: 450 4.3.2 Service currently unavailable; from=<elyog...@elyograg.org>, to=<shei...@redacted.com>, proto=ESMTP, helo=<frodo.elyograg.org>
Feb 11 13:22:32 nexus1 postfix/postscreen[27744]: PASS NEW [166.70.79.219]:37044
Feb 11 13:22:32 nexus1 postfix/postscreen[27744]: DISCONNECT [166.70.79.219]:37044

With no changes to the config, I can restart postfix, then flush the queue on my personal server which is trying to send the message, and it will immediately get through with no problem.

This problem is a showstopper that is preventing me from bringing this new server into production. I suspect (but cannot confirm) that postscreen is having difficulty reaching one or more of its configured DNSBL servers.

Is it possible to configure postscreen so that it will log the underlying reason for the reject? If so, how do I do that? Any ideas for how to detect and fix this problem are appreciated.
Here's my slightly redacted postconf -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 524288000
message_size_limit = 52428800
mydestination = nexus1.REDACTED.com, localhost.REDACTED.com, localhost
myhostname = nexus1.REDACTED.com
mynetworks = REDACTED
myorigin = /etc/mailname
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/client_access, cidr:/etc/postfix/postcreen_access,
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination, hash:/etc/postfix/relaydomains
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 60
smtpd_client_restrictions = permit_mynetworks, check_client_access regexp:/etc/postfix/client_regexp, check_client_access cidr:/etc/postfix/client_access, reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_data_restrictions = check_client_access cidr:/etc/postfix/rule_breakers, reject_unauth_pipelining, permit_mynetworks, reject_multi_recipient_bounce
smtpd_delay_reject = yes
smtpd_error_sleep_time = 15
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, sleep 2, check_recipient_access hash:/etc/postfix/recipient_access, reject_non_fqdn_recipient, reject_unauth_destination, reject_unknown_recipient_domain, reject_unlisted_recipient,
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_soft_error_limit = 2
smtpd_tls_cert_file = /etc/ssl/certs/local/wildcard.combined.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual

Thanks,
Shawn
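
A log-triage sketch for the excerpt in the post above, added here as an example and not part of the original post or of Postfix: it groups postscreen lines per client address and port and labels each session. It relies on the behaviour documented in POSTSCREEN_README that a client which passes the after-greeting tests (bare newline, non-SMTP command and pipelining are all enabled in the posted config) is answered with a 4xx and whitelisted for its next connection; the function names and the second sample session are constructed.

```python
import re

# Lines 1-4: excerpt from the post. Lines 5-8: constructed DNSBL reject session.
SAMPLE_LOG = """\
Feb 11 13:22:24 nexus1 postfix/postscreen[27744]: CONNECT from [166.70.79.219]:37044 to [10.8.0.21]:25
Feb 11 13:22:31 nexus1 postfix/postscreen[27744]: NOQUEUE: reject: RCPT from [166.70.79.219]:37044: 450 4.3.2 Service currently unavailable; from=<elyog...@elyograg.org>, to=<shei...@redacted.com>, proto=ESMTP, helo=<frodo.elyograg.org>
Feb 11 13:22:32 nexus1 postfix/postscreen[27744]: PASS NEW [166.70.79.219]:37044
Feb 11 13:22:32 nexus1 postfix/postscreen[27744]: DISCONNECT [166.70.79.219]:37044
Feb 11 13:25:01 nexus1 postfix/postscreen[27744]: CONNECT from [192.0.2.10]:40000 to [10.8.0.21]:25
Feb 11 13:25:03 nexus1 postfix/postscreen[27744]: DNSBL rank 5 for [192.0.2.10]:40000
Feb 11 13:25:07 nexus1 postfix/postscreen[27744]: NOQUEUE: reject: RCPT from [192.0.2.10]:40000: 550 5.7.1 Service unavailable; client [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.org>, to=<b@example.com>, proto=ESMTP, helo=<mx.example.org>
Feb 11 13:25:07 nexus1 postfix/postscreen[27744]: DISCONNECT [192.0.2.10]:40000
"""

LINE = re.compile(r"postfix/postscreen\[\d+\]: (?P<msg>.*)")
CLIENT = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]:(?P<port>\d+)")
REJECT = re.compile(r"NOQUEUE: reject: .*?: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) ")

def sessions(log_text):
    """Group postscreen lines into per-connection sessions, in CONNECT order."""
    open_by_client, ordered = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        c = m and CLIENT.search(m["msg"])   # first [ip]:port is the client
        if not c:
            continue
        key, msg = (c["ip"], c["port"]), m["msg"]
        if msg.startswith("CONNECT"):       # a reused port starts a new session
            open_by_client[key] = {"client": key, "events": [], "replies": []}
            ordered.append(open_by_client[key])
        s = open_by_client.get(key)
        if s is None:                       # session began before this excerpt
            continue
        s["events"].append(msg.split()[0])
        r = REJECT.search(msg)
        if r:
            s["replies"].append(f'{r["code"]} {r["dsn"]}')
    return ordered

def classify(s):
    """Label one session by what postscreen logged for it."""
    passed = "PASS" in s["events"]
    if passed and "450 4.3.2" in s["replies"]:
        return "deferred after passing tests; client must reconnect"
    if "DNSBL" in s["events"] and any(r.startswith("5") for r in s["replies"]):
        return "rejected on DNSBL score"
    return "passed" if passed else "unclassified"

for s in sessions(SAMPLE_LOG):
    print("%s:%s" % s["client"], "->", classify(s))
```

Sessions labelled "unclassified" on a real log are the ones worth reading by hand, since they ended without either a PASS or a scored reject.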