Hi Guys,

Thanks, Wietse, for your comments; you confirmed what I assumed but couldn't afford to assume!

And thanks for your thoughts, Bennett. I'm happy to say that the key points you mentioned are ones we have already given thought to as part of our general planning. I've been progressing following your comments and have made good progress, but have hit a roadblock; I'm hoping someone can spot what I'm missing. The short issue is that although we're using 'reject_unverified_recipient' and have set 'unverified_recipient_reject_code = 550', mail is still continuing and going through greylisting (returning 450 to the client), and not until greylisting is over is it rejecting the email back to the client. The log snippet below shows that upon the initial connection, greylisting is triggered even though the remote server has returned "550 Recipient address rejected". I'm not sure if the order of the log entries is a factor of how the log handles work, or if it is indicative of a problem in the order the tests are executed. I'm hoping it's something simple I'm missing and someone will spot my failure, or, if not, give me some pointers on the best way to dig into this further. I've compiled the basics to help but am happy to dig up anything else pertinent; I just don't know enough about it to know where to push next. Any help/suggestions/pointers much appreciated.
Cheers,
Daniel

postconf mail_version:

mail_version = 2.9.6 (Debian Wheezy package, 2.9.6-2)

postconf -n:

address_verify_map = proxy:btree:$data_directory/verify_cache
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mailbox_size_limit = 0
mydestination =
myhostname = scanner-nz-01.nownz.co.nz
mynetworks = 127.0.0.0/8, 202.137.240.0/21, 202.56.32.0/20, 202.56.48.0/21, 103.8.140.0/22, 103.15.126.0/23, 203.92.24.0/23, 103.22.234.0/23, 163.47.236.0/22, 100.64.0.0/10, 10.0.0.0/8
myorigin = $myhostname
readme_directory = no
relay_domains = $transport_maps
smtpd_authorized_xclient_hosts = 202.137.240.46,202.137.240.47,202.137.240.48,127.0.0.0/8
smtpd_authorized_xforward_hosts = 202.137.240.46,202.137.240.47,202.137.240.48,127.0.0.0/8
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_rate_limit = 500
smtpd_client_message_rate_limit = 500
smtpd_client_recipient_rate_limit = 500
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated,reject_unknown_helo_hostname
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:2501
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = reject_unknown_sender_domain
strict_rfc821_envelopes = yes
transport_maps = proxy:mysql:/etc/postfix/transport.cf
unknown_address_reject_code = 550
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = Recipient address lookup failed
virtual_alias_maps = hash:/etc/postfix/virtual

Log:

Feb 17 14:54:24 scanner-nz-01 postfix/smtpd[58620]: connect from smtp-nz-01.nownz.co.nz[202.137.240.47]
Feb 17 14:54:24 scanner-nz-01 postfix/cleanup[58630]: 13761BC51: message-id=<20150217015424.13761b...@scanner-nz-01.nownz.co.nz>
Feb 17 14:54:24 scanner-nz-01 postfix/qmgr[55254]: 13761BC51: from=<double-bou...@scanner-nz-01.nownz.co.nz>, size=264, nrcpt=1 (queue active)
Feb 17 14:54:24 scanner-nz-01 sqlgrey: grey: new: 65.55.34.24(65.55.34.24), hopper...@hotmail.com -> nosuchem...@randominsanity.net.nz
Feb 17 14:54:24 scanner-nz-01 postfix/smtpd[58620]: NOQUEUE: reject: RCPT from unknown[65.55.34.24]: 450 4.7.1 <nosuchem...@randominsanity.net.nz>: Recipient address rejected: Greylisted for 5 minutes; from=<hopper...@hotmail.com> to=<nosuchem...@randominsanity.net.nz> proto=ESMTP helo=<COL004-OMC1S14.hotmail.com>
Feb 17 14:54:24 scanner-nz-01 postfix/smtp[58631]: 13761BC51: to=<nosuchem...@randominsanity.net.nz>, relay=202.137.240.16[202.137.240.16]:25, delay=0.06, delays=0/0/0.01/0.05, dsn=5.1.1, status=undeliverable (host 202.137.240.16[202.137.240.16] said: 550 5.1.1 <nosuchem...@randominsanity.net.nz>: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command))
Feb 17 14:54:24 scanner-nz-01 postfix/qmgr[55254]: 13761BC51: removed
Feb 17 14:54:24 scanner-nz-01 postfix/smtpd[58620]: disconnect from unknown[65.55.34.24]

... sqlgrey early reconnect attempts removed for brevity ...

Feb 17 14:59:33 scanner-nz-01 postfix/smtpd[58812]: connect from smtp-nz-01.nownz.co.nz[202.137.240.47]
Feb 17 14:59:33 scanner-nz-01 sqlgrey: grey: reconnect ok: 65.55.34.24(65.55.34.24), hopper...@hotmail.com -> nosuchem...@randominsanity.net.nz (00:05:08)
Feb 17 14:59:33 scanner-nz-01 sqlgrey: grey: from awl: 65.55.34.24, hopper...@hotmail.com added
Feb 17 14:59:33 scanner-nz-01 postfix/smtpd[58812]: NOQUEUE: client=unknown[65.55.34.24]
Feb 17 14:59:35 scanner-nz-01 postfix/smtpd[58820]: connect from localhost[127.0.0.1]
Feb 17 14:59:35 scanner-nz-01 postfix/smtpd[58820]: 5C90DBC51: client=localhost[127.0.0.1], orig_client=unknown[65.55.34.24]
Feb 17 14:59:35 scanner-nz-01 postfix/cleanup[58821]: 5C90DBC51: message-id=<col127-w44ca911a32d6d4dc72267aac...@phx.gbl>
Feb 17 14:59:35 scanner-nz-01 postfix/qmgr[55254]: 5C90DBC51: from=<hopper...@hotmail.com>, size=2056, nrcpt=1 (queue active)
Feb 17 14:59:35 scanner-nz-01 postfix/smtpd[58820]: disconnect from localhost[127.0.0.1]
Feb 17 14:59:35 scanner-nz-01 amavis[47717]: (47717-10) Passed CLEAN {RelayedOpenRelay}, [65.55.34.24]:39782 [65.55.34.8] <hopper...@hotmail.com> -> <nosuchem...@randominsanity.net.nz>, Message-ID: <col127-w44ca911a32d6d4dc72267aac...@phx.gbl>, mail_id: WkXs4wCZmzn6, Hits: 1.277, size: 1591, queued_as: 5C90DBC51, 1769 ms
Feb 17 14:59:35 scanner-nz-01 postfix/smtpd[58812]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:20025): 250 2.0.0 Ok: queued as 5C90DBC51; from=<hopper...@hotmail.com> to=<nosuchem...@randominsanity.net.nz> proto=ESMTP helo=<COL004-OMC1S14.hotmail.com>
Feb 17 14:59:35 scanner-nz-01 postfix/smtp[58822]: 5C90DBC51: to=<nosuchem...@randominsanity.net.nz>, relay=202.137.240.16[202.137.240.16]:25, delay=0.06, delays=0.02/0.01/0.01/0.02, dsn=5.1.1, status=bounced (host 202.137.240.16[202.137.240.16] said: 550 5.1.1 <nosuchem...@randominsanity.net.nz>: Recipient address rejected: User unknown in local recipient table (in reply to RCPT TO command))
Feb 17 14:59:35 scanner-nz-01 postfix/cleanup[58821]: 6A4AEC0B9: message-id=<20150217015935.6a4aec...@scanner-nz-01.nownz.co.nz>
Feb 17 14:59:35 scanner-nz-01 postfix/bounce[58823]: 5C90DBC51: sender non-delivery notification: 6A4AEC0B9
Feb 17 14:59:35 scanner-nz-01 postfix/qmgr[55254]: 6A4AEC0B9: from=<>, size=4322, nrcpt=1 (queue active)
Feb 17 14:59:35 scanner-nz-01 postfix/qmgr[55254]: 5C90DBC51: removed
Feb 17 14:59:35 scanner-nz-01 postfix/smtpd[58812]: disconnect from unknown[65.55.34.24]
Feb 17 14:59:36 scanner-nz-01 postfix/smtp[58822]: 6A4AEC0B9: to=<hopper...@hotmail.com>, relay=mx4.hotmail.com[207.46.8.199]:25, delay=1.4, delays=0.01/0/0.48/0.87, dsn=2.0.0, status=sent (250 <20150217015935.6a4aec...@scanner-nz-01.nownz.co.nz> Queued mail for delivery)
Feb 17 14:59:36 scanner-nz-01 postfix/qmgr[55254]: 6A4AEC0B9: removed

On Fri, Dec 19, 2014 at 5:28 AM, Bennett Todd <b...@rahul.net> wrote:
> The design sounds familiar. I've a couple of little thoughts, neither
> specific to your design sketch.
>
> Maintaining perfectly consistent distributed configuration without any risk
> of race conditions is hard; I try to design away from that requirement.
>
> So, for instance, I've avoided having servers with externally visible
> differences in behavior within a load balancing / sharing pool.
>
> And, with anything this complex, debugging is hard, so I'd try to set up a
> test harness, both to debug the configuration as you develop it, and then
> again for confirming any substantial change you make; thus the test setup,
> with test data, instrumentation, and verification, should be documented and
> maintained as part of the production system. Perhaps needless to say, the
> test harness would include the VM configuration of a test environment. And
> I'd find it comforting to have bro network monitoring for a distinct
> perspective on what the plant is doing.
>
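The question above turns on the order in which smtpd walks its restriction list and on what each restriction hands back. The following is an added illustration, not code from the post or from Postfix: a small model of the access(5) action semantics (OK and REJECT/DEFER end the walk, DUNNO moves on, DEFER_IF_PERMIT is remembered and fires only if the walk would otherwise end in a permit) run over the smtpd_recipient_restrictions list from the postconf -n output. Everything else is assumed for the exercise: the reply each restriction gives, that the greylisting policy daemon answers with an explicit 450 for an unseen triplet, that unverified_recipient_tempfail_action is at its default of defer_if_permit, and the recipient and relay domain (nosuchuser@example.net). It does not claim to say what happened on Daniel's server; it shows which reply the client sees under each combination, so the outcomes can be set beside the log.

```python
"""Model of an smtpd walk over smtpd_recipient_restrictions (access(5) semantics).

Added example, not Postfix code.  The restriction list is the one from the post;
the replies each restriction produces, the greylister's explicit 450, the default
unverified_recipient_tempfail_action, and the domains are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Restriction outcomes, named as in access(5).
OK, DUNNO, REJECT, DEFER, DEFER_IF_PERMIT = "OK", "DUNNO", "REJECT", "DEFER", "DEFER_IF_PERMIT"


@dataclass
class Verdict:
    action: str
    code: int = 0
    text: str = ""


@dataclass
class Rcpt:
    """One RCPT TO command plus the state the restrictions consult (all assumed)."""
    recipient: str
    verify_status: str                      # "ok", "undeliverable" (cached 5xx) or "pending" (probe in flight)
    greylist_state: str                     # "new" or "known" triplet, as the policy daemon would see it
    in_mynetworks: bool = False
    sasl_authenticated: bool = False
    tempfail_action: str = DEFER_IF_PERMIT  # unverified_recipient_tempfail_action (default value)
    relay_domains: Tuple[str, ...] = ("example.net",)  # stands in for the $transport_maps domains


def reject_non_fqdn_recipient(r: Rcpt) -> Verdict:
    if "." in r.recipient.rpartition("@")[2]:
        return Verdict(DUNNO)
    return Verdict(REJECT, 504, "Recipient address rejected: need fully-qualified address")


def reject_unverified_recipient(r: Rcpt) -> Verdict:
    if r.verify_status == "ok":
        return Verdict(DUNNO)
    if r.verify_status == "undeliverable":
        # unverified_recipient_reject_code / _reject_reason as set in the post
        return Verdict(REJECT, 550, "Recipient address rejected: Recipient address lookup failed")
    # Probe not finished: a temporary failure, handled per unverified_recipient_tempfail_action
    return Verdict(r.tempfail_action, 450, "Recipient address rejected: Address verification in progress")


def permit_mynetworks(r: Rcpt) -> Verdict:
    return Verdict(OK) if r.in_mynetworks else Verdict(DUNNO)


def permit_sasl_authenticated(r: Rcpt) -> Verdict:
    return Verdict(OK) if r.sasl_authenticated else Verdict(DUNNO)


def reject_unauth_destination(r: Rcpt) -> Verdict:
    if r.recipient.rpartition("@")[2] in r.relay_domains:
        return Verdict(DUNNO)
    return Verdict(REJECT, 554, "Relay access denied")


def check_policy_service(r: Rcpt) -> Verdict:
    # Assumed: the greylister replies with an explicit 450 for a new triplet, not DEFER_IF_PERMIT.
    if r.greylist_state == "new":
        return Verdict(DEFER, 450, "Recipient address rejected: Greylisted for 5 minutes")
    return Verdict(DUNNO)


# The list from the post, in the configured order.
SMTPD_RECIPIENT_RESTRICTIONS: List[Tuple[str, Callable[[Rcpt], Verdict]]] = [
    ("reject_non_fqdn_recipient", reject_non_fqdn_recipient),
    ("reject_unverified_recipient", reject_unverified_recipient),
    ("permit_mynetworks", permit_mynetworks),
    ("permit_sasl_authenticated", permit_sasl_authenticated),
    ("reject_unauth_destination", reject_unauth_destination),
    ("check_policy_service", check_policy_service),
]


def evaluate(r: Rcpt, restrictions=SMTPD_RECIPIENT_RESTRICTIONS) -> Tuple[int, str, List[str]]:
    """Walk the list; return (reply code, reply text, names of restrictions consulted)."""
    consulted: List[str] = []
    pending: Optional[Verdict] = None   # the first DEFER_IF_PERMIT seen is the one kept
    for name, fn in restrictions:
        consulted.append(name)
        v = fn(r)
        if v.action == OK:               # explicit permit: a pending DEFER_IF_PERMIT fires now
            return (pending.code, pending.text, consulted) if pending else (250, "Ok", consulted)
        if v.action in (REJECT, DEFER):  # explicit 4xx/5xx ends the walk, pending defer or not
            return v.code, v.text, consulted
        if v.action == DEFER_IF_PERMIT and pending is None:
            pending = v
        # DUNNO: consult the next restriction
    # End of the list without a decision is an implicit permit, so a pending defer fires here.
    return (pending.code, pending.text, consulted) if pending else (250, "Ok", consulted)


if __name__ == "__main__":
    addr = "nosuchuser@example.net"
    for label, rcpt in [
        ("cached 5xx probe result", Rcpt(addr, "undeliverable", "new")),
        ("probe pending, new triplet", Rcpt(addr, "pending", "new")),
        ("probe pending, known triplet", Rcpt(addr, "pending", "known")),
        ("probe pending, tempfail_action=defer", Rcpt(addr, "pending", "new", tempfail_action=DEFER)),
    ]:
        code, text, seen = evaluate(rcpt)
        print(f"{label:38s} -> {code} {text}  (consulted: {', '.join(seen)})")
```

Two things fall out of the walk. Only a cached 5xx verification result stops the walk at reject_unverified_recipient; while the probe is still in flight the restriction, at its default tempfail action, merely records a DEFER_IF_PERMIT and lets the later restrictions run, so an explicit 450 from the policy service is what reaches the client. If the greylister is instead configured to answer DEFER_IF_PERMIT, swap the reply in check_policy_service: the model keeps the first pending reason, and the text the client sees changes accordingly.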