In message <5709c8c8.1050...@megan.vbhcs.org>
Noel Jones writes:

> On 4/9/2016 10:00 PM, Curtis Villamizar wrote:
> > Since I enabled postscreen (with soft_bounce=yes in master.cf) I was
> > getting logs of this form:
> >
> >   Apr 9 01:08:12 mta1 postfix/postscreen[18326]:
> >     NOQUEUE: reject: RCPT from [2607:f8b0:4002:c05::22d]:32999:
> >     450 4.3.2 Service currently unavailable;
> >     from=<redac...@gmail.com>, to=<REDACTED>,
> >     proto=ESMTP, helo=<mail-yw0-x22d.google.com>
> >
> > linefeeds added by me for readability.
> >
> > gmail would just keep trying a half hour later and mail never gets
> > delivered.
> >
> > rfc3463 isn't very helpful:
> >
> >   X.3.2 System not accepting network messages
> >
> >     The host on which the mailbox is resident is not accepting
> >     messages. Examples of such conditions include an immanent
> >     shutdown, excessive load, or system maintenance. This is
> >     useful for both permanent and permanent transient errors.
> >
> > I have lines of the form:
> >
> >   main.cf:
> >     postscreen_access_list =
> >       cidr:$config_directory/postscreen_access
> >       hash:$config_directory/postscreen_reject
> >
> >   postscreen_access:
> >     # google mail servers
> >     2607:f8b0:4002:c00::/60 permit
> >     [... other google server blocks ...]
> >
> > This is a workaround that shouldn't be needed.
> >
> > Any idea what the cause of this is? So far no legit mail except gmail
> > gets caught here.
> >
> > Curtis
>
> Look for other warnings and errors in your logs, maybe just before
> the reject, maybe earlier.
>
> -- Noel Jones

This is it for that connection:

  Apr 9 01:07:15 mta1 postfix/postscreen[18326]: CONNECT from [2607:f8b0:4002:c05::22d]:32999 to [2001:470:88e6:1::141]:25
  Apr 9 01:07:18 mta1 postfix/tlsproxy[18331]: CONNECT from [2607:f8b0:4002:c05::22d]:32999
  Apr 9 01:08:12 mta1 postfix/tlsproxy[18331]: Untrusted TLS connection established from [2607:f8b0:4002:c05::22d]:32999: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Apr 9 01:08:12 mta1 postfix/postscreen[18326]: NOQUEUE: reject: RCPT from [2607:f8b0:4002:c05::22d]:32999: 450 4.3.2 Service currently unavailable; from=<redac...@gmail.com>, to=<REDACTED>, proto=ESMTP, helo=<mail-yw0-x22d.google.com>
  Apr 9 01:08:12 mta1 postfix/postscreen[18326]: PASS NEW [2607:f8b0:4002:c05::22d]:32999
  Apr 9 01:08:12 mta1 postfix/tlsproxy[18331]: DISCONNECT [2607:f8b0:4002:c05::22d]:32999
  Apr 9 01:08:12 mta1 postfix/postscreen[18326]: DISCONNECT [2607:f8b0:4002:c05::22d]:32999

The IP address got whitelisted but then the next retry from gmail
usually doesn't come from the same IP address and comes 30 minutes
later. They seem to have some sort of pool of servers that work on
the same set of mail queues.

Today I caught 2 gmails where this happened where I didn't have the
block in the permit list but each got delivered on next attempt.

I haven't had postscreen enabled long and only for two domains, one
currently used only for a web site and therefore available for email
testing and the other that is mostly mail to me and gets a fair amount
of spam.

I now have a non-gmail sender where this happened. In that case after
the 450 it went immediately to the secondary MX that at this time is
not running postscreen and all was fine.

I'll recheck my configs, then post if I can't figure it out.

Curtis
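
An added example, not part of the original messages: a log check that finds clients postscreen answered with 450 4.3.2 and then logged as PASS NEW on the same connection, and groups them by prefix to show retries arriving from different addresses of one sender pool. The /60 grouping follows the postscreen_access entry quoted above; the function names, the /24 used for IPv4 and the sample log are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the first client address is the one from the thread; the
# other clients, envelope addresses and later timestamps are made up.
SAMPLE_LOG = """\
Apr 9 01:08:12 mta1 postfix/postscreen[18326]: NOQUEUE: reject: RCPT from [2607:f8b0:4002:c05::22d]:32999: 450 4.3.2 Service currently unavailable; from=<a@example.com>, to=<b@example.org>, proto=ESMTP, helo=<h1.example.com>
Apr 9 01:08:12 mta1 postfix/postscreen[18326]: PASS NEW [2607:f8b0:4002:c05::22d]:32999
Apr 9 01:38:40 mta1 postfix/postscreen[18326]: NOQUEUE: reject: RCPT from [2607:f8b0:4002:c06::233]:41010: 450 4.3.2 Service currently unavailable; from=<a@example.com>, to=<b@example.org>, proto=ESMTP, helo=<h2.example.com>
Apr 9 01:38:40 mta1 postfix/postscreen[18326]: PASS NEW [2607:f8b0:4002:c06::233]:41010
Apr 9 02:10:05 mta1 postfix/postscreen[18326]: NOQUEUE: reject: RCPT from [2001:db8::25]:50000: 450 4.3.2 Service currently unavailable; from=<c@example.net>, to=<b@example.org>, proto=ESMTP, helo=<h3.example.net>
Apr 9 02:10:05 mta1 postfix/postscreen[18326]: PASS NEW [2001:db8::25]:50000
Apr 9 02:40:11 mta1 postfix/postscreen[18326]: PASS OLD [2001:db8::25]:50712
"""

CLIENT = r"\[(?P<ip>[0-9A-Fa-f:.]+)\]:(?P<port>\d+)"
REJECT = re.compile(r"postscreen\[\d+\]: NOQUEUE: reject: RCPT from " + CLIENT + r": 450 4\.3\.2 ")
PASS_NEW = re.compile(r"postscreen\[\d+\]: PASS NEW " + CLIENT)


def deferred_clients(log):
    """Addresses that got 450 4.3.2 and PASS NEW on the same connection (ip, port)."""
    rejected, passed = set(), set()
    for line in log.splitlines():
        m = REJECT.search(line)
        if m:
            rejected.add((m["ip"], m["port"]))
            continue
        m = PASS_NEW.search(line)
        if m:
            passed.add((m["ip"], m["port"]))
    return sorted({ip for ip, _port in rejected & passed})


def retry_pools(addresses, v6_prefix=60, v4_prefix=24):
    """Group addresses by enclosing network; keep networks with more than one
    deferred address, i.e. a retry that arrived from a not-yet-passed pool member."""
    groups = defaultdict(list)
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        plen = v6_prefix if ip.version == 6 else v4_prefix
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        groups[str(net)].append(addr)
    return {net: ips for net, ips in groups.items() if len(ips) > 1}


if __name__ == "__main__":
    for net, ips in retry_pools(deferred_clients(SAMPLE_LOG)).items():
        print(net, "->", ", ".join(ips))
```

Networks reported by `retry_pools` are the ones to compare against the `cidr:` table in `postscreen_access_list`.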