> The "connection refused" is the part that needs to be fixed. VPN (temporarily?) down? firewall issue? "wrong" destination? something else?

Starting with those^ to narrow down, looking backwards through my logs - for cases of 'double-bounce' & 'connection refused' - this apparently has been going on a while :-(

It's a bit confusing to me, as there are 'from=<double-bounce.*@mail01.example.com' examples that fail

    postfix.log:Apr 12 08:43:20 mail01 postfix/qmgr[14749]: 3qxxxxxxxxxxxx1: from=<double-bounce3...@mail01.example.com>, size=254, nrcpt=1 (queue active)
    postfix.log-Apr 12 08:43:20 mail01 postfix/vpn/smtp[20641]: connect to back.mail01.example.com[10.1.1.16]:25: Connection refused

and those that work, or at least refuse differently

    postfix.log:Apr 12 09:12:19 mail01 postfix/qmgr[14749]: 3qxxxxxxxxxxxx2: from=<double-bounce3...@mail01.example.com>, size=254, nrcpt=1 (queue active)
    postfix.log-Apr 12 09:12:19 mail01 postfix/psint/smtpd[21873]: NOQUEUE: reject: RCPT from a8-95.smtp-out.amazonses.com[54.240.8.95]: 450 4.1.1 <exampl...@example.com>: Recipient address rejected: unverified address: Recipient address verification failed; from=<01...@amazonses.com> to=<exampl...@example.com> proto=ESMTP helo=<a8-95.smtp-out.amazonses.com>

etc.

I'm trying to identify consistent patterns to figure out the cause.

In postconf, 'double' only appears in two places.

    postconf | grep double
        address_verify_sender = $double_bounce_sender
        double_bounce_sender = double-bounce

I suspect address verification.

My goal is that only incoming mail from the net gets address-verified for legitimate recipient. That's the Accepted if OK, rejected if not. And ideally outgoing mail gets limited to being sent from/by valid email addresses.

The backend in this exercise has the valid recipient list. So verify checks are done 'by' the frontend 'against' the backend.

From my config,

./main.cf

    address_verify_map = lmdb:/var/lib/postfix/verify_cache
    address_verify_sender = $double_bounce_sender
    address_verify_transport_maps = static:vpn:[back.mail01.example.com]:25
    double_bounce_sender = double-bounce
    reject_tempfail_action = defer_if_permit
    transport_maps =
        lmdb:/etc/postfix/relay_transports
        lmdb:/etc/postfix/external_transports
    unverified_recipient_reject_reason = Recipient address verification failed
    unverified_recipient_tempfail_action = defer_if_permit
    smtpd_recipient_restrictions =
        reject_non_fqdn_recipient
        reject_unauth_pipelining
        reject_non_fqdn_recipient
        reject_unknown_recipient_domain
        permit_mynetworks
        reject_unverified_recipient
        reject_unlisted_recipient

master.cf

    ...
    [127.0.0.1]:14002 inet n - n - - smtpd
        -o syslog_name=postfix/postqrtrn
        -o content_filter=vpn:[back.mail01.example.com]:50001
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings,no_milters
        -o mynetworks=127.0.0.0/8,10.1.0.0/24,10.1.1.0/24
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_sender_restrictions=
        -o smtpd_relay_restrictions=permit_mynetworks,reject
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=
        -o smtpd_end_of_data_restrictions=
        -o smtpd_etrn_restrictions=

    vpn unix - - n - - smtp
        -o syslog_name=postfix/vpn
        -o smtp_bind_address=10.1.0.16
        -o smtp_connect_timeout=5
        -o smtp_helo_timeout=5
    ...

and

./relay_transports

    example.com             vpn:[back.mail01.example.com]:50001

./external_transports

    mail01.example.com      local:
    *                       amavis:[127.0.0.1]:14003

IIUC^ the ONLY thing that port 25 on the backend should ever be seeing is address verification probes from the frontend. Once everything's ok, the mail transport from the frontend goes to the backend port 50001 for receipt and further processing.

Atm, my best guess is that the problem's either in master.cf's

    -o receive_override_options=...
    -o smtpd_mumble_restrictions=

or main.cf's

    address_verify_transport_maps =

, maybe !static ...

I'm guessing there's a clever telnet &/or sendmail 'test' to exec here that'll help narrow this down. But so far I'm not sure what piece would have to connect to what, and how :-/

Jason
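
An added example, not part of the original post: one way to look for the consistent pattern in the logs is to separate verification probes (queue IDs whose sender starts with double-bounce) from ordinary deliveries, and to count "Connection refused" per service and destination port (25 for probes, 50001 for mail in the config above). The sample lines are constructed on the model of the excerpts above; the per-recipient "to=<...>, status=..." line format and the function name analyse() are assumptions, not taken from the post.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log excerpts in the post (not real data).
SAMPLE_LOG = """\
Apr 12 08:43:20 mail01 postfix/qmgr[14749]: 3qAAAAAAAAAAAA1: from=<double-bounce@mail01.example.com>, size=254, nrcpt=1 (queue active)
Apr 12 08:43:20 mail01 postfix/vpn/smtp[20641]: connect to back.mail01.example.com[10.1.1.16]:25: Connection refused
Apr 12 08:43:20 mail01 postfix/vpn/smtp[20641]: 3qAAAAAAAAAAAA1: to=<user@example.com>, relay=none, delay=0.01, delays=0/0/0.01/0, dsn=4.4.1, status=deferred (connect to back.mail01.example.com[10.1.1.16]:25: Connection refused)
Apr 12 09:12:18 mail01 postfix/qmgr[14749]: 3qAAAAAAAAAAAA2: from=<double-bounce@mail01.example.com>, size=254, nrcpt=1 (queue active)
Apr 12 09:12:19 mail01 postfix/vpn/smtp[20650]: 3qAAAAAAAAAAAA2: to=<nobody@example.com>, relay=back.mail01.example.com[10.1.1.16]:25, delay=0.2, delays=0/0/0.1/0.1, dsn=5.1.1, status=undeliverable (host back.mail01.example.com[10.1.1.16] said: 550 5.1.1 User unknown)
Apr 12 09:15:02 mail01 postfix/qmgr[14749]: 3qAAAAAAAAAAAA3: from=<sender@example.net>, size=1800, nrcpt=1 (queue active)
Apr 12 09:15:02 mail01 postfix/vpn/smtp[20655]: 3qAAAAAAAAAAAA3: to=<user@example.com>, relay=back.mail01.example.com[10.1.1.16]:50001, delay=0.3, delays=0/0/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(?P<svc>\S+)\[\d+\]:\s(?P<msg>.*)$")
FROM = re.compile(r"^(?P<qid>\w+): from=<(?P<sender>[^>]*)>")
STATUS = re.compile(r"^(?P<qid>\w+): to=<[^>]*>, relay=[^,]+,.*?status=(?P<status>\w+)")
REFUSED = re.compile(r"^connect to (?P<host>\S+)\[[^\]]+\]:(?P<port>\d+): Connection refused")


def analyse(log_text, probe_localpart="double-bounce"):
    """Return (probe_status, refused, other_status) for a Postfix log.

    probe_status: final status per verification-probe queue ID
    refused:      Counter keyed by (syslog service, host, port)
    other_status: Counter of statuses for non-probe deliveries
    """
    probes, probe_status = set(), {}
    refused, other_status = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a syslog-formatted line; skip it
        svc, msg = m["svc"], m["msg"]
        if (f := FROM.match(msg)):
            if f["sender"].startswith(probe_localpart):
                probes.add(f["qid"])  # remember probe queue IDs
        elif (r := REFUSED.match(msg)):
            refused[(svc, r["host"], int(r["port"]))] += 1
        elif (s := STATUS.match(msg)):
            if s["qid"] in probes:
                probe_status[s["qid"]] = s["status"]
            else:
                other_status[s["status"]] += 1
    return probe_status, refused, other_status


if __name__ == "__main__":
    for part in analyse(SAMPLE_LOG):
        print(part)
```

If the refusals show up only under port 25 while deliveries to 50001 succeed, the failing piece is the probe path on the backend's port 25, not the transport used for mail.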