On Sat, Nov 19, 2016 at 07:59:15AM +0100, postfix wrote:
> I changed this network to "real" IPV6 (before I used 6TO4
> tunnelling). Now, every host and every program (including postfix)
> rushes to use IPV6. But there are problems with postfix: on one
> Host (postfix-2.10.1-6.el7.x86_64) I had in the logs:
The postconf output suggests it might be version 2.6.6.

> Nov 19 06:13:01 tico postfix/postfix-script[23347]: the Postfix mail system is not running
> Nov 19 06:13:02 tico postfix/postfix-script[23426]: starting the Postfix mail system
> Nov 19 06:13:02 tico postfix/master[23428]: fatal: bind fe80::4216:7eff:fea7:c56b port 587: Invalid argument
> Nov 19 06:13:03 tico postfix/master[23427]: fatal: daemon initialization failure
> Nov 19 06:13:04 tico postfix/postfix-script[23429]: fatal: mail system startup failed
>
> and this every hour.

Why every hour? Are you trying to start it from a cron job?

> I know that this error comes from the fact that the IPV6 stack
> misses the interface name when binding. The postfix information
> page "Postfix IPv6 Support" is really not helpful in that
> situation, specifying "that IPV6 is hardly used today" or similar.
>
> As an immediate measure I took the local interface away from the
> interface list in main.cf. Now postfix runs like before.

Okay, so the postconf output is from AFTER this edit, and was not
causing the error above?

> Is there a possibility to circumvent this error, adding the
> interface to the address?

Let's turn the question around on you. Was there a reason why you
changed inet_interfaces and didn't use the default setting? By default
Postfix will bind to and listen on all local interface addresses.

Furthermore, why do you need the link-local address? Are there
locally-connected ipv6 clients using it? Obviously no Internet
mail-exchangers are using it. It looks like you also have an
RFC1918-addressed LAN. If the clients are dual stack they could simply
use that address.

> For ssh you have the possibility to add the interface to the IPV6
> address like fe80::4216:7eff:fea7:c56b%enp2s0 separated from the
> address by a percent sign. Or is there a workaround other than not
> using IPV6?

See http://www.postfix.org/postconf.5.html#inet_interfaces for the
syntax and defaults.
> postconf -n
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> anvil_rate_time_unit = 60s
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter =
> daemon_directory = /usr/libexec/postfix
> data_directory = /data/postfix/cache
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
>     $daemon_directory/$process_name $process_id & sleep 5
> defer_transports =
> disable_dns_lookups = no

Set "enable_long_queue_ids = 1".

> header_checks = regexp:/etc/postfix/header_checks
> html_directory = no
> inet_interfaces = localhost

What this does: Postfix at startup time does a hosts(5) lookup per the
nsswitch.conf(5) settings for "localhost". Then it binds those
addresses which were returned. Typically those should be ipv4
127.0.0.1 and ipv6 ::1.

> inet_protocols = all
> local_recipient_maps = ldap:/etc/postfix/ldap-alias.cf

With mydestination empty, this won't be used.

> mail_owner = postfix
> mailbox_command =
> mailbox_transport =
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> masquerade_classes = envelope_sender, header_sender, header_recipient
> masquerade_domains =
> masquerade_exceptions = root
> message_size_limit = 20480000
> mydestination =
> myhostname = myhost.mydomain.com
> mynetworks = 192.168.97.0/28, 127.0.0.0/8, [::1]/128, [fe80::]/64,
>     [fec0::]/64
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> postscreen_access_list = permit_mynetworks,
>     cidr:/etc/postfix/postscreen_access.cidr
> postscreen_blacklist_action = enforce
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = sbl-xbl.spamhaus.org*2 b.barracudacentral.org*2
> postscreen_dnsbl_threshold = 2

Why sbl-xbl and not zen? Also, why the scoring? If you're going to
block on either one, leave off the *2 and omit the
postscreen_dnsbl_threshold setting.
> postscreen_greet_action = enforce
> queue_directory = /data/postfix/queues
> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES

Just a packaging bug from upgrading an ancient install, I guess; this
can't actually be 2.6.6 with postscreen_* settings.

> relay_domains = permit_sasl_authenticated, permit_mynetworks,$mydestination

This is wrong. You probably wanted "relay_domains =".

> relayhost =
> sample_directory = /usr/share/doc/postfix-2.6.6/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_tls_CAfile = /etc/postfix/cert/cacert.pem
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:/data/postfix/cache/tls_smtp_session
> smtpd_client_connection_count_limit = 5
> smtpd_client_connection_rate_limit = 22
> smtpd_client_event_limit_exceptions = $mynetworks
> smtpd_client_recipient_rate_limit = 100
> smtpd_client_restrictions = permit_sasl_authenticated,
>     hash:/etc/postfix/whitelist, hash:/etc/postfix/access

Client restrictions of just a filename are going to use a
check_client_access lookup. It's better to be specific about what
you're trying to do. Also, "access" is a terrible name for an
access(5) file. Its name should indicate how it is to be used.

> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, check_helo_access
>     hash:/etc/postfix/helo_checks, reject_invalid_hostname

Like this, you specifically stated check_helo_access. That is better.

That's deprecated syntax for the last one; it's now
reject_invalid_helo_hostname.

You might find it easier to keep all restrictions in one stage. You're
all over the place with these. See here for the overview:
http://www.postfix.org/SMTPD_ACCESS_README.html

> smtpd_recipient_restrictions = permit_mynetworks,
>     permit_sasl_authenticated, reject_unauth_destination,
>     reject_rbl_client mail-abuse.org,

MAPS RBL is a pay service, and I don't think that's the correct
hostname for it.
>     reject_rbl_client sbl-xbl.spamhaus.org,

Again, why not Zen? This looks like an ancient config, upgraded without
keeping up-to-date on the services available.

>     reject_rbl_client blackholes.easynet.nl,

Are you familiar with this one? I'm not (other than having seen it in
many ancient configurations based on some blog post.) I would not use
a DNSBL with which I am not familiar.

>     reject_rbl_client cbl.abuseat.org,

This is included in Zen & sbl-xbl via XBL, so basically a wasted
lookup.

>     reject_rhsbl_client mail-abuse.org,
>     reject_rhsbl_client sbl-xbl.spamhaus.org,
>     reject_rhsbl_client blackholes.easynet.nl,
>     reject_rhsbl_client cbl.abuseat.org

Probably none of these (definitely not in the case of Spamhaus and
CBL) are RHSBL services. And they never were. These were all wrong
from the beginning.

>     check_recipient_access hash:/etc/postfix/check_recipients,

That's good, because you're specific about what you're doing and
you've given the file a descriptive name. However, if you are using
this for blocking, you should have put it before all those DNSBL
queries.

>     check_recipient_access hash:/etc/postfix/access,

This is bad for the filename, and for the fact that you're using the
same file for a check_client_access lookup. Different things are
looked up depending on the mumble in check_mumble_access. Please
familiarize yourself with that (the above-mentioned README can help.)

>     check_recipient_access ldap:/etc/postfix/ldap-spamfilter.cf, permit

Likewise the LDAP lookup might have belonged above the DNSBLs.

> smtpd_sasl_auth_enable = no
> smtpd_sasl_local_domain = postfix

The former is the default, does not need to be here; the latter makes
no sense unless the former is "yes".

> smtpd_sender_restrictions = permit_mynetworks,
>     permit_sasl_authenticated,

You won't have SASL-authenticated clients if you've disabled SASL AUTH.
>     reject_unknown_sender_domain, hash:/etc/postfix/whitelist,

Another implicit "mumble" which here in sender restrictions would be
check_sender_access. And we used the same whitelist as a
check_client_access lookup! That might not make sense.

>     check_sender_access hash:/etc/postfix/access,

And wow, a third use of that same "access" file.

>     reject_rhsbl_sender dsn.rfc-ignorant.org

The RFCI lists closed just over 4 years ago. You really should keep
up-to-date on these services you are using. You're lucky that RFCI
didn't put in a wildcard record, as some other retired DNSBL services
have done.

> smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
> smtpd_tls_CApath = /etc/postfix/cert/CA
> smtpd_tls_cert_file = /etc/postfix/cert/violina.mail.cert.pem
> smtpd_tls_key_file = /etc/postfix/cert/violina.mail.key.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/data/postfix/cache/tls_session
> strict_rfc821_envelopes = no
> transport_maps = hash:/etc/postfix/transport

What is this doing? It's used to override DNS in specific cases. If
you don't need to do that, don't set this.

> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-alias.cf
> virtual_gid_maps = static:89
> virtual_mailbox_base = /data/postfix/maildrop/
> virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap-domain.cf
> virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-mailbox.cf
> virtual_minimum_uid = 51
> virtual_transport = virtual
> virtual_uid_maps = static:89

-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
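As an added example, not part of this thread or of Postfix itself: a short Python linter that applies the review points above to a constructed excerpt of the posted postconf -n output. It flags bare table references (which Postfix treats as an implicit check_<stage>_access), the deprecated reject_invalid_hostname, permit_sasl_authenticated while smtpd_sasl_auth_enable = no, and the same access file being looked up in several restriction stages; the function names and the sample excerpt are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the postconf -n output posted in this thread; postconf
# continues wrapped values on indented lines, which the parser below rejoins.
SAMPLE_CONFIG = """\
smtpd_client_restrictions = permit_sasl_authenticated,
    hash:/etc/postfix/whitelist, hash:/etc/postfix/access
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
    hash:/etc/postfix/helo_checks, reject_invalid_hostname
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unknown_sender_domain, hash:/etc/postfix/whitelist,
    check_sender_access hash:/etc/postfix/access
"""
STAGES = ("client", "helo", "sender", "recipient")
DEPRECATED = {"reject_invalid_hostname": "reject_invalid_helo_hostname"}
MAP_RE = re.compile(r"^[a-z]+:\S+$")  # bare table reference, e.g. hash:/etc/postfix/access

def parse_postconf(text):
    """Return {parameter: value}, rejoining indented continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if line.strip() and line[0].isspace() and current is not None:
            params[current] += " " + line.strip()
        elif line.strip():
            name, _, value = line.partition("=")
            current, params[name.strip()] = name.strip(), value.strip()
    return params
def lint_restrictions(params):
    """Apply the review points from this thread to each smtpd_*_restrictions list."""
    findings, users = [], defaultdict(set)
    sasl_off = params.get("smtpd_sasl_auth_enable", "no") == "no"  # "no" is the default
    for stage in STAGES:
        key = f"smtpd_{stage}_restrictions"
        value = params.get(key, "").replace(",", " ")
        for table in re.findall(r"check_\w+_access\s+(\S+)", value):
            users[table].add(key)  # explicit lookup: the table follows the keyword
        for tok in re.sub(r"check_\w+_access\s+\S+", "", value).split():
            if MAP_RE.match(tok):  # bare table: Postfix treats it as check_<stage>_access
                findings.append(f"{key}: {tok} is an implicit check_{stage}_access, spell it out")
                users[tok].add(key)
            if tok in DEPRECATED:
                findings.append(f"{key}: {tok} is deprecated, use {DEPRECATED[tok]}")
            if tok == "permit_sasl_authenticated" and sasl_off:
                findings.append(f"{key}: permit_sasl_authenticated never matches with SASL AUTH off")
    for table, keys in users.items():
        if len(keys) > 1:  # each stage looks up a different key in the same file
            findings.append(f"{table} is reused across {', '.join(sorted(keys))}")
    return findings
```

Run `lint_restrictions(parse_postconf(SAMPLE_CONFIG))` to get one finding per point the reply raises about the posted restriction lists.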