Hello,

In our setup we have two mail gateway servers accepting incoming mail (mailgw1.noa.gr [primary] and mailgw3.noa.gr), filtering mail (using postscreen, amavis, spamassassin, clamav) and forwarding to the internal mail server (vmail2.noa.gr) where user mailboxes lie.

All servers are running postfix 3.7.0.

I am trying to investigate why our mail gateway servers (mailgw1 and mailgw3) sometimes connect over IPv6 and some other times connect over IPv4 to deliver mail to vmail2.

As an example I am listing below some successive log entries (collated, usernames modified).

Why does this happen? I would expect all connections to be made using IPv6, since it is preferred over IPv4. Why do not all connections use IPv6?

Can you please help me to understand and correct any settings if/where needed?

At the bottom I list the output of postconf -n for mailgw1 and vmail2.

Log entries follow:

May 03 07:23:54 vmail2 postfix/smtpd[24699]: connect from mailgw1.noa.gr[2001:648:2ffc:1115::27]
May 03 07:23:54 vmail2 postfix/smtpd[24699]: Anonymous TLS connection established from mailgw1.noa.gr[2001:648:2ffc:1115::27]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
May 03 07:23:54 vmail2 postfix/smtpd[24699]: 3EA3681E8C1DE: client=mailgw1.noa.gr[2001:648:2ffc:1115::27]
May 03 07:23:54 vmail2 postfix/cleanup[22675]: 3EA3681E8C1DE: message-id=<010001808828f889-bcb7b94b-b241-41c4-879f-353d04ea2966-000...@email.amazonses.com>
May 03 07:23:54 vmail2 postfix/qmgr[27646]: 3EA3681E8C1DE: from=<010001808828f889-bcb7b94b-b241-41c4-879f-353d04ea2966-000...@bounce.academia-mail.com>, size=63158, nrcpt=1 (queue active)
May 03 07:23:54 vmail2 postfix/smtpd[24699]: disconnect from mailgw1.noa.gr[2001:648:2ffc:1115::27] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 03 07:23:54 vmail2 postfix/lmtp[22677]: 3EA3681E8C1DE: to=<xx...@noa.gr>, relay=vmail2.noa.gr[private/dovecot-lmtp], delay=0.35, delays=0.31/0.002/0.001/0.034, dsn=2.0.0, status=sent (250 2.0.0 <xx...@noa.gr> YC2SIVqucGJvYgAAcV+qjQ Saved)
May 03 07:23:54 vmail2 postfix/qmgr[27646]: 3EA3681E8C1DE: removed

May 03 07:24:17 vmail2 postfix/smtpd[24699]: connect from mailgw1.noa.gr[2001:648:2ffc:1115::27]
May 03 07:24:17 vmail2 postfix/smtpd[24699]: Anonymous TLS connection established from mailgw1.noa.gr[2001:648:2ffc:1115::27]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
May 03 07:24:17 vmail2 postfix/smtpd[24699]: 5415981E8C1DE: client=mailgw1.noa.gr[2001:648:2ffc:1115::27]
May 03 07:24:17 vmail2 postfix/cleanup[22675]: 5415981E8C1DE: message-id=<dcd2e064-ca98-11ec-9d5d-ed4f4e355...@facebookmail.com>
May 03 07:24:17 vmail2 postfix/qmgr[27646]: 5415981E8C1DE: from=<groupupda...@facebookmail.com>, size=25840, nrcpt=1 (queue active)
May 03 07:24:17 vmail2 postfix/smtpd[24699]: disconnect from mailgw1.noa.gr[2001:648:2ffc:1115::27] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 03 07:24:17 vmail2 postfix/lmtp[22677]: 5415981E8C1DE: to=<zz...@gein.noa.gr>, relay=vmail2.noa.gr[private/dovecot-lmtp], delay=0.1, delays=0.093/0.001/0.001/0.008, dsn=2.0.0, status=sent (250 2.0.0 <zz...@gein.noa.gr> aEf1GXGucGJvYgAAcV+qjQ Saved)
May 03 07:24:17 vmail2 postfix/qmgr[27646]: 5415981E8C1DE: removed

May 03 07:24:26 vmail2 postfix/smtpd[24699]: connect from mailgw1.noa.gr[83.212.5.27]
May 03 07:24:26 vmail2 postfix/smtpd[24699]: Anonymous TLS connection established from mailgw1.noa.gr[83.212.5.27]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
May 03 07:24:26 vmail2 postfix/smtpd[24699]: 0FE2A81E8C1DE: client=mailgw1.noa.gr[83.212.5.27]
May 03 07:24:26 vmail2 postfix/cleanup[22675]: 0FE2A81E8C1DE: message-id=<20220503042418.138f63f...@cl2n038.stanford.edu>
May 03 07:24:26 vmail2 postfix/qmgr[27646]: 0FE2A81E8C1DE: from=<jsen...@j3.stanford.edu>, size=4807, nrcpt=3 (queue active)
May 03 07:24:26 vmail2 postfix/smtpd[24699]: disconnect from mailgw1.noa.gr[83.212.5.27] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 03 07:24:26 vmail2 postfix/lmtp[22677]: 0FE2A81E8C1DE: to=<us...@noa.gr>, orig_to=<usergr...@noa.gr>, relay=vmail2.noa.gr[private/dovecot-lmtp], delay=0.18, delays=0.056/0.003/0.001/0.12, dsn=2.0.0, status=sent (250 2.0.0 <us...@noa.gr> uABAB3qucGJvYgAAcV+qjQ Saved)
May 03 07:24:26 vmail2 postfix/qmgr[27646]: 0FE2A81E8C1DE: removed

May 03 07:24:40 vmail2 postfix/smtpd[24699]: connect from mailgw1.noa.gr[83.212.5.27]
May 03 07:24:40 vmail2 postfix/smtpd[24699]: Anonymous TLS connection established from mailgw1.noa.gr[83.212.5.27]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
May 03 07:24:40 vmail2 postfix/smtpd[24699]: DC30681E8C1DE: client=mailgw1.noa.gr[83.212.5.27]
May 03 07:24:40 vmail2 postfix/cleanup[22675]: DC30681E8C1DE: message-id=<CAPa4v2xkMytcz6JFBMospEc-p=byummefuf8qgull-hiwy9...@mail.gmail.com>
May 03 07:24:41 vmail2 postfix/qmgr[27646]: DC30681E8C1DE: from=<icue2022-announceme...@ait.asia>, size=4638210, nrcpt=1 (queue active)
May 03 07:24:41 vmail2 postfix/smtpd[24699]: disconnect from mailgw1.noa.gr[83.212.5.27] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 03 07:24:42 vmail2 postfix/lmtp[22677]: DC30681E8C1DE: to=<us...@noa.gr>, relay=vmail2.noa.gr[private/dovecot-lmtp], delay=1.2, delays=1.1/0.002/0.001/0.12, dsn=2.0.0, status=sent (250 2.0.0 <us...@noa.gr> EEM6O4mucGJvYgAAcV+qjQ Saved)
May 03 07:24:42 vmail2 postfix/qmgr[27646]: DC30681E8C1DE: removed

May 03 07:24:46 vmail2 postfix/smtpd[24699]: connect from mailgw1.noa.gr[83.212.5.27]
May 03 07:24:46 vmail2 postfix/smtpd[24699]: Anonymous TLS connection established from mailgw1.noa.gr[83.212.5.27]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
May 03 07:24:46 vmail2 postfix/smtpd[24699]: 9A5F481E8C1DE: client=mailgw1.noa.gr[83.212.5.27]
May 03 07:24:46 vmail2 postfix/cleanup[22675]: 9A5F481E8C1DE: message-id=<010001808829cccc-d16d5d6b-a77c-4f29-bb3e-f7efe9cd971e-000...@email.amazonses.com>
May 03 07:24:46 vmail2 postfix/qmgr[27646]: 9A5F481E8C1DE: from=<010001808829cccc-d16d5d6b-a77c-4f29-bb3e-f7efe9cd971e-000...@bounce.academia-mail.com>, size=63201, nrcpt=1 (queue active)
May 03 07:24:46 vmail2 postfix/smtpd[24699]: disconnect from mailgw1.noa.gr[83.212.5.27] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 03 07:24:46 vmail2 postfix/lmtp[22677]: 9A5F481E8C1DE: to=<us...@meteo.noa.gr>, relay=vmail2.noa.gr[private/dovecot-lmtp], delay=0.12, delays=0.095/0.001/0.001/0.018, dsn=2.0.0, status=sent (250 2.0.0 <us...@meteo.noa.gr> CIpCK46ucGJvYgAAcV+qjQ Saved)
May 03 07:24:46 vmail2 postfix/qmgr[27646]: 9A5F481E8C1DE: removed

------------------------------------------------------------------------------------------------
postconf -n on mailgw1.noa.gr:

allowed_list1 = reject
allowed_list2 = reject
command_directory = /usr/sbin
compatibility_level = 3.6
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 100
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/blacklisted_maillists
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_name = NOA MAIL ICXC-NIKA
mail_owner = postfix
maillog_file = /var/log/postfix.log
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 15728640
meta_directory = /etc/postfix
mydestination =
mynetworks = 127.0.0.1/32 [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_exceptions.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.7.2/README_FILES
relay_domains = $transport_maps
relay_recipient_maps =
sample_directory = /usr/share/doc/postfix3-3.7.2/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_security_level = may
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/amavis_bypass check_sender_access hash:/etc/postfix/amavis_bypass_senders check_sender_access hash:/etc/postfix/blacklisted_senders check_sender_access pcre:/etc/postfix/blacklisted_maillists reject_unverified_recipient reject_unauth_destination check_recipient_access hash:/etc/postfix/protected_destinations permit_mynetworks reject_invalid_hostname reject_unauth_pipelining reject_non_fqdn_sender reject_unknown_sender_domain reject_non_fqdn_recipient reject_unknown_recipient_domain reject_rbl_client b.barracudacentral.org reject_rbl_client zen.spamhaus.org reject_rbl_client psbl.surriel.com reject_rbl_client bl.spamcop.net reject_rhsbl_client dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org permit
smtpd_restriction_classes = allowed_list1,allowed_list2
smtpd_tls_CAfile = /etc/pki/tls/certs/GeantChain.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/star_noa_gr_cert-754868755.crt
smtpd_tls_exclude_ciphers = DES,3DES,MD5,aNULL,AES128,CAMELLIA128
smtpd_tls_key_file = /etc/pki/tls/private/star_noa_gr-1243437.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
transport_maps = hash:/etc/postfix/transportmap
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtualmap

------------------------------------------------------------------------------------------------
postconf -n on vmail2.noa.gr:

# postconf -n
alias_database = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases
alias_maps = hash:/etc/aliases
allowed_list1 = check_sasl_access hash:/etc/postfix/allowed_groupmail_users,reject
allowed_list2 = permit_sasl_authenticated,reject
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 3.6
controlled_senders = check_sender_access hash:/etc/postfix/blocked_senders
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 >$config_directory/$process_name.$process_id.log & sleep 5
default_process_limit = 100
delay_logging_resolution_limit = 3
deliver_lock_attempts = 40
gwcheck = reject_unverified_recipient, reject_unauth_destination
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_header_rewrite_clients = static:all
mail_name = Postfix IC-XC-NI-KA
mail_owner = postfix
maillog_file = /var/log/postfix.log
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 41943040
meta_directory = /etc/postfix
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = noa.gr
myhostname = vmail2.noa.gr
mynetworks = 195.251.204.0/24, 195.251.202.0/23, 194.177.194.0/23, 127.0.0.0/8, 10.201.0.0/16, [2001:648:2011::]/48, 83.212.5.24/29, [2001:648:2ffc:1115::]/64, 62.217.124.0/29, [2001:648:2ffc:126::]/64, [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
parent_domain_matches_subdomains =
postfwdcheck = check_policy_service inet:127.0.0.1:10040
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.7.0/README_FILES
recipient_canonical_maps = hash:/etc/postfix/domainrecipientmap
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix3-3.7.0/samples
sender_canonical_maps = hash:/etc/postfix/domainsendermap
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_security_level = may
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/localhost.cidr check_client_access cidr:/etc/postfix/gwservers.cidr check_client_access cidr:/etc/postfix/non-tls-clients.cidr permit_sasl_authenticated reject
smtpd_delay_reject = yes
smtpd_end_of_data_restrictions = check_client_access cidr:/etc/postfix/postfwdpolicy.cidr
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/protected_destinations permit_mynetworks permit_sasl_authenticated reject_unverified_recipient reject_unauth_destination
smtpd_relay_restrictions =
smtpd_restriction_classes = controlled_senders,allowed_list1,allowed_list2, postfwdcheck,gwcheck
smtpd_sasl_auth_enable = no
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/GeantChain.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/star_noa_gr_cert-754868755.crt
smtpd_tls_key_file = /etc/pki/tls/private/star_noa_gr-1243437.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases, proxy:ldap:/etc/postfix/ldap-alias-vacation.cf, proxy:ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = $mydomain, space.$mydomain, admin.$mydomain, nestor.$mydomain, gein.$mydomain, meteo.$mydomain, technet.$mydomain, astro.$mydomain, hesperia-space.eu
virtual_mailbox_limit = 0
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-users.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:500
postconf: warning: /etc/postfix/main.cf: unused parameter: 127.0.0.1:10040_time_limit=3600
------------------------------------------------------------------------------------------------

Thanks in advance,
Nick
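
Added example (not part of the original message, not Postfix code): one way to measure the IPv4/IPv6 split described above is to tally the smtpd "connect from" entries per client and list the points where a client changes address family. The host names and addresses in the sample are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# smtpd "connect from host[addr]" entries; finditer() copes with one entry per
# line and with several entries collated onto one line, as in the post.
CONNECT_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"connect from (?P<host>[^\s\[]+)\[(?P<addr>[0-9A-Fa-f:.]+)\]"
)

def connects(log_text):
    """Yield (timestamp, client_host, 'IPv4'|'IPv6') per inbound connection."""
    for m in CONNECT_RE.finditer(log_text):
        try:
            version = ipaddress.ip_address(m.group("addr")).version
        except ValueError:
            continue  # damaged or truncated address: skip rather than guess
        yield m.group("ts"), m.group("host"), f"IPv{version}"

def tally_families(log_text):
    """Return {client_host: Counter of address families used}."""
    tally = {}
    for _, host, family in connects(log_text):
        tally.setdefault(host, Counter())[family] += 1
    return tally

def family_switches(log_text, host):
    """Return (timestamp, old, new) each time `host` changes address family."""
    switches, previous = [], None
    for ts, client, family in connects(log_text):
        if client != host:
            continue
        if previous and family != previous:
            switches.append((ts, previous, family))
        previous = family
    return switches

# Constructed sample (documentation addresses, hypothetical host names).
SAMPLE_LOG = (
    "May 03 07:23:54 mx postfix/smtpd[100]: connect from gw.example.test[2001:db8::27] "
    "May 03 07:23:54 mx postfix/smtpd[100]: disconnect from gw.example.test[2001:db8::27] quit=1 commands=7\n"
    "May 03 07:24:17 mx postfix/smtpd[100]: connect from gw.example.test[2001:db8::27]\n"
    "May 03 07:24:26 mx postfix/smtpd[100]: connect from gw.example.test[192.0.2.27]\n"
    "May 03 07:24:40 mx postfix/smtpd[100]: connect from gw.example.test[192.0.2.27]\n"
)

if __name__ == "__main__":
    for host, counts in tally_families(SAMPLE_LOG).items():
        print(host, dict(counts), family_switches(SAMPLE_LOG, host))
```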

