So I decided to walk before I could run. Getting backup MX with MySQL
backend to restrict to just valid users is proving harder than I thought.
But for the time being, what I did was reset the config on the secondary
MX to a very standard postfix config using hash: and Berkeley DB files.
However what I'm doing is having the primary server extract valid
addresses (mailboxes and aliases) from MySQL, compile them into postfix
format (<em...@domain.tld><tab>OK), and then rsync it over to the
secondary in the form of /etc/postfix/relay_recipients twice a day.
Two minutes later, on the secondary side, it moves it to /etc/postfix, and
runs postmap on the file to create /etc/postfix/relay_recipient_maps.db.
It then restarts postfix.
I have included these lines which I thought would do the trick:
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relay_domains = <domain.tld>,<domain.tld>,...<domain.tld>
smtpd_relay_restrictions = permit_mynetworks,
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_unlisted_recipient,
reject_rbl_client zen.spamhaus.org,
permit
However, when I telnet to port 25 and feed it this, it still accepts it just
fine, and forces my primary to generate a bounceback:
# telnet caduceus.wtfayla.net 25
Trying <secondary IP address>...
Connected to caduceus.wtfayla.net.
Escape character is '^]'.
220 caduceus.wtfayla.net ESMTP Postfix (Debian/GNU)
helo fongaboo.com
250 caduceus.wtfayla.net
mail from: jcapra@<workemail>.com
250 2.1.0 Ok
rcpt to: nonexistentaddr...@fongaboo.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
this should not exist
.
250 2.0.0 Ok: queued as 32F272E41F6
I've attached the full main.cf to the email. I'm following this tutorial to a T:
https://www.linuxbabe.com/mail-server/how-to-set-up-a-backup-email-server-postfix-ubuntu
TIA!
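Added example (not from the original post or the linked tutorial): a small model of the relay_recipients pipeline described above, so the generated map can be checked offline before the secondary is trusted with it. It renders addresses into the "<address><tab>OK" postmap input format and then replays the reject_unlisted_recipient decision against that map; the sample addresses, the RELAY_DOMAINS set and the assumed lookup order (full address, address without its +extension, then an "@domain" catch-all) are constructed assumptions for this example.

```python
import re

# Constructed sample of what the primary MX exports from MySQL (mailboxes and
# aliases); duplicates, mixed case and a bad entry are deliberate.
SAMPLE_ADDRESSES = ["Postmaster@fongaboo.com", "jcapra@wtfayla.net",
                    "info@mechno.com", "postmaster@fongaboo.com", "bad-entry"]
# Domains the secondary relays for (the relay_domains setting in main.cf).
RELAY_DOMAINS = {"fongaboo.com", "wtfayla.net", "mechno.com"}
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_relay_recipients(addresses):
    # Emit postmap input: one "<address><tab>OK" line per valid address.
    # Postfix lookups are case-insensitive, so keys are lowercased; malformed
    # entries and foreign domains are dropped instead of becoming bogus keys.
    keys = set()
    for raw in addresses:
        addr = raw.strip().lower()
        if ADDR_RE.match(addr) and addr.rsplit("@", 1)[1] in RELAY_DOMAINS:
            keys.add(addr)
    return "".join(f"{k}\tOK\n" for k in sorted(keys))


def parse_map(text):
    # Read a postmap-style text file back into a {key: value} dict.
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            key, _, value = line.partition("\t")
            table[key.strip().lower()] = value.strip()
    return table


def recipient_allowed(table, rcpt, delimiter="+"):
    # Model the reject_unlisted_recipient decision for a relay-domain
    # recipient. Assumed lookup order (as for Postfix address tables): full
    # address, address without its +extension, then an "@domain" catch-all.
    rcpt = rcpt.strip().lower()
    local, _, domain = rcpt.rpartition("@")
    candidates = [rcpt]
    if delimiter and delimiter in local:
        candidates.append(local.split(delimiter, 1)[0] + "@" + domain)
    candidates.append("@" + domain)
    return any(c in table for c in candidates)


if __name__ == "__main__":
    table = parse_map(build_relay_recipients(SAMPLE_ADDRESSES))
    # The recipient from the telnet session above must be refused at RCPT TO,
    # otherwise the secondary accepts it and the primary bounces it back.
    print(recipient_allowed(table, "nonexistentaddr@fongaboo.com"))
```

If the real map built by the cron job gives a different answer than this model for the same address, the file name or contents that postmap produced are not what relay_recipient_maps is reading.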
On Tue, 29 Nov 2022, Jonathan Capra wrote:
On Tue, 29 Nov 2022, raf wrote:
On Sun, Nov 27, 2022 at 11:40:01PM -0500, Jonathan Capra
<post...@fongaboo.com> wrote:
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
Not relevant, but the above line isn't needed (since Postfix 2.11).
I commented this out.
mydestination = $myhostname, ca2ceus.wtfayla.net, localhost
Does the value of $myhostname refer to the primary MX host by any chance?
If so, the above line would cause the secondary MX host to deliver locally.
But that's probably not it (if all occurrences of <hostname> refer to the
same hostname). The certificate there is for the host name
ca2ceus.wtfayla.net (presumably, the secondary MX's public hostname).
Just looks like I forgot to s/ca2ceus.wtfayla.net/<secondary hostname>/g for
one instance. Now that the cat is out of the bag, caduceus.wtfayla.net is
$myhostname, and ca2ceus.wtfayla.net is just a CNAME to the former.
relayhost = #mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
The line above looks wrong. Comments only start at the
start of a line (after spaces/tabs is ok). If this is
the cause of the problem (i.e., postfix trying to relay
to an incorrect hostname), there would probably be log
messages to indicate that. But that's probably not it
either. Postfix wouldn't deliver locally if it thought
it was supposed to relay but failed.
Turns out it's just a case of carriage returns somehow getting lost when
pasting into the email. It really looks like this:
relayhost =
#mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
#mynetworks = 127.0.0.0/8, 174.138.48.1/20
But that means that relayhost is empty. Should it be set to $mynetworks?
transport_maps = # hash:/etc/postfix/transport_maps,
mysql:/etc/postfix/mysql_relay_transports.cf
The apparent comment above is also wrong. Move it to a line
of its own. Perhaps that's relevant if transports are used
to relay to the primary MX host.
Same deal with the email formatting. It really looks like this:
transport_maps =
# hash:/etc/postfix/transport_maps,
mysql:/etc/postfix/mysql_relay_transports.cf
I hope that helps a bit. But it might not be enough to
solve the problem.
cheers,
raf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
# smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_cert_file=/etc/letsencrypt/live/ca2ceus.wtfayla.net/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/ca2ceus.wtfayla.net/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1
smtpd_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CApath=/etc/ssl/certs
# smtp_tls_security_level=may
smtp_tls_security_level=verify
smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
smtp_tls_loglevel = 1
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
myhostname = caduceus.wtfayla.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, ca2ceus.wtfayla.net, localhost.wtfayla.net,
localhost
relayhost =
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relay_domains =
5h0w.me,acpac518.org,albanypostcardproject.com,ashleycovelli.com,ashleyhenderson.com,bigflavors.co,bigflavorstinykitchen.com,danhealy.net,danisi.org,dinocovelli.com,domesticmixologist.com,ellenvilleflightpark.com,exhuman.org,fantasyland.com,fongaboo.com,fongaboo.net,fongaboo.org,helix.wtfayla.net,herfamedgoodlooks.com,jakeandthemountainmen.com,jaylove.net,jerksnake.com,jerksnake.net,jerksnake.org,kb2nea.org,liz.fongaboo.com,mad-machinery.com,madmachinery.com,mechno.com,mechno.net,mechno.org,occupyalbany.org,paulbliss.com,paulbliss.net,paulbliss.org,privacypatriots.org,restorethe4th.com,sarahbadger.com,sferatu.com,sferatu.net,sferatu.org,supperclubny.com,timbreconsultants.com,twistedpairvisuals.com,vmail.h6lix.wtfayla.net,wtfayla.com,wtfayla.net,wtfayla.org
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 50.75.172.136/29
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
maximal_queue_lifetime = 10d
# Restrictions
smtpd_relay_restrictions = permit_mynetworks,
reject_invalid_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_destination,
reject_unlisted_recipient,
reject_rbl_client zen.spamhaus.org,
permit