requiring TLS on a pool of servers
I have a group of Postfix servers. I want communications between these servers to be TLS and clients must present a known certificate. These servers are also public-facing and accept incoming mail from servers not under my control.

I just started setting this up and it seems to be working as expected. I'm looking for feedback and suggestions. I think I understand what I'm doing.

Each of these servers will accept mail from the other servers on port 5587. The master.cf has something like this:

    64.147.113.42:5587 inet n - n - - smtpd
      -o smtp_tls_security_level=encrypt
      -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject
      -o smtpd_tls_req_ccert=yes
      -o smtpd_tls_auth_only=no
      -o smtpd_tls_security_level=encrypt
      -o smtpd_tls_cert_file=/usr/local/etc/ssl/server.pem
      -o smtpd_tls_key_file=/usr/local/etc/ssl/D.example.org.nopassword.key
      -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
      -o smtpd_sender_restrictions=
      -o smtpd_relay_restrictions=
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_data_restrictions=

Some of the entries from main.cf are:

    smtp_tls_policy_maps = hash:/usr/local/etc/postfix-config/tls_policy
    transport_maps = hash:/usr/local/etc/postfix-config/transport
    relay_clientcerts = hash:/usr/local/etc/postfix-config/relay_clientcerts
    smtpd_tls_fingerprint_digest=sha1
    smtp_tls_fingerprint_digest=sha1

Ensure that comms is via TLS:

    # cat /usr/local/etc/postfix-config/tls_policy
    [A.example.org]:5587 encrypt protocols=TLSv1 ciphers=high
    [B.example.org]:5587 encrypt protocols=TLSv1 ciphers=high
    [C.example.org]:5587 encrypt protocols=TLSv1 ciphers=high

Make sure the comms goes to the right service:

    # cat /usr/local/etc/postfix-config/transport
    A.example.org :[A.example.org]:5587
    B.example.org :[B.example.org]:5587
    C.example.org :[C.example.org]:5587

Accept incoming mail only if these certs are presented:

    # cat /usr/local/etc/postfix-config/relay_clientcerts
    11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44 a.example.org
    11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:55 b.example.org
    11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:66 c.example.org

-- 
Dan Langille - http://langille.org/
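The relay_clientcerts check above keys on a certificate fingerprint in the colon-separated hex form that `openssl x509 -noout -fingerprint -sha1` prints, with the digest chosen by smtpd_tls_fingerprint_digest. The following is an added example, not code from this post or from Postfix: it computes that fingerprint for a DER certificate, parses a relay_clientcerts source file (dropping entries whose length cannot match the configured digest), and models the permit_tls_clientcerts,reject decision. The certificate bytes and the table are constructed stand-ins, not real certificates.

```python
"""Check a TLS client certificate against a Postfix relay_clientcerts table.

Added example; not the poster's configuration and not Postfix code.  With
smtpd_tls_req_ccert=yes and
smtpd_recipient_restrictions=permit_tls_clientcerts,reject, a client is
admitted only if the fingerprint of its certificate is a key of
relay_clientcerts.  The certificate bytes below are constructed stand-ins.
"""
import hashlib
import re
from typing import Dict, List, Tuple

DIGEST = "sha1"  # as in the thread; Postfix 3.6 and later default to sha256

# Constructed stand-ins for the DER bytes of three client certificates.
CERT_A = b"constructed DER bytes: a.example.org"
CERT_B = b"constructed DER bytes: b.example.org"
CERT_STRANGER = b"constructed DER bytes: not one of ours"


def fingerprint(der_cert: bytes, digest: str = DIGEST) -> str:
    """Digest of the DER certificate in the form Postfix matches: AA:BB:...."""
    hexdigest = hashlib.new(digest, der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_relay_clientcerts(text: str, digest: str = DIGEST
                            ) -> Tuple[Dict[str, str], List[Tuple[int, str]]]:
    """Parse a relay_clientcerts source file ('fingerprint name' per line).

    Returns (table, bad_entries).  An entry whose fingerprint does not have
    the digest's length can never match; it usually means the table was
    generated with a different smtpd_tls_fingerprint_digest, so it is
    reported instead of silently kept.  Keys are upper-cased so that the
    file's case does not matter.
    """
    size = hashlib.new(digest).digest_size
    pattern = re.compile(r"^([0-9A-Fa-f]{2}:){%d}[0-9A-Fa-f]{2}$" % (size - 1))
    table: Dict[str, str] = {}
    bad: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        key, _, name = line.partition(" ")
        if not pattern.match(key):
            bad.append((lineno, key))
            continue
        table[key.upper()] = name.strip()
    return table, bad


def client_decision(der_cert: bytes, table: Dict[str, str],
                    digest: str = DIGEST) -> str:
    """Model 'permit_tls_clientcerts,reject': 'permit:<name>' or 'reject'."""
    name = table.get(fingerprint(der_cert, digest))
    return f"permit:{name}" if name is not None else "reject"


# Constructed relay_clientcerts source: the two known peers (one written in
# lower case) and a stale 16-byte entry that cannot match a sha1 fingerprint.
RELAY_CLIENTCERTS = f"""# fingerprint                                               peer
{fingerprint(CERT_A)} a.example.org
{fingerprint(CERT_B).lower()} b.example.org
11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00 stale-md5-entry
"""

TABLE, BAD_ENTRIES = parse_relay_clientcerts(RELAY_CLIENTCERTS)

if __name__ == "__main__":
    for label, cert in (("A", CERT_A), ("B", CERT_B), ("stranger", CERT_STRANGER)):
        print(label, fingerprint(cert), client_decision(cert, TABLE))
    for lineno, key in BAD_ENTRIES:
        print(f"line {lineno}: ignored {key} (wrong length for {DIGEST})")
```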
postfix reports no rDNS on a host with many PTR records
I'm seeing the following errors when a prominent North American life insurance vendor attempts to send me email.

    Oct 14 12:57:07 twinc postfix/smtpd[12194]: NOQUEUE: reject: RCPT from unknown[216.163.249.229]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [216.163.249.229]; from= to= proto=ESMTP helo=

The crux is that this host does have (an abundance of) rDNS:

    [blake@twinc ~]# host 216.163.249.229
    ;; Truncated, retrying in TCP mode.
    229.249.163.216.in-addr.arpa domain name pointer ms2.dmmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.egadbprod.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.iimetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.afimetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.arsmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.avsmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.dlmmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.dnumetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.docviewweb.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.edwmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.eesmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.epmmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.erpmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.iibmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.metlifenet.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.mmpmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.prfmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.rpgmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.stimetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.alpsmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.amnpmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.calcmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.catsmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.glifmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.ibcsmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.lifemetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.lsmsmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.massmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.ribsmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.smrsmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.statmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.tajsmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.witnessgold.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.witnessprod.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.dmassmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.emonemetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.linusmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.metlife-ihub.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.murexmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.parismetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.pmacsmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.xtivametlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.avenuemetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.bdwisemetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.caesarmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.citrixmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.grpannmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.ifecadmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.legal-lawdept.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.siebelmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.tlarsametlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.tlazawmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.charliemetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.crcsurfmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.metcommpipedev.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.paragonmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.powerimageprod.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.ermskanametlife.
    229.249.163.216.in-addr.arpa domain name pointer ms2.glif-pm-metlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.intelccometlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.kamakurametlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.orangesmmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.prosightmetlife.com.
    229.249.163.216.in-addr.arpa domain name pointer ms2.securitypricing.com.
    229.
local_recipient_maps set up, yet postfix continues to send bounce messages
Sorry if this question gets asked too often, but I followed the instructions to stop backscatter email from my server, yet it continues to send bounces. Here is the output of postconf -n:

    alias_maps = hash:/etc/aliases
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    debug_peer_list = XXX.XXX.XXX.XXX
    home_mailbox = Maildir/
    html_directory = no
    inet_interfaces = all
    local_recipient_maps = $virtual_alias_maps
    mail_owner = postfix
    mail_spool_directory = /var/spool/mail
    mailbox_command = /usr/bin/procmail -f- -a "$USER"
    mailbox_size_limit = 25600
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    maximal_queue_lifetime = 3d
    mydestination = localhost,$myhostname
    mynetworks = XXX.XXX.XXX.XXX/32, XXX.XXX.XXX.XXX/32
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
    sample_directory = /usr/share/doc/postfix-2.3.3/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_host_lookup = dns, native
    smtp_sasl_security_options = noplaintext
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks, reject_unauth_destination,
        reject_unknown_sender_domain, reject_unlisted_recipient
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noanonymous
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = hash:/etc/postfix/virtual
    virtual_mailbox_base = /var/spool/mail
    virtual_mailbox_domains = hash:/etc/postfix/mydomains

There are no wildcards in virtual_alias_maps or alias_maps

Thanks,

Chad.
Re: local_recipient_maps set up, yet postfix continues to send bounce messages
Logs?

On 2013-10-14 4:00 PM, Chad Elliott wrote:
> Sorry if this question gets asked too often, but I followed the instructions to stop backscatter email from my server, yet it continues to send bounces. Here is the output of postconf -n:
> [...]

-- 
Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6224 | 678.514.6299 fax
Re: Some postfix delivering problems (SOLVED)
It seems to be working well now, just setting off the procmail command. Thanks to all.

--
View this message in context: http://postfix.1071664.n5.nabble.com/Some-postfix-delivering-problems-tp62117p62192.html
Sent from the Postfix Users mailing list archive at Nabble.com.
Re: local_recipient_maps set up, yet postfix continues to send bounce messages
Such a busy server, it's tough to get just the right snippet, let me know if anything seems missing here.

    Oct 14 12:44:46 mail postfix/smtpd[2527]: < mail.senderdomain.org[173.255.XXX.XXX7]: rcpt to:lksjdflkajsflkas...@mycompany.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: extract_addr: input: lksjdflkajsflkas...@mycompany.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: smtpd_check_addr: addr= lksjdflkajsflkas...@mycompany.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: ctable_locate: purge entry key z04...@.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: send attr request = rewrite
    Oct 14 12:44:46 mail postfix/smtpd[2527]: send attr rule = local
    Oct 14 12:44:46 mail postfix/smtpd[2527]: send attr address = lksjdflkajsflkas...@mycompany.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: flags
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: flags
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: 0
    Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: address
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: address
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: lksjdflkajsflkas...@mycompany.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: (list terminator)
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: (end)
    Oct 14 12:44:46 mail postfix/smtpd[2527]: rewrite_clnt: local: lksjdflkajsflkas...@mycompany.com -> lksjdflkajsflkas...@mycompany.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: send attr request = resolve
    Oct 14 12:44:46 mail postfix/smtpd[2527]: send attr sender =
    Oct 14 12:44:46 mail postfix/smtpd[2527]: send attr address = lksjdflkajsflkas...@mycompany.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: flags
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: flags
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: 0
    Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: transport
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: transport
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: virtual
    Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: nexthop
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: nexthop
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: mycompany.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: recipient
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: recipient
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: lksjdflkajsflkas...@mycompany.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: flags
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: flags
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute value: 1024
    Oct 14 12:44:46 mail postfix/smtpd[2527]: private/rewrite socket: wanted attribute: (list terminator)
    Oct 14 12:44:46 mail postfix/smtpd[2527]: input attribute name: (end)
    Oct 14 12:44:46 mail postfix/smtpd[2527]: resolve_clnt: `' -> ` lksjdflkajsflkas...@mycompany.com' -> transp=`virtual' host=`mycompany.com' rcpt=`lksjdflkajsflkas...@mycompany.com' flags= class=virtual
    Oct 14 12:44:46 mail postfix/smtpd[2527]: ctable_locate: install entry key lksjdflkajsflkas...@mycompany.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: extract_addr: in: lksjdflkajsflkas...@mycompany.com, result: lksjdflkajsflkas...@mycompany.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: >>> START Recipient address RESTRICTIONS <<<
    Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=permit_sasl_authenticated
    Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=permit_sasl_authenticated status=0
    Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=permit_mynetworks
    Oct 14 12:44:46 mail postfix/smtpd[2527]: permit_mynetworks: mail.senderdomain.org 173.255.XXX.XXX7
    Oct 14 12:44:46 mail postfix/smtpd[2527]: match_hostname: mail.senderdomain.org ~? 67.192.XXX.XXX/32
    Oct 14 12:44:46 mail postfix/smtpd[2527]: match_hostaddr: 173.255.XXX.XXX7 ~? 67.192.XXX.XXX/32
    Oct 14 12:44:46 mail postfix/smtpd[2527]: match_hostname: mail.senderdomain.org ~? 127.0.0.0/8
    Oct 14 12:44:46 mail postfix/smtpd[2527]: match_hostaddr: 173.255.XXX.XXX7 ~? 127.0.0.0/8
    Oct 14 12:44:46 mail postfix/smtpd[2527]: match_list_match: mail.senderdomain.org: no match
    Oct 14 12:44:46 mail postfix/smtpd[2527]: match_list_match: 173.255.XXX.XXX7: no match
    Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=permit_mynetworks status=0
    Oct 14 12:44:46 mail postfix/smtpd[2527]: generic_checks: name=reject_unauth_destination
    Oct 14 12:44:46 mail postfix/smtpd[2527]: reject_unauth_destination: lksjdflkajsflkas...@mycompany.com
    Oct 14 12:44:46 mail postfix/smtpd[2527]: permit_auth_destination: lksjdflkajsflkas...@mycompany.c
Re: local_recipient_maps set up, yet postfix continues to send bounce messages
On 10/14/2013 3:00 PM, Chad Elliott wrote:
> Sorry if this question gets asked too often, but I followed the
> instructions to stop backscatter email from my server, yet it
> continues to send bounces. Here is the output of postconf -n:

Without context, we can't provide much help.

- what instructions did you follow?
- what is being bounced?
- what address class (local, virtual-alias, virtual-mailbox, ...) is bouncing?
- NON VERBOSE logs demonstrating the problem?

-- Noel Jones
Re: local_recipient_maps set up, yet postfix continues to send bounce messages
> Without context, we can't provide much help.
> - what instructions did you follow?

I set up "local_recipient_maps = $virtual_alias_maps" and "unknown_local_recipient_reject_code = 550" per instructions located here: http://www.postfix.org/BACKSCATTER_README.html

> - what is being bounced?

mail sent to non-existent aliases/users (not in virtual_alias_maps)

> - what address class (local, virtual-alias, virtual-mailbox, ...) is bouncing?

virtual-alias

> - NON VERBOSE logs demonstrating the problem?

    Oct 14 13:37:37 mail postfix/smtpd[17348]: A887A1A084D7: client=mail-ie0-f180.google.com[209.85.223.180]
    Oct 14 13:37:37 mail postfix/cleanup[21208]: A887A1A084D7: message-id=
    Oct 14 13:37:37 mail postfix/qmgr[21037]: A887A1A084D7: from=, size=1490, nrcpt=1 (queue active)
    Oct 14 13:37:37 mail postfix/virtual[20895]: A887A1A084D7: to=, relay=virtual, delay=0.09, delays=0.09/0/0/0, dsn=5.1.1, status=bounced (unknown user: "testboun...@myserver.com")
    Oct 14 13:37:37 mail postfix/bounce[21056]: A887A1A084D7: sender non-delivery notification: B87541A084D9
    Oct 14 13:37:37 mail postfix/qmgr[21037]: A887A1A084D7: removed
Re: local_recipient_maps set up, yet postfix continues to send bounce messages
On 2013-10-14 4:41 PM, Chad Elliott wrote:
>> - what is being bounced?
> mail sent to non-existent aliases/users (not in virtual_alias_maps)

This is the DESIRED result... what is the problem?

-- 
Best regards,

Charles
Re: local_recipient_maps set up, yet postfix continues to send bounce messages
On 2013-10-14 4:00 PM, Chad Elliott wrote:
> Sorry if this question gets asked too often, but I followed the instructions to stop backscatter email from my server,

and

On 2013-10-14 4:41 PM, Chad Elliott wrote:
>> - what is being bounced?
> mail sent to non-existent aliases/users (not in virtual_alias_maps)

This is NOT 'backscatter'... Methinks you have some reading to do...

-- 
Best regards,

Charles
Re: local_recipient_maps set up, yet postfix continues to send bounce messages
On 2013-10-14 4:54 PM, Charles Marcus wrote:
> On 2013-10-14 4:00 PM, Chad Elliott wrote:
>> Sorry if this question gets asked too often, but I followed the instructions to stop backscatter email from my server,
>
> and
>
> On 2013-10-14 4:41 PM, Chad Elliott wrote:
>>> - what is being bounced?
>> mail sent to non-existent aliases/users (not in virtual_alias_maps)
>
> This is NOT 'backscatter'... Methinks you have some reading to do...

Sorry, I misread the logs, I guess it is in fact bounced instead of rejected...
What is causing this mail forwarding loop bounce?
I'm using Google's Postini replacement as a spam filter before mail gets to my smtp server. I currently have a problem where most emails that get spam trapped by Google disappear when I attempt to have them delivered. Google gives me the ability to reattempt delivery and I have a repeatable case where one example spam always gets bounced by my Postfix, and one always comes through fine.

Here are my smtpd logs from a case where I tried to deliver the 2 spam emails seconds apart; the first one failed and the second one worked: http://pastebin.com/XUYR4ZDe

Here's another attempt to deliver the same problematic email, this time with -v verbosity added to just about everything in /etc/postfix/master.cf: http://pastebin.com/ENkgTXz6

AFAICT, everything seems to go normally but then I get:

    send attr reason = mail forwarding loop for se...@sendu.me.uk

and it eventually bounces.

My postconf -n:

    postconf -n
    address_verify_relayhost =
    alias_database = hash:/etc/mail/aliases
    alias_maps = mysql:/etc/postfix/mysql-aliases.cf
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = //usr/lib64/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 1
    default_destination_concurrency_limit = 2
    home_mailbox = .maildir/
    html_directory = /usr/share/doc/postfix-2.5.5/html
    inet_interfaces = all
    local_destination_concurrency_limit = 2
    local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
    local_transport = local
    mail_owner = postfix
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mydomain = sendu.me.uk
    myhostname = 64x2.sendu.me.uk
    mynetworks_style = host
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.5.5/readme
    relayhost = outbound.mailhop.org
    relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
    sample_directory = /etc/postfix
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options =
    smtp_tls_CAfile = /etc/ssl/private/sub.class1.server.ca.pem
    smtp_tls_CApath = /etc/ssl/certs
    smtp_tls_cert_file = /etc/ssl/private/sendu.me.uk.crt
    smtp_tls_key_file = /etc/ssl/private/sendu.me.uk.decrypted.key
    smtp_tls_loglevel = 0
    smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
    smtp_tls_session_cache_timeout = 3600s
    smtp_use_tls = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_client_access cidr:/etc/postfix/allowed_clients.cidr, reject
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_CAfile = /etc/ssl/private/sub.class1.server.ca.pem
    smtpd_tls_CApath = /etc/ssl/certs
    smtpd_tls_ask_ccert = yes
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/ssl/private/sendu.me.uk.crt
    smtpd_tls_key_file = /etc/ssl/private/sendu.me.uk.decrypted.key
    smtpd_tls_loglevel = 0
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
    virtual_gid_maps = static:$vmail-gid
    virtual_mailbox_base = /
    virtual_mailbox_domains = mail.sendu.me.uk senduphotography.com bala.me.uk
    virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
    virtual_minimum_uid = 1000
    virtual_transport = virtual
    virtual_uid_maps = static:$vmail-uid

I'm running Postfix 2.8.4

Any help greatly appreciated.

--
View this message in context: http://postfix.1071664.n5.nabble.com/What-is-causing-this-mail-forwarding-loop-bounce-tp62199.html
Sent from the Postfix Users mailing list archive at Nabble.com.
Re: local_recipient_maps set up, yet postfix continues to send bounce messages
On 2013-10-14 4:00 PM, Chad Elliott wrote:
> virtual_alias_maps = hash:/etc/postfix/virtual
> virtual_mailbox_base = /var/spool/mail
> virtual_mailbox_domains = hash:/etc/postfix/mydomains
>
> There are no wildcards in virtual_alias_maps or alias_maps

Tests against your maps? What do

    postmap -q myserver.com hash:/etc/postfix/mydomains
    postmap -q inva...@myserver.com hash:/etc/postfix/virtual
    postmap -q va...@myserver.com hash:/etc/postfix/virtual

return?

-- 
Best regards,

Charles
Re: local_recipient_maps set up, yet postfix continues to send bounce messages
On Mon, Oct 14, 2013 at 5:27 PM, Charles Marcus wrote:
> On 2013-10-14 4:00 PM, Chad Elliott wrote:
>> virtual_alias_maps = hash:/etc/postfix/virtual
>> virtual_mailbox_base = /var/spool/mail
>> virtual_mailbox_domains = hash:/etc/postfix/mydomains
>>
>> There are no wildcards in virtual_alias_maps or alias_maps
>
> Tests against your maps?
>
> What do
>
> postmap -q myserver.com hash:/etc/postfix/mydomains

response was: "OK"

> postmap -q inva...@myserver.com hash:/etc/postfix/virtual

No Response, just a blank line

> postmap -q va...@myserver.com hash:/etc/postfix/virtual

This responded with the alias that the email address was mapped to, in this case "INFO"

> return?
Re: postfix reports no rDNS on a host with many PTR records
Blake Hudson:
> I'm seeing the following errors when a prominent North American life
> insurance vendor attempts to send me email.
>
> Oct 14 12:57:07 twinc postfix/smtpd[12194]: NOQUEUE: reject: RCPT from
> unknown[216.163.249.229]: 450 4.7.1 Client host rejected: cannot find
> your reverse hostname, [216.163.249.229];
> from= to=
> proto=ESMTP helo=

Please do not blame the messenger.

> The crux is that this host does have (an abundance of) rDNS:
>
> [blake@twinc ~]# host 216.163.249.229
> ;; Truncated, retrying in TCP mode.

Postfix does not make the DNS query. The DNS query is made by the SYSTEM LIBRARY functions getnameinfo() and getaddrinfo(). Postfix has no control over how they work.

When I test this with Postfix test programs for these functions:

    % ./getnameinfo 216.163.249.229
    Hostname:   ms.metlifeleads.com
    Address:    216.163.249.229

    % ./getaddrinfo ms.metlifeleads.com
    Hostname:   ms.metlifeleads.com
    Addresses:  216.163.249.229

(The test programs are in the Postfix source code distribution under auxiliary/name-addr-test/)

My non-Linux system returns one PTR result (ms.metlifeleads.com); the A record for this name is 216.163.249.229, and Postfix would be satisfied with the result.

I suspect that it doesn't work this way on your system. Some Linux distributions require extra configuration to handle more than one reply per query. I have forgotten what the option is.

	Wietse
Re: postfix reports no rDNS on a host with many PTR records
On 10/14/2013 08:41 PM, Blake Hudson wrote:
> I'm seeing the following errors when a prominent North American life insurance vendor attempts to send me email.
>
> Oct 14 12:57:07 twinc postfix/smtpd[12194]: NOQUEUE: reject: RCPT from unknown[216.163.249.229]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [216.163.249.229]; from= to= proto=ESMTP helo=
>
> The crux is that this host does have (an abundance of) rDNS:
>
> [blake@twinc ~]# host 216.163.249.229
> ;; Truncated, retrying in TCP mode.
> [...]
Re: requiring TLS on a pool of servers
On Mon, Oct 14, 2013 at 08:12:01AM -0400, Dan Langille wrote:

> The master.cf has something like this:
>
> 64.147.113.42:5587 inet n - n - - smtpd
> -o smtp_tls_security_level=encrypt

The above setting is pointless, drop it.

> -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt

An empty or nearly empty file is best here, all the CA DNs are sent to the SMTP client, which does not need any of them.

> Some of the entries from main.cf are:
>
> smtp_tls_policy_maps = hash:/usr/local/etc/postfix-config/tls_policy
> transport_maps = hash:/usr/local/etc/postfix-config/transport
> relay_clientcerts = hash:/usr/local/etc/postfix-config/relay_clientcerts
> smtpd_tls_fingerprint_digest=sha1
> smtp_tls_fingerprint_digest=sha1

Consider enabling TLS session caching.

-- Viktor.
Re: local_recipient_maps set up, yet postfix continues to send bounce messages
On 10/14/2013 3:41 PM, Chad Elliott wrote:
>> Without context, we can't provide much help.
>
>> - what instructions did you follow?
> I set up "local_recipient_maps = $virtual_alias_maps" and
> "unknown_local_recipient_reject_code = 550" per instructions located
> here:
> http://www.postfix.org/BACKSCATTER_README.html

I don't see anywhere that document recommends setting local_recipient_maps = $virtual_alias_maps. That looks like a hack someone dreamed up for covering broken address classes. Anyway, this won't have any effect for a virtual_mailbox_domain, which is what it appears you're using.

>> - what is being bounced?
> mail sent to non-existent aliases/users (not in virtual_alias_maps)
>
>> - what address class (local, virtual-alias, virtual-mailbox, ...) is
>> bouncing?
> virtual-alias

Make sure you understand address classes.
http://www.postfix.org/ADDRESS_CLASS_README.html

Each domain postfix is responsible for must be listed in *only one* address class, one of:

- local addresses, domain listed in mydestination, valid recipients listed in local_recipient_maps
- domains relayed elsewhere for final delivery, domains listed in relay_domains, valid recipients listed in relay_recipient_maps.
- virtual alias domains, domain listed in virtual_alias_domains, valid recipients listed in virtual_alias_maps (and must be aliased to another domain).
- virtual mailbox, domains listed in virtual_mailbox_domains, valid users listed in virtual_mailbox_maps

Usually people break recipient validation by using @domain <> @domain rewriting in virtual_alias_maps or in canonical maps. Don't do that.

>> - NON VERBOSE logs demonstrating the problem?
>
> Oct 14 13:37:37 mail postfix/smtpd[17348]: A887A1A084D7:
> client=mail-ie0-f180.google.com[209.85.223.180]
> Oct 14 13:37:37 mail postfix/cleanup[21208]: A887A1A084D7:
> message-id=
> Oct 14 13:37:37 mail postfix/qmgr[21037]: A887A1A084D7:
> from=, size=1490, nrcpt=1 (queue active)
> Oct 14 13:37:37 mail postfix/virtual[20895]: A887A1A084D7:
> to=, relay=virtual, delay=0.09,
> delays=0.09/0/0/0, dsn=5.1.1, status=bounced (unknown user:
> "testboun...@myserver.com")

Apparently this is a virtual mailbox domain. Valid users must be listed in virtual_mailbox_maps. Domain rewrite wildcards will break recipient validation.

> Oct 14 13:37:37 mail postfix/bounce[21056]: A887A1A084D7: sender
> non-delivery notification: B87541A084D9
> Oct 14 13:37:37 mail postfix/qmgr[21037]: A887A1A084D7: removed

-- Noel Jones
TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number
Hi people,

I'm running postfix 2.9.6 and openssl 1.0.1 stock from Ubuntu 12.04 LTS. postfix is generally working fine as a relay to several SMTP servers (using a relayhost_map). However, there is one server that is causing trouble so that I cannot use it with postfix (while directly addressing it with e.g. kmail works). That server is run by a large organization, so I can't change its configuration.

The errors I see are these:

> […] postfix/smtp[9689]: warning: TLS library problem: 9689:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> […] postfix/smtp[9689]: 033661A108A: to=, relay=server[X.X.X.X]:587, delay=0.51, delays=0.09/0.03/0.39/0, dsn=4.4.2, status=deferred (lost connection with server[X.X.X.X] while performing the EHLO handshake)

In diagnosing the problem, I found that I can connect correctly to the server on the command line by issuing:

$ openssl s_client -connect server:587 -starttls smtp -tls1

which gives (among many other things):

> Secure Renegotiation IS supported
> […]
> Protocol : TLSv1

but NOT if I say:

$ openssl s_client -connect server:587 -starttls smtp -tls1_1

which gives these errors:

> 3078101192:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> […]
> Secure Renegotiation IS NOT supported
> […]
> Protocol : TLSv1.1

(This error was the same with a self-compiled version of the latest openssl 1.0.1e.)

So, I thought I should try to force postfix to use tls1 instead of tls1_1 or 1_2. I set up a tls_policy map that I know is working (because it complains on typos or if I forbid all the protocols):

[server]:587 encrypt protocols=!SSLv2:!TLSv1.1:!TLSv1.2

However, this does not help, and I still get the same error. Giving "protocols=TLSv1" fails just the same.

What can I do?

Thanks in advance!
Michael
Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number
On Tue, Oct 15, 2013 at 03:20:13AM +0200, Michael B?ker wrote:

> > postfix/smtp[9689]: warning: TLS library problem: 9689:error:1408F10B:SSL
> > routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> > postfix/smtp[9689]: 033661A108A: to=,
> > relay=server[X.X.X.X]:587, delay=0.51, delays=0.09/0.03/0.39/0, dsn=4.4.2,
> > status=deferred (lost connection with server[X.X.X.X] while performing the
> > EHLO handshake)

Obfuscating the target domain and IP address makes it much harder to help you. At the very least you MUST obfuscate using a 1-to-1 function, so that each distinct domain or IP address is mapped to a distinct obfuscated value.

You must post the relevant entries (unmangled except for any 1-to-1 mapping) from your transport table that direct mail for the recipients in question via the problem relay.

> $ openssl s_client -connect server:587 -starttls smtp -tls1
>
> but NOT if I say:
>
> $ openssl s_client -connect server:587 -starttls smtp -tls1_1
>
> which gives these errors:
>
> [server]:587 encrypt protocols=!SSLv2:!TLSv1.1:!TLSv1.2

The obfuscation is again most unfortunate. Most likely said "[server]:587" lookup key is not in fact the literal nexthop from the transport table.

> However, this does not help, and I still get the same error. Giving
> "protocols=TLSv1" fails just the same.

Support for disabling TLSv1.1 and TLSv1.2 was added with Postfix 2.7.9, 2.8.10, 2.9.2 and 2.10. If you're using 2.9.6 you should be covered if you correctly specify the policy table lookup key and enable SMTP tls policy lookups.

Showing "postconf -n" output would also be helpful.

-- Viktor.
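The mismatch Viktor points at, a tls_policy key that is not the literal nexthop from the transport table, can be caught by cross-checking the two maps before mail is ever deferred. The script below is an added example, not code from the thread or from Postfix; its map contents are constructed, and it counts only a verbatim key as a match (Postfix's own fallback lookups are not modelled), so a reported near-miss is something to confirm with `postmap -q` against the real table.

```python
"""Cross-check transport nexthops against tls_policy keys (added example,
not from the thread or Postfix; map contents below are constructed)."""
import re

TRANSPORT = """
example.com    smtp:[mail.example.com]:587
example.org    smtp:[mx.example.org]:587
example.edu    smtp:smtp.example.edu
"""
# Constructed tls_policy: the example.org key lacks the brackets and port
# the transport nexthop carries; example.edu has no entry at all.
TLS_POLICY = """
[mail.example.com]:587   encrypt protocols=!SSLv2:!TLSv1.1:!TLSv1.2
mx.example.org           encrypt
"""

def parse_map(text):
    """Return {key: value} from 'key value...' lines; skip blanks/comments."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            out[parts[0]] = parts[1] if len(parts) > 1 else ""
    return out

def nexthops(transport_text):
    """Map each transport domain to the literal nexthop after 'transport:'."""
    hops = {}
    for domain, value in parse_map(transport_text).items():
        _, _, hop = value.partition(":")
        hops[domain] = hop or domain  # empty nexthop means the domain itself
    return hops

def bare_host(key):
    """Strip a trailing :port and surrounding [] for near-miss detection."""
    return re.sub(r":\d+$", "", key).strip("[]").lower()

def check(transport_text, policy_text):
    """Return {domain: 'ok' | 'near-miss' | 'missing'}; only a verbatim key is ok."""
    policy = parse_map(policy_text)
    bare_keys = {bare_host(k) for k in policy}
    result = {}
    for domain, hop in nexthops(transport_text).items():
        if hop in policy:
            result[domain] = "ok"
        elif bare_host(hop) in bare_keys:
            result[domain] = "near-miss"
        else:
            result[domain] = "missing"
    return result
```

Run against a real pair of tables, every domain whose relay must use TLS should come back `ok`; a `near-miss` is exactly the "[server]:587" versus bare-hostname situation discussed above.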