best practice for HA cluster

2019-02-08 Thread De Petter Mattheas
Hello


Which work method do you guys prefer for ha with postfix?

2 postfix nodes with F5 load balancer active/passive and shared storage for the
queue?
How can you share config between active and passive? Can we use a MySQL cluster
for configuration sharing between the two nodes?

HAProxy or HA cluster with two nodes?



With kind regards
Kind regards
De Petter Mattheas
Technical support engineer - projects team
IT-Department Jan De Nul Dredging N.V.
T +32 (0)53 73 95 53
F +32 (0)53 21 00 31
www.jandenul.com


Any reaction to this e-mail or any other mail, including any
files transmitted therewith to sender's e-mail address(es)
shall be dealt with not as private, but as business
communication(s) and shall be registered as such.



Re: best practice for HA cluster

2019-02-08 Thread Emmanuel Fusté

On 08/02/2019 at 11:35, De Petter Mattheas wrote:


Hello

Which work method do you guys prefer for ha with postfix?

2 postfix nodes with F5 load balancer active/passive and shared
storage for the queue


How can you share config between active and passive? Can we use a
MySQL cluster for configuration sharing between the two nodes?


HAProxy or HA cluster with two nodes?



Complete over-engineering.
For two nodes:
- two independent nodes
- MX DNS entries
- your preferred config tool to maintain the config

Never use shared storage. It will be your main source of problems.
Use properly sized and resilient nodes (RAID 1/10).
I never use a load balancer under 4 nodes, and always a minimum of two MX
and up to four.

I always separate inbound and outbound nodes.

KISS design is the base rule for robust design.

Emmanuel.



RE: best practice for HA cluster

2019-02-08 Thread De Petter Mattheas
Thanks for the assist.

But we need an active/passive setup and a shared config: when config A gets a
change, B should have exactly the same config.

How would you set this up ?


-Original Message-
From: Emmanuel Fusté  
Sent: 08 February 2019 12:41
To: De Petter Mattheas ; Postfix users 

Subject: Re: best practice for HA cluster

On 08/02/2019 at 11:35, De Petter Mattheas wrote:
>
> Hello
>
> Which work method do you guys prefer for ha with postfix?
>
> 2 postfix nodes with F5 load balancer active/passive and shared 
> storage for the queue
>
> How can you share config between active and passive? Can we use a 
> MySQL cluster for configuration sharing between the two nodes?
>
> HAProxy or HA cluster with two nodes?
>
>
Complete over-engineering.
For two nodes:
- two independent nodes
- MX DNS entries
- your preferred config tool to maintain the config

Never use shared storage. It will be your main source of problems.
Use properly sized and resilient nodes (RAID 1/10). I never use a load balancer 
under 4 nodes, and always a minimum of two MX and up to four.
I always separate inbound and outbound nodes.

KISS design is the base rule for robust design.

Emmanuel.






Re: best practice for HA cluster

2019-02-08 Thread Toens Bueker
De Petter Mattheas  wrote:

> But we need an active/passive setup and a shared config: when config A gets a 
> change, B should have exactly the same config.
> 
> How would you set this up ?

If you have a highly available load balancer, you should use that to
enable active/passive (if node one fails, shift traffic to node 2).

Configuration should take place via configuration management (which
should be in place anyway).

Kind regards,
Töns
-- 
There is no safe distance.


RE: best practice for HA cluster

2019-02-08 Thread De Petter Mattheas
Yes, we have an F5 load balancer.


But how do we shift the config? As far as I know there is no central mgmt for 
postfix, only config files on node 1 and node 2



With kind regards 
Kind regards  
De Petter Mattheas   
Technical support engineer - projects team 
IT-Department Jan De Nul Dredging N.V.
T +32 (0)53 73 95 53  
F +32 (0)53 21 00 31  
www.jandenul.com    


-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Toens Bueker
Sent: 08 February 2019 14:27
To: Postfix users 
Subject: Re: best practice for HA cluster

De Petter Mattheas  wrote:

> But we need an active/passive setup and a shared config: when config A gets a 
> change, B should have exactly the same config.
> 
> How would you set this up ?

If you have a highly available load balancer, you should use that to enable 
active/passive (if node one fails, shift traffic to node 2).

Configuration should take place via configuration management (which should be 
in place anyway).

Kind regards,
Töns
--
There is no safe distance.





Re: best practice for HA cluster

2019-02-08 Thread curtis
You could use Unison to keep the config folders in sync. Open source; runs on 
just about everything.

February 8 2019 8:59 AM, "De Petter Mattheas"  
wrote:
> Yes, we have an F5 load balancer.
> 
> But how do we shift the config? As far as I know there is no central mgmt 
> for postfix, only config
> files on node 1 and node 2
> 
> With kind regards 
> Kind regards  
> De Petter Mattheas   
> Technical support engineer - projects team 
> IT-Department Jan De Nul Dredging N.V.
> T +32 (0)53 73 95 53  
> F +32 (0)53 21 00 31  
> www.jandenul.com
> 
> -Original Message-
> From: owner-postfix-us...@postfix.org  On 
> Behalf Of Toens Bueker
> Sent: 08 February 2019 14:27
> To: Postfix users 
> Subject: Re: best practice for HA cluster
> 
> De Petter Mattheas  wrote:
> 
>> But we need an active/passive setup and a shared config: when config A gets 
>> a change, B should have
>> exactly the same config.
>> 
>> How would you set this up ?
> 
> If you have a highly available load balancer, you should use that to enable 
> active/passive (if node
> one fails, shift traffic to node 2).
> 
> Configuration should take place via configuration management (which should be 
> in place anyway).
> 
> Kind regards,
> Töns
> --
> There is no safe distance.
> 
> 


Re: best practice for HA cluster

2019-02-08 Thread Toens Bueker
De Petter Mattheas  wrote:

> Yes, we have an F5 load balancer.
> But how do we shift the config? As far as I know there is no central mgmt for 
> postfix, only config files on node 1 and node 2

I would use cfengine3 to enforce a config (ideally the same config)
on both nodes (which would be up and running at the same time) every
five minutes. Changes to the config would be done on the policy hub
and then automatically pulled by the nodes and enforced locally. 

If you have some other form of config management in place, it could be
used in a similar fashion. 

Kind regards,
Töns
-- 
There is no safe distance.
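Both suggestions in this thread (Unison keeping the config directories in sync, or cfengine3 pulling the same policy onto both nodes every few minutes) still leave the operator with the question of how to verify that the two nodes actually agree. The script below is an added example, not code from this thread, from Postfix, or from cfengine: it parses two `postconf -n` dumps using main.cf's lexical rules (a `name = value` line starts in column 1, a whitespace-indented line continues the previous value, `#` lines are comments) and reports every parameter that differs between the nodes. The `PER_NODE_KEYS` set of parameters that are allowed to differ, the two node dumps and all parameter values are constructed for the example.

```python
"""Configuration-drift check between two Postfix nodes.

Added example (not from the postfix-users thread or from Postfix): compare
the `postconf -n` output of two nodes and list every parameter whose value
differs, ignoring parameters that are expected to be node-specific.
"""
from typing import Dict, Iterable, Optional, Tuple

# Parameters that legitimately differ between the two nodes. This set is an
# assumption for the example; extend it for a real deployment.
PER_NODE_KEYS = frozenset({"myhostname", "inet_interfaces"})


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse main.cf / `postconf -n` text into {parameter: value}.

    A logical line starts in column 1 as `name = value`; a line that starts
    with whitespace continues the previous value; blank lines and lines
    whose first non-blank character is '#' are skipped.
    """
    params: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:  # continuation of the previous value
                params[current] = f"{params[current]} {raw.strip()}".strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment; ignore
        current = name.strip()
        params[current] = value.strip()
    return params


def config_drift(
    node_a: str,
    node_b: str,
    ignore: Iterable[str] = PER_NODE_KEYS,
) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {parameter: (value_on_a, value_on_b)} for every difference.

    A parameter that is set on only one node appears with None on the
    other side, so a setting dropped from one node is reported too.
    """
    a, b = parse_postconf(node_a), parse_postconf(node_b)
    skip = set(ignore)
    return {
        key: (a.get(key), b.get(key))
        for key in sorted(set(a) | set(b))
        if key not in skip and a.get(key) != b.get(key)
    }


# Constructed sample dumps: node 2 has lost its content_filter setting and
# carries one parameter that node 1 does not have.
NODE_A = """\
content_filter = amavisfeed:[127.0.0.1]:10024
myhostname = mx1.example.test
mynetworks = 127.0.0.0/8,
    192.0.2.0/24
smtpd_tls_security_level = may
"""

NODE_B = """\
content_filter =
myhostname = mx2.example.test
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_banner = $myhostname ESMTP
smtpd_tls_security_level = may
"""

if __name__ == "__main__":
    # In practice, capture `postconf -n` from each node into a file first.
    for key, (va, vb) in config_drift(NODE_A, NODE_B).items():
        print(f"{key}: node1={va!r} node2={vb!r}")
```

Run against real nodes by feeding it the saved `postconf -n` output of each host; the same function works on `main.cf` itself, since the parser follows the file's continuation-line rule. A non-empty result is the drift a periodic cfengine or Unison run should have prevented.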


RE: SMTP_HELO_NAME can cause Blacklist triggers

2019-02-08 Thread Patton, Matthew [Contractor]
> > On 06.02.19 02:42, Patton, Matthew [Contractor] wrote:
> > > I learned the hard way that if you don't set $myhostname to a FQDN
> > > you can quickly end up on a black list despite having valid SPF
> > > records.
> >
> > any evidence about this?

The host has both forward and reverse registered. It was in SPF. It's been 
sending mail just fine for months.
Previously the server had been HELO using an invalid FQDN configured via 
$myhostname. The hostname was bogus, as in could not be resolved, though the 
domain did exist. Furthermore the domain it was identifying as didn't match the 
PTR nor SPF. If anything, the host should have been blackballed from day one.

> > what led you to the conclusion that your non-fqdn hostname caused RBL
> > listing?

I changed the HELO to 'smtp' and $mydomain to match the A/PTR and the CBL got 
triggered within a very short period of time. Likely because of a hosted email 
provider like Microsoft (outlook.com) since we send a lot of messages their 
way. The other BL were clear/green.

The CBL remediation page was explicit about the lone 'smtp' being a trigger 
word thanks to MikroTik routers, and it refused to clear me (hit count kept 
going up) until I had a FQDN or perhaps a hostname that wasn't a trigger word - 
I didn't have the luxury of time to screw around testing hypotheses. As soon as 
I changed my HELO to the FQDN the reputation started to improve until it rolled 
off.

> > I know servers that refuse non-FQDN helo.
> > I've seen servers that refuse invalid or generic DNS names
> > (ip-XX.aws.internal is both).
> > But I don't remember a RBL that would immediately list such hosts.

If the HELO is simply 'smtp' it's apparently good enough for the CBL.
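The lesson of this exchange, that $myhostname must be a resolvable fully-qualified name that matches the sending host's forward and reverse DNS, can be turned into a pre-flight check run before a config change goes live. The following is an added Python example, not code from the thread or from Postfix: it validates a candidate $myhostname value by rejecting a bare IP literal, checking every DNS label against hostname syntax, flagging a single-label name such as 'smtp' as not fully qualified, and, when given the PTR name already looked up for the sending IP, reporting a mismatch. It performs no DNS lookups itself, and the sample names are constructed.

```python
"""Sanity check for the name Postfix announces in HELO/EHLO ($myhostname).

Added example, not from the postfix-users thread or from Postfix. The
function returns a list of findings; an empty list means the name looks
fit to announce. DNS lookups are deliberately left to the caller, who
passes the PTR name as an argument.
"""
import ipaddress
import re
from typing import List, Optional

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending
# with a hyphen (RFC 1123 hostname syntax).
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_helo_name(name: str, ptr_name: Optional[str] = None) -> List[str]:
    """Validate a candidate $myhostname value.

    name:     the value you intend to put in main.cf
    ptr_name: the PTR record of the sending IP, if already looked up
    """
    findings: List[str] = []
    host = name.strip().rstrip(".")
    if not host:
        return ["myhostname is empty"]
    try:
        ipaddress.ip_address(host)
        return [f"'{host}' is a bare IP address, not a hostname"]
    except ValueError:
        pass  # not an address literal; continue with hostname checks
    if len(host) > 253:
        findings.append("name exceeds 253 characters")
    labels = host.split(".")
    bad = [lab for lab in labels if not LABEL_RE.match(lab)]
    if bad:
        findings.append(f"invalid DNS label(s): {bad}")
    if len(labels) < 2:
        # This is the 'smtp' case from the thread: syntactically fine, but
        # not a FQDN and therefore indistinguishable from a generic host.
        findings.append(f"'{host}' is a single label, not a fully-qualified name")
    elif labels[-1].isdigit():
        findings.append("top-level label is all-numeric")
    if ptr_name is not None:
        ptr = ptr_name.strip().rstrip(".")
        if host.lower() != ptr.lower():
            findings.append(f"HELO name '{host}' does not match PTR '{ptr}'")
    return findings


if __name__ == "__main__":
    # Constructed candidates: what the thread's host used before and after.
    for candidate, ptr in [("smtp", "mx1.example.test"),
                           ("mx1.example.test", "mx1.example.test"),
                           ("192.0.2.10", None)]:
        print(candidate, "->", check_helo_name(candidate, ptr) or "ok")
```

A reasonable place to call this is a configuration-management pre-check that reads `postconf -h myhostname` and the PTR of the outbound address, and refuses to deploy when the list is non-empty.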



Re: best practice for HA cluster

2019-02-08 Thread Harald Koch
On Fri, Feb 8, 2019, at 06:40, Emmanuel Fusté wrote:
> 
> Never use shared storage. It will be your main source of problems.

Recognizing that shared storage is always a headache:

How do you handle the situation where your active node crashes with queued, 
undelivered messages?

-- 
Harald Koch
c...@pobox.com


Re: best practice for HA cluster

2019-02-08 Thread Emmanuel Fusté

On 08/02/2019 at 15:58, Harald Koch wrote:

On Fri, Feb 8, 2019, at 06:40, Emmanuel Fusté wrote:

Never use shared storage. It will be your main source of problems.

Recognizing that shared storage is always a headache:

How do you handle the situation where your active node crashes with queued, 
undelivered messages?

No: fix the problem, or at least move and rebuild the queue on another 
node. What are you calling crashes?

After 15 years of running Postfix, I never had to do it.
And the only time we lost emails was on shared storage, so we killed 
its usage nine years ago.

Cheaper, simpler, more serviceable, more robust.

Emmanuel.




Re: best practice for HA cluster

2019-02-08 Thread Wietse Venema
Harald Koch:
> On Fri, Feb 8, 2019, at 06:40, Emmanuel Fusté wrote:
> > 
> > Never use shared storage. It will be your main source of problems.
> 
> Recognizing that shared storage is always a headache:
> 
> How do you handle the situation where your active node crashes with queued, 
> undelivered messages?
> 

By making the file system redundant.

redundant MX service (each MX service has multiple Postfix queues)

redundant file system (each file system has multiple file servers)

redundant storage (each file server uses RAID)

Depending on budget, create the above in multiple geographical
locations, or replace some of the above with single instances.

Wietse


Re: Problems invoking amavis from postfix

2019-02-08 Thread Robert Moskowitz
I have dug some more and not found anything to help.  I went through 
http://www.postfix.org/docs.html where 2 of the amavis howtos are no 
longer available.  I have replicated the main.cf and master.cf as shown 
in http://www.shisaa.jp/postset/mailserver-1.html and still no apparent 
running of amavis on the test messages.


I have tried to get debugging working on postfix.  After reading 
http://www.postfix.org/DEBUG_README.html, I have tried appending -v to 
the smtpd lines in master.cf and not seen any more detail.  All I am 
seeing is:


Feb  8 11:11:45 klovia postfix/pickup[14472]: 3DD4059DA: uid=0 from=
Feb  8 11:11:45 klovia postfix/cleanup[14478]: 3DD4059DA: 
message-id=<20190208161145.3dd405...@klovia.htt-consult.com>
Feb  8 11:11:45 klovia postfix/qmgr[14473]: 3DD4059DA: 
from=, size=430, nrcpt=1 (queue active)
Feb  8 11:11:45 klovia dovecot: lda(r...@test.htt-consult.com): sieve: 
msgid=<20190208161145.3dd405...@klovia.htt-consult.com>: stored mail 
into mailbox 'INBOX'
Feb  8 11:11:45 klovia postfix/pipe[14484]: 3DD4059DA: 
to=, relay=dovecot, delay=1.1, 
delays=0.8/0.05/0/0.22, dsn=2.0.0, status=sent (delivered via dovecot 
service)

Feb  8 11:11:45 klovia postfix/qmgr[14473]: 3DD4059DA: removed

Something is wrong, but I have yet to find it.

Any and all help greatly appreciated.

On 2/7/19 4:16 PM, Robert Moskowitz wrote:
I am building a new system on CentOS7 that has postfix 2.10.1 and 
amavis-new 2.11.1


I am working from my notes of 2 years ago when I last did this 
successfully so either something has changed since then (quite 
likely), or I am missing something from my notes (also quite likely).


For main.cf I run:

postconf -e 'content_filter = amavis:[127.0.0.1]:10024'

Then I append to the default master.cf (working from my understanding 
that the last instruction in master.cf encountered is the one applied, 
rather than trying to edit what is there):


# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtpd      pass  -       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o smtpd_recipient_restrictions=
pickup     unix  n       -       n       60      1       pickup
    -o content_filter=
relay      unix  -       -       n       -       -       smtp
    -o fallback_relay=
maildrop   unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe
    flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
# spam/virus section
#
amavis     unix  -       -       y       -       2       lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
#
# Dovecot LDA
dovecot    unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}
#
# Vacation mail
vacation   unix  -       n       n       -       -       pipe
    flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}


Dovecot is working just fine, BTW.  So I run a couple of tests:

sendmail -i r...@test.htt-consult.com < sample-virus-simple.txt

Feb  7 12:52:57 klovia postfix/pickup[11341]: 9347458EC: uid=0 from=
Feb  7 12:52:57 klovia postfix/cleanup[11458]: 9347458EC: 
message-id=<20190207175257.934745...@klovia.htt-consult.com>
Feb  7 12:52:57 klovia postfix/qmgr[6089]: 9347458EC: 
from=, size=430, nrcpt=1 (queue active)
Feb  7 12:52:58 klovia dovecot: lda(r...@test.htt-consult.com): sieve: 
msgid=<20190207175257.934745...@klovia.htt-consult.com>: stored mail 
into mailbox 'INBOX'
Feb  7 12:52:58 klovia postfix/pipe[11465]: 9347458EC: 
to=, relay=dovecot, delay=4.3, 
delays=3.4/0.08/0/0.77, dsn=2.0.0, status=sent (delivered via dovecot 
service)

Feb  7 12:52:58 klovia postfix/qmgr[6089]: 9347458EC: removed


sendmail -i r...@test.htt-consult.com < sample-spam-GTUBE-junk.txt

Feb  7 12:54:08 klovia postfix/pickup[11341]: 860DE58EC: uid=0 from=
Feb  7 12:54:08 klovia postfix/cleanup[11458]: 860DE58EC: 
message-id=
Feb  7 12:54:08 klovia

Re: Problems invoking amavis from postfix

2019-02-08 Thread Wietse Venema
Robert Moskowitz:
> Something is wrong, but I have yet to find it.
> Any and all help greatly appreciated.

If you could summarize in one line what is wrong.

- You configured amavis via 'content_filter' but it is not being used?
  In that case, what is the output from:

  postconf -n content_filter
  postconf -P "*/*/content_filter"

  "postconf -P" requires Postfix 2.11 or later (released five years
  ago, it is no longer supported).

- Something else? amavis via Milter API, but it is not being used? 

Wietse


Re: Problems invoking amavis from postfix

2019-02-08 Thread Dominic Raferd
On Fri, 8 Feb 2019 at 16:18, Robert Moskowitz  wrote:
>
> I have dug some more and not found anything to help.  I went through 
> http://www.postfix.org/docs.html where 2 of the amavis howtos are no longer 
> available.  I have replicated the main.cf and master.cf as shown in 
> http://www.shisaa.jp/postset/mailserver-1.html and still no apparent running 
> of amavis on the test messages.
>
> I have tried to get debugging working on postfix.  After reading 
> http://www.postfix.org/DEBUG_README.html, I have tried appending -v to the 
> smtpd lines in master.cf and not seen any more detail.  All I am seeing is:
>
> Feb  8 11:11:45 klovia postfix/pickup[14472]: 3DD4059DA: uid=0 from=
> Feb  8 11:11:45 klovia postfix/cleanup[14478]: 3DD4059DA: 
> message-id=<20190208161145.3dd405...@klovia.htt-consult.com>
> Feb  8 11:11:45 klovia postfix/qmgr[14473]: 3DD4059DA: 
> from=, size=430, nrcpt=1 (queue active)
> Feb  8 11:11:45 klovia dovecot: lda(r...@test.htt-consult.com): sieve: 
> msgid=<20190208161145.3dd405...@klovia.htt-consult.com>: stored mail into 
> mailbox 'INBOX'
> Feb  8 11:11:45 klovia postfix/pipe[14484]: 3DD4059DA: 
> to=, relay=dovecot, delay=1.1, 
> delays=0.8/0.05/0/0.22, dsn=2.0.0, status=sent (delivered via dovecot service)
> Feb  8 11:11:45 klovia postfix/qmgr[14473]: 3DD4059DA: removed
>
> Something is wrong, but I have yet to find it.
>
> Any and all help greatly appreciated.

Try sending to amavis via smtp, not lmtp; this is the way I have it
set up in master.cf (extract only):

...
amavis unix - - y - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
...

and check for the setting of inet_socket_port in amavis, which needs
to be 10024 (set as default in debian, but not in original
amavisd-new):
grep -r \$inet_socket_port /etc/amavis

You will need to restart amavis after any configuration changes, and
maybe reload postfix too (it's easy enough).


Re: Problems invoking amavis from postfix

2019-02-08 Thread Robert Moskowitz

Wietse, thanks for responding.

On 2/8/19 11:31 AM, Wietse Venema wrote:

Robert Moskowitz:

Something is wrong, but I have yet to find it.
Any and all help greatly appreciated.

If you could summarize in one line what is wrong.


It does not seem that amavis-new is being called by postfix.  The test 
Eicar message goes right through into INBOX.




- You configured amavis via 'content_filter' but it is not being used?
   In that case, what is the output from:

   postconf -n content_filter


content_filter = amavisfeed:[127.0.0.1]:10024


   postconf -P "*/*/content_filter"

   "postconf -P" requires Postfix 2.11 or later (released five years
   ago, it is no longer supported).


And CentOS7 is still on 2.10.1


- Something else? amavis via Milter API, but it is not being used?


Besides the content_filter in main.cf, I have the 'typical' lines in 
master.cf:


amavisfeed unix    -    -    y    -    2    lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n    -    n    -    -    smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=

I suspect there is something else I have left out.



Wietse





Re: Problems invoking amavis from postfix

2019-02-08 Thread Robert Moskowitz




On 2/8/19 11:36 AM, Dominic Raferd wrote:

On Fri, 8 Feb 2019 at 16:18, Robert Moskowitz  wrote:

I have dug some more and not found anything to help.  I went through 
http://www.postfix.org/docs.html where 2 of the amavis howtos are no longer 
available.  I have replicated the main.cf and master.cf as shown in 
http://www.shisaa.jp/postset/mailserver-1.html and still no apparent running of 
amavis on the test messages.

I have tried to get debugging working on postfix.  After reading 
http://www.postfix.org/DEBUG_README.html, I have tried appending -v to the 
smtpd lines in master.cf and not seen any more detail.  All I am seeing is:

Feb  8 11:11:45 klovia postfix/pickup[14472]: 3DD4059DA: uid=0 from=
Feb  8 11:11:45 klovia postfix/cleanup[14478]: 3DD4059DA: 
message-id=<20190208161145.3dd405...@klovia.htt-consult.com>
Feb  8 11:11:45 klovia postfix/qmgr[14473]: 3DD4059DA: 
from=, size=430, nrcpt=1 (queue active)
Feb  8 11:11:45 klovia dovecot: lda(r...@test.htt-consult.com): sieve: 
msgid=<20190208161145.3dd405...@klovia.htt-consult.com>: stored mail into 
mailbox 'INBOX'
Feb  8 11:11:45 klovia postfix/pipe[14484]: 3DD4059DA: 
to=, relay=dovecot, delay=1.1, 
delays=0.8/0.05/0/0.22, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb  8 11:11:45 klovia postfix/qmgr[14473]: 3DD4059DA: removed

Something is wrong, but I have yet to find it.

Any and all help greatly appreciated.

Try sending to amavis via smtp, not lmtp; this is the way I have it
set up in master.cf (extract only):

...
amavis unix - - y - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
...


FWIW, my current, 4 year old system works with lmtp and all the docs I 
have read say to use lmtp, but I will give this a try.




and check for the setting of inet_socket_port in amavis, which needs
to be 10024 (set as default in debian, but not in original
amavisd-new):
grep -r \$inet_socket_port /etc/amavis



# grep -r \$inet_socket_port /etc/amavisd
/etc/amavisd/amavisd.conf:   # option(s) -p overrides $inet_socket_port and $unix_socketname
/etc/amavisd/amavisd.conf:$inet_socket_port = 10024;   # listen on this local TCP port(s)
/etc/amavisd/amavisd.conf:# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports


So that is right.  And I have tested this with 'telnet localhost 10024'.



You will need to restart amavis after any configuration changes, and
maybe reload postfix too (it's easy enough).





Re: Problems invoking amavis from postfix

2019-02-08 Thread Wietse Venema
Robert Moskowitz:
> Wietse, thanks for responding.
> 
> On 2/8/19 11:31 AM, Wietse Venema wrote:
> > Robert Moskowitz:
> >> Something is wrong, but I have yet to find it.
> >> Any and all help greatly appreciated.
> > If you could summarize in one line what is wrong.
> 
> It does not seem that amavis-new is being called by postfix.  The test 
> Eicar message goes right through into INBOX.

Never overlook the impossible: what is logged when you execute
"postfix reload"?  Does that configuration directory match the
location of the main.cf and master.cf files that you report here?

Wietse


Re: Problems invoking amavis from postfix

2019-02-08 Thread Robert Moskowitz




On 2/8/19 12:05 PM, Wietse Venema wrote:

Robert Moskowitz:

Wietse, thanks for responding.

On 2/8/19 11:31 AM, Wietse Venema wrote:

Robert Moskowitz:

Something is wrong, but I have yet to find it.
Any and all help greatly appreciated.

If you could summarize in one line what is wrong.

It does not seem that amavis-new is being called by postfix.  The test
Eicar message goes right through into INBOX.

Never overlook the impossible: what is logged when you execute
"postfix reload"?  Does that configuration directory match the
location of the main.cf and master.cf files that you report here?


I suspect it is something 'obvious', but I don't think it is this:

# postfix reload
postfix/postfix-script: refreshing the Postfix mail system
# tail /var/log/maillog -n10
Feb  8 11:52:22 klovia postfix/pickup[14557]: D519D5B15: uid=0 from=
Feb  8 11:52:22 klovia postfix/cleanup[14563]: D519D5B15: 
message-id=<20190208165222.d519d5...@klovia.htt-consult.com>
Feb  8 11:52:22 klovia postfix/qmgr[14558]: D519D5B15: 
from=, size=430, nrcpt=1 (queue active)
Feb  8 11:52:23 klovia dovecot: lda(r...@test.htt-consult.com): sieve: 
msgid=<20190208165222.d519d5...@klovia.htt-consult.com>: stored mail 
into mailbox 'INBOX'
Feb  8 11:52:23 klovia postfix/pipe[14570]: D519D5B15: 
to=, relay=dovecot, delay=0.72, 
delays=0.22/0.05/0/0.45, dsn=2.0.0, status=sent (delivered via dovecot 
service)

Feb  8 11:52:23 klovia postfix/qmgr[14558]: D519D5B15: removed
Feb  8 12:00:53 klovia clamd[6346]: SelfCheck: Database status OK.
Feb  8 12:10:53 klovia clamd[6346]: SelfCheck: Database status OK.
Feb  8 12:18:32 klovia postfix/postfix-script[14641]: refreshing the 
Postfix mail system
Feb  8 12:18:32 klovia postfix/master[14289]: reload -- version 2.10.1, 
configuration /etc/postfix


And /etc/postfix is where I have my edited main.cf and master.cf.




Re: Problems invoking amavis from postfix

2019-02-08 Thread Robert Moskowitz




On 2/8/19 12:05 PM, Wietse Venema wrote:

Robert Moskowitz:

Wietse, thanks for responding.

On 2/8/19 11:31 AM, Wietse Venema wrote:

Robert Moskowitz:

Something is wrong, but I have yet to find it.
Any and all help greatly appreciated.

If you could summarize in one line what is wrong.

It does not seem that amavis-new is being called by postfix.  The test
Eicar message goes right through into INBOX.

Never overlook the impossible: what is logged when you execute
"postfix reload"?  Does that configuration directory match the
location of the main.cf and master.cf files that you report here?


Here is some more information (asked in a private mail):

# postconf smtpd_milters content_filter smtpd_proxy_filter

smtpd_milters =
content_filter = amavisfeed:[127.0.0.1]:10024
smtpd_proxy_filter =

#postconf -Mxf

pickup     unix  n   -   n   60  1   pickup
cleanup    unix  n   -   n   -   0   cleanup
qmgr       unix  n   -   n   300 1   qmgr
tlsmgr     unix  -   -   n   1000?   1   tlsmgr
rewrite    unix  -   -   n   -   -   trivial-rewrite
bounce     unix  -   -   n   -   0   bounce
defer      unix  -   -   n   -   0   bounce
trace      unix  -   -   n   -   0   bounce
verify     unix  -   -   n   -   1   verify
flush      unix  n   -   n   1000?   0   flush
proxymap   unix  -   -   n   -   -   proxymap
proxywrite unix  -   -   n   -   1   proxymap
smtp       unix  -   -   n   -   -   smtp
relay      unix  -   -   n   -   -   smtp
showq      unix  n   -   n   -   -   showq
error      unix  -   -   n   -   -   error
retry      unix  -   -   n   -   -   error
discard    unix  -   -   n   -   -   discard
local      unix  -   n   n   -   -   local
virtual    unix  -   n   n   -   -   virtual
lmtp       unix  -   -   n   -   -   lmtp
anvil      unix  -   -   n   -   1   anvil
scache     unix  -   -   n   -   1   scache
Smtpd      pass  -   -   n   -   -   smtpd -v
submission inet  n   -   n   -   -   smtpd -v
    -o syslog_name=postfix/submission -o smtpd_tls_wrappermode=no
    -o smtpd_tls_security_level = encrypt -o smtpd_sasl_auth_enable=yes
    -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n   -   n   60  1   pickup
    -o content_filter=
relay      unix  -   -   n   -   -   smtp
    -o fallback_relay=
maildrop   unix  -   n   n   -   -   pipe
    flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp       unix  -   n   n   -   -   pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
    ($recipient)
ifmail     unix  -   n   n   -   -   pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -   n   n   -   -   pipe
    flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop
    $recipient
amavisfeed unix  -   -   y   -   2   lmtp
    -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes -o max_use=20
127.0.0.1:10025 inet n   -   n   -   -   smtpd
    -o content_filter= -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions= -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions= -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients= -o smtpd_milters= -o local_recipient_maps=
    -o relay_recipient_maps=
dovecot    unix  -   n   n   -   -   pipe
    flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d
    ${recipient}
vacation   unix  -   n   n   -   -   pipe
    flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} --
    ${recipient}




Re: Problems invoking amavis from postfix

2019-02-08 Thread Wietse Venema
Robert Moskowitz:
> > Never overlook the impossible: what is logged when you execute
> > "postfix reload"?  Does that configuration directory match the
> > location of the main.cf and master.cf files that you report here?
> 
> I suspect it is something 'obvious', but I don't think it is this:

One more:

ps ax|grep master

Wietse


Re: Problems invoking amavis from postfix

2019-02-08 Thread Viktor Dukhovni
On Fri, Feb 08, 2019 at 12:24:06PM -0500, Robert Moskowitz wrote:

[ Please avoid sending text with Unicode non-breaking spaces
  instead of ordinary spaces. ]

> Here is some more information (asked in a private mail):
> 
> # postconf smtpd_milters content_filter smtpd_proxy_filter
> 
> smtpd_milters =
> content_filter = amavisfeed:[127.0.0.1]:10024
> smtpd_proxy_filter =
> 
> #postconf -Mxf
> 
> pickup     unix  n   -   n   60  1   pickup
> pickup     unix  n   -   n   60  1   pickup
>     -o content_filter=

The "pickup" service is defined twice in master.cf, the second
instance (last one wins) disables content filtering for mail submitted
locally via sendmail(1).

On Fri, Feb 08, 2019 at 12:21:06PM -0500, Robert Moskowitz wrote:

> Feb  8 11:52:22 klovia postfix/pickup[14557]: D519D5B15: uid=0 from=

Your test probe was sent via sendmail(1).  Nothing to see here,
move along...

-- 
Viktor.
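Viktor's catch is the kind of thing that can be checked mechanically before a reload. The script below is an added example, not code from this thread or from Postfix, and stands in for Wietse's `postconf -P` on releases older than 2.11 such as the 2.10.1 on this host: it parses master.cf by its own rules (a service line starts in column 1, a whitespace-indented line continues it, `#` lines are comments), identifies each service by its (name, type) pair, reports every service defined more than once together with the line numbers involved, applies the last-definition-wins rule to find the effective definitions, and lists the effective services whose `-o content_filter=` override is empty, i.e. the entry points through which mail bypasses the main.cf content filter. The sample master.cf is constructed and modelled on the one posted earlier in the thread.

```python
"""Find duplicate service definitions in a Postfix master.cf.

Added example, not from the postfix-users thread or from Postfix. Postfix
keeps the last definition of a (name, type) pair; an appended duplicate
silently replaces the original, which is how the thread's second "pickup"
entry turned off content filtering for locally submitted mail.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ServiceKey = Tuple[str, str]  # (service name, transport type)


@dataclass
class Service:
    name: str
    kind: str                      # inet, unix, fifo or pass
    lineno: int                    # line on which the definition starts
    command: str                   # daemon name, e.g. smtpd, pickup, lmtp
    overrides: Dict[str, str] = field(default_factory=dict)  # -o name=value


def parse_master_cf(text: str) -> List[Service]:
    """Parse master.cf text into Service records, in file order."""
    logical: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment line
        if raw[0] in " \t" and logical:
            start, body = logical[-1]  # continuation of the previous entry
            logical[-1] = (start, f"{body} {stripped}")
            continue
        logical.append((lineno, stripped))

    services: List[Service] = []
    for lineno, line in logical:
        parts = line.split()
        if len(parts) < 8:
            raise ValueError(f"master.cf line {lineno}: expected 8 fields, got {len(parts)}")
        overrides: Dict[str, str] = {}
        args, i = parts[8:], 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args):
                key, _, value = args[i + 1].partition("=")
                overrides[key] = value
                i += 2
            else:
                i += 1  # pipe(8) attributes such as flags=, user=, argv=
        services.append(Service(parts[0], parts[1], lineno, parts[7], overrides))
    return services


def duplicate_services(services: List[Service]) -> Dict[ServiceKey, List[Service]]:
    """Every (name, type) pair that is defined more than once, in file order."""
    by_key: Dict[ServiceKey, List[Service]] = {}
    for svc in services:
        by_key.setdefault((svc.name, svc.kind), []).append(svc)
    return {key: defs for key, defs in by_key.items() if len(defs) > 1}


def effective_services(services: List[Service]) -> Dict[ServiceKey, Service]:
    """Apply the last-definition-wins rule."""
    return {(svc.name, svc.kind): svc for svc in services}


def filter_bypass_services(services: List[Service]) -> List[str]:
    """Effective services that set content_filter to empty: mail entering
    through them skips the main.cf content_filter."""
    return [svc.name for svc in effective_services(services).values()
            if svc.overrides.get("content_filter") == ""]


def duplicate_report(text: str) -> List[str]:
    """Human-readable findings for a master.cf text."""
    findings: List[str] = []
    for (name, kind), defs in duplicate_services(parse_master_cf(text)).items():
        winner = defs[-1]
        lines = ", ".join(str(d.lineno) for d in defs)
        msg = (f"service {name}/{kind} is defined {len(defs)} times "
               f"(lines {lines}); line {winner.lineno} wins")
        if winner.overrides.get("content_filter") == "":
            msg += "; it sets an empty content_filter, so mail via this service bypasses the filter"
        findings.append(msg)
    return findings


# Constructed sample, modelled on the master.cf posted in the thread.
SAMPLE_MASTER_CF = """\
# constructed sample, modelled on the master.cf posted in the thread
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
# appended later from a how-to: a second pickup entry without a filter
pickup     unix  n       -       n       60      1       pickup
    -o content_filter=
amavisfeed unix  -       -       y       -       2       lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
"""

if __name__ == "__main__":
    # Replace SAMPLE_MASTER_CF with open("/etc/postfix/master.cf").read()
    for line in duplicate_report(SAMPLE_MASTER_CF):
        print(line)
    print("filter bypass via:", filter_bypass_services(parse_master_cf(SAMPLE_MASTER_CF)))
```

On the sample this reports the duplicate `pickup/unix` pair and lists both `pickup` and `127.0.0.1:10025` as filter-bypass entry points; the second is the intended re-injection port for amavis, the first is the bug Viktor spotted.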


Re: Problems invoking amavis from postfix

2019-02-08 Thread Dominic Raferd
On Fri, 8 Feb 2019 at 17:33, Viktor Dukhovni  wrote:

> > #postconf -Mxf
> >
> > pickup     unix  n   -   n   60  1   pickup
> > pickup     unix  n   -   n   60  1   pickup
> >     -o content_filter=
>
> The "pickup" service is defined twice in master.cf, the second
> instance (last one wins) disables content filtering for mail submitted
> locally via sendmail(1).

I have to say - great catch ;-)


Re: Problems invoking amavis from postfix

2019-02-08 Thread Robert Moskowitz




On 2/8/19 12:32 PM, Wietse Venema wrote:

Robert Moskowitz:

Never overlook the impossible: what is logged when you execute
"postfix reload"?  Does that configuration directory match the
location of the main.cf and master.cf files that you report here?

I suspect it is something 'obvious', but I don't think it is this:

One more:

ps ax|grep master


13500 ?    Ss 0:11 /usr/sbin/amavisd (master)
14289 ?    Ss 0:01 /usr/libexec/postfix/master -w
14729 ttySAC2  S+ 0:00 grep --color=auto master




Re: Problems invoking amavis from postfix

2019-02-08 Thread Robert Moskowitz




On 2/8/19 12:42 PM, Dominic Raferd wrote:

On Fri, 8 Feb 2019 at 17:33, Viktor Dukhovni  wrote:


#postconf -Mxf

pickup unix   n - n 60   1  
   pickup
pickup unix   n - n 60   1  
   pickup
 -o content_filter=

The "pickup" service is defined twice in master.c, the second
instance (last one wins) disables content filtering for mail submitted
locally via sendmail(1).

I have to say - great catch ;-)


Like I said, I am obviously missing something simple I am not doing.

I pulled out that 2nd pickup entry (and I know where I picked up doing 
this, sigh):


Feb  8 13:22:30 klovia postfix/master[14289]: reload -- version 2.10.1, 
configuration /etc/postfix

Feb  8 13:22:49 klovia postfix/pickup[14743]: E01D25B15: uid=0 from=
Feb  8 13:22:49 klovia postfix/cleanup[14751]: E01D25B15: 
message-id=<20190208182249.e01d25...@klovia.htt-consult.com>
Feb  8 13:22:50 klovia postfix/qmgr[14744]: E01D25B15: 
from=, size=430, nrcpt=1 (queue active)
Feb  8 13:22:50 klovia amavis[13505]: (13505-02) LMTP [127.0.0.1]:10024 
/var/spool/amavisd/tmp/amavis-20190208T132250-13505-c4dwb85j: 
 ->  SIZE=430 
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost 
(klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP 
for ; Fri,  8 Feb 2019 13:22:50 -0500 (EST)
Feb  8 13:22:50 klovia amavis[13505]: (13505-02) Checking: ry67P_Ijljpy 
[127.0.0.1]  -> 
Feb  8 13:22:50 klovia clamd[6346]: 
/var/spool/amavisd/tmp/amavis-20190208T132250-13505-c4dwb85j/parts/p002: 
Eicar-Test-Signature FOUND
Feb  8 13:22:50 klovia clamd[6346]: 
/var/spool/amavisd/tmp/amavis-20190208T132250-13505-c4dwb85j/parts/p001: 
Eicar-Test-Signature FOUND
Feb  8 13:22:50 klovia amavis[13505]: (13505-02) Blocked INFECTED 
(Eicar-Test-Signature) {DiscardedInbound,Quarantined}, [127.0.0.1] 
 -> , Message-ID: 
<20190208182249.e01d25...@klovia.htt-consult.com>, mail_id: 
ry67P_Ijljpy, Hits: -, size: 430, 383 ms
Feb  8 13:22:50 klovia postfix/lmtp[14755]: E01D25B15: 
to=, relay=127.0.0.1[127.0.0.1]:10024, 
delay=3, delays=2.5/0.04/0.01/0.39, dsn=2.7.0, status=sent (250 2.7.0 
Ok, discarded, id=13505-02 - INFECTED: Eicar-Test-Signature)

Feb  8 13:22:50 klovia postfix/qmgr[14744]: E01D25B15: removed


thank you, thank you, thank you...




Re: Problems invoking amavis from postfix

2019-02-08 Thread Viktor Dukhovni
> On Feb 8, 2019, at 1:26 PM, Robert Moskowitz  wrote:
> 
> Like I said, I am obviously missing something simple I am not doing.
> 
> I pulled out that 2nd pickup entry (and I know where I picked up doing this, 
> sigh):

Be careful to not introduce loops.  That override to skip content filters
with pickup(8) is required if you ever decide to use "simple content filters"
as described in FILTER_README.  If all your filters are SMTP or LMTP, and
you want to filter local submission, then it is safe to remove the override.

-- 
Viktor.



PATCH: Problems invoking amavis from postfix

2019-02-08 Thread Wietse Venema
Viktor Dukhovni:
> > pickup unix   n - n 60  
> >  1 pickup
> > pickup unix   n - n 60  
> >  1 pickup
> > -o content_filter=
> 
> The "pickup" service is defined twice in master.c, the second
> instance (last one wins) disables content filtering for mail submitted
> locally via sendmail(1).

That was easy enough to fix:

Feb  8 13:42:53 spike postfix/master[53597]: warning: duplicate master.cf entry 
for service "pickup" (public/pickup)-- using the last entry

--- ./src/master/master_conf.c- 2019-02-08 13:39:50.0 -0500
+++ ./src/master/master_conf.c  2019-02-08 13:36:28.0 -0500
@@ -117,6 +117,14 @@
}
 
/*
+* Warn about duplicate entry.
+*/
+   else if ((serv->flags & MASTER_FLAG_MARK) == 0) {
+   msg_warn("duplicate master.cf entry for service \"%s\" (%s)"
+"-- using the last entry", serv->ext_name, serv->name);
+   }
+
+   /*
 * Update an existing service entry. Make the current generation of
 * child processes commit suicide whenever it is convenient. The next
 * generation of child processes will run with the new configuration
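Review bot: the two string literals passed to msg_warn() concatenate to `(%s)-- using the last entry`, so the warning is emitted with no space before the dashes, exactly as the log line above shows (`(public/pickup)-- using the last entry`); suggest changing the second literal to `" -- using the last entry"`. The `else if` branch also depends on MASTER_FLAG_MARK having been set on every carried-over service before the rescan and cleared once an entry has been seen in this pass; neither step is in the visible context, so a short comment on the branch stating that a cleared mark means "already seen in this pass" would make the condition self-explanatory to the next reader.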


Re: Problems invoking amavis from postfix

2019-02-08 Thread Robert Moskowitz




On 2/8/19 1:42 PM, Viktor Dukhovni wrote:

On Feb 8, 2019, at 1:26 PM, Robert Moskowitz  wrote:

Like I said, I am obviously missing something simple I am not doing.

I pulled out that 2nd pickup entry (and I know where I picked up doing this, 
sigh):

Be careful to not introduce loops.  That override to skip content filters
with pickup(8) is required if you ever decide to use "simple content filters"
as described in FILTER_README.  If all your filters are SMTP or LMTP, and
you want to filter local submission, then it is safe to remove the override.

Digging back into my notes from 2 years ago, avoiding the loop was why I 
added the content_filter override AFTER I had tested the antivirus 
scanning.  Grumble, grumble.


I am going to leave it out for now.  I will revisit this when I start 
working on using MILTER and adding DKIM and such.  For now, I have to 
get this system upgrade completed.  Getting close.





Re: PATCH: Problems invoking amavis from postfix

2019-02-08 Thread Robert Moskowitz




On 2/8/19 1:44 PM, Wietse Venema wrote:

Viktor Dukhovni:

pickup unix   n - n 60   1  
   pickup
pickup unix   n - n 60   1  
   pickup
 -o content_filter=

The "pickup" service is defined twice in master.c, the second
instance (last one wins) disables content filtering for mail submitted
locally via sendmail(1).

That was easy enough to fix:


When I was working on this 2 years ago, I thought it was kind of cool 
that instead of editing master.cf entries to fix them, I could just 
append a whole new entry with the 'right' content.


Much easier to automate changes (as we had nothing like postconf -e for 
changing master.cf).  If I read the patch right, you are providing a 
warning of the double entry.  Perhaps a better patch would warn and drop 
all but the last entry?





Feb  8 13:42:53 spike postfix/master[53597]: warning: duplicate master.cf entry for 
service "pickup" (public/pickup)-- using the last entry

--- ./src/master/master_conf.c- 2019-02-08 13:39:50.0 -0500
+++ ./src/master/master_conf.c  2019-02-08 13:36:28.0 -0500
@@ -117,6 +117,14 @@
}
  
  	/*

+* Warn about duplicate entry.
+*/
+   else if ((serv->flags & MASTER_FLAG_MARK) == 0) {
+   msg_warn("duplicate master.cf entry for service \"%s\" (%s)"
+"-- using the last entry", serv->ext_name, serv->name);
+   }
+
+   /*
 * Update an existing service entry. Make the current generation of
 * child processes commit suicide whenever it is convenient. The next
 * generation of child processes will run with the new configuration





Re: PATCH: Problems invoking amavis from postfix

2019-02-08 Thread Wietse Venema
Robert Moskowitz:
> 
> 
> On 2/8/19 1:44 PM, Wietse Venema wrote:
> > Viktor Dukhovni:
> >>> pickup unix   n - n 60
> >>>1 pickup
> >>> pickup unix   n - n 60
> >>>1 pickup
> >>>  -o content_filter=
> >> The "pickup" service is defined twice in master.c, the second
> >> instance (last one wins) disables content filtering for mail submitted
> >> locally via sendmail(1).
> > That was easy enough to fix:
> 
> When I was working on this 2 years ago, I thought it was kind of cool 
> that instead of editing master.cf entries to fix them, I could just 
> append a whole new entry with the 'right' content.
> 
> Much easier to automate changes (as we had nothing like postconf -e for 
> changing master.cf). If I read the patch right, you are providing a 
> warning of the double entry. Perhaps a better patch would warn and drop 
> all but the last entry?

Why do you think it was keeping both pickup entries?

Wietse


Re: PATCH: Problems invoking amavis from postfix

2019-02-08 Thread Viktor Dukhovni
> On Feb 8, 2019, at 2:07 PM, Robert Moskowitz  wrote:
> 
> Much easier to automate changes (as we had nothing like postconf -e for 
> changing master.cf).  If I read the patch right, you are providing a warning 
> of the double entry.  Perhaps a better patch would warn and drop all but the 
> last entry?

It is not the job of master(8) to edit master.cf.  Indeed that file
might reside in read-only storage.

If you meant "use only the last one", as Wietse also notes, that's the
current behaviour.

-- 
Viktor.



Re: PATCH: Problems invoking amavis from postfix

2019-02-08 Thread Robert Moskowitz




On 2/8/19 2:08 PM, Wietse Venema wrote:

Robert Moskowitz:


On 2/8/19 1:44 PM, Wietse Venema wrote:

Viktor Dukhovni:

pickup unix   n - n 60   1  
   pickup
pickup unix   n - n 60   1  
   pickup
  -o content_filter=

The "pickup" service is defined twice in master.c, the second
instance (last one wins) disables content filtering for mail submitted
locally via sendmail(1).

That was easy enough to fix:

When I was working on this 2 years ago, I thought it was kind of cool
that instead of editing master.cf entries to fix them, I could just
append a whole new entry with the 'right' content.

Much easier to automate changes (as we had nothing like postconf -e for
changing master.cf). If I read the patch right, you are providing a
warning of the double entry. Perhaps a better patch would warn and drop
all but the last entry?

Why do you think it was keeping both pickup entries?


Well, I am not sure.  From Viktor's earlier note, it seems that the last 
wins and the earlier ones are just ignored.  Maybe it is that Viktor 
said, "master.c" and I don't know how "master.c" is different from 
"master.cf" that is in /etc/postfix.


I kind of assumed (and we know what that is an abbreviation for) that 
"master.c" is an internal entry in postfix built from processing 
master.cf.  Thus why keep all but the last in the internal table?





Re: PATCH: Problems invoking amavis from postfix

2019-02-08 Thread Viktor Dukhovni



> On Feb 8, 2019, at 2:15 PM, Robert Moskowitz  wrote:
> 
> Well, I am not sure.  From Viktor's earlier note, it seems that the last wins 
> and the earlier ones are just ignored.  Maybe it is that Viktor said, 
> "master.c"

A simple typo.  I meant master.cf.

-- 
Viktor.



Re: PATCH: Problems invoking amavis from postfix

2019-02-08 Thread Robert Moskowitz




On 2/8/19 2:10 PM, Viktor Dukhovni wrote:

On Feb 8, 2019, at 2:07 PM, Robert Moskowitz  wrote:

Much easier to automate changes (as we had nothing like postconf -e for 
changing master.cf).  If I read the patch right, you are providing a warning of 
the double entry.  Perhaps a better patch would warn and drop all but the last 
entry?

It is not the job of master(8) to edit master.cf.  Indeed that file
might reside in read-only storage.

If you meant "use only the last one", as Wietse also notes, that's the
current behaviour.


Ah, so it is my muddled reading.

I did not think that postfix should edit master.cf.  Only its internal 
processes would use the last entry found.





Re: PATCH: Problems invoking amavis from postfix

2019-02-08 Thread Wietse Venema
Robert Moskowitz:
> 
> 
> On 2/8/19 2:10 PM, Viktor Dukhovni wrote:
> >> On Feb 8, 2019, at 2:07 PM, Robert Moskowitz  wrote:
> >>
> >> Much easier to automate changes (as we had nothing like postconf -e for 
> >> changing master.cf).  If I read the patch right, you are providing a 
> >> warning of the double entry.  Perhaps a better patch would warn and drop 
> >> all but the last entry?
> > It is not the job of master(8) to edit master.cf.  Indeed that file
> > might reside in read-only storage.
> >
> > If you meant "use only the last one", as Wietse also notes, that's the
> > current behaviour.
> >
> Ah, so it is my muddled reading.
> 
> I did not think that postfix should edit master.cf. Only its internal 
> processes would use the last entry found.

To make this abundantly clear, adding this warning does not change program 
behavior.

Wietse


Re: PATCH: Problems invoking amavis from postfix

2019-02-08 Thread Robert Moskowitz




On 2/8/19 2:31 PM, Wietse Venema wrote:

Robert Moskowitz:


On 2/8/19 2:10 PM, Viktor Dukhovni wrote:

On Feb 8, 2019, at 2:07 PM, Robert Moskowitz  wrote:

Much easier to automate changes (as we had nothing like postconf -e for 
changing master.cf).  If I read the patch right, you are providing a warning of 
the double entry.  Perhaps a better patch would warn and drop all but the last 
entry?

It is not the job of master(8) to edit master.cf.  Indeed that file
might reside in read-only storage.

If you meant "use only the last one", as Wietse also notes, that's the
current behaviour.


Ah, so it is my muddled reading.

I did not think that postfix should edit master.cf. Only its internal
processes would use the last entry found.

To make this abundantly clear, adding this warning does not change program 
behavior.


I did see that, and because I assumed Viktor's typo (and I am a master 
at making typos) was a 'new' insight (for me) into postfix that there 
was something more at work here.


Got it all now.

I hope.

:)