Re: Adding route to Gateway server

2020-12-03 Thread Matus UHLAR - fantomas

On 02.12.20 18:04, Chu, Uy wrote:

I currently have 2 postfix servers as our gateway servers hosting our
domain. It is currently configured to receive internet email bound for our
domain and then send it to our ProofPoint servers for hygiene scrubbing.
This is all working great right now, but our Cyber team wanted us to
implement a journaling mailbox/server and bcc all inbound and outbound
to/from the internet emails to this
mail...@server.com.


they need to forward syslog as well, since the original recipient
information is lost this way.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901


Re: Adding route to Gateway server

2020-12-03 Thread Christian Ejlertsen
You can just add it to the transport file.
E.g. add this to the transport file:
1...@1234test.com smtp:1.2.3.4

postmap the file.
Test with: postmap -q "1...@1234test.com" /path/to/transport

Taken from
http://www.postfix.org/transport.5.html

look under table search order


--

Med venlig hilsen / Best Regards

Christian Ejlertsen
Lytzen IT A/S
Tlf: +45 88328788
Dir: +45 88328707

On Wed, 2020-12-02 at 18:04 +, Chu, Uy wrote:
Hi,

I currently have 2 postfix servers as our gateway servers hosting our domain.
It is currently configured to receive internet email bound for our domain and
then send it to our ProofPoint servers for hygiene scrubbing. This is all
working great right now, but our Cyber team wanted us to implement a journaling
mailbox/server and bcc all inbound and outbound to/from the internet emails to
this mail...@server.com.

How can I create that route so that, when I use always_bcc =
mail...@server.com, it will not go through my
normal route to our ProofPoint servers?

Thank you for your help.
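As an added illustration (not code from Christian's post or from Postfix itself): a POSIX shell emulation of the transport(5) table search order, so the entry for the always_bcc journaling address can be sanity-checked against a constructed table before `postmap -q` is run against the real one. The addresses, hosts and the assumption that "+" is the recipient_delimiter are placeholders of my own.

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix: emulate the
# transport(5) lookup order (user+ext@domain, user@domain, domain,
# .parent domains, then "*") so a transport table can be checked offline.
# On the real server the check is: postmap -q key /path/to/transport

# Constructed sample table; hosts and addresses are placeholders.
TRANSPORT_TABLE="$(mktemp)"
cat >"$TRANSPORT_TABLE" <<'EOF'
# journaling mailbox: direct delivery, bypassing the hygiene relay
journal@mail.example.net    smtp:[192.0.2.25]
# everything else for our domain (and its subdomains) goes to ProofPoint
example.com                 smtp:[proofpoint.example.com]
.example.com                smtp:[proofpoint.example.com]
EOF

# lookup_key KEY FILE: print the transport for an exact key, or return 1.
lookup_key() {
    awk -v k="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == k { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# transport_lookup ADDRESS FILE: print the transport chosen for ADDRESS,
# or "default" when nothing matches (Postfix would then fall back to
# default_transport). Assumes "+" as recipient_delimiter.
transport_lookup() {
    addr="$1"; file="$2"
    user="${addr%@*}"; domain="${addr#*@}"
    lookup_key "$addr" "$file" && return 0
    case "$user" in
        *+*) lookup_key "${user%%+*}@$domain" "$file" && return 0 ;;
    esac
    lookup_key "$domain" "$file" && return 0
    d="$domain"
    while [ "${d#*.}" != "$d" ]; do
        d="${d#*.}"
        lookup_key ".$d" "$file" && return 0
    done
    lookup_key '*' "$file" && return 0
    echo default
}

for a in journal@mail.example.net user@example.com user@corp.example.com; do
    printf '%s -> %s\n' "$a" "$(transport_lookup "$a" "$TRANSPORT_TABLE")"
done
```

The journaling address gets its own route while everything else for the domain and its subdomains still hits the ProofPoint entry, which is the separation the question asks for.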



About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Sergio Belkin
Hi folks,
I have a postfix 2.10 with the following parameters set:

smtp_address_preference = any
inet_protocols = all

Sometimes users get this kind of error:


This is the mail system at host groupware.example.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

: Host or domain name not found. Name
service error for
name=another-example.com.mail.protection.outlook.com type=: Host
found but no data record of requested type


AFAIK if DNS over IPv6 fails it tries over IPv4, doesn't it?

I wonder if, beyond this bounce, the SMTP client then uses IPv4 and sends the
messages anyway. Could you please clarify this for me?

Thanks in advance

-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Wietse Venema
Sergio Belkin:
> smtp_address_preference = any
> inet_protocols = all
...
> : Host or domain name not found. Name
> service error for
> name=another-example.com.mail.protection.outlook.com type=: Host
> found but no data record of requested type
> 
> 
> AFAIK if DNS over IPv6 fails it tries over IPv4, doesn't it?

Postfix will send A and AAAA queries, but it will report an error
only for the last query that it tried. You might find more details
in the Postfix logging.

So, the complete error message would be:

"I made DNS queries with type A and AAAA for the name
another-example.com.mail.protection.outlook.com. All queries
failed. The last query that failed had type AAAA. The last error
was "name exists but there is no AAAA record".

But we really don't want to send THAT in an email bounce message.

> I wonder if, beyond this bounce, the SMTP client then uses IPv4 and sends the
> messages anyway. Could you please clarify this for me?

All A and AAAA queries failed.

Wietse


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Sergio Belkin
On Thu, 3 Dec 2020 at 16:37, Wietse Venema () wrote:

> Sergio Belkin:
> > smtp_address_preference = any
> > inet_protocols = all
> ...
> > : Host or domain name not found. Name
> > service error for
> > name=another-example.com.mail.protection.outlook.com type=: Host
> > found but no data record of requested type
> > 
> >
> > AFAIK if DNS over IPv6 fails it tries over IPv4, doesn't it?
>
> Postfix will send A and AAAA queries, but it will report an error
> only for the last query that it tried. You might find more details
> in the Postfix logging.
>
> So, the complete error message would be:
>
> "I made DNS queries with type A and AAAA for the name
> another-example.com.mail.protection.outlook.com. All queries
> failed. The last query that failed had type AAAA. The last error
> was "name exists but there is no AAAA record".
>
> But we really don't want to send THAT in an email bounce message.
>
> > I wonder if, beyond this bounce, the SMTP client then uses IPv4 and sends the
> > messages anyway. Could you please clarify this for me?
>
> All A and AAAA queries failed.
>
> Wietse
>

Thanks Wietse for your answer

It is quite interesting that I find the following in the logs:
Dec  2 23:53:09 muteriver postfix/smtp[28063]: warning: no MX host for
another-example.com has a valid address record

And then:

Dec  2 23:53:09 muteriver postfix/smtp[28063]: ED1CF1813C56F: to=<
apere...@another-example.com>, relay=none, delay=5.9, delays=0.17/0/5.8/0,
dsn=5.4.4, status=bounced (Host or domain name not found. Name service
error for name=another-example.com.mail.protection.outlook.com type=:
Host found but no data record of requested type)

and finally:

Dec  2 23:53:10 muteriver postfix/qmgr[1528]: ED1CF1813C56F: removed

That last line led me to wonder if the message was finally sent...

If I try to resolve another-example.com.mail.protection.outlook.com
manually on the mail server, it works fine with IPv4.

What do you think?

Was the message never sent?

If so, is there a way for postfix to retry later if there is a temporary
resolution problem?

Thanks in advance!
-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Viktor Dukhovni
On Thu, Dec 03, 2020 at 05:34:45PM -0300, Sergio Belkin wrote:

> Dec  2 23:53:09 muteriver postfix/smtp[28063]: ED1CF1813C56F: to=<
> apere...@another-example.com>, relay=none, delay=5.9, delays=0.17/0/5.8/0,
> dsn=5.4.4, status=bounced (Host or domain name not found. Name service
> error for name=another-example.com.mail.protection.outlook.com type=:
> Host found but no data record of requested type)

This was not a transient error; an authoritative "no such host or
address" response was received, as is seen from the hard "5.4.4" DSN.

https://tools.ietf.org/html/rfc3463#section-3.5

With transient DNS errors, the DSN would have been 4.4.4.  You should
also note the "status=bounced".  The message was "returned to sender,
address unknown".

> Dec  2 23:53:10 muteriver postfix/qmgr[1528]: ED1CF1813C56F: removed

The original message was therefore removed.

-- 
Viktor.
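As an added example, not from the thread: a shell/awk triage over constructed Postfix log lines (modelled on the ones Sergio posted, with made-up recipients and a made-up 4.4.4 deferral) that separates hard 5.x.x DSNs, where the message was bounced and leaves the queue, from 4.x.x DSNs that Postfix will retry, and lists the domains behind "no MX host ... has a valid address record" warnings.

```shell
#!/bin/sh
# Added example, not from the thread: triage Postfix smtp log lines by
# enhanced status code (RFC 3463). A 5.x.x DSN with status=bounced is a
# permanent failure (the queue file is removed once the non-delivery
# notification is queued); a 4.x.x DSN with status=deferred is transient
# and the delivery will be retried.

# Constructed sample log, modelled on the lines in the thread; the
# recipients and the 4.4.4 entry are made up.
MAILLOG="$(mktemp)"
cat >"$MAILLOG" <<'EOF'
Dec  2 23:53:09 muteriver postfix/smtp[28063]: warning: no MX host for another-example.com has a valid address record
Dec  2 23:53:09 muteriver postfix/smtp[28063]: ED1CF1813C56F: to=<user1@another-example.com>, relay=none, delay=5.9, delays=0.17/0/5.8/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=another-example.com.mail.protection.outlook.com type=AAAA: Host found but no data record of requested type)
Dec  2 23:53:10 muteriver postfix/qmgr[1528]: ED1CF1813C56F: removed
Dec  2 23:58:41 muteriver postfix/smtp[28070]: 0A1B2C3D4E5F6: to=<user2@example.org>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.4, status=deferred (Host or domain name not found. Name service error for name=mx.example.org type=A: Host not found, try again)
EOF

# dns_failure_report FILE: one line "<queue-id> <dsn> <verdict> <domain>"
# per delivery attempt that failed with a name service error.
dns_failure_report() {
    awk '
        / postfix\/smtp\[[0-9]+\]: [0-9A-Z]+: to=</ && /Name service error/ {
            qid = $6; sub(/:$/, "", qid)
            dsn = ""; dom = ""
            for (i = 7; i <= NF; i++) {
                if ($i ~ /^dsn=/) { dsn = substr($i, 5); sub(/,$/, "", dsn) }
                if ($i ~ /^to=</) { dom = $i; sub(/^to=<[^@]*@/, "", dom); sub(/>,?$/, "", dom) }
            }
            if (dsn ~ /^5\./)      verdict = "permanent-bounced"
            else if (dsn ~ /^4\./) verdict = "transient-deferred"
            else                   verdict = "unknown"
            print qid, dsn, verdict, dom
        }
    ' "$1"
}

# mx_warning_domains FILE: domains for which Postfix warned that no MX
# host has a valid address record; these deserve a manual MX/A/AAAA
# check from the same resolver the SMTP client uses.
mx_warning_domains() {
    awk '/warning: no MX host for / {
            for (i = 1; i <= NF; i++) if ($i == "for") { print $(i + 1); break }
        }' "$1" | sort -u
}

dns_failure_report "$MAILLOG"
mx_warning_domains "$MAILLOG"
```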


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Wietse Venema
> So, the complete error message would be:
>
> "I made DNS queries with type A and AAAA for the name
> another-example.com.mail.protection.outlook.com. All queries
> failed. The last query that failed had type AAAA. The last error
> was "name exists but there is no AAAA record".
>
> But we really don't want to send THAT in an email bounce message.
>
> > I wonder if, beyond this bounce, the SMTP client then uses IPv4 and sends the
> > messages anyway. Could you please clarify this for me?
>
> All A and AAAA queries failed.

Sergio Belkin:
> 
> Thanks Wietse for your answer
> 
> It is quite interesting that I find the following in the logs:
> Dec  2 23:53:09 muteriver postfix/smtp[28063]: warning: no MX host for
> another-example.com has a valid address record

Indeed, these details are not revealed in the bounce message but
can be found in Postfix logs.

> And then:
> 
> Dec  2 23:53:09 muteriver postfix/smtp[28063]: ED1CF1813C56F: to=<
> apere...@another-example.com>, relay=none, delay=5.9, delays=0.17/0/5.8/0,
> dsn=5.4.4, status=bounced (Host or domain name not found. Name service
> error for name=another-example.com.mail.protection.outlook.com type=:
> Host found but no data record of requested type)
> 
> and finally:
> 
> Dec  2 23:53:10 muteriver postfix/qmgr[1528]: ED1CF1813C56F: removed
> 
> That last line led me to wonder if the message was finally sent...

The message ED1CF1813C56F is deleted ONLY after Postfix successfully
injects the non-delivery notification into the Postfix mail queue.

> If I try to resolve another-example.com.mail.protection.outlook.com
> manually on the mail server, it works fine with IPv4.
> 
> What do you think?

What comes to mind:

1) You ran the command as root, and the Postfix SMTP client does
not run as root. Name resolution fails when the necessary files are
not accessible.

2) You ran the command outside the Postfix chroot jail, and the
Postfix SMTP client runs inside the Postfix chroot jail. Name
resolution fails inside the chroot jail when files are missing,
have wrong permissions, or have wrong contents.

3) Some "security" configuration is breaking Postfix. For example
SELinux or AppArmor.

4) Some other permission or configuration problem.

To find out if name resolution fails due to missing files or bad
permissions, run the Postfix SMTP client under strace as described
in http://www.postfix.org/DEBUG_README.html

Wietse


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Bastian Blank
Hi Sergio

On Thu, Dec 03, 2020 at 05:34:45PM -0300, Sergio Belkin wrote:
> Is quite interesting that I find the following in logs:
> Dec  2 23:53:09 muteriver postfix/smtp[28063]: warning: no MX host for
> another-example.com has a valid address record

Well, more serious: another-example.com does not even have _any_ MX
entries:

| % drill another-example.com mx
| ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 55819
| ;; another-example.com.   IN  MX
| 
| ;; ANSWER SECTION:
| 
| ;; AUTHORITY SECTION:
| another-example.com.  900 IN  SOA ns-1861.awsdns-40.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

Bastian

-- 
Captain's Log, star date 21:34.5...


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Sergio Belkin
On Thu, 3 Dec 2020 at 17:59, Wietse Venema () wrote:

> > So, the complete error message would be:
> >
> > "I made DNS queries with type A and AAAA for the name
> > another-example.com.mail.protection.outlook.com. All queries
> > failed. The last query that failed had type AAAA. The last error
> > was "name exists but there is no AAAA record".
> >
> > But we really don't want to send THAT in an email bounce message.
> >
> > > I wonder if, beyond this bounce, the SMTP client then uses IPv4 and sends the
> > > messages anyway. Could you please clarify this for me?
> >
> > All A and AAAA queries failed.
>
> Sergio Belkin:
> >
> > Thanks Wietse for your answer
> >
> > It is quite interesting that I find the following in the logs:
> > Dec  2 23:53:09 muteriver postfix/smtp[28063]: warning: no MX host for
> > another-example.com has a valid address record
>
> Indeed, these details are not revealed in the bounce message but
> can be found in Postfix logs.
>
> > And then:
> >
> > Dec  2 23:53:09 muteriver postfix/smtp[28063]: ED1CF1813C56F: to=<
> > apere...@another-example.com>, relay=none, delay=5.9,
> delays=0.17/0/5.8/0,
> > dsn=5.4.4, status=bounced (Host or domain name not found. Name service
> > error for name=another-example.com.mail.protection.outlook.com
> type=:
> > Host found but no data record of requested type)
> >
> > and finally:
> >
> > Dec  2 23:53:10 muteriver postfix/qmgr[1528]: ED1CF1813C56F: removed
> >
> > That last line led me to wonder if the message was finally sent...
>
> The message ED1CF1813C56F is deleted ONLY after Postfix successfully
> injects the non-delivery notification into the Postfix mail queue.
>
> > If I try to resolve another-example.com.mail.protection.outlook.com
> > manually on the mail server, it works fine with IPv4.
> >
> > What do you think?
>
> What comes to mind:
>
> 1) You ran the command as root, and the Postfix SMTP client does
> not run as root. Name resolution fails when the necessary files are
> not accessible.
>
> 2) You ran the command outside the Postfix chroot jail, and the
> Postfix SMTP client runs inside the Postfix chroot jail. Name
> resolution fails inside the chroot jail when files are missing,
> have wrong permissions, or have wrong contents.
>
> 3) Some "security" configuration is breaking Postfix. For example
> SELinux or AppArmor.
>

I have SELinux disabled, and have no AppArmor

>
> 4) Some other permission or configuration problem.
>

It's weird because it only happens with a few domains...


>
> To find out if name resolution fails due to missing files or bad
> permissions, run the Postfix SMTP client under strace as described
> in http://www.postfix.org/DEBUG_README.html
>
> Wietse
>

Thanks
-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Wietse Venema
Sergio Belkin:
> > What comes to mind:
> >
> > 1) You ran the command as root, and the Postfix SMTP client does
> > not run as root. Name resolution fails when the necessary files are
> > not accessible.
> >
> > 2) You ran the command outside the Postfix chroot jail, and the
> > Postfix SMTP client runs inside the Postfix chroot jail. Name
> > resolution fails inside the chroot jail when files are missing,
> > have wrong permissions, or have wrong contents.
> >
> > 3) Some "security" configuration is breaking Postfix. For example
> > SELinux or AppArmor.
> >
> 
> I have SELinux disabled, and have no AppArmor
> 
> >
> > 4) Some other permission or configuration problem.
> 
> It's weird because it only happens with a few domains...

It would be perfectly consistent with cases 1, 2, or 4 above. You
can start with a network sniffer and verify that Postfix sends
the right DNS queries to the 'right' server.

Wietse


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Sergio Belkin
On Thu, 3 Dec 2020 at 18:18, Wietse Venema () wrote:

> Sergio Belkin:
> > > What comes to mind:
> > >
> > > 1) You ran the command as root, and the Postfix SMTP client does
> > > not run as root. Name resolution fails when the necessary files are
> > > not accessible.
> > >
> > > 2) You ran the command outside the Postfix chroot jail, and the
> > > Postfix SMTP client runs inside the Postfix chroot jail. Name
> > > resolution fails inside the chroot jail when files are missing,
> > > have wrong permissions, or have wrong contents.
> > >
> > > 3) Some "security" configuration is breaking Postfix. For example
> > > SELinux or AppArmor.
> > >
> >
> > I have SELinux disabled, and have no AppArmor
> >
> > >
> > > 4) Some other permission or configuration problem.
> >
> > It's weird because it only happens with a few domains...
>
> It would be perfectly consistent with cases 1, 2, or 4 above. You
> can start with a network sniffer and verify that Postfix sends
> the right DNS queries to the 'right' server.
>
> Wietse
>

OK Wietse, something to take into account: that domain name has no AAAA
record for its MX, but only has an A record.


-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Sergio Belkin
On Thu, 3 Dec 2020 at 18:04, Bastian Blank () wrote:

> Hi Sergio
>
> On Thu, Dec 03, 2020 at 05:34:45PM -0300, Sergio Belkin wrote:
> > Is quite interesting that I find the following in logs:
> > Dec  2 23:53:09 muteriver postfix/smtp[28063]: warning: no MX host for
> > another-example.com has a valid address record
>
> Well, more serious: another-example.com does not even have _any_ MX
> entries:
>
> | % drill another-example.com mx
> | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 55819
> | ;; another-example.com.   IN  MX
> |
> | ;; ANSWER SECTION:
> |
> | ;; AUTHORITY SECTION:
> | another-example.com.  900 IN  SOA ns-1861.awsdns-40.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
>
> Bastian
>

Thanks Bastian, I had to obfuscate the domain name due to privacy issues :-/
But as I told Wietse, that domain name has an MX record with an 'A' record
associated, but lacks an 'AAAA' record.
What is weird for me is that it happens sometimes, not always, with that
domain...

Thanks in advance

>
> --
> Captain's Log, star date 21:34.5...
>


-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Viktor Dukhovni
> On Dec 3, 2020, at 7:28 PM, Sergio Belkin  wrote:
> 
> Thanks Bastian, I had to obfuscate the domain name due to privacy issues :-/
> But as I told Wietse, that domain name has an MX record with an 'A' record
> associated, but lacks an 'AAAA' record.
> What is weird for me is that it happens sometimes, not always, with that
> domain...

Even after Wietse and I prowled around in all the
dark places in the code, we still failed to find
a plausible way for a soft error in IPv4 lookups
to fail to suppress a hard NODATA for IPv6 lookups.

The only possible explanations are:

   - Your resolver erroneously reported NODATA for IPv4
   - The authoritative nameservers reported NODATA for IPv4
   - Neither of us was able to spot a subtle bug

To distinguish between these, it would be helpful if you
set:

   debug_peer_list = another-example-com.mail.protection.outlook.com
   debug_peer_level = 1

and if/when the problem happens again, either posted a sanitised
log (with the guilty domain name obscured as appropriate) to the
list, or sent a copy to just me and Wietse off list.

I'd like to see the actual queries and responses logged by the
Postfix SMTP delivery agent.

-- 
Viktor.



spamsources.fabel.dk

2020-12-03 Thread David Neil
Testing my email domain reveals all the DMARC, SPF, etc, recs are 
correct and working.


However, there is one blacklist that lists my domain/IP-address, and has 
done for some time. (so there's no time-out for good behavior then! I've 
had the IPaddr for some years, but who knows what was happening before 
then?)


When I follow the instructions and attempt a "Delist request for 
spamsources.fabel.dk" they quickly assure me that they won't spam me, 
but seem to demand a GMail account. So, one security issue (spam) is 
traded for another (tracking).


Are these people part of Google?
Do you know of some other way to contact them using a secure and private 
email account?

Is their blacklist widely used anyway?
--
Regards,
=dn


Re: spamsources.fabel.dk

2020-12-03 Thread Vincent Pelletier
On Fri, Dec 4, 2020 at 11:26 AM David Neil  wrote:
> When I follow the instructions and attempt a "Delist request for
> spamsources.fabel.dk" they quickly assure me that they won't spam me,
> but seem to demand a GMail account. So, one security issue (spam) is
> traded for another (tracking).
>
> Are these people part of Google?
> Do you know of some other way to contact them using a secure and private
> email account?
> Is their blacklist widely used anyway?

Unpopular opinion time: this specific DNSBL single-handedly managed to
convince me, a lowly email admin trying to be good, that DNSBLs are trying
to make me do their work for them.

They blacklist entire hosting companies' subnets, despite the subnets hosting
independently-administrated servers: I'm not the hosting company, so how
can I request unlisting and answer "what steps were taken to fix the issue" in
good faith?
They suggest using Mandrill as a reputable SMTP relay, and then manage to
blacklist some of Mandrill's own outgoing IPs.

So to be able to use email I have to fight for the reputation of my server's IP
(fair enough), fight my paid-for server's hosting company subnet reputation
(so I guess I need to migrate my services from provider to provider every time
there has been a mass infection by a spam worm in that specific corner of
the internet), fight my paid-for email relay outgoing server reputation (so even
the solution recommended by the very DNSBL is being blocked), and then
spend unpaid time curating their list for them so it can be used by even more
inbound filters and they can cause me more headaches the next time
they fancy? All the while my users cannot discuss with their customers and
providers which rely on this list (without even realising it)?

Sure, they can count on it and drink water.
-- 
Vincent Pelletier


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Sergio Belkin
On Thu, 3 Dec 2020 at 22:23, Viktor Dukhovni () wrote:

> > On Dec 3, 2020, at 7:28 PM, Sergio Belkin  wrote:
> >
> > Thanks Bastian, I had to obfuscate the domain name due to privacy issues :-/
> > But as I told Wietse, that domain name has an MX record with an 'A' record
> > associated, but lacks an 'AAAA' record.
> > What is weird for me is that it happens sometimes, not always, with that
> > domain...
>
> Even after Wietse and I prowled around in all the
> dark places in the code, we still failed to find
> a plausible way for a soft error in IPv4 lookups
> to fail to suppress a hard NODATA for IPv6 lookups.
>
> The only possible explanations are:
>
>- Your resolver erroneously reported NODATA for IPv4
>- The authoritative nameservers reported NODATA for IPv4
>- Neither of us was able to spot a subtle bug
>
> To distinguish between these, it would be helpful if you
> set:
>
>debug_peer_list = another-example-com.mail.protection.outlook.com
>debug_peer_level = 1
>
> and if/when the problem happens again, either posted a sanitised
> log (with the guilty domain name obscured as appropriate) to the
> list, or sent a copy to just me and Wietse off list.
>
> I'd like to see the actual queries and responses logged by the
> Postfix SMTP delivery agent.
>
> --
> Viktor.
>
>
Thanks Viktor and Wietse, up to now the error didn't happen again.
Some information about my software that may be useful:
libc-2.17-260.el7_6.4.x86_64
glibc-2.17-260.el7_6.4.i686
dnsmasq-2.76-7.el7.x86_64


-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Sergio Belkin
On Fri, 4 Dec 2020 at 1:42, Sergio Belkin () wrote:

>
>
> On Thu, 3 Dec 2020 at 22:23, Viktor Dukhovni (<postfix-us...@dukhovni.org>) wrote:
>
>> > On Dec 3, 2020, at 7:28 PM, Sergio Belkin  wrote:
>> >
>> > Thanks Bastian, I had to obfuscate the domain name due to privacy issues :-/
>> > But as I told Wietse, that domain name has an MX record with an 'A' record
>> > associated, but lacks an 'AAAA' record.
>> > What is weird for me is that it happens sometimes, not always, with that
>> > domain...
>>
>> Even after Wietse and I prowled around in all the
>> dark places in the code, we still failed to find
>> a plausible way for a soft error in IPv4 lookups
>> to fail to suppress a hard NODATA for IPv6 lookups.
>>
>> The only possible explanations are:
>>
>>- Your resolver erroneously reported NODATA for IPv4
>>- The authoritative nameservers reported NODATA for IPv4
>>- Neither of us was able to spot a subtle bug
>>
>> To distinguish between these, it would be helpful if you
>> set:
>>
>>debug_peer_list = another-example-com.mail.protection.outlook.com
>>debug_peer_level = 1
>>
>> and if/when the problem happens again, either posted a sanitised
>> log (with the guilty domain name obscured as appropriate) to the
>> list, or sent a copy to just me and Wietse off list.
>>
>> I'd like to see the actual queries and responses logged by the
>> Postfix SMTP delivery agent.
>>
>> --
>> Viktor.
>>
>>
> Thanks Viktor and Wietse, up to now the error didn't happen again.
> Some information about my software that may be useful:
> libc-2.17-260.el7_6.4.x86_64
> glibc-2.17-260.el7_6.4.i686
> dnsmasq-2.76-7.el7.x86_64
>
>
> Just in case: the first package is  glibc-2.17-260.el7_6.4.x86_64


-- 
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org


Re: About messages bounced due name resolution issues using IPv6

2020-12-03 Thread Viktor Dukhovni
On Fri, Dec 04, 2020 at 01:42:57AM -0300, Sergio Belkin wrote:

> Thanks Viktor and Wietse, up to now the error didn't happen again.
> Some information about my software that may be useful:
> libc-2.17-260.el7_6.4.x86_64
> glibc-2.17-260.el7_6.4.i686
> dnsmasq-2.76-7.el7.x86_64

Is there a compelling reason to run a stripped-down (and typically not
adequately standards-conformant) DNS resolver on a mail server?

I'd steer well clear of "dnsmasq", "systemd-resolved" and other
"DNS made simple" resolvers.

Install "unbound", "bind" or "knot", whichever you're most
comfortable with.

-- 
Viktor.