[pfx] SELinux/SMTP Relay Handshake Failure
Hi All,

This issue is definitely SELinux related, because it only crops up when SELinux is enabled.

I'm getting a `TLS handshake failed for service=smtp peer=[104.199.96.85]:587` error when attempting to relay via mailjet (that's whose IP that is) and also brevo/sendinblue.

Anyone have any ideas (apart from disabling SELinux - that is *NOT* an option) :-)

@Viktor: you mentioned in a previous reply (which I can't find) about someone else having an SELinux issue around postfix's smtp(8)/relay process (I think) when I asked a related Q before. Could you please point me back towards that other user's posts so I can see if that solution helps me - thanks

Thanks all

Dulux-Oz
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: SELinux/SMTP Relay Handshake Failure
Hi Dulux-Oz,

On 4 Dec 2023, at 9:20, duluxoz via Postfix-users wrote:

> Hi All,
>
> This issue is definitely SELinux related, because it only crops up when
> SELinux is enabled.
>
> I'm getting a `TLS handshake failed for service=smtp
> peer=[104.199.96.85]:587` error when attempting to relay via mailjet (that's
> whose IP that is) and also brevo/sendinblue.
>
> Anyone have any ideas (apart from disabling SELinux - that is *NOT* an
> option) :-)

Disabling SELinux is never a good option :)

On which Linux distro is this issue happening?

Can you send the SELinux messages from the Linux Audit Subsystem (where SELinux sends information about policy violations) from around the time the issue is reported in the mail log?

This would be the command:

  ausearch -m avc -i --start <start-time> --end <end-time>

(see "man ausearch" for the syntax of the start and end times -- there might be a large number of log entries -- try to limit the time to a few minutes before/after the error occurred)

I suspect some files have the wrong SELinux security context label, but which files those are will be told by the audit log messages.

Greetings

Carsten
[pfx] Re: SELinux/SMTP Relay Handshake Failure
On 04/12/2023 19:44, Carsten Strotmann (sys4) via Postfix-users wrote:
> Hi Dulux-Oz,
>
> [...]
>
> Disabling SELinux is never a good option :)
>
> On which Linux distro is this issue happening?
>
> Can you send the SELinux messages from the Linux Audit Subsystem (where
> SELinux sends information about policy violations) from around the time
> the issue is reported in the mail log?
>
> This would be the command:
>
>   ausearch -m avc -i --start <start-time> --end <end-time>
>
> (see "man ausearch" for the syntax of the start and end times -- there
> might be a large number of log entries -- try to limit the time to a few
> minutes before/after the error occurred)
>
> I suspect some files have the wrong SELinux security context label, but
> which files those are will be told by the audit log messages.
>
> Greetings
>
> Carsten

Hi Carsten

It's Rocky v9.1

That's the funny thing: I've done an `audit2allow -a` and all of the 'errors' are accounted for by updated policies, and the suggested `ausearch` produces nothing - zip, nada, nil :-(
[pfx] Re: SELinux/SMTP Relay Handshake Failure
Hi Dulux-Oz,

On 4 Dec 2023, at 9:52, duluxoz via Postfix-users wrote:

> It's Rocky v9.1

Thanks, this helps as a reference.

> That's the funny thing: I've done an `audit2allow -a` and all of the 'errors'
> are accounted for by updated policies, and the suggested `ausearch` produces
> nothing - zip, nada, nil :-(

There might be SELinux policy rules with a "dontaudit" flag that cause this issue. Try to disable the "dontaudit" rules with

  sudo semodule -DB

and wait for the error to occur again, then check the audit logs.

Creating new policy rules with "audit2allow" should only be used in rare conditions; most of the time the policy can be configured using additional file contexts, ports or booleans. Reading and understanding the audit log entries does help in getting a good and secure SELinux deployment.

You can re-enable the "dontaudit" rules once the issue is resolved with

  sudo semodule -B

Greetings

Carsten Strotmann
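Once `semodule -DB` has made the denials visible, the remaining work is reading the AVC records and deciding which of the three remedies named above (file context, port label, boolean) applies before reaching for audit2allow. The script below is an added example for this thread, not code from any of the posts. It parses `ausearch -m avc` style records and sorts each into one of those buckets. The records in `SAMPLE_AVC` are constructed for illustration: the contexts, pids, inode numbers and ports are made up, and the first record only models the general shape of a confined Postfix process being denied read access to a mislabeled certificate file.

```python
"""Triage SELinux AVC denials from `ausearch -m avc`.

Added example for this thread, not code from the posts. It parses AVC
records and sorts each into one of the remedies Carsten lists: a wrong file
context, a missing port label, or something that needs a boolean/policy
change. The records in SAMPLE_AVC are constructed for illustration; the
contexts, pids, inodes and ports in them are not from a real system.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: what ausearch might show once `semodule -DB` has
# disabled the dontaudit rules. Not real audit output.
SAMPLE_AVC = """\
type=AVC msg=audit(1701690012.123:4567): avc:  denied  { read } for  pid=2811 comm="tlsproxy" name="smtp-client.pem" dev="dm-0" ino=131415 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1701690013.456:4568): avc:  denied  { name_connect } for  pid=2811 comm="smtp" dest=2525 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1701690014.789:4569): avc:  denied  { connectto } for  pid=2813 comm="smtp" path="/run/saslauthd/mux" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket permissive=1
"""

FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}
PORT_PERMS = {"name_connect", "name_bind"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERM_RE = re.compile(r"\{\s*([^}]*?)\s*\}")  # the { perm perm ... } set


@dataclass
class Denial:
    comm: str
    perms: List[str]
    tclass: str
    source_type: str
    target_type: str
    target_name: str
    enforced: bool        # False when permissive=1: logged, not blocked
    category: str         # file-context | port-label | boolean-or-policy
    hint: str


def _type_of(context: str) -> str:
    """Extract the type field from user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(record: str) -> Dict[str, object]:
    """Split one AVC record into its key=value fields plus the permission set."""
    fields: Dict[str, object] = {k: v.strip('"') for k, v in KV_RE.findall(record)}
    m = PERM_RE.search(record)
    fields["perms"] = m.group(1).split() if m else []
    return fields


def classify(record: str) -> Denial:
    """Decide which remedy a denial most likely calls for."""
    f = parse_avc(record)
    perms = list(f["perms"])
    tclass = str(f.get("tclass", ""))
    stype = _type_of(str(f.get("scontext", "")))
    ttype = _type_of(str(f.get("tcontext", "")))
    comm = str(f.get("comm", "?"))
    target = str(f.get("name") or f.get("path") or f.get("dest") or "")

    if tclass in FILE_CLASSES:
        category = "file-context"
        hint = (f"{comm} ({stype}) may not {'/'.join(perms)} {tclass} '{target}' labeled {ttype}; "
                f"compare `ls -Z` with `matchpathcon` on that path and run `restorecon -v` "
                f"before considering `semanage fcontext`.")
    elif tclass in {"tcp_socket", "udp_socket"} and set(perms) & PORT_PERMS:
        category = "port-label"
        hint = (f"{comm} ({stype}) may not {'/'.join(perms)} port {target} labeled {ttype}; "
                f"check `semanage port -l` for the type the policy expects.")
    else:
        category = "boolean-or-policy"
        hint = (f"{comm} ({stype}) may not {'/'.join(perms)} {tclass} {ttype}; "
                f"look for a boolean with `getsebool -a` before writing a module with audit2allow.")
    return Denial(comm, perms, tclass, stype, ttype, target,
                  f.get("permissive") != "1", category, hint)


def triage(audit_text: str) -> List[Denial]:
    """Classify every AVC 'denied' record in a block of ausearch output."""
    return [classify(line) for line in audit_text.splitlines()
            if "avc:" in line and "denied" in line]


if __name__ == "__main__":
    for d in triage(SAMPLE_AVC):
        flag = "" if d.enforced else " (permissive, not blocked)"
        print(f"[{d.category}]{flag} {d.hint}")
```

Feed it real output with `ausearch -m avc -i --start <start-time> --end <end-time> | python3 triage.py` after adapting `__main__` to read stdin; the `permissive` flag matters because a denial with `permissive=1` is logged but was not what broke the TLS handshake.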
[pfx] localhost rejected ?
Hi guys.

I can send email to root@localhost and I thought it was all good but today a tool/client wanted to send an email to that address and it got:

...
connect from localhost[127.0.0.1]
NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 504 5.5.2 : Recipient address rejected: need fully-qualified address; from= to= proto=ESMTP helo=
disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

Say I manually:

-> $ echo -e "${_when} \n\n${@:2}" | mail -S "from=mo...@whale.mine.priv" -s "${_hostUpper}" root@localhost
...
952E7604CF0D: uid=0 from=
952E7604CF0D: message-id=<20231204134149.piflm%mo...@whale.mine.priv>
952E7604CF0D: from=, size=317, nrcpt=1 (queue active)
99753604D3F9: message-id=<20231204134149.piflm%mo...@whale.mine.priv>
952E7604CF0D: to=, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as 99753604D3F9)
99753604D3F9: from=, size=444, nrcpt=1 (queue active)
952E7604CF0D: removed
99753604D3F9: to=, orig_to=, relay=whale.mine.priv[private/dovecot-lmtp], delay=0.07, delays=0.01/0/0.02/0.05, dsn=2.0.0, status=sent (250 2.0.0 KePOJh3XbWVZMDcAn4O9eQ Saved)
99753604D3F9: removed

Before I start fiddling with it all - I'm a bit confused where to start: postfix or client?
I'd prefer to have _postfix_ handle such "cases" - what is (not) happening here?

many thanks, L.
[pfx] Re: localhost rejected ?
On 4.12.2023 at 14:44:44 lejeczek via Postfix-users writes:
>
> I can send email to root@localhost and I thought it was all good but
> today a tool/client wanted to send an email to that address and it
> got:
> ...
> connect from localhost[127.0.0.1]
> NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 504 5.5.2
> : Recipient address rejected: need fully-qualified
> address; from= to=
[...]
> Say I manually:
> -> $ echo -e "${_when} \n\n${@:2}" | mail -S
> "from=mo...@whale.mine.priv" -s "${_hostUpper}" root@localhost
> ...
> 952E7604CF0D: uid=0 from=
[...]
> 952E7604CF0D: to=, relay=local, delay=0.04,
> delays=0.02/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as
> 99753604D3F9)

Do you have "reject_non_fqdn_recipient" anywhere in your smtpd_*_restrictions in main.cf? If you do, that's the restriction that is rejecting your message.

When you send mail locally using the "mail" command, it does not come in via SMTP, so smtpd_*_restrictions don't apply.
-- 
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
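To make the two halves of that answer concrete (what "need fully-qualified address" actually tests, and why the verdict depends on the restriction list a connection passes through), here is an added example. It is not Postfix source and not code from the thread: the FQDN test follows the documented rule, while the restriction walker is a deliberately simplified emulation that knows only the handful of restrictions relevant here (a real smtpd rewrites addresses first and evaluates many more restriction types). The `mynetworks` values and restriction lists used in the usage lines are made up for the demonstration.

```python
"""Emulation of Postfix's reject_non_fqdn_recipient verdict and of how the
order of smtpd_recipient_restrictions changes the outcome.

Added example, not Postfix source. The FQDN rule follows the documented
behaviour; the restriction walker is simplified to the restrictions that
matter for this thread and treats anything else as 'no opinion'.
"""
import ipaddress
import re
from typing import List

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_fqdn_address(addr: str) -> bool:
    """True if the address would NOT trip reject_non_fqdn_recipient.

    The domain part must exist, be a syntactically valid hostname and contain
    a dot; one trailing dot is tolerated. Bracketed address literals are not
    judged by this restriction, so they pass here.
    """
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1]
    if domain.startswith("[") and domain.endswith("]"):
        return True
    if domain.endswith("."):
        domain = domain[:-1]
    labels = domain.split(".")
    if len(labels) < 2:
        return False              # "localhost", "mail", ...: not fully qualified
    return all(LABEL_RE.match(label) for label in labels)


def smtpd_recipient_check(recipient: str, client_ip: str,
                          restrictions: List[str], mynetworks: List[str]) -> str:
    """Walk an smtpd_recipient_restrictions list in order; the first verdict wins.

    Unknown restriction names are skipped, and the list ends with an implicit
    permit, as in Postfix. Only mail arriving over SMTP reaches this code path;
    a local sendmail(1)/mail(1) submission goes through pickup and cleanup and
    never sees smtpd_*_restrictions at all.
    """
    client = ipaddress.ip_address(client_ip)
    for r in restrictions:
        if r == "permit_mynetworks":
            if any(client in ipaddress.ip_network(n, strict=False) for n in mynetworks):
                return "250 OK"
        elif r == "reject_non_fqdn_recipient":
            if not is_fqdn_address(recipient):
                return (f"504 5.5.2 <{recipient}>: Recipient address rejected: "
                        "need fully-qualified address")
        elif r == "permit":
            return "250 OK"
        elif r == "reject":
            return f"554 5.7.1 <{recipient}>: Recipient address rejected: Access denied"
    return "250 OK"


if __name__ == "__main__":
    nets = ["127.0.0.0/8", "[::1]/128".strip("[]")]   # made-up mynetworks
    # Same client, same recipient, two orderings of the same two restrictions.
    print(smtpd_recipient_check("root@localhost", "127.0.0.1",
                                ["reject_non_fqdn_recipient", "permit_mynetworks"], nets))
    print(smtpd_recipient_check("root@localhost", "127.0.0.1",
                                ["permit_mynetworks", "reject_non_fqdn_recipient"], nets))
```

The two `print` lines show the point behind the answer above: the address `root@localhost` fails the FQDN test either way, but whether the client on 127.0.0.1 is rejected depends on whether `permit_mynetworks` is evaluated before or after `reject_non_fqdn_recipient`. The `mail` command in the original post never enters this function at all, which is why it delivers fine.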
[pfx] Help on Postfix TCP table transport_map
Currently we are using clamd as a content filter which is acting as a post-queue filter. Please find the configuration below:

#main.cf
content_filter = scan:[127.0.0.1]:10025

#master.cf
0.0.0.0:10026 inet n - n - 16 smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=
  -o mynetworks_style=host

As per our current setting, we are using virtual transport:

#main.cf
virtual_transport = lmtp:myddomain.com:24

We are replacing virtual transport with RECIPIENT based transport using a TCP table with the following settings:

transport_maps = tcp:127.0.0.1:10050

What we have found is that the transport_map is being called for the "from" and "to" address when "from" and "rcpt" are staged the first time (BEFORE QUEUE), and this again happens when clamd injects back into postfix after the POST QUEUE filter.

We have tried to add the following settings in master.cf, but that does not seem to be working:

0.0.0.0:10026 inet n - n - 16 smtpd -o transport_maps=tcp:127.0.0.1:10050

1- Is there any way we can avoid calling this two times? We need this result after queue ideally (if not possible, before queue). How to avoid this being called multiple times?
2- Is there any way to differentiate between the "from" and "rcpt", because we ideally need RCPT to decide the transport?

Regards
Seena
[pfx] Re: SELinux/SMTP Relay Handshake Failure
On Mon, Dec 04, 2023 at 07:20:08PM +1100, duluxoz via Postfix-users wrote:

> This issue is definitely SELinux related, because it only crops up when
> SELinux is enabled.
>
> I'm getting a `TLS handshake failed for service=smtp
> peer=[104.199.96.85]:587` error when attempting to relay via mailjet (that's
> whose IP that is) and also brevo/sendinblue.
>
> Anyone have any ideas (apart from disabling SELinux - that is *NOT* an
> option) :-)

It should be of course, but in the meantime, it would be most productive if you shared your configuration settings. That is, the outputs of:

    $ postconf -nf

and

    $ postconf -Mf

making sure to not change the spaces or line breaks.

> @Viktor: you mentioned in a previous reply (which I can't find) about
> someone else having an SELinux issue around postfix's smtp(8)/relay process
> (I think) when I asked a related Q before.

SELinux was preventing "tlsproxy" from opening the client certificate file. Patrick had client certificates configured for use even with remote systems where there was no access to be gained based on such client credentials. I recommend against configuring client certificates as a default.

-- 
    Viktor.
[pfx] Re: Help on Postfix TCP table transport_map
seena--- via Postfix-users:
> We are replacing virtual transport with RECIPIENT based transport
> using TCP table using the following settings
>
>    transport_maps=tcp:127.0.0.1:10050
>
> What we have found is the transport_map is being called for _from_ and
> _to_ address when _from_ and _rcpt_ staging first time (BEFORE QUEUE),
> this again happens when clamd is injecting back to postfix after POST
> QUEUE filter

PLEASE DO NOT send HTML-only mail to the mailing list.

By default Postfix does not query the transport map for the sender address, but it will when:

* You have smtpd_reject_unlisted_sender = yes.
* You have reject_unlisted_sender in smtpd_xxx_restrictions, in an access table, or in a policy server response.
* You have reject_unverified_sender in smtpd_xxx_restrictions, in an access table, or in a policy server response.
* Mail is bounced after it has been accepted into the Postfix queue.

	Wietse
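A tcp_table(5) server sees only the lookup key, never whether Postfix asked on behalf of a sender or a recipient, so the only lever for "sender lookups" is the list of conditions above. What the server can do is answer every key consistently and return "not found" for anything it does not route, so an unexpected sender lookup falls back to Postfix's default transport instead of being routed somewhere unintended. The following is an added example of such a server, not code from the thread or from Postfix. It listens on the 127.0.0.1:10050 endpoint named in the question; the `ROUTES` table and its domains are made up.

```python
"""Minimal tcp_table(5) lookup server for transport_maps.

Added example, not from the thread or from Postfix. The wire protocol is the
documented one: the client sends "get SPACE key NEWLINE"; the server answers
"200 SPACE value", "500 SPACE text" (not found) or "400 SPACE text"
(temporary error). Keys and values carry %XX escapes for whitespace, '%' and
non-printable bytes. ROUTES is a constructed routing table.
"""
import re
import socketserver
from typing import Optional

# Constructed: recipient domain -> transport:nexthop. Not real infrastructure.
ROUTES = {
    "example.com": "lmtp:[127.0.0.1]:24",
    "example.net": "smtp:[relay.example.net]:587",
}


def tcp_decode(s: str) -> str:
    """Undo the %XX escaping the Postfix tcp client applies to keys."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def tcp_encode(s: str) -> str:
    """Escape '%', whitespace and non-printable characters as %XX in a reply."""
    return "".join(f"%{ord(ch):02X}" if ch == "%" or ch.isspace() or not ch.isprintable()
                   else ch for ch in s)


def lookup(key: str) -> Optional[str]:
    """Resolve a transport_maps key to a transport, or None if unrouted.

    transport(5) probes user@domain, then domain, then .domain parents, then
    '*'. Every form is reduced to its domain here; '*' and unknown domains
    return None so Postfix falls back to its default transport.
    """
    if key == "*":
        return None
    domain = key.rsplit("@", 1)[1] if "@" in key else key.lstrip(".")
    return ROUTES.get(domain.lower())


def handle_line(line: str) -> str:
    """Turn one request line into one tcp_table reply line."""
    line = line.rstrip("\r\n")
    if not line.startswith("get "):
        # Anything but a read is answered with a temporary error so Postfix
        # defers rather than treating the key as absent (a design choice here).
        return "400 unsupported request\n"
    value = lookup(tcp_decode(line[4:]))
    if value is None:
        return "500 no such key\n"
    return "200 " + tcp_encode(value) + "\n"


class TcpTableHandler(socketserver.StreamRequestHandler):
    """One connection may carry many requests; answer them in order."""

    def handle(self) -> None:
        for raw in self.rfile:
            self.wfile.write(handle_line(raw.decode("utf-8", "replace")).encode())
            self.wfile.flush()


def serve(host: str = "127.0.0.1", port: int = 10050) -> None:
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), TcpTableHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it, then probe it from the Postfix side with `postmap -q user@example.com tcp:127.0.0.1:10050`; a key Postfix looks up for a sender under one of the conditions listed above will get the same answer as the identical recipient key, which is the behaviour to design for rather than around.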