[pfx] Postfix not doing round robin for equal weight MX records

2024-05-10 Thread John Doe via Postfix-users
Hi,


I was hoping for real MX record round-robin but it does not work on one of
my servers.

Somehow, Postfix is prioritising one of the MX hosts more than the others.

Always the same: nlp3.loc-prd.net

All MX servers are in the local network of this client mailserver.



We have relayhost in main.cf:

relayhost = mxmail.adatum.net



We have MX records for this relayhost with equal weights of 10 for each; the DNS
TTL is set to 300s, and the DNS system is BIND, not Windows.



dig mx mxmail.adatum.net



mxmail.adatum.net. 146 IN  MX  10 nlp1.loc-prd.net.

mxmail.adatum.net. 146 IN  MX  10 nlp2.loc-prd.net.

mxmail.adatum.net. 146 IN  MX  10 nlp3.loc-prd.net.

mxmail.adatum.net. 146 IN  MX  10 nlp6.loc-prd.net.

mxmail.adatum.net. 146 IN  MX  10 nlp5.loc-prd.net.

mxmail.adatum.net. 146 IN  MX  10 nlp4.loc-prd.net.





Some setup parameters for a better view:

smtp_randomize_addresses = yes

smtp_mx_address_limit = 10

smtp_mx_session_limit = 2

smtp_connection_cache_on_demand = yes

smtp_connection_cache_time_limit = 2s

default_destination_concurrency_limit = 20

smtp_destination_concurrency_limit = $default_destination_concurrency_limit

default_destination_concurrency_failed_cohort_limit = 1





We have another 2 servers with the same setup, and they relay quite equally.

Anything that will help to solve this issue would be much appreciated.



Best regards,

John
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Postfix not doing round robin for equal weight MX records

2024-05-10 Thread John Doe via Postfix-users
On Fri, 10 May 2024 at 16:13, Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

Answering all at once, hope it's OK:


IP's:
^

dig mx mxmail.adatum.net +short | cut -d' ' -f2 | xargs dig a +short
10.56.155.14
10.32.32.103
10.32.32.104
10.26.15.31
10.26.15.32
10.26.15.34

And this one is favoured: nlp3.loc-prd.net = 10.26.15.31

$


RESOLV.CONF and DIG:
^

cat /etc/resolv.conf

search adatum.net
nameserver 10.20.30.10
nameserver 10.20.30.20


AND:

dig mx mxmail.adatum.net
...

;; ANSWER SECTION:
mxmail.adatum.net. 146 IN  MX  10 nlp1.loc-prd.net.
mxmail.adatum.net. 146 IN  MX  10 nlp2.loc-prd.net.
mxmail.adatum.net. 146 IN  MX  10 nlp3.loc-prd.net.
mxmail.adatum.net. 146 IN  MX  10 nlp6.loc-prd.net.
mxmail.adatum.net. 146 IN  MX  10 nlp5.loc-prd.net.
mxmail.adatum.net. 146 IN  MX  10 nlp4.loc-prd.net.

;; Query time: 0 msec
;; SERVER: 10.20.30.10#53(10.20.30.10)
;; WHEN: Fri May 10 15:26:10 BST 2024
;; MSG SIZE  rcvd: 261

--
also:
dig a mxmail.adatum.net
NOTHING (no A record in DNS for this)

$


CONFIG:
^

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = yes
allow_percent_hack = no
append_dot_mydomain = no
best_mx_transport = local
default_database_type = hash
default_process_limit = 500
delay_warning_time = 16
disable_vrfy_command = no
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = $alias_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /app/PFXpostfix/postfix/usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost,
    smtp.mydomain.com, mailhost
mynetworks = 127.0.0.1, 10.20.30.5
myorigin = anonymized.com
nested_header_checks =
queue_directory = /var/spool/postfix
readme_directory = no
relayhost = mxmail.adatum.net
setgid_group = postdrop
smtp_host_lookup = dns, native
smtp_mx_address_limit = 10
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = may
swap_bangpath = no
syslog_name = postfix
transport_maps = hash:/etc/postfix/transport.map

$





> > We have another 2 servers with the same setup, and they relay quite
> > equally.
>
> Equally as in that they also "prefer" the same MX host? Or a different one?
>
>
It means we have another set of mailhost + another 6 relayhosts, all set up the
same, and this other set is working fine: round robin, equal amount of
emails relayed, etc.

> Please provide evidence in the form of logs that show the preference.
>
> grep 'postfix/smtp.*relay=' /the/maillog/file | grep -v nlp3.loc-prd.net
>
>
Is this OK / enough?

Logs:
^

grep relay=nlp[123456].*status=sent /var/log/maillog | sed 's/.*relay=//' |
sed 's/,.*//' | sort | uniq -c

  5770 nlp1.loc-prd.net[10.56.155.14]:25
  5694 nlp2.loc-prd.net[10.32.32.103]:25
  5402 nlp4.loc-prd.net[10.32.32.104]:25
  21531 nlp3.loc-prd.net[10.26.15.31]:25
  5570 nlp6.loc-prd.net[10.26.15.32]:25
  5694 nlp5.loc-prd.net[10.26.15.34]:25

$

Best regards,
John

On Fri, 10 May 2024 at 16:13, Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

> John Doe via Postfix-users:
> > Hi,
> >
> > I was hoping for real MX record round-robin but it does not work on one
> > of my servers.
> >
> > Somehow, postfix is prioritising one of the MX more than others.
>
> By default, Postfix looks up SMTP servers in DNS, and randomizes
> the order of equal-preference records. After 25 years this is one
> of the more bizarre problem reports.
>
> > Always the same: nlp3.loc-prd.net
>
> Then you aren't using the default settings for server lookup, or
> Postfix is using a different resolver than your manual tests (with
> dig), or Postfix has to ignore hosts that speak only IPv6 while
> Postfix speaks only IPv4, or your resolver is doing nasty things.
>
> Postfix has no built-in DNS protocol support and relies on system
> infrastructure.  Historically that was a local bind or unbound
> server, but more recently, systemd has also invaded into this
> territory.
>
> > All MX servers, are in local network to this client mailserver.
>
> Postfix can handle that.
>
> > We have relayhost in main.cf:
> >
> > relayhost = mxmail.adatum.net
>
> Good. You have MX lookups turned on.
>
> > We have MX record for this relayhost with equal weights of 10 for each, DNS
> > TTL is setup to 300s, dns system is BIND, not Windows.
>
> > dig mx mxmail.adatum.net
>
> Can you demonstrate that thi

[pfx] Re: Postfix not doing round robin for equal weight MX records

2024-05-17 Thread John Doe via Postfix-users
On Sun, 12 May 2024 at 19:10, Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

> Viktor Dukhovni via Postfix-users:
> > On Fri, May 10, 2024 at 01:13:06PM -0400, Wietse Venema via
> > Postfix-users wrote:
>
> ...

Mystery solved.
Thank you, Wietse and Viktor, for the tips about my issue.

conn_use in the logs showed something interesting ...
This one, nlp3, had TLS disabled, and I had missed that somehow, so by
default it was reusing connections.
The rest of the relays had TLS enabled, and I don't reuse connections for TLS, so
there is no conn_use in the logs on my side.
I even wrote a simple script to connect 50 times to each, wait for the 220 code,
quit and calculate the latency - this showed that nlp3 is not the fastest one.
The networks were all 24 bit ...

We have enabled TLS on nlp3 and all traffic is even now :)
Now it's time for a change to be able to reuse connections for TLS.

Best regards,
Thank you!
John
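The diagnostic that closed this thread was to look at conn_use per relay, not just at the relay counts. As an added example (not code from the thread or from the Postfix project), the following Python script parses Postfix smtp(8) delivery records, counts status=sent deliveries per relay host and how many of those went over a reused connection; Postfix writes conn_use=N into the record only when a cached connection was reused, so a relay with a high reused count is the one smtp_connection_cache_on_demand keeps going back to. The log lines are constructed to mimic the skew seen in the thread: relay names and addresses follow the page, queue IDs and recipients are made up.

```python
import re
from collections import defaultdict

# Fields of a Postfix smtp(8) delivery record that matter for this diagnostic:
# relay=host[addr]:port, the optional conn_use=N that follows it when a cached
# connection was reused, and the final status=... keyword.
RECORD_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue_id>\w+): .*?"
    r"relay=(?P<relay>[^,\s]+)"
    r"(?:, conn_use=(?P<conn_use>\d+))?"
    r".*?status=(?P<status>\w+)"
)


def _record(queue_id, rcpt, relay, conn_use=None, status="sent", detail="250 2.0.0 Ok"):
    """Build one constructed maillog line in Postfix smtp(8) format (sample data only)."""
    reuse = "conn_use=%d, " % conn_use if conn_use else ""
    return ("May 10 15:26:10 mailhost postfix/smtp[2399701]: %s: to=<%s>, "
            "relay=%s:25, %sdelay=0.2, delays=0.01/0/0.1/0.1, dsn=2.0.0, "
            "status=%s (%s)" % (queue_id, rcpt, relay, reuse, status, detail))


NLP = {  # MX hosts and addresses as listed in the thread
    "nlp1": "nlp1.loc-prd.net[10.56.155.14]",
    "nlp2": "nlp2.loc-prd.net[10.32.32.103]",
    "nlp3": "nlp3.loc-prd.net[10.26.15.31]",
    "nlp4": "nlp4.loc-prd.net[10.32.32.104]",
}

SAMPLE_LOG = [  # constructed: queue IDs and recipients are made up
    _record("4bt4ws1G9NzZkhZ1", "a@example.net", NLP["nlp1"]),
    _record("4bt4ws1G9NzZkhZ2", "b@example.net", NLP["nlp3"]),
    _record("4bt4ws1G9NzZkhZ3", "c@example.net", NLP["nlp3"], conn_use=2),
    _record("4bt4ws1G9NzZkhZ4", "d@example.net", NLP["nlp2"]),
    _record("4bt4ws1G9NzZkhZ5", "e@example.net", NLP["nlp3"], conn_use=3),
    _record("4bt4ws1G9NzZkhZ6", "f@example.net", NLP["nlp4"]),
    _record("4bt4ws1G9NzZkhZ7", "g@example.net", NLP["nlp3"], conn_use=4),
    _record("4bt4ws1G9NzZkhZ8", "h@example.net", NLP["nlp1"]),
    _record("4bt4ws1G9NzZkhZ9", "i@example.net", NLP["nlp3"]),
    _record("4bt4ws1G9NzZkhZA", "j@example.net", NLP["nlp2"]),
    _record("4bt4ws1G9NzZkhZB", "k@example.net", NLP["nlp2"],
            status="deferred", detail="connect to nlp2.loc-prd.net[10.32.32.103]:25: Connection timed out"),
]


def summarize_relays(lines):
    """Per relay host: number of status=sent deliveries and how many of them
    went over a reused (cached) connection."""
    stats = defaultdict(lambda: {"sent": 0, "reused": 0})
    for line in lines:
        m = RECORD_RE.search(line)
        if not m or m.group("status") != "sent":
            continue
        host = m.group("relay").split("[", 1)[0]  # drop [addr]:port
        stats[host]["sent"] += 1
        if m.group("conn_use") is not None:      # only logged when reused
            stats[host]["reused"] += 1
    return dict(stats)


def skew_ratio(stats):
    """Busiest relay's delivery count divided by the mean over all relays;
    close to 1.0 means the equal-preference MX hosts really share the load."""
    counts = [s["sent"] for s in stats.values()]
    if not counts:
        return 0.0
    return max(counts) / (sum(counts) / len(counts))


if __name__ == "__main__":
    result = summarize_relays(SAMPLE_LOG)
    for host, s in sorted(result.items()):
        print("%6d sent %6d reused  %s" % (s["sent"], s["reused"], host))
    print("skew ratio: %.2f" % skew_ratio(result))
```

On a live system the same functions take the real file, e.g. summarize_relays(open('/var/log/maillog')). In the constructed sample nlp3 gets half the deliveries and is the only relay with reused connections, which is the pattern behind the 21531 versus roughly 5600 counts in the thread.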


[pfx] Postfix relayhost dns records question

2025-03-11 Thread John Doe via Postfix-users
Hi,

I can't find an answer about Postfix DNS preferences and DNS lookup performance.
Let's say I have a relayhost with FQDN: srv2378948273.mydomain.com

I'd like to create a DNS Alias record or A record to use a more friendly name:

relayhost1.mydomain.com

Does Postfix prefer an A record over a DNS Alias?
And is there any performance or other issue with Alias records?

Best Regards,
John




[pfx] Re: tlsproxy service role client is not available

2025-07-31 Thread John Doe via Postfix-users
Our Postfix installation is compiled from source code.
It's not a package from the RedHat repository.

I stated the wrong version for my previous servers; it's actually 3.6.6,
not 3.3.6, and the tlsproxy setup on 3.6.6 with TLS connection reuse is working fine for
me.

On Thu, 31 Jul 2025 at 17:16, Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

> Wietse Venema via Postfix-users:
> > John Doe via Postfix-users:
> > > postfix/master[2399665]: warning: process /app/PFXpostfix/postfix/usr/libexec/postfix/tlsproxy pid 2399702 killed by signal 11
> > >
> > > And it's deferring email to next hop :(
> >
> > # postconf 'smtp_tls_connection_reuse = no'
> > # postfix reload
> >
> > This is an old problem, and I'll look for the patch that fixes this.
>
> This is not the problem that I had in mind, and there are no
> tlsproxy problems patched in postfix-3.8.* or later.
>
> For the sake of provenance, I will assume that your Postfix versions
> were built by RedHat, and that RedHat's Postfix version matches the
> Postfix versions that I have released.
>
> I found postfix-3.8.5-8.el10.src.rpm on www.rpmfind.net. Would that
> match the installed postfix-3.8.5 on your system? The RedHat patches
> don't appear to affect Postfix TLS behavior.
>
> You wrote that the old rhel7 server runs Postfix 3.3.6. That version
> did not implement smtp_tls_connection_reuse. It was introduced with
> Postfix 3.4 and is still disabled by default. Is there a problem
> that requires smtp_tls_connection_reuse support?
>
> I think that I will have to defer this to Viktor. Postfix programs
> should not segfault with any input or configuration, but it can
> take some effort to reproduce this independently.
>
> Wietse


[pfx] Re: tlsproxy service role client is not available

2025-07-31 Thread John Doe via Postfix-users
Hi Viktor,

This /app/PFXpostfix/postfix is the install directory of our compiled
Postfix 3.8.5 (not from the RHEL8 repository).
This is how we always install our Postfix, to separate it from the default
Postfix build (which is disabled/not running at the same time, BTW).

Compiled version:
postconf-internal -T run-version
OpenSSL 3.0.13 30 Jan 2024

/app/PFXopenssl/bin/openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)

ldd $(which postfix)
linux-vdso.so.1 (0x7ffdc8deb000)
libsasl2.so.3 => /app/PFXsasl/lib/libsasl2.so.3 (0x7efc6b643000)
libdb-5.3.so => /app/PFXdb/db/lib/libdb-5.3.so (0x7efc6b291000)
libpcre2-8.so.0 => /app/PFXpcre2/pcre2/lib/libpcre2-8.so.0 (0x7efc6b031000)
libssl.so.3 => /app/PFXopenssl/lib64/libssl.so.3 (0x7efc6ad8a000)
libcrypto.so.3 => /app/PFXopenssl/lib64/libcrypto.so.3 (0x7efc6a727000)
libdl.so.2 => /lib64/libdl.so.2 (0x7efc6a523000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x7efc6a30b000)
libc.so.6 => /lib64/libc.so.6 (0x7efc69f35000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7efc69d15000)
/lib64/ld-linux-x86-64.so.2 (0x7efc6b85f000)

As you can see, it's using our local OpenSSL version, which was also compiled
from source, the same way as on the old servers, which are working fine.

dmesg is showing a lot of those entries / I assume 1 per failed connection:
[2823377.074253] tlsproxy[2861947]: segfault at 0 ip 7f5fa6644f0e sp 7ffe82cfd088 error 4 in libc-2.28.so[7f5fa6618000+1cd000]
[2823377.074800] Code: b6 07 29 c8 c3 0f 1f 80 00 00 00 00 f3 0f 1e fa 89 f8 31 d2 66 0f ef ff 09 f0 25 ff 0f 00 00 3d c0 0f 00 00 0f 8f 74 02 00 00 0f 6f 0f f3 0f 6f 06 66 0f 74 c1 66 0f da c1 66 0f ef c9 66 0f

On Thu, 31 Jul 2025 at 17:52, Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Thu, Jul 31, 2025 at 02:33:53PM +0200, John Doe via Postfix-users wrote:
>
> > Any clue what is happening here ?
> >
> > postfix/tlsproxy[2399702]: CONNECT to [10.10.10.20]:25
> > postfix/smtp[2399701]: warning: private/tlsproxy service role "client" is not available
> > postfix/smtp[2399701]: 4bt4ws1G9NzZkhZC: Cannot start TLS: handshake failure
> > postfix/master[2399665]: warning: process /app/PFXpostfix/postfix/usr/libexec/postfix/tlsproxy pid 2399702 killed by signal 11
>
> Though this makes it clear that you've enabled TLS connection reuse in
> the Postfix SMTP client, and that something goes wrong, the level of
> detail is not sufficient to draw more detailed conclusions.
>
> Firstly, what exactly is "/app/PFXpostfix/postfix"?  On a RedHat system,
> I'd expect to find Postfix daemon binaries directly in system locations
> like "/usr/libexec/postfix".  That unexpected path may well have
> outdated binaries left over from some other release or build.  Check
> your master.cf file carefully, and also your $daemon_directory setting
> in main.cf.
>
> If that's not the crux of the problem, then:
>
> It is not quite clear which of the below is the right way to interpret the
> log data:
>
> a. The smtp(8) client gets a negative response from tlsproxy(8),
>    and drops its connection, indirectly triggering a tlsproxy(8)
>    segfault.
>
> b. The tlsproxy(8) process segfaults early in processing the
>    new connection, and the smtp(8) client sees this as an
>    error in establishing a proxy connection.
>
> To make progress we'd need to know whether "a" or "b" is the sequence of
> events.  My instinct is "b", but it is important to know for sure.
>
> Also, it is important to know which version of OpenSSL this particular
> Postfix installation was built against, and which OpenSSL is installed
> on the system.
>
> --
> Viktor.


[pfx] Re: tlsproxy service role client is not available

2025-08-01 Thread John Doe via Postfix-users
Thank you, Wietse and Viktor,

I really appreciate your help :) All working fine now.

Best Regards
John

On Fri, 1 Aug 2025 at 16:50, Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

> Wietse Venema via Postfix-users:
> > John Doe:
> > > Hi Wietse and Viktor,
> > >
> > > Replying in one email ...
> > >
> > > I'm attaching what you have required from me, and one more fail proof, with
> > > the tlsproxy setting enabled in main.cf (last time I had forgotten to enable
> > > them back - sorry)
> > >
> > > *I believe the issue was fixed,* but it's a bit confusing now; to show this I
> > > have run postconf -x, not postconf -xh, and -d to see what's the default in 3.8.5
> > >
> > > [root@problematicsrv]# postconf-internal -x tlsproxy_client_security_level
> > > tlsproxy_client_security_level =
> >
> > The output is empty because...
> >
> > > [root@problematicsrv]# postconf-internal -d tlsproxy_client_security_level
> > > tlsproxy_client_security_level =
> >
> > ...the default for tlsproxy_client_security_level value is empty.
>
> The default wasn't empty: it just looked empty because the output
> had been word-wrapped.
>
> The root cause is incorrect backwards compatible support for the
> legacy configuration parameters tlsproxy_client_level and
> tlsproxy_client_policy. This disabled tlsproxy's TLS client role
> when a legacy parameter was set.
>
> The fix is to correct the default parameter values:
>
> Old:
> tlsproxy_client_security_level = ${tlsproxy_client_level:$smtp_tls_security_level}
> tlsproxy_client_policy_maps = ${tlsproxy_client_policy:$smtp_tls_policy_maps}
>
> New:
> tlsproxy_client_security_level = ${tlsproxy_client_level?{$tlsproxy_client_level}:{$smtp_tls_security_level}}
> tlsproxy_client_policy_maps = ${tlsproxy_client_policy?{$tlsproxy_client_policy}:{$smtp_tls_policy_maps}}
>
> Wietse
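Wietse's root cause hinges on how postconf(5) expands `${name:value}`: it yields value only when $name is empty and yields nothing at all (not $name) when $name is set, so any legacy tlsproxy_client_* setting emptied the tlsproxy client security level, which is the "service role client is not available" warning seen in this thread. The following is an added example, not Postfix's own code: a small Python model of the main.cf expansion forms involved ($name, ${name}, ${name:text}, ${name?text} and ${name?{text1}:{text2}}), applied to the old and corrected defaults quoted in the message. The main.cf values ("may", "encrypt", the policy map path) are constructed; the model does no loop detection and covers only these expansion forms.

```python
NAME_CHARS = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")


def _matching_brace(s, start):
    """Index of the '}' that closes the '{' at s[start]."""
    depth = 0
    for i in range(start, len(s)):
        depth += {"{": 1, "}": -1}.get(s[i], 0)
        if depth == 0:
            return i
    raise ValueError("unbalanced braces in %r" % s)


def _strip_braces(text):
    """'{text}' -> 'text'; other text is returned unchanged."""
    if text.startswith("{") and _matching_brace(text, 0) == len(text) - 1:
        return text[1:-1]
    return text


def _lookup(name, params):
    # Parameter values are expanded recursively (this model has no loop detection).
    return expand(params.get(name, ""), params)


def _expand_ref(inner, params):
    """Expand the text found between '${' and '}'."""
    k = 0
    while k < len(inner) and inner[k] in NAME_CHARS:
        k += 1
    name, tail = inner[:k], inner[k:]
    value = _lookup(name, params)
    if tail == "":                         # ${name}
        return value
    if tail.startswith("?"):               # ${name?text} or ${name?{text1}:{text2}}
        rest, text2 = tail[1:], ""
        if rest.startswith("{"):
            end = _matching_brace(rest, 0)
            text1, rest = rest[1:end], rest[end + 1:]
            if rest.startswith(":"):
                text2 = _strip_braces(rest[1:])
            elif rest:
                raise ValueError("bad conditional in %r" % inner)
        else:
            text1 = rest
        return expand(text1 if value else text2, params)
    if tail.startswith(":"):               # ${name:text}: text only when $name is empty
        return "" if value else expand(_strip_braces(tail[1:]), params)
    raise ValueError("unsupported expansion %r" % inner)


def expand(text, params):
    """Expand $name, ${name}, ${name:text}, ${name?text} and ${name?{t1}:{t2}}
    as postconf(5) documents them. Simplified model, not Postfix's own code."""
    out, i = [], 0
    while i < len(text):
        if text[i] != "$":
            out.append(text[i])
            i += 1
        elif text[i + 1:i + 2] == "{":
            end = _matching_brace(text, i + 1)
            out.append(_expand_ref(text[i + 2:end], params))
            i = end + 1
        else:
            j = i + 1
            while j < len(text) and text[j] in NAME_CHARS:
                j += 1
            out.append(_lookup(text[i + 1:j], params) if j > i + 1 else "$")
            i = j
    return "".join(out)


# Default values quoted from Wietse's message: the old (buggy) and the corrected ones.
OLD_DEFAULTS = {
    "tlsproxy_client_security_level": "${tlsproxy_client_level:$smtp_tls_security_level}",
    "tlsproxy_client_policy_maps": "${tlsproxy_client_policy:$smtp_tls_policy_maps}",
}
NEW_DEFAULTS = {
    "tlsproxy_client_security_level":
        "${tlsproxy_client_level?{$tlsproxy_client_level}:{$smtp_tls_security_level}}",
    "tlsproxy_client_policy_maps":
        "${tlsproxy_client_policy?{$tlsproxy_client_policy}:{$smtp_tls_policy_maps}}",
}


def effective(param, defaults, main_cf):
    """Value of `param` as the tlsproxy client role ends up seeing it:
    main.cf settings override the built-in defaults, then everything is expanded."""
    params = dict(defaults)
    params.update(main_cf)
    return expand(params[param], params)


if __name__ == "__main__":
    plain = {"smtp_tls_security_level": "may"}             # constructed main.cf
    legacy = dict(plain, tlsproxy_client_level="encrypt")  # legacy parameter also set
    for label, defaults in (("old", OLD_DEFAULTS), ("new", NEW_DEFAULTS)):
        print(label, [effective("tlsproxy_client_security_level", defaults, c) for c in (plain, legacy)])
```

With only smtp_tls_security_level set, both defaults resolve to "may"; once tlsproxy_client_level = encrypt is present, the old default collapses to the empty string (no TLS client role) while the corrected one yields "encrypt". The operational check on a running system is postconf -x tlsproxy_client_security_level, as in the thread.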


[pfx] Re: tlsproxy service role client is not available

2025-07-31 Thread John Doe via Postfix-users
Hi Wietse,

Thank you, I assume this was a typo with noS;
setting smtp_tls_connection_reuse = no
fixed the issue.

What if I still want to reuse connections, shall I wait for a patch
release for this version? :)

Best regards,
John



On Thu, 31 Jul 2025 at 15:10, Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

> John Doe via Postfix-users:
> > postfix/master[2399665]: warning: process /app/PFXpostfix/postfix/usr/libexec/postfix/tlsproxy pid 2399702 killed by signal 11
> >
> > And it's deferring email to next hop :(
>
> # postconf 'smtp_tls_connection_reuse = noS'
> # postfix reload
>
> This is an old problem, and I'll look for the patch that fixes this.
>
> Wietse


[pfx] tlsproxy service role client is not available

2025-07-31 Thread John Doe via Postfix-users
Hi All,


The Postfix setup is the same as on the old rhel7 server; now I'm using rhel8.

The Postfix version differs: it's 3.8.5 on the new server.

The old one is 3.3.6.

Certs are there, working fine on the other box.


Any clue what is happening here?


postfix/tlsproxy[2399702]: CONNECT to [10.10.10.20]:25

postfix/smtp[2399701]: warning: private/tlsproxy service role "client" is not available

postfix/smtp[2399701]: 4bt4ws1G9NzZkhZC: Cannot start TLS: handshake failure

postfix/master[2399665]: warning: process /app/PFXpostfix/postfix/usr/libexec/postfix/tlsproxy pid 2399702 killed by signal 11

And it's deferring email to the next hop :(


Best Regards,

John