Understanding Postfix and smtpd_recipient_restrictions priorities
Hi all, I've got a setup with Debian Lenny, Postfix with MySQL(on a remote server in the same LAN of the mail server) and Clamav+Spamassassin. The original smtpd_recipient_restrictions parameter setting was this one: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname Spamassassin is configured with rbl check and so those lists were never considered in Postfix... Until now. Some days ago we started to serve a mail domain with a large amount of spam and after that the Mysql database broke up with the message "Too many connections". The cause of this problem (as we saw from the logs) was that for any spam message which was directed to a nonexistent mail address (but with a correct domain) a connection to the db was also generated. We've tried to find out a solution by adding some rbl checks directly in Postfix: smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_non_fqdn_sender, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client list.dsbl.org, reject_rbl_client rbl.mail-abuse.org, reject_rbl_client spamsources.fabel.dk, reject_unlisted_recipient putting "reject_unlisted_recipient" after all the rbl check drastically reduced the db connections, but after some time the Postfix process has stopped working. We saw the process up with a "ps", but it was not accepting mail anymore. The only solution was to manually restart the Postfix daemon. To find out a solution we recompiled and installed the 2.6.5 Postfix release (with vda patch, instead of the default Lenny 2.5.5) and after that the Postfix process went down just a time in a day, but it was not necessary to restart the daemon. The original process become responsive again by itself. So the questions are: what the problems may be? Are they caused just by the amount of messages the mail server must manage? Why a new version seems to solve the problem? Are the priorities configured in the smtpd_recipient_restrictions parameters correct? Thanks for your help, -- RaSca Mia Mamma Usa Linux: Niente è impossibile da capire, se lo spieghi bene! ra...@miamammausalinux.org http://www.miamammausalinux.org
Re: Understanding Postfix and smtpd_recipient_restrictions priorities
Il giorno Mer 13 Gen 2010 18:09:35 CET, Steve ha scritto: [...] I would suggest you to use proxy maps to lower the amount of connections to the MySQL backend. And on the above smtpd_recipient_restrictions I would suggest to push reject_unlisted_recipient above all RBL checks since there is no benefit in checking RBLs if you are anyway going to reject them later (if the recipient is not managed on your system). I as well would not use zen.spamhaus.org (without a subscription) if you have a high mail volume. Thank you Steve, I made as you suggested and now the MySQL threads still remains low even if reject_unlisted_recipient is on the top of the list. I also removed smahaus.org from the rbl check, I'm going to find out if it's conveninet subscribing to the service. Thanks a lot! -- RaSca Mia Mamma Usa Linux: Niente è impossibile da capire, se lo spieghi bene! ra...@miamammausalinux.org http://www.miamammausalinux.org
Re: Understanding Postfix and smtpd_recipient_restrictions priorities
Il giorno Mer 13 Gen 2010 18:52:58 CET, Brian Evans - Postfix List ha scritto: [...] In addition, list.dsbl.org is dead and gone for some time now. You are just adding a DNS lookup that will never return anything valuable. Thanks everybody for the suggestions, I've got another problem now: this night some mails were not dispatched directly to the maildir but those remains queued. What i see from the logs is that the status is sent, but the mail is not delivered to the maildir: Jan 14 06:23:41 mail-1 postfix/smtp[3836]: C0F0620E04B: to=, relay=127.0.0.1[127.0.0.1]:10025, delay=0.11, delays=0.02/0/0.04/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CE51C20E04A) This morning after a few tests, i just restarted the postfix daemon, and after a while mails arrived on the box. Does this can depend from the proxy directive? Ho can i control this postfix feature or check where things starts to go wrong (ok, quite wrong since at the end every mail arrived)? Thanks again, -- RaSca Mia Mamma Usa Linux: Niente è impossibile da capire, se lo spieghi bene! ra...@miamammausalinux.org http://www.miamammausalinux.org
Re: Understanding Postfix and smtpd_recipient_restrictions priorities
Il giorno Gio 14 Gen 2010 09:55:06 CET, Steve ha scritto: [...] You probably have a service listening on port 10025 (probably a greylisting service or such) and you forgot to start that service or the service crashed. Can you restart that service and then issue a "postsuper -r ALL"? [...] Of course I have it. It's the clamsmtp daemon: tcp0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 4579/clamsmtpd But it was not crashed. The only thing I've done to turn things on again was to restart the postfix daemon, without restarting anything else. For making myself more clear, I try to explain with more details my architecture. Postfix is configured for passing the mails to the clamsmtp daemon. main.cf: content_filter = scan:127.0.0.1:10025 receive_override_options = no_address_mappings unknown_local_recipient_reject_code = 450 master.cf: scanunix -- n - 16 smtp -o smtp_send_xforward_command=yes 127.0.0.1:10026 inet n - n - 16 smtpd -o content_filter= -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks_style=host -o smtpd_authorized_xforward_hosts=127.0.0.0/8 Obviously clamsmtp is listening on the 10025. As you say, something in the mail chain was broken, but I can extract from the logs which component is. Have you any suggestion? Thank you for your precious support! P.S.: What the "postsuper -r ALL" command do? -- RaSca Mia Mamma Usa Linux: Niente è impossibile da capire, se lo spieghi bene! ra...@miamammausalinux.org http://www.miamammausalinux.org
Problem with "mail transport unavailable"
Hi all, I've got Postfix running on two machines balanced with lvs, the configuration is obviously identical on every machine, but in only on one of them and with some messages i see this kind of error message in the log: Jan 21 11:52:55 mail-2 postfix/error[4716]: E2B4A208256: to=, relay=none, delay=181215, delays=181215/0.05/0/0.25, dsn=4.3.0, status=deferred (mail transport unavailable) I've got many line like this one, the ID is identical for some lines so it seems to be a retry. All the daemons are started (I've got postfix+spampd+clamav) and responsive (as i can see from telnet checks). What else should I check? Have you got any idea? Note that the mail server works perfectly, only for those group 150 messages I receive this error. Thanks for your help, -- RaSca Mia Mamma Usa Linux: Niente è impossibile da capire, se lo spieghi bene! ra...@miamammausalinux.org http://www.miamammausalinux.org
Re: Problem with "mail transport unavailable"
Il giorno Gio 21 Gen 2010 13:08:02 CET, wie...@porcupine.org (Wietse Venema) ha scritto: [...] http://www.postfix.org/DEBUG_README.html#logging Look for obvious signs of trouble Hi, I haven't found any message of this kind concerning the message group. As i wrote, Postfix works perfectly except for those messages in this machine (no log of this kind are on the first one). I've got NO fatal or panic messages. The only warning message i found is "verification failed: Name or service not known" but it's about domains which really does not exists. The only error message i can read is about the transport unavailable. What else should i check? I know that these information may be few for giving me help, but I'm trying to find out a way for understanding what is happening. -- RaSca Mia Mamma Usa Linux: Niente è impossibile da capire, se lo spieghi bene! ra...@miamammausalinux.org http://www.miamammausalinux.org
Re: Problem with "mail transport unavailable" (SOLVED)
Il giorno Gio 21 Gen 2010 14:33:16 CET, RaSca ha scritto: [...] What else should i check? I know that these information may be few for giving me help, but I'm trying to find out a way for understanding what is happening. Thanks to my friend Mauro, I finally solved the problem. The problem was that those mail were received by postfix when i was renaming the clamav's content_filer, which in origin was: content_filter = scan:127.0.0.1:10027 once renamed it in content_filter = clamav:127.0.0.1:10027 and restarted postfix (and clamav, of course) those mail arrived during the restart were pointing to the wrong transport: Jan 21 15:06:06 mail-2 postfix/qmgr[31542]: warning: connect to transport scan: Connection refused so, the fastest solution was to launch a postsuper -r ALL to force the re-queuing of all messages. So, the right approach was to look the queue, forcing one message to flush and look in the log for some errors. -- RaSca Mia Mamma Usa Linux: Niente è impossibile da capire, se lo spieghi bene! ra...@miamammausalinux.org http://www.miamammausalinux.org
Re: Problem with "mail transport unavailable"
Il giorno Gio 21 Gen 2010 16:33:23 CET, wie...@porcupine.org (Wietse Venema) ha scritto: RaSca: http://www.postfix.org/DEBUG_README.html#logging Look for obvious signs of trouble Hi, I haven't found any message of this kind concerning the message group. I suppose you overlooked this warning then. Jan 21 15:06:06 mail-2 postfix/qmgr[31542]: warning: connect to transport scan: Connection refused Wietse The message was not related to the ID of the message, so with grep was impossible to see. I will look better in the future. Thanks for you precious help. -- RaSca Mia Mamma Usa Linux: Niente è impossibile da capire, se lo spieghi bene! ra...@miamammausalinux.org http://www.miamammausalinux.org
Re: Problem with "mail transport unavailable"
Il giorno Gio 21 Gen 2010 17:21:52 CET, wie...@porcupine.org (Wietse Venema) ha scritto: [...] I asked you to egrep '(fatal|panic|error|etc)' but you thought you knew better and therefore lost time. Wietse You don't asked me anything, you just copied and pasted a README file. You are the prophet of knowing better than anyone, don't fear ;-) -- RaSca Mia Mamma Usa Linux: Niente è impossibile da capire, se lo spieghi bene! ra...@miamammausalinux.org http://www.miamammausalinux.org
Re: Problem with "mail transport unavailable"
Il giorno Gio 21 Gen 2010 18:19:07 CET, Michael Katz ha scritto: [...] In short, Wietse has earned a position of the highest regard and ultimate professional respect and insulting him is out of line on this list. In short, I'm not insulting anyone and I'm not frustrated. Keep up the good work! -- RaSca Mia Mamma Usa Linux: Niente è impossibile da capire, se lo spieghi bene! ra...@miamammausalinux.org http://www.miamammausalinux.org
