On 9/10/21 9:55 pm, Peter wrote:
On 9/10/21 12:26 pm, Rob Kampen wrote:
So, after many dozens of hours and sending test emails I have found a solution (work around) that appears to work okay. It is now different to the original two MX servers I cloned from, in that the maillog shows a different cycle of processing, and it now fails a truly unknown mailbox much later in the process - thus higher workload on my MX. But the key thing is that it does now do the virtual_alias checks on incoming emails on port 25 before rejecting.
if your MX is not rejecting messages to invalid recipients right away but instead bounces the messages later on you become a backscatter source (See https://www.backscatterer.org/?target=bounces).
Understood. On the two existing MX the recipient checks happen up front AFTER alias substitutions and hence no reject of valid email addresses. I have been unable to achieve this behaviour with the new MX.
your server needs a properly configured list of valid recipients so it knows right away what recipients to accept and which ones to reject.
Agreed, and it has - in mysql tables.
No idea why this third MX is behaving differently. It has a dual stack IP, so I disabled IPv6 access and tried again, but that certainly wasn't the cause of the difference in processing.
If you can provide the output of the following two commands it would be very helpful in troubleshooting your problem:
postconf -nf
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 30720000
milter_default_action = accept
mydestination = localhost localhost.localdomain
myhostname = mx.example.com
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.128.0/24, [global:ip:6::]/64
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = check_policy_service inet:localhost:12350, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/letsencrypt/live/example.com/chain.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dhparam.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
unknown_local_recipient_reject_code = 550
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:12
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:89
postconf -Mf
smtp       inet  n       -       n       -       -       smtpd
    -o smtpd_recipient_restrictions=
    -o content_filter=spamassassin
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
smtp-amavis unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
dovecot    unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
spamassassin unix -      n       n       -       -       pipe
    flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
policyd-spf unix -       n       n       -       0       spawn
    user=nobody argv=/usr/libexec/postfix/policyd-spf
Also of great help would relevant logs for one message that is giving you issues. These should be in /var/log/maillog and contain a connection line followed by a number of postfix/smtpd lines, please copy all the logs for *one* message. Please do not attempt to enable verbose logging (it only adds in a lot of extra unneeded info that detracts from finding the real problem) and it is unnecessary to provide log lines from non-postfix processes.
Cannot see how this log listing can possibly help as it contains only three lines.
Here is the log of the incorrectly rejected email coming into the new MX - very short as it immediately rejects the alias recipient address - which my other two MX do not do.
Oct 8 16:43:19 mx postfix/smtpd[29015]: connect from mail-pf1-x432.google.com[2607:f8b0:4864:20::432]
Oct 8 16:43:21 mx postfix/smtpd[29015]: NOQUEUE: reject: RCPT from mail-pf1-x432.google.com[2607:f8b0:4864:20::432]: 554 5.7.1 rob@example.com: Recipient address rejected: Unknown user; from=rob@gmail.com to=rob@example.com proto=ESMTP helo=<mail-pf1-x432.google.com>
Oct 8 16:43:21 mx postfix/smtpd[29015]: disconnect from mail-pf1-x432.google.com[2607:f8b0:4864:20::432]
This led me to the conclusion that the alias substitution is not taking place on my new MX whereas it does on my two working MX - hence my addition to the smtp processing line at the top of the master.cf file.
Appreciate any insight you can give me.
It should be noted that the two initial MX machines have an extra line in the maillog that is the second logged step in the process, and goes something like:
Oct 8 19:00:58 mx policyd-spf[16055]: prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=209.85.210.180; helo=mail-pf1-f180.google.com; envelope-from=rob@example.com; receiver=<UNKNOWN>
This is likely unrelated to the issue but may point to another issue having to do with a possibly incorrect policyd setup. We can cross that bridge after we've fixed the primary issue though (one issue at a time).
After that, the processing steps are identical.
It's likely that there may be something else subtle in the logs that we can spot that you are not noticing.
Peter
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
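Peter asks above for every maillog line belonging to one SMTP session: the "connect from" line, the postfix/smtpd lines that follow with the same process id, and the "disconnect from" line. The script below is an added example written for this thread, not code from either participant or from Postfix; it groups smtpd lines into sessions by pid and pulls the recipient, sender and reason out of each "NOQUEUE: reject: RCPT" line so that the "Unknown user" rejects can be listed and counted. The sample log is constructed for the example (the first session reproduces the three lines quoted in the thread, the second session is an invented accepted delivery with a placeholder queue id); the regexes accept addresses with or without the angle brackets that Postfix normally logs, since the quoted lines lost theirs in the mail archive.

```python
import re
from collections import defaultdict

# Constructed sample log: session one mirrors the three lines quoted in the
# thread; session two is an invented clean delivery (placeholder queue id).
SAMPLE_LOG = """\
Oct  8 16:43:19 mx postfix/smtpd[29015]: connect from mail-pf1-x432.google.com[2607:f8b0:4864:20::432]
Oct  8 16:43:21 mx postfix/smtpd[29015]: NOQUEUE: reject: RCPT from mail-pf1-x432.google.com[2607:f8b0:4864:20::432]: 554 5.7.1 <rob@example.com>: Recipient address rejected: Unknown user; from=<rob@gmail.com> to=<rob@example.com> proto=ESMTP helo=<mail-pf1-x432.google.com>
Oct  8 16:43:21 mx postfix/smtpd[29015]: disconnect from mail-pf1-x432.google.com[2607:f8b0:4864:20::432]
Oct  8 16:50:02 mx postfix/smtpd[29101]: connect from mail-pf1-x433.google.com[2607:f8b0:4864:20::433]
Oct  8 16:50:03 mx postfix/smtpd[29101]: QUEUEIDXXXX: client=mail-pf1-x433.google.com[2607:f8b0:4864:20::433]
Oct  8 16:50:03 mx postfix/cleanup[29110]: QUEUEIDXXXX: message-id=<constructed@example.net>
Oct  8 16:50:04 mx postfix/smtpd[29101]: disconnect from mail-pf1-x433.google.com[2607:f8b0:4864:20::433]
"""

# Syslog prefix: timestamp, host, postfix/<process>[<pid>]: <message>
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'postfix/(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')

# RCPT-stage reject. '<?' / '>?' tolerate addresses logged with or without
# angle brackets; the reason runs up to the ';' that precedes from=/to=.
REJECT_RE = re.compile(
    r'^NOQUEUE: reject: RCPT from (?P<client>\S+): '
    r'(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) <?(?P<rcpt>[^>:\s]+)>?: '
    r'(?P<reason>[^;]+); from=<?(?P<sender>[^>\s]*)>? to=<?(?P<to>[^>\s]*)>?')


def sessions(log_text):
    """Group postfix/smtpd lines into sessions keyed by smtpd pid.

    A session opens at 'connect from' and closes at 'disconnect from'. One
    smtpd process serves many sessions one after another, so keying by pid
    and resetting on each 'connect from' keeps them apart. Lines from other
    Postfix daemons (cleanup, qmgr, ...) are ignored, as Peter requested.
    """
    open_sessions = {}
    finished = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m['proc'] != 'smtpd':
            continue
        pid, msg = m['pid'], m['msg']
        if msg.startswith('connect from '):
            open_sessions[pid] = {'pid': pid,
                                  'client': msg[len('connect from '):],
                                  'lines': [raw], 'rejects': []}
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue  # session started before the log excerpt; skip it
        sess['lines'].append(raw)
        r = REJECT_RE.match(msg)
        if r:
            sess['rejects'].append({'code': r['code'], 'dsn': r['dsn'],
                                    'rcpt': r['rcpt'],
                                    'reason': r['reason'].strip(),
                                    'sender': r['sender'], 'to': r['to']})
        if msg.startswith('disconnect from '):
            finished.append(open_sessions.pop(pid))
    # Sessions still open at end of excerpt are returned too, unfinished.
    finished.extend(open_sessions.values())
    return finished


def reject_summary(log_text):
    """Count RCPT-stage rejects by (SMTP code, reason text)."""
    counts = defaultdict(int)
    for sess in sessions(log_text):
        for r in sess['rejects']:
            counts[(r['code'], r['reason'])] += 1
    return dict(counts)


def unknown_user_rejects(log_text):
    """List (sender, recipient) pairs refused as 'Unknown user': the exact
    symptom under discussion, where an aliased address is rejected at RCPT."""
    return [(r['sender'], r['rcpt'])
            for sess in sessions(log_text)
            for r in sess['rejects']
            if 'Unknown user' in r['reason']]


if __name__ == '__main__':
    for sess in sessions(SAMPLE_LOG):
        print(f"smtpd[{sess['pid']}] {sess['client']}: "
              f"{len(sess['lines'])} lines, {len(sess['rejects'])} rejects")
    print(reject_summary(SAMPLE_LOG))
    print(unknown_user_rejects(SAMPLE_LOG))
```

To use it on a real box, replace SAMPLE_LOG with the contents of /var/log/maillog (or a grep of it for one client host) and pick the session whose pid matches the rejected connection; the 'lines' list of that session is precisely what Peter asked to be pasted. Because every entry here is a NOQUEUE reject at RCPT time, nothing was accepted and bounced later, which is the distinction Peter draws when he warns about becoming a backscatter source.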