Greetz everyone,
I'm currently messing around with my mail-setup here.
Everything is working properly except receiving mails (which should obviously work).
I'm running the setup in a systemd-nspawn container.
the postfix/main.cf:
##
## Network settings
##
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = 127.0.0.1, ::1, 10.1.0.3
myhostname = mail.mydomain.de
##
## Mail queue settings
##
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h
maximal_backoff_time = 15m
minimal_backoff_time = 5m
queue_run_delay = 5m
##
## TLS settings
##
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
### Outbound SMTP connections (Postfix as sender)
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
### Inbound SMTP connections
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = high
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file=/etc/letsencrypt/live/mydomain.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mydomain.de/privkey.pem
##
## Local mail delivery to Dovecot via LMTP
##
virtual_transport = lmtp:unix:private/dovecot-lmtp
##
## Spam filter and DKIM signatures via Rspamd
##
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
##
## Server Restrictions for clients, recipients and relaying
## (concerning S2S-connections. Mailclient-connections are configured in submission-section in master.cf)
##
### Conditions in which Postfix works as a relay. (for mail user clients)
smtpd_relay_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination
### Conditions in which Postfix accepts e-mails as recipient (additional to relay conditions)
### check_recipient_access checks if an account is "sendonly"
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf
### Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions = permit_mynetworks
    check_client_access hash:/etc/postfix/without_ptr
    reject_unknown_client_hostname
### Foreign mail servers must present a valid "HELO"
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
# Block clients, which start sending too early
smtpd_data_restrictions = reject_unauth_pipelining
##
## Restrictions for MUAs (Mail user agents)
##
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
##
## Postscreen Filter
##
### Postscreen Whitelist / Blocklist
postscreen_access_list = permit_mynetworks
    cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
# Drop connections if other server is sending too quickly
postscreen_greet_action = drop
### DNS blocklists
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2
    zen.spamhaus.org*2
postscreen_dnsbl_action = drop
##
## MySQL queries
##
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
local_recipient_maps = $virtual_mailbox_maps
##
## Miscellaneous
##
### Maximum mailbox size (0=unlimited - is already limited by Dovecot quota)
mailbox_size_limit = 0
### Maximum size of inbound e-mails (50 MB)
message_size_limit = 52428800
### Do not notify system users on new e-mail
biff = no
### Users always have to provide full e-mail addresses
append_dot_mydomain = no
### Delimiter for "Address Tagging"
recipient_delimiter = +
postfix/master.cf
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       1       postscreen
  -o smtpd_sasl_auth_enable=no
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_relay_restrictions=$mua_relay_restrictions
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sender_login_maps=mysql:/etc/postfix/sql/sender-login-maps.cf
  -o smtpd_helo_required=no
  -o smtpd_helo_restrictions=
  -o cleanup_service_name=submission-header-cleanup
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
submission-header-cleanup unix n - n - 0 cleanup
  -o header_checks=regexp:/etc/postfix/submission_header_cleanup
sudo systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-08-22 09:51:34 CEST; 5min ago
Process: 16166 ExecStop=/usr/bin/postfix stop (code=exited, status=0/SUCCESS)
Process: 16177 ExecStart=/usr/bin/postfix start (code=exited, status=0/SUCCESS)
Main PID: 16251 (master)
CGroup: /system.slice/postfix.service
├─16251 /usr/lib/postfix/bin/master -w
├─16252 pickup -l -t unix -u -c
├─16253 qmgr -l -t unix -u
└─16257 tlsmgr -l -t unix -u -c
Aug 22 09:51:56 mail postfix/smtpd[16262]: NOQUEUE: reject: RCPT from unknown[212.227.17.22]: 450 4.7.25 Client host rejected: cannot find your hostname, [212.227.17.22]; from=<felix.golatofski@gmx.de> to=<goliath@mydomain.de> proto=ESMTP helo=<mout.gmx.net>
Aug 22 09:51:56 mail postfix/smtpd[16262]: disconnect from unknown[212.227.17.22] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7
Aug 22 09:53:15 mail postfix/postscreen[16259]: CONNECT from [212.227.17.21]:57165 to [10.1.0.3]:25
Aug 22 09:53:15 mail postfix/postscreen[16259]: PASS OLD [212.227.17.21]:57165
Aug 22 09:53:15 mail postfix/smtpd[16262]: connect from unknown[212.227.17.21]
Aug 22 09:53:15 mail postfix/smtpd[16262]: NOQUEUE: reject: RCPT from unknown[212.227.17.21]: 450 4.7.25 Client host rejected: cannot find your hostname, [212.227.17.21]; from=<myemail@gmx.de> to=<goliath@mydomain.de> proto=ESMTP helo=<mout.gmx.net>
Aug 22 09:53:16 mail postfix/smtpd[16262]: disconnect from unknown[212.227.17.21] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7
Aug 22 09:56:36 mail postfix/anvil[16263]: statistics: max connection rate 1/60s for (smtpd:212.227.17.22) at Aug 22 09:51:55
Aug 22 09:56:36 mail postfix/anvil[16263]: statistics: max connection count 1 for (smtpd:212.227.17.22) at Aug 22 09:51:55
Aug 22 09:56:36 mail postfix/anvil[16263]: statistics: max cache size 1 at Aug 22 09:51:55
[root@mail ~]#
Especially take a look at
Aug 22 09:53:15 mail postfix/smtpd[16262]: NOQUEUE: reject: RCPT from unknown[212.227.17.21]: 450 4.7.25 Client host rejected: cannot find your hostname, [212.227.17.21]; from=<myemail@gmx.de> to=<goliath@mydomain.de> proto=ESMTP helo=<mout.gmx.net>
Aug 22 09:53:16 mail postfix/smtpd[16262]: disconnect from unknown[212.227.17.21] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7
(I did indeed copy /etc/{localtime,resolv.conf,hosts,services} to /var/spool/postfix/etc)
If any further information is needed, feel free to ask.
Cheers,
Felix aka TheGoliath
Last edited by TheGoliath (2018-08-23 18:36:29)
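Added example, not part of the thread and not Postfix's own code: the forward-confirmed reverse DNS check that reject_unknown_client_hostname performs (PTR for the IP, then A/AAAA for that name, then the IP must be among those addresses), with the lookups injectable so the same check can be re-run from the host against the IPs the journal shows as rejected. The split into temporary and permanent failures mirrors Postfix's rule that a temporary lookup failure is always answered 450 while a permanent one gets unknown_client_reject_code (default 450, which is why the log lines above cannot tell the two apart). The resolver wrappers use Python's socket module; the lines in SAMPLE_JOURNAL are constructed to look like the smtpd lines above, with example.net/example.org addresses.

```python
"""Re-run what reject_unknown_client_hostname checks, outside of smtpd.

Added example for this thread, not code from it or from Postfix. Lookups are
injectable: the real resolver (socket module) by default, canned answers in tests.
"""
import re
import socket


class NotFound(Exception):
    """Permanent negative answer (NXDOMAIN / no data)."""


class TempFail(Exception):
    """Temporary failure (SERVFAIL, timeout, resolver unreachable)."""


# h_errno values from <netdb.h>, carried in socket.herror.args[0]
HOST_NOT_FOUND, TRY_AGAIN, NO_RECOVERY, NO_DATA = 1, 2, 3, 4


def system_ptr_lookup(ip):
    """IP -> PTR name through libc/NSS, the path a non-chrooted daemon takes."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror as e:
        if e.args and e.args[0] in (HOST_NOT_FOUND, NO_DATA):
            raise NotFound(ip) from e
        raise TempFail(ip) from e


def system_addr_lookup(name):
    """name -> set of A/AAAA addresses through getaddrinfo."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror as e:
        if e.errno == getattr(socket, "EAI_AGAIN", -3):
            raise TempFail(name) from e
        raise NotFound(name) from e
    return {info[4][0] for info in infos}


def fcrdns(ip, ptr_lookup=system_ptr_lookup, addr_lookup=system_addr_lookup):
    """Forward-confirmed reverse DNS in the order smtpd applies it:
    1) IP -> name must exist, 2) name -> addresses must exist, 3) they must contain IP.
    Returns (verdict, detail); verdict is ok / no-ptr / no-forward / mismatch / temp-fail."""
    try:
        name = ptr_lookup(ip)
    except NotFound:
        return "no-ptr", ip
    except TempFail:
        return "temp-fail", ip
    try:
        addrs = addr_lookup(name)
    except NotFound:
        return "no-forward", name
    except TempFail:
        return "temp-fail", name
    return ("ok" if ip in addrs else "mismatch"), name


def smtpd_reply_code(verdict, unknown_client_reject_code=450):
    """SMTP code smtpd sends for a verdict: temporary lookup failures are always 450,
    permanent ones use unknown_client_reject_code (Postfix default 450)."""
    if verdict == "ok":
        return None
    return 450 if verdict == "temp-fail" else unknown_client_reject_code


REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<esc>\d\.\d\.\d+) (?P<reason>[^;]*); from=<(?P<from>[^>]*)> "
    r"to=<(?P<to>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)

# Constructed sample, shaped like the smtpd lines in the thread (not real log output).
SAMPLE_JOURNAL = """\
Aug 23 12:45:29 mail postfix/smtpd[25353]: connect from unknown[212.227.17.21]
Aug 23 12:45:29 mail postfix/smtpd[25353]: NOQUEUE: reject: RCPT from unknown[212.227.17.21]: 450 4.7.25 Client host rejected: cannot find your hostname, [212.227.17.21]; from=<sender@example.net> to=<user@example.org> proto=ESMTP helo=<mout.example.net>
Aug 23 12:45:29 mail postfix/smtpd[25353]: disconnect from unknown[212.227.17.21] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7
"""


def parse_rejects(journal):
    """The NOQUEUE reject lines of a journal, as dicts of the captured fields."""
    return [m.groupdict() for m in map(REJECT_RE.search, journal.splitlines()) if m]


def triage(journal, ptr_lookup=system_ptr_lookup, addr_lookup=system_addr_lookup):
    """For each client rejected with 'cannot find your hostname', redo the FCrDNS check
    from this process. Verdict 'ok' means the DNS data is fine and the rejecting smtpd's
    own environment (resolver config or chroot contents) is what differs."""
    rows, seen = [], set()
    for r in parse_rejects(journal):
        if "cannot find your hostname" not in r["reason"] or r["ip"] in seen:
            continue
        seen.add(r["ip"])
        verdict, detail = fcrdns(r["ip"], ptr_lookup, addr_lookup)
        rows.append({"ip": r["ip"], "helo": r["helo"], "logged": int(r["code"]),
                     "verdict": verdict, "detail": detail})
    return rows


if __name__ == "__main__":
    import sys
    text = SAMPLE_JOURNAL if sys.stdin.isatty() else sys.stdin.read()
    for row in triage(text):
        print(row)
```

Pipe journalctl -u postfix into it on the mail host. A verdict of ok for an IP that smtpd rejected with "cannot find your hostname" means the DNS data is fine and the difference lies in smtpd's own environment (resolver config or, as this thread ends up finding, the chroot); no-ptr or mismatch means the sender really has no forward-confirmed reverse DNS, and the check_client_access map (without_ptr in the config above) is the right place for an exception.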
Yes, I've seen that already. But the provider GMX should match its IP addresses via a PTR record correctly. So I think it is some misconfiguration or missing configuration with my postfix.
If you remove that option is the mail accepted? You did not indicate you were aware of that option being the likely cause in the original post so I suggested it.
Yes, the mail goes through. Yes, sorry, I should have indicated that. I know that it's the cause. I just want to know how to get it working with the option (because it looks for the server's PTR records or hostnames and thus prohibits a lot of spam for me). So the problem should be the DNS, right? My resolv.conf sets two nameservers: my own nameserver in the IPv6 and IPv4 format. I already tried the same with both resolvers of Cloudflare (1.1.1.1, 1.0.0.1, ...).
(Just to show, that it worked: https://imgur.com/a/RqbKygO)
Perhaps it is the following: you connect from 212.227.17.21 with helo mout.gmx.net. dig @1.1.1.1 shows that has the address 5.79.121.69; dig -x @1.1.1.1 shows no reverse for that IP.
Edit:
If this is meant to be you as an authenticated user sending mail I can not see anything in the log snippet you posted of the client authenticating itself and postfix is treating it as another mail server.
Last edited by loqs (2018-08-22 15:30:23)
212.227.17.21 should be GMX's IP, which (normally) has a reverse DNS.
My resolv.conf sets two nameservers. My own nameserver in the IPv6 and IPv4 format.
It sounds like your nameserver is not providing your postfix server with the result of:
unbound-host 212.227.17.21
21.17.227.212.in-addr.arpa domain name pointer mout.gmx.net.
Last edited by brebs (2018-08-23 09:15:21)
unbound works properly:
[root@mail ~]# unbound-host 212.227.17.21
21.17.227.212.in-addr.arpa domain name pointer mout.gmx.net.
So I don't know why postfix can't access unbound.
Does /etc/resolv.conf contain "nameserver 127.0.0.1", to actually *use* unbound?
Yes it does. Both files `/etc/resolv.conf` and `/var/spool/postfix/etc/resolv.conf` contain `nameserver 127.0.0.1`
Tried it again recently.
Aug 23 12:40:20 mail postfix/postscreen[25305]: CONNECT from [212.227.17.20]:40123 to [10.1.0.3]:25
Aug 23 12:40:26 mail postfix/postscreen[25305]: PASS OLD [212.227.17.20]:40123
Aug 23 12:40:26 mail postfix/smtpd[25308]: connect from unknown[212.227.17.20]
Aug 23 12:40:26 mail postfix/smtpd[25308]: NOQUEUE: reject: RCPT from unknown[212.227.17.20]: 450 4.7.25 Client host rejected: cannot find your hostname, [212.227.17.20]; from=<myemail@gmx.de> to=<goliath@mydomain.de> proto=ESMTP helo=<mout.gmx.net>
Aug 23 12:40:26 mail postfix/smtpd[25308]: disconnect from unknown[212.227.17.20] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7
Aug 23 12:43:46 mail postfix/anvil[25288]: statistics: max connection rate 1/60s for (submission:79.129.28.135) at Aug 23 12:39:21
Aug 23 12:43:46 mail postfix/anvil[25288]: statistics: max connection count 1 for (submission:79.129.28.135) at Aug 23 12:39:21
Aug 23 12:43:46 mail postfix/anvil[25288]: statistics: max cache size 1 at Aug 23 12:39:21
Aug 23 12:45:29 mail postfix/postscreen[25350]: CONNECT from [212.227.17.21]:43411 to [10.1.0.3]:25
Aug 23 12:45:29 mail postfix/postscreen[25350]: PASS OLD [212.227.17.21]:43411
Aug 23 12:45:29 mail postfix/smtpd[25353]: connect from unknown[212.227.17.21]
Aug 23 12:45:29 mail postfix/smtpd[25353]: NOQUEUE: reject: RCPT from unknown[212.227.17.21]: 450 4.7.25 Client host rejected: cannot find your hostname, [212.227.17.21]; from=<myemail@gmx.de> to=<goliath@mydomain.de> proto=ESMTP helo=<mout.gmx.net>
Aug 23 12:45:29 mail postfix/smtpd[25353]: disconnect from unknown[212.227.17.21] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7
Last edited by TheGoliath (2018-08-23 10:50:22)
@TheGoliath
Can you check the output of
$ dig -x 8.8.4.4
$ dig -x 212.227.17.21
to make sure the system resolver is using your local DNS recursor?
Works imo:
[root@mail ~]# dig -x 8.8.4.4
; <<>> DiG 9.13.2 <<>> -x 8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19721
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.4.8.8.in-addr.arpa. IN PTR
;; ANSWER SECTION:
4.4.8.8.in-addr.arpa. 86400 IN PTR google-public-dns-b.google.com.
;; Query time: 977 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 23 14:11:20 CEST 2018
;; MSG SIZE rcvd: 93
[root@mail ~]# dig -x 8.8.4.4
; <<>> DiG 9.13.2 <<>> -x 8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51464
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.4.8.8.in-addr.arpa. IN PTR
;; ANSWER SECTION:
4.4.8.8.in-addr.arpa. 86390 IN PTR google-public-dns-b.google.com.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 23 14:11:30 CEST 2018
;; MSG SIZE rcvd: 93
Last edited by TheGoliath (2018-08-23 12:12:52)
Anything else I could/should try?
@TheGoliath is it expected that the connection is being treated as an SMTP client rather than a mail user agent?
No, why should it be treated as an SMTP client?
For further reference. My setup is based on the Blogpost: https://thomas-leister.de/en/mailserver-debian-stretch/
You have the following line in your master.cf:
-o smtpd_client_restrictions=$mua_client_restrictions
And at the same time you have
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
in main.cf,
so every SMTP client that connects to your postfix will be checked with mua_client_restrictions, and smtpd_client_restrictions will not be checked for them. As a result only authenticated clients and permit_mynetworks hosts are allowed to send emails.
Last edited by sincomil (2018-08-23 13:15:33)
In post #5 you indicated that removing reject_unknown_client_hostname resolved the issue. In the configuration you posted in #1
### Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions = permit_mynetworks
check_client_access hash:/etc/postfix/without_ptr
reject_unknown_client_hostname
Is the only use of reject_unknown_client_hostname.
Aww yeah. Makes sense. Gonna fix that when I'm back from the beach
@simcomil do you have a corrected config or example config that requires authentication for MUAs to send mail and no authentication but additional checks for other mail servers?
One thing: look at my master.cf, all processes are running in a chroot. Thus, could it be that they can't reach the local resolver?
And I rewrote the whole mail setup. So I didn't copy&paste but edited every config file accordingly. Should be now more maintainable.
(So using e.g. /etc/dovecot/conf.d/* and stock files (modified to fit my needs))
I was right with the chroot. Now it works when disabling chroot.
@loqs @sincomil
So resolving the hostname and thus the option with reject_unknown_client
Journal:
Aug 23 20:07:41 mail postfix/smtpd[981]: connect from mout.gmx.net[212.227.17.21]
Aug 23 20:07:41 mail postfix/smtpd[981]: A418312856: client=mout.gmx.net[212.227.17.21]
Aug 23 20:07:41 mail postfix/cleanup[989]: A418312856: message-id=<51473227-f8cc-e5f4-8427-38f49d8d67c2@gmx.de>
Aug 23 20:07:41 mail postfix/qmgr[954]: A418312856: from=<myemail@gmx.de>, size=2085, nrcpt=1 (queue active)
Aug 23 20:07:42 mail postfix/smtpd[981]: disconnect from mout.gmx.net[212.227.17.21] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 23 20:07:42 mail postfix/lmtp[991]: A418312856: to=<goliath@mydomain.de>, relay=mail.mydomain.de[private/dovecot-lmtp], delay=0.35, delays=0.32/0/0/0.03, dsn=2.0.0, status=sent (250 2.0.0 <goliath@mydomain.de> ULGbOu33flvgAwAAYrfSig Saved)
Aug 23 20:07:42 mail postfix/qmgr[954]: A418312856: removed
For your information, I found this entry in the Arch wiki:
https://wiki.archlinux.org/index.php/Po … hroot_jail
It even tells me that I should copy the libraries.
I should rtfm!
Thanks guys. You are great people.
/Solved
Last edited by TheGoliath (2018-08-23 18:23:04)
One last question. How can I mark this thread as solved?
Or is it only possible when being a moderator =<