On 9/10/21 9:55 pm, Peter wrote:
> On 9/10/21 12:26 pm, Rob Kampen wrote:
>> So, after many dozens of hours and sending test emails I have found a
>> solution (work around) that appears to work okay. It is now different
>> to the original two MX servers I cloned from, in that the maillog
>> shows a different cycle of processing, and it now fails a truly
>> unknown mailbox much later in the process - thus higher workload on
>> my MX. But the key thing is that it does now do the virtual_alias
>> checks on incoming emails on port 25 before rejecting.
>
> if your MX is not rejecting messages to invalid recipients right away
> but instead bounces the messages later on you become a backscatter
> source (See https://www.backscatterer.org/?target=bounces).
>
Understood. On the two existing MX the recipient checks happen up front
AFTER alias substitutions and hence no reject of valid email addresses.
I have been unable to achieve this behaviour with the new MX.

> your server needs a properly configured list of valid recipients so it
> knows right away what recipients to accept and which ones to reject.

Agreed, and it has - in mysql tables.

>
>> No idea why this third MX is behaving differently. It has a dual
>> stack IP, so I disabled IPv6 access and tried again, but that
>> certainly wasn't the cause of the difference in processing.
>
> If you can provide the output of the following two commands it would
> be very helpful in troubleshooting your problem:
>
> postconf -nf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 30720000
milter_default_action = accept
mydestination = localhost localhost.localdomain
myhostname = mx.example.com
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.128.0/24,
    [global:ip:6::]/64
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
    $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
    $relay_recipient_maps $relay_domains $canonical_maps
    $sender_canonical_maps
    $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = check_policy_service inet:localhost:12350,
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/letsencrypt/live/example.com/chain.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dhparam.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
unknown_local_recipient_reject_code = 550
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
    proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:12
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:89

> postconf -Mf

smtp       inet  n       -       n       -       -       smtpd
    -o smtpd_recipient_restrictions= -o content_filter=spamassassin
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000    1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000    0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
smtp-amavis unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter= -o local_recipient_maps= -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions= -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
dovecot    unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -f ${sender}
    -d ${recipient}
spamassassin unix -      n       n       -       -       pipe
    flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f
    ${sender} ${recipient}
policyd-spf unix -       n       n       -       0       spawn
    user=nobody argv=/usr/libexec/postfix/policyd-spf

>
> Also of great help would be relevant logs for one message that is giving
> you issues. These should be in /var/log/maillog and contain a
> connection line followed by a number of postfix/smtpd lines, please
> copy all the logs for *one* message. Please do not attempt to enable
> verbose logging (it only adds in a lot of extra unneeded info that
> detracts from finding the real problem) and it is unnecessary to
> provide log lines from non-postfix processes.
Cannot see how this log listing can possibly help as it contains only
three lines.
Here is the log of the incorrectly rejected email coming into the new MX
- very short as it immediately rejects the alias recipient address -
which my other two MX do not do.

Oct  8 16:43:19 mx postfix/smtpd[29015]: connect from mail-pf1-x432.google.com[2607:f8b0:4864:20::432]
Oct  8 16:43:21 mx postfix/smtpd[29015]: NOQUEUE: reject: RCPT from mail-pf1-x432.google.com[2607:f8b0:4864:20::432]: 554 5.7.1 <rob at example.com>: Recipient address rejected: Unknown user; from=<rob at gmail.com> to=<rob at example.com> proto=ESMTP helo=<mail-pf1-x432.google.com>
Oct  8 16:43:21 mx postfix/smtpd[29015]: disconnect from mail-pf1-x432.google.com[2607:f8b0:4864:20::432]

This led me to the conclusion that the alias substitution is not taking
place on my new MX whereas it does on my two working MX - hence my
addition to the smtp processing line at the top of the master.cf file.
Appreciate any insight you can give me.
>
>> It should be noted that the two initial MX machines have an extra
>> line in the maillog that is the second logged step in the process,
>> and goes something like:
>>
>> Oct  8 19:00:58 mx policyd-spf[16055]: prepend Received-SPF: None
>> (mailfrom) identity=mailfrom; client-ip=209.85.210.180;
>> helo=mail-pf1-f180.google.com; envelope-from=rob at example.com;
>> receiver=<UNKNOWN>
>
> This is likely unrelated to the issue but may point to another issue
> having to do with a possibly incorrect policyd setup. We can cross
> that bridge after we've fixed the primary issue though (one issue at a
> time).
>
>> After that processing steps are identical.
>
> It's likely that there may be something else subtle in the logs that
> we can spot that you are not noticing.
>
>
> Peter
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
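The RCPT-time recipient check Peter is describing, as an added example for this thread (it is not code from the original post and not Postfix's own code): a small Python model of the decision Postfix documents for reject_unlisted_recipient, namely that a recipient in a virtual_alias_domains domain is accepted only if the address is a key in virtual_alias_maps, and a recipient in a virtual_mailbox_domains domain only if it is a key in virtual_mailbox_maps or virtual_alias_maps. No alias expansion happens at this point; the address as presented in RCPT TO must itself be a table key. The dict tables, the extra alias domain alias.example.org, the mailbox rob.kampen@example.com and the Decision/LookupFailure names are all constructed for the example and stand in for the proxy:mysql maps shown above.

```python
"""Model of Postfix's RCPT-time validation of virtual recipients.

Added example, not Postfix source. Tables are dicts standing in for the
proxy:mysql maps; a table of None models a map that cannot be queried.
"""
from dataclasses import dataclass
from typing import Optional


class LookupFailure(Exception):
    """Stands in for a proxymap/mysql error: the table cannot be queried."""


@dataclass(frozen=True)
class Decision:
    accepted: bool
    code: int      # SMTP reply code
    text: str      # SMTP reply text, in Postfix's own wording


# Constructed tables. example.com is the virtual mailbox domain from the thread;
# alias.example.org is an assumed extra virtual alias domain for illustration.
VIRTUAL_ALIAS_DOMAINS = {"alias.example.org"}
VIRTUAL_MAILBOX_DOMAINS = {"example.com"}
VIRTUAL_ALIAS_MAPS = {
    "rob@example.com": "rob.kampen@example.com",    # alias inside a mailbox domain
    "@alias.example.org": "catchall@example.com",   # domain-wide wildcard key
}
VIRTUAL_MAILBOX_MAPS = {
    "rob.kampen@example.com": "example.com/rob.kampen/",
}
# Postfix defaults for unknown_virtual_alias_reject_code and
# unknown_virtual_mailbox_reject_code.
UNKNOWN_VIRTUAL_ALIAS_REJECT_CODE = 550
UNKNOWN_VIRTUAL_MAILBOX_REJECT_CODE = 550


def listed(table: Optional[dict], address: str) -> bool:
    """Key lookup the way Postfix does it: full address, then the @domain wildcard."""
    if table is None:
        raise LookupFailure(address)
    if address in table:
        return True
    _, _, domain = address.partition("@")
    return f"@{domain}" in table


def rcpt_check(recipient: str,
               alias_maps: Optional[dict] = VIRTUAL_ALIAS_MAPS,
               mailbox_maps: Optional[dict] = VIRTUAL_MAILBOX_MAPS) -> Decision:
    """Decide RCPT TO:<recipient> before anything is queued (simplified: lowercased)."""
    recipient = recipient.lower()
    _, _, domain = recipient.partition("@")
    try:
        if domain in VIRTUAL_ALIAS_DOMAINS:
            if listed(alias_maps, recipient):
                return Decision(True, 250, "OK")
            return Decision(False, UNKNOWN_VIRTUAL_ALIAS_REJECT_CODE,
                            f"<{recipient}>: Recipient address rejected: "
                            "User unknown in virtual alias table")
        if domain in VIRTUAL_MAILBOX_DOMAINS:
            if listed(mailbox_maps, recipient) or listed(alias_maps, recipient):
                return Decision(True, 250, "OK")
            return Decision(False, UNKNOWN_VIRTUAL_MAILBOX_REJECT_CODE,
                            f"<{recipient}>: Recipient address rejected: "
                            "User unknown in virtual mailbox table")
    except LookupFailure:
        # A broken map must defer (4xx), never reject or silently accept:
        # rejecting would refuse valid mail, accepting would create backscatter
        # when the queued message later proves undeliverable.
        return Decision(False, 451, f"<{recipient}>: Temporary lookup failure")
    # Not one of our domains: this would be relaying, which
    # reject_unauth_destination refuses.
    return Decision(False, 554, f"<{recipient}>: Relay access denied")


def smtp_replies(recipients, **tables) -> list:
    """Reply lines an MX would send for a series of RCPT TO commands."""
    return [f"{d.code} {d.text}" for d in (rcpt_check(r, **tables) for r in recipients)]


if __name__ == "__main__":
    for line in smtp_replies([
        "rob@example.com",            # alias key: accepted, no expansion needed
        "rob.kampen@example.com",     # real mailbox
        "nobody@example.com",         # unlisted: rejected at RCPT, never bounced
        "anyone@alias.example.org",   # matched by the @domain wildcard key
        "someone@other.example.net",  # not our domain
    ]):
        print(line)
    # mysql unreachable: the right answer is a temporary failure
    print(smtp_replies(["rob@example.com"], alias_maps=None, mailbox_maps=None)[0])
```

The property that matters for backscatter is that every answer here is given at RCPT time, before the message is queued (the "NOQUEUE: reject" form in the log above); once a message has been accepted, an undeliverable alias target can only be reported by a bounce to the often forged envelope sender. The reply texts are Postfix's built-in ones for unlisted virtual recipients, sent with the unknown_*_reject_code values (550 by default). A reply of the form "554 5.7.1 <addr>: Recipient address rejected: <text>" is instead how Postfix reports a REJECT returned by an access map or a policy service, with <text> supplied by that map or service, so the wording of a reject shows which lookup missed or that the reject did not come from the unlisted-recipient check at all.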