My first config - unable to telnet to port 25, virtual.db missing


My first config - unable to telnet to port 25, virtual.db missing

Paul Cocker
I have a CentOS 5.2 machine running postfix 2.3.3 installed via yum and am
setting up for the first time, having been a sendmail user previously.
 
I have been configuring it based around 'Postfix email firewall/gateway'
setup in the postfix documentation as this machine will be acting as the
primary mail server for outgoing mail and the second MX entry for
incoming.
 
The server has hosts.deny set to ALL:ALL but smtp in hosts.allow is also
set to ALL.
 
Running a postconf -n results in the following output:
 
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination =
mynetworks = 100.243.0.0/22, 100.132.127.128/25
myorigin = domain1.co.uk
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

I do /usr/sbin/postfix check, which results in no errors, followed by
/usr/sbin/postfix start. I can see master running in my process list.
 
However, attempts to connect to port 25 on this machine from within the
100.243.0.0/22 network time out with 'Connect failed' messages.
 
My maillog is filled with the following:
 
Oct  6 14:57:20 merlin postfix/postfix-script: starting the Postfix mail
system
Oct  6 14:57:20 merlin postfix/master[13470]: daemon started -- version
2.3.3, configuration /etc/postfix
Oct  6 14:57:20 merlin postfix/qmgr[13472]: CDF481F80062:
from=<[hidden email]>, size=971, nrcpt=1 (queue active)
...
Oct  6 14:57:21 merlin postfix/trivial-rewrite[13474]: fatal: open
database /etc/postfix/virtual.db: No such file or directory
Oct  6 14:57:21 merlin postfix/cleanup[13473]: fatal: open database
/etc/postfix/virtual.db: No such file or directory
Oct  6 14:57:22 merlin postfix/master[13470]: warning: process
/usr/libexec/postfix/cleanup pid 13473 exit status 1
Oct  6 14:57:22 merlin postfix/master[13470]: warning:
/usr/libexec/postfix/cleanup: bad command startup -- throttling
Oct  6 14:57:22 merlin postfix/master[13470]: warning: process
/usr/libexec/postfix/trivial-rewrite pid 13474 exit status 1
Oct  6 14:57:22 merlin postfix/master[13470]: warning:
/usr/libexec/postfix/trivial-rewrite: bad command startup -- throttling
...
 
Do I need to manually create virtual.db (and should I run a
set-permissions from postconf if I do?), or is that incidental to the
other errors? Are these errors the reason it won't accept connections on
port 25, or is there an error in the config above?
 
Paul Cocker




TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT Post North Ltd (05701709), TNT Post South West Ltd (05983401), TNT Post Midlands Limited (6458167)and TNT Post London Limited (6493826). Emma's Diary and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd (02556692). All companies are registered in England and Wales; registered address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, SL7 1HY.


Re: My first config - unable to telnet to port 25, virtual.db missing

Barney Desmond

Create the file with:

postmap /etc/postfix/virtual

then attempt to start postfix again. The use of a Makefile in
/etc/postfix is also advised, it'll help keep you sane.
http://www.anchor.com.au/hosting/dedicated/postfix_makefile

Re: My first config - unable to telnet to port 25, virtual.db missing

Brian Evans - Postfix List
In reply to this post by Paul Cocker
Paul Cocker wrote:

> I have a CentOS 5.2 machine running postfix 2.3.3 installed via yum and am
> setting up for the first time, having been a sendmail user previously.
>  
> I have been configuring it based around 'Postfix email firewall/gateway'
> setup in the postfix documentation as this machine will be acting as the
> primary mail server for outgoing mail and the second MX entry for
> incoming.
>  
> The server has hosts.deny set to ALL:ALL but smtp in hosts.allow is also
> set to ALL.
>  
> Running a postconf -n results in the following output:
>  
[...]
> relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk
>  

No relay_recipient_maps?  You seem to be heading to be a
(Back|Out)scatter source.
Highly suggest you have a static map or db map (LDAP,SQL) of real users.


>
> Oct  6 14:57:21 merlin postfix/trivial-rewrite[13474]: fatal: open
> database /etc/postfix/virtual.db: No such file or directory
>  

You forgot to run 'postmap hash:/etc/postfix/virtual'.  This must be
done for all hash, cdb, btree, (s)dbm files that you define as maps.
>  
> Do I need to manually create virtual.db (and should I run a
> set-permissions from postconf if I do?), or is that incidental to the
> other errors? Are these errors the reason it won't accept connections on
> port 25, or is there an error in the config above?
>  

Does master.cf have an uncommented line for the smtpd service?
What happens if you remove (comment) the line from hosts.deny?

Brian
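Both of Brian's points, the hash: map that was never compiled and the relay_domains without a relay_recipient_maps, can be read straight off postconf -n output. The script below is an added example, not code from this thread or from the Postfix project: it parses the postconf -n listing from the original post (trimmed to the relevant parameters and embedded as a constructed sample), reports any hash/btree/cdb/dbm map whose compiled file is absent, and flags relay_domains being set while relay_recipient_maps is empty. The exists argument is only a hook for running it against sample data; on a real host it defaults to os.path.exists.

```python
import os
import re

# Constructed sample: the postconf -n output from the original post, trimmed to the
# parameters this check looks at.
SAMPLE_POSTCONF = """\
alias_maps = hash:/etc/aliases
inet_interfaces = all
local_recipient_maps =
mydestination =
mynetworks = 100.243.0.0/22, 100.132.127.128/25
relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk
virtual_alias_maps = hash:/etc/postfix/virtual
"""

# Map types whose text source must be compiled before Postfix can open them.
COMPILED_SUFFIX = {"hash": ".db", "btree": ".db", "dbm": ".db", "sdbm": ".db", "cdb": ".cdb"}


def parse_postconf(text):
    """Parse the 'name = value' lines printed by postconf -n into an ordered dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def compiled_path(spec):
    """hash:/etc/postfix/virtual -> /etc/postfix/virtual.db; None for ldap:, pcre:, plain words."""
    mtype, sep, path = spec.partition(":")
    if sep and mtype in COMPILED_SUFFIX:
        return path + COMPILED_SUFFIX[mtype]
    return None


def audit(params, exists=os.path.exists):
    """Return findings for the two problems raised in the thread."""
    findings = []
    # 1. A hash/btree/... map whose compiled file is absent: the 'fatal: open database'
    #    error. alias_* parameters are built with postalias, everything else with postmap.
    for name, value in params.items():
        tool = "postalias" if name.startswith("alias_") else "postmap"
        for spec in split_list(value):
            db = compiled_path(spec)
            if db and not exists(db):
                findings.append(f"{name}: {db} is missing; run '{tool} {spec}'")
    # 2. relay_domains without relay_recipient_maps: every recipient in those domains is
    #    accepted here and bounced by the next hop, which is backscatter.
    if split_list(params.get("relay_domains", "")) and not params.get("relay_recipient_maps"):
        findings.append("relay_domains is set but relay_recipient_maps is empty: "
                        "unknown recipients are accepted and bounced downstream")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_postconf(SAMPLE_POSTCONF)):
        print(finding)
```

On a live system, feed it `postconf -n` output (for example via subprocess) and leave exists at its default; the check is deliberately limited to the two conditions this thread is about and does not try to validate the rest of main.cf.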

Re: My first config - unable to telnet to port 25, virtual.db missing

mouss-2
In reply to this post by Paul Cocker
Paul Cocker a écrit :

> I have a CentOS 5.2 machine running postfix 2.3.3 installed via yum and am
> setting up for the first time, having been a sendmail user previously.
>  
> I have been configuring it based around 'Postfix email firewall/gateway'
> setup in the postfix documentation as this machine will be acting as the
> primary mail server for outgoing mail and the second MX entry for
> incoming.
>  
> The server has hosts.deny set to ALL:ALL but smtp in hosts.allow is also
> set to ALL.
>  

hosts.* are irrelevant. postfix doesn't use tcpwrappers.


> [snip]
> relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk
>  

As Brian said, list the relay users in relay_recipient_maps. Otherwise
use reject_unverified_recipient (with a check_recipient_access).

> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/virtual
>
> I do /usr/sbin/postfix check, which results in no errors, followed by
> /usr/sbin/postfix start. I can see master running in my process list.
>  
> However, attempts to connect to port 25 on this machine from within the
> 100.243.0.0/22 network timeout with 'Connect failed' messages.
>  
> My maillog is filled with the following:
>  
> Oct  6 14:57:20 merlin postfix/postfix-script: starting the Postfix mail
> system
> Oct  6 14:57:20 merlin postfix/master[13470]: daemon started -- version
> 2.3.3, configuration /etc/postfix
> Oct  6 14:57:20 merlin postfix/qmgr[13472]: CDF481F80062:
> from=<[hidden email]>, size=971, nrcpt=1 (queue active)
> ...
> Oct  6 14:57:21 merlin postfix/trivial-rewrite[13474]: fatal: open
> database /etc/postfix/virtual.db: No such file or directory
>  

you forgot to "compile" the virtual map:
# postmap hash:/etc/postfix/virtual

Please read:
    http://www.postfix.org/DATABASE_README.html


> Oct  6 14:57:21 merlin postfix/cleanup[13473]: fatal: open database
> /etc/postfix/virtual.db: No such file or directory
> Oct  6 14:57:22 merlin postfix/master[13470]: warning: process
> /usr/libexec/postfix/cleanup pid 13473 exit status 1
> Oct  6 14:57:22 merlin postfix/master[13470]: warning:
> /usr/libexec/postfix/cleanup: bad command startup -- throttling
> Oct  6 14:57:22 merlin postfix/master[13470]: warning: process
> /usr/libexec/postfix/trivial-rewrite pid 13474 exit status 1
> Oct  6 14:57:22 merlin postfix/master[13470]: warning:
> /usr/libexec/postfix/trivial-rewrite: bad command startup -- throttling
> ...
>  
> Do I need to manually create virtual.db (and should I run a
> set-permissions from postconf if I do?), or is that incidental to the
> other errors? Are these errors the reason it won't accept connections on
> port 25, or is there an error in the config above?
>  
> Paul Cocker


RE: {Spam?} Re: My first config - unable to telnet to port 25, virtual.db missing

Paul Cocker
Thanks for the clarifications. I've compiled virtual and progress is being made.

As we receive around 100 000 mails a day, I assume that doesn't fall into the category of "low volume", so I don't think reject_unverified_recipient would be suitable, nor is maintaining a list of valid e-mail addresses in postfix manually.

So at this point I'll see to setting up a method for querying AD, and I see the HOWTO section has a couple of articles which cover this. My only concern would be the risks in opening up communications to AD from the DMZ.


Paul Cocker



Re: {Spam?} Re: My first config - unable to telnet to port 25, virtual.db missing

Henrik K
On Tue, Oct 07, 2008 at 10:24:38AM +0100, Paul Cocker wrote:
>
> So at this point I'll see to setting up a method for querying AD, and I see the
> HOWTO section has a couple of articles which cover this. My only concern
> would be the risks in opening up communications to AD from the DMZ.

Simply create the list in your internal network, maybe AD server itself, I'm
sure you can google the necessary tools. And then scp it to postfix.


Re: My first config - unable to telnet to port 25, virtual.db missing

mouss-2
In reply to this post by Paul Cocker
Paul Cocker wrote:
> Thanks for the clarifications. I've compiled virtual and progress is being made.
>
> As we receive around 100 000 mails a day, I assume that doesn't fall into the category of "low volume", so I don't think reject_unverified_recipient would be suitable, nor is maintaining a list of valid e-mail addresses in postfix manually.
>
> So at this point I'll see to setting up a method for querying AD, and I see the HOWTO section has a couple of articles which cover this. My only concern would be the risks in opening up communications to AD from the DMZ.
>

Please don't top post. put your replies after the text you reply to.
google if this is not clear.

you can have a periodic task to dump the users list. the list of valid
users doesn't change often. if you are concerned about newly created
users, you could work around this (tempfail at first try. similar to
greylisting) but you'll need a log parser or a policy service to
"update" the config. probably not worth the pain.

alternatively, you can consider ldap replication.

RE: My first config - unable to telnet to port 25, virtual.db missing

Paul Cocker
In reply to this post by Brian Evans - Postfix List
This server is only the secondary mail server for incoming mail, so it
won't be bouncing anything just passing it onto the primary server which
does perform valid recipient checks. I don't see any point doing it here
too as it just means more hits against the AD servers for no greater
effect, unless I needed to lessen the load on the primary MX server
which I don't.

That this wasn't evident might suggest I've configured it incorrectly to
act as a secondary MX server.


Paul Cocker

Systems Infrastructure Support

Network Administrator and Security Specialist




Re: My first config - unable to telnet to port 25, virtual.db missing

Natxo Asenjo
On Tue, Oct 7, 2008 at 4:06 PM, Paul Cocker <[hidden email]> wrote:
> This server is only the secondary mail server for incoming mail, so it
> won't be bouncing anything just passing it onto the primary server which
> does perform valid recipient checks. I don't see any point doing it here
> too as it just means more hits against the AD servers for no greater
> effect, unless I needed to lessen the load on the primary MX server
> which I don't.

please do get a relay_recipients map. That way you block all mail at
the gate which should not be there. Otherwise you are becoming a
source of backscatter.

We have a similar setup here. I have written a simple batch file
which dumps all the e-mail addresses of AD to a file. I copy this file
to the postfix gateway, a bit of perl and it is done. It is quite
simple actually.

the batch file uses adfind.exe
(http://www.joeware.net/freetools/tools/adfind/index.htm) and pscp
(from putty); you need to create a key to be able to copy the files to
the unix host (but this is not the place to ask). I use a unix user at
the postfix box with login name: exchangeuxdf

-===============batch.bat==================
@echo off

d:

cd d:\scripts\ldap

adfind -sc exchaddresses:smtp > d:\scripts\ldap\virtual.txt

pscp -i "d:\scripts\ldap\exchangeuser.ppk" "D:\Scripts\ldap\virtual.txt" exchangeuser@unixserver:/home/exchangeuser

=============================================

adfind dumps all smtp addresses to the file virtual.txt and then that
file gets copied to the postfix server.

The format of the virtual.txt is this:

dn:CN=cn,OU=ou,OU=ou,DC=dc,DC=dc
>proxyAddresses: SMTP:[hidden email]
>proxyAddresses: smtp:[hidden email]
>proxyAddresses: smtp:[hidden email]

Postfix expects this format:
[hidden email]     OK
                             ^^^^^ -> this is a tab

so using your favourite scripting language you can quite easily parse
it and adapt it to the format postfix wants. I have this script, it
works for me:

======================
#!/usr/bin/perl

use warnings;
use strict;
use File::Copy;

my $valid_recpts      = "/home/exchange/virtual.txt";         # original file from exchange
my $relay_recps       = "/home/exchange/relay_recipients";    # final file that will be postmapped
my $postfix_relayrcpts = "/etc/postfix/relay_recipients.db";  # final relay_recipients map
my $relay_recpsdb     = "/home/exchange/relay_recipients.db"; # map as built by postmap, before it is moved into place

# fix those pesky differences between dos and unix line endings
system("/usr/bin/dos2unix", $valid_recpts) == 0 or die "dos2unix failed: $?\n";

open(VALID, "< $valid_recpts") or die "$!\n";
open(RELAY, "> $relay_recps") or die "$!\n";

while (<VALID>) {
    # keep only the smtp: proxy addresses in our domain, one "address<TAB>OK" per line
    next unless $_ =~ /^.*(smtp:)(.*\.nl)$/i;
    print RELAY "$2\tOK\n";
}

close(VALID);
close(RELAY);

# otherwise exchange cannot overwrite it; chown needs numeric ids, not barewords
my ($uid, $gid) = (getpwnam("exchangeuser"))[2, 3];
chown $uid, $gid, $valid_recpts or die "chown: $!\n";

system("/usr/sbin/postmap", $relay_recps) == 0 or die "postmap failed: $?\n";

move($relay_recpsdb, $postfix_relayrcpts) or die "move: $!\n";

============================================

in main.cf the relevant part for relay_recipients is:
relay_recipient_maps = hash:/etc/postfix/relay_recipients

We run those scripts every 6 hours. This setup has been working for
over a year now and e-mail has stopped being an issue for us.

HTH.
--
Groeten,
J.Asenjo
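Natxo's pipeline above has three steps: dump proxyAddresses with adfind, strip the Windows line endings, and rewrite the smtp: entries as "address<TAB>OK" for postmap. The Python version below is an added example, not the poster's script and not anything shipped with Postfix. It runs on a constructed sample of adfind output embedded inline (the names, domains and addresses are made up), handles the CRLF endings itself so no dos2unix step is needed, accepts both the primary SMTP: and secondary smtp: forms, skips X400 and other non-SMTP proxy addresses, lowercases and de-duplicates, and keeps only addresses in the domains you relay for, which is the general form of the ".nl" filter in the Perl regex.

```python
import re

# Constructed sample of adfind -sc exchaddresses:smtp output, with the CRLF line
# endings a file written on Windows carries (the reason the original script ran dos2unix).
SAMPLE_ADFIND = (
    "dn:CN=Jane Doe,OU=Users,DC=example,DC=nl\r\n"
    ">proxyAddresses: SMTP:Jane.Doe@example.nl\r\n"
    ">proxyAddresses: smtp:jdoe@example.nl\r\n"
    ">proxyAddresses: X400:c=NL;a= ;p=Example;o=Exchange;s=Doe;g=Jane;\r\n"
    "\r\n"
    "dn:CN=Shared Mailbox,OU=Users,DC=example,DC=nl\r\n"
    ">proxyAddresses: SMTP:info@example.nl\r\n"
    ">proxyAddresses: smtp:info@partner.example.com\r\n"
    ">proxyAddresses: smtp:JDOE@example.nl\r\n"
    "\r\n"
    "2 Objects returned\r\n"
)

# The domains this gateway relays for (constructed; mirrors relay_domains in main.cf).
RELAY_DOMAINS = {"example.nl"}

# Deliberately narrower than RFC 5321: the map only needs the addresses the directory
# publishes, and anything that does not look like a plain mailbox is dropped.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")


def extract_addresses(text, relay_domains=RELAY_DOMAINS):
    """Return the sorted, de-duplicated SMTP addresses in relay_domains found in adfind output."""
    found = set()
    for raw in text.splitlines():  # splitlines() understands \r\n as well as \n
        line = raw.strip()
        if not line.startswith(">proxyAddresses:"):
            continue
        value = line[len(">proxyAddresses:"):].strip()
        kind, sep, address = value.partition(":")
        # Exchange marks the primary address SMTP: and secondaries smtp:; both are deliverable.
        if not sep or kind.lower() != "smtp":
            continue
        address = address.lower()
        if not ADDRESS_RE.match(address):
            continue
        if address.rpartition("@")[2] in relay_domains:
            found.add(address)
    return sorted(found)


def relay_recipients_map(addresses):
    """Render addresses in the 'address<TAB>OK' text form that postmap(1) compiles."""
    return "".join(f"{address}\tOK\n" for address in addresses)


if __name__ == "__main__":
    print(relay_recipients_map(extract_addresses(SAMPLE_ADFIND)), end="")
```

Write the rendered text to /etc/postfix/relay_recipients, run postmap hash:/etc/postfix/relay_recipients, and point relay_recipient_maps at it exactly as the post's main.cf line does; the domain filter matters because an address in a domain outside relay_domains would otherwise sit in the map without ever being consulted.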

Re: My first config - unable to telnet to port 25, virtual.db missing

mouss-2
In reply to this post by Paul Cocker
Paul Cocker wrote:
> This server is only the secondary mail server for incoming mail, so it
> won't be bouncing anything just passing it onto the primary server which
> does perform valid recipient checks.

and the primary will bounce! This is backscatter.
Recipient validation must be performed at the "edge", when the client is
not one of your servers. This way, mail to invalid recipients is
rejected and it is that client's responsibility to handle the error. if
you don't, then one of your servers will send a bounce. and since spam
uses forged senders, the bounce will go to an innocent that never sent
you mail. People are sick of bounce storms, and you may get
blocklisted. If this happens, I wish good luck getting out of the many
private BLs.

> I don't see any point doing it here
> too as it just means more hits against the AD servers for no greater
> effect, unless I needed to lessen the load on the primary MX server
> which I don't.
>

then don't use a secondary MX. Many spammers target secondary MXes,
because they are generally less protected against spam (Whether yours is
or not doesn't matter).

> That this wasn't evident might suggest I've configured it incorrectly to
> act as a secondary MX server.
>

It doesn't matter if it is a secondary or if it is a "gateway". Invalid
recipients must be rejected, not bounced. Once mail is accepted by one
of your servers, it is too late.

RE: [SPAM?] Re: My first config - unable to telnet to port 25, virtual.db missing

Paul Cocker
The primary passes to an internal mail server, but performs recipient
validation before doing so. This is why I don't believe it's worth doing
on the secondary because it means genuine recipients will be checked
with the internal server twice (should they be received by the
secondary, not primary MX).

Apologies if my terminology is off here. I always think of MX servers as
gateways, though I realise in some companies the gateway server and the
internal mail server will be one and the same.

From reading further into your response, perhaps I am misunderstanding MX
records. So far as I know, if the secondary MX server receives the
e-mail, it shouldn't pass it inside but rather should pass it to the
primary MX server, which should be the single point of contact with the
internal mail server. Is this incorrect?

Paul Cocker




RE: [SPAM?] Re: My first config - unable to telnet to port 25, virtual.db missing

MacShane, Tracy
 

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Paul Cocker
> Sent: Wednesday, 8 October 2008 6:00 PM
> To: [hidden email]
> Subject: RE: [SPAM?] Re: My first config - unable to telnet
> to port 25, virtual.db missing
>
> The primary passes to an internal mail server, but performs
> recipient validation before doing so. This is why I don't
> believe it's worth doing on the secondary because it means
> genuine recipients will be checked with the internal server
> twice (should they be received by the secondary, not primary MX).
>
> Apologies if my terminology is off here. I always think of MX
> servers as gateways, though I realise in some companies the
> gateway server and the internal mail server will be one and the same.
>
> From reading further into your response, perhaps I am
> misunderstanding MX records. So far as I know, if the
> secondary MX server receives the e-mail, it shouldn't pass it
> inside but rather should pass it to the primary MX server,
> which should be the single point of contact with the internal
> mail server. Is this incorrect?
>
> Paul Cocker
>
>

As has been mentioned a number of times, please don't top post.

MX records do not work in the way you think. Any MX server - unless
configured to do otherwise - will relay mail directly to the recipients.
The MX priorities are so that you can direct the bulk of mail (which
should look at the lowest-numbered MX, although spammers don't care
about such niceties) to your most specced-up server or best Internet
link, or whatever, while your secondary MX might have a lesser hardware
configuration or be sitting on a smaller pipe. But they still can accept
mail (and will).

We have a primary and secondary Postfix MX on our DMZ, with the primary
sitting next to our fattest Internet pipe. Both servers will deliver
mail to the Exchange servers on the internal network; both servers do AD
lookups using a perl script to build valid relay_recipient and transport
tables every hour. We have no problem permitting a service account a
one-way lookup through the firewall to the LDAP port for the domain
controllers.

Plenty of people use MXes at the same priority level as a load-balancing
mechanism. It doesn't matter - even the primary/secondary model should
validate all mail coming through as rigorously on each server. The whole
point of the redundancy and using MX records is that if one server dies,
you don't need to do *anything* for mail services to keep running.

Re: My first config - unable to telnet to port 25, virtual.db missing

mouss-2
In reply to this post by Paul Cocker
Paul Cocker wrote:
> The primary passes to an internal mail server, but performs recipient
> validation before doing so. This is why I don't believe it's worth doing
> on the secondary because it means genuine recipients will be checked
> with the internal server twice (should they be received by the
> secondary, not primary MX).

Let's go the concrete example way.

$ host -t mx jonview.com
jonview.com mail is handled by 10 mx.ca.mci.com.
jonview.com mail is handled by 5 mail.jonview.com.

so the domain has a primary and a secondary (and the primary probably
passes mail to an internal server as suggested by the "user unknown in
RELAY recipient..." below).

now here's a bounce from yesterday's junkscatter storm:

This is the mail system at host mx03.ca.mci.com.

...
<[hidden email]>: host mail.jonview.com[209.47.92.183] said:
550 <[hidden email]>: Recipient address rejected:
User unknown in relay recipient table (in reply to RCPT TO command)
...


so the primary does recipient validation and the secondary sent me the
junk (the original subject was "5% off for 305.mattias1". I guess you're
now familiar with such subjects).

ALL servers that get connections from strangers MUST do recipient
validation DURING THE SMTP TRANSACTION. you get your share of junk, I
get mine, and I get enough of it, so I don't need to see yours.

PS. when you post, fix the subject line by removing the silly "spam" tag
added by your (broken?) filter.

Also please do not top post. put your replies after the text you reply
to. google if this is not clear.

>
> Apologies if my terminology is off here. I always think of MX servers as
> gateways, though I realise in some companies the gateway server and the
> internal mail server will be one and the same.
>
> From reading further into your response, perhaps I am misunderstanding MX
> records. So far as I know, if the secondary MX server receives the
> e-mail, it shouldn't pass it inside but rather should pass it to the
> primary MX server, which should be the single point of contact with the
> internal mail server. Is this incorrect?
>

That's ok. but you can easily understand that ratware doesn't care about
the standards. Some ratware intentionally skips the first MX. See
Jorey's nolisting page:
        http://nolisting.org/

RE: [SPAM?] Re: My first config - unable to telnet to port 25, virtual.db missing

Paul Cocker
In reply to this post by MacShane, Tracy
> > -----Original Message-----
> > From: [hidden email]
> > [mailto:[hidden email]] On Behalf Of Paul Cocker
> > Sent: Wednesday, 8 October 2008 6:00 PM
> > To: [hidden email]
> > Subject: RE: [SPAM?] Re: My first config - unable to telnet to port
> > 25, virtual.db missing
> >
> > The primary passes to an internal mail server, but performs recipient
> > validation before doing so. This is why I don't believe it's worth
> > doing on the secondary because it means genuine recipients will be
> > checked with the internal server twice (should they be received by the
> > secondary, not primary MX).
> >
> > Apologies if my terminology is off here. I always think of MX servers
> > as gateways, though I realise in some companies the gateway server and
> > the internal mail server will be one and the same.
> >
> > From reading further into your response, perhaps I am misunderstanding
> > MX records. So far as I know, if the secondary MX server receives the
> > e-mail, it shouldn't pass it inside but rather should pass it to the
> > primary MX server, which should be the single point of contact with
> > the internal mail server. Is this incorrect?
> >
> > Paul Cocker
> >
> >
>
> As has been mentioned a number of times, please don't top post.
>

Apologies for that, but the prefix scheme isn't as professional and
Outlook 2003 doesn't provide a good method for switching between the
two. Still, I'll stop being so lazy ;)

> MX records do not work in the way you think. Any MX server -
> unless configured to do otherwise - will relay mail directly
> to the recipients.
> The MX priorities are so that you can direct the bulk of mail
> (which should look at the lowest-numbered MX, although
> spammers don't care about such niceties) to your most
> specced-up server or best Internet link, or whatever, while
> your secondary MX might have a lesser hardware configuration
> or be sitting on a smaller pipe. But they still can accept
> mail (and will).
>
> We have a primary and secondary Postfix MX on our DMZ, with
> the primary sitting next to our fattest Internet pipe. Both
> servers will deliver mail to the Exchange servers on the
> internal network; both servers do AD lookups using a perl
> script to build valid relay_recipient and transport tables
> every hour. We have no problem permitting a service account a
> one-way lookup through the firewall to the LDAP port for the
> domain controllers.
>
> Plenty of people use Mxes at the same priority level as a
> load-balancing mechanism. It doesn't matter - even the
> primary/secondary model should validate all mail coming
> through as rigorously on each server. The whole point of the
> redundancy and using MX records is that if one server dies,
> you don't need to do *anything* for mail services to keep running.
>

Thank you for the clear explanation, it's a great help and certainly
corrects some misconceptions I had. I suspect we'll end up using the
backup only as a method for picking up mail the primary is too busy to
take (especially as some mail servers seem to give up on the first
try!), otherwise we'll have to maintain two spam filters on two separate
systems (one postfix w/ addon such as SpamAssassin and one Barracuda).
It opens the option to allow internal delivery on the secondary
temporarily should the primary fail.

I have set up recipient validation, thanks to these discussions, as even
if we don't end up needing it, it's an interesting learning exercise. I
have run into a hurdle, however, which is that the validation check fails
because Active Directory is set up to use LDAP signing (or
LDAP_STRONG_AUTH_REQUIRED as the error states) and I haven't had any
luck thus far in finding how to modify the script to accommodate this.



TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT Post North Ltd (05701709), TNT Post South West Ltd (05983401), TNT Post Midlands Limited (6458167)and TNT Post London Limited (6493826). Emma's Diary and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd (02556692). All companies are registered in England and Wales; registered address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, SL7 1HY.

RE: My first config - unable to telnet to port 25, virtual.db missing

Paul Cocker
In reply to this post by mouss-2
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of mouss
> Sent: 08 October 2008 09:04
> To: [hidden email]
> Subject: Re: My first config - unable to telnet to port 25,
> virtual.db missing
>
> Paul Cocker wrote:
> > The primary passes to an internal mail server, but performs recipient
> > validation before doing so. This is why I don't believe it's worth
> > doing on the secondary because it means genuine recipients will be
> > checked with the internal server twice (should they be received by the
> > secondary, not primary MX).
>
> Let's go the concrete example way.
>
> $ host -t mx jonview.com
> jonview.com mail is handled by 10 mx.ca.mci.com.
> jonview.com mail is handled by 5 mail.jonview.com.
>
> so the domain has a primary and a secondary (and the primary
> probably passes mail to an internal server as suggested by
> the "user unknown in RELAY recipient..." below).
>
> Now here's a bounce from yesterday's junkscatter storm:
>
> This is the mail system at host mx03.ca.mci.com.
>
> ...
> <[hidden email]>: host mail.jonview.com[209.47.92.183] said:
> 550 <[hidden email]>: Recipient address rejected:
> User unknown in relay recipient table (in reply to RCPT TO
> command) ...
>
>
> so the primary does recipient validation and the secondary
> sent me the junk (the original subject was "5% off for
> 305.mattias1". I guess you're now familiar with such subjects).
>
> ALL servers that get connections from strangers MUST do
> recipient validation DURING THE SMTP TRANSACTION. you get
> your share of junk, I get mine, and I get enough of it, so I
> don't need to see yours.

Referring to the uppercase, I assume this is based around both machines
passing directly to the internal server. If, as we do, the secondary
forwards the mail onto the primary (which skips the secondary's headers
and examines those that came before) then such validation is not a
requirement to "good behaviour", correct?

I want to get the secondary set up for validation so that, should we have
a major fault, it can pass directly inside, but I haven't been able to
get it to work with AD LDAP signing yet.

>
> PS. when you post, fix the subject line by removing the silly
> "spam" tag added by your (broken?) filter.
>
> Also please do not top post. put your replies after the text
> you reply to. google if this is not clear.
>
> >
> > Apologies if my terminology is off here. I always think of MX servers
> > as gateways, though I realise in some companies the gateway server and
> > the internal mail server will be one and the same.
> >
> > From reading further into your response, perhaps I am misunderstanding
> > MX records. So far as I know, if the secondary MX server receives the
> > e-mail, it shouldn't pass it inside but rather should pass it to the
> > primary MX server, which should be the single point of contact with
> > the internal mail server. Is this incorrect?
> >
>
> That's ok. but you can easily understand that ratware doesn't
> care about the standards. Some ratware intentionally skips
> the first MX. See Jorey's nolisting page:
> http://nolisting.org/
>
>




Re: My first config - unable to telnet to port 25, virtual.db missing

mouss-2
Paul Cocker wrote:
> Referring to the uppercase, I assume this is based around both machines
> passing directly to the internal server. If, as we do, the secondary
> forwards the mail onto the primary (which skips the secondary's headers
> and examines those that came before) then such validation is not a
> requirement to "good behaviour", correct?

you're still not getting it. you must implement recipient validation on
all servers that get connections from untrusted sources. period. it
doesn't matter if you call the server "secondary", "primary" or
"Virginia". the server must either have a copy of the list of valid
recipients or use reject_unverified_recipient.

when your secondary accepts a transaction, it queues the message and
will later pass it to the primary. this doesn't happen during the smtp
transaction. This is the famous "store and forward" mechanism. so if the
primary rejects a recipient, your secondary would generate a bounce. and
this is the thing we don't want. we want your secondary to reject (not
bounce).

        http://spamlinks.net/prevent-secure-backscatter.htm

RE: [SPAM?] Re: My first config - unable to telnet to port 25, virtual.db missing

Paul Cocker
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of mouss
> Sent: 08 October 2008 14:03
> Cc: [hidden email]
> Subject: [SPAM?] Re: My first config - unable to telnet to
> port 25, virtual.db missing
> Importance: Low
>
> Paul Cocker wrote:
> > Referring to the uppercase, I assume this is based around both
> > machines passing directly to the internal server. If, as we do, the
> > secondary forwards the mail onto the primary (which skips the
> > secondary's headers and examines those that came before) then such
> > validation is not a requirement to "good behaviour", correct?
>
> you're still not getting it. you must implement recipient
> validation on all servers that get connections from untrusted
> sources. period. it doesn't matter if you call the server
> "secondary", "primary" or "Virginia". the server must either
> have a copy of the list of valid recipients or use
> reject_unverified_recipient.
>
> when your secondary accepts a transaction, it queues the
> message and will later pass it to the primary. this doesn't
> happen during the smtp transaction. This is the famous "store
> and forward" mechanism. so if the primary rejects a
> recipient, your secondary would generate a bounce. and this
> is the thing we don't want. we want your secondary to reject
> (not bounce).
>
> http://spamlinks.net/prevent-secure-backscatter.htm
>
>

But aren't recipient maps purely checking the destination address to see
if it's valid? If so, why does it matter when you check the validity, so
long as you do before it reaches its final destination for that domain
and is bounced?

Reading the link you provided (very helpful, thanks), is the reason you
need to reject during the session:

"but should instead reject the mail during the SMTP session, and leave
the remote sending server to handle the bounce"




RE: [SPAM?] Re: My first config - unable to telnet to port 25, virtual.db missing

d.hill
On Wed, 8 Oct 2008, Paul Cocker wrote:

> But aren't recipient maps purely checking the destination address to see
> if it's valid? If so, why does it matter when you check the validity, so
> long as you do before it reaches its final destination for that domain
> and is bounced?

Let's just assume your secondary server accepted a connection. It is your
secondary server's responsibility to deal with that connection. It can
either reject the connection, telling the sending server to go away, or
accept the message for delivery (in your case, accept a message for
delivery even if the account doesn't exist). If your secondary server
accepts the message, the connection to the sending server has already been
closed. The ONLY thing it can do at this time is bounce.

We have two gateway servers that filter messages coming in. Those two
servers pass messages along to three internal servers. The two filter
servers at the gateway reject (not bounce) unknown accounts BEFORE the
message is passed on to its next destination via:

   reject_unknown_recipients
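The point mouss and d.hill are making (reject during the SMTP transaction, never accept and bounce later), as an added runnable example that is not code from this thread or from Postfix: a toy SMTP server stands in for a secondary MX, once with a recipient list and once accepting everything, and an smtplib probe records what each answers to RCPT TO. The recipient list, host names and addresses are constructed for the example; the 550 text mirrors the Postfix reply quoted earlier in the thread. The same `probe_rcpt` can be pointed at a real MX on port 25 with an address you know does not exist.

```python
"""Toy SMTP exchange: a secondary MX that rejects unknown recipients during
the transaction versus one that accepts everything and can only bounce later.
Added example; not code from the thread or from Postfix."""
import smtplib
import socketserver
import threading

# Constructed stand-in for a relay_recipient_maps table (addresses are made up).
VALID_RECIPIENTS = {"alice@domain1.co.uk", "bob@domain1.co.uk"}


class ToySecondaryMX(socketserver.StreamRequestHandler):
    """Minimal SMTP server: just enough protocol for EHLO/MAIL/RCPT/RSET/QUIT."""

    validate = True  # False models a secondary with no recipient validation

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 mx2.example.test ESMTP toy")
        while True:
            line = self.rfile.readline()
            if not line:
                return  # client went away
            cmd = line.decode("ascii", errors="replace").rstrip("\r\n")
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 mx2.example.test")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                # "RCPT TO:<user@domain>" -> user@domain
                addr = cmd.split(":", 1)[1].strip().strip("<>").lower()
                if self.validate and addr not in VALID_RECIPIENTS:
                    # Reject while the sender is still on the line: no bounce needed.
                    self.reply(f"550 5.1.1 <{addr}>: Recipient address rejected: "
                               "User unknown in relay recipient table")
                else:
                    # A 250 here commits this server to deliver or bounce the message.
                    self.reply("250 2.1.5 Ok")
            elif verb in ("RSET", "NOOP"):
                self.reply("250 2.0.0 Ok")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Error: command not recognized")


def start_toy_server(validate):
    """Start the toy MX on an ephemeral localhost port; return (server, port)."""
    handler = type("Handler", (ToySecondaryMX,), {"validate": validate})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_rcpt(host, port, recipient, sender="probe@example.test"):
    """Open a real SMTP session and return the numeric reply to RCPT TO.

    Works against any MX: 550 means the server validates recipients during
    the transaction; 250 for an address that does not exist means it will
    accept the message and can only bounce it afterwards (backscatter)."""
    with smtplib.SMTP(host, port, local_hostname="probe.example.test", timeout=10) as smtp:
        smtp.ehlo()
        smtp.mail(sender)
        code, _message = smtp.rcpt(recipient)
        smtp.rset()  # abandon the transaction; no message is ever sent
        return code


def run_demo():
    """Probe both flavours of secondary with a known and a junk recipient."""
    results = {}
    for validate in (True, False):
        server, port = start_toy_server(validate)
        try:
            results[validate] = {
                "known": probe_rcpt("127.0.0.1", port, "alice@domain1.co.uk"),
                "junk": probe_rcpt("127.0.0.1", port, "305.mattias1@domain1.co.uk"),
            }
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for validate, codes in run_demo().items():
        label = "validating" if validate else "accept-all"
        print(f"{label:10s} known={codes['known']} junk={codes['junk']}")
```

The validating server answers the junk address with 550 and the sending system is told so while it is still connected; the accept-all server answers 250, the session ends, and whatever the primary says later can only turn into a bounce to the envelope sender, which on a junk run is forged.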

Re: [SPAM?] Re: My first config - unable to telnet to port 25, virtual.db missing

Natxo Asenjo
In reply to this post by Paul Cocker
On Wed, Oct 8, 2008 at 3:29 PM, Paul Cocker <[hidden email]> wrote:

> But aren't recipient maps purely checking the destination address to see
> if it's valid? If so, why does it matter when you check the validity, so
> long as you do before it reaches its final destination for that domain
> and is bounced?

if you reject it at the gateway, there will not be backscatter. If you
reject it later, there will be.

That is the difference.

--
Groeten,
Natxo Asenjo
RE: [SPAM?] Re: My first config - unable to telnet to port 25, virtual.db missing

d.hill
In reply to this post by d.hill


On Wed, 8 Oct 2008, Duane Hill wrote:

> On Wed, 8 Oct 2008, Paul Cocker wrote:
>
>> But aren't recipient maps purely checking the destination address to see
>> if it's valid? If so, why does it matter when you check the validity, so
>> long as you do before it reaches its final destination for that domain
>> and is bounced?
>
> Let's just assume your secondary server accepted a connection. It is your
> secondary server's responsibility to deal with that connection. It can either
> reject the connection, telling the sending server to go away, or accept the
> message for delivery (in your case, accept a message for delivery even if the
> account doesn't exist). If your secondary server accepts the message, the
> connection to the sending server has already been closed. The ONLY thing it
> can do at this time is bounce.
>
> We have two gateway servers that filter messages coming in. Those two servers
> pass messages along to three internal servers. The two filter servers at the
> gateway reject (not bounce) unknown accounts BEFORE the message is passed on
> to its next destination via:
>
>  reject_unknown_recipients

This should be:

   reject_unverified_recipient