Not sure if i have a DNS or Postfix issue ?


Not sure if i have a DNS or Postfix issue ?

Fazzina, Angelo

Hi, not sure if I am looking in the wrong place:

If you want my postconf I can get it.

 

User sends email to [hidden email] with a client.  [One of the recipients is [hidden email] and [hidden email].]

MX for listserv.uconn.edu is the spam boxes.

Email goes to the spam boxes, and the spam boxes relay the email to listserv.uconn.edu.

Listserv.uconn.edu relays the email to smtp.uconn.edu.

When smtp.uconn.edu resolves to MTA4 and not MTA1-3 we have an issue.

 

I get these errors:

Sep 19 09:40:26 mta4 postfix/smtpd[22724]: 529981802840: reject: RCPT from MSB-P-Listserv.grove.ad.uconn.edu[137.99.30.25]: 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<MSB-P-Listserv>

Sep 19 09:40:25 mta4 postfix/smtpd[22724]: NOQUEUE: reject: RCPT from MSB-P-Listserv.grove.ad.uconn.edu[137.99.30.25]: 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<MSB-P-Listserv>

Is MTA4 having a problem because the load balancer is set to Ratio with 1%, so that when the mail servers for MSN.com and Albanylaw.edu do DNS lookups for smtp.uconn.edu, MTA4 rarely shows as a valid IP, and that is why Postfix gets the "relay" error?

MTA4 is new, so I wanted to test it and only give it 1%, with the other 3 getting 99%.

 

Sample of a working delivery on MTA2:

Sep 19 10:56:45 mta2 postfix/smtp[6866]: 93BA31323: to=<[hidden email]>, relay=msn-com.olc.protection.outlook.COM[104.47.12.33]:25, delay=1.1, delays=0.15/0.03/0.31/0.58, dsn=2.6.0, status=sent (250 2.6.0 <CAB9NHXhPPdAxM+0OOJ5JutOk25oso45-69ELgn1kg+[hidden email]> [InternalId=25031069508292, Hostname=DB3EUR04HT137.eop-eur04.prod.protection.outlook.com] 14339 bytes in 0.181, 77.092 KB/sec Queued mail for delivery)

 

RAW data:

[root@mta4 log]# dig any smtp.uconn.edu

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> any smtp.uconn.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59980
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;smtp.uconn.edu.                        IN      ANY

;; ANSWER SECTION:
smtp.uconn.edu.         300     IN      A       137.99.25.235
smtp.uconn.edu.         300     IN      A       137.99.25.233
smtp.uconn.edu.         300     IN      A       137.99.25.234

;; Query time: 1 msec
;; SERVER: 137.99.25.14#53(137.99.25.14)
;; WHEN: Thu Sep 20 11:28:47 EDT 2018
;; MSG SIZE  rcvd: 91

[root@mta4 log]# dig any mta4.uits.uconn.edu

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> any mta4.uits.uconn.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22377
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mta4.uits.uconn.edu.           IN      ANY

;; ANSWER SECTION:
mta4.uits.uconn.edu.    14400   IN      A       137.99.25.243

;; Query time: 1 msec
;; SERVER: 137.99.25.14#53(137.99.25.14)
;; WHEN: Thu Sep 20 11:29:10 EDT 2018
;; MSG SIZE  rcvd: 64


I also did a telnet test on mta4 to msn.com and albanylaw.edu and got 250, so I know the addresses are OK:

Escape character is '^]'.
220 CO1NAM04FT020.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 20 Sep 2018 15:16:28 +0000
ehlo uconn.edu
250-CO1NAM04FT020.mail.protection.outlook.com Hello [137.99.25.235]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
mail from:[hidden email]
250 2.1.0 Sender OK
rcpt to:[hidden email]
250 2.1.5 Recipient OK
quit
221 2.0.0 Service closing transmission channel

 

Thank you.

-ANGELO FAZZINA

 

ITS Service Manager:

Spam and Virus Prevention

Mass Mailing

G Suite/Gmail

 

[hidden email]

University of Connecticut,  ITS, SSG, Server Systems

860-486-9075

 


Re: Not sure if i have a DNS or Postfix issue ?

Viktor Dukhovni


> On Sep 20, 2018, at 11:37 AM, Fazzina, Angelo <[hidden email]> wrote:
>
> User sends email to [hidden email].
> [two of recipients are [hidden email] and [hidden email]]
>  
> Listserv.uconn.edu relays the email to smtp.uconn.edu
> When smtp.uconn.edu resolves to MTA4 and not MTA1-3 we have an issue.
>  
> I get these errors
> Sep 19 09:40:26 mta4 postfix/smtpd[22724]: 529981802840: reject: RCPT from MSB-P-Listserv.grove.ad.uconn.edu[137.99.30.25]:
> 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<MSB-P-Listserv>
>  
> Sep 19 09:40:25 mta4 postfix/smtpd[22724]: NOQUEUE: reject: RCPT from MSB-P-Listserv.grove.ad.uconn.edu[137.99.30.25]:
> 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<MSB-P-Listserv>

The Postfix configuration of mta4 is not suited to its use:

  * You're using it as an *outbound* relay to deliver email to list members.
  * It is configured with access control rules that make sense on an *inbound*
    relay, allowing only email to internal domains.

This relay needs to permit all mail to external recipients from authorized
clients (perhaps all) on your network.  How it determines whether a client
is authorized to relay outbound email is generally a site-specific issue.

Clients can be allowed via CIDR table by IP address, or could be required
to authenticate with TLS client certs or SASL.  Or with the server only
accepting mail on an internal network where all clients are trusted, it
could allow all clients, with the network topology doing the access control.

--
        Viktor.


RE: Not sure if i have a DNS or Postfix issue ?

Fazzina, Angelo
Thanks for the clarification. I was afraid I would get the RTFM response to a question I had,
which may be related.
MTA4 = RHEL 7.5 and PF 2.10.1
MTA1-3 = RHEL 6.9 and PF 2.6.6

I did read a lot about the differences
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Migration_Planning_Guide/Red_Hat_Enterprise_Linux-7-Migration_Planning_Guide-en-US.pdf
and noticed mention of this at a page 37

A new smtpd_relay_restrictions parameter has been added. By default this enables permit_mynetworks, permit_sasl_authenticated, and
defer_unauth_destination.
This prevents open relay problems due to mistakes with spam filter rules in smtpd_recipient_restrictions.
However, if your site has a complex mail relay policy configured under smtpd_recipient_restrictions, some mail may be incorrectly
deferred. To correct this, either remove the smtpd_relay_restrictions configuration and use the existing policy in smtpd_recipient_restrictions,
or copy the existing policy from smtpd_recipient_restrictions to smtpd_relay_restrictions


MTA1-3 have this
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
and no smtpd_relay_restrictions in the file main.cf

MTA4 has
smtpd_recipient_restrictions = reject_unauth_destination
smtpd_relay_restrictions = check_recipient_access hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

So I think I found the error.
My question is how to understand that paragraph so I know what to set
smtpd_recipient_restrictions
and
smtpd_relay_restrictions
to, so that mail flows the same way?

Do I simply change
smtpd_recipient_restrictions = reject_unauth_destination
to
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

I say this because all servers have
mynetworks = /etc/postfix/files/mynetwork
[root@mta2 files]# more mynetwork
#  These are networks whose hosts are authorized to relay mail.
#  Localhost
127.0.0.0/8
#  UConn networks
137.99.0.0/16     # UConn Public

Thanks again.


-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075



Re: Not sure if i have a DNS or Postfix issue ?

Noel Jones-2
On 9/20/2018 12:29 PM, Fazzina, Angelo wrote:

> Thanks for the clarification. I was afraid I would get the RTFM response to a question I had,
> which may be related.
> MTA4 = RHEL 7.5 and PF 2.10.1
> MTA1-3 = RHEL 6.9 and PF 2.6.6
>
> I did read a lot about the differences
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Migration_Planning_Guide/Red_Hat_Enterprise_Linux-7-Migration_Planning_Guide-en-US.pdf
> and noticed mention of this at a page 37
>
> A new smtpd_relay_restrictions parameter has been added. By default this enables permit_mynetworks, permit_sasl_authenticated, and
> defer_unauth_destination.
> This prevents open relay problems due to mistakes with spam filter rules in smtpd_recipient_restrictions.
> However, if your site has a complex mail relay policy configured under smtpd_recipient_restrictions, some mail may be incorrectly
> deferred. To correct this, either remove the smtpd_relay_restrictions configuration and use the existing policy in smtpd_recipient_restrictions,
> or copy the existing policy from smtpd_recipient_restrictions to smtpd_relay_restrictions
>
>
> MTA1-3 have this
> smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
> and no smtpd_relay_restrictions in the file main.cf
>
> MTA4 has
> smtpd_recipient_restrictions = reject_unauth_destination
> smtpd_relay_restrictions = check_recipient_access hash:/etc/postfix/maps/block_to, permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination


Assuming your block_to map is a list of recipients to always REJECT,
a better recipe for MTA4 would be:

smtpd_recipient_restrictions = check_recipient_access
    hash:/etc/postfix/maps/block_to
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination


The idea is that smtpd_recipient_restrictions is for general anti-UCE and
other local controls, while smtpd_relay_restrictions defines which
clients are allowed relay access.



  -- Noel Jones


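As an added illustration (not code from the thread, nor Postfix's own), here is a small Python model of how Postfix 2.10+ evaluates smtpd_relay_restrictions and then smtpd_recipient_restrictions at RCPT TO, run against the MTA4 configuration Angelo posted and the split Noel recommends. The local domain set, the contents of the block_to map and the outside client address are assumed values; the client and network addresses come from the thread.

```python
import ipaddress
# Constructed stand-ins for the posted mynetworks file, local domains and block_to map
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "137.99.0.0/16")]
LOCAL_DOMAINS = {"uconn.edu"}          # assumed mydestination/relay_domains
BLOCK_TO = {"blocked@uconn.edu"}        # assumed contents of hash:block_to (REJECT)

# MTA4 as posted: relay list carries the site policy, recipient list rejects relays
MTA4_CURRENT = {
    "relay": ["check_recipient_access", "permit_mynetworks",
              "permit_sasl_authenticated", "defer_unauth_destination"],
    "recipient": ["reject_unauth_destination"],
}
# Noel's recommended split: local controls vs. who may relay
MTA4_FIXED = {
    "recipient": ["check_recipient_access"],
    "relay": ["permit_mynetworks", "permit_sasl_authenticated",
              "reject_unauth_destination"],
}

def eval_list(restrictions, client_ip, rcpt, sasl):
    """Walk one restriction list; return PERMIT, REJECT, DEFER or DUNNO (no decision)."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for r in restrictions:
        if r == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "PERMIT"
        if r == "permit_sasl_authenticated" and sasl:
            return "PERMIT"
        if r.endswith("_unauth_destination") and domain not in LOCAL_DOMAINS:
            return "REJECT" if r.startswith("reject") else "DEFER"
        if r == "check_recipient_access" and rcpt.lower() in BLOCK_TO:
            return "REJECT"
    return "DUNNO"

def rcpt_decision(cfg, client_ip, rcpt, sasl=False):
    """smtpd_relay_restrictions run first; PERMIT only ends its own list, so the
    recipient list is still evaluated and any REJECT/DEFER in either list wins."""
    for stage in ("relay", "recipient"):
        verdict = eval_list(cfg.get(stage, []), client_ip, rcpt, sasl)
        if verdict in ("REJECT", "DEFER"):
            return f"{verdict} ({stage} restrictions)"
    return "ACCEPT"

if __name__ == "__main__":
    listserv, outsider = "137.99.30.25", "203.0.113.5"   # outsider IP is constructed
    for name, cfg in (("current", MTA4_CURRENT), ("fixed", MTA4_FIXED)):
        print(name, "listserv -> external:", rcpt_decision(cfg, listserv, "member@example.net"))
        print(name, "outsider -> external:", rcpt_decision(cfg, outsider, "victim@example.net"))
```

With the posted config the listserv client passes the relay list via permit_mynetworks but is then rejected by reject_unauth_destination in the recipient list, which is the "Relay access denied" seen in the log; with Noel's split it is accepted while an outside client relaying to an external domain is still refused.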