Postfix 3.1 -> Postfix 3.3


Gary Chambers-7
Hello All,

I'm attempting to configure Postfix 3.3 on a freshly-installed Ubuntu 18.04 LTS
system.  The system will do nothing more than relay mail (for status and
summary e-mails) to my main mail server.  The same configuration works using
Postfix 3.1.  What am I missing?  Thank you for your time and assistance.

The contents of postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 3
inet_interfaces = loopback-only
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination = localhost.localdomain, localhost
myhostname = cuddy.example.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.example.com]:submission
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes

The contents of postconf -Mf:

smtp       inet  n       -       y       -       -       smtpd
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
     -o syslog_name=postfix/$service_name
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache

The contents of /etc/aliases:

# See man 5 aliases for format
postmaster:    root
root:          [hidden email]

When executing 'netstat -plunt|mail root', I receive the following response:

-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
BF2B5131B8     3116 Mon Sep 24 11:10:44  me@cuddy
(host smtp.example.com[00.000.00.000] said: 450 4.1.8 <me@cuddy>: Sender
address rejected: Domain not found (in reply to RCPT TO command)) me@cuddy

--
Gary Chambers

Re: Postfix 3.1 -> Postfix 3.3

Wietse Venema
Gary Chambers:
> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
> BF2B5131B8     3116 Mon Sep 24 11:10:44  me@cuddy
> (host smtp.example.com[00.000.00.000] said: 450 4.1.8 <me@cuddy>: Sender
> address rejected: Domain not found (in reply to RCPT TO command)) me@cuddy

cuddy is not a valid domain name. Check your main.cf:append_dot_mydomain
setting, as well as main.cf:smtp_dns_resolver_options.

        Wietse

Re: Postfix 3.1 -> Postfix 3.3

Stephen Satchell
On 09/24/2018 08:57 AM, Wietse Venema wrote:

> Gary Chambers:
>> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
>> BF2B5131B8     3116 Mon Sep 24 11:10:44  me@cuddy
>> (host smtp.example.com[00.000.00.000] said: 450 4.1.8 <me@cuddy>: Sender
>> address rejected: Domain not found (in reply to RCPT TO command)) me@cuddy
>
> cuddy is not a valid domain name. Check your main.cf:append_dot_mydomain
> setting, as well as main.cf:smtp_dns_resolver_options.
>
> Wietse
>

It's been quite a while since I've approached a PostFix config (but I'll
be bringing up a CentOS 7 implementation "Real Soon Now" to replace my
years-old version) so I have this question:  does the PostFix package
have a configuration "lint" utility to catch static mistakes?  (Yes, I
know that this was ultimately a problem with a client, but it sparks the
question.)

Re: Postfix 3.1 -> Postfix 3.3

Viktor Dukhovni
In reply to this post by Wietse Venema


> On Sep 24, 2018, at 11:57 AM, Wietse Venema <[hidden email]> wrote:
>
> Gary Chambers:
>> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
>> BF2B5131B8     3116 Mon Sep 24 11:10:44  me@cuddy
>> (host smtp.example.com[00.000.00.000] said: 450 4.1.8 <me@cuddy>: Sender
>> address rejected: Domain not found (in reply to RCPT TO command)) me@cuddy
>
> cuddy is not a valid domain name. Check your main.cf:append_dot_mydomain
> setting, as well as main.cf:smtp_dns_resolver_options.

Also double check the chroot jail (queue_directory) etc/resolv.conf
file.  The master.cf output shows most services chrooted.

--
        Viktor.


Re: Postfix 3.1 -> Postfix 3.3

Wietse Venema
In reply to this post by Stephen Satchell
Stephen Satchell:

> On 09/24/2018 08:57 AM, Wietse Venema wrote:
> > Gary Chambers:
> >> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
> >> BF2B5131B8     3116 Mon Sep 24 11:10:44  me@cuddy
> >> (host smtp.example.com[00.000.00.000] said: 450 4.1.8 <me@cuddy>: Sender
> >> address rejected: Domain not found (in reply to RCPT TO command)) me@cuddy
> >
> > cuddy is not a valid domain name. Check your main.cf:append_dot_mydomain
> > setting, as well as main.cf:smtp_dns_resolver_options.
>
> It's been quite a while since I've approached a PostFix config (but I'll
> be bringing up a CentOS 7 implementation "Real Soon Now" to replace my
> years-old version) so I have this question:  does the PostFix package
> have a configuration "lint" utility to catch static mistakes?  (Yes, I
> know that this was ultimately a problem with a client, but it sparks the
> question.)

It took only 15+ years for the postconf command to be able to warn
about typos in parameter names.

What you are asking for requires knowledge of how every Postfix
program uses its parameters, and doing all this without duplicating
the semantics of those programs, because duplication means that
things will be out-of-sync all the time.

This could be a good opportunity for deep learning.

        Wietse

Re: Postfix 3.1 -> Postfix 3.3

Gary Chambers-7
In reply to this post by Viktor Dukhovni
Wietse/Viktor,

Thank you for taking the time to assist me.  I feel like I should have a
better understanding of this, but I've been fortunate that, until now, the
drop-in configs for these types of mail systems have just worked.

>> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
>> BF2B5131B8     3116 Mon Sep 24 11:10:44  me@cuddy
>> (host smtp.example.com[00.000.00.000] said: 450 4.1.8 <me@cuddy>: Sender
>> address rejected: Domain not found (in reply to RCPT TO command)) me@cuddy
>
> cuddy is not a valid domain name. Check your main.cf:append_dot_mydomain
> setting, as well as main.cf:smtp_dns_resolver_options.

When I set append_dot_mydomain = yes:

-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
6BB13131B8     3150 Mon Sep 24 13:13:49  [hidden email]
(host smtp.example.com[00.000.00.000] said: 450 4.1.8
<[hidden email]>: Sender address rejected: Domain not found (in
reply to RCPT TO command))
                   [hidden email]

I've also added with no difference:

masquerade_domains = example.com

With respect to smtp_dns_resolver_options, the server is running on a local
LAN with an entirely different DNS domain name.  The results are identical
to the above even with smtp_dns_resolver_options = res_defnames.

> Also double check the chroot jail (queue_directory) etc/resolv.conf file.
> The master.cf output shows most services chrooted.

Interesting; that's the default OS package master.cf, but I'm not running
chrooted.  Would you recommend that I just change them all to be no?

Also, shouldn't the client initiate a connection on the submission port?

Thank you, again.

--
Gary Chambers

Re: Postfix 3.1 -> Postfix 3.3

Wietse Venema
In reply to this post by Gary Chambers-7
All of these services are running with chroot ENABLED. Check
your $queue_directory/etc/resolv.conf file again.

> smtp       inet  n       -       y       -       -       smtpd
> pickup     unix  n       -       y       60      1       pickup
> cleanup    unix  n       -       y       -       0       cleanup
> tlsmgr     unix  -       -       y       1000?   1       tlsmgr
> rewrite    unix  -       -       y       -       -       trivial-rewrite
> bounce     unix  -       -       y       -       0       bounce
> defer      unix  -       -       y       -       0       bounce
> trace      unix  -       -       y       -       0       bounce
> verify     unix  -       -       y       -       1       verify
> flush      unix  n       -       y       1000?   0       flush
> smtp       unix  -       -       y       -       -       smtp
> relay      unix  -       -       y       -       -       smtp
> showq      unix  n       -       y       -       -       showq
> error      unix  -       -       y       -       -       error
> retry      unix  -       -       y       -       -       error
> discard    unix  -       -       y       -       -       discard
> lmtp       unix  -       -       y       -       -       lmtp
> anvil      unix  -       -       y       -       1       anvil
> scache     unix  -       -       y       -       1       scache

        Wietse
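
An added example, not part of the original posts or of Postfix itself: a Python sketch of the check suggested above, listing which services in `postconf -Mf` output have the chroot column set to `y` and comparing the jail's `etc/resolv.conf` with the system copy. The sample text is a constructed excerpt of the listing in this thread, and the function names are hypothetical.

```python
import filecmp
import os

# Column order of a master.cf entry.
FIELDS = ("service", "type", "private", "unpriv",
          "chroot", "wakeup", "maxproc", "command")

# Constructed excerpt of the `postconf -Mf` output shown in this thread.
SAMPLE_MASTER = """\
smtp       inet  n       -       y       -       -       smtpd
qmgr       unix  n       -       n       300     1       qmgr
proxymap   unix  -       -       n       -       -       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
     -o syslog_name=postfix/$service_name
local      unix  -       n       n       -       -       local
"""


def parse_master(text):
    """Parse master.cf-style text into a list of dicts keyed by FIELDS."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace():
            # Leading whitespace continues the previous entry (e.g. "-o ...").
            if entries:
                entries[-1]["command"] += " " + raw.strip()
            continue
        parts = raw.split(None, 7)
        if len(parts) == 8:
            entries.append(dict(zip(FIELDS, parts)))
    return entries


def chrooted_services(entries):
    """Return "service/type" for every entry whose chroot column is 'y'."""
    return [f'{e["service"]}/{e["type"]}' for e in entries if e["chroot"] == "y"]


def resolv_conf_status(queue_directory, system_path="/etc/resolv.conf"):
    """Compare the chroot jail's etc/resolv.conf with the system file."""
    jail_path = os.path.join(queue_directory, "etc", "resolv.conf")
    if not os.path.isfile(jail_path):
        return "missing"
    if not os.path.isfile(system_path):
        return "no-system-file"
    same = filecmp.cmp(system_path, jail_path, shallow=False)
    return "same" if same else "differs"


if __name__ == "__main__":
    print("chrooted:", chrooted_services(parse_master(SAMPLE_MASTER)))
    # Assumption: the Debian/Ubuntu queue directory; use `postconf -h queue_directory`.
    print("resolv.conf:", resolv_conf_status("/var/spool/postfix"))
```
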

Re: Postfix 3.1 -> Postfix 3.3

Gary Chambers-7
Wietse,

> All of these services are running with chroot ENABLED. Check
> your $queue_directory/etc/resolv.conf file again.
>
>> smtp       inet  n       -       y       -       -       smtpd
>> pickup     unix  n       -       y       60      1       pickup
>> cleanup    unix  n       -       y       -       0       cleanup
>> tlsmgr     unix  -       -       y       1000?   1       tlsmgr
>> rewrite    unix  -       -       y       -       -       trivial-rewrite
>> bounce     unix  -       -       y       -       0       bounce
>> defer      unix  -       -       y       -       0       bounce
>> trace      unix  -       -       y       -       0       bounce
>> verify     unix  -       -       y       -       1       verify
>> flush      unix  n       -       y       1000?   0       flush
>> smtp       unix  -       -       y       -       -       smtp
>> relay      unix  -       -       y       -       -       smtp
>> showq      unix  n       -       y       -       -       showq
>> error      unix  -       -       y       -       -       error
>> retry      unix  -       -       y       -       -       error
>> discard    unix  -       -       y       -       -       discard
>> lmtp       unix  -       -       y       -       -       lmtp
>> anvil      unix  -       -       y       -       1       anvil
>> scache     unix  -       -       y       -       1       scache

$queue_directory/etc/resolv.conf is the same as /etc/resolv.conf.  I've also
disabled chroot with the same result.  Two points that puzzle me are why the
system does not attempt a SASL connection to the submission port and why
this configuration works in versions 3.1 and 2.9 of Postfix.

-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
77E39131AF     2895 Thu Sep 27 11:42:12  [hidden email]
(host smtp.example.com[00.000.00.000] said: 450 4.1.8 <[hidden email]>:
Sender address rejected: Domain not found (in reply to RCPT TO command))
                                          [hidden email]

Here's an updated postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
inet_interfaces = loopback-only
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination =
myhostname = cuddy
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.example.com]:submission
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/Gary_Chambers_Root_CA.pem
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes

Here's an updated postconf -Mf:

smtp       inet  n       -       n       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
     -o syslog_name=postfix/$service_name
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache

Thank you, again, for your time and assistance.

--
Gary Chambers

Re: Postfix 3.1 -> Postfix 3.3

Wietse Venema
Gary Chambers:
> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
> 77E39131AF     2895 Thu Sep 27 11:42:12  [hidden email]
> (host smtp.example.com[00.000.00.000] said: 450 4.1.8 <[hidden email]>:
> Sender address rejected: Domain not found (in reply to RCPT TO command))
>                                           [hidden email]

This is working as intended. cuddy.localdomain is NOT a valid domain
name. Use proper domain names, or add  00.000.00.000 to mynetworks.
Postfix recipient checks should have 'permit_mynetworks' to
exclude such clients.

        Wietse

Re: Postfix 3.1 -> Postfix 3.3

Gary Chambers-7
Wietse,

> Gary Chambers:
>> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
>> 77E39131AF     2895 Thu Sep 27 11:42:12  [hidden email]
>> (host smtp.example.com[00.000.00.000] said: 450 4.1.8 <[hidden email]>:
>> Sender address rejected: Domain not found (in reply to RCPT TO command))
>>                                           [hidden email]

> This is working as intended.

Why is it inconsistent with the way it works in Postfix versions 3.1 and
2.9?  The v2.9 postconf -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = 192.168.1.4, 127.0.0.1
mailbox_size_limit = 0
mydestination = localhost.localdomain, localhost
myhostname = bail
mynetworks = 192.168.1.0/24 127.0.0.0/8
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.example.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes

I'm migrating from an Ubuntu 12.04 LTS server to an Ubuntu 18.04 LTS server
on the same network (dynamic home network, relaying to my Postfix server out
on the internet).

> cuddy.localdomain is NOT a valid domain name.

Agreed.  It doesn't matter, however, on the existing server (being replaced)
or on another Postfix 3.1 server with an identical configuration.

> Use proper domain names, or add  00.000.00.000 to mynetworks.  Postfix
> recipient checks should have 'permit_mynetworks' to exclude such clients.

Got it.  I'm just trying to understand why it's not working for me in 3.3.
Thank you, as always, for your time, superlative software, and willingness
to assist.

--
G.

Re: Postfix 3.1 -> Postfix 3.3

Viktor Dukhovni
In reply to this post by Gary Chambers-7


> On Sep 27, 2018, at 11:58 AM, Gary Chambers <[hidden email]> wrote:
>
>
> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
> 77E39131AF     2895 Thu Sep 27 11:42:12  [hidden email]
> (host smtp.example.com[00.000.00.000] said: 450 4.1.8 <[hidden email]>:
> Sender address rejected: Domain not found (in reply to RCPT TO command))
>                                         [hidden email]

Note that the *sender* domain is "cuddy.localdomain".  Note also that
the reject message is "*Sender* address rejected".  Does "cuddy.localdomain"
resolve via DNS on your system?

--
        Viktor.


Re: Postfix 3.1 -> Postfix 3.3

Viktor Dukhovni


> On Sep 27, 2018, at 12:54 PM, Viktor Dukhovni <[hidden email]> wrote:
>
>>
>> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
>> 77E39131AF     2895 Thu Sep 27 11:42:12  [hidden email]
>> (host smtp.example.com[00.000.00.000] said: 450 4.1.8 <[hidden email]>:
>> Sender address rejected: Domain not found (in reply to RCPT TO command))
>>                                        [hidden email]
>
> Note that the *sender* domain is "cuddy.localdomain".  Note also that
> the reject message is "*Sender* address rejected".  Does "cuddy.localdomain"
> resolve via DNS on your system?

Actually, it is the *remote* system "smtp.example.com" that did not accept this
mail, because the *sender* address is invalid.  Not much you can do about that
on the sending end.  Either use a valid sender address, or convince the remote
system to accept the mail.

--
        Viktor.


Re: Postfix 3.1 -> Postfix 3.3

Gary Chambers-7
Viktor,

>> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
>> 77E39131AF     2895 Thu Sep 27 11:42:12  [hidden email]
>> (host smtp.example.com[00.000.00.000] said: 450 4.1.8 <[hidden email]>:
>> Sender address rejected: Domain not found (in reply to RCPT TO command))
>>                                         [hidden email]
>
> Note that the *sender* domain is "cuddy.localdomain".  Note also that
> the reject message is "*Sender* address rejected".  Does "cuddy.localdomain"
> resolve via DNS on your system?

I did note the sender domain, and cuddy.localdomain does not resolve via DNS
on my system.  My question is why the identical configuration works in
Postfix 3.1 and 2.9.

> Actually, it is the *remote* system "smtp.example.com" that did not accept
> this mail, because the *sender* address is invalid.  Not much you can do
> about that on the sending end.  Either use a valid sender address, or
> convince the remote system to accept the mail.

I control smtp.example.com, so I'm able to make it accept whatever I'm
sending to it.  I also don't mind making the changes, but I'd like to
understand why I'm making them because of the apparent different behavior in
the previous Postfix versions.

--
Gary Chambers

Re: Postfix 3.1 -> Postfix 3.3

Viktor Dukhovni


> On Sep 27, 2018, at 1:24 PM, Gary Chambers <[hidden email]> wrote:
>
> Viktor,
>
>>> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
>>> 77E39131AF     2895 Thu Sep 27 11:42:12  [hidden email]
>>> (host smtp.example.com[00.000.00.000] said: 450 4.1.8 <[hidden email]>:
>>> Sender address rejected: Domain not found (in reply to RCPT TO command))
>>>                                        [hidden email]
>>
>> Note that the *sender* domain is "cuddy.localdomain".  Note also that
>> the reject message is "*Sender* address rejected".  Does "cuddy.localdomain"
>> resolve via DNS on your system?
>
> I did note the sender domain, and cuddy.localdomain does not resolve via DNS
> on my system.  My question is why the identical configuration works in
> Postfix 3.1 and 2.9.
>
>> Actually, it is the *remote* system "smtp.example.com" that did not accept
>> this mail, because the *sender* address is invalid.  Not much you can do
>> about that on the sending end.  Either use a valid sender address, or
>> convince the remote system to accept the mail.
>
> I control smtp.example.com, so I'm able to make it accept whatever I'm
> sending to it.  I also don't mind making the changes, but I'd like to
> understand why I'm making them because of the apparent different behavior in
> the previous Postfix versions.

The difference between Postfix versions you speak of is mostly an illusion.
You have a message in your queue with a sender address that the remote
system is unwilling to accept.  That's all.  If the sender address was not
supposed to be "cuddy.localdomain", you need to have suitable settings for
some combination of:

        myorigin
        append_dot_mydomain
        smtp_generic_maps

to ensure that outbound mail carries a valid domain.  Note that Debian
and Ubuntu systems set "myorigin" outside of Postfix:

   myorigin = /etc/mailname

Most likely the new system has a different /etc/mailname than the old.
The only pertinent change in Postfix is that the default value of
append_dot_mydomain changed to "no" as of Postfix 3.0.

--
        Viktor.
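
The address rewriting described above, as an added example that is not from the original post or from Postfix: a simplified Python model of how `myorigin`, `/etc/mailname` and `append_dot_mydomain` combine into the envelope sender domain for locally submitted mail. The `/etc/mailname` contents, the `resolves` predicate and the function names are assumptions; `smtp_generic_maps` is not modelled.

```python
# Constructed excerpt of the updated `postconf -n` output in this thread.
SAMPLE_POSTCONF = """\
append_dot_mydomain = no
mydestination =
myhostname = cuddy
myorigin = /etc/mailname
relayhost = [smtp.example.com]:submission
"""


def parse_postconf(text):
    """Turn `postconf -n` style "name = value" lines into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def sender_domain(params, mailname):
    """Model the domain appended to an unqualified local sender."""
    myhostname = params.get("myhostname", "")
    # mydomain defaults to myhostname minus its first label,
    # or "localdomain" when myhostname has no dot.
    _, dot, rest = myhostname.partition(".")
    mydomain = params.get("mydomain") or (rest if dot else "localdomain")
    myorigin = params.get("myorigin", "$myhostname")
    if myorigin.startswith("/"):
        # Debian/Ubuntu: the value comes from the named file (/etc/mailname).
        origin = mailname.strip()
    else:
        origin = (myorigin.replace("$myhostname", myhostname)
                          .replace("$mydomain", mydomain))
    # A single-label domain gets ".$mydomain" only when this is "yes";
    # the thread notes the default became "no" as of Postfix 3.0.
    if "." not in origin and params.get("append_dot_mydomain", "no") == "yes":
        origin = f"{origin}.{mydomain}"
    return origin


def audit_sender(user, params, mailname, resolves):
    """Return (envelope sender, problems) for a local user.

    `resolves` is a caller-supplied predicate standing in for the DNS
    lookup the receiving server performs on the sender domain.
    """
    domain = sender_domain(params, mailname)
    problems = []
    if "." not in domain:
        problems.append("single-label domain")
    elif not resolves(domain):
        problems.append("domain does not resolve")
    return f"{user}@{domain}", problems


if __name__ == "__main__":
    cfg = parse_postconf(SAMPLE_POSTCONF)
    known = {"cuddy.example.com"}  # constructed stand-in for DNS
    for mailname in ("cuddy\n", "cuddy.example.com\n"):
        print(audit_sender("me", cfg, mailname, known.__contains__))
```
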