Postfix can't send from localhost

Postfix can't send from localhost

bithead
I have a newly installed Debian 8 server, created to replace an old postfix server running on Debian Lenny. I've installed and reconfigured as needed the following newer packages on the new server:

postfix 2.1.3-1
dovecot 2.2.13-12~deb8u1
amavisd-new 2.10.1-2~deb8u1
spamassassin 3.4.0-6
clamav 0.99.2+dfsg-0+deb8u2
dkimproxy 1.4.1-3

I am able to send and receive mail between local users using both Thunderbird and Squirrelmail. I can also send to external users using both mail clients.

What I cannot do is send to any user, local or external, from the server itself. This affects not just the console program 'mail', but also daily reports sent via scripts called in cron jobs. Attempts using 'mail' or via the script files trying to send to local accounts result in:

status=deferred (delivery temporarily suspended: host 127.0.0.1[127.0.0.1] refused to talk to me: 421 Internal error (Next hop is down))


Here is main.cf:
==========

mailbox_size_limit = 0
message_size_limit = 30000000

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/lib/postfix

mail_owner = postfix

myhostname = host.domain.com

myorigin = $mydomain

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

virtual_alias_maps = hash:/etc/postfix/virtual

mynetworks = 10.0.0.0/8, 127.0.0.0/8

relay_domains =

virtual_alias_domains =

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

content_filter = smtp-amavis:[127.0.0.1]:10028
smtp-amavis_destination_concurrency_limit = 20

smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_delay_reject = no

header_checks = regexp:/etc/postfix/header_checks.regexp
nested_header_checks =

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
        reject_unlisted_recipient,
        check_client_access    hash:/etc/postfix/GEN000_override,
        check_client_access  regexp:/etc/postfix/fqrdns.regexp,
        check_helo_access      hash:/etc/postfix/access,
        check_helo_access    regexp:/etc/postfix/helo_blacklist.regexp,
        check_sender_access    hash:/etc/postfix/blacklist,
        check_sender_access  regexp:/etc/postfix/sender_blacklist.regexp,
        check_sender_mx_access cidr:/etc/postfix/mx_access.txt,
        check_sender_access    hash:/etc/postfix/bdwl
        check_client_access    hash:/etc/postfix/broken_helos,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        check_sender_access regexp:/etc/postfix/filter_10026_catchall,
        permit_mynetworks,
        reject_non_fqdn_hostname,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        check_recipient_access hash:/etc/postfix/restricted,
        reject_unknown_client,
        reject_unknown_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,

smtpd_data_restrictions =
        reject_unauth_pipelining

debug_peer_level = 2

debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix

newaliases_path = /usr/bin/newaliases.postfix

mailq_path = /usr/bin/mailq.postfix

setgid_group = postdrop

html_directory = no

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/postfix-2.1.5/samples

readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
inet_protocols = ipv4


And here is master.cf:
==============

smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
        -o content_filter=dkimsign:127.0.0.1:10026
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

scache    unix  -       -       n       -       1       scache
discard   unix  -       -       n       -       -       discard
tlsmgr    unix  -       -       n       1000    1       tlsmgr

smtp-amavis unix -      -       n     -       2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n  -       n     -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

retry     unix  -       -       n       -       -       error
proxywrite unix -       -       n       -       1       proxymap

submission  inet  n     -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dkimsign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o smtpd_client_restrictions=permit_mynetworks,reject

dkimsign    unix  -       -       n       -       10       smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

127.0.0.1:10028 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8


I have determined through trial and error that disabling this content filter in master.cf...

pickup    fifo  n       -       n       60      1       pickup
        -o content_filter=dkimsign:127.0.0.1:10026

...enables mail sent via 'mail' or cron jobs to be processed. However the problem does not exist with that line enabled on the original postfix (2.5.5-1.1+lenny1) server. Having inherited the old server, I'm not fully up to speed on what that line does, but the old server works and has been for years, so I don't want to blindly take the line out not knowing what I might break in the process.

Here is some of the output from netstat -tapn, showing that the server is listening on port 10026:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1/init
tcp        0      0 127.0.0.1:10023         0.0.0.0:*               LISTEN      4404/postgrey.pid -
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      4731/amavisd-new (m
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      4699/master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      4385/mysqld
tcp        0      0 127.0.0.1:10026         0.0.0.0:*               LISTEN      4424/perl
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      4699/master
tcp        0      0 127.0.0.1:10027         0.0.0.0:*               LISTEN      4442/perl
tcp        0      0 127.0.0.1:10028         0.0.0.0:*               LISTEN      4699/master
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      1/init
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      3205/rpcbind

And here is the same from the original fully functional server:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:60000         0.0.0.0:*               LISTEN      3649/postgrey.pid -
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      4254/dovecot
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      3504/amavisd (maste
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      4186/master
tcp        0      0 127.0.0.1:10026         0.0.0.0:*               LISTEN      4098/perl
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      3573/mysqld
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      4186/master
tcp        0      0 127.0.0.1:10027         0.0.0.0:*               LISTEN      4106/perl
tcp        0      0 127.0.0.1:10028         0.0.0.0:*               LISTEN      4186/master
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      4146/inetd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      4254/dovecot

With the exception of the port for postgrey, I've made sure all of the 100xx ports match functions on both servers.

At this point I don't know where else to look. Please help if you can!

Re: Postfix can't send from localhost

Scott Kitterman-4
On Monday, January 23, 2017 11:52:09 AM bithead wrote:
...
> postfix 2.1.3-1
...

OP meant 2.11.3-1.

> ... replace an old postfix server running on Debian Lenny ...

Which is ancient.

The Debian dkimproxy package no longer provides some of the helper scripts it
once did.  Instead of trying to fix your DKIM signing to work like it used to,
you are probably better off switching to something like an opendkim milter.

This is entirely a distribution-specific issue, so I'd recommend pursuing this
via Debian support resources rather than here.

Scott K

Re: Postfix can't send from localhost

bithead
Thank you Scott.  Yes, I meant 2.11.3-1 for the postfix version.  Per your suggestion, I've posted this in the Debian forums as well.

Re: Postfix can't send from localhost

bithead
In reply to this post by Scott Kitterman-4
Scott - can you (or anyone else) shed some light on why there would be a DKIM content filter on the pickup process?  Nothing I've read about DKIM so far has ever shown an example of why one might do that.  As previously indicated, I've inherited this server, so am trying to back-learn the previous admin's thinking.

Re: Postfix can't send from localhost

Noel Jones-2
On 1/24/2017 1:03 PM, bithead wrote:
> Scott - can you (or anyone else) shed some light on why there would be a DKIM
> content filter on the pickup process?  Nothing I've read about DKIM so far
> has ever shown an example of why one might do that.  As previously
> indicated, I've inherited this server, so am trying to back-learn the
> previous admin's thinking.


That would be a reasonable place to put a DKIM signing filter to
ensure local mail is signed.



  -- Noel Jones

Re: Postfix can't send from localhost

bithead
Very good, then.  Thanks!

Re: [Solved] Postfix can't send from localhost

bithead
In reply to this post by bithead
It turns out the previous admin neglected to include a section in master.cf to indicate the relay port that was specified in the dkimproxy_in.conf file.  Adding that section cured the problem.  Apparently the old system running on lenny somehow tolerates the omission without causing any problems.

Thanks to those who took the time to read and/or reply!
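
Added example, not part of the thread and not code from Postfix or dkimproxy: a small offline check for the failure resolved above, where a content filter relays to a port that has no inet listener in master.cf. It assumes the filter configs use `relay host:port` lines; the function names are hypothetical and the sample data, including every port number in the two filter configs, is constructed.

```python
import re

# Constructed sample data; the ports in the two filter configs are
# illustrative and are not taken from the thread.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
        -o content_filter=dkimsign:127.0.0.1:10026
127.0.0.1:10025 inet n  -       n     -       -  smtpd
    -o content_filter=
submission  inet  n     -       n       -       -       smtpd
dkimsign    unix  -       -       n       -       10       smtp
127.0.0.1:10028 inet  n  -      n       -       10      smtpd
    -o content_filter=
"""
SAMPLE_FILTER_CONFS = {
    "dkimproxy_out.conf": "listen 127.0.0.1:10027\nrelay 127.0.0.1:10028\n",
    "dkimproxy_in.conf": "# verify\nlisten 127.0.0.1:10026\nrelay 127.0.0.1:10029\n",
}

def master_listeners(master_cf):
    """Return {(host, port)} for inet services; host is '' for a wildcard bind."""
    found = set()
    for line in master_cf.splitlines():
        fields = line.split()
        # Skip blanks, comments and indented continuation lines ("-o ...").
        if len(fields) < 2 or line[0] in " \t#" or fields[1] != "inet":
            continue
        host, _, port = fields[0].rpartition(":")
        found.add((host.strip("[]"), port))
    return found

def relay_targets(conf_text):
    """Yield (host, port) for each 'relay host:port' line in a filter config."""
    pattern = r"^[ \t]*relay[ \t]+\[?([^\s\]:]+)\]?:(\d+)[ \t]*$"
    for m in re.finditer(pattern, conf_text, re.M):
        yield m.group(1), m.group(2)

def missing_listeners(master_cf, filter_confs):
    """List (conf name, 'host:port') relay targets with no master.cf listener."""
    listeners = master_listeners(master_cf)
    missing = []
    for name, text in sorted(filter_confs.items()):
        for host, port in relay_targets(text):
            if (host, port) not in listeners and ("", port) not in listeners:
                missing.append((name, f"{host}:{port}"))
    return missing

if __name__ == "__main__":
    for name, target in missing_listeners(SAMPLE_MASTER_CF, SAMPLE_FILTER_CONFS):
        print(f"{name}: relay {target} has no inet listener in master.cf")
```

A relay target reported here is one where the filter would accept a message and then fail to hand it on, which Postfix logs as a deferral against the filter's address.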