Quota status to Postfix in distributed environment


si5
Hi

My setup contains Postfix 2.10.1, Dovecot 2.2.10 on RHEL 7.3. The feature I tried to implement is "quota status to postfix". 

The configuration for this feature needs to be done in both Dovecot and Postfix. Although more of the configuration is on the Dovecot side, the error is coming from the Postfix side configuration.

I have implemented quota status to Postfix in our setup. I have an IMAP server (Dovecot) and a mail server (Postfix) on every node. I am able to send quota status to Postfix, and mails are rejected after 100% mail quota is crossed. This rejection is happening both across the nodes and within the nodes.

The problem is if I am sending mails to any node and if any other node's dovecot is down, mails are not going. For example, I am sending an email within the system but if some other node's dovecot is down then email within the system also will not go.

My dovecot version is 2.2.10.
My postfix version is 2.1.10.

*doveconf -n output is below:-*

# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-514.el7.x86_64 x86_64 Red Hat Enterprise Linux Server release 7.3 (Maipo) xfs
auth_debug = yes
base_dir = /var/run/dovecot/
first_valid_gid = 5000
first_valid_uid = 5000
hostname = CmdHQ
login_greeting = ^^^^^^^^^^Dovecot ready^^^^^^^^^^
mail_debug = yes
mail_gid = 6000
mail_location = Maildir:/var/mail/vmail/tcs.mil.in/%n
mail_plugins = " quota"
mail_uid = 6000
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
plugin {
  quota = maildir:User quota
  quota_rule = *:storage=8KB
  quota_rule2 = *:messages=12B
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is over quota / mailbox is full
  quota_status_success = DUNNO
  quota_warning = storage=80%% quota-warning 80 %u
}
postmaster_address = [hidden email]
service auth {
  unix_listener auth-userdb {
    mode = 0600
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service quota-status {
  client_limit = 1
  executable = quota-status -p postfix
  inet_listener {
    port = 54317
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    group = postfix
    mode = 0666
    user = postfix
  }
  user = postfix
}
ssl = required
ssl_ca = </etc/dovecot/certs/cacert.pem
ssl_cert = </etc/dovecot/certs/[hidden email]
ssl_key = </etc/dovecot/certs/[hidden email]
userdb {
  args = /etc/dovecot/dovecot-ldap.conf
  driver = ldap
}
verbose_ssl = yes
protocol lmtp {
  info_log_path = /var/log/dovecot-lmtp.log
  mail_plugins = " quota"
}
protocol lda {
  info_log_path = /var/log/dovecot-lda.log
  log_path = /var/log/dovecot-lda-errors.log
  mail_plugins = " quota"
}
protocol imap {
  mail_plugins = " quota"
}

Here "service quota status" is the concerned section in conf file.
________________________________________________________________________________________________________

*Postfix configuration is below:- *

smtpd_relay_restrictions =
          check_policy_service inet:201.123.80.9:54317
          check_policy_service inet:201.123.80.23:54317


virtual_transport=lmtp:unix:private/dovecot-lmtp


Here, I am querying both nodes. 201.123.80.9 is the other node.
201.123.80.23 is the node within which the email is sent.
___________________________________________________________________________________________________________

*logs while sending mail is below:-*

Feb 22 12:43:24 1CorpHQ postfix/proxymap[7327]: In dict_changed_name
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: initializing the server-side
TLS engine
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: In dict_changed_name
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: match_list_match: 1CorpHQ: no
match
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: match_list_match: 201.123.80.23:
no match
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: match_list_match: 1CorpHQ: no
match
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: match_list_match: 201.123.80.23:
no match
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 220
1CorpHQserver.tcs.mil.in ESMTP Postfix
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text EHLO 1CorpHQ
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: match_list_match: 1CorpHQ: no
match
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: match_list_match: 201.123.80.23:
no match
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text
250-1CorpHQserver.tcs.mil.in
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-PIPELINING
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-SIZE 10240000
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-VRFY
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-ETRN
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-STARTTLS
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-ENHANCEDSTATUSCODES
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-8BITMIME
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250 DSN
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text STARTTLS
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 220 2.0.0 Ready to start
TLS
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: setting up TLS connection from
1CorpHQ[201.123.80.23]
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: 1CorpHQ[201.123.80.23]: TLS
cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: SSL_accept:before/accept
initialization
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: SSL_accept:SSLv3 read client
hello A
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: SSL_accept:SSLv3 write server
hello A
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: SSL_accept:SSLv3 write
certificate A
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: SSL_accept:SSLv3 write key
exchange A
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: SSL_accept:SSLv3 write server
done A
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: SSL_accept:SSLv3 flush data
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: SSL_accept:SSLv3 read client
key exchange A
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: SSL_accept:SSLv3 read finished
A
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: SSL_accept:SSLv3 write change
cipher spec A
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: SSL_accept:SSLv3 write
finished A
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: SSL_accept:SSLv3 flush data
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: Anonymous TLS connection
established from 1corphq[201.123.80.23]: TLSv1 with cipher
ECDHE-RSA-AES256-SHA (256/256 bits)
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text EHLO 1CorpHQ
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: match_list_match: 1CorpHQ: no
match
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: match_list_match: 201.123.80.23:
no match
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text
250-1CorpHQserver.tcs.mil.in
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-PIPELINING
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-SIZE 10240000
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-VRFY
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-ETRN
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-ENHANCEDSTATUSCODES
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250-8BITMIME
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250 DSN
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text MAIL FROM:<
[hidden email]>
Feb 22 12:43:24 1CorpHQ postfix/trivial-rewrite[7330]: match_list_match:
transport_maps: no match
Feb 22 12:43:24 1CorpHQ postfix/trivial-rewrite[7330]: match_list_match:
transport_maps: no match
Feb 22 12:43:24 1CorpHQ postfix/trivial-rewrite[7330]: In dict_changed_name
Feb 22 12:43:24 1CorpHQ postfix/trivial-rewrite[7330]: match_list_match:
tcs.mil.in: no match
Feb 22 12:43:24 1CorpHQ postfix/trivial-rewrite[7330]: match_list_match:
tcs.mil.in: no match
Feb 22 12:43:24 1CorpHQ postfix/trivial-rewrite[7330]: match_list_match:
tcs.mil.in: no match
Feb 22 12:43:24 1CorpHQ postfix/trivial-rewrite[7330]: match_list_match:
tcs.mil.in: no match
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: In valid verify sender addr
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text 250 2.1.0 Ok
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: text RCPT TO:<
[hidden email]>
Feb 22 12:43:24 1CorpHQ postfix/trivial-rewrite[7330]: match_list_match:
tcs.mil.in: no match
Feb 22 12:43:24 1CorpHQ postfix/trivial-rewrite[7330]: match_list_match:
tcs.mil.in: no match
Feb 22 12:43:24 1CorpHQ postfix/trivial-rewrite[7330]: match_list_match:
tcs.mil.in: no match
Feb 22 12:43:24 1CorpHQ postfix/trivial-rewrite[7330]: match_list_match:
tcs.mil.in: no match
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: In valid verify sender addr
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: match_list_match:
permit_mynetworks: no match
Feb 22 12:43:24 1CorpHQ dovecot: quota-status: Debug: Loading modules from
directory: /usr/lib64/dovecot
Feb 22 12:43:24 1CorpHQ dovecot: quota-status: Debug: Module loaded:
/usr/lib64/dovecot/lib10_quota_plugin.so
Feb 22 12:43:24 1CorpHQ dovecot: auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
Feb 22 12:43:24 1CorpHQ dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Feb 22 12:43:24 1CorpHQ dovecot: auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
Feb 22 12:43:24 1CorpHQ dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libauthdb_ldap.so
Feb 22 12:43:24 1CorpHQ dovecot: auth: Debug: Read auth token secret from
/var/run/dovecot//auth-token-secret.dat
Feb 22 12:43:24 1CorpHQ dovecot: auth: Debug: master in: USER#0111#
011co.1cor...@...#011service=quota-status
Feb 22 12:43:24 1CorpHQ dovecot: auth: Debug: ldap([hidden email]):
user search: base=dc=tcs,dc=mil,dc=in scope=subtree
filter=(&(objectClass=person)(uid=co.1corphq))
fields=homeDirectory,uidNumber,gidNumber
Feb 22 12:43:24 1CorpHQ dovecot: auth: Debug: ldap([hidden email]):
no fields returned by the server
Feb 22 12:43:24 1CorpHQ dovecot: auth: Debug: ldap([hidden email]):
result:  homeDirectory missing; uidNumber missing; gidNumber missing
Feb 22 12:43:24 1CorpHQ dovecot: auth: Debug: userdb out: USER#0111#
[hidden email]
Feb 22 12:43:24 1CorpHQ dovecot: quota-status: Debug: auth input:
[hidden email]
Feb 22 12:43:24 1CorpHQ dovecot: quota-status: Debug: changed username to
[hidden email]
Feb 22 12:43:24 1CorpHQ dovecot: quota-status: Debug: Added userdb setting:
plugin/=yes
Feb 22 12:43:24 1CorpHQ dovecot: quota-status([hidden email]):
Debug: Effective uid=6000, gid=6000, home=
Feb 22 12:43:24 1CorpHQ dovecot: quota-status([hidden email]):
Debug: Quota root: name=User quota backend=maildir args=
Feb 22 12:43:24 1CorpHQ dovecot: quota-status([hidden email]):
Debug: Quota rule: root=User quota mailbox=* bytes=8192 messages=0
Feb 22 12:43:24 1CorpHQ dovecot: quota-status([hidden email]):
Debug: Quota rule: root=User quota mailbox=* bytes=8192 messages=12
Feb 22 12:43:24 1CorpHQ dovecot: quota-status([hidden email]):
Debug: Quota warning: bytes=6553 (80%) messages=0 reverse=no
command=quota-warning 80 [hidden email]
Feb 22 12:43:24 1CorpHQ dovecot: quota-status([hidden email]):
Debug: Quota grace: root=User quota bytes=819 (10%)
Feb 22 12:43:24 1CorpHQ dovecot: quota-status([hidden email]):
Debug: maildir++: root=/var/mail/vmail/tcs.mil.in/co.1corphq, index=,
indexpvt=, control=, inbox=/var/mail/vmail/tcs.mil.in/co.1corphq, alt=
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: warning: connect to
201.123.80.9:54317: Connection refused
Feb 22 12:43:24 1CorpHQ postfix/smtpd[7326]: warning: problem talking to
server 201.123.80.9:54317: Connection refused
Feb 22 12:43:25 1CorpHQ postfix/smtpd[7326]: warning: connect to
201.123.80.9:54317: Connection refused
Feb 22 12:43:25 1CorpHQ postfix/smtpd[7326]: warning: problem talking to
server 201.123.80.9:54317: Connection refused
Feb 22 12:43:25 1CorpHQ postfix/smtpd[7326]: NOQUEUE: reject: RCPT from
1CorpHQ[201.123.80.23]: 451 4.3.5 Server configuration problem; from=<
[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<1CorpHQ>
Feb 22 12:43:25 1CorpHQ postfix/smtpd[7326]: text 451 4.3.5 Server
configuration problem
Feb 22 12:43:25 1CorpHQ postfix/smtpd[7326]: text RSET
Feb 22 12:43:25 1CorpHQ postfix/smtpd[7326]: text 250 2.0.0 Ok
Feb 22 12:43:25 1CorpHQ postfix/smtpd[7326]: lost connection after RSET
from 1CorpHQ[201.123.80.23]


I understand what the logs are saying, but I am not able to resolve the issue even after searching for a solution on the internet and trying different things by trial and error myself.

I want that, if I am sending email to any node or within a node, the "check_policy_service" configuration for the other node does not interfere and the mail goes through properly. At the same time, I should also be able to fetch quota status from other nodes.

If I can get any help regarding this, it would be really appreciated, as I have tried a lot of options already.

Regards


Re: Quota status to Postfix in distributed environment

Noel Jones-2
On 2/27/2018 2:06 PM, SAAHIL IFTEKHAR wrote:

> Hi
>
> My setup contains Postfix 2.10.1, Dovecot 2.2.10 on RHEL 7.3. The
> feature I tried to implement is "quota status to postfix". 
>
> The configuration for this feature needs to be done in both Dovecot
> and Postfix. Although more of the configuration is on the Dovecot
> side, the error is coming from the Postfix side configuration.
>
> I have implemented Quota status to postfix in our setup. I have an
> imap server (dovecot) and mail server (postfix) in every node. I am
> able to send quota status to postfix and mails are rejected after
> 100% mail quota is crossed. This rejection is happening both
> across the nodes and within the nodes.
>
> The problem is if I am sending mails to any node and if any other
> node's dovecot is down, mails are not going. For example, I am
> sending an email within the system but if some other node's dovecot
> is down then email within the system also will not go.
>
> My dovecot version is 2.2.10.
> My postfix version is 2.1.10.
>
> *doveconf -n output is below:-*

... dovecot config irrelevant.

> Here "service quota status" is the concerned section in conf file.
> ________________________________________________________________________________________________________
>
> *Postfix configuration is below:- *
>
> smtpd_relay_restrictions =
>           check_policy_service inet:201.123.80.9:54317
>           check_policy_service inet:201.123.80.23:54317


Nitpick: this should really be in smtpd_recipient_restrictions, not
relay restrictions.

(unneeded debug output stripped)

> Feb 22 12:43:25 1CorpHQ postfix/smtpd[7326]: warning: problem talking to
> server 201.123.80.9:54317: Connection refused
> Feb 22 12:43:25 1CorpHQ postfix/smtpd[7326]: NOQUEUE: reject: RCPT from
> 1CorpHQ[201.123.80.23]: 451 4.3.5 Server configuration problem; from=<
> [hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<1CorpHQ>

Postfix here does the only reasonable thing: mail is deferred to the
sender to try again later.


Instead of asking every server about quota for every recipient, just
ask the server where the recipient resides.

Something like (untested, but the general idea is sound):
# main.cf
smtpd_restriction_classes =
  quota_server9
  quota_server23

quota_server9 =
   check_policy_service inet:201.123.80.9:54317

quota_server23 =
   check_policy_service inet:201.123.80.23:54317

# use what is appropriate for your site, such as:
smtpd_relay_restrictions =
   permit_mynetworks
   permit_sasl_authenticated

smtpd_recipient_restrictions =
   check_recipient_access hash:/etc/postfix/check_quota
# ... other restrictions as appropriate


# /etc/postfix/check_quota
[hidden email]   quota_server9
[hidden email]   quota_server9
[hidden email]   quota_server23
[hidden email]   quota_server23


This example uses a hash: map, but any supported map type can be used.

This example method will scale nicely to a few servers.  If you have
hundreds of servers, the postfix config will become unmanageable and
require a different solution.


Reference:
http://www.postfix.org/RESTRICTION_CLASS_README.html
http://www.postfix.org/SMTPD_POLICY_README.html
http://www.postfix.org/DATABASE_README.html
http://www.postfix.org/documentation.html




  -- Noel Jones
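
Added example, not part of the original thread and not Postfix or Dovecot code: a Python sketch of the per-recipient dispatch suggested above, speaking the policy delegation request/reply format over TCP. The function names, the `example.test` addresses, the loopback ports and the fake quota-status server are assumptions constructed for the demonstration; the reply strings are the ones shown in the thread.

```python
import socket, socketserver, threading
OVERQUOTA = "552 5.2.2 Mailbox is over quota / mailbox is full"  # quota_status_overquota

def policy_query(endpoint, recipient, timeout=2.0):
    """Send one minimal policy request; return the action, or None if unreachable."""
    req = f"request=smtpd_access_policy\nprotocol_state=RCPT\nrecipient={recipient}\n\n"
    try:
        with socket.create_connection(endpoint, timeout=timeout) as sock:
            sock.sendall(req.encode())
            for raw in sock.makefile("rb"):
                if raw.startswith(b"action="):
                    return raw[7:].decode().strip()
    except OSError:                      # e.g. "Connection refused", as in the log
        pass
    return None

def smtpd_reply(recipient, recipient_map, classes):
    """Per-recipient dispatch: ask only the server that holds the mailbox."""
    cls = recipient_map.get(recipient)
    if cls is None:
        return "DUNNO"                   # not listed: no quota check for this address
    action = policy_query(classes[cls], recipient)
    return action or "451 4.3.5 Server configuration problem"

class FakeQuotaStatus(socketserver.StreamRequestHandler):
    """Constructed stand-in for quota-status: recipients named full@... are over quota."""
    def handle(self):
        attrs = {}
        for raw in self.rfile:           # name=value lines, ended by an empty line
            key, _, value = raw.decode().strip().partition("=")
            if not key:
                break
            attrs[key] = value
        over = attrs.get("recipient", "").startswith("full@")
        self.wfile.write(f"action={OVERQUOTA if over else 'DUNNO'}\n\n".encode())

def demo():
    """quota_server23 is a live fake; quota_server9 is a bound, non-listening port."""
    up = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeQuotaStatus)
    threading.Thread(target=up.serve_forever, daemon=True).start()
    dead = socket.socket(); dead.bind(("127.0.0.1", 0))
    classes = {"quota_server9": dead.getsockname(), "quota_server23": up.server_address}
    rmap = {"a@example.test": "quota_server9", "b@example.test": "quota_server23",
            "full@example.test": "quota_server23"}
    out = {rcpt: smtpd_reply(rcpt, rmap, classes) for rcpt in rmap}
    up.shutdown(); up.server_close(); dead.close()
    return out

if __name__ == "__main__":
    print(demo())
```

Only the recipient mapped to the unreachable server gets the temporary 451; recipients on the live server are still answered with DUNNO or the over-quota rejection.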
