Service currently unavailable

Service currently unavailable

Silvio Siefke-3
Hello,

I have the problem that all mails hang in postscreen. I think so, but I am
not sure. I cannot find a mistake in the configuration. But both local mail
and mail from outside hang in postscreen and do not go through.

[root@de-fra ~]# cat /var/log/mail.log | grep "74.125.82.44"
Jul  5 15:21:25 de-fra.silviosiefke.com postfix/postscreen[3244]: CONNECT from [74.125.82.44]:37019 to [178.254.26.48]:25
Jul  5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: CONNECT from [74.125.82.44]:37019
Jul  5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: Anonymous TLS connection established from [74.125.82.44]:37019: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul  5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [74.125.82.44]:37019: 450 4.3.2 Service currently unavailable; from=<[hidden email]>, to=<[hidden email]>, proto=ESMTP, helo=<mail-wm0-f44.google.com>
Jul  5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: HANGUP after 0.14 from [74.125.82.44]:37019 in tests after SMTP handshake
Jul  5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: DISCONNECT [74.125.82.44]:37019
Jul  5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: PASS NEW [74.125.82.44]:37019
Jul  5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: DISCONNECT [74.125.82.44]:37019

I use fuglu in place of "amavisd-new". The emails themselves are still not in the mailbox after 20 minutes.

Thank you for your help.

Silvio


[root@de-fra ~]# postconf -n
alias_database = $alias_maps
alias_maps = hash:/etc/postfix/tables/aliases
anvil_rate_time_unit = 60s
bounce_size_limit = 8192
command_directory = /usr/bin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/tables/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = 127.0.0.1, 178.254.26.48
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = silviosiefke.com
myhostname = de-fra.silviosiefke.com
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:127.0.0.1:12345
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/tables/postscreen_access.cidr
postscreen_bare_newline_action = drop
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2, bl.mailspike.net, bl.spamcop.net, b.barracudacentral.org, swl.spamhaus.org*-2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /etc/postfix
sendmail_path = /usr/bin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_cert_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/fullchain.pem
smtp_tls_ciphers = high
smtp_tls_key_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 50
smtpd_client_recipient_rate_limit = 50
smtpd_client_restrictions = permit_mynetworks, reject_invalid_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_unknown_client, check_client_access regexp:/etc/postfix/tables/client_restrictions permit
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_delay_reject = yes
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/tables/helo_access, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_invalid_hostname, warn_if_reject reject_unknown_hostname, permit
smtpd_milters = inet:127.0.0.1:12345
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10030, check_policy_service inet:127.0.0.1:12525, check_client_access hash:/etc/postfix/tables/blacklist, check_sender_access hash:/etc/postfix/tables/senderaccess, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_invalid_hostname, permit_mynetworks, reject_unauth_pipelining, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_unknown_client, permit
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = ${config_directory}/dh/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh/dh512.pem
smtpd_tls_key_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
soft_bounce = no
tls_export_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ALL:!aNULL:!ADH:!3DES:!EXP:!RC4:!kKRB5:!aDSS:!DES:!aPSK:!kECDH:!RC2:!IDEA:!SEED:!CAMELLIA:!AES128-SHA
tls_preempt_cipherlist = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/tables/virtual
virtual_mailbox_base = /
virtual_mailbox_domains = $mydomain, silviosiefke.de, silviosiefke.fr

< master.cf >

smtp      inet  n       -       n       -       1       postscreen
  -o smtpd_proxy_filter=localhost:10025
  -o smtpd_client_connection_count_limit=10
  -o smtpd_proxy_options=speed_adjust

# fuglu include
127.0.0.1:10026 inet n  -       n       -        -      smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o receive_override_options=no_unknown_recipient_checks

smtpd     pass  -       -       n       -       -       smtpd
  -o smtpd_proxy_filter=localhost:10025
  -o smtpd_sasl_auth_enable=no

dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
  -o smtpd_tls_dh1024_param_file=/etc/postfix/dh/dh2048.pem

pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
Re: Service currently unavailable

/dev/rob0
On Wed, Jul 05, 2017 at 03:44:19PM +0200, [hidden email] wrote:
> I have the problem that all mails hang in postscreen. I think so, but
> I am not sure. I cannot find a mistake in the configuration. But both
> local mail and mail from outside hang in postscreen and do not go through.
>
> [root@de-fra ~]# cat /var/log/mail.log | grep "74.125.82.44"

Sometimes grep will miss important messages which concern a mail
transaction.  In this case it's probably fine, but for future
reference, you might want to use a pager like less(1) and its own
internal search feature.

Also, UUOC, "grep 'expression' filename". :)

> Jul  5 15:21:25 de-fra.silviosiefke.com postfix/postscreen[3244]: CONNECT from [74.125.82.44]:37019 to [178.254.26.48]:25
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: CONNECT from [74.125.82.44]:37019
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: Anonymous TLS connection established from [74.125.82.44]:37019: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [74.125.82.44]:37019: 450 4.3.2 Service currently unavailable; from=<[hidden email]>, to=<[hidden email]>, proto=ESMTP, helo=<mail-wm0-f44.google.com>
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: HANGUP after 0.14 from [74.125.82.44]:37019 in tests after SMTP handshake
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: DISCONNECT [74.125.82.44]:37019
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: PASS NEW [74.125.82.44]:37019
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: DISCONNECT [74.125.82.44]:37019

Did you read the POSTSCREEN_README section about the after-220 tests?
Don't activate those if you are not prepared to deal with the
consequences.

> I use fuglu in place of "amavisd-new". The emails themselves are still
> not in the mailbox after 20 minutes.

Content filtering is not relevant to postscreen rejections and
deferrals.

I can point you to my own postscreen configuration, which avoids the
problem you're having with reception from gmail:

http://rob0.nodns4.us/postscreen.html

Specifically you want to use list.dnswl.org and
postscreen_dnsbl_whitelist_threshold.  All Google and most legitimate
senders of all kinds are listed in DNSWL.

Note that postscreen_dnsbl_whitelist_threshold requires at least
Postfix version 2.11.  If your version is less than that, upgrade.  
I'd recommend the latest 3.2 release.

> [root@de-fra ~]# postconf -n
> alias_database = $alias_maps
> alias_maps = hash:/etc/postfix/tables/aliases
> anvil_rate_time_unit = 60s
> bounce_size_limit = 8192
> command_directory = /usr/bin
> compatibility_level = 2
> daemon_directory = /usr/lib/postfix/bin
> data_directory = /var/lib/postfix
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/tables/header_checks
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = 127.0.0.1, 178.254.26.48
> inet_protocols = ipv4
> mail_owner = postfix
> mailbox_size_limit = 0
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> message_size_limit = 20480000
> meta_directory = /etc/postfix
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = silviosiefke.com
> myhostname = de-fra.silviosiefke.com
> mynetworks = 127.0.0.0/8
> mynetworks_style = host
> myorigin = $myhostname
> newaliases_path = /usr/bin/newaliases
> non_smtpd_milters = inet:127.0.0.1:12345
> postscreen_access_list = permit_mynetworks cidr:/etc/postfix/tables/postscreen_access.cidr
> postscreen_bare_newline_action = drop
> postscreen_bare_newline_enable = yes

That's an after-220 test.

> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org*2, bl.mailspike.net, bl.spamcop.net, b.barracudacentral.org, swl.spamhaus.org*-2
> postscreen_dnsbl_threshold = 2
> postscreen_greet_action = enforce
> postscreen_non_smtp_command_enable = yes
> postscreen_pipelining_enable = yes

These two also.  If any single after-220 test is enabled, postscreen
will talk to (and defer mail from) any not-yet-whitelisted client.
That's the main thing I hoped for you to get from the Postfix
POSTSCREEN_README.

> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> sample_directory = /etc/postfix
> sendmail_path = /usr/bin/sendmail
> setgid_group = postdrop
> shlib_directory = /usr/lib/postfix
> smtp_tls_cert_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/fullchain.pem

(Not relevant to this issue, but who are you sending mail to that is
asking for client certificates?)

> smtp_tls_ciphers = high

Probably a bad idea, this will cause more fallback to plaintext.
Is that what you want, more plaintext sending of mail?  (Also not
relevant to this issue.)

> smtp_tls_key_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/privkey.pem
> smtp_tls_loglevel = 1
> smtp_tls_mandatory_ciphers = high
> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtp_tls_protocols = !SSLv2,!SSLv3

Ditto previous comment.  Leave TLS settings at the well-considered
default values unless you really know what you're doing.

> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
> smtpd_banner = $myhostname ESMTP
> smtpd_client_connection_count_limit = 20
> smtpd_client_connection_rate_limit = 20
> smtpd_client_message_rate_limit = 50
> smtpd_client_recipient_rate_limit = 50
> smtpd_client_restrictions = permit_mynetworks, reject_invalid_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_unknown_client, check_client_access regexp:/etc/postfix/tables/client_restrictions permit

Deprecated syntax for "reject_unknown_client_hostname".  Did you
follow an outdated howto?  Remember, most bloggers out there are
unqualified to be writing Postfix documentation.

Also, I find that this restriction is still too aggressive.  You will
find a lot of legitimate mail being blocked by that.

Deprecated syntax also for "reject_invalid_helo_hostname", but that
restriction is generally safe to use.

> smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
> smtpd_delay_reject = yes
> smtpd_etrn_restrictions = permit_mynetworks, reject
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/tables/helo_access, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_invalid_hostname, warn_if_reject reject_unknown_hostname, permit

More deprecated syntax here.  Also, why did you split out into so
many restriction stages?  I find that harder to follow than to keep
them all in one linear stage.  If the goal was to keep all CLIENT
based restrictions under smtpd_client_restrictions and all HELO/EHLO
based restrictions under smtpd_helo_restrictions, you failed at that
by including a HELO restriction in smtpd_client_restrictions.

> smtpd_milters = inet:127.0.0.1:12345
> smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10030, check_policy_service inet:127.0.0.1:12525, check_client_access hash:/etc/postfix/tables/blacklist, check_sender_access hash:/etc/postfix/tables/senderaccess, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_invalid_hostname, permit_mynetworks, reject_unauth_pipelining, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_unknown_client, permit

More of the same here.

> smtpd_reject_unlisted_sender = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/fullchain.pem
> smtpd_tls_ciphers = high
> smtpd_tls_dh1024_param_file = ${config_directory}/dh/dh2048.pem
> smtpd_tls_dh512_param_file = ${config_directory}/dh/dh512.pem
> smtpd_tls_key_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/privkey.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtpd_tls_protocols = !SSLv2,!SSLv3
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
> soft_bounce = no
> tls_export_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ALL:!aNULL:!ADH:!3DES:!EXP:!RC4:!kKRB5:!aDSS:!DES:!aPSK:!kECDH:!RC2:!IDEA:!SEED:!CAMELLIA:!AES128-SHA
> tls_preempt_cipherlist = yes
> unknown_address_reject_code = 554
> unknown_client_reject_code = 554
> unknown_hostname_reject_code = 554
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/tables/virtual
> virtual_mailbox_base = /

This setting is explicitly not recommended in the documentation.

> virtual_mailbox_domains = $mydomain, silviosiefke.de, silviosiefke.fr
>
> < master.cf >
>
> smtp      inet  n       -       n       -       1       postscreen
>   -o smtpd_proxy_filter=localhost:10025
>   -o smtpd_client_connection_count_limit=10
>   -o smtpd_proxy_options=speed_adjust
>
> # fuglu include
> 127.0.0.1:10026 inet n  -       n       -        -      smtpd
>   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o smtpd_data_restrictions=
>   -o mynetworks=127.0.0.0/8
>   -o receive_override_options=no_unknown_recipient_checks
>
> smtpd     pass  -       -       n       -       -       smtpd
>   -o smtpd_proxy_filter=localhost:10025
>   -o smtpd_sasl_auth_enable=no
>
> dnsblog   unix  -       -       n       -       0       dnsblog
> tlsproxy  unix  -       -       n       -       0       tlsproxy
>
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
>   -o smtpd_tls_dh1024_param_file=/etc/postfix/dh/dh2048.pem
>
> pickup    unix  n       -       n       60      1       pickup
> cleanup   unix  n       -       n       -       0       cleanup
> qmgr      unix  n       -       n       300     1       qmgr
> #qmgr     unix  n       -       n       300     1       oqmgr
> tlsmgr    unix  -       -       n       1000?   1       tlsmgr
> rewrite   unix  -       -       n       -       -       trivial-rewrite
> bounce    unix  -       -       n       -       0       bounce
> defer     unix  -       -       n       -       0       bounce
> trace     unix  -       -       n       -       0       bounce
> verify    unix  -       -       n       -       1       verify
> flush     unix  n       -       n       1000?   0       flush
> proxymap  unix  -       -       n       -       -       proxymap
> proxywrite unix -       -       n       -       1       proxymap
> smtp      unix  -       -       n       -       -       smtp
> relay     unix  -       -       n       -       -       smtp
> #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq     unix  n       -       n       -       -       showq
> error     unix  -       -       n       -       -       error
> retry     unix  -       -       n       -       -       error
> discard   unix  -       -       n       -       -       discard
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       n       -       -       lmtp
> anvil     unix  -       -       n       -       1       anvil
> scache    unix  -       -       n       -       1       scache

--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
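The points rob0 raises above (after-220 tests enabled without a DNSWL whitelist path, deprecated restriction names, a HELO restriction sitting in the client stage, and a non-default `smtp_tls_ciphers`) can be checked mechanically against a `postconf -n` dump. The script below is an added example, not code from the thread or from Postfix; the `SAMPLE` text is constructed from the values Silvio posted, and the deprecated-name mapping follows the current names documented in postconf(5).

```python
"""Audit a `postconf -n` dump for the postscreen and restriction issues
discussed in the thread. Added example; SAMPLE is constructed from the
values posted in the thread, not read from a live host."""
import re

# After-220 tests: if any one is enabled, postscreen talks SMTP to every
# not-yet-whitelisted client and defers its mail with 450 until it passes.
AFTER_220_TESTS = (
    "postscreen_bare_newline_enable",
    "postscreen_non_smtp_command_enable",
    "postscreen_pipelining_enable",
)

# Deprecated restriction names and their current spellings (postconf(5)).
DEPRECATED = {
    "reject_unknown_client": "reject_unknown_client_hostname",
    "reject_invalid_hostname": "reject_invalid_helo_hostname",
    "reject_non_fqdn_hostname": "reject_non_fqdn_helo_hostname",
    "reject_unknown_hostname": "reject_unknown_helo_hostname",
}

RESTRICTION_PARAMS = (
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
)

SAMPLE = """\
postscreen_bare_newline_enable = yes
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
postscreen_dnsbl_sites = zen.spamhaus.org*2, bl.mailspike.net, bl.spamcop.net, b.barracudacentral.org, swl.spamhaus.org*-2
postscreen_dnsbl_threshold = 2
smtp_tls_ciphers = high
smtp_tls_security_level = may
smtpd_client_restrictions = permit_mynetworks, reject_invalid_hostname, reject_rbl_client zen.spamhaus.org, reject_unknown_client, permit
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, warn_if_reject reject_unknown_hostname, permit
"""


def parse_postconf(text):
    """Turn 'name = value' lines into a dict (later lines win, as in postconf)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def _tokens(value):
    return [t for t in re.split(r"[\s,]+", value) if t]


def audit(params):
    """Return a list of (severity, parameter, message) findings."""
    findings = []
    enabled = [p for p in AFTER_220_TESTS if params.get(p, "no").lower() == "yes"]
    if enabled:
        findings.append(("warn", ", ".join(enabled),
                         "after-220 test(s) enabled: every new client is deferred "
                         "with 450 until it passes; the whitelist cache must persist"))
    if "list.dnswl.org" not in params.get("postscreen_dnsbl_sites", ""):
        findings.append(("info", "postscreen_dnsbl_sites",
                         "no DNSWL entry; with postscreen_dnsbl_whitelist_threshold "
                         "(Postfix >= 2.11) well-listed senders skip the after-220 tests"))
    if enabled and "postscreen_dnsbl_whitelist_threshold" not in params:
        findings.append(("info", "postscreen_dnsbl_whitelist_threshold",
                         "not set; nothing lets reputable clients bypass the tests"))
    for param in RESTRICTION_PARAMS:
        for token in _tokens(params.get(param, "")):
            if token in DEPRECATED:
                findings.append(("warn", param,
                                 f"deprecated '{token}', use '{DEPRECATED[token]}'"))
    # HELO restrictions are the ones whose name mentions a hostname but not the client.
    helo_in_client = [t for t in _tokens(params.get("smtpd_client_restrictions", ""))
                      if "hostname" in t and "client" not in t]
    if helo_in_client:
        findings.append(("info", "smtpd_client_restrictions",
                         f"HELO restriction(s) {helo_in_client} evaluated in the client stage"))
    # Opportunistic TLS (security_level=may) with a restricted cipher grade falls
    # back to plaintext more often instead of failing closed.
    if params.get("smtp_tls_security_level", "may") == "may" and \
            params.get("smtp_tls_ciphers", "medium") != "medium":
        findings.append(("info", "smtp_tls_ciphers",
                         "non-default grade with opportunistic TLS increases plaintext fallback"))
    return findings


if __name__ == "__main__":
    for severity, param, message in audit(parse_postconf(SAMPLE)):
        print(f"[{severity}] {param}: {message}")
```

Run it against `postconf -n` output captured to a file by replacing `SAMPLE` with the file's contents; the `warn` entries are the ones that change what mail gets deferred or rejected, the `info` entries are the interoperability remarks from the reply.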
Re: Service currently unavailable

Wietse Venema
In reply to this post by Silvio Siefke-3
[hidden email]:

> Hello,
>
> I have the problem that all mails hang in postscreen. I think so, but I am
> not sure. I cannot find a mistake in the configuration. But both local mail
> and mail from outside hang in postscreen and do not go through.
>
> [root@de-fra ~]# cat /var/log/mail.log | grep "74.125.82.44"
> Jul  5 15:21:25 de-fra.silviosiefke.com postfix/postscreen[3244]: CONNECT from [74.125.82.44]:37019 to [178.254.26.48]:25
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: CONNECT from [74.125.82.44]:37019
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: Anonymous TLS connection established from [74.125.82.44]:37019: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [74.125.82.44]:37019: 450 4.3.2 Service currently unavailable; from=<[hidden email]>, to=<[hidden email]>, proto=ESMTP, helo=<mail-wm0-f44.google.com>
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: HANGUP after 0.14 from [74.125.82.44]:37019 in tests after SMTP handshake
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: DISCONNECT [74.125.82.44]:37019
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: PASS NEW [74.125.82.44]:37019
> Jul  5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: DISCONNECT [74.125.82.44]:37019

You have "postscreen_bare_newline_enable = yes". With this, postscreen
will require that the client passes a 'bare newline' test once every
30 days. The logging above has no "BARE NEWLINE" violation record,
and postscreen logs 'PASS NEW' which confirms that the client passed
all tests. postscreen then replies with "450 4.3.2 Service currently unavailable" for reasons documented in the postscreen manpage.

Normally, postscreen saves the test result to the postscreen whitelist
cache (configured with postscreen_cache_map) so that the client can
skip the test for the next 30 days. This is not working.

The reason that the test keeps being repeated is that the test
result is not properly written to the postscreen whitelist cache.
This may be caused by a corrupted database file.

I suggest that you remove the postscreen_cache_map file and do
'postfix reload'.

Minor nit, unrelated to the broken whitelist problem:

> smtp      inet  n       -       n       -       1       postscreen
>   -o smtpd_proxy_filter=localhost:10025
>   -o smtpd_client_connection_count_limit=10
>   -o smtpd_proxy_options=speed_adjust

smtpd_proxy_filter is not a postscreen feature. It belongs with the
smtpd that follows postscreen, as shown below.
 
> smtpd     pass  -       -       n       -       -       smtpd
>   -o smtpd_proxy_filter=localhost:10025
>   -o smtpd_sasl_auth_enable=no

You could also take the lame option and disable the bare newline
test. But that would still require the client to pass all tests on
every connection, resulting in unnecessary delays.

        Wietse
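Wietse's diagnosis rests on one observable pattern: a client that has already logged `PASS NEW` should log `PASS OLD` on its next connection while the whitelist cache entry is valid, so a client that keeps logging `PASS NEW` (and keeps getting the 450) on every connection shows that the test result is not being persisted. The script below correlates postscreen records per client to surface exactly that. It is an added example, not code from the thread or from Postfix; the log lines are constructed to match the format posted above, with 192.0.2.10 and 198.51.100.5 as TEST-NET placeholders.

```python
"""Correlate postscreen log records per client to separate a client that is
still in the after-220 tests from one whose whitelist entry is not being
persisted. Added example; SAMPLE_LOG is constructed in the format posted in
the thread (192.0.2.10 and 198.51.100.5 are TEST-NET placeholders)."""
import re
from collections import defaultdict

# The lazy '.*?' makes the first [addr]:port on the line (the client) the one
# captured, also on CONNECT and HANGUP lines that carry a second address.
RECORD = re.compile(
    r"postfix/postscreen\[\d+\]: "
    r"(?P<event>CONNECT|WHITELISTED|PASS NEW|PASS OLD|NOQUEUE: reject: RCPT|HANGUP|DISCONNECT)"
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+"
)

SAMPLE_LOG = """\
Jul  5 15:21:25 mx postfix/postscreen[3244]: CONNECT from [74.125.82.44]:37019 to [198.51.100.5]:25
Jul  5 15:21:31 mx postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [74.125.82.44]:37019: 450 4.3.2 Service currently unavailable; from=<a@example.com>, to=<b@example.org>, proto=ESMTP, helo=<mail-wm0-f44.google.com>
Jul  5 15:21:31 mx postfix/postscreen[3244]: HANGUP after 0.14 from [74.125.82.44]:37019 in tests after SMTP handshake
Jul  5 15:21:31 mx postfix/postscreen[3244]: PASS NEW [74.125.82.44]:37019
Jul  5 15:21:31 mx postfix/postscreen[3244]: DISCONNECT [74.125.82.44]:37019
Jul  5 15:41:02 mx postfix/postscreen[3244]: CONNECT from [74.125.82.44]:40122 to [198.51.100.5]:25
Jul  5 15:41:08 mx postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [74.125.82.44]:40122: 450 4.3.2 Service currently unavailable; from=<a@example.com>, to=<b@example.org>, proto=ESMTP, helo=<mail-wm0-f44.google.com>
Jul  5 15:41:08 mx postfix/postscreen[3244]: PASS NEW [74.125.82.44]:40122
Jul  5 15:41:08 mx postfix/postscreen[3244]: DISCONNECT [74.125.82.44]:40122
Jul  5 15:50:00 mx postfix/postscreen[3244]: CONNECT from [192.0.2.10]:51000 to [198.51.100.5]:25
Jul  5 15:50:06 mx postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [192.0.2.10]:51000: 450 4.3.2 Service currently unavailable; from=<c@example.net>, to=<b@example.org>, proto=ESMTP, helo=<mail.example.net>
Jul  5 15:50:06 mx postfix/postscreen[3244]: PASS NEW [192.0.2.10]:51000
Jul  5 15:50:06 mx postfix/postscreen[3244]: DISCONNECT [192.0.2.10]:51000
Jul  5 16:05:00 mx postfix/postscreen[3244]: CONNECT from [192.0.2.10]:51342 to [198.51.100.5]:25
Jul  5 16:05:00 mx postfix/postscreen[3244]: PASS OLD [192.0.2.10]:51342
"""


def tally(lines):
    """Count postscreen events per client address; unknown lines are skipped."""
    per_client = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = RECORD.search(line)
        if m:
            per_client[m["ip"]][m["event"]] += 1
    return per_client


def verdict(events):
    """Interpret one client's event counts (missing events count as zero)."""
    new, old = events["PASS NEW"], events["PASS OLD"]
    deferred = events["NOQUEUE: reject: RCPT"]
    if old:
        return "ok: whitelist entry reused (PASS OLD)"
    if new >= 2:
        return "cache not persisting: PASS NEW on %d connections, never PASS OLD" % new
    if new == 1:
        return "pending: passed tests once, next connection should log PASS OLD"
    if deferred:
        return "in tests: deferred with 450, no PASS yet"
    return "no verdict"


def diagnose(log_text):
    """Map each client address seen in the log to a one-line verdict."""
    return {ip: verdict(ev) for ip, ev in tally(log_text.splitlines()).items()}


if __name__ == "__main__":
    for ip, text in diagnose(SAMPLE_LOG).items():
        print(f"{ip}: {text}")
```

Feed it the real mail log instead of `SAMPLE_LOG` (a pager search, as rob0 suggests, or the whole file) and look for "cache not persisting" verdicts: one such client alongside healthy ones points at the cache map, which is what Wietse's suggestion to remove the `postscreen_cache_map` file and reload addresses; every client showing that verdict would suggest the same, while a lone "pending" verdict simply means the client has not come back yet.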
Re: Service currently unavailable

Silvio Siefke-3
On Wed, 5 Jul 2017 12:11:41 -0400 (EDT)
[hidden email] (Wietse Venema) wrote:

> I suggest that you remove the postscreen_cache_map file and do
> 'postfix reload'.

I'm not sure that this was it, but it looks normal again. So all mails
arrived.

Thank you for your help & nice day
Silvio