Comprehension question about postscreen


Comprehension question about postscreen

Sebastian Schieke
Hello everyone,

I would like to use postscreen on a test system. Now an MUA submits a message via submission for delivery to an external recipient. However, the mail cannot be sent:

Jun  5 16:38:30 vps-zap336907-1 postfix/qmgr[18167]: 452E4100A4A: from=<[hidden email]>, size=911, nrcpt=1 (queue active)
Jun  5 16:38:30 vps-zap336907-1 postfix/qmgr[18167]: warning: connect to transport private/smtp: Connection refused

In this case, is Postfix ultimately also an MUA, and is that why it cannot send?


## master.cf
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

submission inet  n       -       n       -       -       smtpd
         -o smtpd_sasl_auth_enable=yes
         -o smtpd_enforce_tls=yes

pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
relay    unix  -       -       n       -       -       smtp
trace    unix  -       -       n       -       0       bounce
proxymap  unix -       -       n       -       -       proxymap
anvil    unix  -       -       n       -       1       anvil
scache   unix  -       -       -       -       1       scache
discard          unix  -       -       n       -       -       discard
tlsmgr    unix  -       -       n       1000?   1       tlsmgr

spf-policy  unix  -       n       n       -       -       spawn user=nobody argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl

retry     unix  -       -       -       -       -       error


## main.cf
address_verify_map = btree:/var/spool/postfix/data/verify
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 3d
broken_sasl_auth_clients = yes
compatibility_level = 2
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
mailbox_command =
maximal_queue_lifetime = 3d
message_size_limit = 20971520
mydestination = mail.fitzefatzebook.de, fitzefatzebook.de, localhost
myhostname = mail.fitzefatzebook.de
mynetworks = 127.0.0.0/8
postscreen_bare_newline_enable = no
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 hostkarma.junkemailfilter.com=127.0.0.2*2 rep.mailspike.net=127.0.0.[10;11]*2 b.barracudacentral.org*2 rep.mailspike.net=127.0.0.[12;13] dnsbl.sorbs.net=127.0.0.[6;10] db.wpbl.info=127.0.0.2 bl.spamcop.net ix.dnsbl.manitu.net psbl.surriel.com dnsbl.inps.de ubl.unsubscore.com hostkarma.junkemailfilter.com=127.0.0.1*-2 list.dnswl.org=127.0.[0..255].2*-1 list.dnswl.org=127.0.[0..255].3*-2 rep.mailspike.net=127.0.0.[18;19]*-1 rep.mailspike.net=127.0.0.20*-2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = enforce
postscreen_greet_banner = $myhostname - Please wait to be seated
postscreen_greet_ttl = 1d
postscreen_greet_wait = ${stress?2}${stress:4}s
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
relay_domains = hash:/etc/postfix/relay_domains
relayhost =
smtp_tls_cert_file = /etc/letsencrypt/live/fitzefatzebook.de/fullchain.pem
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_key_file = /etc/letsencrypt/live/fitzefatzebook.de/privkey.pem
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/access_recipient_rfc, check_client_access cidr:/etc/postfix/access_client, check_helo_access hash:/etc/postfix/access_helo, check_sender_access hash:/etc/postfix/access_sender, check_recipient_access hash:/etc/postfix/access_recipient, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_hostname, permit_sasl_authenticated, permit_mynetworks, permit_mx_backup, reject_unauth_destination, check_policy_service unix:private/policy, check_sender_access hash:/etc/postfix/disallow_my_domain, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/fitzefatzebook.de/fullchain.pem
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/letsencrypt/live/fitzefatzebook.de/privkey.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
transport_maps = hash:/etc/postfix/transport, hash:/etc/postfix/relay_domains
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 577
unverified_sender_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Best regards
Sebastian


Re: Comprehension question about postscreen

Jens Adam-2
Hi,

the master.cf excerpt is missing a:
 smtp      unix  -       -       n       -       -       smtp

May I ask what kind of system this is and which Postfix version it runs?

Otherwise, you can see a current upstream master.cf here: https://github.com/vdukhovni/postfix/blob/master/postfix/conf/master.cf


--byte



Re: Comprehension question about postscreen

Patrick Ben Koetter-2
In reply to this post by Sebastian Schieke
* Sebastian Schieke <[hidden email]>:
> Hello everyone,
>
> I would like to use postscreen on a test system. Now an MUA submits a message via submission for delivery to an external recipient. However, the mail cannot be sent:
>
> Jun  5 16:38:30 vps-zap336907-1 postfix/qmgr[18167]: 452E4100A4A: from=<[hidden email]>, size=911, nrcpt=1 (queue active)
> Jun  5 16:38:30 vps-zap336907-1 postfix/qmgr[18167]: warning: connect to transport private/smtp: Connection refused

Are you running a chrooted Postfix?

p@rick


--
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
 

Re: Comprehension question about postscreen

Carsten Rosenberg
In reply to this post by Sebastian Schieke
I think you are simply missing the smtp client

smtp       unix  -       -       -       -       -       smtp


Regards, Carsten

On 05.06.2018 18:47, Sebastian Schieke wrote:

> Hello everyone,
>
> I would like to use postscreen on a test system. Now an MUA submits a message via submission for delivery to an external recipient. However, the mail cannot be sent:
>
> Jun  5 16:38:30 vps-zap336907-1 postfix/qmgr[18167]: 452E4100A4A: from=<[hidden email]>, size=911, nrcpt=1 (queue active)
> Jun  5 16:38:30 vps-zap336907-1 postfix/qmgr[18167]: warning: connect to transport private/smtp: Connection refused
>
> In this case, is Postfix ultimately also an MUA, and is that why it cannot send?

Re: Comprehension question about postscreen

Sebastian Schieke
Hello Carsten,

that was exactly it, thanks. On this occasion I also tidied up the master.cf.

Many thanks for the pointers.

Best regards
Sebastian
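
The diagnosis from the replies, as an added example that is not part of the original thread: a small master.cf parser that reports delivery transports with no matching `unix` service, the condition behind the "connect to transport private/smtp: Connection refused" warning. The excerpt is constructed from the posted master.cf, and the transport list assumes main.cf leaves Postfix's transport parameters at their defaults.

```python
# Added example: find delivery transports that have no unix-socket service in master.cf.
MASTER_CF = """\
# constructed excerpt modelled on the master.cf posted in the thread
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
         -o smtpd_sasl_auth_enable=yes
         -o smtpd_enforce_tls=yes
qmgr      fifo  n       -       n       300     1       qmgr
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
relay    unix  -       -       n       -       -       smtp
"""

# Assumption: transport parameters are at Postfix's defaults
# (default_transport=smtp, relay_transport=relay,
#  local_transport=local:$myhostname, virtual_transport=virtual).
DEFAULT_TRANSPORTS = ("smtp", "relay", "local", "virtual")


def parse_master_cf(text):
    """Return {(service, type): command} for every logical line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                            # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()    # continuation line (-o options)
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = line.split(None, 7)            # 7 columns, then command + args
        if len(fields) == 8:
            services[(fields[0], fields[1])] = fields[7]
    return services


def missing_transports(text, transports=DEFAULT_TRANSPORTS):
    """Transports that have no '<name> unix' service for qmgr to connect to."""
    services = parse_master_cf(text)
    return [t for t in transports if (t, "unix") not in services]


# The line suggested in the replies, appended to the excerpt.
FIXED = MASTER_CF + "smtp      unix  -       -       n       -       -       smtp\n"

if __name__ == "__main__":
    print("missing before fix:", missing_transports(MASTER_CF))
    print("missing after fix: ", missing_transports(FIXED))
```

The `smtp inet ... postscreen` entry does not satisfy the check: a service is identified by name and type together, so the inbound listener and the outbound client are separate entries.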
