unable to relay unless disable_dns_lookups = yes


unable to relay unless disable_dns_lookups = yes

leed-post

Hello all

Just trying out postfix, so I thought I'd set it up on my home adsl box
and relay one of my domains through it (and play with grey listing). So
it kinda works but I have to set :-

disable_dns_lookups = yes

For anything to get relayed. This breaks smtp auth, because it can't do
any mx lookups. I've taken it out of the chroot'ed env just in case that
was causing the prob, and I've put the destination in [] but it still
does a mx lookup, and then tries to connect back to itself, but as I'm
NAT'ed this doesn't work (I've tried setting proxy_interfaces, but then
it just errors about loops, which is correct)

Is what I've done right here?

So mail is all up and working for my domain (example.com) on my original
mailserver. I've now set the MX to be my home adsl box.

I've added an entry into

relay_domains
example.com OK

Also added an entry into
transport
example.com smtp:[mail.example.com] (which is the original working mail
server)


and here's part of my main.cf


smtpd_recipient_restrictions = permit_mynetworks,
                                  permit_sasl_authenticated,
                                  reject_unauth_destination,
                                  reject_rbl_client sbl.spamhaus.org,
                                  permit_auth_destination,
                                  check_policy_service inet:127.0.0.1:60000

relay_domains =  hash:/etc/postfix/relay_domains
transport_map = hash:/etc/postfix/transport

As I say it all works fine if

disable_dns_lookups = yes

Is set, but I thought having the original mail server in [] prevented
postfix from doing the mx lookup and just delivering straight to that
address? That's not working for me, and yes I have remade the maps and
reloaded the config.

This is all running on a ubuntu server 8.04 box with packages from the
normal repo

Cheers for any help

Lee


# postconf -d | grep mail_version
mail_version = 2.5.1


# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_dns_lookups = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination =
myhostname = server.millwood
mynetworks = 127.0.0.0/8 192.166.0.0/16
myorigin = /etc/mailname
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relay_domains
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = ESMTP
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org, permit_auth_destination,
check_policy_service inet:127.0.0.1:60000
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom





Re: unable to relay unless disable_dns_lookups = yes

Victor Duchovni
On Thu, Jul 03, 2008 at 02:08:54PM +0100, [hidden email] wrote:

>
> Just trying out postfix, so I thought I'd set it up on my home adsl box
> and relay one of my domains through it (and play with grey listing). So
> it kinda works but I have to set :-
>
> disable_dns_lookups = yes
>
> For anything to get relayed.

Your SOHO router DNS is borked, run a real caching DNS server on your
Postfix machine instead of querying the router in resolv.conf.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: unable to relay unless disable_dns_lookups = yes

leed-post
On Thu, 3 Jul 2008, Victor Duchovni wrote:

> On Thu, Jul 03, 2008 at 02:08:54PM +0100, [hidden email] wrote:
>
>>
>> Just trying out postfix, so I thought I'd set it up on my home adsl box
>> and relay one of my domains through it (and play with grey listing). So
>> it kinda works but I have to set :-
>>
>> disable_dns_lookups = yes
>>
>> For anything to get relayed.
>
> Your SOHO router DNS is borked, run a real caching DNS server on your
> Postfix machine instead of querying the router in resolv.conf.
>

The server running postfix is also running named, which is working for
everything else.

I wouldn't have thought that would matter as I'm trying to tell it to
deliver to a host and not do a mx lookup?

With disable_dns_lookups = yes, I get this :-

Jul  3 07:05:36 server postfix/smtp[9620]: B948635E5A5: to=<[hidden email]>, relay=example.com[193.243.233.81]:25, delay=9.5, delays=0.9/0/0.05/8.5, dsn=2.0.0, status=sent (250 ok 1215065284 qp 24614)

The IP in the [] is my mail server's real IP address.

with it set to no, I get this :-

Jul  3 11:13:31 server postfix/smtp[12160]: BA41235E5AD: to=<[hidden email]>, relay=none, delay=31, delays=0.84/0/30/0, dsn=4.4.1, status=deferred (connect to home.example.com[MYHOMEIP]:25: Connection timed out)

Could this be the clue, relay=none? Also, with DNS disabled it
doesn't seem to matter what I put in the transport file, it always relays
to my mail server's IP.

Sorry I hope I'm explaining this OK.

Cheers
Lee





Re: unable to relay unless disable_dns_lookups = yes

Wietse Venema
[hidden email]:

> On Thu, 3 Jul 2008, Victor Duchovni wrote:
>
> > On Thu, Jul 03, 2008 at 02:08:54PM +0100, [hidden email] wrote:
> >
> >>
> >> Just trying out postfix, so I thought I'd set it up on my home adsl box
> >> and relay one of my domains through it (and play with grey listing). So
> >> it kinda works but I have to set :-
> >>
> >> disable_dns_lookups = yes
> >>
> >> For anything to get relayed.
> >
> > Your SOHO router DNS is borked, run a real caching DNS server on your
> > Postfix machine instead of querying the router in resolv.conf.
> >
>
> The server running postfix is also running named, which is working for
> everything else.

Except MX record lookups. Where is your DNS server getting its
information from (any "forwarder" lines in named.conf)?

        Wietse

Re: unable to relay unless disable_dns_lookups = yes

leed-post
On Thu, 3 Jul 2008, Wietse Venema wrote:

> [hidden email]:
>> On Thu, 3 Jul 2008, Victor Duchovni wrote:
>>
>>> On Thu, Jul 03, 2008 at 02:08:54PM +0100, [hidden email] wrote:
>>>
>>>>
>>>> Just trying out postfix, so I thought I'd set it up on my home adsl box
>>>> and relay one of my domains through it (and play with grey listing). So
>>>> it kinda works but I have to set :-
>>>>
>>>> disable_dns_lookups = yes
>>>>
>>>> For anything to get relayed.
>>>
>>> Your SOHO router DNS is borked, run a real caching DNS server on your
>>> Postfix machine instead of querying the router in resolv.conf.
>>>
>>
>> The server running postfix is also running named, which is working for
>> everything else.
>
> Except MX record lookups. Where is your DNS server getting its
> information from (any "forwarder" lines in named.conf)?

I'm running my own DNS, no forwarding

Re: unable to relay unless disable_dns_lookups = yes

Victor Duchovni
On Thu, Jul 03, 2008 at 07:59:43PM +0100, [hidden email] wrote:

> >Except MX record lookups. Where is your DNS server getting its
> >information from (any "forwarder" lines in named.conf)?
>
> I'm running my own DNS, no forwarding

The conclusion is not a consequence of the premise; what's in named.conf?
Is the firewall intercepting and applying "NAT" to DNS responses? Some
firewalls "proxy" DNS, so running your own DNS won't "help".

--
        Viktor.


Re: unable to relay unless disable_dns_lookups = yes

Mihira Fernando
In reply to this post by leed-post
On Friday 04 July 2008 00:29:43 [hidden email] wrote:

> On Thu, 3 Jul 2008, Wietse Venema wrote:
> > [hidden email]:
> >> On Thu, 3 Jul 2008, Victor Duchovni wrote:
> >>> On Thu, Jul 03, 2008 at 02:08:54PM +0100, [hidden email] wrote:
> >>>> Just trying out postfix, so I thought I'd set it up on my home adsl
> >>>> box and relay one of my domains through it (and play with grey
> >>>> listing). So it kinda works but I have to set :-
> >>>>
> >>>> disable_dns_lookups = yes
> >>>>
> >>>> For anything to get relayed.
> >>>
> >>> Your SOHO router DNS is borked, run a real caching DNS server on your
> >>> Postfix machine instead of querying the router in resolv.conf.
> >>
> >> The server running postfix is also running named, which is working for
> >> everything else.
> >
> > Except MX record lookups. Where is your DNS server getting its
> > information from (any "forwarder" lines in named.conf)?
>
> I'm running my own DNS, no forwarding

I believe the question there was, how does your DNS resolve queries for
domains not in your own DNS ?
for example, if a client PC in your network wants to resolve www.google.com
how does your DNS server get the DNS information of www.google.com ?

Do correct me if I'm wrong.

Mihira.

Re: unable to relay unless disable_dns_lookups = yes

leed-post
In reply to this post by Victor Duchovni
On Thu, 3 Jul 2008, Victor Duchovni wrote:

> On Thu, Jul 03, 2008 at 07:59:43PM +0100, [hidden email] wrote:
>
>>> Except MX record lookups. Where is your DNS server getting its
>>> information from (any "forwarder" lines in named.conf)?
>>
>> I'm running my own DNS, no forwarding
>
> The conclusion is not a consequece of the premise, what's in named.conf?
> Is the firewall intercepting and applying "NAT" to DNS responses? Some
> firewalls "proxy" DNS, so running your own DNS won't "help".
>
>

zone "." {
  type hint;
  file "/etc/bind/db.root";
};

I really don't think my router is proxying DNS

My mx lookups seem fine.

# host -t mx morganstanley.com
morganstanley.com mail is handled by 0 mx2.morganstanley.com.
morganstanley.com mail is handled by 0 mx3.morganstanley.com.
morganstanley.com mail is handled by 0 mx4.morganstanley.com.
morganstanley.com mail is handled by 0 mx5.morganstanley.com.
morganstanley.com mail is handled by 0 mx6.morganstanley.com.
morganstanley.com mail is handled by 0 mx1.morganstanley.com.

My main issue just seems to be that what ever I put in transport it just
gets ignored and does the mx lookup.

Many thanks for your patience :)

Lee




Re: unable to relay unless disable_dns_lookups = yes

Noel Jones-2
[hidden email] wrote:

>
> My main issue just seems to be that what ever I put in transport it just
> gets ignored and does the mx lookup.
>
> Many thanks for you patience :)
>
> Lee
>
>
>

So what's the output of
# postconf transport_maps

Does it show the filename you expect?


--
Noel Jones

Re: unable to relay unless disable_dns_lookups = yes

leed-post
On Thu, 3 Jul 2008, Noel Jones wrote:

>
> So what's the output of
> # postconf transport_maps
>
> Does it show the filename you expect?
>

Noel you're a star, and I'm a first class idiot

It didn't show anything, because :-

transport_map = hash:/etc/postfix/transport

Arrrgghhhhh, it's now "transport_maps" as in the plural and it all works
perfectly.

Sorry for wasting all your time
/tailbetweenlegs

Lee

Re: unable to relay unless disable_dns_lookups = yes

Benny Pedersen
In reply to this post by leed-post

On Thu, July 3, 2008 15:08, [hidden email] wrote:

> mynetworks = 127.0.0.0/8 192.166.0.0/16

running behind nat ?

proxy_interfaces=<wan-ip>

--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: unable to relay unless disable_dns_lookups = yes

Victor Duchovni
On Fri, Jul 04, 2008 at 04:09:03PM +0200, Benny Pedersen wrote:

>
> On Thu, July 3, 2008 15:08, [hidden email] wrote:
>
> > mynetworks = 127.0.0.0/8 192.166.0.0/16
>
> running behind nat ?
>
> proxy_interfaces=<wan-ip>

Also what is the 192.166.0.0/16 doing here? It is not the expected RFC
1918 192.168.0.0/16.

--
        Viktor.

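Two silent mistakes surfaced in this thread: a misspelled parameter name (transport_map instead of transport_maps, which Postfix simply ignores, so `postconf transport_maps` printed nothing) and a mynetworks entry that is not the private range the poster meant (192.166.0.0/16 instead of 192.168.0.0/16, which would have extended relay permission to someone else's address space). The following is an added example, not code from the thread or from the Postfix project: a small main.cf linter that parses Postfix-style `name = value` lines with continuation lines, flags parameter names that are not in a list of known parameters (the KNOWN_PARAMETERS set here is a constructed subset; on a real host it would be filled from the names `postconf -d` prints) with a closest-match hint, and flags mynetworks entries that are neither loopback nor RFC 1918 space. SAMPLE_MAIN_CF is a constructed excerpt modelled on the configuration posted above.

```python
"""Lint a Postfix main.cf for two classes of silent mistake:
a misspelled parameter name (e.g. transport_map vs transport_maps) and a
mynetworks entry that is not private address space (e.g. 192.166.0.0/16).

Added example, not Postfix code. KNOWN_PARAMETERS is a constructed subset
of real parameter names; a production check would load it from `postconf -d`.
"""
import difflib
import ipaddress
import re

# Constructed subset of real Postfix parameter names.
KNOWN_PARAMETERS = {
    "alias_maps", "disable_dns_lookups", "inet_interfaces", "mydestination",
    "myhostname", "mynetworks", "myorigin", "proxy_interfaces",
    "relay_domains", "smtpd_recipient_restrictions", "transport_maps",
}

# Constructed main.cf excerpt modelled on the one posted in the thread.
SAMPLE_MAIN_CF = """\
# comment line
myhostname = server.millwood
mynetworks = 127.0.0.0/8 192.166.0.0/16
relay_domains = hash:/etc/postfix/relay_domains
transport_map = hash:/etc/postfix/transport
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_main_cf(text):
    """Return a dict of name -> value. A line that starts with whitespace
    continues the previous parameter's value, as in Postfix's own parser."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            continue  # Postfix would log a syntax error; this linter skips it
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def unknown_parameters(params, known=KNOWN_PARAMETERS):
    """Names Postfix would ignore, each paired with the closest known name."""
    findings = []
    for name in params:
        if name not in known:
            hint = difflib.get_close_matches(name, sorted(known), n=1)
            findings.append((name, hint[0] if hint else None))
    return findings


def non_private_mynetworks(params):
    """mynetworks entries that are neither loopback nor RFC 1918 space."""
    findings = []
    for entry in params.get("mynetworks", "").split():
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(entry)  # unparsable entries deserve a look too
            continue
        if not (net.is_private or net.is_loopback):
            findings.append(entry)
    return findings


def lint(text):
    """Run both checks over a main.cf body and return the findings."""
    params = parse_main_cf(text)
    return {
        "unknown": unknown_parameters(params),
        "non_private_mynetworks": non_private_mynetworks(params),
    }


if __name__ == "__main__":
    report = lint(SAMPLE_MAIN_CF)
    for name, hint in report["unknown"]:
        suffix = f" (did you mean {hint!r}?)" if hint else ""
        print(f"unused parameter {name!r}{suffix}")
    for entry in report["non_private_mynetworks"]:
        print(f"mynetworks entry {entry} is not loopback or RFC 1918 space")
```

Run against the sample it reports `transport_map` with the hint `transport_maps` and flags `192.166.0.0/16`; a permit_mynetworks entry that is not actually yours is an open-relay risk, which is why the second check is worth keeping alongside the spelling check.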