On Wed, Jul 05, 2017 at 03:44:19PM +0200, [email protected] wrote:
> I have the problem that all mails hang by postscreen. I think, I am
> not sure. I can not find a mistake in the configuration. But local and
> from outside all mails hang in postscreen and do not go through.
>
> [root@de-fra ~]# cat /var/log/mail.log | grep "74.125.82.44"
Sometimes grep will miss important messages which concern a mail
transaction. In this case it's probably fine, but for future
reference, you might want to use a pager like less(1) and its own
internal search feature. Also, UUOC, "grep 'expression' filename". :)

> Jul 5 15:21:25 de-fra.silviosiefke.com postfix/postscreen[3244]: CONNECT from [74.125.82.44]:37019 to [178.254.26.48]:25
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: CONNECT from [74.125.82.44]:37019
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: Anonymous TLS connection established from [74.125.82.44]:37019: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [74.125.82.44]:37019: 450 4.3.2 Service currently unavailable; from=<[email protected]>, to=<[email protected]>, proto=ESMTP, helo=<mail-wm0-f44.google.com>
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: HANGUP after 0.14 from [74.125.82.44]:37019 in tests after SMTP handshake
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/tlsproxy[3251]: DISCONNECT [74.125.82.44]:37019
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: PASS NEW [74.125.82.44]:37019
> Jul 5 15:21:31 de-fra.silviosiefke.com postfix/postscreen[3244]: DISCONNECT [74.125.82.44]:37019

Did you read the POSTSCREEN_README section about the after-220 tests?
Don't activate those if you are not prepared to deal with the
consequences.

> I use fuglu as "amavisd-new". The emails themselves, now after 20
> minutes, are not in the box.

Content filtering is not relevant to postscreen rejections and
deferrals.

I can point you to my own postscreen configuration, which avoids the
problem you're having with reception from gmail:

    http://rob0.nodns4.us/postscreen.html

Specifically you want to use list.dnswl.org and
postscreen_dnsbl_whitelist_threshold.
All Google and most legitimate senders of all kinds are listed in
DNSWL.

Note that postscreen_dnsbl_whitelist_threshold requires at least
Postfix version 2.11. If your version is less than that, upgrade. I'd
recommend the latest 3.2 release.

> [root@de-fra ~]# postconf -n
> alias_database = $alias_maps
> alias_maps = hash:/etc/postfix/tables/aliases
> anvil_rate_time_unit = 60s
> bounce_size_limit = 8192
> command_directory = /usr/bin
> compatibility_level = 2
> daemon_directory = /usr/lib/postfix/bin
> data_directory = /var/lib/postfix
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/tables/header_checks
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = 127.0.0.1, 178.254.26.48
> inet_protocols = ipv4
> mail_owner = postfix
> mailbox_size_limit = 0
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> message_size_limit = 20480000
> meta_directory = /etc/postfix
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = silviosiefke.com
> myhostname = de-fra.silviosiefke.com
> mynetworks = 127.0.0.0/8
> mynetworks_style = host
> myorigin = $myhostname
> newaliases_path = /usr/bin/newaliases
> non_smtpd_milters = inet:127.0.0.1:12345
> postscreen_access_list = permit_mynetworks cidr:/etc/postfix/tables/postscreen_access.cidr
> postscreen_bare_newline_action = drop
> postscreen_bare_newline_enable = yes

That's an after-220 test.

> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org*2, bl.mailspike.net, bl.spamcop.net, b.barracudacentral.org, swl.spamhaus.org*-2
> postscreen_dnsbl_threshold = 2
> postscreen_greet_action = enforce
> postscreen_non_smtp_command_enable = yes
> postscreen_pipelining_enable = yes

These two also. If any single after-220 test is enabled, postscreen
will talk to (and defer mail from) any not-yet-whitelisted client.
That's the main thing I hoped for you to get from the Postfix
POSTSCREEN_README.
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> sample_directory = /etc/postfix
> sendmail_path = /usr/bin/sendmail
> setgid_group = postdrop
> shlib_directory = /usr/lib/postfix
> smtp_tls_cert_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/fullchain.pem

(Not relevant to this issue, but who are you sending mail to that is
asking for client certificates?)

> smtp_tls_ciphers = high

Probably a bad idea, this will cause more fallback to plaintext. Is
that what you want, more plaintext sending of mail? (Also not relevant
to this issue.)

> smtp_tls_key_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/privkey.pem
> smtp_tls_loglevel = 1
> smtp_tls_mandatory_ciphers = high
> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtp_tls_protocols = !SSLv2,!SSLv3

Ditto previous comment. Leave TLS settings at the well-considered
default values unless you really know what you're doing.

> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
> smtpd_banner = $myhostname ESMTP
> smtpd_client_connection_count_limit = 20
> smtpd_client_connection_rate_limit = 20
> smtpd_client_message_rate_limit = 50
> smtpd_client_recipient_rate_limit = 50
> smtpd_client_restrictions = permit_mynetworks, reject_invalid_hostname, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_unknown_client, check_client_access regexp:/etc/postfix/tables/client_restrictions permit

Deprecated syntax for "reject_unknown_client_hostname". Did you follow
an outdated howto? Remember, most bloggers out there are unqualified
to be writing Postfix documentation. Also, I find that this
restriction is still too aggressive. You will find a lot of legitimate
mail being blocked by that.

Deprecated syntax also for "reject_invalid_helo_hostname", but that
restriction is generally safe to use.
> smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
> smtpd_delay_reject = yes
> smtpd_etrn_restrictions = permit_mynetworks, reject
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/tables/helo_access, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_invalid_hostname, warn_if_reject reject_unknown_hostname, permit

More deprecated syntax here. Also, why did you split out into so many
restriction stages? I find that harder to follow than to keep them all
in one linear stage. If the goal was to keep all CLIENT based
restrictions under smtpd_client_restrictions and all HELO/EHLO based
restrictions under smtpd_helo_restrictions, you failed at that by
including a HELO restriction in smtpd_client_restrictions.

> smtpd_milters = inet:127.0.0.1:12345
> smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10030, check_policy_service inet:127.0.0.1:12525, check_client_access hash:/etc/postfix/tables/blacklist, check_sender_access hash:/etc/postfix/tables/senderaccess, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_invalid_hostname, permit_mynetworks, reject_unauth_pipelining, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_unknown_client, permit

More of the same here.
> smtpd_reject_unlisted_sender = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/fullchain.pem
> smtpd_tls_ciphers = high
> smtpd_tls_dh1024_param_file = ${config_directory}/dh/dh2048.pem
> smtpd_tls_dh512_param_file = ${config_directory}/dh/dh512.pem
> smtpd_tls_key_file = /etc/letsencrypt/live/de-fra.silviosiefke.com/privkey.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtpd_tls_protocols = !SSLv2,!SSLv3
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
> soft_bounce = no
> tls_export_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ALL:!aNULL:!ADH:!3DES:!EXP:!RC4:!kKRB5:!aDSS:!DES:!aPSK:!kECDH:!RC2:!IDEA:!SEED:!CAMELLIA:!AES128-SHA
> tls_preempt_cipherlist = yes
> unknown_address_reject_code = 554
> unknown_client_reject_code = 554
> unknown_hostname_reject_code = 554
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/tables/virtual
> virtual_mailbox_base = /

This setting is explicitly not recommended in the documentation.
> virtual_mailbox_domains = $mydomain, silviosiefke.de, silviosiefke.fr
>
> < master.cf >
>
> smtp       inet  n  -  n  -     1  postscreen
>   -o smtpd_proxy_filter=localhost:10025
>   -o smtpd_client_connection_count_limit=10
>   -o smtpd_proxy_options=speed_adjust
>
> # fuglu include
> 127.0.0.1:10026 inet n  -  n  -  -  smtpd
>   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o smtpd_data_restrictions=
>   -o mynetworks=127.0.0.0/8
>   -o receive_override_options=no_unknown_recipient_checks
>
> smtpd      pass  -  -  n  -     -  smtpd
>   -o smtpd_proxy_filter=localhost:10025
>   -o smtpd_sasl_auth_enable=no
>
> dnsblog    unix  -  -  n  -     0  dnsblog
> tlsproxy   unix  -  -  n  -     0  tlsproxy
>
> submission inet  n  -  n  -     -  smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
>   -o smtpd_tls_dh1024_param_file=/etc/postfix/dh/dh2048.pem
>
> pickup     unix  n  -  n  60    1  pickup
> cleanup    unix  n  -  n  -     0  cleanup
> qmgr       unix  n  -  n  300   1  qmgr
> #qmgr      unix  n  -  n  300   1  oqmgr
> tlsmgr     unix  -  -  n  1000? 1  tlsmgr
> rewrite    unix  -  -  n  -     -  trivial-rewrite
> bounce     unix  -  -  n  -     0  bounce
> defer      unix  -  -  n  -     0  bounce
> trace      unix  -  -  n  -     0  bounce
> verify     unix  -  -  n  -     1  verify
> flush      unix  n  -  n  1000? 0  flush
> proxymap   unix  -  -  n  -     -  proxymap
> proxywrite unix  -  -  n  -     1  proxymap
> smtp       unix  -  -  n  -     -  smtp
> relay      unix  -  -  n  -     -  smtp
> #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq      unix  n  -  n  -     -  showq
> error      unix  -  -  n  -     -  error
> retry      unix  -  -  n  -     -  error
> discard    unix  -  -  n  -     -  discard
> local      unix  -  n  n  -     -  local
> virtual    unix  -  n  n  -     -  virtual
> lmtp       unix  -  -  n  -     -  lmtp
> anvil      unix  -  -  n  -     1  anvil
> scache     unix  -  -  n  -     1  scache

-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
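An added triage script, not part of rob0's reply or of Postfix itself, that reads postscreen log lines like the ones quoted above and pairs the "450 4.3.2" deferral with the "PASS NEW" that follows it, which is exactly what the after-220 tests produce for a not-yet-whitelisted client. The sample log is constructed from the quoted session with placeholder addresses, plus a hypothetical retry from the same client and a hypothetical DNSBL rejection of another one.

```python
import re
from collections import defaultdict

# Constructed sample based on the postscreen lines quoted in the thread
# (addresses replaced by placeholders) plus a hypothetical retry from the
# same client and a hypothetical DNSBL rejection of another one.
SAMPLE_LOG = """\
Jul  5 15:21:25 mx postfix/postscreen[3244]: CONNECT from [74.125.82.44]:37019 to [178.254.26.48]:25
Jul  5 15:21:31 mx postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [74.125.82.44]:37019: 450 4.3.2 Service currently unavailable; from=<sender@example.net>, to=<rcpt@example.org>, proto=ESMTP, helo=<mail-wm0-f44.google.com>
Jul  5 15:21:31 mx postfix/postscreen[3244]: HANGUP after 0.14 from [74.125.82.44]:37019 in tests after SMTP handshake
Jul  5 15:21:31 mx postfix/postscreen[3244]: PASS NEW [74.125.82.44]:37019
Jul  5 15:30:02 mx postfix/postscreen[3244]: CONNECT from [74.125.82.44]:40110 to [178.254.26.48]:25
Jul  5 15:30:02 mx postfix/postscreen[3244]: PASS OLD [74.125.82.44]:40110
Jul  5 15:31:10 mx postfix/postscreen[3244]: NOQUEUE: reject: RCPT from [198.51.100.7]:5123: 550 5.7.1 Service unavailable; client [198.51.100.7] blocked using zen.spamhaus.org; from=<x@example.com>, to=<rcpt@example.org>, proto=ESMTP, helo=<bad.example>
"""
EVENT_RE = re.compile(r"postfix/postscreen\[\d+\]: (?P<event>.+?\[(?P<ip>[^\]]+)\]:\d+.*)$")

def classify(event):
    """Reduce one postscreen event to a flag; None for CONNECT/HANGUP/etc."""
    if event.startswith("NOQUEUE: reject:"):
        return "deferred" if " 450 " in event else "rejected"  # 4xx = try later, 5xx = final
    if event.startswith("PASS NEW"):
        return "pass_new"  # survived the after-220 tests, whitelisted from now on
    if event.startswith("PASS OLD"):
        return "pass_old"  # already whitelisted, handed straight to smtpd
    return None

def triage(log_text):
    """Map each client IP to a verdict on what postscreen did with it."""
    flags = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m and (flag := classify(m.group("event"))):
            flags[m.group("ip")].add(flag)
    verdicts = {}
    for ip, f in flags.items():
        if "rejected" in f:
            verdicts[ip] = "rejected"
        elif "pass_old" in f:
            verdicts[ip] = "whitelisted, retry reached smtpd"
        elif "deferred" in f and "pass_new" in f:
            verdicts[ip] = "deferred by after-220 tests, whitelisted, awaiting retry"
        else:
            verdicts[ip] = "deferred, not yet whitelisted"
    return verdicts
```

A client that shows only the first verdict is behaving as POSTSCREEN_README describes: it was told to come back later and will be let through on its next attempt, so the fix is either to wait for the retry or to whitelist it up front via postscreen_dnsbl_whitelist_threshold.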
