Re: mail for 'root' delivery blocked :(

[Jean-François Bachelet]

Hello raf ^^)

Le 28/07/2021 à 08:54, raf a écrit :
On Wed, Jul 28, 2021 at 06:21:55AM +0200, Jean-François Bachelet 
<jfbache...@free.fr> wrote:

Hello ^^)

I have some problems with my postfix install, will report one by one :

I have activated the 'soft_bounce = yes' option in main.cf to see what
happens.


1 / Mail sent by some daemons running as 'root' (here it's Pflogsumm, per
example) with 'r...@server.mydomain.com'

for 'r...@server.domain.com' are bounced/rejected, as reported in
'/var/spool/postfix/defer/' :

----------------------------------------------------------------------------------------------------------------------
<r...@server.mydomain.com>: mail for server.mydomain.com loops back to
myself
recipient=r...@server.mydomain.com
offset=780
dsn_orig_rcpt=rfc822;r...@server.mydomain.com
status=4.4.6
action=delayed
reason=mail for server.mydomain.com loops back to myself

---------------------------------------------------------------------------------------------------------------------


in the '/var/spool/postfix/deferred' dir I find the 'pflogsumm' mail  for
'root'

----------------------------------------------------------------------------------------------------------------------

Postfix log summaries for Jul 28

Grand Totals
------------
messages

      14   received
       9   delivered
       0   forwarded
       0   deferred
       4   bounced
       0   rejected (0%)
       0   reject warnings
       0   held
       0   discarded (0%)

   78102   bytes received
   50082   bytes delivered
       1   senders
       1   sending hosts/domains
       2   recipients
       2   recipient hosts/domains


Per-Hour Traffic Summary
------------------------
     time          received  delivered   deferred    bounced     rejected
     --------------------------------------------------------------------
     0000-0100           0          0          0          0          0
     0100-0200           2          1          0          2          0
     0200-0300           0          0          0          0          0
     0300-0400           4          2          0          2          0
     0400-0500           8          6          0          0          0
     0500-0600           0          0          0          0          0
     0600-0700           0          0          0          0          0
     0700-0800           0          0          0          0          0
     0800-0900           0          0          0          0          0
     0900-1000           0          0          0          0          0
     1000-1100           0          0          0          0          0
     1100-1200           0          0          0          0          0
     1200-1300           0          0          0          0          0
     1300-1400           0          0          0          0          0
     1400-1500           0          0          0          0          0
     1500-1600           0          0          0          0          0
     1600-1700           0          0          0          0          0
     1700-1800           0          0          0          0          0
     1800-1900           0          0          0          0          0
     1900-2000           0          0          0          0          0
     2000-2100           0          0          0          0          0
     2100-2200           0          0          0          0          0
     2200-2300           0          0          0          0          0
     2300-2400           0          0          0          0          0

Host/Domain Summary: Message Delivery
--------------------------------------
  sent cnt  bytes   defers   avg dly max dly host/domain
  -------- -------  -------  ------- ------- -----------
       5    25140        0     0.3 s    0.4 s  server.mydomain.com
       4    24942        0     3.2 s    6.5 s  me@my_email.fr

Host/Domain Summary: Messages Received
---------------------------------------
  msg cnt   bytes   host/domain
  -------- -------  -----------
      14    78102   server.mydomain.com

Senders by message count
------------------------
      14r...@server.mydomain.com

Recipients by message count
---------------------------
       5r...@dserver.mydomain.com
       4me@my_email.fr

Senders by message size
-----------------------
   78102r...@server.mydomain.com

Recipients by message size
--------------------------
   25140r...@server.mydomain.com
   24942me@my_email.fr

message deferral detail: none

message bounce detail (by relay)
--------------------------------
   none (total: 4)
          4   mail for server.mydomain.com loops back to myself

message reject detail: none

message reject warning detail: none

message hold detail: none

message discard detail: none

smtp delivery failures: none

Warnings
--------
   anvil (total: 6)
          6   /etc/postfix/main.cf, line 704: overriding earlier entry: smtpd...
   bounce (total: 4)
          2   /etc/postfix/main.cf, line 704: overriding earlier entry: smtpd...
          2   /etc/postfix/main.cf, line 705: overriding earlier entry: smtpd...
   cleanup (total: 2)
          2   /etc/postfix/main.cf, line 704: overriding earlier entry: smtpd...
   master (total: 6)
          6   /etc/postfix/main.cf, line 710: overriding earlier entry: smtpd...
   pickup (total: 5)
          3   /etc/postfix/main.cf, line 704: overriding earlier entry: smtpd...
          2   /etc/postfix/main.cf, line 710: overriding earlier entry: smtpd...
   postdrop (total: 2)
          2   /etc/postfix/main.cf, line 704: overriding earlier entry: smtpd...
   postfix (total: 3)
          3   /etc/postfix/main.cf, line 710: overriding earlier entry: smtpd...
   postfix-script (total: 5)
          5   symlink leaves directory:/etc/postfix/./makedefs.out
   postlog (total: 5)
          5   /etc/postfix/main.cf, line 710: overriding earlier entry: smtpd...
   postsuper (total: 2)
          2   /etc/postfix/main.cf, line 710: overriding earlier entry: smtpd...
   qmgr (total: 2)
          2   /etc/postfix/main.cf, line 710: overriding earlier entry: smtpd...
   sendmail (total: 2)
          2   /etc/postfix/main.cf, line 704: overriding earlier entry: smtpd...
   smtp (total: 6)
          4   /etc/postfix/main.cf, line 704: overriding earlier entry: smtpd...
          2   /etc/postfix/main.cf, line 705: overriding earlier entry: smtpd...
   smtpd (total: 8)
          8   /etc/postfix/main.cf, line 704: overriding earlier entry: smtpd...
   trivial-rewrite (total: 4)
          2   /etc/postfix/main.cf, line 704: overriding earlier entry: smtpd...
          2   /etc/postfix/main.cf, line 705: overriding earlier entry: smtpd...

Fatal Errors: none

Panics: none

Master daemon messages
----------------------
       5   daemon started -- version 3.4.14, configuration /etc/postfix
       2   terminating on signal 15

------------------------------------------------------------------------------------------------------------------


as you can see messages sent by 'pflogsumm for 'root' are pruned, and if I
tell 'pflogsumm' to send to me directly messages are delivered fine to my
personal mailbox


I don't understand as in the 'aliases' file I have set 'root:
me@my_email.fr' so mail sent to 'root' should end in my personal mailbox...

Postfix problems should be reported to 'postmaster' too (in aliases it's set
to deliver to root) and it's not, but I don't find any bounced or
rejected/deffered

messages for 'postmaster' in the entire '/var/spool/postfix' dir...


what can prevent the aliases to work there ?

the aliases file :

------------------------------------------------------------

# See man 5 aliases for format
postmaster:     root
clamav:         root
  root:           me@my_email.fr
------------------------------------------------------------


there is a lot of warnings at the end of the report too. that warnings are
the reason of my second question/problem :


2 / in the Postfix logfile '/var/log/mail.warn' I find the whole lines
reported in the 'pflogsumm' warnings :

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Jul 28 03:56:52 discovery postfix/postfix-script[1525]: warning: symlink
leaves directory: /etc/postfix/./makedefs.out
Jul 28 04:05:16 discovery postfix/postfix-script[1185]: warning: symlink
leaves directory: /etc/postfix/./makedefs.out
Jul 28 05:10:16 discovery postfix/trivial-rewrite[1830]: warning:
/etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:10:16 discovery postfix/smtp[1831]: warning: /etc/postfix/main.cf,
line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:10:16 discovery postfix/bounce[1832]: warning:
/etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:15:16 discovery postfix/trivial-rewrite[1841]: warning:
/etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:15:16 discovery postfix/smtp[1842]: warning: /etc/postfix/main.cf,
line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:15:16 discovery postfix/bounce[1843]: warning:
/etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:25:10 discovery postfix/sendmail[1882]: warning:
/etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:25:10 discovery postfix/postdrop[1883]: warning:
/etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:25:10 discovery postfix/cleanup[1884]: warning:
/etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:25:10 discovery postfix/trivial-rewrite[1885]: warning:
/etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:25:10 discovery postfix/smtp[1886]: warning: /etc/postfix/main.cf,
line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:25:10 discovery postfix/smtpd[1889]: warning:
/etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:25:10 discovery postfix/smtp[1891]: warning: /etc/postfix/main.cf,
line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:25:16 discovery postfix/bounce[1892]: warning:
/etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
Jul 28 05:40:21 discovery postfix/pickup[1958]: warning:
/etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

beside the habitual (on debian) 'makedefs.out' warning I have a problem with
my postfix configuration that I don't see how to correct it...

-----------------------------------------------------------

~# postconf -n

postconf: warning: /etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 2147483648
mailq_path = /usr/bin/mailq
message_size_limit = 10485760
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = my_domainFQDN.com
myhostname = mail.my_domainFQDN.com
mynetworks = 127.0.0.0/8, 10.0.0.0/24
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
sendmail_path = /usr/bin/postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_helo_restrictions = reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
(the line #705) : smtpd_recipient_restrictions = reject_invalid_hostname,
reject_unknown_recipient_domain, reject_unauth_destination,
reject_rbl_client sbl.spamhaus.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
soft_bounce = yes (for now, I'm debugging ;))
unknown_local_recipient_reject_code = 550

--------------------------------------------------------------------------


and what's exactly in 'main.cf' around that problematic 705 line :

--------------------------------------------------------------------------------------------------

692
693 # SMTP-Auth settings
694 smtpd_sasl_type = dovecot
695 smtpd_sasl_path = private/auth
696 smtpd_sasl_auth_enable = yes
697 smtpd_sasl_security_options = noanonymous
698 smtpd_sasl_local_domain = $myhostname
699 smtpd_recipient_restrictions = permit_mynetworks,
permit_auth_destination, permit_sasl_authenticated, reject
700
701 # Content Filter for Antivirus Scan (ClamAV + Amavis)
702 content_filter = smtp-amavis:[127.0.0.1]:10024
703
704 # SMTP Restrictions Defaults + Anti-Spam
705 smtpd_recipient_restrictions = reject_invalid_hostname,
706         reject_unknown_recipient_domain,
707         reject_unauth_destination,
708         reject_rbl_client sbl.spamhaus.org,
709         permit
710
711 smtpd_helo_restrictions = reject_invalid_helo_hostname,
712         reject_non_fqdn_helo_hostname,
713         reject_unknown_helo_hostname
714

---------------------------------------------------------------------------------------------------


I took the defaults 'SMTP Restrictions' stuff (line 704 to 713) in there :
https://wiki.debian.org/Postfix#anti-spam:_smtp_restrictions

btw now I think 'if this are SMTP restrictions, so why the 'smtpd' at
beginning of line 705 ???' shouln't it be 'smtp' there.

(same question for 'smtpd_helo' at line 711 : shouldn't it be 'smtp' there.)


that will explain the

postconf: warning: /etc/postfix/main.cf, line 705: overriding earlier entry:
smtpd_recipient_restrictions=permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject...


Thanks by advance to light my (postfix newbee) bulb ^^)

Jeff
Hi,

The "overriding earlier entry" warning means that you
have two definitions of smtpd_recipient_restrictions in
main.cf.

The first of them (above line 705, the one being
overridden) is:

  smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_auth_destination,
   permit_sasl_authenticated,
   reject

The second of them (at line 705, the one doing the
overriding) is:

  smtpd_recipient_restrictions =
   reject_invalid_hostname,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   reject_rbl_client
   sbl.spamhaus.org,
   permit

Postfix uses whichever comes last, and warns you about
the earlier ones. If the value in use is correct, then
delete the one that appears above it in main.cf, and
the warning should stop.

The makedefs.out warning can be stopped by deleting the
makedefs.out symlink, or by replacing it with the real
symlinked-to file in /usr/share/postfix/makedefs.out.

I can't see what's causing your real problem
(non-delivery to root), but a theory is that you have:

   local_recipient_maps = unix:passwd.byname $alias_maps

which is slightly different to the default:

   local_recipient_maps = proxy:unix:passwd.byname $alias_maps

The difference means that access to /etc/passwd might
not work for postfix services that are chrooted. Just a
thought. It might be irrelevant.

You could try leaving local_recipient_maps at its
default, and see what happens.

One thing that seems strange to me is that
permit_mynetworks and permit_sasl_authenticated don't
appear in your smtpd_recipient_restrictions. These were
in the overridden value. Maybe you need to add them
back into your smtpd_recipient_restrictions. But again,
this might not be relevant to your problem.

I've tried to concatenate the two lines in one, putting the permit 
stances from line 699 after the line 709 like below

but that don't work either perhaps I should have commented out the line 
'permit' or put that permit lines before the reject ones ?

 smtpd_recipient_restrictions =
  reject_invalid_hostname,
  reject_unknown_recipient_domain,
  reject_unauth_destination,
  reject_rbl_client
  sbl.spamhaus.org,
  permit
  permit_mynetworks,
  permit_auth_destination,
  permit_sasl_authenticated,
  reject


There seem to be a lot of things in the postconf -n
output that match the default values (e.g.
newaliases_path, setgid_group, ...). They can be
removed from main.cf.

But there's one setting that seems very odd:

   sendmail_path = /usr/bin/postfix

ouch, there was a typo it's sbin or bin :(

corrected :

647 # sendmail_path: The full pathname of the Postfix sendmail command.
648 # This is the Sendmail-compatible mail posting interface.
649 #
650 sendmail_path = /usr/sbin/sendmail


that is like that in this tuto : 
https://www.server-world.info/en/note?os=Debian_10&p=mail&f=1

I think it's an error that has never been reported to the site webmaster...

(postfix newbee I said ;))


Is there a good reason for that? It would normally be

   sendmail_path = /usr/sbin/sendmail

You could try removing that and seeing if it helps.

As for the real problem "mail for server.mydomain.com
loops back to myself", maybe "server.mydomain.com"
should be in $mydestinations? If MX for
sender.mydomain.com is mail.my_domainFQDN.com but
mail.my_domainFQDN.com doesn't know to deliver mail for
sender.mydomain.com locally, then it might loop(?).
But don't trust me. I'm not an expert. This might be
a bad idea.

Good luck.

cheers,
raf