Re: Postfix as backup MX

2019-10-02 Thread subscription1

Thanks Peter for the detailed information.

Given that I run this mail server just for my family and in light of 
your advice, I probably don't need the backup.


Thanks,

Leo

On 23/9/19 5:49 pm, Peter wrote:

On 23/09/19 1:24 PM, subscription1 wrote:
I've been running my own Postfix (Dovecot, MySQL, Rspamd) server 
thanks to these instructions 
(https://thomas-leister.de/en/mailserver-debian-stretch/ ) for more 
than a year without any issues.


I'm using a paid service (Mail Reflector) to handle the times my 
server is down or (initially) to get my mail server up and running.


I'd like to set up another server as a backup and while there are some 
"How To"s out there, they seem to be 'ignoring' spam and/or security 
issues.


Could I just use the same approach I used when setting up my current 
server with the exception of the following:


 1. No virtual mailboxes on the backup
 2. with an empty smtp_recipients_maps
 3. with relay_domains = $mydestination mydomain.com


This is asking for trouble.  Spammers target backup MXes because they 
typically have fewer anti-spam protections than the primary MXes.  In 
this particular case you are accepting mail to literally anyone, and 
when you attempt to forward mail on to your primary for a user that 
does not exist you will end up creating a bounce message.  If the 
envelope sender is spoofed (and it typically is in SPAM) then your 
backup MX becomes a source of backscatter and exacerbates the SPAM 
problem greatly.  If your backup MX doesn't have as good anti-spam 
protections as your primary, or even if they are different in any way, 
then you end up giving spammers an easy target to bypass your best 
anti-spam protections.


Backup MXes are a relic from times past when servers were oftentimes 
on dialup connections and hence not available 24/7.  Today they 
typically cause more problems than they solve.  Submission servers 
should (and typically will) retry messages for up to five days if your 
server is offline, and so backup MXes are rarely needed.  If you think 
you need a backup MX then rethink.  If you absolutely must have a 
backup MX then you should follow these guidelines:


* Make sure your backup MX has exactly the same anti-spam protections 
as your primary MX.


* Keep an up to date list of valid recipients and *reject* mail to any 
invalid recipient on the backup MX.


* If your primary MX enforces quotas of any type then you should 
attempt to enforce those same quotas on the backup MX.


* Don't use 3rd-party services for backup MX, they will rarely, if 
ever, be able to copy your exact anti-spam protections and restrictions.


* If you really need a high availability environment for your mail 
consider a 2nd primary with the same priority instead of a backup.  It 
will serve the same purpose as a backup with the additional benefit 
that it won't be sitting idle most of the time but actually be 
handling part of the load all of the time.


All of this said, you very likely don't need a backup MX and without a 
lot of planning, effort and thought it can actually make things much 
worse for you than if you didn't have one at all, plus the benefits of 
having a backup MX are almost non-existent nowadays.  In short, just 
don't do it.



Peter
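
Peter's guideline of keeping a recipient list on the backup and rejecting everything else, written as Postfix main.cf settings (an added example, not from the thread; mydomain.com, the map paths and the primary's hostname are placeholders). The first fragment is what items 2 and 3 of the question amount to, the second refuses unknown users at RCPT TO so no bounce is ever generated for them.

```conf
# --- As proposed in the question: relay for the domain with no recipient list.
# Every RCPT TO for mydomain.com is accepted; an unknown user is only
# discovered when the primary refuses the forwarded message, at which
# point this host bounces to the (usually forged) envelope sender.
relay_domains = $mydestination mydomain.com
relay_recipient_maps =

# --- Hardened backup MX (added example): relay only for mydomain.com and
# only for addresses listed in a table regenerated from the same account
# database the primary uses for virtual_mailbox_maps.
relay_domains = mydomain.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# With relay_recipient_maps non-empty, Postfix's default
# smtpd_reject_unlisted_recipient = yes answers unlisted users at RCPT TO
# with 550 "User unknown in relay recipient table" instead of queueing them.
smtpd_reject_unlisted_recipient = yes
smtpd_relay_restrictions =
    permit_mynetworks
    reject_unauth_destination
# Keep the client/helo restrictions and the milter identical to the
# primary's postconf -n (the same rspamd milter the thread's config uses).
smtpd_milters = inet:localhost:11332
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
# Optional: hand relayed mail straight to the primary's hostname.
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/relay_recipients  (then: postmap /etc/postfix/relay_recipients)
#   leo@mydomain.com          OK
#   postmaster@mydomain.com   OK
# /etc/postfix/transport         (then: postmap /etc/postfix/transport)
#   mydomain.com              smtp:[mail.mydomain.com]
```

The recipient table has to be re-exported whenever an account is added or removed on the primary, otherwise the backup starts refusing legitimate mail or, worse, quietly reverts to accepting everything if the file is emptied.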


Postfix as backup MX

2019-09-22 Thread subscription1
I've been running my own Postfix (Dovecot, MySQL, Rspamd) server thanks 
to these instructions 
(https://thomas-leister.de/en/mailserver-debian-stretch/ ) for more than 
a year without any issues.


I'm using a paid service (Mail Reflector) to handle the times my server 
is down or (initially) to get my mail server up and running.


I'd like to set up another server as a backup and while there are some "How 
To"s out there, they seem to be 'ignoring' spam and/or security issues.


Could I just use the same approach I used when setting up my current 
server with the exception of the following:


1. No virtual mailboxes on the backup
2. with an empty smtp_recipients_maps
3. with relay_domains = $mydestination mydomain.com

Thanks,

Leo



Re: warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197

2019-07-01 Thread subscription1

I think I found the issue.

I just found that the reverse DNS entry at the service provider had the 
dc1.xxx.com.au entry.


Thanks


On 1/7/19 3:24 pm, subscription1 wrote:

I'd appreciate your help with the following:

I'm looking after two servers on 2 different domains. During testing I 
found the following issue.


On the sending server I get the following

Jul  1 14:18:24 mail postfix/smtp[2135]: 9172F5FA8D: host 
mail1..com[xxx.xxx.231.229] said: 450 4.7.25 Client host rejected: 
cannot find your hostname, [xxx.xxx.73.197] (in reply to RCPT TO command)


On the receiving server I get:

Jul  1 06:18:21 mail1 postfix/postscreen[19345]: CONNECT from 
[xxx.xxx.73.197]:44014 to [xxx.xxx.231.229]:25
Jul  1 06:18:21 mail1 postfix/postscreen[19345]: PASS OLD 
[xxx.xxx.73.197]:44014
Jul  1 06:18:21 mail1 postfix/smtpd[19348]: warning: hostname 
dc1.xxx.com.au does not resolve to address xxx.xxx.73.197: Name or 
service not known
Jul  1 06:18:21 mail1 postfix/smtpd[19348]: connect from 
unknown[xxx.xxx.73.197]
Jul  1 06:18:24 mail1 postfix/smtpd[19348]: NOQUEUE: reject: RCPT from 
unknown[xxx.xxx.73.197]: 450 4.7.25 Client host rejected: cannot find 
your hostname, [150.107.73.197]; from= to= 
proto=ESMTP helo=


I can ping 'mail.xxx.net' on this server ok.

Sending Server postconf -n output


alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
delay_warning_time = 4h
inet_interfaces = 127.0.0.1, ::1, xxx.xxx.73.197
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 52428800
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = xxx.net
myhostname = mail.xxx.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:11332
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 zen.spamhaus.org*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = mail.xxx.net
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/2803b51614cb032f.crt
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/ssl/private/wildcard.xxx.net.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp



Sending Server postconf -Mf  output ---


smtp   inet  n   -   y   -   1 postscreen
    -o smtpd_sasl_auth_enable=no
smtpd  pass  -   -   y   -   -   smtpd
dnsblog    unix  -   -   y   -   0   dnsblog
tlsproxy   unix  -   -   y   -   0   tlsproxy
9925   inet  n  
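
The rejection in this thread comes from reject_unknown_client_hostname, which needs the client IP's PTR name to resolve back to that IP. The following added example (not Postfix code) emulates that decision over constructed DNS tables that mirror the thread's situation: a reverse entry pointing at a name with no address record, beside a correctly configured one. All IPs and hostnames are placeholders.

```python
"""Emulates the decision behind Postfix's reject_unknown_client_hostname.

Postfix rejects the client when (1) its IP has no PTR record, (2) the PTR
name has no address record, or (3) the name's addresses do not include the
client IP.  DNS is replaced by constructed in-memory tables so this runs
offline; it is an added example, not Postfix code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed DNS data modelled on the thread: the provider's reverse entry
# for the sending IP named a host with no address record, while the intended
# name resolves correctly.  192.0.2.0/24 is documentation space; names are
# placeholders.
PTR: Dict[str, str] = {
    "192.0.2.197": "dc1.example.com.au",  # stale reverse entry, no A record
    "192.0.2.198": "mail.example.net",    # correct forward-confirmed rDNS
    "192.0.2.200": "mail.example.net",    # PTR exists but forward mismatches
}
FORWARD: Dict[str, List[str]] = {"mail.example.net": ["192.0.2.198"]}
UNKNOWN_CLIENT_REJECT_CODE = 450  # Postfix default; matches the thread's logs


@dataclass
class Verdict:
    action: str                    # "permit" or "reject"
    client_name: str               # name Postfix would log, or "unknown"
    warning: Optional[str] = None  # smtpd warning text, if any

    def smtp_reply(self, ip: str) -> str:
        """RCPT-stage reply in the format seen in the thread's logs."""
        if self.action == "permit":
            return "250 2.1.5 Ok"
        return (f"{UNKNOWN_CLIENT_REJECT_CODE} 4.7.25 Client host rejected: "
                f"cannot find your hostname, [{ip}]")


def check_client_hostname(ip: str, ptr: Dict[str, str] = PTR,
                          forward: Dict[str, List[str]] = FORWARD) -> Verdict:
    """Forward-confirmed reverse DNS check against a pluggable resolver table."""
    name = ptr.get(ip)
    if name is None:  # case 1: no PTR; Postfix just logs the client as unknown
        return Verdict("reject", "unknown", f"no PTR record for {ip}")
    addrs = forward.get(name)
    if not addrs:  # case 2: the PTR name has no A/AAAA record
        return Verdict("reject", "unknown",
                       f"hostname {name} does not resolve to address {ip}: "
                       "Name or service not known")
    if ip not in addrs:  # case 3: name resolves, but not back to the client IP
        return Verdict("reject", "unknown",
                       f"hostname {name} does not resolve to address {ip}")
    return Verdict("permit", name)


if __name__ == "__main__":
    for ip in ("192.0.2.197", "192.0.2.198", "192.0.2.200", "192.0.2.1"):
        v = check_client_hostname(ip)
        print(ip, v.action, v.client_name, v.warning or "-", v.smtp_reply(ip))
```

The fix found in the thread corresponds to repointing the 192.0.2.197 PTR at the name that FORWARD maps back to it; the weaker reject_unknown_reverse_client_hostname restriction performs only step (1).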

warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197

2019-06-30 Thread subscription1

I'd appreciate your help with the following:

I'm looking after two servers on 2 different domains. During testing I 
found the following issue.


On the sending server I get the following

Jul  1 14:18:24 mail postfix/smtp[2135]: 9172F5FA8D: host 
mail1..com[xxx.xxx.231.229] said: 450 4.7.25 Client host rejected: 
cannot find your hostname, [xxx.xxx.73.197] (in reply to RCPT TO command)


On the receiving server I get:

Jul  1 06:18:21 mail1 postfix/postscreen[19345]: CONNECT from 
[xxx.xxx.73.197]:44014 to [xxx.xxx.231.229]:25
Jul  1 06:18:21 mail1 postfix/postscreen[19345]: PASS OLD 
[xxx.xxx.73.197]:44014
Jul  1 06:18:21 mail1 postfix/smtpd[19348]: warning: hostname 
dc1.xxx.com.au does not resolve to address xxx.xxx.73.197: Name or 
service not known
Jul  1 06:18:21 mail1 postfix/smtpd[19348]: connect from 
unknown[xxx.xxx.73.197]
Jul  1 06:18:24 mail1 postfix/smtpd[19348]: NOQUEUE: reject: RCPT from 
unknown[xxx.xxx.73.197]: 450 4.7.25 Client host rejected: cannot find 
your hostname, [150.107.73.197]; from= to= 
proto=ESMTP helo=


I can ping 'mail.xxx.net' on this server ok.

Sending Server postconf -n output


alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
delay_warning_time = 4h
inet_interfaces = 127.0.0.1, ::1, xxx.xxx.73.197
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 52428800
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = xxx.net
myhostname = mail.xxx.net
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:11332
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 zen.spamhaus.org*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = drop
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = high
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = mail.xxx.net
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/2803b51614cb032f.crt
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/ssl/private/wildcard.xxx.net.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp



Sending Server postconf -Mf  output ---


smtp   inet  n   -   y   -   1 postscreen
    -o smtpd_sasl_auth_enable=no
smtpd  pass  -   -   y   -   -   smtpd
dnsblog    unix  -   -   y   -   0   dnsblog
tlsproxy   unix  -   -   y   -   0   tlsproxy
9925   inet  n   -   y   -   -   smtpd
submission inet  n   -   y   -   -   smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o 

Re: postfix/smtp Connection timeout

2019-06-04 Thread subscription1

Thanks. That was the problem

Leo

On 4/6/19 10:53 pm, Bill Cole wrote:

On 4 Jun 2019, at 8:23, subscription1 wrote:


telnet on the working server shows

---

 >>> telnet 203.205.219.57 25
Trying 203.205.219.57...
Connected to 203.205.219.57.
Escape character is '^]'.
220 newxmmxsza20.qq.com MX QQ Mail Server.
^]
telnet>



On the failing server I get

---

 >>> telnet 203.205.219.57 25
Trying 203.205.219.57...

--

I can ping 203.205.219.57 from both servers


This is a symptom of your network provider blocking port 25 outbound. 
That has long been the norm for residential/recreational service and 
in recent years it has expanded to the low-end hosting market 
(including Amazon and OVH,) where it is now common for hosting 
providers to block port 25 outbound by default and either provide an 
authenticated relay service (e.g. Amazon SES) or to unblock the port 
by customer request. Making the issue more complex, some providers 
have implemented port 25 blocking unevenly, so that some of their 
customers or networks are unblocked despite the official practice.





Re: postfix/smtp Connection timeout

2019-06-04 Thread subscription1
The two servers are on different machines (different continents, 
actually) and different domains.


I've sent an email to the same (non-existent) recipient.

On the working server I get this

---

Jun  4 14:06:50 mail1 postfix/submission/smtpd[13650]: connect from 
unknown[210.185.104.16]
Jun  4 14:06:55 mail1 postfix/submission/smtpd[13650]: 312BA29EC56: 
client=unknown[210.185.104.16], sasl_method=PLAIN, 
sasl_username=po...@zudiewiener.com
Jun  4 14:06:55 mail1 postfix/cleanup[13654]: 312BA29EC56: 
message-id=
Jun  4 14:06:56 mail1 postfix/qmgr[1668]: 312BA29EC56: 
from=, size=397, nrcpt=1 (queue active)
Jun  4 14:06:56 mail1 postfix/submission/smtpd[13650]: disconnect from 
unknown[210.185.104.16] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 
quit=1 commands=8
Jun  4 14:07:04 mail1 postfix/smtp[13655]: 312BA29EC56: 
to=, relay=mx3.qq.com[203.205.219.57]:25, delay=12, 
delays=2.7/0.03/8.3/0.55, dsn=5.0.0, status=bounced (host 
mx3.qq.com[203.205.219.57] said: 550 Mailbox not found. 
http://service.mail.qq.com/cgi-bin/help?subtype=1&=20022&=1000728 
(in reply to RCPT TO command))
Jun  4 14:07:05 mail1 postfix/cleanup[13661]: 6F1F529EC5A: 
message-id=<20190604120705.6f1f529e...@mail1.zudiewiener.com>
Jun  4 14:07:05 mail1 postfix/bounce[13660]: 312BA29EC56: sender 
non-delivery notification: 6F1F529EC5A
Jun  4 14:07:05 mail1 postfix/qmgr[1668]: 6F1F529EC5A: from=<>, 
size=2689, nrcpt=1 (queue active)

Jun  4 14:07:05 mail1 postfix/qmgr[1668]: 312BA29EC56: removed
Jun  4 14:07:05 mail1 postfix/lmtp[13662]: 6F1F529EC5A: 
to=, 
relay=mail1.zudiewiener.com[private/dovecot-lmtp], delay=0.05, 
delays=0.02/0.01/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 
 AFPWHOle9lxfNQAAHQghHA Saved)

Jun  4 14:07:05 mail1 postfix/qmgr[1668]: 6F1F529EC5A: removed



On the failed server I get

---

Jun  4 22:07:38 mail postfix/submission/smtpd[14146]: connect from 
unknown[210.185.104.16]
Jun  4 22:07:39 mail postfix/submission/smtpd[14146]: B4C025FA97: 
client=unknown[210.185.104.16], sasl_method=PLAIN, 
sasl_username=ll...@dragonclaw.net
Jun  4 22:07:39 mail postfix/cleanup[14149]: B4C025FA97: 
message-id=<55b8c045-0fb9-bece-dd68-9f793260c...@dragonclaw.net>
Jun  4 22:07:41 mail postfix/qmgr[11467]: B4C025FA97: 
from=, size=395, nrcpt=1 (queue active)
Jun  4 22:07:41 mail postfix/submission/smtpd[14146]: disconnect from 
unknown[210.185.104.16] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 
quit=1 commands=8
Jun  4 22:08:12 mail postfix/smtp[14150]: connect to 
mx3.qq.com[203.205.219.57]:25: Connection timed out
Jun  4 22:08:12 mail postfix/smtp[14150]: connect to 
mx3.qq.com[2001:df6:f400::2808]:25: Network is unreachable
Jun  4 22:08:12 mail postfix/smtp[14150]: connect to 
mx2.qq.com[2001:df6:f400::2808]:25: Network is unreachable





The telnet on the working server shows

---

>>> telnet 203.205.219.57 25
Trying 203.205.219.57...
Connected to 203.205.219.57.
Escape character is '^]'.
220 newxmmxsza20.qq.com MX QQ Mail Server.
^]
telnet>




On the failing server I get

---

>>> telnet 203.205.219.57 25
Trying 203.205.219.57...

--


I can ping 203.205.219.57 from both servers

Thanks

Leo

On 4/6/19 9:19 pm, Wietse Venema wrote:

subscription1:

Jun  4 17:21:11 mail postfix/smtp[11505]: connect to
mail1.zudiewiener.com[173.212.231.229]:25: Connection timed out

Do the two mail servers run on different machines, each with
a different IP address?

Does 'telnet 173.212.231.229 25' work from both machines,
or does it work only from one machine?

Wietse


postfix/smtp Connection timeout

2019-06-04 Thread subscription1

Hi,

I have two mail servers configured the same way. A diff of the output of

postconf -n

shows only (expected) differences for

inet_interfaces
mydomain
myhostname
smtpd_banner
smtpd_tls_cert_file
smtpd_tls_key_file

I can send emails from my client from one without fail, while I get 
connection timeout errors for the other.




Jun  4 17:20:39 mail postfix/submission/smtpd[11500]: connect from 
unknown[210.185.104.16]
Jun  4 17:20:40 mail postfix/submission/smtpd[11500]: 161365FA82: 
client=unknown[210.185.104.16], sasl_method=PLAIN, 
sasl_username=ll...@dragonclaw.net
Jun  4 17:20:40 mail postfix/cleanup[11504]: 161365FA82: 
message-id=<6accc68a-c0b4-033a-f633-2cc22ef5e...@dragonclaw.net>
Jun  4 17:20:41 mail postfix/qmgr[11467]: 161365FA82: 
from=, size=404, nrcpt=1 (queue active)
Jun  4 17:20:41 mail postfix/submission/smtpd[11500]: disconnect from 
unknown[210.185.104.16] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 
quit=1 commands=8
Jun  4 17:21:11 mail postfix/smtp[11505]: connect to 
mail1.zudiewiener.com[173.212.231.229]:25: Connection timed out
Jun  4 17:21:41 mail postfix/smtp[11505]: connect to 
mail1.no-ip.com[8.23.224.50]:25: Connection timed out
Jun  4 17:22:11 mail postfix/smtp[11505]: connect to 
mail2.no-ip.com[69.65.5.119]:25: Connection timed out


-

Thanks for any help to resolve this.

Leo