Re: Postfix as backup MX
Thanks Peter for the detailed information. Given that I run this mail server just for my family and in light of your advice, I probably don't need the backup.

Thanks,
Leo

On 23/9/19 5:49 pm, Peter wrote:
> On 23/09/19 1:24 PM, subscription1 wrote:
>> I've been running my own Postfix (Dovecot, MySQL, Rspamd) server thanks to these instructions (https://thomas-leister.de/en/mailserver-debian-stretch/) for more than a year without any issues. I'm using a paid service (Mail Reflector) to handle the times my server is down or (initially) to get my mail server up and running.
>>
>> I'd like to set up another server as a backup and while there are some "How To"s out there, they seem to be 'ignoring' spam and/or security issues.
>>
>> Could I just use the same approach I used when setting up my current server with the exception of the following:
>>
>> 1. No virtual mailboxes on the backup
>> 2. with an empty smtp_recipients_maps
>> 3. with relay_domains = $mydestination mydomain.com
>
> This is asking for trouble. Spammers target backup MXes because they typically have fewer anti-spam protections than the primary MXes. In this particular case you are accepting mail to literally anyone, and when you attempt to forward mail on to your primary for a user that does not exist you will end up creating a bounce message. If the envelope sender is spoofed (and it typically is in SPAM) then your backup MX becomes a source of backscatter and exacerbates the SPAM problem greatly.
>
> If your backup MX doesn't have as good anti-spam protections as your primary, or even if they are different in any way, then you end up giving spammers an easy target to bypass your best anti-spam protections.
>
> Backup MXes are a relic from times past when servers were often on dialup connections and hence not available 24/7. Today they typically cause more problems than they solve. Submission servers should (and typically will) retry messages for up to five days if your server is offline, and so backup MXes are rarely needed.
>
> If you think you need a backup MX then rethink. If you absolutely must have a backup MX then you should follow these guidelines:
>
> * Make sure your backup MX has exactly the same anti-spam protections as your primary MX.
> * Keep an up to date list of valid recipients and *reject* mail to any invalid recipient on the backup MX.
> * If your primary MX enforces quotas of any type then you should attempt to enforce those same quotas on the backup MX.
> * Don't use 3rd-party services for backup MX; they will rarely, if ever, be able to copy your exact anti-spam protections and restrictions.
> * If you really need a high availability environment for your mail, consider a 2nd primary with the same priority instead of a backup. It will serve the same purpose as a backup with the additional benefit that it won't be sitting idle most of the time but will actually be handling part of the load all of the time.
>
> All of this said, you very likely don't need a backup MX and without a lot of planning, effort and thought it can actually make things much worse for you than if you didn't have one at all, plus the benefits of having a backup MX are almost non-existent nowadays. In short, just don't do it.
>
> Peter
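The following is an added example, not code from the thread or from Postfix: a small Python model of the RCPT TO decision a backup MX makes, contrasting the proposed setup (relay_domains with no recipient map, so every address in the domain is accepted and unknown users later bounce) with Peter's guideline of keeping a current list of valid recipients and rejecting everything else at RCPT time. Domain names, addresses and the reply wording are constructed for illustration, modelled on Postfix's relay_recipient_maps behaviour.

```python
# Added example, not code from the thread: a model of the RCPT TO decision a
# Postfix-style backup MX makes, showing why an empty recipient map (the setup
# proposed in the question) turns the backup into a backscatter source and how
# a maintained relay_recipient_maps table prevents it. All names constructed.

RELAY_DOMAINS = {"example.org"}  # relay_domains on the backup MX

# Recipients exported from the primary's account table (constructed sample).
PRIMARY_ACCOUNTS = ["alice@example.org", "Bob@Example.org", "bob@example.org"]


def build_relay_recipient_map(addresses, relay_domains):
    """Build a relay_recipient_maps-style table from the primary's address list.

    Addresses are lower-cased and deduplicated; anything outside relay_domains
    is dropped, because the backup must never claim to relay for other domains.
    """
    table = {}
    for addr in addresses:
        addr = addr.strip().lower()
        if "@" in addr and addr.rsplit("@", 1)[1] in relay_domains:
            table[addr] = "ok"
    return table


def rcpt_decision(rcpt, relay_domains, recipient_map):
    """SMTP reply a backup MX gives at RCPT TO (wording modelled on Postfix).

    Order follows Postfix: reject_unauth_destination first, then the
    relay_recipient_maps check. An empty map means "accept every address".
    """
    rcpt = rcpt.strip().lower()
    domain = rcpt.rsplit("@", 1)[-1]
    if "@" not in rcpt or domain not in relay_domains:
        return "554 5.7.1 Relay access denied"
    if recipient_map and rcpt not in recipient_map:
        # Rejected at RCPT time: nothing is queued, so no bounce is ever sent
        # to the (usually forged) envelope sender.
        return "550 5.1.1 User unknown in relay recipient table"
    return "250 2.1.5 Ok"


def backscatter_risk(rcpt, relay_domains, recipient_map, primary_valid):
    """True when the backup accepts a recipient the primary will later reject:
    the backup then has to bounce the message to the envelope sender."""
    reply = rcpt_decision(rcpt, relay_domains, recipient_map)
    return reply.startswith("250") and rcpt.strip().lower() not in primary_valid


if __name__ == "__main__":
    good_map = build_relay_recipient_map(PRIMARY_ACCOUNTS, RELAY_DOMAINS)
    for rcpt in ("alice@example.org", "nobody@example.org", "alice@other.test"):
        print(f"{rcpt:20} no map:   {rcpt_decision(rcpt, RELAY_DOMAINS, {})}")
        print(f"{'':20} with map: {rcpt_decision(rcpt, RELAY_DOMAINS, good_map)}")
```

With no recipient map, nobody@example.org is accepted and can only be bounced later; with the map it is refused before anything is queued.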
Re: warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197
I think I found the issue. I just found that the reverse DNS entry at the service provider had the dc1.xxx.com.au entry.

Thanks

On 1/7/19 3:24 pm, subscription1 wrote:
> I'd appreciate your help with the following:
>
> I'm looking after two servers on 2 different domains. During testing I found the following issue.
>
> On the sending server I get the following:
>
> Jul 1 14:18:24 mail postfix/smtp[2135]: 9172F5FA8D: host mail1..com[xxx.xxx.231.229] said: 450 4.7.25 Client host rejected: cannot find your hostname, [xxx.xxx.73.197] (in reply to RCPT TO command)
>
> On the receiving server I get:
>
> Jul 1 06:18:21 mail1 postfix/postscreen[19345]: CONNECT from [xxx.xxx.73.197]:44014 to [xxx.xxx.231.229]:25
> Jul 1 06:18:21 mail1 postfix/postscreen[19345]: PASS OLD [xxx.xxx.73.197]:44014
> Jul 1 06:18:21 mail1 postfix/smtpd[19348]: warning: hostname dc1.xxx.com.au does not resolve to address xxx.xxx.73.197: Name or service not known
> Jul 1 06:18:21 mail1 postfix/smtpd[19348]: connect from unknown[xxx.xxx.73.197]
> Jul 1 06:18:24 mail1 postfix/smtpd[19348]: NOQUEUE: reject: RCPT from unknown[xxx.xxx.73.197]: 450 4.7.25 Client host rejected: cannot find your hostname, [150.107.73.197]; from= to= proto=ESMTP helo=
>
> I can ping 'mail.xxx.net' on this server ok.
>
> Sending Server postconf -n output
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> compatibility_level = 2
> delay_warning_time = 4h
> inet_interfaces = 127.0.0.1, ::1, xxx.xxx.73.197
> inet_protocols = all
> local_recipient_maps = $virtual_mailbox_maps
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> message_size_limit = 52428800
> milter_default_action = accept
> milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
> milter_protocol = 6
> mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
> mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
> mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = xxx.net
> myhostname = mail.xxx.net
> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
> myorigin = /etc/mailname
> non_smtpd_milters = inet:localhost:11332
> postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = drop
> postscreen_dnsbl_sites = ix.dnsbl.manitu.net*2 zen.spamhaus.org*2
> postscreen_dnsbl_threshold = 2
> postscreen_greet_action = drop
> readme_directory = no
> recipient_delimiter = +
> relayhost =
> smtp_dns_support_level = dnssec
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> smtp_tls_ciphers = high
> smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_security_level = dane
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = mail.xxx.net
> smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
> smtpd_milters = inet:localhost:11332
> smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/sql/recipient-access.cf
> smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
> smtpd_tls_cert_file = /etc/ssl/certs/2803b51614cb032f.crt
> smtpd_tls_ciphers = high
> smtpd_tls_key_file = /etc/ssl/private/wildcard.xxx.net.key
> smtpd_tls_protocols = !SSLv2, !SSLv3
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
> tls_preempt_cipherlist = yes
> tls_ssl_options = NO_COMPRESSION
> virtual_alias_maps = mysql:/etc/postfix/sql/aliases.cf
> virtual_mailbox_domains = mysql:/etc/postfix/sql/domains.cf
> virtual_mailbox_maps = mysql:/etc/postfix/sql/accounts.cf
> virtual_transport = lmtp:unix:private/dovecot-lmtp
>
> Sending Server postconf -Mf output
> ---
> smtp inet n - y - 1 postscreen
>     -o smtpd_sasl_auth_enable=no
> smtpd pass - - y - - smtpd
> dnsblog unix - - y - 0 dnsblog
> tlsproxy unix - - y - 0 tlsproxy
> 9925 inet n
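The rejection in the logs above comes from reject_unknown_client_hostname on the receiving side, which needs forward-confirmed reverse DNS: the client IP's PTR name must itself resolve back to that IP. The following is an added example, not code from the thread or from Postfix: a Python reimplementation of that check with the DNS lookups injectable, so the thread's failing case (a stale PTR pointing at a name with no address record) can be reproduced offline with constructed data. The hostnames, IPs and reply wording are constructed placeholders.

```python
# Added example, not code from the thread: the forward-confirmed reverse DNS
# (FCrDNS) check behind Postfix's reject_unknown_client_hostname, with the DNS
# lookups injectable so the failing case from the log can be reproduced offline.
import socket


def ptr_lookup(ip):
    """PTR name for ip, or None when there is no reverse entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def addr_lookup(name):
    """Set of IPv4/IPv6 addresses name resolves to (empty if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def classify_client(ip, ptr=ptr_lookup, addrs=addr_lookup):
    """Return (client_name, reason) the way smtpd derives the client name.

    client_name is "unknown" unless the PTR name resolves back to ip
    (forward-confirmed), which is what reject_unknown_client_hostname needs.
    """
    name = ptr(ip)
    if name is None:
        return "unknown", f"no PTR record for {ip}"
    forward = addrs(name)
    if not forward:
        return "unknown", f"hostname {name} does not resolve to address {ip}"
    if ip not in forward:
        return "unknown", f"hostname {name} resolves to {sorted(forward)}, not {ip}"
    return name, "forward-confirmed"


def smtpd_client_restriction(ip, ptr=ptr_lookup, addrs=addr_lookup):
    """Reply reject_unknown_client_hostname would give this client."""
    name, reason = classify_client(ip, ptr, addrs)
    if name == "unknown":
        # Postfix's default unknown_client_reject_code is 450, so a legitimate
        # sender with a broken PTR keeps retrying instead of bouncing outright.
        return f"450 4.7.25 Client host rejected: cannot find your hostname, [{ip}] ({reason})"
    return f"accept {name}[{ip}]"


# Constructed DNS data mirroring the thread: one IP's PTR points at an old name
# with no A record; the other IP's PTR name resolves back to it correctly.
FAKE_PTR = {"192.0.2.10": "dc1.example.com.au", "192.0.2.11": "mail.example.net"}
FAKE_FWD = {"mail.example.net": {"192.0.2.11"}}


def demo(ip):
    """Run the check against the constructed DNS data instead of live DNS."""
    return smtpd_client_restriction(ip, ptr=FAKE_PTR.get, addrs=lambda n: FAKE_FWD.get(n, set()))
```

Calling classify_client with the default lookups runs the same check against live DNS, which is a quick way to verify a sending host's PTR before the receiving side does.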
Re: postfix/smtp Connection timeout
Thanks. That was the problem.

Leo

On 4/6/19 10:53 pm, Bill Cole wrote:
> On 4 Jun 2019, at 8:23, subscription1 wrote:
>
>> telnet on the working server shows
>> ---
>> >>> telnet 203.205.219.57 25
>> Trying 203.205.219.57...
>> Connected to 203.205.219.57.
>> Escape character is '^]'.
>> 220 newxmmxsza20.qq.com MX QQ Mail Server.
>> ^]
>> telnet>
>>
>> On the failing server I get
>> ---
>> >>> telnet 203.205.219.57 25
>> Trying 203.205.219.57...
>> --
>> I can ping 203.205.219.57 from both servers
>
> This is a symptom of your network provider blocking port 25 outbound. That has long been the norm for residential/recreational service and in recent years it has expanded to the low-end hosting market (including Amazon and OVH), where it is now common for hosting providers to block port 25 outbound by default and either provide an authenticated relay service (e.g. Amazon SES) or to unblock the port by customer request.
>
> Making the issue more complex, some providers have implemented port 25 blocking unevenly, so that some of their customers or networks are unblocked despite the official practice.
Re: postfix/smtp Connection timeout
The two servers are on different machines (different continents, actually) and different domains.

I've sent an email to the same (non-existent) recipient.

On the working server I get this
---
Jun 4 14:06:50 mail1 postfix/submission/smtpd[13650]: connect from unknown[210.185.104.16]
Jun 4 14:06:55 mail1 postfix/submission/smtpd[13650]: 312BA29EC56: client=unknown[210.185.104.16], sasl_method=PLAIN, sasl_username=po...@zudiewiener.com
Jun 4 14:06:55 mail1 postfix/cleanup[13654]: 312BA29EC56: message-id=
Jun 4 14:06:56 mail1 postfix/qmgr[1668]: 312BA29EC56: from=, size=397, nrcpt=1 (queue active)
Jun 4 14:06:56 mail1 postfix/submission/smtpd[13650]: disconnect from unknown[210.185.104.16] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jun 4 14:07:04 mail1 postfix/smtp[13655]: 312BA29EC56: to=, relay=mx3.qq.com[203.205.219.57]:25, delay=12, delays=2.7/0.03/8.3/0.55, dsn=5.0.0, status=bounced (host mx3.qq.com[203.205.219.57] said: 550 Mailbox not found. http://service.mail.qq.com/cgi-bin/help?subtype=1&=20022&=1000728 (in reply to RCPT TO command))
Jun 4 14:07:05 mail1 postfix/cleanup[13661]: 6F1F529EC5A: message-id=<20190604120705.6f1f529e...@mail1.zudiewiener.com>
Jun 4 14:07:05 mail1 postfix/bounce[13660]: 312BA29EC56: sender non-delivery notification: 6F1F529EC5A
Jun 4 14:07:05 mail1 postfix/qmgr[1668]: 6F1F529EC5A: from=<>, size=2689, nrcpt=1 (queue active)
Jun 4 14:07:05 mail1 postfix/qmgr[1668]: 312BA29EC56: removed
Jun 4 14:07:05 mail1 postfix/lmtp[13662]: 6F1F529EC5A: to=, relay=mail1.zudiewiener.com[private/dovecot-lmtp], delay=0.05, delays=0.02/0.01/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 AFPWHOle9lxfNQAAHQghHA Saved)
Jun 4 14:07:05 mail1 postfix/qmgr[1668]: 6F1F529EC5A: removed

On the failed server I get
---
Jun 4 22:07:38 mail postfix/submission/smtpd[14146]: connect from unknown[210.185.104.16]
Jun 4 22:07:39 mail postfix/submission/smtpd[14146]: B4C025FA97: client=unknown[210.185.104.16], sasl_method=PLAIN, sasl_username=ll...@dragonclaw.net
Jun 4 22:07:39 mail postfix/cleanup[14149]: B4C025FA97: message-id=<55b8c045-0fb9-bece-dd68-9f793260c...@dragonclaw.net>
Jun 4 22:07:41 mail postfix/qmgr[11467]: B4C025FA97: from=, size=395, nrcpt=1 (queue active)
Jun 4 22:07:41 mail postfix/submission/smtpd[14146]: disconnect from unknown[210.185.104.16] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jun 4 22:08:12 mail postfix/smtp[14150]: connect to mx3.qq.com[203.205.219.57]:25: Connection timed out
Jun 4 22:08:12 mail postfix/smtp[14150]: connect to mx3.qq.com[2001:df6:f400::2808]:25: Network is unreachable
Jun 4 22:08:12 mail postfix/smtp[14150]: connect to mx2.qq.com[2001:df6:f400::2808]:25: Network is unreachable

The telnet on the working server shows
---
>>> telnet 203.205.219.57 25
Trying 203.205.219.57...
Connected to 203.205.219.57.
Escape character is '^]'.
220 newxmmxsza20.qq.com MX QQ Mail Server.
^]
telnet>

On the failing server I get
---
>>> telnet 203.205.219.57 25
Trying 203.205.219.57...
--
I can ping 203.205.219.57 from both servers

Thanks
Leo

On 4/6/19 9:19 pm, Wietse Venema wrote:
> subscription1:
>> Jun 4 17:21:11 mail postfix/smtp[11505]: connect to mail1.zudiewiener.com[173.212.231.229]:25: Connection timed out
>
> Do the two mail servers run on different machines, each with a different IP address?
>
> Does 'telnet 173.212.231.229 25' work from both machines, or does it work only from one machine?
>
> Wietse
postfix/smtp Connection timeout
Hi,

I have two mail servers configured the same way. A diff of the output of postconf -n shows only (expected) differences for:

inet_interfaces
mydomain
myhostname
smtpd_banner
smtpd_tls_cert_file
smtpd_tls_key_file

I can send emails from my client from one without fail, while I get connection timeout errors for the other:

Jun 4 17:20:39 mail postfix/submission/smtpd[11500]: connect from unknown[210.185.104.16]
Jun 4 17:20:40 mail postfix/submission/smtpd[11500]: 161365FA82: client=unknown[210.185.104.16], sasl_method=PLAIN, sasl_username=ll...@dragonclaw.net
Jun 4 17:20:40 mail postfix/cleanup[11504]: 161365FA82: message-id=<6accc68a-c0b4-033a-f633-2cc22ef5e...@dragonclaw.net>
Jun 4 17:20:41 mail postfix/qmgr[11467]: 161365FA82: from=, size=404, nrcpt=1 (queue active)
Jun 4 17:20:41 mail postfix/submission/smtpd[11500]: disconnect from unknown[210.185.104.16] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jun 4 17:21:11 mail postfix/smtp[11505]: connect to mail1.zudiewiener.com[173.212.231.229]:25: Connection timed out
Jun 4 17:21:41 mail postfix/smtp[11505]: connect to mail1.no-ip.com[8.23.224.50]:25: Connection timed out
Jun 4 17:22:11 mail postfix/smtp[11505]: connect to mail2.no-ip.com[69.65.5.119]:25: Connection timed out
-

Thanks for any help to resolve this.

Leo