Date: Sat, 10 Apr 2010 19:33:33 -0700
From: perikillo <perikillo@gmail.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: FreeBSD 8: Postfix policyd-weight not working!!!
Message-ID: <k2i51d7a5161004101933ke291cee2hff01be467cfae503@mail.gmail.com>
In-Reply-To: <u2n51d7a5161004081529jb8a55435o7ce1ddc255bb4ba8@mail.gmail.com>
References: <i2k51d7a5161004080729ua1945906w242add379296f2de@mail.gmail.com> <w2scce506b1004081457za583c53co5b27cfb1b96cd4cc@mail.gmail.com> <u2n51d7a5161004081529jb8a55435o7ce1ddc255bb4ba8@mail.gmail.com>

On Thu, Apr 8, 2010 at 3:29 PM, perikillo <perikillo@gmail.com> wrote:

> On Thu, Apr 8, 2010 at 2:57 PM, Noel Jones <noeldude@gmail.com> wrote:
>
>> On Thu, Apr 8, 2010 at 9:29 AM, perikillo <perikillo@gmail.com> wrote:
>> > Hi people.
>> >
>> > I'm working on my first spam gateway, using Postfix + policyd-weight.
>> >
>> > I have 2 jails for this, the jail-A is the mail server, where the
>> > mailboxes exist, they are in each user's home directory:
>> >
>> > /home/user-1
>> > /home/user-2
>> > /home/user-3
>> > ...
>> > /home/user-N
>> >
>> > This jail-A has samba+ldap=PDC, nss_ldap+pam_ldap working +
>> > dovecot+postfix working too.
>> >
>> > id test
>> > uid=10003(test) gid=513(Domain Users) groups=513(Domain Users)
>> > id root
>> > uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),512(Domain Admins)
>> >
>> > I can add users without an issue using smbldap-tools.
>> >
>> > I have tested dovecot+postfix and I can send emails with that jail.
>> >
>> > Now I want to set up my spam gateway, it is another jail called jail-B,
>> > I have set up nss_ldap+pam_ldap to contact my PDC (jail-A) and it is
>> > working:
>> >
>> > id user1
>> > uid=10002(user1) gid=513(Domain Users) groups=513(Domain Users)
>> > id test
>> > uid=10003(test) gid=513(Domain Users) groups=513(Domain Users)
>> >
>> > Now, the part that is not working is postfix + policyd-weight.
>> >
>> > When I test with another machine in the network using telnet, for some
>> > reason once postfix accepts the mail it wants to send the email to the
>> > outside, not internally. I have set up transport to send the email to
>> > jail-A but I don't see any task doing this, check:
>> >
>> > Apr 8 07:02:01 filtro postfix/qmgr[6723]: 97002BB47C2: from=<test@X.org>, size=409, nrcpt=1 (queue active)
>> > Apr 8 07:02:04 filtro postfix/smtpd[6727]: connect from filtro.X.org[192.168.49.7]
>> > Apr 8 07:02:31 filtro postfix/smtp[6725]: connect to X.org[X.Y.Z.W]:25: Operation timed out
>> > Apr 8 07:02:31 filtro postfix/smtp[6725]: 97002BB47C2: to=<user2@X.org>, relay=none, delay=869, delays=839/0.03/30/0, dsn=4.4.1, status=deferred (connect to X.org[X.Y.Z.W]:25: Operation timed out)
>>
>> You say that X.org should be delivered locally. Postfix doesn't think
>> X.org is a local domain.
>>
>> > Apr 8 07:10:00 filtro postfix/sendmail[6763]: fatal: root(0): No recipient addresses found in message header
>>
>> This appears that you've used "sendmail -t" to inject some mail, and
>> there was no To: header.
>> Don't rely on headers for mail routing.
>>
>> >
>> > X.Y.Z.W --> Public address.
>> >
>> > My postfix settings are these:
>> >
>> > alias_maps = hash:/etc/aliases
>> > command_directory = /usr/local/sbin
>> > config_directory = /usr/local/etc/postfix
>> > daemon_directory = /usr/local/libexec/postfix
>> > data_directory = /var/db/postfix
>> > debug_peer_level = 2
>> > home_mailbox = Maildir/
>> > html_directory = /usr/local/share/doc/postfix
>> > inet_interfaces = all
>> > local_destination_concurrency_limit = 2
>> > mail_owner = postfix
>> > mailq_path = /usr/local/bin/mailq
>> > manpage_directory = /usr/local/man
>> > mydomain = X.org
>> > myhostname = filtro.X.org
>>
>> You might want to add
>> mydestination = $mydomain $myhostname localhost
>>
>> > myorigin = $mydomain
>> > newaliases_path = /usr/local/bin/newaliases
>> > queue_directory = /var/spool/postfix
>> > readme_directory = /usr/local/share/doc/postfix
>> > relay_domains = $transport_maps
>>
>> Bad idea. If you add a transport for eg. hotmail, you become an
>> instant open relay. Don't reuse transport_maps this way.
>>
>> If mail is delivered locally on this box, relay_domains should be
>> explicitly set empty.
>> relay_domains =
>>
>> > sample_directory = /usr/local/etc/postfix
>> > sendmail_path = /usr/local/sbin/sendmail
>> > setgid_group = maildrop
>> > smtpd_delay_reject = yes
>> > smtpd_helo_required = yes
>> > smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_invalid_helo_hostname, check_policy_service inet:[192.168.49.7]:12525
>> > soft_bounce = no
>> > transport_maps = hash:/usr/local/etc/postfix/transport
>> > unknown_local_recipient_reject_code = 550
>> >
>> > Now, my transport file is:
>> >
>> > nis.X.org smtp:[192.168.49.6] ----->jail-A
>> >
>> > Is created: transport.db
>> >
>> > Another thing, in the log I don't see when it is touching
>> > "policyd-weight: 12525" or is this just for the outside connections?
>>
>> Mail that's permitted by "permit_mynetworks" or submitted via the
>> sendmail(1) interface won't trigger the policy server in your config.
>>
>
> Thanks Noel for your quick answer, just would like to inform you that this
> is a spam server, not an email server; once this server accepts the email,
> it needs to send it to the real mail server, which is another machine in
> the network (another jail).
>
> This is why I'm using the transport stuff, if a more secure way exists
> please let me know, spam server + email server exist in the same
> network (jails).
>
> The test was made with telnet, about the sendmail, I don't know when I
> set up something about sendmail, I have just been working with postfix.
>
> Thanks again!!!
>
>> -- Noel Jones
>

Fix it:

alias_maps = hash:/etc/aliases
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = amavisfeed:[127.0.0.3]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
local_destination_concurrency_limit = 2
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydomain = X.org
myhostname = filtro.X.org
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains = $transport_maps
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_invalid_helo_hostname, check_policy_service inet:[127.0.0.3]:12525
soft_bounce = no
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550

smtp      inet  n       -       n       -       -       smtpd

amavisfeed unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
#   -o max_use=20

127.0.0.3:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o strict_rfc821_envelopes=yes

One of my issues was that this jail had 192.168.49.7 and amavisd didn't like it; as soon as I changed the settings above and changed my jail to 127.0.0.3, everything started working.

Thanks!!!
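
Added example (not part of the original message and not Postfix's own code): a small offline check for the two points Noel raises above, namely that relay_domains = $transport_maps turns every transport domain into a relay domain, and that permit_mynetworks ahead of check_policy_service keeps local clients away from the policy server. The sample main.cf and transport text are constructed, the hotmail.com entry and its 192.0.2.10 next hop are hypothetical, and the parser handles only plain "name = value" lines with indented continuations.

```python
import re

# Constructed sample input, modelled on the settings quoted in the thread.
SAMPLE_MAIN_CF = """\
relay_domains = $transport_maps
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination, check_policy_service
    inet:[127.0.0.3]:12525
transport_maps = hash:/usr/local/etc/postfix/transport
"""
# The hotmail.com line is hypothetical: the kind of entry Noel warns about.
SAMPLE_TRANSPORT = """\
nis.X.org    smtp:[192.168.49.6]
hotmail.com  smtp:[192.0.2.10]
"""

def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous one."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (part.strip() for part in raw.split("=", 1))
            params[name] = value
    return params

def transport_domains(text):
    """Domain keys of a transport table; user@domain and '*' keys are skipped."""
    rows = (l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return [r[0].lstrip(".").lower() for r in rows if "@" not in r[0] and r[0] != "*"]

def audit(main_cf, transport, own_domains):
    """Flag the two points raised in the thread; own_domains is lower-case."""
    params, findings = parse_main_cf(main_cf), []
    if re.search(r"\$[({]?transport_maps\b", params.get("relay_domains", "")):
        findings += [f"relay: mail for {d} is accepted from any client"
                     for d in transport_domains(transport) if d not in own_domains]
    rules = re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", ""))
    if "permit_mynetworks" in rules and "check_policy_service" in rules:
        if rules.index("permit_mynetworks") < rules.index("check_policy_service"):
            findings.append("policy: mynetworks clients bypass check_policy_service")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MAIN_CF, SAMPLE_TRANSPORT, {"nis.x.org"}):
        print(finding)
```
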