cmallon
2010-12-09 02:16:00 UTC
Hi,
I need help with one of my postfix servers and the setup is complicated. We host this server for one of our clients and they generate a lot of mail. This server receives mail from internal applications via the load balancer and never receives mail from external users.
We do use domain keys and I've created an internal blacklist by scanning the logs and compiling a blacklist.db file, as well as a permanent blacklist that is created by scanning 4 days of blacklist logs. (This way, temporary failures aren't blacklisted forever.) It's important to us to not generate unwanted emails or backscatter. Email recipients have to opt in and do have an opt-out option through the customer's site.
My problem is, email addresses that I know are in the permanent blacklist are still being delivered. To make matters worse, my incoming mail queue grows out of control (though I'm not seeing a lot of bounces and defers in the queues). My mail service is very slow -- mail doesn't get delivered for hours, sometimes days. Domain keys are signing and I'm worried that email is lining up to get signed before the restrictions are applied.
So is it possible to have postfix apply the smtpd_recipient_restrictions before passing the email to dkfilter? (The customer is unable to use DKIM.) It seems silly to sign an email that I want discarded.
My blacklist used to work, but appears to no longer be honored -- can someone take a look at my conf file and see if I've got everything in the right order? I've reviewed http://www.postfix.org/postconf.5.html and http://www.postfix.org/SMTPD_ACCESS_README.html but I'm still not getting it right.
Thank you for your time,
mail2:/var/spool/postfix root# uname -a
Darwin mail2.back.my_company.com 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Power Macintosh
mail2:/var/spool/postfix root# postconf -n
2bounce_notice_recipient = postmaster
alias_maps = hash:/etc/aliases
always_bcc =
append_at_myorigin = no
append_dot_mydomain = no
bounce_notice_recipient = myclientpostmaster
bounce_queue_lifetime = 0
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
message_size_limit = 10240000
mydestination = $myhostname,localhost.$mydomain
mydomain = myclientmail.mycompany.com
mydomain_fallback = localhost
myhostname = myclientmail.mycompany.com
mynetworks = 127.0.0.1/32,10.1.0.0/16,192.168.3.0/24,172.16.0.0/12,10.1.18.24,192.168.0.0/16
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_destination_concurrency_limit = 50
smtpd_client_restrictions =
smtpd_enforce_tls = no
smtpd_pw_server_security_options = plain,login,cram-md5,gssapi
smtpd_recipient_restrictions = reject_unauth_destination, check_recipient_access hash:/etc/postfix/recipient_blacklist, hash:/etc/postfix/perm_blacklist, hash:/etc/postfix/hold, check_sender_access hash:/etc/postfix/sender_access, permit_sasl_authenticated, permit_mynetworks
smtpd_sasl_auth_enable = yes
smtpd_tls_key_file =
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = no
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual_alias
virtual_transport = lmtp:unix:/var/imap/socket/lmtp
debug_peer_list = 127.0.0.1
I am postmapping my directories:
LICENSE
TLS_LICENSE
access
aliases
aliases.db
bounce.cf.default
canonical
header_checks
hold
hold.db
main.cf
main.cf.system_default
master.cf
master.cf.default
obsolete_files
perm_blacklist
perm_blacklist.db
post-install
postfix-files
postfix-script
recipient_blacklist
recipient_blacklist.0.gz
recipient_blacklist.1.gz
recipient_blacklist.2.gz
recipient_blacklist.3.gz
recipient_blacklist.db
relocated
sasl
sender_access
sender_access.db
transport
transport.system_default
virtual
virtual_alias
virtual_alias.db
mail2:/var/spool/postfix root# ls -l
total 24
drwx------ 19 _postfix wheel 646 Dec 8 17:11 active
drwx------ 4 _postfix wheel 136 Dec 8 17:11 bounce
-rwxrwxrwx 1 root wheel 125 Nov 2 16:55 check
drwx------ 2 _postfix wheel 68 Aug 22 2005 corrupt
-rwxrwxrwx 1 root wheel 124 Dec 8 16:01 count
drwx------ 18 _postfix wheel 612 Nov 2 16:36 defer
drwx------ 18 _postfix wheel 612 Mar 16 2007 deferred
drwx------ 3 _postfix wheel 102 Nov 30 07:54 flush
drwx------ 2 _postfix wheel 68 Aug 22 2005 hold
drwx------ 46246 _postfix wheel 37223948 Dec 8 17:11 incoming
drwx------ 57617 _postfix wheel 57664578 Dec 6 12:50 incoming.1206
drwx------ 60089 _postfix wheel 6499474 Dec 6 22:36 incoming.old
-rwxrwxrwx 1 root wheel 604 Dec 7 15:45 mailbyUser
drwx-wx--- 2 _postfix _postdrop 68 Dec 8 16:58 maildrop
drwxr-xr-x 20 root wheel 680 Oct 19 18:10 pid
drwx------ 26 _postfix wheel 884 Dec 8 09:29 private
drwx--x--- 7 _postfix _postdrop 238 Dec 8 08:59 public
drwx------ 2 _postfix wheel 68 Aug 22 2005 saved
drwx------ 17 _postfix wheel 578 Nov 19 2009 trace
Here is an email for a user that I know is on the blacklist:
Dec 8 17:13:32 mail2 postfix/smtp[63218]: 1E2488D6B572: to= ***@gmx.co.uk, relay=127.0.0.1[127.0.0.1]:10027, conn_use=3, delay=11319, delays=11318/0.11/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BD21E8DA15B7)
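Added example, not Postfix code and not the poster's: a Python dry-run of the posted smtpd_recipient_restrictions list using the access(5) lookup order, which shows that with reject_unauth_destination listed ahead of permit_mynetworks a mynetworks client sending to a non-local domain is refused by the relay check before any blacklist map is consulted, while the same maps fire once the relay check moves last. The table contents and client addresses are constructed, relay_domains is assumed to be at its default of $mydestination (it is absent from the postconf -n output), and smtpd restrictions are evaluated when the message is received, before the content_filter hop to 127.0.0.1:10027.

```python
"""Dry-run of a Postfix smtpd_recipient_restrictions list (added example, not
Postfix code). Access-map lookups follow access(5): user@domain, domain, parent
domains, then user@; a DUNNO entry stops the substring search for that table."""
import ipaddress

MYDESTINATION = {"myclientmail.mycompany.com", "localhost.myclientmail.mycompany.com"}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.1.0.0/16")]
TABLES = {  # constructed stand-ins for the hash: files; postmap -q is the real check
    "recipient_blacklist": {"alice@example.net": "REJECT"},
    "perm_blacklist": {"example.invalid": "REJECT"},  # domain and all subdomains
    "hold": {"audit@": "HOLD"},                       # this local part at any domain
    "sender_access": {"noreply@myclientmail.mycompany.com": "OK"},
}
POSTED = ["reject_unauth_destination", "check_recipient_access recipient_blacklist",
          "check_recipient_access perm_blacklist", "check_recipient_access hold",
          "check_sender_access sender_access", "permit_sasl_authenticated",
          "permit_mynetworks"]
REORDERED = POSTED[1:] + POSTED[:1]  # relay check last, so the maps see every recipient

def lookup_keys(address):
    addr = address.lower()  # postmap and smtpd fold hash: lookup keys to lower case
    local, _, domain = addr.rpartition("@")
    labels = domain.split(".")
    return [addr] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]

def access(table, address):
    """First key with an entry decides; DUNNO means not found, stop trying substrings."""
    for key in lookup_keys(address):
        action = table.get(key)
        if action is not None:
            return None if action == "DUNNO" else action.split()[0]
    return None

def evaluate(restrictions, client_ip, sasl, sender, recipient):
    """First OK/REJECT/HOLD wins; end of list permits. Returns (result, restriction)."""
    for r in restrictions:
        name, _, table = r.partition(" ")
        if (name == "reject_unauth_destination"
                and recipient.rpartition("@")[2].lower() not in MYDESTINATION):
            return "REJECT", r  # relay_domains assumed at its default of $mydestination
        if name in ("check_recipient_access", "check_sender_access"):
            hit = access(TABLES[table], recipient if "recipient" in name else sender)
            if hit:
                return hit, r
        if name == "permit_sasl_authenticated" and sasl:
            return "OK", r
        if name == "permit_mynetworks" and any(
                ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
            return "OK", r
    return "OK", "end of list"
```

These restrictions only apply to mail that arrives through smtpd; mail injected with the sendmail command (pickup) or through a master.cf smtpd entry with -o overrides never passes this list. Run `postmap -q address hash:/etc/postfix/perm_blacklist` against the real tables to confirm what a lookup returns.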