Discussion:
FreeBSD 8: Postfix policyd-weight not working!!!
perikillo
2010-04-08 14:29:11 UTC
Hi people.

I'm working on my first spam gateway, using Postfix + policyd-weight.

I have 2 jails for this; jail-A is the mail server, where the mailboxes
exist. They are in each user's home directory:

/home/user-1
/home/user-2
/home/user-3
...
/home/user-N

This jail-A has samba+ldap=PDC, nss_ldap+pam_ldap working +
dovecot+postfix working too.

id test
uid=10003(test) gid=513(Domain Users) groups=513(Domain Users)
id root
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),512(Domain Admins)

I can add users without an issue using smbldap-tools.

I have tested dovecot+postfix and I can send emails with that jail.

Now I want to set up my spam gateway, which is another jail called jail-B. I have
set up nss_ldap+pam_ldap to contact my PDC (jail-A) and it is working:

id user1
uid=10002(user1) gid=513(Domain Users) groups=513(Domain Users)
id test
uid=10003(test) gid=513(Domain Users) groups=513(Domain Users)

Now, the part that is not working is postfix + policyd-weight.

When I test with another machine in the network using telnet, for some reason
once postfix accepts the mail it wants to send the email to the outside, not
internally. I have set up transport to send the email to jail-A but I don't see
any task doing this, check:

Apr 8 07:02:01 filtro postfix/qmgr[6723]: 97002BB47C2: from=<***@X.org>, size=409, nrcpt=1 (queue active)
Apr 8 07:02:04 filtro postfix/smtpd[6727]: connect from filtro.X.org [192.168.49.7]
Apr 8 07:02:31 filtro postfix/smtp[6725]: connect to X.org[X.Y.Z.W]:25: Operation timed out
Apr 8 07:02:31 filtro postfix/smtp[6725]: 97002BB47C2: to=<***@X.org>, relay=none, delay=869, delays=839/0.03/30/0, dsn=4.4.1, status=deferred (connect to X.org[X.Y.Z.W]:25: Operation timed out)
Apr 8 07:02:45 filtro postfix/smtpd[6727]: 11699BB537C: client=X.dyndns.org [192.168.49.7]
Apr 8 07:02:50 filtro postfix/cleanup[6731]: 11699BB537C: message-id=<***@X.org>
Apr 8 07:02:50 filtro postfix/qmgr[6723]: 11699BB537C: from=<***@X.org>, size=399, nrcpt=1 (queue active)
Apr 8 07:02:51 filtro postfix/smtpd[6727]: disconnect from filtro.X.org [192.168.49.7]
Apr 8 07:03:20 filtro postfix/smtp[6725]: connect to X.org[X.Y.Z.W]:25: Operation timed out
Apr 8 07:03:20 filtro postfix/smtp[6725]: 11699BB537C: to=<***@X.org>, relay=none, delay=45, delays=15/0/30/0, dsn=4.4.1, status=deferred (connect to X.org[X.Y.Z.W]:25: Operation timed out)
Apr 8 07:10:00 filtro postfix/sendmail[6763]: fatal: root(0): No recipient addresses found in message header

X.Y.Z.W --> Public address.

My postfix settings are these:

alias_maps = hash:/etc/aliases
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
local_destination_concurrency_limit = 2
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydomain = X.org
myhostname = filtro.X.org
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains = $transport_maps
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination, reject_non_fqdn_recipient,
    reject_invalid_helo_hostname, check_policy_service
    inet:[192.168.49.7]:12525
soft_bounce = no
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550

Now, my transport file is:

nis.X.org smtp:[192.168.49.6] ----->jail-A

Is created: transport.db

Another thing, in the log I don't see when it is touching "policyd-weight:
12525" or is this just for the outside connections?

It is my first spam server; if you see something wrong please let me know, I will
appreciate it. Thanks all for your time!!!
Noel Jones
2010-04-08 21:57:12 UTC
> Hi people.
> I'm working in my first spam gateway, using Postfix + policyd-weight.
> I have 2 jails for this, the jail-A is the mail server, where the mailboxes
> /home/user-1
> /home/user-2
> /home/user-3
> ...
> /home/user-N
> This jail-A have samba+ldap=PDC, nss_ldap+pam_ldap working +
> dovecot+postfix working too.
> id test
> uid=10003(test) gid=513(Domain Users) groups=513(Domain Users)
> id root
> uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),512(Domain Admins)
> I can add users without an issue using smbldap-tools.
> I have test dovecot+postfix and I can send emails with that jail.
> Now I want to setup my spam gateway, is another jail called jail-B, I have
> id user1
> uid=10002(user1) gid=513(Domain Users) groups=513(Domain Users)
> id test
> uid=10003(test) gid=513(Domain Users) groups=513(Domain Users)
> Now, the part is the one is not working is postfix+ policyd-weight.
> When I test with other machine in the network using telnet, for some reason
> once postfix accept the mail wants to send the email to the outside not
> internally. I have setup transport to send the email jail-A but I don't see
> size=409, nrcpt=1 (queue active)
> Apr 8 07:02:04 filtro postfix/smtpd[6727]: connect from filtro.X.org
> [192.168.49.7]
> Operation timed out
> relay=none, delay=869, delays=839/0.03/30/0, dsn=4.4.1, status=deferred
> (connect to X.org[X.Y.Z.W]:25: Operation timed out)

You say that X.org should be delivered locally. Postfix doesn't think
X.org is a local domain.

> Apr 8 07:10:00 filtro postfix/sendmail[6763]: fatal: root(0): No recipient
> addresses found in message header

It appears that you've used "sendmail -t" to inject some mail, and
there was no To: header.
Don't rely on headers for mail routing.

> X.Y.Z.W --> Public address.
> alias_maps = hash:/etc/aliases
> command_directory = /usr/local/sbin
> config_directory = /usr/local/etc/postfix
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = /usr/local/share/doc/postfix
> inet_interfaces = all
> local_destination_concurrency_limit = 2
> mail_owner = postfix
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> mydomain = X.org
> myhostname = filtro.X.org

You might want to add
mydestination = $mydomain $myhostname localhost

> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/local/share/doc/postfix
> relay_domains = $transport_maps

Bad idea. If you add a transport for e.g. hotmail, you become an
instant open relay. Don't reuse transport_maps this way.

If mail is delivered locally on this box, relay_domains should be
explicitly set empty.
relay_domains =

> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_mynetworks,
> reject_unauth_destination, reject_non_fqdn_recipient,
> reject_invalid_helo_hostname, check_policy_service
> inet:[192.168.49.7]:12525
> soft_bounce = no
> transport_maps = hash:/usr/local/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> nis.X.org smtp:[192.168.49.6] ----->jail-A
> Is created: transport.db
> 12525" or this is just for the outside connections?

Mail that's permitted by "permit_mynetworks" or submitted via the
sendmail(1) interface won't trigger the policy server in your config.


-- Noel Jones
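
The two configuration points in the reply above can be checked mechanically. The following is an added example, not code from either poster or from Postfix: it audits a main.cf and transport table for domains that become relayable only because relay_domains expands $transport_maps, and for permit_* restrictions that run before check_policy_service. The sample texts are constructed, and the hotmail.com entry, the 192.0.2.25 next hop and all function names are hypothetical.

```python
import re

# Constructed inputs modelled on the settings quoted in this thread.
MAIN_CF = """\
relay_domains = $transport_maps
transport_maps = hash:/usr/local/etc/postfix/transport
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination, check_policy_service inet:[192.168.49.7]:12525
"""
TRANSPORT = """\
nis.X.org      smtp:[192.168.49.6]
# constructed entry: added later for routing only, not meant to be relayed
hotmail.com    smtp:[192.0.2.25]
"""

def parse_main_cf(text):
    """Return {parameter: value}, folding indented continuation lines."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def transport_domains(text):
    """Domain keys of a transport table; '*' and user@domain keys are skipped
    because relay_domains lookups are made with domain names only."""
    keys = [l.split()[0] for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    return [k.lstrip(".").lower() for k in keys if k != "*" and "@" not in k]

def unintended_relay_domains(main_cf, transport, intended):
    """Domains relayed only because relay_domains expands $transport_maps."""
    refs = re.findall(r"\$\{?(\w+)\}?", parse_main_cf(main_cf).get("relay_domains", ""))
    if "transport_maps" not in refs:
        return []
    return sorted(set(transport_domains(transport)) - {d.lower() for d in intended})

def permits_before_policy(main_cf):
    """permit_* restrictions evaluated before check_policy_service; clients
    they match are accepted without the policy server being consulted."""
    value = parse_main_cf(main_cf).get("smtpd_recipient_restrictions", "")
    toks = [t for t in re.split(r"[,\s]+", value) if t]
    if "check_policy_service" not in toks:
        return []
    return [t for t in toks[:toks.index("check_policy_service")] if t.startswith("permit")]

if __name__ == "__main__":
    print(unintended_relay_domains(MAIN_CF, TRANSPORT, {"nis.X.org"}), permits_before_policy(MAIN_CF))
```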
perikillo
2010-04-08 22:29:52 UTC
Thanks Noel for your quick answer, just would like to inform you that this is
a spam server, not an email server; once this server accepts the email, it needs
to send it to the real mail server, which is another machine in the network (other
jail).

This is why I'm using the transport stuff; if a more secure way exists
please let me know. Spam server + email server exist in the same
network (jails).

The test was made with telnet; about the sendmail, I don't know when I
set up something about sendmail, I have just been working with postfix.

Thanks again!!!
perikillo
2010-04-11 02:33:33 UTC
Fix it:

alias_maps = hash:/etc/aliases
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = amavisfeed:[127.0.0.3]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
local_destination_concurrency_limit = 2
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydomain = X.org
myhostname = filtro.X.org
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains = $transport_maps
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination, reject_non_fqdn_recipient,
    reject_invalid_helo_hostname, check_policy_service
    inet:[127.0.0.3]:12525
soft_bounce = no
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550

smtp inet n - n - - smtpd

amavisfeed unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
# -o max_use=20
127.0.0.3:10025 inet n - n - - smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o strict_rfc821_envelopes=yes

One of my issues was that this jail had 192.168.49.7 and amavisd didn't like
it; as soon as I changed the settings above and changed my jail to 127.0.0.3
everything started working.

Thanks!!!
