Postfix Whitelist Not Working As It Should - postfix-mta

My main.cf configuration is as follows. I cannot receive emails from domains or IP addresses that I have whitelisted.
Error:
450 4.7.25 Client host rejected: cannot find your hostname...
OR
450 4.7.1 Helo command rejected: Host not found...
I guess this is because of reject_invalid_hostname and reject_non_fqdn_helo_hostname.
Why am I getting such an error even though I have whitelisted it?
How can I do this without removing the reject_invalid_hostname and reject_non_fqdn_helo_hostname rules?
If there is a match in the filter, postfix should apply the relevant rule. If there is no match, postfix should follow the next rules. Shouldn't that be the case logically?
Can someone help me? Where did I go wrong?
Sorry for my English.
Thank you everyone in advance.
### main.cf:
..........
header_checks = regexp:/etc/postfix/header_checks
#HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access pcre:/etc/postfix/helo_access,
    #reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_invalid_hostname,
    reject_unknown_helo_hostname
#Client restrictions
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_client
#Sender restrictions
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_whitelist,
    check_sender_access pcre:/etc/postfix/reject_domains,
    reject_non_fqdn_sender,
    #reject_unverified_sender,
    reject_unknown_sender_domain
#Recipient restrictions
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_policy_service inet:127.0.0.1:10031,
    check_recipient_access hash:/etc/postfix/sender_whitelist,
    check_recipient_access hash:/etc/postfix/sender_blacklist,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client spam.dnsbl.anonmails.de,
    reject_rbl_client dyna.spamrats.com,
    reject_rbl_client spam.spamrats.com
#Relay restrictions
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_policy_service inet:127.0.0.1:10031,
    reject_unauth_destination
#Other restrictions
smtpd_delay_reject = yes
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
enable_original_recipient = no
show_user_unknown_table_name = no
.........
### sender_whitelist:
.........
mail.gelirler.gov.tr OK
#mail.gelirler.gov.tr IP address
212.133.164.130 OK
bplas.com.tr OK
bsmtp2.iletisim.yapikredi.com.tr OK
bsmtp3.iletisim.yapikredi.com.tr OK
.........

In your smtpd_helo_restrictions you show check_helo_access pcre:/etc/postfix/helo_access, however you do not show the contents of /etc/postfix/helo_access. Do you have such a file? You are showing the contents of "sender_whitelist"; if your /etc/postfix/helo_access file is similar, you do not need to use "pcre", just use this in main.cf:
check_helo_access hash:/etc/postfix/helo_access,
Make sure you have the domain/IP in the /etc/postfix/helo_access file, run postmap /etc/postfix/helo_access, then reload postfix.
(If you do use regex in your /etc/postfix/helo_access, obviously use pcre: instead of hash:.)
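
Why the whitelist in the question does not stop the two errors, as an added example that is not part of the original posts: each smtpd_*_restrictions list is evaluated on its own, and each check_*_access restriction looks up a different attribute of the session. This is a simplified Python model, not Postfix code; the session, the documentation addresses, the client_whitelist table name and the contents of helo_access are constructed assumptions.

```python
# Added illustration, not Postfix source: a reduced model of smtpd access checks.
# With smtpd_delay_reject = yes the lists run at RCPT TO in this order.
STAGES = ["client", "helo", "sender", "recipient"]

def check(restriction, session, tables):
    """Evaluate one restriction; returns 'OK', 'REJECT' or 'DUNNO'."""
    name, _, table = restriction.partition(" ")
    if name == "reject_unknown_client":
        return "REJECT" if session["client_name"] == "unknown" else "DUNNO"
    if name == "reject_unknown_helo_hostname":
        return "DUNNO" if session["helo_resolves"] else "REJECT"
    # Each check_*_access restriction looks up a different session attribute.
    if name == "check_client_access":
        keys = [session["client_name"], session["client_ip"]]
    elif name == "check_helo_access":
        keys = [session["helo"]]
    elif name == "check_sender_access":
        keys = [session["sender"], session["sender"].rpartition("@")[2]]
    else:
        return "DUNNO"  # restriction not modelled here
    return "OK" if any(k in tables.get(table, ()) for k in keys) else "DUNNO"

def evaluate(config, session, tables):
    """Return (verdict, stage, restriction) for one delivery attempt."""
    for stage in STAGES:
        for restriction in config.get(stage, []):
            verdict = check(restriction, session, tables)
            if verdict == "REJECT":  # stands for any refusal, including a 450
                return ("REJECT", stage, restriction)
            if verdict == "OK":
                break  # OK ends this list only; later lists still run
    return ("ACCEPT", None, None)

# Constructed session: sender domain is whitelisted, but the client has no PTR
# record and its HELO name does not resolve (RFC 5737 documentation address).
SESSION = {"client_ip": "192.0.2.10", "client_name": "unknown",
           "helo": "mail.example.org", "helo_resolves": False,
           "sender": "billing@mail.example.org"}
WHITELIST = {"mail.example.org", "192.0.2.10"}

# Layout from the question: the whitelist is consulted by check_sender_access only.
HELO = ["check_helo_access helo_access", "reject_unknown_helo_hostname"]
AS_POSTED = {"client": ["reject_unknown_client"], "helo": HELO,
             "sender": ["check_sender_access sender_whitelist"]}
# Hypothetical variant: the client list consults a whitelist before rejecting.
PER_LIST = dict(AS_POSTED, client=["check_client_access client_whitelist",
                                   "reject_unknown_client"])

if __name__ == "__main__":
    print(evaluate(AS_POSTED, SESSION, {"sender_whitelist": WHITELIST}))
    names = ("sender_whitelist", "client_whitelist", "helo_access")
    print(evaluate(PER_LIST, SESSION, {n: WHITELIST for n in names}))
```

The HELO name is chosen by the remote client, so an allow entry keyed on the client IP address is the stronger control of the two.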

Related

Configure Postfix to send email on ubuntu

I'm trying to configure a postfix server to use for notifications from some of my scripts.
The server should only be able to send email, not receive it.
I'm within a company network.
I'm using a fake mail address to send the email.
Actually I can send email (and receive it at my true mail address) but postfix tries to send the same email to the address I use to send it (and it doesn't exist), creating an infinite queue.
Could someone help me to fix it?
this is my main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = srvsviluppocentrale
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydomain = agenziamobilita.roma.it
myorigin = $mydomain
mydestination =
relayhost = [srvw04.rsm.local]:25
relay =
# mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all
# sender_canonical_maps=hash:/etc/postfix/sender_canonical

postfix throwing Recipient address rejected error when configured with virtual_mailbox_domains

I have configured postfix to send received email to a local LMTP agent using the virtual_mailbox_domains parameter. It works fine if the email is received for the FQDN of the machine running postfix, but if it's for the IP address of the machine then it throws the following error: "Recipient address rejected: User unknown in local recipient table". I tried different things but no luck. I would really appreciate any tips on this scenario.
Thanks for your help in advance!
Here is the topology:
                              IP           FQDN
Machine A (sending machine)   10.2.20.40   machine-a.test.com
Machine B (Postfix + LMTP)    10.2.20.50   mta.test.com
Machine B is running postfix + custom LMTP.
Example 1 (succeeds)
Send email to user#mta.test.com from Machine A. This use case succeeds and Postfix successfully delivers email to customer LMTP agent listening on localhost's socket.
Success case /etc/postfix/main.cf:
virtual_mailbox_domains = mta.test.com
/etc/postfix/virtual_mailbox_map:
user#mta.test.com lmtp:inet:127.0.0.1:5678
Example 2 (Failed case)
Send email to user#10.2.20.50 from Machine A. This case fails and Postfix throws this error in mail.log "NOQUEUE: reject: RCPT from unknown[10.2.20.40]: 550 5.1.1 : Recipient address rejected: User unknown in local recipient table; from= to= proto=ESMTP helo=<[127.0.1.1]>"
Failure case /etc/postfix/main.cf:
virtual_mailbox_domains = 10.2.20.50
/etc/postfix/virtual_mailbox_map:
user#10.2.20.50 lmtp:inet:127.0.0.1:5678
POSTFIX main.cf (Common config part for both cases):
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
inet_interfaces = all
inet_protocols = all
mydestination = localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
recipient_delimiter = +
smtpd_client_restrictions = permit_mynetworks, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
resolve_numeric_domain = yes
unknown_local_recipient_reject_code = 550
myhostname = mta-machine
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_map
virtual_transport = lmtp:inet:127.0.0.1:5678
user#10.2.20.50 is incorrect syntax.
user#[10.2.20.50] is what the RFC allows for.
But anyway: Since Postfix says "User unknown in local recipient table", the domain part is considered to be local. Not virtual.
You could try adding:
[10.2.20.50] is_a_virtual_domain
user#[10.2.20.50] someother#address
to virtual_alias_maps and check if it works, but I'm not sure about this at all.
#[10.2.20.50] syntax is rather byzantine.

Configure Postfix to forward mails to other mail addresses (ex gmail)?

I have configured Postfix on my Ubuntu server to send/receive mails.
While sending works perfectly fine, receiving doesn't. I want to forward all received mail to my gmail account.
My /etc/postfix/mail.cf is as follows:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.compzzz.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_alias_domains = compzzz.com
virtual_alias_maps = hash:/etc/postfix/virtual
myorigin = /etc/mailname
mydestination = droplet1.compzzz.com, localhost.compzzz.com, localhost, compzzz.com, mail.compzzz.com
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
And my /etc/postfix/virtual is:
#compzzz.com ramabc#gmail.com
Any mail I send to abc#compzzz.com, I receive a delivery failed email with unknown user error.
Am I going wrong somewhere?
Being unlucky to get any help from the techies out there forced me to go through the postfix documentation myself.
Just commenting the line which declared mydestination made it work.
i.e., replace the line
mydestination = droplet1.compzzz.com, localhost.compzzz.com, localhost, compzzz.com, mail.compzzz.com
with
#mydestination = droplet1.compzzz.com, localhost.compzzz.com, localhost, compzzz.com, mail.compzzz.com
For forwarding emails to another address (other than your server), mydestination parameter isn't required, only virtual_alias_domains and virtual_alias_maps are required.

Postfix - status=bounced (unknown user "myuser")

I am configuring Postfix and when validating by telnet and SMTP I got the status bounced error, unknown user:
Error log:
postfix/local[18718]: 4590D7DC0A51: to=myuser#mydomain.example, relay=local, delay=9.8, delays=9.8/0.01/0/0.04, dsn=5.1.1, status=bounced (unknown user: "myuser")
The "myuser" already exists, but with full domain name: myuser#mydomain.example.
User Validation:
postmap -q myuser#mydomain.example mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
Output is: "1" - so I guess it is OK.
My postfix Configuration:
root# postconf -n:
append_at_myorigin = yes
biff = no
config_directory = /etc/postfix
default_destination_concurrency_limit = 1
delay_warning_time = 8h
disable_vrfy_command = yes
dovecot_destination_concurrency_limit = 1
dovecot_destination_recipient_limit = 1
enable_original_recipient = yes
local_destination_concurrency_limit = 1
maximal_queue_lifetime = 6d
mydestination = mydomain.example
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_delay_reject = no
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unauth_destination, reject_unauth_pipelining
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain
smtpd_soft_error_limit = 5
strict_rfc821_envelopes = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
You have added mydestination = mydomain.example, so the valid users for mydomain.example will be searched in local_recipient_maps. It is very clear from the log line that the local delivery agent is selected to deliver the mail, as the local domain class matched. See postfix address classes for more help.
Modify your main.cf like below
#/etc/postfix/main.cf
mydestination =
# set to localhost localhost.$mydomain or remove mydomain.example for now
# Ensure that postmap -q mydomain.example mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf is returning mydomain.example and
# postmap -q myuser#mydomain.example mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf succeeds
Open /etc/postfix/main.cf, look for the mydestination field and change its value to the below
mydestination = localhost, localhost.localdomain
Don't forget to run sudo postfix reload afterwards
Use following settings in /var/postfix/main.cf
myorigin = localhost
myhostname = <your_host_name>
mydestination = localhost.$mydomain, localhost, localhost.localdomain
followed by:
sudo postmap /etc/postfix/virtual
sudo service postfix restart
For someone else: when I set mydestination=mydomain.example,
Postfix shows the warning "do not list domain mydomain.example in BOTH mydestination and virtual_mailbox_domains". So I set relayhost = mydomain.example
My postfix version: 3.1.0 (postconf -d | grep mail_version)
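
A check for the mistake behind both this question and the Gmail forwarding question above (the same domain listed in mydestination and in a virtual_* domain list), as an added example that is not part of the original posts. It reads main.cf-style text and reports domains that appear in more than one address class; the SAMPLE lines are copied from the forwarding question, and only literal domain entries are inspected.

```python
import re

# Parameters that each assign domains to one Postfix address class.
CLASS_PARAMS = ["mydestination", "virtual_alias_domains",
                "virtual_mailbox_domains", "relay_domains"]

def parse_main_cf(text):
    """Parse main.cf-style text into {name: value}. Comment lines are skipped,
    lines starting with whitespace continue the previous setting."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, _, value = line.partition("=")
            current = current.strip()
            params[current] = value.strip()
    return params

def expand(value, params, depth=0):
    """Expand $name and ${name}; names not set in the text expand to ''."""
    if depth > 10:
        return value
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params.get(m.group(1), ""), params, depth + 1),
                  value)

def literal_domains(params, name):
    """Literal domains of a list parameter. type:table and /file entries are
    skipped: they can only be resolved with postmap on the live system."""
    items = re.split(r"[,\s]+", expand(params.get(name, ""), params))
    return {i.lower() for i in items if i and ":" not in i and "/" not in i}

def overlapping_domains(text):
    """Return {domain: [parameters]} for domains in more than one class."""
    params = parse_main_cf(text)
    seen = {}
    for name in CLASS_PARAMS:
        for domain in literal_domains(params, name):
            seen.setdefault(domain, []).append(name)
    return {d: names for d, names in seen.items() if len(names) > 1}

# Lines taken from the forwarding question's main.cf on this page.
SAMPLE = """\
virtual_alias_domains = compzzz.com
mydestination = droplet1.compzzz.com, localhost.compzzz.com, localhost, compzzz.com, mail.compzzz.com
"""

if __name__ == "__main__":
    print(overlapping_domains(SAMPLE))
```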

Postfix Dovecot SquirrelMail

Hoping someone can help me out with this.
Current Setup
Home Verizon router -- Dynamic IP address port 25 blocked
Windows server 2008 --> Hyper-V --> Centos6
Postfix
Dovecot
SquirrelMail
**Removed Sendmail
So I can receive an email from anywho#anywhere.com and I can now send to anywho#anywhere.com. The only problem I have is that when I send to anywho#anywhere.com it comes through as me#gmail.com
I would like it to come through as me#mydomain.com
It looks like my sending domain has changed. Did I do something wrong?
I could post my logs but they do not give any errors so I'm not sure how much that would help.
Anything else I can post, let me know
[root#thenerdservice log]# grep -v \# /etc/postfix/main.cf |grep -v ^$
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.mydomain.com
mydomain = mydomain.com
myorigin = $myhostname
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.1.0/24, 127.0.0.0/8, 8.8.8.8
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/saslpasswd
smtp_always_send_ehlo = yes
relayhost = [smtp.gmail.com]:587
smtp_sasl_tls_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_sasl_tls_security_options = noanonymous
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
queue_directory = /var/spool/postfix
You're using a relayhost.
It should go out as you#gmail.com because gmail swaps the sender to reflect your gmail account.
You can send email as you#domain.com only if you have a STATIC ip. Dynamic IP addresses are blacklisted by most email providers.
If you have a static IP, just remove: relayhost, *smtp_sasl_password_maps* and generally sasl unless you know what you're doing.
To check whether you're blacklisted or not click here.
