Loading ...
Sorry, an error occurred while loading the content.

Mail transmission/re-injection question

Expand Messages
  • Des Dougan
    Hi, I m fairly new to postfix and have recently set up an instance on a site with a newly-allocated static IP address. Mail was generally flowing in and out
    Message 1 of 5 , Apr 30, 2011
    • 0 Attachment
      Hi,

      I'm fairly new to postfix and have recently set up an instance on a site with a newly-allocated static IP address. Mail was generally flowing in and out after I configured the postfix and dovecot; however, some messages were not being sent, showing "Client host rejected: Access denied" messages in the logs.

      As I analyzed this, it seemed to be caused by the static IP not having a good reputation with some sites' RBL policies. I therefore set the system up to relay via the ISP's mail servers, which is working OK. That said, I'm still seeing sending attempts (in /var/log/maillog) by what appear to be previous messages that didn't go out. These are not going via the relay; neither, though, do they show in the mail queue (via "postqueue -p").

      Is there a way to re-inject these messages via the updated configuration so that they go out via the ISP as new messages are doing? I've done a fair bit of Googling but can't see how this might be achieved.

      Thanks,

      Des

      --

      Des Dougan
      Principal
      Dougan Consulting Group Inc.

      http://www.DouganConsulting.tel <-- Get all my contact information here.
      http://www.DouganConsulting.com

      Peace of Mind, One Computer at a Time.

      ---

      Imagine anyone on the planet being able to find and then contact you with a single click. YourName.tel is all you will give anyone ever again. Want in?

      http://registertel.tel/
    • Noel Jones
      ... To requeue mail, use postsuper -r QUEUEID or postsuper -r ALL http://www.postfix.org/postsuper.1.html but if the mail doesn t show up in postqueue -p
      Message 2 of 5 , Apr 30, 2011
      • 0 Attachment
        On 4/30/2011 4:26 PM, Des Dougan wrote:
        > Hi,
        >
        > I'm fairly new to postfix and have recently set up an instance on a site with a newly-allocated static IP address. Mail was generally flowing in and out after I configured the postfix and dovecot; however, some messages were not being sent, showing "Client host rejected: Access denied" messages in the logs.
        >
        > As I analyzed this, it seemed to be caused by the static IP not having a good reputation with some sites' RBL policies. I therefore set the system up to relay via the ISP's mail servers, which is working OK. That said, I'm still seeing sending attempts (in /var/log/maillog) by what appear to be previous messages that didn't go out. These are not going via the relay; neither, though, do they show in the mail queue (via "postqueue -p").
        >
        > Is there a way to re-inject these messages via the updated configuration so that they go out via the ISP as new messages are doing? I've done a fair bit of Googling but can't see how this might be achieved.
        >
        > Thanks,
        >
        > Des


        To requeue mail, use "postsuper -r QUEUEID" or "postsuper -r ALL"
        http://www.postfix.org/postsuper.1.html

        but if the mail doesn't show up in "postqueue -p" then the
        mail isn't in postfix. Maybe you still have sendmail installed?

        If you need more help, please provide more evidence.
        http://www.postfix.org/DEBUG_README.html#mail



        -- Noel Jones
      • Des Dougan
        ... Noel, Thanks for your reply. From this log example, it does seem to be a postfix-related message (and there are no sendmail daemons active): Apr 30
        Message 3 of 5 , Apr 30, 2011
        • 0 Attachment
          On April 2011, at 3:11 PM, Noel Jones wrote:

          > On 4/30/2011 4:26 PM, Des Dougan wrote:
          >> Hi,
          >>
          >> I'm fairly new to postfix and have recently set up an instance on a site with a newly-allocated static IP address. Mail was generally flowing in and out after I configured the postfix and dovecot; however, some messages were not being sent, showing "Client host rejected: Access denied" messages in the logs.
          >>
          >> As I analyzed this, it seemed to be caused by the static IP not having a good reputation with some sites' RBL policies. I therefore set the system up to relay via the ISP's mail servers, which is working OK. That said, I'm still seeing sending attempts (in /var/log/maillog) by what appear to be previous messages that didn't go out. These are not going via the relay; neither, though, do they show in the mail queue (via "postqueue -p").
          >>
          >> Is there a way to re-inject these messages via the updated configuration so that they go out via the ISP as new messages are doing? I've done a fair bit of Googling but can't see how this might be achieved.
          >>
          >> Thanks,
          >>
          >> Des
          >
          >
          > To requeue mail, use "postsuper -r QUEUEID" or "postsuper -r ALL"
          > http://www.postfix.org/postsuper.1.html
          >
          > but if the mail doesn't show up in "postqueue -p" then the mail isn't in postfix. Maybe you still have sendmail installed?
          >
          > If you need more help, please provide more evidence.
          > http://www.postfix.org/DEBUG_README.html#mail
          >
          >
          >
          > -- Noel Jones

          Noel,

          Thanks for your reply. From this log example, it does seem to be a postfix-related message (and there are no sendmail daemons active):

          Apr 30 15:14:55 enterprise postfix/smtpd[29644]: NOQUEUE: reject: RCPT from AAA-AA-AAA.AAAAAAAA.AAAAA.AAA[DDD.DDD.DDD.DDD]: 554 5.7.1 <AAA-AA-AAA.AAAAAAAA.AAAAA.AAA[DDD.DDD.DDD.DDD]>: Client host rejected: Access denied; from=<AAA@...> to=<AAAAAAAA@...> proto=ESMTP helo=<[DD.DDD.DDD.DDD]>

          I notice that the above is from a remote location. The client settings have been configured to authenticate (or were, at any rate). If they had been reset, is this the message that would show in authentication was not in place?

          postconf -n is as follows:

          [root@enterprise ~]# postconf -n
          alias_database = hash:/etc/aliases
          alias_maps = hash:/etc/aliases
          broken_sasl_auth_clients = yes
          command_directory = /usr/sbin
          config_directory = /etc/postfix
          daemon_directory = /usr/libexec/postfix
          debug_peer_level = 2
          home_mailbox = Maildir/
          html_directory = no
          inet_interfaces = all
          mail_owner = postfix
          mailq_path = /usr/bin/mailq.postfix
          manpage_directory = /usr/share/man
          mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
          mynetworks = 127.0.0.0/8
          newaliases_path = /usr/bin/newaliases.postfix
          queue_directory = /var/spool/postfix
          readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
          relayhost = [AAAA.AAAAA.net]
          sample_directory = /usr/share/doc/postfix-2.3.3/samples
          sendmail_path = /usr/sbin/sendmail.postfix
          setgid_group = postdrop
          smtp_tls_security_level = may
          smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
          smtpd_sasl_auth_enable = yes
          smtpd_sasl_path = private/auth
          smtpd_sasl_security_options = noanonymous
          smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
          smtpd_sasl_type = dovecot
          smtpd_tls_cert_file = /etc/pki/tls/certs/mail.iprc.ca.cert
          smtpd_tls_key_file = /etc/pki/tls/private/mail.iprc.ca.key
          smtpd_tls_security_level = may
          tls_random_source = dev:/dev/urandom
          unknown_local_recipient_reject_code = 550


          Regards,

          Des
          --

          Des Dougan
          Principal
          Dougan Consulting Group Inc.

          http://www.DouganConsulting.tel <-- Get all my contact information here.
          http://www.DouganConsulting.com

          Peace of Mind, One Computer at a Time.

          ---

          Imagine anyone on the planet being able to find and then contact you with a single click. YourName.tel is all you will give anyone ever again. Want in?

          http://registertel.tel/
        • Noel Jones
          ... This is mail trying to enter postfix, and postfix doesn t accept it. Is this you or your authorized client? If they successfully AUTH postfix would log a
          Message 4 of 5 , Apr 30, 2011
          • 0 Attachment
            On 4/30/2011 5:36 PM, Des Dougan wrote:
            >
            > On April 2011, at 3:11 PM, Noel Jones wrote:
            >
            >> On 4/30/2011 4:26 PM, Des Dougan wrote:
            >>> Hi,
            >>>
            >>> I'm fairly new to postfix and have recently set up an instance on a site with a newly-allocated static IP address. Mail was generally flowing in and out after I configured the postfix and dovecot; however, some messages were not being sent, showing "Client host rejected: Access denied" messages in the logs.
            >>>
            >>> As I analyzed this, it seemed to be caused by the static IP not having a good reputation with some sites' RBL policies. I therefore set the system up to relay via the ISP's mail servers, which is working OK. That said, I'm still seeing sending attempts (in /var/log/maillog) by what appear to be previous messages that didn't go out. These are not going via the relay; neither, though, do they show in the mail queue (via "postqueue -p").
            >>>
            >>> Is there a way to re-inject these messages via the updated configuration so that they go out via the ISP as new messages are doing? I've done a fair bit of Googling but can't see how this might be achieved.
            >>>
            >>> Thanks,
            >>>
            >>> Des
            >>
            >>
            >> To requeue mail, use "postsuper -r QUEUEID" or "postsuper -r ALL"
            >> http://www.postfix.org/postsuper.1.html
            >>
            >> but if the mail doesn't show up in "postqueue -p" then the mail isn't in postfix. Maybe you still have sendmail installed?
            >>
            >> If you need more help, please provide more evidence.
            >> http://www.postfix.org/DEBUG_README.html#mail
            >>
            >>
            >>
            >> -- Noel Jones
            >
            > Noel,
            >
            > Thanks for your reply. From this log example, it does seem to be a postfix-related message (and there are no sendmail daemons active):
            >
            > Apr 30 15:14:55 enterprise postfix/smtpd[29644]: NOQUEUE: reject: RCPT from AAA-AA-AAA.AAAAAAAA.AAAAA.AAA[DDD.DDD.DDD.DDD]: 554 5.7.1<AAA-AA-AAA.AAAAAAAA.AAAAA.AAA[DDD.DDD.DDD.DDD]>: Client host rejected: Access denied; from=<AAA@...> to=<AAAAAAAA@...> proto=ESMTP helo=<[DD.DDD.DDD.DDD]>
            >
            > I notice that the above is from a remote location. The client settings have been configured to authenticate (or were, at any rate). If they had been reset, is this the message that would show in authentication was not in place?

            This is mail trying to enter postfix, and postfix doesn't
            accept it.

            Is this you or your authorized client? If they successfully
            AUTH postfix would log a line containing
            ... sasl_method=METHOD, sasl_username=userid, ...

            or if they tried to AUTH and were unsuccessful, postfix would log
            ... authentication failed ...

            The ACCESS DENIED message is from a REJECT command, and the
            "Client host rejected" means the reject was either a bare
            reject in smtpd_client_restrictions, or the result of a
            check_client_access map lookup.

            I don't see either of those anywhere in your config. Maybe
            the client is connecting to another port, ie. submission or
            smtps, with custom master.cf settings.

            At any rate, if there is no message about either successful or
            failed AUTH, then the client didn't attempt AUTH and was
            correctly rejected.


            -- Noel Jones

            >
            > postconf -n is as follows:
            >
            > [root@enterprise ~]# postconf -n
            > alias_database = hash:/etc/aliases
            > alias_maps = hash:/etc/aliases
            > broken_sasl_auth_clients = yes
            > command_directory = /usr/sbin
            > config_directory = /etc/postfix
            > daemon_directory = /usr/libexec/postfix
            > debug_peer_level = 2
            > home_mailbox = Maildir/
            > html_directory = no
            > inet_interfaces = all
            > mail_owner = postfix
            > mailq_path = /usr/bin/mailq.postfix
            > manpage_directory = /usr/share/man
            > mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
            > mynetworks = 127.0.0.0/8
            > newaliases_path = /usr/bin/newaliases.postfix
            > queue_directory = /var/spool/postfix
            > readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
            > relayhost = [AAAA.AAAAA.net]
            > sample_directory = /usr/share/doc/postfix-2.3.3/samples
            > sendmail_path = /usr/sbin/sendmail.postfix
            > setgid_group = postdrop
            > smtp_tls_security_level = may
            > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
            > smtpd_sasl_auth_enable = yes
            > smtpd_sasl_path = private/auth
            > smtpd_sasl_security_options = noanonymous
            > smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
            > smtpd_sasl_type = dovecot
            > smtpd_tls_cert_file = /etc/pki/tls/certs/mail.iprc.ca.cert
            > smtpd_tls_key_file = /etc/pki/tls/private/mail.iprc.ca.key
            > smtpd_tls_security_level = may
            > tls_random_source = dev:/dev/urandom
            > unknown_local_recipient_reject_code = 550
            >
            >
            > Regards,
            >
            > Des
            > --
            >
            > Des Dougan
            > Principal
            > Dougan Consulting Group Inc.
            >
            > http://www.DouganConsulting.tel<-- Get all my contact information here.
            > http://www.DouganConsulting.com
            >
            > Peace of Mind, One Computer at a Time.
            >
            > ---
            >
            > Imagine anyone on the planet being able to find and then contact you with a single click. YourName.tel is all you will give anyone ever again. Want in?
            >
            > http://registertel.tel/
            >
          • Des Dougan
            ... Noel, Thanks for this. I ll follow-up with the client to ensure they re correctly set up. Regards, Des -- Des Dougan Principal Dougan Consulting Group Inc.
            Message 5 of 5 , May 1 2:08 PM
            • 0 Attachment
              On April 2011, at 3:52 PM, Noel Jones wrote:

              > On 4/30/2011 5:36 PM, Des Dougan wrote:
              >>
              >> On April 2011, at 3:11 PM, Noel Jones wrote:
              >>
              >>> On 4/30/2011 4:26 PM, Des Dougan wrote:
              >>>> Hi,
              >>>>
              >>>> I'm fairly new to postfix and have recently set up an instance on a site with a newly-allocated static IP address. Mail was generally flowing in and out after I configured the postfix and dovecot; however, some messages were not being sent, showing "Client host rejected: Access denied" messages in the logs.
              >>>>
              >>>> As I analyzed this, it seemed to be caused by the static IP not having a good reputation with some sites' RBL policies. I therefore set the system up to relay via the ISP's mail servers, which is working OK. That said, I'm still seeing sending attempts (in /var/log/maillog) by what appear to be previous messages that didn't go out. These are not going via the relay; neither, though, do they show in the mail queue (via "postqueue -p").
              >>>>
              >>>> Is there a way to re-inject these messages via the updated configuration so that they go out via the ISP as new messages are doing? I've done a fair bit of Googling but can't see how this might be achieved.
              >>>>
              >>>> Thanks,
              >>>>
              >>>> Des
              >>>
              >>>
              >>> To requeue mail, use "postsuper -r QUEUEID" or "postsuper -r ALL"
              >>> http://www.postfix.org/postsuper.1.html
              >>>
              >>> but if the mail doesn't show up in "postqueue -p" then the mail isn't in postfix. Maybe you still have sendmail installed?
              >>>
              >>> If you need more help, please provide more evidence.
              >>> http://www.postfix.org/DEBUG_README.html#mail
              >>>
              >>>
              >>>
              >>> -- Noel Jones
              >>
              >> Noel,
              >>
              >> Thanks for your reply. From this log example, it does seem to be a postfix-related message (and there are no sendmail daemons active):
              >>
              >> Apr 30 15:14:55 enterprise postfix/smtpd[29644]: NOQUEUE: reject: RCPT from AAA-AA-AAA.AAAAAAAA.AAAAA.AAA[DDD.DDD.DDD.DDD]: 554 5.7.1<AAA-AA-AAA.AAAAAAAA.AAAAA.AAA[DDD.DDD.DDD.DDD]>: Client host rejected: Access denied; from=<AAA@...> to=<AAAAAAAA@...> proto=ESMTP helo=<[DD.DDD.DDD.DDD]>
              >>
              >> I notice that the above is from a remote location. The client settings have been configured to authenticate (or were, at any rate). If they had been reset, is this the message that would show in authentication was not in place?
              >
              > This is mail trying to enter postfix, and postfix doesn't accept it.
              >
              > Is this you or your authorized client? If they successfully AUTH postfix would log a line containing
              > ... sasl_method=METHOD, sasl_username=userid, ...
              >
              > or if they tried to AUTH and were unsuccessful, postfix would log
              > ... authentication failed ...
              >
              > The ACCESS DENIED message is from a REJECT command, and the "Client host rejected" means the reject was either a bare reject in smtpd_client_restrictions, or the result of a check_client_access map lookup.
              >
              > I don't see either of those anywhere in your config. Maybe the client is connecting to another port, ie. submission or smtps, with custom master.cf settings.
              >
              > At any rate, if there is no message about either successful or failed AUTH, then the client didn't attempt AUTH and was correctly rejected.
              >
              >
              > -- Noel Jones

              Noel,

              Thanks for this. I'll follow-up with the client to ensure they're correctly set up.

              Regards,

              Des
              --

              Des Dougan
              Principal
              Dougan Consulting Group Inc.

              http://www.DouganConsulting.tel <-- Get all my contact information here.
              http://www.DouganConsulting.com

              Peace of Mind, One Computer at a Time.

              ---

              Imagine anyone on the planet being able to find and then contact you with a single click. YourName.tel is all you will give anyone ever again. Want in?

              http://registertel.tel/
            Your message has been successfully submitted and would be delivered to recipients shortly.