postfix stopped relaying after client changed IP address

  • M. Fioretti
    Message 1 of 7 , Jan 29, 2013
      Greetings,

      my home computer (CLIENT) has postfix configured to relay all outgoing
      email to my actual email SERVER, that is running on a VPS. The current
      outputs of postconf -n for both boxes are below.

      For reasons not really relevant here, a while ago I had configured the
      SERVER to only relay for 2 IP addresses: the one of another VPS I manage,
      and the one of my home computer. Everything worked fine until this
      morning, when there was a blackout at home. When the ADSL modem restarted,
      it got a different IP address from the provider, 2.39.122.159 . This was
      not unexpected, it's a known fact with that provider. So, after the
      blackout, I logged into the SERVER, updated the IP address of my home
      computer in main.cf and restarted postfix. This "strategy" has worked
      without problems after other blackouts and changes of IP address at home.
      This morning, it didn't. Every email I try to send from the CLIENT is now
      ejected by the SERVER as follows:

      Jan 29 05:38:22 vps728 postfix/smtpd[13107]: connect from
      net-2-39-122-159.cust.dsl.vodafone.it[2.39.122.159]
      Jan 29 05:38:22 vps728 postfix/smtpd[13107]: NOQUEUE: reject: RCPT from
      net-2-39-122-159.cust.dsl.vodafone.it[2.39.122.159]: 554
      <mfioretti@...>: Recipient address rejected: Access denied;
      from=<mfioretti@...> to=<mfioretti@...> proto=ESMTP
      helo=<polaris.local>
      Jan 29 05:38:22 vps728 postfix/smtpd[13107]: disconnect from
      net-2-39-122-159.cust.dsl.vodafone.it[2.39.122.159]


      which looks like postfix on the SERVER was not aware that now 2.39.122.159
      IS in mynetworks. Why? Any help to figure out what is happening is
      welcome. I mean, until literally one minute before the blackout at home I
      was merrily sending email from home, with the very same configuration you
      see below, just the then current IP address of my home modem in the SERVER
      main.cf. Why shouldn't it work with a different address and a postfix
      restart?

      TIA,
      Marco

      ###############################################################################

      postconf -n on the SERVER:
      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      debug_peer_level = 2
      disable_vrfy_command = yes
      html_directory = /usr/share/doc/postfix-2.4.3-documentation/html
      inet_interfaces = all
      mail_owner = postfix
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      mydestination = $myhostname, localhost
      mydomain = $myhostname
      myhostname = a.mx.nexaima.net
      mynetworks = 127.0.0.0/8, 212.48.186.219, 2.39.122.59
      myorigin = $mydomain
      newaliases_path = /usr/bin/newaliases.postfix
      queue_directory = /var/spool/postfix
      readme_directory = /usr/share/doc/postfix-2.4.3-documentation/readme
      relay_domains =
      relayhost =
      sample_directory = /etc/postfix
      sendmail_path = /usr/sbin/sendmail.postfix
      setgid_group = postdrop
      smtpd_helo_required = yes
      smtpd_helo_restrictions =
      smtpd_recipient_restrictions = reject_invalid_hostname,
      reject_non_fqdn_hostname, reject_non_fqdn_sender,
      reject_non_fqdn_recipient, reject_unknown_sender_domain,
      reject_unknown_recipient_domain,
      permit_mynetworks,
      permit_sasl_authenticated,
      reject_unauth_destination,
      check_helo_access hash:/etc/postfix/reject_own_helo
      smtpd_sasl_auth_enable = yes
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file = /etc/myssl/mycert.pem
      smtpd_tls_key_file = /etc/myssl/mycert.pem
      smtpd_tls_loglevel = 1
      strict_rfc821_envelopes = yes
      unknown_address_reject_code = 554
      unknown_client_reject_code = 554
      unknown_hostname_reject_code = 554
      unknown_local_recipient_reject_code = 550
      virtual_alias_maps = hash:/etc/postfix/mymaps/valias.map
      virtual_gid_maps = static:5000
      virtual_mailbox_base = /var/mail/mymail_storage
      virtual_mailbox_domains = /etc/postfix/mymaps/vhosts.map
      virtual_mailbox_maps = hash:/etc/postfix/mymaps/vmailboxes.map
      virtual_transport = procmail
      virtual_uid_maps = static:5000

      ###############################################################################
      postconf -n on the CLIENT:

      alias_maps = hash:/etc/aliases
      biff = no
      canonical_maps = hash:/etc/postfix/canonical
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      data_directory = /var/lib/postfix
      debug_peer_level = 2
      debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
      $daemon_directory/$process_name $process_id & sleep 5
      default_privs = nobody
      default_transport = smtp
      defer_transports = smtp
      disable_dns_lookups = yes
      disable_mime_output_conversion = no
      html_directory = /usr/share/doc/packages/postfix/html
      inet_interfaces = all
      inet_protocols = all
      mail_owner = postfix
      mail_spool_directory = /var/spool/mail
      mailbox_command =
      mailbox_size_limit = 0
      mailbox_transport =
      mailq_path = /usr/bin/mailq
      manpage_directory = /usr/share/man
      masquerade_classes = envelope_sender, header_sender, header_recipient
      masquerade_domains = digifreedom.net
      masquerade_exceptions = root
      message_size_limit = 10240000
      mydestination = $myhostname, localhost.$mydomain, localhost
      mydomain = digifreedom.net
      myhostname = polaris.local
      mynetworks = 192.168.1.0/24, 127.0.0.0/8
      myorigin = $mydomain
      newaliases_path = /usr/bin/newaliases
      queue_directory = /var/spool/postfix
      readme_directory = /usr/share/doc/postfix-2.9.4/README_FILES
      relayhost = 213.179.193.33:587
      relocated_maps = hash:/etc/postfix/relocated
      sample_directory = /usr/share/doc/postfix-2.9.4/samples
      sender_canonical_maps = hash:/etc/postfix/sender_canonical
      sendmail_path = /usr/sbin/sendmail
      setgid_group = postdrop
      smtp_sasl_auth_enable = no
      smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
      smtp_use_tls = no
      smtpd_client_restrictions =
      smtpd_helo_required = no
      smtpd_helo_restrictions =
      smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
      smtpd_sasl_auth_enable = no
      smtpd_sender_restrictions = hash:/etc/postfix/access
      smtpd_use_tls = no
      strict_8bitmime = no
      strict_rfc821_envelopes = no
      transport_maps = hash:/etc/postfix/transport
      unknown_local_recipient_reject_code = 550
      virtual_maps = hash:/etc/postfix/virtual
      ################################################################
    • M. Fioretti
      Message 2 of 7 , Jan 29, 2013
        On Tue, January 29, 2013 11:43 am, M. Fioretti wrote:
        > Greetings,
        >
        > my home computer (CLIENT) has postfix configured to relay all outgoing
        > email to my actual email SERVER, that is running on a VPS. The current
        > outputs of postconf -n for both boxes are below.
        >
        > For reasons not really relevant here, a while ago I had configured the
        > SERVER to only relay for 2 IP addresses: the one of another VPS I manage,
        > and the one of my home computer. Everything worked fine until this
        > morning, when there was a blackout at home. When the ADSL modem restarted,
        > it got a different IP address from the provider, 2.39.122.159 . This was
        > not unexpected, it's a known fact with that provider. So, after the
        > blackout, I logged into the SERVER, updated the IP address of my home
        > computer in main.cf and restarted postfix. This "strategy" has worked
        > without problems after other blackouts and changes of IP address at home.
        > This morning, it didn't. Every email I try to send from the CLIENT is now
        > ejected by the SERVER as follows:
        >
        > Jan 29 05:38:22 vps728 postfix/smtpd[13107]: connect from
        > net-2-39-122-159.cust.dsl.vodafone.it[2.39.122.159]
        > Jan 29 05:38:22 vps728 postfix/smtpd[13107]: NOQUEUE: reject: RCPT from
        > net-2-39-122-159.cust.dsl.vodafone.it[2.39.122.159]: 554
        > <mfioretti@...>: Recipient address rejected: Access denied;
        > from=<mfioretti@...> to=<mfioretti@...> proto=ESMTP
        > helo=<polaris.local>
        > Jan 29 05:38:22 vps728 postfix/smtpd[13107]: disconnect from
        > net-2-39-122-159.cust.dsl.vodafone.it[2.39.122.159]

        I have no idea if it is relevant and what it may mean, but I have found
        out just now that:

        1) the control panel of my modem says my public IP address is 2.39.122.159
        2) which is the same address that postfix in the server sees, cfr the log
        above
        3) but if I ask http://www.whatismyip.com/ what my current public IP
        address is, I get a _different_ value 108.162.231.39

        more and more puzzled...
      • Tom Hendrikx
        Message 3 of 7 , Jan 29, 2013
          On 01/29/2013 11:43 AM, M. Fioretti wrote:
          >
          > which looks like postfix on the SERVER was not aware that now
          > 2.39.122.159 IS in mynetworks. Why? Any help to figure out what is
          > happening is


          > mynetworks = 127.0.0.0/8, 212.48.186.219, 2.39.122.59

          It isn't in mynetworks. Fix the typo.

          --
          Tom
        • M. Fioretti
          Message 4 of 7 , Jan 29, 2013
            there are times when a refreshing, if a bit embarrassing "shock" from
            others is the only way out of a problem.

            I can't remember how many times I DID check that string I had typed to be
            sure there were no typos before posting for help, but of course, it was
            159, not 59, sorry.

            Thanks!
            of course, any comment on this is still welcome, as well as on any
            weakness in my server postconf -n output.

            Marco

            > 1) the control panel of my modem says my public IP address is 2.39.122.159
            > 2) which is the same address that postfix in the server sees, cfr the log
            > above
            > 3) but if I ask http://www.whatismyip.com/ what my current public IP
            > address is, I get a _different_ value 108.162.231.39
          • Mark Goodge
            Message 5 of 7 , Jan 29, 2013
              On 29/01/2013 10:43, M. Fioretti wrote:
              >
              > which looks like postfix on the SERVER was not aware that now 2.39.122.159
              > IS in mynetworks. Why?
              >
              > mynetworks = 127.0.0.0/8, 212.48.186.219, 2.39.122.59

              2.39.122.159 <--- does not match ------------------^

              Mark
              --
              http://mark.goodge.co.uk
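
The mismatch pointed out in the two replies above can be checked mechanically. The following is an added example, not part of any poster's message: it takes the reject line and the `mynetworks` value quoted in this thread, tests the rejected client address against each entry, and flags entries that are nearly the same string. The function names are hypothetical, and only literal address/CIDR entries are handled (table lookups, file names and `!` exclusions are skipped).

```python
import difflib
import ipaddress
import re

# Sample input copied from this thread: the server's reject line and the
# mynetworks value from its postconf -n output.
LOG_LINE = (
    "Jan 29 05:38:22 vps728 postfix/smtpd[13107]: NOQUEUE: reject: RCPT from "
    "net-2-39-122-159.cust.dsl.vodafone.it[2.39.122.159]: 554 "
    "<mfioretti@...>: Recipient address rejected: Access denied; "
    "from=<mfioretti@...> to=<mfioretti@...> proto=ESMTP helo=<polaris.local>"
)
MYNETWORKS = "127.0.0.0/8, 212.48.186.219, 2.39.122.59"

CLIENT_RE = re.compile(r"reject: \w+ from \S+\[([0-9A-Fa-f:.]+)\]")


def rejected_client(line):
    """Return the client address from a Postfix smtpd reject line, or None."""
    m = CLIENT_RE.search(line)
    return ipaddress.ip_address(m.group(1)) if m else None


def parse_mynetworks(value):
    """Return (entry, network) pairs for literal address/CIDR entries only."""
    pairs = []
    for entry in re.split(r"[,\s]+", value.strip()):
        literal = entry.replace("[", "").replace("]", "")  # [::1]/128 style
        try:
            net = ipaddress.ip_network(literal, strict=False)
        except ValueError:
            continue  # table lookup, file name, "!" exclusion or empty string
        pairs.append((entry, net))
    return pairs


def diagnose(line, mynetworks):
    """Report whether the rejected client is covered by mynetworks."""
    client = rejected_client(line)
    if client is None:
        raise ValueError("no reject record with a client address in this line")
    pairs = parse_mynetworks(mynetworks)
    matched = [entry for entry, net in pairs if client in net]
    # An entry that is almost the same string as the client address usually
    # means a typing mistake (a dropped or swapped digit).
    near = difflib.get_close_matches(
        str(client), [entry for entry, _ in pairs], n=3, cutoff=0.9)
    return {"client": str(client), "permitted": bool(matched),
            "matched": matched, "near_misses": [] if matched else near}


if __name__ == "__main__":
    print(diagnose(LOG_LINE, MYNETWORKS))
```
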
            • Bjørn Ruberg
              Message 6 of 7 , Jan 29, 2013
                On 01/29/2013 12:14 PM, M. Fioretti wrote:
                > I have no idea if it is relevant and what it may mean, but I have found
                > out just now that:
                >
                > 1) the control panel of my modem says my public IP address is 2.39.122.159
                > 2) which is the same address that postfix in the server sees, cfr the log
                > above
                > 3) but if I ask http://www.whatismyip.com/ what my current public IP
                > address is, I get a _different_ value 108.162.231.39
                >
                > more and more puzzled...

                That's probably a (transparent?) HTTP proxy.

                Since SMTP != HTTP, you should trust your modem in this case.
                Particularly since your Postfix relay seems to agree with your modem.

                --
                Bjørn
              • /dev/rob0
                Message 7 of 7 , Jan 30, 2013
                  On Tue, Jan 29, 2013 at 12:22:35PM +0100, M. Fioretti wrote:
                  > of course, any comment on this is still welcome, as well as on any
                  > weakness in my server postconf -n output.

                  The original issue was to be able to relay from a dynamic residential
                  IP address on your server. Your solution, adding the dynamic IP to
                  mynetworks, is less than ideal in many ways. For one thing, it's a
                  high-maintenance solution, where you must change mynetworks with
                  every IP address change. For another, what if you don't get to it?
                  What if the new owner of your previous IP address is running malware
                  with an open relay tester? What if that malware finds you? Ouch!

                  The standard solution is SASL AUTH (typically also requiring TLS
                  encryption for security.) This is covered here:

                  http://www.postfix.org/SOHO_README.html#client_sasl_enable

                  A less common, but very good, solution is TLS authentication, which
                  is covered here:

                  http://www.postfix.org/TLS_README.html#server_access

                  If you don't want to get into all that, you can use a VPN like
                  openvpn to make a tunnel through which to send your mail, and add
                  your tunnel IP address to mynetworks.
                  --
                  http://rob0.nodns4.us/ -- system administration and consulting
                  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: