setting up postscreen on a system with multiple external interfaces

  • Erik Slagter
    Message 1 of 25, Feb 21, 2013
      Hello all,

      Please help me with the following. I have here a postfix system that
      listens on multiple (external) interfaces, e.g. one of them receives
      e-mail from the internet, one of them receives more or less secure mail
      from associated institutions.

      E-mail received on the "internet" interface receives full processing,
      including amavis which calls spamassassin (by proxy filter) and it
      should offer "may" level TLS (no discussion about that please ;-)).

      The e-mail received on the "secure" interface receives limited
      processing, e.g. no amavis and it doesn't need to offer TLS.

      Besides that there are also a few "internal" interfaces postfix listens
      on as well, with minimal processing, but with dkim signing.

      So there are actually multiple flows through the system, depending on
      the interface the mail was received on.

      I want to start using postscreen. Of course I am not going to "test" in
      a production environment, so I made a comparable postfix installation
      and with that installation I ran into a problem:

      The options (-o) that I specify on the various per-interface smtpd
      instances are NOT honoured anymore. I can check that quite easily
      because the hello string varies per interface and also TLS is no longer
      offered (disabled in the main.cf and enable on a per-interface basis in
      the master.cf file). When I revert to non-postscreen operation, it works
      like expected.

      Is this intentional? A known bug? Or something I should do another way?
      Anyone that has this configuration running, with postscreen?

      I must say the "howto" isn't very clear on this matter, it assumes you
      only have one external interface.

      Thanks in advance.
    • Wietse Venema
      Message 2 of 25, Feb 21, 2013
        Erik Slagter:
        > I want to start using postscreen. Of course I am not going to "test" in
        > a production environment, so I made a comparable postfix installation
        > and with that installation I ran into a problem:
        >
        > The options (-o) that I specify on the various per-interface smtpd
        > instances are NOT honoured anymore. I can check that quite easily

        If you have a problem you MUST show actual concrete evidence, so
        that it is clear whether YOU screwed or I did so.

        http://www.postfix.org/DEBUG_README.html

        Wietse
      • DTNX Postmaster
        Message 3 of 25, Feb 21, 2013
          On Feb 21, 2013, at 10:31, Erik Slagter <erik@...> wrote:

          > Hello all,
          >
          > Please help me with the following. I have here a postfix system that
          > listens on multiple (external) interfaces, e.g. one of them receives
          > e-mail from the internet, one of them receives more or less secure mail
          > from associated institutions.
          >
          > E-mail received on the "internet" interface receives full processing,
          > including amavis which calls spamassassin (by proxy filter) and it
          > should offer "may" level TLS (no discussion about that please ;-)).
          >
          > The e-mail received on the "secure" interface receives limited
          > processing, e.g. no amavis and it doesn't need to offer TLS.
          >
          > Besides that there are also a few "internal" interfaces postfix listens
          > on as well, with minimal processing, but with dkim signing.
          >
          > So there are actually multiple flows through the system, depending on
          > the interface the mail was received on.
          >
          > I want to start using postscreen. Of course I am not going to "test" in
          > a production environment, so I made a comparable postfix installation
          > and with that installation I ran into a problem:
          >
          > The options (-o) that I specify on the various per-interface smtpd
          > instances are NOT honoured anymore. I can check that quite easily
          > because the hello string varies per interface and also TLS is no longer
          > offered (disabled in the main.cf and enable on a per-interface basis in
          > the master.cf file). When I revert to non-postscreen operation, it works
          > like expected.
          >
          > Is this intentional? A known bug? Or something I should do another way?
          > Anyone that has this configuration running, with postscreen?
          >
          > I must say the "howto" isn't very clear on this matter, it assumes you
          > only have one external interface.
          >
          > Thanks in advance.

          http://www.postfix.org/POSTSCREEN_README.html

          Have you followed those instructions?

          AFAIK, you can bind 'postscreen' to a specific interface by specifying
          a hostname or an IP address in front of the port name or number in
          'master.cf';

          192.0.2.1:smtp inet .... postscreen

          And then have a regular Postfix instance on a separate address;

          192.0.2.2:smtp inet .... smtpd

          If you cannot simplify your setup, you may need this;

          http://www.postfix.org/MULTI_INSTANCE_README.html

          Other than that, post proof that options are not honored anymore. The
          most likely cause is that you are trying to apply something to
          'postscreen' that is only supported for 'smtpd'?

          Cya,
          Jona
        • Erik Slagter
          Message 4 of 25, Feb 21, 2013
            On 21-02-13 13:04, DTNX Postmaster wrote:

            >> Please help me with the following. I have here a postfix system that
            >> listens on multiple (external) interfaces, e.g. one of them receives
            >> e-mail from the internet, one of them receives more or less secure mail
            >> from associated institutions.
            >>
            >> E-mail received on the "internet" interface receives full processing,
            >> including amavis which calls spamassassin (by proxy filter) and it
            >> should offer "may" level TLS (no discussion about that please ;-)).
            >>
            >> The e-mail received on the "secure" interface receives limited
            >> processing, e.g. no amavis and it doesn't need to offer TLS.
            >>
            >> Besides that there are also a few "internal" interfaces postfix listens
            >> on as well, with minimal processing, but with dkim signing.
            >>
            >> So there are actually multiple flows through the system, depending on
            >> the interface the mail was received on.
            >>
            >> I want to start using postscreen. Of course I am not going to "test" in
            >> a production environment, so I made a comparable postfix installation
            >> and with that installation I ran into a problem:
            >>
            >> The options (-o) that I specify on the various per-interface smtpd
            >> instances are NOT honoured anymore. I can check that quite easily
            >> because the hello string varies per interface and also TLS is no longer
            >> offered (disabled in the main.cf and enable on a per-interface basis in
            >> the master.cf file). When I revert to non-postscreen operation, it works
            >> like expected.
            >>
            >> Is this intentional? A known bug? Or something I should do another way?
            >> Anyone that has this configuration running, with postscreen?
            >>
            >> I must say the "howto" isn't very clear on this matter, it assumes you
            >> only have one external interface.
            >>
            >> Thanks in advance.
            >
            > http://www.postfix.org/POSTSCREEN_README.html
            > Have you followed those instructions?

            Yes I did (of course).

            The README does NOT give any information on the use of multiple
            interfaces. It says "change ... into ..." but my master file doesn't
            have these lines. It would be much better if it would explain HOW it
            works so you can do the adjustments yourself.

            > AFAIK, you can bind 'postscreen' to a specific interface by specifying
            > a hostname or an IP address in front of the port name or number in
            > 'master.cf';
            >
            > 192.0.2.1:smtp inet .... postscreen
            >
            > And then have a regular Postfix instance on a separate address;
            >
            > 192.0.2.2:smtp inet .... smtpd

            I tried another variant:

            192.168.0.1:smtp inet ... postscreen
            -o options...

            192.168.0.1:pass inet ... smtpd
            -o options...

            This resembles the approach in the README most closely.

            Postfix does start, but it doesn't honour the options, on both
            instances. It's very simple to check, because I have postcheck report
            another welcome string on every interface. Now it shows the "default"
            welcome string; without postscreen, it gives the proper welcome string.

            > If you cannot simplify your setup, you may need this;
            > http://www.postfix.org/MULTI_INSTANCE_README.html

            Read that too. It is not completely clear to me, but I suspect this
            gives me multiple queues too, which is not what I want, I want to route
            e-mail between all interfaces.

            > Other than that, post proof that options are not honored anymore. The
            > most likely cause is that you are trying to apply something to
            > 'postscreen' that is only supported for 'smtpd'?

            See above, SMTP welcome string. Which I added as an option to both the
            smtpd and the postscreen line... None of them were honoured.
          • Birta Levente
            Message 5 of 25, Feb 21, 2013
              On 21/02/2013 15:32, Erik Slagter wrote:
              > On 21-02-13 13:04, DTNX Postmaster wrote:
              >
              >>> Please help me with the following. I have here a postfix system that
              >>> listens on multiple (external) interfaces, e.g. one of them receives
              >>> e-mail from the internet, one of them receives more or less secure mail
              >>> from associated institutions.
              >>>
              >>> E-mail received on the "internet" interface receives full processing,
              >>> including amavis which calls spamassassin (by proxy filter) and it
              >>> should offer "may" level TLS (no discussion about that please ;-)).
              >>>
              >>> The e-mail received on the "secure" interface receives limited
              >>> processing, e.g. no amavis and it doesn't need to offer TLS.
              >>>
              >>> Besides that there are also a few "internal" interfaces postfix listens
              >>> on as well, with minimal processing, but with dkim signing.
              >>>
              >>> So there are actually multiple flows through the system, depending on
              >>> the interface the mail was received on.
              >>>
              >>> I want to start using postscreen. Of course I am not going to "test" in
              >>> a production environment, so I made a comparable postfix installation
              >>> and with that installation I ran into a problem:
              >>>
              >>> The options (-o) that I specify on the various per-interface smtpd
              >>> instances are NOT honoured anymore. I can check that quite easily
              >>> because the hello string varies per interface and also TLS is no longer
              >>> offered (disabled in the main.cf and enable on a per-interface basis in
              >>> the master.cf file). When I revert to non-postscreen operation, it works
              >>> like expected.
              >>>
              >>> Is this intentional? A known bug? Or something I should do another way?
              >>> Anyone that has this configuration running, with postscreen?
              >>>
              >>> I must say the "howto" isn't very clear on this matter, it assumes you
              >>> only have one external interface.
              >>>
              >>> Thanks in advance.
              >>
              >> http://www.postfix.org/POSTSCREEN_README.html
              >> Have you followed those instructions?
              >
              > Yes I did (of course).
              >
              > The README does NOT give any information on the use of multiple
              > interfaces. It says "change ... into ..." but my master file doesn't
              > have these lines. It would be much better if it would explain HOW it
              > works so you can do the adjustments yourself.
              >
              >> AFAIK, you can bind 'postscreen' to a specific interface by specifying
              >> a hostname or an IP address in front of the port name or number in
              >> 'master.cf';
              >>
              >> 192.0.2.1:smtp inet .... postscreen
              >>
              >> And then have a regular Postfix instance on a separate address;
              >>
              >> 192.0.2.2:smtp inet .... smtpd
              >
              > I tried another variant:
              >
              > 192.168.0.1:smtp inet ... postscreen
              > -o options...
              >
              > 192.168.0.1:pass inet ... smtpd
              > -o options...
              >
              > This resembles the approach in the README most closely.
              >
              > Postfix does start, but it doesn't honour the options, on both
              > instances. It's very simple to check, because I have postcheck report
              > another welcome string on every interface. Now it shows the "default"
              > welcome string; without postscreen, it gives the proper welcome string.
              >

              It's mine:

              postscreen_greet_banner = $smtpd_banner/Postscreen enabled




              >> If you cannot simplify your setup, you may need this;
              >> http://www.postfix.org/MULTI_INSTANCE_README.html
              >
              > Read that too. It is not completely clear to me, but I suspect this
              > gives me multiple queues too, which is not what I want, I want to route
              > e-mail between all interfaces.
              >
              >> Other than that, post proof that options are not honored anymore. The
              >> most likely cause is that you are trying to apply something to
              >> 'postscreen' that is only supported for 'smtpd'?
              >
              > See above, SMTP welcome string. Which I added as an option to both the
              > smtpd and the postscreen line... None of them were honoured.
              >
            • Birta Levente
              Message 6 of 25, Feb 21, 2013
                On 21/02/2013 15:56, Erik Slagter wrote:
                > On 21-02-13 14:41, Birta Levente wrote:
                >>> Postfix does start, but it doesn't honour the options, on both
                >>> instances. It's very simple to check, because I have postcheck report
                >>> another welcome string on every interface. Now it shows the "default"
                >>> welcome string; without postscreen, it gives the proper welcome string.
                >>
                >> It's mine:
                >>
                >> postscreen_greet_banner = $smtpd_banner/Postscreen enabled
                >
                > I don't understand?
                >

                As I understand, you verify the new postscreen enabled configuration
                with welcome string, which as I understand is the smtp banner.

                The postscreen-enabled SMTP banner is set by postscreen_greet_banner.

                Levi
              • DTNX Postmaster
                Message 7 of 25, Feb 21, 2013
                  On Feb 21, 2013, at 14:32, Erik Slagter <erik@...> wrote:

                  > On 21-02-13 13:04, DTNX Postmaster wrote:
                  >
                  >> http://www.postfix.org/POSTSCREEN_README.html
                  >> Have you followed those instructions?
                  >
                  > Yes I did (of course).
                  >
                  > The README does NOT give any information on the use of multiple
                  > interfaces. It says "change ... into ..." but my master file doesn't
                  > have these lines. It would be much better if it would explain HOW it
                  > works so you can do the adjustments yourself.

                  [snip]

                  >> Other than that, post proof that options are not honored anymore. The
                  >> most likely cause is that you are trying to apply something to
                  >> 'postscreen' that is only supported for 'smtpd'?
                  >
                  > See above, SMTP welcome string. Which I added as an option to both the
                  > smtpd and the postscreen line... None of them were honoured.

                  Postscreen has its own set of options. Read the documentation;

                  http://www.postfix.org/postscreen.8.html

                  Also, avoid trying to 'optimize' for cosmetic reasons. Things like the
                  welcome string are generally only seen by machines, have no impact on
                  the operation of the mail server in general, and so on. But if you
                  cannot resist doing so, this may be what you are looking for;

                  http://www.postfix.org/postconf.5.html#postscreen_greet_banner

                  Cya,
                  Jona
                • Erik Slagter
                  Message 8 of 25, Feb 21, 2013
                    On 21-02-13 15:29, DTNX Postmaster wrote:
                    >> See above, SMTP welcome string. Which I added as an option to both the
                    >> smtpd and the postscreen line... None of them were honoured.
                    >
                    > Postscreen has its own set of options. Read the documentation;
                    > http://www.postfix.org/postscreen.8.html

                    man postscreen.

                    The postscreen (and fwiw tlsproxy) has its own set of options which
                    are... by default... copied from the standard smtpd_* options!

                    Also tried it with setting these options explicitly (with no success),
                    but didn't want to flood information.

                    > Also, avoid trying to 'optimize' for cosmetic reasons. Things like the
                    > welcome string are generally only seen by machines, have no impact on
                    > the operation of the mail server in general, and so on. But if you
                    > cannot resist doing so, this may be what you are looking for;
                    >
                    > http://www.postfix.org/postconf.5.html#postscreen_greet_banner

                    The welcome string is very important for me, because, as may be obvious
                    now, that's a very quick way to check if per-interface settings are
                    honoured. This is completely NOT about the welcome string in itself,
                    it's about per-interface options not being honoured, so I end up without
                    TLS support on the outside interface, whilst if I disable postscreen, it
                    simply works!

                    The only thing I need is an example of a master.cf file where postfix
                    listens on various interfaces with different options, and then the same
                    with postscreen enabled and still working (i.e. the per-interface smtpd
                    options are honoured).

                    Or a good explanation of the workflow of postscreen, a.o. what the two
                    "example" lines in the README actually do, so I can adapt that to my
                    situation.

                    Thx.
                  • Wietse Venema
                    Message 9 of 25, Feb 21, 2013
                      Erik Slagter:
                      > I tried another variant:
                      >
                      > 192.168.0.1:smtp inet ... postscreen
                      > -o options...
                      >
                      > 192.168.0.1:pass inet ... smtpd
                      > -o options...

                      If you don't show the exact options and the exact logging
                      then no-one can say what mistake YOU are making.

                      Wietse
                    • Erik Slagter
                      Message 10 of 25, Feb 21, 2013
                        On 21-02-13 15:50, Wietse Venema wrote:
                        > Erik Slagter:
                        >> I tried another variant:
                        >>
                        >> 192.168.0.1:smtp inet ... postscreen
                        >> -o options...
                        >>
                        >> 192.168.0.1:pass inet ... smtpd
                        >> -o options...
                        >
                        > If you don't show the exact options and the exact logging
                        > then no-one can say what mistake YOU are making.

                        Okay, I didn't post the complete master.cf because I thought it wouldn't
                        be necessary, so here it comes. This is the "plain" version that works,
                        without postscreen enabled. If somebody can explain to me how to
                        transform this into something working with postscreen enabled AND TLS
                        working on the outside interface (ppp0, ipv4 and ipv6), I'd be very
                        grateful, but really I've tried various approaches without luck.
                        Postscreen in itself is working fine, btw.

                        # ==========================================================================
                        # service   type  private unpriv  chroot  wakeup  maxproc command + args
                        #                 (yes)   (yes)   (yes)   (never) (100)
                        # ==========================================================================

                        #smtp      inet  n       -       n       -       1       smtpd
                        #smtp      inet  n       -       n       -       1       postscreen
                        #smtpd     pass  -       -       n       -       -       smtpd
                        #dnsblog   unix  -       -       n       -       0       dnsblog
                        #tlsproxy  unix  -       -       n       -       0       tlsproxy

                        #
                        # outside -> inside
                        # postfix(25) -> amavis(10025)
                        #

                        mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                            -o myhostname=eriks.xs4all.nl
                            -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
                            -o smtpd_tls_security_level=may
                            -o postscreen_tls_security_level=may
                            -o tlsproxy_tls_security_level=may
                            -o smtpd_proxy_filter=nemesis.ipv4:10025
                            -o soft_bounce=no
                            -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4

                        mx1.ipv6.slagter.name:smtp inet n - n - 2 smtpd
                            -o myhostname=mx1.ipv6.slagter.name
                            -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
                            -o smtpd_tls_security_level=may
                            -o postscreen_tls_security_level=may
                            -o tlsproxy_tls_security_level=may
                            -o smtpd_proxy_filter=nemesis.ipv4:10025
                            -o soft_bounce=no
                            -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6

                        #
                        # amavis(10025) -> postfix(10026)
                        #

                        nemesis.ipv4:10026 inet n - n - 2 smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-10026
                            -o smtpd_client_restrictions=
                            -o smtpd_authorized_xforward_hosts=10.1.1.1

                        #
                        # postfix(25) -> dkimproxy(11025)
                        #

                        nemesis.ipv4:smtp inet n - n - 2 smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-eth0-ipv4-25
                            -o mynetworks=127.0.0.0/8
                            -o smtpd_proxy_filter=nemesis.ipv4:11025

                        nemesis.ipv6:smtp inet n - n - 2 smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-eth0-ipv6-25
                            -o smtpd_proxy_filter=nemesis.ipv4:11025

                        #
                        # dkimproxy(11025) -> postfix(11026)
                        #

                        nemesis.ipv4:11026 inet n - n - 2 smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-11026
                            -o smtpd_client_restrictions=
                            -o smtpd_authorized_xforward_hosts=10.1.1.1

                        #
                        # locally generated
                        #

                        #localhost.ipv4:smtp inet n - n - - postscreen
                        localhost.ipv4:smtp inet n - n - - smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-25
                            -o mynetworks=127.0.0.0/8

                        #nemesis.ipv4:smtp inet n - n - - postscreen
                        nemesis.ipv4:smtp inet n - n - - smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-vlan2-alt-ipv4-25
                            -o mynetworks=10.0.2.0/24

                        ::1:smtp inet n - n - - smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv6-25

                        pickup    fifo  n - n 60    1 pickup
                        cleanup   unix  n - n -     0 cleanup
                        qmgr      fifo  n - n 300   1 qmgr
                        tlsmgr    unix  - - n 1000? 1 tlsmgr
                        rewrite   unix  - - n -     - trivial-rewrite
                        bounce    unix  - - n -     0 bounce
                        defer     unix  - - n -     0 bounce
                        trace     unix  - - n -     0 bounce
                        verify    unix  - - n -     1 verify
                        flush     unix  n - n 1000? 0 flush
                        proxymap  unix  - - n -     - proxymap
                        smtp      unix  - - n -     - smtp
                        relay     unix  - - n -     - smtp
                            -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
                        showq     unix  n - n -     - showq
                        error     unix  - - n -     - error
                        local     unix  - n n -     - local
                        virtual   unix  - n n -     - virtual
                        lmtp      unix  - - n -     - lmtp
                        anvil     unix  - - n -     1 anvil

                        smtp-inside unix - - n - - smtp
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtp_bind_address6=2001:980:5fef:1::1

                        smtp-default unix - - n - - smtp
                            -o myhostname=eriks.xs4all.nl
                            -o smtp_helo_name=eriks.xs4all.nl
                            -o smtp_bind_address6=2001:980:5fef::1
                            -o smtp_tls_security_level=may
                      • Wietse Venema
                        Message 11 of 25 , Feb 21, 2013
                          Erik Slagter:
                          > On 21-02-13 15:50, Wietse Venema wrote:
                          > > Erik Slagter:
                          > >> I tried another variant:
                          > >>
                          > >> 192.168.0.1:smtp inet ... postscreen
                          > >> -o options...
                          > >>
                          > >> 192.168.0.1:pass inet ... smtpd
                          > >> -o options...
                          > >
                          > > If you don't show the exact options and the exact logging
                          > > then no-one can say what mistake YOU are making.
                          >
                          > Okay, I didn't post the complete master.cf because I thought it wouldn't
                          > be necessary, so here it comes. This is the "plain" version that works,
                          > without postscreen enabled. If somebody can explain to me how to

                          TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

                          TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

                          Thank you for using Postfix.
                        • Erik Slagter
                          Message 12 of 25 , Feb 21, 2013
                            On 21-02-13 16:16, Wietse Venema wrote:
                            > Erik Slagter:
                            > TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
                            > TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
                            > Thank you for using Postfix.

                            And I always thought I could be blunt at moments ;-)

                            PROBLEM (apparently this is a "problem")

                            * Summary

                            Setting up postscreen on a system with multiple external interfaces
                            causes per-interface smtpd options not to be honoured

                            * Complete error messages

                            None.

                            * Postfix logging

                            None relevant (really! the logging is exactly the same for postscreen
                            and non-postscreen operation, up to the point where the problem occurs).

                            * Postconf -n

                            alias_database = hash:/etc/postfix/aliases
                            alias_maps = hash:/etc/postfix/aliases
                            allow_mail_to_commands = alias,forward
                            allow_mail_to_files = alias,forward
                            append_at_myorigin = yes
                            append_dot_mydomain = yes
                            command_time_limit = 300
                            config_directory = /etc/postfix
                            data_directory = /var/lib/postfix
                            default_destination_concurrency_limit = 2
                            default_privs = amavis
                            default_transport = smtp-default
                            delay_warning_time = 4
                            fast_flush_domains = $mydomain
                            inet_protocols = ipv6 ipv4
                            local_destination_concurrency_limit = 2
                            local_transport = local
                            mail_owner = postfix
                            mailbox_size_limit = 0
                            masquerade_domains = $mydomain
                            masquerade_exceptions = root
                            maximal_backoff_time = 1h
                            maximal_queue_lifetime = 21d
                            message_size_limit = 100000000
                            minimal_backoff_time = 2m
                            mydestination = nemesis.slagter.name, eriks.xs4all.nl, $myhostname, localhost.$mydomain, localhost
                            mydomain = slagter.name
                            myhostname = nemesis.slagter.name
                            mynetworks = 10.0.0.0/8, 127.0.0.0/8, [2001:980:5fef::]/48 [::1]/128 [fe80::]/10
                            myorigin = $mydomain
                            notify_classes = bounce,2bounce,data,delay,resource,software
                            postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
                            postscreen_bare_newline_action = enforce
                            postscreen_bare_newline_enable = yes
                            postscreen_blacklist_action = enforce
                            postscreen_cache_retention_time = 30d
                            postscreen_greet_action = enforce
                            postscreen_greet_banner = $smtpd_banner postscreen
                            postscreen_greet_ttl = 1h
                            postscreen_greet_wait = 2s
                            postscreen_non_smtp_command_action = enforce
                            postscreen_non_smtp_command_enable = yes
                            postscreen_pipelining_enable = yes
                            queue_directory = /var/spool/postfix
                            queue_minfree = 0
                            queue_run_delay = 5m
                            recipient_delimiter = +
                            relay_domains = slagter.name, erikslag@..., eriks.xs4all.nl
                            setgid_group = postdrop
                            smtp_helo_name = eriks.xs4all.nl
                            smtp_send_xforward_command = yes
                            smtp_tls_block_early_mail_reply = yes
                            smtp_tls_cert_file = /etc/postfix/mx1_slagter_name_all_crt.pem
                            smtp_tls_key_file = /etc/postfix/mx1_slagter_name_key.pem
                            smtp_tls_loglevel = 1
                            smtp_tls_security_level = none
                            smtpd_authorized_xforward_hosts = 127.0.0.0/8,10.1.0.0/16,10.0.0.0/16
                            smtpd_banner = $myhostname ESMTP $mail_name
                            smtpd_client_restrictions = permit
                            smtpd_delay_reject = no
                            smtpd_etrn_restrictions = permit
                            smtpd_helo_required = yes
                            smtpd_helo_restrictions = permit
                            smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unauth_destination check_recipient_access hash:/etc/postfix/local_users permit
                            smtpd_sender_restrictions = permit
                            smtpd_tls_ask_ccert = yes
                            smtpd_tls_cert_file = /etc/postfix/mx1_slagter_name_all_crt.pem
                            smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
                            smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
                            smtpd_tls_key_file = /etc/postfix/mx1_slagter_name_key.pem
                            smtpd_tls_loglevel = 1
                            smtpd_tls_received_header = yes
                            smtpd_tls_req_ccert = no
                            smtpd_tls_security_level = none
                            strict_rfc821_envelopes = no
                            tls_random_source = dev:/dev/urandom
                            transport_maps = hash:/etc/postfix/transport
                            virtual_alias_maps = hash:/etc/postfix/virtual

                            * Postfinger

                            postfinger - postfix configuration on do feb 21 16:32:28 CET 2013
                            version: 1.30

                            Warning: postfinger output may show private configuration information,
                            such as ip addresses and/or domain names which you do not want to show
                            to the public. If this is the case it is your responsibility to modify
                            the output to hide this private information. [Remove this warning with
                            the --nowarn option.]

                            --System Parameters--
                            mail_version = 2.9.4
                            hostname = nemesis
                            uname = Linux nemesis 3.5.3 #1 SMP Thu Aug 30 18:52:19 CEST 2012 x86_64 x86_64 x86_64 GNU/Linux

                            --Packaging information--
                            looks like this postfix comes from RPM package: postfix-2.9.4-2.fc17.x86_64

                            --main.cf non-default parameters--
                            alias_database = hash:/etc/postfix/aliases
                            alias_maps = hash:/etc/postfix/aliases
                            allow_mail_to_commands = alias,forward
                            allow_mail_to_files = alias,forward
                            command_time_limit = 300
                            default_destination_concurrency_limit = 2
                            default_privs = amavis
                            default_transport = smtp-default
                            delay_warning_time = 4
                            fast_flush_domains = $mydomain
                            inet_protocols = ipv6 ipv4
                            local_transport = local
                            mailbox_size_limit = 0
                            masquerade_domains = $mydomain
                            masquerade_exceptions = root
                            maximal_backoff_time = 1h
                            maximal_queue_lifetime = 21d
                            message_size_limit = 100000000
                            minimal_backoff_time = 2m
                            mydestination = nemesis.slagter.name, eriks.xs4all.nl, $myhostname, localhost.$mydomain, localhost
                            mydomain = slagter.name
                            myhostname = nemesis.slagter.name
                            mynetworks = 10.0.0.0/8, 127.0.0.0/8, [2001:980:5fef::]/48 [::1]/128 [fe80::]/10
                            myorigin = $mydomain
                            notify_classes = bounce,2bounce,data,delay,resource,software
                            postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
                            postscreen_bare_newline_action = enforce
                            postscreen_bare_newline_enable = yes
                            postscreen_blacklist_action = enforce
                            postscreen_cache_retention_time = 30d
                            postscreen_greet_action = enforce
                            postscreen_greet_banner = $smtpd_banner postscreen
                            postscreen_greet_ttl = 1h
                            postscreen_greet_wait = 2s
                            postscreen_non_smtp_command_action = enforce
                            postscreen_non_smtp_command_enable = yes
                            postscreen_pipelining_enable = yes
                            queue_run_delay = 5m
                            recipient_delimiter = +
                            relay_domains = slagter.name, erikslag@..., eriks.xs4all.nl
                            smtpd_authorized_xforward_hosts = 127.0.0.0/8,10.1.0.0/16,10.0.0.0/16
                            smtpd_client_restrictions = permit
                            smtpd_delay_reject = no
                            smtpd_etrn_restrictions = permit
                            smtpd_helo_required = yes
                            smtpd_helo_restrictions = permit
                            smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unauth_destination check_recipient_access hash:/etc/postfix/local_users permit
                            smtpd_sender_restrictions = permit
                            smtpd_tls_ask_ccert = yes
                            smtpd_tls_cert_file = /etc/postfix/mx1_slagter_name_all_crt.pem
                            smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
                            smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
                            smtpd_tls_key_file = /etc/postfix/mx1_slagter_name_key.pem
                            smtpd_tls_loglevel = 1
                            smtpd_tls_received_header = yes
                            smtpd_tls_security_level = none
                            smtp_helo_name = eriks.xs4all.nl
                            smtp_send_xforward_command = yes
                            smtp_tls_block_early_mail_reply = yes
                            smtp_tls_cert_file = /etc/postfix/mx1_slagter_name_all_crt.pem
                            smtp_tls_key_file = /etc/postfix/mx1_slagter_name_key.pem
                            smtp_tls_loglevel = 1
                            smtp_tls_security_level = none
                            transport_maps = hash:/etc/postfix/transport
                            virtual_alias_maps = hash:/etc/postfix/virtual

                            --master.cf--
                            mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                            -o myhostname=eriks.xs4all.nl
                            -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
                            -o smtpd_tls_security_level=may
                            -o postscreen_tls_security_level=may
                            -o tlsproxy_tls_security_level=may
                            -o smtpd_proxy_filter=nemesis.ipv4:10025
                            -o soft_bounce=no
                            -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
                            mx1.ipv6.slagter.name:smtp inet n - n - 2 smtpd
                            -o myhostname=mx1.ipv6.slagter.name
                            -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
                            -o smtpd_tls_security_level=may
                            -o postscreen_tls_security_level=may
                            -o tlsproxy_tls_security_level=may
                            -o smtpd_proxy_filter=nemesis.ipv4:10025
                            -o soft_bounce=no
                            -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6
                            nemesis.ipv4:10026 inet n - n - 2 smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-10026
                            -o smtpd_client_restrictions=
                            -o smtpd_authorized_xforward_hosts=10.1.1.1
                            nemesis.ipv4:smtp inet n - n - 2 smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-eth0-ipv4-25
                            -o mynetworks=127.0.0.0/8
                            -o smtpd_proxy_filter=nemesis.ipv4:11025
                            nemesis.ipv6:smtp inet n - n - 2 smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-eth0-ipv6-25
                            -o smtpd_proxy_filter=nemesis.ipv4:11025
                            nemesis.ipv4:11026 inet n - n - 2 smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-11026
                            -o smtpd_client_restrictions=
                            -o smtpd_authorized_xforward_hosts=10.1.1.1
                            localhost.ipv4:smtp inet n - n - - smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv4-25
                            -o mynetworks=127.0.0.0/8
                            nemesis.ipv4:smtp inet n - n - - smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-vlan2-alt-ipv4-25
                            -o mynetworks=10.0.2.0/24
                            ::1:smtp inet n - n - - smtpd
                            -o smtpd_recipient_restrictions=permit_mynetworks,reject
                            -o body_checks=
                            -o header_checks=
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtpd_banner=nemesis.slagter.name-ESMTP-$mail_name-lo-ipv6-25
                            pickup fifo n - n 60 1 pickup
                            cleanup unix n - n - 0 cleanup
                            qmgr fifo n - n 300 1 qmgr
                            tlsmgr unix - - n 1000? 1 tlsmgr
                            rewrite unix - - n - - trivial-rewrite
                            bounce unix - - n - 0 bounce
                            defer unix - - n - 0 bounce
                            trace unix - - n - 0 bounce
                            verify unix - - n - 1 verify
                            flush unix n - n 1000? 0 flush
                            proxymap unix - - n - - proxymap
                            smtp unix - - n - - smtp
                            relay unix - - n - - smtp -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
                            showq unix n - n - - showq
                            error unix - - n - - error
                            local unix - n n - - local
                            virtual unix - n n - - virtual
                            lmtp unix - - n - - lmtp
                            anvil unix - - n - 1 anvil
                            smtp-inside unix - - n - - smtp
                            -o myhostname=nemesis.slagter.name
                            -o smtp_helo_name=nemesis.slagter.name
                            -o smtp_bind_address6=2001:980:5fef:1::1
                            smtp-default unix - - n - - smtp
                            -o myhostname=eriks.xs4all.nl
                            -o smtp_helo_name=eriks.xs4all.nl
                            -o smtp_bind_address6=2001:980:5fef::1
                            -o smtp_tls_security_level=may

                            -- end of postfinger output --

                            * All other paragraphs are not relevant.

                            Thank you for your attention.
                          • Reindl Harald
                            Message 13 of 25 , Feb 21, 2013
                              Am 21.02.2013 16:35, schrieb Erik Slagter:

                              > mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                              > -o myhostname=eriks.xs4all.nl
                              > -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
                              > -o smtpd_tls_security_level=may
                              > -o postscreen_tls_security_level=may
                              > -o tlsproxy_tls_security_level=may
                              > -o smtpd_proxy_filter=nemesis.ipv4:10025
                              > -o soft_bounce=no
                              > -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4

                              and how is this supposed to use postscreen
                              with "smtpd" instead of "postscreen" as the command?
                            • Erik Slagter
                              Message 14 of 25 , Feb 21, 2013
                                If I set up postscreen as closely as possible to the postscreen README
                                document, I get this (diff to previous message) (I'm sorry lots of it
                                has been folded). The log says "address already in use for 10.1.1.1";
                                this is interesting because none of the changes involved 10.1.1.1.

                                --- a 2013-02-21 16:37:18.348109048 +0100
                                +++ b 2013-02-21 17:25:24.337265305 +0100
                                @@ -8,7 +8,7 @@

                                * Postfix logging

                                -None relevant (really! the logging is exactly the same for postscreen
                                and non-postscreen operation, up to the problem the problem occurs).
                                +Feb 21 16:46:03 nemesis-vlan1 postfix/master[28268]: fatal: bind
                                10.1.1.1 port 25: Address already in use

                                * Postconf -n

                                @@ -93,7 +93,7 @@

                                * Postfinger

                                -Postfinger - postfix configuration on do feb 21 16:32:28 CET 2013
                                +postfinger - postfix configuration on do feb 21 17:24:49 CET 2013
                                version: 1.30

                                Warning: postfinger output may show private configuration information,
                                @@ -178,7 +178,10 @@
                                virtual_alias_maps = hash:/etc/postfix/virtual

                                --master.cf--
                                -mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                                +smtp inet n - n - 1 postscreen
                                +dnsblog unix - - n - 0 dnsblog
                                +tlsproxy unix - - n - 0 tlsproxy
                                +mx1.ipv4.slagter.name:smtp pass n - n - 2 smtpd
                                -o myhostname=eriks.xs4all.nl
                                -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
                                -o smtpd_tls_security_level=may
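Review bot: the added `smtp inet n - n - 1 postscreen` line has no `host:` prefix, so it listens on port 25 of every address, and master then also tries to bind the addresses already claimed by the address-specific `inet` listeners that remain in the file (the `nemesis.ipv4:smtp`, `nemesis.ipv6:smtp`, `localhost.ipv4:smtp` and `::1:smtp` entries from the previous message); that matches the `bind 10.1.1.1 port 25: Address already in use` fatal error in the first hunk. The renamed pass service is a second problem: postscreen hands accepted clients to the pass service named by its `smtpd_service_name` parameter (default `smtpd`), and no pass service called `smtpd` exists here, so `mx1.ipv4.slagter.name:smtp pass n - n - 2 smtpd` is never reached. Suggest one `host:smtp inet ... postscreen` entry per external address, each carrying `-o smtpd_service_name=<its own pass service>`, with the `smtpd_*` `-o` options on that pass entry.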
                                @@ -187,7 +190,7 @@
                                -o smtpd_proxy_filter=nemesis.ipv4:10025
                                -o soft_bounce=no
                                -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
                                -mx1.ipv6.slagter.name:smtp inet n - n - 2 smtpd
                                +mx1.ipv6.slagter.name:smtp pass n - n - 2 smtpd
                                -o myhostname=mx1.ipv6.slagter.name
                                -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
                                -o smtpd_tls_security_level=may
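Review bot: `-o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4` is attached to a `pass ... smtpd` entry, where smtpd ignores it; `postscreen_*` parameters only take effect as `-o` overrides on the postscreen entry itself, and with the single unqualified postscreen listener from the previous hunk only one cache map would be in use anyway. The same applies to the IPv6 entry converted to `pass` here. Move the postscreen overrides to the postscreen listener (one per address if the caches are to stay separate).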
                                @@ -288,3 +291,6 @@
                                -- end of postfinger output --
                              • Erik Slagter
                                Message 15 of 25 , Feb 21, 2013
                                  Another variation I tried ("pass" and "postscreen" the other way
                                  around). This works, but gives the original problem: the smtpd options
                                  are not honoured (especially banner and starttls="may"), even though I
                                  set both:

                                  -o smtpd_tls_security_level=may
                                  -o postscreen_tls_security_level=may

                                  Output of postfinger, diff to first non-postscreen config:

                                  --- a 2013-02-21 17:35:41.568369098 +0100
                                  +++ c 2013-02-21 17:38:58.274633686 +0100
                                  @@ -1,4 +1,4 @@
                                  -Postfinger - postfix configuration on do feb 21 16:32:28 CET 2013
                                  +postfinger - postfix configuration on do feb 21 17:38:58 CET 2013
                                  version: 1.30

                                  Warning: postfinger output may show private configuration information,
                                  @@ -83,7 +83,10 @@
                                  virtual_alias_maps = hash:/etc/postfix/virtual

                                  --master.cf--
                                  -mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                                  +smtpd pass - - n - - smtpd
                                  +dnsblog unix - - n - 0 dnsblog
                                  +tlsproxy unix - - n - 0 tlsproxy
                                  +mx1.ipv4.slagter.name:smtp inet n - n - 2 postscreen
                                  -o myhostname=eriks.xs4all.nl
                                  -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
                                  -o smtpd_tls_security_level=may
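Review bot: the `-o smtpd_*` overrides now sit on the `inet ... postscreen` entry, but postscreen does not run the SMTP session; it hands clients to the single `smtpd pass - - n - - smtpd` service added above, which carries no overrides, so that smtpd runs with the main.cf values (`smtpd_tls_security_level = none`, the default `smtpd_banner`). That is exactly the symptom reported in the message: the banner and STARTTLS from these `-o` lines are never seen by the process that talks to the client (`-o smtpd_banner` on the postscreen entry only reaches the postscreen teaser banner via `postscreen_greet_banner = $smtpd_banner postscreen`). Move the `smtpd_*` overrides to the pass entry; to keep them different per listener, define one pass service per postscreen listener and point each listener at its own with `-o smtpd_service_name=...` (a postscreen parameter, default `smtpd`).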
                                  @@ -92,7 +95,7 @@
                                  -o smtpd_proxy_filter=nemesis.ipv4:10025
                                  -o soft_bounce=no
                                  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
                                  -mx1.ipv6.slagter.name:smtp inet n - n - 2 smtpd
                                  +mx1.ipv6.slagter.name:smtp pass n - n - 2 postscreen
                                  -o myhostname=mx1.ipv6.slagter.name
                                  -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
                                  -o smtpd_tls_security_level=may
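Review bot: the IPv6 line became `mx1.ipv6.slagter.name:smtp pass n - n - 2 postscreen`, which does not match the IPv4 line (`inet ... postscreen`): a `pass` service receives descriptors over a local socket instead of listening on the named address, so this entry never accepts connections on the IPv6 address. It should be `inet` like its IPv4 counterpart, with the same per-listener `smtpd_service_name` split.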

                                  * Log output

                                  Feb 21 17:42:40 nemesis-vlan1 postfix/master[4547]: daemon started -- version 2.9.4, configuration /etc/postfix
                                  Feb 21 17:42:42 nemesis-vlan1 postfix/postscreen[4553]: CONNECT from [10.1.1.5]:49309 to [83.163.214.71]:25
                                  Feb 21 17:42:42 nemesis-vlan1 postfix/postscreen[4553]: WHITELISTED [10.1.1.5]:49309
                                  Feb 21 17:42:42 nemesis-vlan1 postfix/postscreen[4553]: cache btree:/var/lib/postfix/postscreen_cache-ipv4 full cleanup: retained=5 dropped=0 entries
                                  Feb 21 17:42:42 nemesis-vlan1 postfix/smtpd[4554]: connect from eos.ipv4.slagter.name[10.1.1.5]
                                  Feb 21 17:42:50 nemesis-vlan1 postfix/smtpd[4554]: disconnect from eos.ipv4.slagter.name[10.1.1.5]
                                • Reindl Harald
                                  Message 16 of 25 , Feb 21, 2013
                                    Am 21.02.2013 17:46, schrieb Erik Slagter:
                                    > Another variation I tried ("pass" and "postscreen" the other way around). This works, but gives the original
                                    > problem, the smtpd options are not honoured (especially banner and starttls="may"), even though I set both:

                                    postscreen != smtpd so why should it do so?
                                    http://www.postfix.org/postscreen.8.html

                                    The Postfix postscreen(8) server provides additional protection
                                    against mail server overload. One postscreen(8) process handles
                                    multiple inbound SMTP connections, and decides which clients may
                                    talk to a Postfix SMTP server process.
                                  • Erik Slagter
                                    Message 17 of 25 , Feb 21, 2013
                                      On 21-02-13 16:45, Reindl Harald wrote:
                                      > Am 21.02.2013 16:35, schrieb Erik Slagter:
                                      >
                                      >> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                                      >> [ ... ]

                                      > and how should this be supposed to use postscreen
                                      > with "smtpd" instead of "postscreen" as command?

                                      Interesting how anybody is keen on telling me I am doing it wrong, which
                                      I sort of already had figured because it doesn't work... On the other
                                      hand nobody has given a hint on how to do it "right" then.

                                      Likewise people pointing me to the postscreen HOWTO, which I've been
                                      reading numerous times now and really does _not_ give an answer to this
                                      problem.

                                      >> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                                      >> [ ... ]

                                      > and how should this be supposed to use postscreen
                                      > with "smtpd" instead of "postscreen" as command?

                                      Well don't ask me, I don't know, I am just trying "everything" because
                                      the documentation doesn't tell me how to do it?
                                    • DTNX Postmaster
                                      Message 18 of 25 , Feb 21, 2013
                                        On Feb 21, 2013, at 18:28, Erik Slagter <erik@...> wrote:

                                        > On 21-02-13 16:45, Reindl Harald wrote:
                                        >> Am 21.02.2013 16:35, schrieb Erik Slagter:
                                        >>
                                        >>> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                                        > >> [ ... ]
                                        >
                                        >> and how should this be supposed to use postscreen
                                        >> with "smtpd" instead of "postscreen" as command?
                                        >
                                        > Interesting how anybody is keen on telling me I am doing it wrong, which I sort of already had figured because it doesn't work... On the other hand nobody has given a hint on how to do it "right" then.
                                        >
                                        > Likewise people pointing me to the postscreen HOWTO, which I've been reading numerous times now and really does _not_ give an answer to this problem.
                                        >
                                        > >> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                                        > >> [ ... ]
                                        >
                                        > > and how should this be supposed to use postscreen
                                        > > with "smtpd" instead of "postscreen" as command?
                                        >
                                        > Well don't ask me, I don't know, I am just trying "everything" because the documentation doesn't tell me how to do it?

                                        You keep blaming the documentation and the software, when the problem
                                        is most likely in your understanding of it.

                                        Simplify your configuration. Don't assume that what goes for 'smtpd'
                                        goes for 'postscreen' as well. Pick sensible defaults for 'main.cf',
                                        and override only the options that are absolutely necessary.

                                        If you have a legitimate reason (as in, contractual obligations or
                                        whatnot) to require separate hostnames, greetings, TLS settings and
                                        such, use the multi-instance features and separate them. Otherwise the
                                        KISS principle applies.

                                        Cya,
                                        Jona
                                      • Noel Jones
                                        Message 19 of 25 , Feb 21, 2013
                                          On 2/21/2013 10:46 AM, Erik Slagter wrote:
                                          > Another variation I tried ("pass" and "postscreen" the other way
                                          > around).


                                          You've shared too much. By now no one has any idea what you're doing.

                                          Overview:

                                          Postscreen is a front-end listener for smtpd. It's not a proxy.
                                          Incoming connections are handled by postscreen until postscreen
                                          either decides it's clean and passes the connection endpoint to
                                          smtpd, or rejected. This is covered in more detail in the
                                          POSTSCREEN_README.

                                          When postscreen decides to pass the connection to smtpd, postscreen
                                          is no longer involved, and smtpd has no knowledge of what transpired
                                          between postscreen and a client.


                                          Solution:

                                          [this is not a complete how-to, but will show you how to use
                                          multiple interfaces]

                                          At some point you reported:


                                          > mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                                          > -o myhostname=eriks.xs4all.nl
                                          > -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
                                          > -o smtpd_tls_security_level=may

                                          Ok.

                                          > -o postscreen_tls_security_level=may
                                          > -o tlsproxy_tls_security_level=may

                                          Both of these belong in main.cf, or better, set main.cf:
                                          "smtpd_tls_security_level = may" and leave these at their defaults.

                                          > -o smtpd_proxy_filter=nemesis.ipv4:10025
                                          > -o soft_bounce=no
                                          > -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4

                                          The cache map parameter belongs in main.cf. Probably a mistake to
                                          create separate caches.

                                          Same comments as above for the smtpd listener below.

                                          >
                                          > mx1.ipv6.slagter.name:smtp inet n - n - 2 smtpd
                                          > -o myhostname=mx1.ipv6.slagter.name
                                          > -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
                                          > -o smtpd_tls_security_level=may
                                          > -o postscreen_tls_security_level=may
                                          > -o tlsproxy_tls_security_level=may
                                          > -o smtpd_proxy_filter=nemesis.ipv4:10025
                                          > -o soft_bounce=no
                                          > -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6



                                          For the TLS part, it will be much easier to turn TLS on in main.cf,
                                          then turn it off on the interfaces where you don't want to offer it
                                          with "-o smtpd_tls_security_level=none".

                                          # main.cf
                                          smtpd_tls_security_level = may

                                          For the greeting banners, set them as macros in main.cf and then
                                          refer to them by $name in master.cf

                                          # main.cf
                                          postscreen_greet_v4 = postscreen.v4.mx1 ESMTP greets you
                                          postscreen_greet_v6 = postscreen.v6.mx1 ESMTP greets you


                                          Now tell postscreen which ports to listen on and to enable the banner:

                                          # master.cf

                                          mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
                                          -o postscreen_greet_banner=$postscreen_greet_v4

                                          mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
                                          -o postscreen_greet_banner=$postscreen_greet_v6



                                          Next we tell smtpd to get its connections from postscreen.
                                          On your existing "smtp ... smtpd" entries where you want postscreen,
                                          change the "smtp inet n" part to "smtp pass -"
                                          This is described in detail in
                                          http://www.postfix.org/POSTSCREEN_README.html#config

                                          so your existing entry:
                                          > mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd

                                          would become:
                                          mx1.ipv4.slagter.name:smtp pass - - n - 2 smtpd




                                          Good luck.



                                          -- Noel Jones
                                        • Erik Slagter
                                          Message 20 of 25 , Feb 21, 2013
                                            On 21-02-13 19:17, DTNX Postmaster wrote:

                                            > You keep blaming the documentation and the software, when the problem
                                            > is most likely in your understanding of it.

                                            Yes I blame the documentation, but not the software. I've been using
                                            postfix for, well, something like ten years or more, I think it's the
                                            best thing since sliced bread, especially compared to sendmail, qmail
                                            and exchange.

                                            The way I've configured it now, really suits the demands. I cannot
                                            remember any phrases in the documentation recommending not to do it this
                                            way (i.e. start multiple smtp listeners on different addresses with
                                            different options, in one master process). If it actually appears to be
                                            disrecommended, then that's clear to me, no problem.

                                            > Simplify your configuration. Don't assume that what goes for 'smtpd'
                                            > goes for 'postscreen' as well.

                                            I'd like to, but where do I find what I CAN assume? The factual
                                            documentation of postscreen is so sparse, it's mostly HOWTO,
                                            monkey-see-monkey-do.

                                            > Pick sensible defaults for 'main.cf',
                                            > and override only the options that are absolutely necessary.

                                            That's already done.

                                            > If you have a legitimate reason (as in, contractual obligations or
                                            > whatnot) to require separate hostnames, greetings, TLS settings and
                                            > such, use the multi-instance features and separate them. Otherwise the
                                            > KISS principle applies.

                                            Actually this way is much more KISS to me than running multiple
                                            instances of "master".

                                            I'm starting to think that the reason this operation is not documented,
                                            is because it's not possible. It looks like the postscreen layer
                                            literally sits between the remote client and the smtp process, and the
                                            information where the connection took place (interface/address) is not
                                            available at the point where the smtpd is invoked.

                                            If that's the case, postscreen is not the way to go for me. I assumed
                                            postscreen was implemented a bit like proxy-filter, where you can run
                                            any number of filters on any number of addresses.
                                          • Erik Slagter
                                            Message 21 of 25 , Feb 21, 2013
                                              On 21-02-13 19:30, Noel Jones wrote:

                                              > You've shared too much. By now no one has any idea what you're doing.

                                              I'm just following the "REPORT A PROBLEM" procedure I was kindly pointed
                                              at...

                                              > When postscreen decides to pass the connection to smtpd, postscreen
                                              > is no longer involved, and smtpd has no knowledge of what transpired
                                              > between postscreen and a client.

                                              Yes at this point the smtpd/master has no knowledge of the
                                              interface/address, that's exactly the thing I fear.

                                              > At some point you reported:
                                              > [ .. ]
                                              >> -o postscreen_tls_security_level=may
                                              >> -o tlsproxy_tls_security_level=may
                                              >
                                              > Both of these belong in main.cf, or better, set main.cf:
                                              > "smtpd_tls_security_level = may" and leave these at their defaults.

                                              Tried both, doesn't matter. The thing is that whichever way you set the
                                              smtpd options (in main.cf), you cannot override them with postscreen. So
                                              if you set the default value suitable for addresses a and b, they must
                                              be overridden for addresses c and d, and vice versa. Yes, I have some
                                              internal addresses that need to have tls_security=none, and yes, that
                                              works like a charm without postscreen enabled.

                                              >> -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
                                              >
                                              > The cache map parameter belongs in main.cf. Probably a mistake to
                                              > create separate caches.

                                              Nope, the cache map cannot be shared between two smtpd processes (see
                                              documentation ;-)). It's not a problem though, because one db holds ipv4
                                              addresses and the other is ipv6 addresses.

                                              > For the TLS part, it will be much easier to turn TLS on in main.cf,
                                              > then turn it off on the interfaces where you don't want to offer it
                                              > with "-o smtpd_tls_security_level=none".

                                              All relevant options for tls are actually set in main.cf. It's only that
                                              it's not enabled there, it's enabled on a per-address base. Which works.

                                              > For the greeting banners, set them as macros in main.cf and then
                                              > refer to them by $name in master.cf

                                              That's a possibility, but it's not necessary and doesn't solve the problem.

                                              > Now tell postscreen which ports to listen on and to enable the banner:
                                              >
                                              > # master.cf
                                              >
                                              > mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
                                              > -o postscreen_greet_banner=$postscreen_greet_v4
                                              >
                                              > mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
                                              > -o postscreen_greet_banner=$postscreen_greet_v6
                                              >
                                              > Next we tell smtpd to get its connections from postscreen.
                                              > On your existing "smtp ... smtpd" entries where you want postscreen,
                                              > change the "smtp inet n" part to "smtp pass -"
                                              > This is described in detail in
                                              > http://www.postfix.org/POSTSCREEN_README.html#config
                                              >
                                              > so your existing entry:
                                              >> mx1.ipv4.slagter.name:smtp inet n - n - 2 smtpd
                                              >
                                              > would become:
                                              > mx1.ipv4.slagter.name:smtp pass - - n - 2 smtpd

                                              I get your drift, but IIRC I already tried this (multiple times, with
                                              slight variations) and also reported the outcome of that:
                                              "fatal: address already in use".

                                              Did I already mention I have followed all the steps from the README as
                                              closely as possible?
                                            • Viktor Dukhovni
                                              Message 22 of 25 , Feb 21, 2013
                                                On Thu, Feb 21, 2013 at 05:46:26PM +0100, Erik Slagter wrote:

                                                > Another variation I tried ("pass" and "postscreen" the other way
                                                > around). This works, but gives the original problem, the smtpd
                                                > options are not honoured (especially banner and starttls="may"),
                                                > even though I set both:

                                                Take a DEEP breath, relax and don't *try* implementing new
                                                configurations you don't yet understand. The shots in the dark will
                                                just get you more confused.

                                                It is time to try to *understand*.

                                                1. A running Postfix instance is a collection of separate background
                                                services (daemons) launched by an inetd-like service supervisor known
                                                as "master". These services run independently in separate processes
                                                and communicate with each other using unix-domain sockets.

                                                They are configured either via main.cf (best practice) or via
                                                master.cf "-o parameter=$value" overrides (when you must).

                                                The MOST important thing you need to understand about this is:

                                                Adding "-o FOO=BAR" to the master.cf entry for SERVICEA has
                                                NO EFFECT on the value of FOO in SERVICEB!

                                                Even when the MESSAGE is passed from SERVICEA to SERVICEB the
                                                parameter settings ARE NOT.

                                                Thus when you convert an existing "smtpd" entry to a "postscreen"
                                                entry, it is a grave mistake to leave the "smtpd" (-o options)
                                                that tune the functionality of smtpd attached to the "postscreen"
                                                service. It (postscreen) won't care and the destination "smtpd"
                                                to which the message is handed off will no longer know the parameters.

                                                2. To provide multiple smtpd personalities, you need to implement multiple
                                                "smtpd" services each with their own settings. (As you do when smtpd
                                                listens directly on an "inet" socket).

                                                3. To implement 2. with postscreen, each "inet" listening postscreen
                                                (with settings relevant for postscreen) must hand the message off
                                                to an "smtpd" appropriate for its listening IP address.

                                                4. Therefore, you need multiple "smtpd" "pass" services for "postscreen"
                                                to hand the connection to. The postscreen(8) manual page refers you to

                                                http://www.postfix.org/postconf.5.html#smtpd_service_name

                                                which must specify the service name of a "pass" entry in master.cf,
                                                you need one of these for each distinct postscreen instance.

                                                192.0.2.1:25 inet ... postscreen
                                                -o smtpd_service_name=25@192.0.2.1
                                                -o <postscreen-related-settings> ...
                                                25@192.0.2.1 pass ... smtpd
                                                -o <smtpd-related-settings> ...

                                                Lather, rinse, repeat:

                                                192.0.2.1:587 inet ... postscreen
                                                -o smtpd_service_name=587@192.0.2.1
                                                -o <postscreen-related-settings> ...
                                                587@192.0.2.1 pass ... smtpd
                                                -o <smtpd-related-settings> ...

                                                Lather, rinse, repeat:

                                                192.0.2.2:25 inet ... postscreen
                                                -o smtpd_service_name=25@192.0.2.2
                                                -o <postscreen-related-settings> ...
                                                25@192.0.2.2 pass ... smtpd
                                                -o <smtpd-related-settings> ...

                                                Lather, rinse, repeat:

                                                192.0.2.3:25 inet ... postscreen
                                                -o smtpd_service_name=25@192.0.2.3
                                                -o <postscreen-related-settings> ...
                                                25@192.0.2.3 pass ... smtpd
                                                -o <smtpd-related-settings> ...

                                                ... but do stop eventually ... :-)

                                                --
                                                Viktor.
                                              • Erik Slagter
                                                Message 23 of 25 , Feb 22, 2013
                                                  On 21-02-13 20:07, Viktor Dukhovni wrote:

                                                  > [ ... ] (lot of patronising text removed)

                                                  > 4. Therefore, you need multiple "smtpd" "pass" services for "postscreen"
                                                  > to hand the connection to. The postscreen(8) manual page refers you to
                                                  >
                                                  > http://www.postfix.org/postconf.5.html#smtpd_service_name
                                                  >
                                                  > which must specify the service name of a "pass" entry in master.cf,
                                                  > you need one of these for each distinct postscreen instance.

                                                  And THAT is exactly the clue I was looking for! It works!

                                                  The only thing that would have to be in the README file is the need to
                                                  use "smtpd service names" in case of multiple smtp listeners, point to
                                                  http://www.postfix.org/postconf.5.html#smtpd_service_name and then add a
                                                  bit of really helpful text to the current one:

                                                  "The internal service that postscreen(8) hands off allowed connections
                                                  to. In a future version there may be different classes of SMTP service."

                                                  If you google for this command, you'll get references to either this
                                                  text or this thread :-(

                                                  So for other people seeking to do the same, this does the trick, it's
                                                  also simple once you know, the "service" parameter of a "pass" service
                                                  is not an address:portno combo but an identifier:

                                                  #
                                                  # outside -> inside
                                                  # postfix(25) -> amavis(10025)
                                                  #

                                                  mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
                                                  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
                                                  -o postscreen_greet_banner=mx1.slagter.name-ESMTP-mx1-postscreen-1-ppp0-ipv4-25
                                                  -o smtpd_banner=mx1.slagter.name-ESMTP-mx1-postscreen-2-ppp0-ipv4-25
                                                  -o postscreen_tls_security_level=none
                                                  -o smtpd_service_name=mx1_ipv4

                                                  mx1_ipv4 pass - - n - - smtpd
                                                  -o myhostname=mx1.slagter.name
                                                  -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv4-25
                                                  -o smtpd_tls_security_level=may
                                                  -o smtpd_proxy_filter=nemesis.ipv4:10025

                                                  mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
                                                  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6
                                                  -o postscreen_greet_banner=mx1.slagter.name-ESMTP-mx1-postscreen-1-ppp0-ipv6-25
                                                  -o smtpd_banner=mx1.slagter.name-ESMTP-mx1-postscreen-2-ppp0-ipv6-25
                                                  -o postscreen_tls_security_level=none
                                                  -o smtpd_service_name=mx1_ipv6

                                                  mx1_ipv6 pass - - n - - smtpd
                                                  -o myhostname=mx1.slagter.name
                                                  -o smtpd_banner=mx1.slagter.name-ESMTP-$mail_name-mx1-ppp0-ipv6-25
                                                  -o smtpd_tls_security_level=may
                                                  -o smtpd_proxy_filter=nemesis.ipv4:10025 # amavis
                                                • Viktor Dukhovni
                                                  Message 24 of 25 , Feb 22, 2013
                                                    On Fri, Feb 22, 2013 at 11:04:34AM +0100, Erik Slagter wrote:

                                                    First, a quick comment, all of the sturm and drang in this thread
                                                    is the result of a peculiar reluctance of most users to heed the
                                                    advice in MULTI_INSTANCE_README and simplify their configurations
                                                    by handling each distinct message flow in a separate Postfix
                                                    instance, each of which can be configured with few if any master.cf
                                                    tweaks, and understood and maintained much more easily.

                                                    A combination of MULTI_INSTANCE_README and POSTSCREEN_README would
                                                    get you there much more quickly, and even allow simpler configuration
                                                    of cases where identical policies apply to multiple protocol:address
                                                    endpoints, since you can just set inet_interfaces in main.cf to list
                                                    one or more network addresses for a given instance.

                                                    I strongly recommend that you take the time to refactor your
                                                    configuration to separate each flow into its own queue. The initial
                                                    investment of time pays off quickly in easier to manage configurations
                                                    and operational support (e.g. separate queues make it easier to
                                                    see which flow is having problems).

                                                    > On 21-02-13 20:07, Viktor Dukhovni wrote:
                                                    >
                                                    > > [ ... ] (lot of patronising text removed)

                                                    Text that is required background knowledge to understand what
                                                    follows, misconstrued to be patronizing rather than emphatic. Chill
                                                    man, the blustery tone of this thread is mostly the result of your
                                                    reticence to (AFAIK you never did) post the actual master.cf
                                                    configuration that failed to meet your expectations. You should
                                                    probably also not have included the text below in the initial post:

                                                    The options (-o) that I specify on the various per-interface
                                                    smtpd instances are NOT honoured anymore. ...

                                                    Is this intentional? A know[n] bug? ...

                                                    I must say the "howto" isn't very clear on this matter, it assumes you
                                                    only have only one external interface.

                                                    This is rude to the developers who take great pains to make Postfix
                                                    unusually robust and well documented. The "patronising" text is
                                                    sufficient to logically deduce that (and why) you need multiple
                                                    smtpd "pass" services, at which point one looks for a parameter to
                                                    specify the pass service, and finds it (in this case clustered
                                                    sub-optimally with unrelated settings, we'll fix that) in the postscreen(8)
                                                    manpage.

                                                    If Wietse is still reading this, we should move "smtpd_service_name"
                                                    to its own section nearer the top of the postscreen(8) manpage.

                                                    Fortunately, the parameter name is just what you'd expect if you've
                                                    ever seen "cleanup_service_name" which plays the same role one
                                                    handoff downstream.

                                                    > >4. Therefore, you need multiple "smtpd" "pass" services for "postscreen"
                                                    > > to hand the connection to. The postscreen(8) manual page refers you to
                                                    > >
                                                    > > http://www.postfix.org/postconf.5.html#smtpd_service_name
                                                    > >
                                                    > > which must specify the service name of a "pass" entry in master.cf,
                                                    > > you need one of these for each distinct postscreen instance.
                                                    >
                                                    > And THAT is exactly the clue I was looking for! It works!

                                                    Naturally, since it is simply a logical consequence of understanding
                                                    the patronising text. :-) Perhaps some people even spotted the
                                                    transposition error in the last "Lather, rinse, repeat" example.
                                                    (It has been observed that students pay more attention to technical
                                                    books that contain minor errors that require them to pause and
                                                    think, and that they learn more from these than from polished
                                                    material that requires less attention).

                                                    [
                                                    Plus the fact that "unix" and "pass" service names are just file
                                                    names in /var/spool/postfix/private/ which I started to describe
                                                    in my first post, but decided to keep it more concise in the hope
                                                    that this will be apparent from context.

                                                    The master.cf services live in one of three namespaces:

                                                    - inet/public (inet can't be private).

                                                    - unix/public

                                                    - unix/private

                                                    Each of the "unix" cases subsumes "unix", "fifo" and "pass" since these
                                                    all are accessed via paths in /var/spool/postfix/{public,private}.

                                                    All delivery agents are "private" while "pickup", "qmgr", "flush"
                                                    and "showq" are "public" to support postdrop(1) and postqueue(1)
                                                    and their sendmail(1) interfaces. Almost everything else is private,
                                                    except for cleanup(8) which AFAIK is public only for historical
                                                    reasons.
                                                    ]

                                                    --
                                                    Viktor.
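A check for the requirement spelled out above (and that the master.cf at the top of this message implements): every postscreen listener must hand off to its own "pass" smtpd service via smtpd_service_name, otherwise the per-interface -o settings on the pass service never apply. This is an added example, not code from the thread or from Postfix itself; the master.cf text inside it is constructed to mirror the thread's configuration, and the default of smtpd_service_name is taken from postconf(5).

```python
# Constructed sample master.cf modelled on the thread's configuration, not the
# poster's file verbatim: two postscreen listeners, each with its own pass service.
SAMPLE_MASTER_CF = """\
# outside -> inside
mx1.ipv4.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv4
  -o smtpd_service_name=mx1_ipv4
mx1_ipv4 pass - - n - - smtpd
mx1.ipv6.slagter.name:smtp inet n - n - 1 postscreen
  -o postscreen_cache_map=btree:$data_directory/postscreen_cache-ipv6
  -o smtpd_service_name=mx1_ipv6
mx1_ipv6 pass - - n - - smtpd
"""

def parse_master_cf(text):
    """Join continuation lines (leading whitespace) and return (name, type, argv)."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or full-line comment
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    # fields: name type private unpriv chroot wakeup maxproc command args...
    return [(f[0], f[1], f[7:]) for f in (e.split() for e in logical)]

def option(argv, name):
    """Value of '-o name=value' in a service's argv, or None if unset."""
    for i, tok in enumerate(argv[:-1]):
        if tok == "-o" and argv[i + 1].startswith(name + "="):
            return argv[i + 1].split("=", 1)[1]
    return None

def check_postscreen_handoff(text):
    """Flag a postscreen listener whose smtpd_service_name (default 'smtpd') is
    not a 'pass' service, or that shares its pass service with another listener."""
    services = parse_master_cf(text)
    pass_services = {n for n, t, _ in services if t == "pass"}
    seen, problems = {}, []
    for name, stype, argv in services:
        if stype != "inet" or not argv or argv[0] != "postscreen":
            continue
        target = option(argv, "smtpd_service_name") or "smtpd"
        if target not in pass_services:
            problems.append(f"{name}: smtpd_service_name={target} is not a pass service")
        elif target in seen:
            problems.append(f"{name}: shares pass service {target} with {seen[target]}")
        seen.setdefault(target, name)
    return problems
```

Running check_postscreen_handoff over your own master.cf (read from /etc/postfix/master.cf) returns an empty list when each listener has a distinct pass service.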
                                                  • Wietse Venema
                                                    Message 25 of 25 , Feb 22, 2013
                                                      Viktor Dukhovni:
                                                      > All delivery agents are "private" while "pickup", "qmgr", "flush"
                                                      > and "showq" are "public" to support postdrop(1) and postqueue(1)
                                                      > and their sendmail(1) interfaces. Almost everything else is private,
                                                      > except for cleanup(8) which AFAIK is public only for historical
                                                      > reasons.

                                                      This was changed from "private" into "public", so that postdrop
                                                      could directly submit mail into cleanup, using the maildrop directory
                                                      only as a fall-back mechanism in case the cleanup transaction failed.
                                                      Recovering from all possible failure modes is complicated and I did
                                                      not get around to writing that code (and there are few people who I
                                                      would trust to write it).

                                                      Wietse