Re: "421 4.4.2" (fqdn hostname) "Error: timeout exceeded" with ssl

  • Juri Grabowski
    Message 1 of 6 , Apr 23, 2013
      On Mon, Apr 22, 2013 at 02:41:56PM -0400, Wietse Venema wrote:
      > Perhaps you did not notice that you should send "postconf -n" output.
      thanks for the hint, here is "postconf -n" output:

      address_verify_map = btree:$data_directory/verify_cache
      address_verify_negative_cache = yes
      address_verify_negative_expire_time = 2m
      address_verify_negative_refresh_time = 1m
      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      append_dot_mydomain = no
      biff = no
      config_directory = /etc/postfix
      inet_interfaces = all
      mailbox_size_limit = 0
      message_size_limit = 10240000
      mydestination = www.mail.domain, remote.mail.domain, localhost.mail.domain, localhost
      myhostname = remote.mail.domain
      mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 1.2.3.4/32 192.168.172.0/24 172.16.0.0/16
      myorigin = /etc/mailname
      readme_directory = no
      recipient_delimiter = +
      relay_domains = mail.domain
      relayhost =
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
      smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
      smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_sender_access hash:/etc/postfix/access, check_policy_service inet:127.0.0.1:12525, reject_unknown_recipient_domain, reject_unverified_recipient, reject_unauth_pipelining, permit
      smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
      smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtpd_use_tls = yes
      transport_maps = hash:/etc/postfix/transport
      unverified_recipient_reject_code = 577
      unverified_recipient_reject_reason = 'Mailbox unknown'
    • Wietse Venema
      Message 2 of 6 , Apr 23, 2013
        Juri Grabowski:
        > On Mon, Apr 22, 2013 at 02:41:56PM -0400, Wietse Venema wrote:
        > > Perhaps you did not notice that you should send "postconf -n" output.
        > thanks for the hint, here is "postconf -n" output:

        What does the server log when a client connects and times out?
        Show complete logfile records, not only the text at the end.

        Wietse
      • Viktor Dukhovni
        Message 3 of 6 , Apr 23, 2013
          On Tue, Apr 23, 2013 at 11:05:14AM +0200, Juri Grabowski wrote:
          > On Mon, Apr 22, 2013 at 02:41:56PM -0400, Wietse Venema wrote:

          > address_verify_negative_expire_time = 2m
          > address_verify_negative_refresh_time = 1m

          A 2 minute timeout seems rather aggressive to me. Try 15 minutes
          or more, in practice nobody is legitimately sending mail to an
          email address until after it has been communicated to the sender,
          so it should be valid on the first delivery attempt.

          If this is intended to support internal senders involved in requesting
          the new mailbox, separate the mail flow so that internal senders are not
          subject to address verification.

          > relay_domains = mail.domain

          You may also want "parent_domain_matches_subdomains = smtp_access_maps"
          or just empty.

          > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

          Why? I don't see any other TLS settings.

          > smtpd_client_restrictions =
          > check_client_access hash:/etc/postfix/access
          >
          > smtpd_recipient_restrictions =
          > permit_mynetworks,
          > reject_unauth_destination,
          > check_sender_access hash:/etc/postfix/access,

          I am not a big fan of overloading a single access file for both sender
          and recipient checks, you should probably use separate access files for
          each check.

          > reject_unknown_recipient_domain,

          This is mostly harmful *after* reject_unauth_destination, unless you're
          trying to allow relay to all subdomains, but only if they exist in DNS.

          > smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
          > smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

          You should probably generate a different key/cert pair.

          > smtpd_use_tls = yes

          The non-obsolete syntax is:

          smtpd_tls_security_level = may

          > unverified_recipient_reject_code = 577
          > unverified_recipient_reject_reason = 'Mailbox unknown'

          577 is not a valid SMTP response code, both of these should be left
          at their default values (remove these from main.cf).

          --
          Viktor.
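
The review points in the message above can be turned into a repeatable check over "postconf -n" output. This is an added example, not code from the thread or from Postfix; the finding names, the helper functions and the reject-code validity rule (4yz/5yz with y in 0-5) are assumptions of this sketch, and the sample input is constructed from lines posted earlier in the thread.

```python
import re

# Constructed sample: a subset of the "postconf -n" lines posted in this thread.
SAMPLE = """\
address_verify_negative_expire_time = 2m
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_sender_access hash:/etc/postfix/access, reject_unknown_recipient_domain, permit
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_use_tls = yes
unverified_recipient_reject_code = 577
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse(text):
    """Turn 'name = value' lines into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def seconds(value, default_unit="d"):
    """Postfix time value; a bare number here is taken as days."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value)
    if m is None:
        raise ValueError(f"not a time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or default_unit]

def audit(conf):
    """Return finding names (the names are this example's own, not Postfix's)."""
    found = []
    expire = conf.get("address_verify_negative_expire_time")
    if expire and seconds(expire) < 15 * 60:  # 15 minutes, as suggested above
        found.append("negative_expire_too_short")
    code = conf.get("unverified_recipient_reject_code")
    # Assumed rule: a reject code is 4yz or 5yz with y in 0-5 (RFC 5321 4.2.1).
    if code and not re.fullmatch(r"[45][0-5]\d", code):
        found.append("invalid_reject_code")
    if "smtpd_use_tls" in conf:  # superseded by smtpd_tls_security_level
        found.append("obsolete_smtpd_use_tls")
    if "snakeoil" in conf.get("smtpd_tls_cert_file", ""):
        found.append("snakeoil_certificate")
    # Restrictions may be separated by commas and/or whitespace.
    order = re.split(r"[,\s]+", conf.get("smtpd_recipient_restrictions", ""))
    first, later = "reject_unauth_destination", "reject_unknown_recipient_domain"
    if first in order and later in order and order.index(first) < order.index(later):
        found.append("unknown_recipient_domain_after_unauth_destination")
    return found

if __name__ == "__main__":
    print(audit(parse(SAMPLE)))
```
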
        • Juri Grabowski
          Message 4 of 6 , Apr 23, 2013
            The problem is solved, thanks for your hints. It was a bad connection to the server and too little RAM.
            The following lines should help other people with the same problem.

            /etc/postfix/main.cf
            +smtpd_timeout = ${stress?300}${stress:300}s
            +address_verify_poll_count = ${stress?5}${stress:5}
            +smtpd_hard_error_limit = ${stress?20}${stress:20}
            +smtpd_junk_command_limit = ${stress?100}${stress:100}
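
            Review bot: in all four added lines the ${stress?N} and ${stress:N} branches carry the same value (300/300, 5/5, 20/20, 100/100), so the stress conditional selects nothing and each line is equivalent to a plain setting such as smtpd_timeout = 300s. If the aim is to switch off the tighter overload-time values, write the plain values with a comment saying so; if overload protection is still wanted, give the ${stress?N} branch a lower value than the ${stress:N} branch.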

            /etc/postfix/master.cf
            +smtp inet n - - - 2 smtpd -o smtpd_proxy_filter=127.0.0.1:10024 -o smtpd_client_connection_count_limit=20 -o stress=
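
            Review bot: the process limit in this entry is 2 (the column before smtpd), so -o smtpd_client_connection_count_limit=20 can never take effect, because at most two smtpd processes, and therefore two client connections, exist at any time; either raise the process limit or drop the per-client limit. The trailing -o stress= also sets stress to empty for this service explicitly, which overlaps with the identical-branch ${stress?N}${stress:N} values in the main.cf lines; one of the two mechanisms is enough, and a comment should say which is intended.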


            TIA,

            Juri