
how to see my_networks check in peer_debug, level 2 or greater?

  • lconrad@...
    Message 1 of 5 , Aug 16, 2013
      postconf mail_version
      mail_version = 2.3.3


      uname -a
      Linux ..... 2.6.18-128.2.1.el5 #1 SMP Wed Jul 8 11:54:47 EDT 2009
      x86_64 x86_64 x86_64 GNU/Linux

      got an "access denied" for an IP that is in a /20 postconf confirms is
      in mynetworks

      the only match_hostname I see is for
      smtpd_client_event_limit_exceptions

      Thanks
      Len
    • /dev/rob0
      Message 2 of 5 , Aug 16, 2013
        On Fri, Aug 16, 2013 at 04:22:50PM -0500, lconrad@... wrote:
        > postconf mail_version
        > mail_version = 2.3.3
        >
        >
        > uname -a
        > Linux ..... 2.6.18-128.2.1.el5 #1 SMP Wed Jul 8 11:54:47 EDT 2009
        > x86_64 x86_64 x86_64 GNU/Linux
        >
        > got an "access denied" for an IP that is in a /20 postconf confirms
        > is in mynetworks

        If by peer_debug in the Subject header, you are referring to the
        debug_peer_list parameter, that's generally most useful for looking
        for bugs in Postfix itself. Since you are using a version which was
        EOL four years ago, there is no point in looking for bugs.

        Perhaps you'd do better here by describing the problem and goal,
        showing your "postconf -n" and relevant NON-verbose logs for one mail
        which wasn't handled as you expected.

        If your smtpd(8) instance has any -o option overrides, you must show
        those as well. Pro tip: any smtpd or other daemon definition with -o
        overrides should also include a " -o syslog_name=postfix/foo" where
        "foo" is something relevant to what this instance does.

        "Access denied" means a "reject" restriction or access(5) lookup
        result was encountered. There are of course 52.001 gazillion reasons
        which could cause this.

        Good luck. I suggest you review this before posting again:

        http://www.postfix.org/DEBUG_README.html#mail

        > the only match_hostname I see is for
        > smtpd_client_event_limit_exceptions
        --
        http://rob0.nodns4.us/ -- system administration and consulting
        Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
      • Len Conrad
        Message 3 of 5 , Aug 19, 2013
          >On Fri, Aug 16, 2013 at 04:22:50PM -0500, lconrad@... wrote:
          >> postconf mail_version
          >> mail_version = 2.3.3
          >>
          >>
          >> uname -a
          >> Linux ..... 2.6.18-128.2.1.el5 #1 SMP Wed Jul 8 11:54:47 EDT 2009
          >> x86_64 x86_64 x86_64 GNU/Linux
          >>
          >> got an "access denied" for an IP that is in a /20 postconf confirms
          >> is in mynetworks
          >
          >If by peer_debug in the Subject header, you are referring to the
          >debug_peer_list parameter, that's generally most useful for looking
          >for bugs in Postfix itself. Since you are using a version which was
          >EOL four years ago, there is no point in looking for bugs.
          >
          >Perhaps you'd do better here by describing the problem and goal,
          >showing your "postconf -n" and relevant NON-verbose logs for one mail
          >which wasn't handled as you expected.
          >
          >If your smtpd(8) instance has any -o option overrides, you must show
          >those as well. Pro tip: any smtpd or other daemon definition with -o
          >overrides should also include a " -o syslog_name=postfix/foo" where
          >"foo" is something relevant to what this instance does.
          >
          >"Access denied" means a "reject" restriction or access(5) lookup
          >result was encountered. There are of course 52.001 gazillion reasons
          >which could cause this.
          >
          >Good luck. I suggest you review this before posting again:


          >http://www.postfix.org/DEBUG_README.html#mail

          ok, ok, been doing this postfix stuff for 10+ years, it's simpler than full debug_readme:


          smtpd_recipient_restrictions =
          check_client_access hash:/etc/postfix/mta_clients_black.map,
          check_client_access hash:/etc/postfix/webmail_client.class,
          check_helo_access pcre:/etc/postfix/4tuple_main_unfiltered.pcre,
          reject_unauth_pipelining,
          reject_unknown_sender_domain,
          reject_unknown_recipient_domain,
          permit_mynetworks,
          ...
          permit_sasl_authenticated,
          reject

          the IPs with "Access denied" probably from the final "reject" after "permit_sasl_authenticated" are:

          NOT matching before mynetworks and

          are all in the mynetworks as members of 3 /20s,

          so they should have not been denied access.

          debug shows only match_hostname for "smtpd_client_event_limit_exceptions", but not for peer debugging.

          thanks,
          Len

          ================



          >> the only match_hostname I see is for
          >> smtpd_client_event_limit_exceptions
          >--
          > http://rob0.nodns4.us/ -- system administration and consulting
          > Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
        • Wietse Venema
          Message 4 of 5 , Aug 19, 2013
            Len Conrad:
            > smtpd_recipient_restrictions =
            > check_client_access hash:/etc/postfix/mta_clients_black.map,
            > check_client_access hash:/etc/postfix/webmail_client.class,
            > check_helo_access pcre:/etc/postfix/4tuple_main_unfiltered.pcre,
            > reject_unauth_pipelining,
            > reject_unknown_sender_domain,
            > reject_unknown_recipient_domain,
            > permit_mynetworks,
            > ...
            > permit_sasl_authenticated,
            > reject
            >
            > the IPs with "Access denied" probably from the final "reject"
            > after "permit_sasl_authenticated" are:
            >
            > NOT matching before mynetworks and
            >
            > are all in the mynetworks as members of 3 /20s,
            >
            > so they should have not been denied access.
            >
            > debug shows only match_hostname for "smtpd_client_event_limit_exceptions",
            > but not for peer debugging.

            The permit_mynetworks function logs its name, the client name, and
            the client IP address when the debugging level is non-zero.

            If you don't see permit_mynetworks logging, then the REJECT happens earlier.

            Wietse
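
The first-match evaluation behind the reply above, as an added example that is not part of the thread and not Postfix code: it walks the restriction list posted earlier and shows a client inside mynetworks being rejected by an earlier access(5) table hit, so permit_mynetworks is never reached. The table contents and mynetworks values are constructed assumptions (documentation address ranges), and only check_client_access, permit_mynetworks and reject are modeled.

```python
import ipaddress

# Restriction order from the thread (the elided "..." entries are omitted).
RESTRICTIONS = [
    "check_client_access hash:/etc/postfix/mta_clients_black.map",
    "check_client_access hash:/etc/postfix/webmail_client.class",
    "check_helo_access pcre:/etc/postfix/4tuple_main_unfiltered.pcre",
    "reject_unauth_pipelining",
    "reject_unknown_sender_domain",
    "reject_unknown_recipient_domain",
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject",
]
# Constructed sample data (assumptions, not the poster's real values).
MYNETWORKS = ["198.51.100.0/24", "192.0.2.0/24"]
TABLES = {
    "hash:/etc/postfix/mta_clients_black.map": {"198.51.100.7": "REJECT"},
    "hash:/etc/postfix/webmail_client.class": {"192.0.2": "OK"},
}

def access_lookup(table, ip):
    """access(5) address lookup in an indexed table: full IPv4 address,
    then the same string with trailing octets removed one at a time."""
    octets = ip.split(".")
    for n in range(4, 0, -1):
        action = table.get(".".join(octets[:n]))
        if action is not None:
            return action
    return "DUNNO"

def evaluate(ip, restrictions=RESTRICTIONS):
    """Return (decision, deciding restriction, restrictions reached)."""
    reached = []
    for item in restrictions:
        name, _, arg = item.partition(" ")
        reached.append(name)
        if name == "check_client_access":
            verdict = {"OK": "PERMIT", "REJECT": "REJECT"}.get(
                access_lookup(TABLES[arg], ip), "DUNNO")
        elif name == "permit_mynetworks":
            addr = ipaddress.ip_address(ip)
            hit = any(addr in ipaddress.ip_network(n) for n in MYNETWORKS)
            verdict = "PERMIT" if hit else "DUNNO"
        elif name == "reject":
            verdict = "REJECT"
        else:
            verdict = "DUNNO"  # not modeled here: treated as no decision
        if verdict != "DUNNO":
            return verdict, item, reached
    return "DUNNO", None, reached
```

Calling `evaluate("198.51.100.7")` returns a REJECT decided by the first table, with `permit_mynetworks` absent from the list of restrictions reached.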
          • Charles Marcus
            Message 5 of 5 , Aug 20, 2013
              On 2013-08-16 5:22 PM, lconrad@... <lconrad@...> wrote:
              > postconf mail_version
              > mail_version = 2.3.3

              Good gawd...

              The reason no one has responded most likely is because you are using such an ancient and most importantly unsupported version.

              You need to upgrade...

              --

              Best regards,

              Charles