mynetworks hash issue

  • Blake
    Message 1 of 9 , Oct 7, 2013
      Greetings Postfix users,

      I am building a Postfix system to act as our SMTP relay at the network edge.  The system will be used by servers and applications to send email both internally to our network and externally as needed.

      I have a Postfix system specifying the mynetworks parameter noted below, and checking the hash via "postmap -s hash:/etc/postfix/network_table" returns a list of IPs.

      However when I check the config after restarting or reloading postfix the parameter does not seem to be updated when reviewing postconf -d.

      Doing a quick command-line check to send email on the system itself with Postfix, mail is sent without issue; however, sending it from my desktop through that relay server with the noted command fails with "connection rejected", which is why I believe the mynetworks parameter is the issue.

      All help and suggestions are appreciated.
      Thanks
      Blake



      mynetworks parameter:
      mynetworks = hash:/etc/postfix/network_table

      # postmap -s hash:/etc/postfix/network_table
      11      10.147.9.0/24
      13      10.148.1.0/24
      15      10.148.120.0/24
      17      10.148.17.0/24
      19      10.148.24.0/24
      2       10.147.1.32
      20      10.148.32.0/24
      22      10.149.16.0/24

      # postconf -d | grep mynetworks
      mynetworks = 127.0.0.0/8 10.148.17.0/24
      mynetworks_style = subnet
      parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
      proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
      smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
      smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

      # postconf -n
      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      data_directory = /var/lib/postfix
      debug_peer_level = 2
      html_directory = no
      inet_interfaces = all
      inet_protocols = all
      mail_owner = postfix
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      masquerade_domains = withheld.com
      mydestination = $myhostname, localhost.$mydomain, localhost
      mydomain = withheld.com
      myhostname = relay01.withheld.com
      mynetworks = hash:/etc/postfix/network_table
      myorigin = $mydomain
      newaliases_path = /usr/bin/newaliases.postfix
      notify_classes = resource, software, bounce
      queue_directory = /var/spool/postfix
      readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
      relay_domains =
      relayhost = [smtp.withheld.com]
      sample_directory = /usr/share/doc/postfix-2.6.6/samples
      sendmail_path = /usr/sbin/sendmail.postfix
      setgid_group = postdrop
      unknown_local_recipient_reject_code = 550
    • Wietse Venema
      Message 2 of 9 , Oct 7, 2013
        Blake:
        > mynetworks = hash:/etc/postfix/network_table
        >
        > # postmap -s hash:/etc/postfix/network_table
        > 11 10.147.9.0/24

        That is backwards. The IP address is the lookup key.

        Wietse
      • Viktor Dukhovni
        Message 3 of 9 , Oct 7, 2013
          On Mon, Oct 07, 2013 at 09:12:41AM -0600, Blake wrote:

          > However when I check the config after restarting or reloading postfix the
          > parameter does not seem to be updated when reviewing postconf -d.

          Not surprising, "postconf -d" returns compiled-in defaults as
          documented. This allows you to quickly compare your actual settings
          (as returned by "postconf" or "postconf -n") with the compiled-in
          default values.

          A small number of compiled-in defaults are in fact compiled functions
          to compute the value, rather than a fixed value. The value is
          computed by examining the running system (its hostname, domainname
          and connected interfaces). Thus the default values for myhostname,
          mydomain and mynetworks are not fixed.

          > # postmap -s hash:/etc/postfix/network_table
          > 11 10.147.9.0/24
          > 13 10.148.1.0/24
          > 15 10.148.120.0/24
          > 17 10.148.17.0/24
          > 19 10.148.24.0/24
          > 2 10.147.1.32
          > 20 10.148.32.0/24
          > 22 10.149.16.0/24

          To use CIDR blocks in a table, you MUST use a CIDR table. Hash
          tables cannot be used for this:

          mynetworks.cidr:
          # RHS required, though value is otherwise ignored.
          10.147.9.0/24 trusted
          10.148.1.0/24 trusted
          10.148.120.0/24 trusted
          10.148.17.0/24 trusted
          10.148.24.0/24 trusted
          10.147.1.32 trusted
          10.148.32.0/24 trusted
          10.149.16.0/24 trusted

          > # postconf -d | grep mynetworks

          See above, this is futile.

          > mynetworks = hash:/etc/postfix/network_table

          Try:

          cidr = cidr:${config_directory}/
          mynetworks = ${cidr}mynetworks.cidr

          --
          Viktor.
        • Blake
          Message 4 of 9 , Oct 7, 2013
            Thank you to Victor & Wietse for your response.

            I thought the mynetworks parameter was the issue in terms of rejecting clients from access.

            I tried Victor's solution, adding the code he noted; however, Postfix would fail to reload or restart, generating the following errors.
            Oct  7 12:47:32 relay01 postfix[22897]: warning: macro name syntax error: "/etc/postfix/"
            Oct  7 12:47:32 relay01 postfix[22897]: fatal: dictionary mail_dict: macro processing error
            Oct  7 12:48:14 relay01 postfix/smtpd[22901]: warning: macro name syntax error: "/etc/postfix/"
            Oct  7 12:48:14 relay01 postfix/smtpd[22901]: fatal: dictionary mail_dict: macro processing error


            In testing Wietse's solution I updated my hash file and hashed it again using postmap.
            10.147.1.31 1
            10.147.1.32 2
            10.147.1.38 3
            10.147.11.0/24 4
            10.147.11.132 5

            While Postfix will start with this solution, it does not appear to have resolved my issue, which I thought was based around an issue with the mynetworks parameter.

            The error I receive when trying to relay mail through the server is as follows.
            An error occurred while sending mail. The mail server responded:  5.7.1 <unknown[10.147.X.X]>: Client host rejected: Access denied. Please check the message recipient blake@... and try again.

            The email address is valid in both sending and receiving.  My goal is to allow any host specified with the mynetworks parameter to send mail to the public internet.  Correct me if my understanding is wrong, but configuring this server as such should prevent it from being an open relay.  I have also implemented no inbound SMTP in our firewall for the NAT address.

            Thanks again for your help, it is appreciated.


          • Wietse Venema
            Message 5 of 9 , Oct 7, 2013
              Blake:
              > 10.147.11.0/24 4

              As Victor noted, the form 10.147.11.0/24 does not work with indexed
              files. This is also written in the access(5) manpage. If you must use
              this, use cidr: format instead.

              Wietse
            • Viktor Dukhovni
              Message 6 of 9 , Oct 7, 2013
                On Mon, Oct 07, 2013 at 01:06:59PM -0600, Blake wrote:

                > I tried Victor's soltuion adding the code he noted however postfix would
                > fail to reload or restart generating the following errors.
                > Oct 7 12:47:32 relay01 postfix[22897]: warning: macro name syntax error:
                > "/etc/postfix/"

                Your settings deviated from what I advised.

                > > To use CIDR blocks in a table, you MUST use a CIDR table. Hash
                > > tables cannot be used for this:
                > >
                > > mynetworks.cidr:
                > > # RHS required, though value is otherwise ignored.
                > > 10.147.9.0/24 trusted
                > > 10.148.1.0/24 trusted
                > > 10.148.120.0/24 trusted
                > > 10.148.17.0/24 trusted
                > > 10.148.24.0/24 trusted
                > > 10.147.1.32 trusted
                > > 10.148.32.0/24 trusted
                > > 10.149.16.0/24 trusted
                > >
                > > Try:
                > >
                > > cidr = cidr:${config_directory}/
                > > mynetworks = ${cidr}mynetworks.cidr

                Use the above verbatim. Do not use ${$config_directory},
                ${/etc/postfix/} or similar...

                To report a problem, send output of "postconf -n". Only if that
                command is failing due to severe configuration syntax issues, attach
                the raw main.cf file (don't cut/paste it, that can introduce substantial
                difference from the actual content).

                --
                Viktor.
              • Blake Farmer
                Message 7 of 9 , Oct 7, 2013
                  I tried that method verbatim without success: Postfix is able to start
                  without issue; however, it continues to reject the machines I am using to
                  test access, denying them access.

                  Your recommendation, I believe, assigns the path and file designation to
                  the variable cidr, which then continues to the next line calling that
                  variable; however, for some unknown reason it is not working as intended,
                  though I would agree with you that it should work.

                  If I understand cidr_table(5) correctly, the first match is
                  taken, so an accept as in the example below would allow the
                  client sending access?

                  Method 1
                  [root@relay01 postfix]# grep cidr main.cf
                  cidr = cidr:${config_directory}/
                  mynetworks = ${cidr}mynetworks.cidr
                  #mynetworks = cidr:/etc/postfix/mynetworks.cidr
                  [root@relay01 postfix]# postconf | grep mynetwork
                  mynetworks = 127.0.0.0/8 10.148.17.0/24 [::1]/128 [fe80::%eth0]/64
                  mynetworks_style = subnet
                  parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
                  proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
                  smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
                  smtpd_client_restrictions = permit_mynetworks, reject
                  smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

                  Method 2
                  [root@relay01 postfix]# grep cidr main.cf
                  #cidr = cidr:${config_directory}/
                  # mynetworks = ${cidr}mynetworks.cidr
                  mynetworks = cidr:/etc/postfix/mynetworks.cidr
                  [root@relay01 postfix]# postconf | grep mynetwork
                  mynetworks = cidr:/etc/postfix/mynetworks.cidr
                  mynetworks_style = subnet
                  parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
                  proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
                  smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
                  smtpd_client_restrictions = permit_mynetworks, reject
                  smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

                  [root@relay01 postfix]# more mynetworks.cidr
                  # IP and status (trusted:reject) required, though value is otherwise ignored.
                  10.147.1.31 trusted
                  10.147.1.32 trusted
                  10.147.1.38 trusted
                  10.147.11.0/24 trusted
                  10.147.11.11 reject

                  In looking at other options would it be possible to use mysql with a
                  table which consisted of the fields for IP, and status or would that not
                  be possible for the mynetworks property?

                  Thanks again for the help.
                • Viktor Dukhovni
                  Message 8 of 9 , Oct 7, 2013
                    On Mon, Oct 07, 2013 at 03:34:38PM -0600, Blake Farmer wrote:

                    > Method 1
                    > [root@relay01 postfix]# grep cidr main.cf
                    > cidr = cidr:${config_directory}/
                    > mynetworks = ${cidr}mynetworks.cidr
                    > #mynetworks = cidr:/etc/postfix/mynetworks.cidr

                    The above is broken.

                    http://www.postfix.org/postconf.5.html

                    Each and every Postfix configuration variable setting in main.cf
                    MUST begin a line with NO LEADING WHITESPACE.

                    Make sure that "mynetworks = ..." is the left-most column of the file.

                    --
                    Viktor.
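The continuation-line rule Viktor points to (a main.cf line that begins with whitespace continues the previous parameter's value) explains how a "mynetworks = ..." line can be present in the file yet leave mynetworks at its compiled-in default. The script below is an added illustration, not Postfix's own code and not from anyone in this thread: it reads constructed main.cf fragments the way postconf(5) describes, expands $name and ${name} references, and shows the indented mynetworks line being swallowed into the preceding cidr setting. It also reproduces the "macro name syntax error" from Blake's earlier log when a ${...} reference does not contain a parameter name. The DEFAULTS table is a stand-in for Postfix's compiled-in defaults (its mynetworks entry is the value Blake's "postconf -d" printed), and the ${name?value} / ${name:value} conditional forms are deliberately not implemented.

```python
"""Emulate how Postfix reads main.cf: continuation lines and $parameter expansion.
Added illustration only; not Postfix source. Simplifications: no ${name?value}
or ${name:value} conditionals, and comment lines are recognised only in column 1."""
import re
from typing import Dict, Optional

_PARAM_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$")
_MACRO_RE = re.compile(r"\$(?:\{([^}]*)\}|([A-Za-z_][A-Za-z0-9_]*))")
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Stand-ins for compiled-in defaults (real Postfix computes mynetworks at run
# time; this is the value printed by "postconf -d" earlier in the thread).
DEFAULTS: Dict[str, str] = {
    "config_directory": "/etc/postfix",
    "mynetworks": "127.0.0.0/8 10.148.17.0/24",
}


def parse_main_cf(text: str) -> Dict[str, str]:
    """Return {parameter: raw value} following postconf(5): a logical line
    starts with non-whitespace text, and a physical line that starts with
    whitespace continues the previous logical line (it does NOT start a new
    parameter, even if it looks like 'name = value')."""
    params: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError(f"continuation line with nothing to continue: {raw!r}")
            params[current] += " " + raw.strip()
            continue
        m = _PARAM_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable main.cf line: {raw!r}")
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def expand(params: Dict[str, str], value: str, depth: int = 0) -> str:
    """Replace $name and ${name} with the parameter's (recursively expanded)
    value. Undefined names expand to the empty string; a ${...} whose contents
    are not a parameter name is rejected like Postfix's 'macro name syntax error'."""
    if depth > 20:
        raise ValueError("macro expansion nested too deeply (self-reference?)")

    def replace(m: "re.Match[str]") -> str:
        name = m.group(1) if m.group(1) is not None else m.group(2)
        if not _NAME_RE.match(name):
            raise ValueError(f'macro name syntax error: "{name}"')
        return expand(params, params.get(name, DEFAULTS.get(name, "")), depth + 1)

    return _MACRO_RE.sub(replace, value)


def effective(params: Dict[str, str], name: str) -> str:
    """The value postconf(1) would print: the main.cf setting if present,
    otherwise the default, with macros expanded."""
    return expand(params, params.get(name, DEFAULTS.get(name, "")))


# Constructed main.cf fragments. In BROKEN the mynetworks line is indented,
# which is exactly the mistake Viktor describes.
BROKEN_MAIN_CF = """\
myhostname = relay01.withheld.com
cidr = cidr:${config_directory}/
  mynetworks = ${cidr}mynetworks.cidr
"""
FIXED_MAIN_CF = """\
myhostname = relay01.withheld.com
cidr = cidr:${config_directory}/
mynetworks = ${cidr}mynetworks.cidr
"""
# A ${...} reference that holds a path instead of a parameter name.
BAD_MACRO_MAIN_CF = "cidr = cidr:${/etc/postfix/}\n"

if __name__ == "__main__":
    for label, cf in (("broken", BROKEN_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        p = parse_main_cf(cf)
        print(f"{label}: raw cidr = {p.get('cidr')!r}")
        print(f"{label}: mynetworks = {effective(p, 'mynetworks')}")
    try:
        effective(parse_main_cf(BAD_MACRO_MAIN_CF), "cidr")
    except ValueError as err:
        print("bad macro:", err)
```

Running it prints the broken configuration's cidr value with the whole "mynetworks = ..." text appended, mynetworks still at the default, and the fixed configuration resolving to cidr:/etc/postfix/mynetworks.cidr; comparing "postconf -n" (what main.cf sets) against "postconf" (effective values) on the real system shows the same difference.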
                  • Viktor Dukhovni
                    Message 9 of 9 , Oct 7, 2013
                      One more thing to keep in mind. When used with mynetworks, as
                      I already explained, the RHS of the table entries is ignored.

                      Therefore, your attempt at a reject rule:

                      10.147.11.11 reject

                      is completely ineffective. If you want to use CIDR rules with
                      exceptions to define trusted clients, you need an access(5) table.
                      Therefore, you'd need to replace all instances of:

                      permit_mynetworks

                      with

                      check_client_access ${cidr}trusted-clients.cidr

                      and then the RHS values are as documented in access(5).

                      http://www.postfix.org/access.5.html

                      Keep in mind that CIDR table matching is order dependent, first
                      match wins regardless of specificity. Therefore, list more
                      specific patterns above less specific ones:

                      10.147.11.11 REJECT November 11 is an unwelcome enemy
                      10.147.11.0/24 OK All other days in November are good

                      or:

                      10.147.11.11 DUNNO November 11 is a stranger in a strange land
                      10.147.11.0/24 OK All other days in November are fine

                      --
                      Viktor.
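The lookup rules that run through this thread (a hash: table matches the client IP as an exact key, so a CIDR block on either side of a hash entry never matches; permit_mynetworks treats any match as trusted and ignores the right-hand side; check_client_access honours the right-hand side as an access(5) action; cidr: matching is first-match in file order, so specificity does not save a misordered table) can be checked offline with the Python emulation below. It is an added example, not Postfix code and not from anyone in the thread; the tables are constructed from the addresses Blake posted, and the lookup functions mirror the behaviour Viktor and Wietse describe rather than Postfix's implementation.

```python
"""Emulate Postfix table lookups for mynetworks and check_client_access.
Added illustration only (not Postfix source); all tables below are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple


def parse_cidr_table(text: str) -> List[Tuple[object, str]]:
    """Parse a cidr_table(5) body into ordered (network, rhs) rules.
    A bare address is a single host; comments and blank lines are skipped."""
    rules: List[Tuple[object, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        rhs = parts[1].strip() if len(parts) > 1 else ""
        rules.append((ipaddress.ip_network(parts[0], strict=False), rhs))
    return rules


def cidr_lookup(rules: List[Tuple[object, str]], client_ip: str) -> Optional[str]:
    """First matching rule wins, in file order, regardless of prefix length."""
    addr = ipaddress.ip_address(client_ip)
    for net, rhs in rules:
        if addr.version == net.version and addr in net:
            return rhs
    return None


def permit_mynetworks(rules: List[Tuple[object, str]], client_ip: str) -> bool:
    """mynetworks semantics: any match makes the client trusted; the RHS is
    ignored, so a 'reject' value in a mynetworks table has no effect."""
    return cidr_lookup(rules, client_ip) is not None


def check_client_access(rules: List[Tuple[object, str]], client_ip: str) -> str:
    """access(5) semantics: the first word of the RHS is the action; no match
    means this restriction expresses no opinion (DUNNO)."""
    rhs = cidr_lookup(rules, client_ip)
    words = rhs.split() if rhs else []
    return words[0].upper() if words else "DUNNO"


def hash_lookup(table: Dict[str, str], client_ip: str) -> Optional[str]:
    """hash: tables are exact-key lookups with the client IP as the key, so a
    CIDR block stored as a key (or as a value) can never match a client."""
    return table.get(client_ip)


# Blake's first table as posted: sequence number as key, network as value.
HASH_REVERSED = {"11": "10.147.9.0/24", "2": "10.147.1.32"}
# The same idea with the IP as the key (Wietse's correction); the /24 entry
# is still useless because nothing ever looks up the literal string.
HASH_KEYED = {"10.147.1.32": "2", "10.147.11.0/24": "4"}

MYNETWORKS_CIDR = """\
# mynetworks.cidr (constructed): RHS required, but permit_mynetworks ignores it
10.147.1.31     trusted
10.147.11.0/24  trusted
10.147.11.11    reject
"""

TRUSTED_CLIENTS_CIDR = """\
# trusted-clients.cidr (constructed) for check_client_access: most specific first
10.147.11.11    REJECT November 11 is an unwelcome enemy
10.147.11.0/24  OK All other days in November are good
"""

WRONG_ORDER_CIDR = """\
10.147.11.0/24  OK
10.147.11.11    REJECT never reached: the /24 above already matched
"""

if __name__ == "__main__":
    print("hash, reversed table, client 10.147.9.5 ->", hash_lookup(HASH_REVERSED, "10.147.9.5"))
    print("hash, keyed table, client 10.147.11.5   ->", hash_lookup(HASH_KEYED, "10.147.11.5"))
    mn = parse_cidr_table(MYNETWORKS_CIDR)
    print("permit_mynetworks 10.147.11.11 (rhs 'reject') ->", permit_mynetworks(mn, "10.147.11.11"))
    acl = parse_cidr_table(TRUSTED_CLIENTS_CIDR)
    for ip in ("10.147.11.11", "10.147.11.20", "10.149.16.1"):
        print(f"check_client_access {ip} ->", check_client_access(acl, ip))
    print("misordered table, 10.147.11.11 ->",
          check_client_access(parse_cidr_table(WRONG_ORDER_CIDR), "10.147.11.11"))
```

The misordered table is the case worth remembering when reviewing a relay's access rules: a host you intended to block is silently accepted because a broader prefix precedes it, and nothing in the log distinguishes that from an intended permit.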