postfix / postscreen Problem

Alexander Dalloz ad+lists at uni-x.org
Sun Nov 19 14:53:57 CET 2017


On 19.11.2017 at 13:34, Günther J. Niederwimmer wrote:
> Hello list,
> 
> I apparently can't get any further here; I have an error in my
> configuration that apparently cannot be found?
> I am using postfix 3.2.3
> with Centos 7.4
> 
> Somehow this is not logical to me?
> 
> According to the log, the mail has already been rejected (at least as far as I can tell), but it
> still gets through

Where do you see that the mail was rejected by postscreen?

> This is an excerpt from the log; there is nothing more in it, despite the pointer to the
> log?
> 
> The domain is my main domain; the user does not exist??
> 
> Nov 19 12:59:27 mx01 postfix/postscreen[27782]: CONNECT from [198.2.186.15]:26200 to [89.26.108.7]:25
> Nov 19 12:59:27 mx01 postfix/dnsblog[27786]: addr 198.2.186.15 listed by domain list.dnswl.org as 127.0.15.0
> Nov 19 12:59:27 mx01 postfix/dnsblog[27784]: addr 198.2.186.15 listed by domain hostkarma.junkemailfilter.com as 127.0.0.3
> Nov 19 12:59:27 mx01 postfix/dnsblog[27784]: addr 198.2.186.15 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
> Nov 19 12:59:29 mx01 postfix/dnsblog[27794]: addr 198.2.186.15 listed by domain wl.mailspike.net as 127.0.0.18

4 list hits according to your postscreen configuration in main.cf:

list.dnswl.org as 127.0.15.0 => -1
hostkarma.junkemailfilter.com as 127.0.0.3 => +1
hostkarma.junkemailfilter.com as 127.0.1.1 => +1
wl.mailspike.net as 127.0.0.18 => -1

In total, 0 points. So why should postscreen block further
processing?

> Nov 19 12:59:32 mx01 postfix/postscreen[27782]: PASS OLD [198.2.186.15]:26200

And here you see that the client had already been cached as PASS.

> Nov 19 12:59:32 mx01 postfix/smtpd[27801]: connect from mail186-15.suw21.mandrillapp.com[198.2.186.15]
> Nov 19 12:59:32 mx01 postfix/smtpd[27801]: Anonymous TLS connection established from mail186-15.suw21.mandrillapp.com[198.2.186.15]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Nov 19 12:59:33 mx01 postfix/smtpd[27801]: NOQUEUE: reject: RCPT from mail186-15.suw21.mandrillapp.com[198.2.186.15]: 450 4.1.1 <ggjn at 4gjn.com>: Recipient address rejected: unverified address: host 127.0.0.1[127.0.0.1] said: 451 4.3.0 <ggjn at 4gjn.com> Internal error occurred. Refer to server log for more information. (in reply to RCPT TO command); from=<bounce-md_30850198.5a102b70.v1-1d0c1d0322214796898a5b483cceef02 at mandrillapp.com> to=<ggjn at 4gjn.com> proto=ESMTP helo=<mail186-15.suw21.mandrillapp.com>
> Nov 19 12:59:33 mx01 postfix/smtpd[27801]: disconnect from mail186-15.suw21.mandrillapp.com[198.2.186.15] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
> Nov 19 13:02:53 mx01 postfix/anvil[27803]: statistics: max connection rate 1/60s for (smtpd:198.2.186.15) at Nov 19 12:59:32
> Nov 19 13:02:53 mx01 postfix/anvil[27803]: statistics: max connection count 1 for (smtpd:198.2.186.15) at Nov 19 12:59:32
> Nov 19 13:02:53 mx01 postfix/anvil[27803]: statistics: max cache size 1 at Nov 19 12:59:32
> Nov 19 13:14:33 mx01 postfix/postscreen[28606]: CONNECT from [198.2.186.15]:38242 to [89.26.108.7]:25
> Nov 19 13:14:33 mx01 postfix/dnsblog[28608]: addr 198.2.186.15 listed by domain hostkarma.junkemailfilter.com as 127.0.0.3
> Nov 19 13:14:33 mx01 postfix/dnsblog[28608]: addr 198.2.186.15 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
> Nov 19 13:14:33 mx01 postfix/dnsblog[28609]: addr 198.2.186.15 listed by domain list.dnswl.org as 127.0.15.0
> Nov 19 13:14:34 mx01 postfix/dnsblog[28617]: addr 198.2.186.15 listed by domain wl.mailspike.net as 127.0.0.18
> Nov 19 13:14:38 mx01 postfix/postscreen[28606]: PASS OLD [198.2.186.15]:38242
> Nov 19 13:14:38 mx01 postfix/smtpd[28624]: connect from mail186-15.suw21.mandrillapp.com[198.2.186.15]
> Nov 19 13:14:39 mx01 postfix/smtpd[28624]: Anonymous TLS connection established from mail186-15.suw21.mandrillapp.com[198.2.186.15]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Nov 19 13:14:39 mx01 postfix/smtpd[28624]: NOQUEUE: reject: RCPT from mail186-15.suw21.mandrillapp.com[198.2.186.15]: 450 4.1.1 <ggjn at 4gjn.com>: Recipient address rejected: unverified address: host 127.0.0.1[127.0.0.1] said: 451 4.3.0 <ggjn at 4gjn.com> Internal error occurred. Refer to server log for more information. (in reply to RCPT TO command); from=<bounce-md_30850198.5a102b70.v1-1d0c1d0322214796898a5b483cceef02 at mandrillapp.com> to=<ggjn at 4gjn.com> proto=ESMTP helo=<mail186-15.suw21.mandrillapp.com>
> Nov 19 13:14:39 mx01 postfix/smtpd[28624]: disconnect from mail186-15.suw21.mandrillapp.com[198.2.186.15] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
> Nov 19 13:17:59 mx01 postfix/anvil[28626]: statistics: max connection rate 1/60s for (smtpd:198.2.186.15) at Nov 19 13:14:38
> Nov 19 13:17:59 mx01 postfix/anvil[28626]: statistics: max connection count 1 for (smtpd:198.2.186.15) at Nov 19 13:14:38
> 
> postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> bounce_template_file = /etc/postfix/bounce.de-DE.cf
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> compatibility_level = 2
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
> default_database_type = btree
> html_directory = no
> inet_interfaces = all
> lmtp_dns_support_level = dnssec
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 20480000
> meta_directory = /etc/postfix
> milter_default_action = accept
> milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
> milter_protocol = 6
> milter_rcpt_macros = i {rcpt_addr}
> mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
> myhostname = mx01.4gjn.com
> mynetworks = 89.26.108.0/28, 127.0.0.0/8, 192.168.100.0/24, [2001:470:1f0b:371::]/64
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
> postscreen_bare_newline_action = drop
> postscreen_bare_newline_enable = yes
> postscreen_blacklist_action = drop
> postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
> postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net*3 b.barracudacentral.org*2 bad.psky.me*2 psbl.surriel.com bl.blocklist.de bl.spamcop.net spam.spamrats.com bl.spameatingmonkey.net dnsbl.cobion.com ix.dnsbl.manitu.net hostkarma.junkemailfilter.com dnsbl.inps.de list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2 list.dnswl.org=127.0.[0..255].[2..3]*-3 iadb.isipp.com=127.0.[0..255].[0..255]*-2 iadb.isipp.com=127.3.100.[6..200]*-2 wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2
> postscreen_dnsbl_threshold = 3
> postscreen_dnsbl_ttl = 1h
> postscreen_dnsbl_whitelist_threshold = -1
> postscreen_greet_action = enforce
> postscreen_non_smtp_command_enable = yes
> postscreen_pipelining_enable = yes
> postscreen_whitelist_interfaces = static:all
> proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix3-3.2.3/README_FILES
> recipient_delimiter = +
> relay_domains = btree:/etc/postfix/relay_domains
> sample_directory = /usr/share/doc/postfix3-3.2.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> shlib_directory = /usr/lib/postfix
> smtp_dns_support_level = dnssec
> smtp_sasl_security_options = noplaintext, noanonymous
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> smtp_tls_loglevel = 1
> smtp_tls_mandatory_ciphers = high
> smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtp_tls_note_starttls_offer = yes
> smtp_tls_protocols = !SSLv2,!SSLv3

> smtp_tls_security_level = dane
> smtp_use_tls = yes

Why this entry (smtp_use_tls) in combination with the entry
before it? Read the manpage again.

> smtpd_helo_required = yes
> smtpd_milters = inet:localhost:11332
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unverified_recipient, reject_invalid_hostname
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = no
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous, noplaintext
> smtpd_sasl_tls_security_options = noanonymous,
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = check_sender_access btree:/etc/postfix/check_sender_access
> smtpd_tls_CAfile = /etc/pki/tls/cert.pem
> smtpd_tls_CApath = /etc/pki/tls
> smtpd_tls_ask_ccert = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/letsencrypt/live/mx01.4gjn.com/fullchain.pem
> smtpd_tls_dh1024_param_file = /etc/pki/postfix/private/dh_2048.pem
> smtpd_tls_dh512_param_file = /etc/pki/postfix/private/dh_1024.pem
> smtpd_tls_eecdh_grade = ultra
> smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA, CAMELLIA128-SHA. CAMELLIA256-SHA
> smtpd_tls_key_file = /etc/pki/tls/private/4gjn.com.key
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA, CAMELLIA128-SHA. CAMELLIA256-SHA
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtpd_tls_protocols = !SSLv2,!SSLv3
> smtpd_tls_received_header = yes

> smtpd_tls_security_level = may
> smtpd_use_tls = yes

Same here. Remove smtpd_use_tls.

> tls_preempt_cipherlist = yes
> tls_random_bytes = 128
> transport_maps = btree:/etc/postfix/transport, $relay_domains
> unknown_local_recipient_reject_code = 550
> unverified_recipient_reject_code = 577
> virtual_alias_maps = btree:/etc/postfix/virtual_alias
> 
> grateful for any help,
> 

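As an added example that is not part of the original thread: the weighted DNSBL scoring that Alexander works through above, run over the dnsblog lines and the postscreen_dnsbl_sites, postscreen_dnsbl_threshold and postscreen_dnsbl_whitelist_threshold values copied from the post. The log lines are reproduced from the post as constructed sample input. Two things are my assumptions rather than facts from the page: the reading of the filter syntax (an octet is a number, a `[d1..d2]` range, or a `;`-separated list of those), and the `once_per_site` flag, because the post does not settle whether postscreen adds a site's weight for every matching A record it returns or only once per site entry. The reply's own arithmetic counts both hostkarma addresses, which is the `once_per_site=False` case.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample input: the dnsblog lines of the first connection in the post.
DNSBLOG_LINES = """\
Nov 19 12:59:27 mx01 postfix/dnsblog[27786]: addr 198.2.186.15 listed by domain list.dnswl.org as 127.0.15.0
Nov 19 12:59:27 mx01 postfix/dnsblog[27784]: addr 198.2.186.15 listed by domain hostkarma.junkemailfilter.com as 127.0.0.3
Nov 19 12:59:27 mx01 postfix/dnsblog[27784]: addr 198.2.186.15 listed by domain hostkarma.junkemailfilter.com as 127.0.1.1
Nov 19 12:59:29 mx01 postfix/dnsblog[27794]: addr 198.2.186.15 listed by domain wl.mailspike.net as 127.0.0.18
"""

# postscreen_dnsbl_sites exactly as shown in the posted postconf -n output.
DNSBL_SITES = (
    "zen.spamhaus.org*3 bl.mailspike.net*3 b.barracudacentral.org*2 bad.psky.me*2 "
    "psbl.surriel.com bl.blocklist.de bl.spamcop.net spam.spamrats.com "
    "bl.spameatingmonkey.net dnsbl.cobion.com ix.dnsbl.manitu.net "
    "hostkarma.junkemailfilter.com dnsbl.inps.de "
    "list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2 "
    "list.dnswl.org=127.0.[0..255].[2..3]*-3 iadb.isipp.com=127.0.[0..255].[0..255]*-2 "
    "iadb.isipp.com=127.3.100.[6..200]*-2 wl.mailspike.net=127.0.0.[17;18]*-1 "
    "wl.mailspike.net=127.0.0.[19;20]*-2"
)
DNSBL_THRESHOLD = 3             # postscreen_dnsbl_threshold from the post
DNSBL_WHITELIST_THRESHOLD = -1  # postscreen_dnsbl_whitelist_threshold from the post

_LOG_RX = re.compile(
    r"postfix/dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\d+\.\d+\.\d+\.\d+)"
)


@dataclass(frozen=True)
class Site:
    domain: str
    filt: Optional[Tuple[frozenset, ...]]  # None: any A record from this domain matches
    weight: int


def _octet(tok: str) -> frozenset:
    """One filter octet: 'd', '[d1..d2]' or '[d1;d2;d3..d4]' (assumed reading of the syntax)."""
    vals = set()
    for part in tok.strip("[]").split(";"):
        if ".." in part:
            lo, hi = (int(x) for x in part.split("..", 1))
            vals.update(range(lo, hi + 1))
        else:
            vals.add(int(part))
    if not vals or min(vals) < 0 or max(vals) > 255:
        raise ValueError(f"octet pattern out of range: {tok!r}")
    return frozenset(vals)


def parse_sites(value: str) -> List[Site]:
    """Parse a postscreen_dnsbl_sites value: domain[=d.d.d.d][*weight], weight defaults to 1."""
    sites = []
    for entry in value.split():
        weight = 1
        if "*" in entry:
            entry, w = entry.rsplit("*", 1)
            weight = int(w)
        domain, filt = entry, None
        if "=" in entry:
            domain, pat = entry.split("=", 1)
            octets = re.findall(r"\[[^\]]*\]|[^.\[\]]+", pat)  # split on '.' outside brackets
            if len(octets) != 4:
                raise ValueError(f"filter is not four octets: {pat!r}")
            filt = tuple(_octet(o) for o in octets)
        sites.append(Site(domain, filt, weight))
    return sites


def _matches(site: Site, addr: str) -> bool:
    if site.filt is None:
        return True
    return all(int(o) in allowed for o, allowed in zip(addr.split("."), site.filt))


def score(log_lines: Iterable[str], sites: List[Site],
          once_per_site: bool = False) -> Tuple[int, List[Tuple[str, str, int]]]:
    """Sum the weights of all site entries whose filter matches a logged reply address."""
    replies: Dict[str, List[str]] = {}
    for line in log_lines:
        m = _LOG_RX.search(line)
        if m:
            replies.setdefault(m.group(2), []).append(m.group(3))
    total, hits = 0, []
    for site in sites:
        for addr in replies.get(site.domain, []):
            if _matches(site, addr):
                total += site.weight
                hits.append((site.domain, addr, site.weight))
                if once_per_site:  # assumption: count each site entry at most once
                    break
    return total, hits


def decide(total: int, threshold: int = DNSBL_THRESHOLD,
           whitelist_threshold: int = DNSBL_WHITELIST_THRESHOLD) -> str:
    """blacklist at >= threshold; whitelist at <= a negative whitelist threshold; else continue."""
    if total >= threshold:
        return "blacklist"
    if whitelist_threshold < 0 and total <= whitelist_threshold:
        return "whitelist"
    return "continue"


if __name__ == "__main__":
    sites = parse_sites(DNSBL_SITES)
    for once in (False, True):
        total, hits = score(DNSBLOG_LINES.splitlines(), sites, once_per_site=once)
        print(f"once_per_site={once}: total={total} -> {decide(total)}")
        for hit in hits:
            print("   ", hit)
```

With the reply's counting (`once_per_site=False`) the four hits sum to 0, which neither reaches the blacklist threshold of 3 nor the whitelist threshold of -1, so postscreen has no reason to block; counted once per site the same client scores -1 and would be whitelisted. Either way the decision never appears in the posted log because the client was served from the cache (PASS OLD). The example also makes visible a property of unfiltered entries such as `hostkarma.junkemailfilter.com`: every A record the list returns adds the entry's weight, whatever that list intends the return code to mean, which is why the whitelist-style entries in the same setting carry an explicit filter.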



More information about the Postfixbuch-users mailing list