FreeBSD 8: Postfix policyd-weight not working!!!

Noel Jones noeldude at gmail.com
Thu Apr 8 21:57:13 UTC 2010


On Thu, Apr 8, 2010 at 9:29 AM, perikillo <perikillo at gmail.com> wrote:
>  Hi people.
>
>  I'm working on my first spam gateway, using Postfix + policyd-weight.
>
>  I have 2 jails for this. jail-A is the mail server, where the mailboxes
> exist; they are in each user's home directory:
>
>  /home/user-1
>  /home/user-2
>  /home/user-3
> ...
>  /home/user-N
>
>  This jail-A has samba+ldap=PDC, nss_ldap+pam_ldap working +
> dovecot+postfix working too.
>
>  id test
> uid=10003(test) gid=513(Domain Users) groups=513(Domain Users)
> id root
> uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),512(Domain Admins)
>
>  I can add users without an issue using smbldap-tools.
>
>  I have tested dovecot+postfix and I can send emails with that jail.
>
> Now I want to set up my spam gateway, which is another jail called jail-B. I have
> set up nss_ldap+pam_ldap to contact my PDC (jail-A) and it is working:
>
> id user1
> uid=10002(user1) gid=513(Domain Users) groups=513(Domain Users)
> id test
> uid=10003(test) gid=513(Domain Users) groups=513(Domain Users)
>
> Now, the part that is not working is postfix + policyd-weight.
>
> When I test with another machine in the network using telnet, for some reason
> once postfix accepts the mail it wants to send the email to the outside, not
> internally. I have set up transport to send the email to jail-A but I don't see
> any task doing this, check:
>
> Apr  8 07:02:01 filtro postfix/qmgr[6723]: 97002BB47C2: from=<test at X.org>,
> size=409, nrcpt=1 (queue active)
> Apr  8 07:02:04 filtro postfix/smtpd[6727]: connect from filtro.X.org
> [192.168.49.7]
> Apr  8 07:02:31 filtro postfix/smtp[6725]: connect to X.org[X.Y.Z.W]:25:
> Operation timed out
> Apr  8 07:02:31 filtro postfix/smtp[6725]: 97002BB47C2: to=<user2 at X.org>,
> relay=none, delay=869, delays=839/0.03/30/0, dsn=4.4.1, status=deferred
> (connect to X.org[X.Y.Z.W]:25: Operation timed out)

You say that X.org should be delivered locally.  Postfix doesn't think
X.org is a local domain.

> Apr  8 07:10:00 filtro postfix/sendmail[6763]: fatal: root(0): No recipient
> addresses found in message header

This appears that you've used "sendmail -t" to inject some mail, and
there was no To: header.
Don't rely on headers for mail routing.


>
> X.Y.Z.W --> Public address.
>
> My postfix settings are this:
>
> alias_maps = hash:/etc/aliases
> command_directory = /usr/local/sbin
> config_directory = /usr/local/etc/postfix
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> home_mailbox = Maildir/
> html_directory = /usr/local/share/doc/postfix
> inet_interfaces = all
> local_destination_concurrency_limit = 2
> mail_owner = postfix
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> mydomain = X.org
> myhostname = filtro.X.org

You might want to add
mydestination = $mydomain $myhostname localhost


> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/local/share/doc/postfix
> relay_domains = $transport_maps

Bad idea.  If you add a transport for eg. hotmail, you become an
instant open relay.  Don't reuse transport_maps this way.

If mail is delivered locally on this box, relay_domains should be
explicitly set empty.
relay_domains =


> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_mynetworks,
> reject_unauth_destination,      reject_non_fqdn_recipient,
> reject_invalid_helo_hostname,   check_policy_service
> inet:[192.168.49.7]:12525
> soft_bounce = no
> transport_maps = hash:/usr/local/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
>
> Now, my transport file is:
>
> nis.X.org    smtp:[192.168.49.6]  ----->jail-A
>
> Is created:  transport.db
>
> Another thing, in the log I don't see when it is touching "policyd-weight:
> 12525", or is this just for the outside connections?

Mail that's permitted by "permit_mynetworks" or submitted via the
sendmail(1) interface won't trigger the policy server in your config.


  -- Noel Jones
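
The relay_domains warning in the reply above, as an added example that is not part of the original thread: a simplified Python model of the reject_unauth_destination decision, covering only exact-domain matches on mydestination and relay_domains. The mydestination value used for the posted config is Postfix's default (the post does not set it); the hotmail.com transport entry and its 192.0.2.25 next hop are constructed for the illustration.

```python
import re

def expand(value, params):
    """Expand $name / ${name} references as main.cf does (recursively)."""
    def sub(m):
        return expand(params.get(m.group(1) or m.group(2), ""), params)
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))", sub, value)

def domain_list(name, params, tables):
    """Resolve a list parameter to a set of domains; a type:table entry
    contributes the lookup keys of that table."""
    out = set()
    for item in re.split(r"[,\s]+", expand(params.get(name, ""), params)):
        if ":" in item:
            out |= set(tables.get(item, {}))
        elif item:
            out.add(item.lower())
    return out

def accepts_from_outside(rcpt, params, tables):
    """True if reject_unauth_destination would pass rcpt for a client that
    is not in mynetworks (simplified: exact-domain matches only)."""
    domain = rcpt.rsplit("@", 1)[1].lower()
    return domain in (domain_list("mydestination", params, tables)
                      | domain_list("relay_domains", params, tables))

TRANSPORT = "hash:/usr/local/etc/postfix/transport"
# Settings as posted; mydestination is unset there, so the default applies.
POSTED = {"mydomain": "X.org", "myhostname": "filtro.X.org",
          "mydestination": "$myhostname, localhost.$mydomain, localhost",
          "relay_domains": "$transport_maps", "transport_maps": TRANSPORT}
# Settings with the two changes suggested in the reply.
FIXED = dict(POSTED, mydestination="$mydomain $myhostname localhost",
             relay_domains="")
# Transport table as posted, plus a constructed entry for an outside domain.
TABLE_POSTED = {TRANSPORT: {"nis.x.org": "smtp:[192.168.49.6]"}}
TABLE_EXTRA = {TRANSPORT: {"nis.x.org": "smtp:[192.168.49.6]",
                           "hotmail.com": "smtp:[192.0.2.25]"}}

if __name__ == "__main__":
    for label, params in (("posted", POSTED), ("fixed", FIXED)):
        for rcpt in ("user2@X.org", "someone@hotmail.com"):
            print(label, rcpt, accepts_from_outside(rcpt, params, TABLE_EXTRA))
```

With the posted settings every key in the transport table becomes a relay domain, while X.org itself is neither local nor relayed; with the suggested settings X.org is local and a transport entry no longer authorizes relaying.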

