FreeBSD 8: Postfix policyd-weight not working!!!

perikillo perikillo at gmail.com
Sun Apr 11 02:33:34 UTC 2010


On Thu, Apr 8, 2010 at 3:29 PM, perikillo <perikillo at gmail.com> wrote:

>
>
> On Thu, Apr 8, 2010 at 2:57 PM, Noel Jones <noeldude at gmail.com> wrote:
>
>> On Thu, Apr 8, 2010 at 9:29 AM, perikillo <perikillo at gmail.com> wrote:
>> >  Hi people.
>> >
>> >  I'm working on my first spam gateway, using Postfix + policyd-weight.
>> >
>> >  I have 2 jails for this, the jail-A is the mail server, where the mailboxes
>> > exist, they are on each user home directory:
>> >
>> >  /home/user-1
>> >  /home/user-2
>> >  /home/user-3
>> > ...
>> >  /home/user-N
>> >
>> >  This jail-A has samba+ldap=PDC, nss_ldap+pam_ldap working +
>> > dovecot+postfix working too.
>> >
>> >  id test
>> > uid=10003(test) gid=513(Domain Users) groups=513(Domain Users)
>> > id root
>> > uid=0(root) gid=0(wheel) groups=0(wheel),5(operator),512(Domain Admins)
>> >
>> >  I can add users without an issue using smbldap-tools.
>> >
>> >  I have tested dovecot+postfix and I can send emails with that jail.
>> >
>> > Now I want to set up my spam gateway, which is another jail called jail-B. I have
>> > set up nss_ldap+pam_ldap to contact my PDC (jail-A) and it is working:
>> >
>> > id user1
>> > uid=10002(user1) gid=513(Domain Users) groups=513(Domain Users)
>> > id test
>> > uid=10003(test) gid=513(Domain Users) groups=513(Domain Users)
>> >
>> > Now, the part that is not working is postfix + policyd-weight.
>> >
>> > When I test with another machine in the network using telnet, for some reason
>> > once postfix accepts the mail it wants to send the email to the outside, not
>> > internally. I have set up transport to send the email to jail-A but I don't see
>> > any task doing this, check:
>> >
>> > Apr  8 07:02:01 filtro postfix/qmgr[6723]: 97002BB47C2: from=<test at X.org>, size=409, nrcpt=1 (queue active)
>> > Apr  8 07:02:04 filtro postfix/smtpd[6727]: connect from filtro.X.org [192.168.49.7]
>> > Apr  8 07:02:31 filtro postfix/smtp[6725]: connect to X.org[X.Y.Z.W]:25: Operation timed out
>> > Apr  8 07:02:31 filtro postfix/smtp[6725]: 97002BB47C2: to=<user2 at X.org>, relay=none, delay=869, delays=839/0.03/30/0, dsn=4.4.1, status=deferred (connect to X.org[X.Y.Z.W]:25: Operation timed out)
>>
>> You say that X.org should be delivered locally.  Postfix doesn't think
>> X.org is a local domain.
>>
>> > Apr  8 07:10:00 filtro postfix/sendmail[6763]: fatal: root(0): No recipient addresses found in message header
>>
>> It appears that you've used "sendmail -t" to inject some mail, and
>> there was no To: header.
>> Don't rely on headers for mail routing.
>>
>>
>> >
>> > X.Y.Z.W --> Public address.
>> >
>> > My postfix settings are this:
>> >
>> > alias_maps = hash:/etc/aliases
>> > command_directory = /usr/local/sbin
>> > config_directory = /usr/local/etc/postfix
>> > daemon_directory = /usr/local/libexec/postfix
>> > data_directory = /var/db/postfix
>> > debug_peer_level = 2
>> > home_mailbox = Maildir/
>> > html_directory = /usr/local/share/doc/postfix
>> > inet_interfaces = all
>> > local_destination_concurrency_limit = 2
>> > mail_owner = postfix
>> > mailq_path = /usr/local/bin/mailq
>> > manpage_directory = /usr/local/man
>> > mydomain = X.org
>> > myhostname = filtro.X.org
>>
>> You might want to add
>> mydestination = $mydomain $myhostname localhost
>>
>>
>> > myorigin = $mydomain
>> > newaliases_path = /usr/local/bin/newaliases
>> > queue_directory = /var/spool/postfix
>> > readme_directory = /usr/local/share/doc/postfix
>> > relay_domains = $transport_maps
>>
>> Bad idea.  If you add a transport for eg. hotmail, you become an
>> instant open relay.  Don't reuse transport_maps this way.
>>
>> If mail is delivered locally on this box, relay_domains should be
>> explicitly set empty.
>> relay_domains =
>>
>>
>> > sample_directory = /usr/local/etc/postfix
>> > sendmail_path = /usr/local/sbin/sendmail
>> > setgid_group = maildrop
>> > smtpd_delay_reject = yes
>> > smtpd_helo_required = yes
>> > smtpd_recipient_restrictions = permit_mynetworks,
>> > reject_unauth_destination,      reject_non_fqdn_recipient,
>> > reject_invalid_helo_hostname,   check_policy_service
>> > inet:[192.168.49.7]:12525
>> > soft_bounce = no
>> > transport_maps = hash:/usr/local/etc/postfix/transport
>> > unknown_local_recipient_reject_code = 550
>> >
>> > Now, my transport file is:
>> >
>> > nis.X.org    smtp:[192.168.49.6]  ----->jail-A
>> >
>> > Is created:  transport.db
>> >
>> > Another thing, in the log I don't see when it is touching "policyd-weight:
>> > 12525", or is this just for the outside connections?
>>
>> Mail that's permitted by "permit_mynetworks" or submitted via the
>> sendmail(1) interface won't trigger the policy server in your config.
>>
>>
> Thanks Noel for your quick answer, I would just like to inform you that this is
> a spam server, not an email server; once this server accepts the email, it needs
> to send it to the real mail server, which is another machine in the network (another
> jail).
>
>  This is why I'm using the transport stuff, if a more secure way exists
> please let me know, spam server + email server exist in the same
> network (jails).
>
>  The test was made with telnet; about the sendmail, I don't know when I
> set up something about sendmail, I have just been working with postfix.
>
>  Thanks again!!!
>
>
>>  -- Noel Jones
>>
>
>
Fixed it:

alias_maps = hash:/etc/aliases
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = amavisfeed:[127.0.0.3]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
local_destination_concurrency_limit = 2
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydomain = X.org
myhostname = filtro.X.org
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains = $transport_maps
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination, reject_non_fqdn_recipient,
    reject_invalid_helo_hostname,
    check_policy_service inet:[127.0.0.3]:12525
soft_bounce = no
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550

smtp      inet  n       -       n       -       -       smtpd

amavisfeed unix    -       -       n       -       2     smtp
     -o smtp_data_done_timeout=1200
     -o smtp_send_xforward_command=yes
     -o disable_dns_lookups=yes
#     -o max_use=20
127.0.0.3:10025 inet    n    -       n       -       -     smtpd
     -o content_filter=
     -o receive_override_options=no_unknown_recipient_checks
     -o local_recipient_maps=
     -o relay_recipient_maps=
     -o smtpd_restriction_classes=
     -o smtpd_delay_reject=no
     -o smtpd_client_restrictions=
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o mynetworks=127.0.0.0/8
     -o smtpd_error_sleep_time=0
     -o smtpd_soft_error_limit=1001
     -o smtpd_hard_error_limit=1000
     -o smtpd_client_connection_count_limit=0
     -o smtpd_client_connection_rate_limit=0
     -o strict_rfc821_envelopes=yes

One of my issues was that this jail had 192.168.49.7 and amavisd didn't like
it; as soon as I changed the settings above and changed my jail to 127.0.0.3
everything started working.

Thanks!!!
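
An added example, not written by anyone in this thread: a small Python audit for the "relay_domains = $transport_maps" setting that Noel Jones warns about above, listing the transport-table domains that become relay destinations beyond the ones you intended. The sample main.cf and transport contents are constructed (the hotmail.com line and 192.0.2.25 are illustrative), the function names and the `intended` list are assumptions, and the check is simplified to domain-style keys without subdomain matching.

```python
import re

# Constructed sample input modelled on the settings quoted in this thread.
MAIN_CF = """\
mydomain = X.org
relay_domains = $transport_maps
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
transport_maps = hash:/usr/local/etc/postfix/transport
"""
# The second entry is the kind of later addition the reply warns about.
TRANSPORT = """\
nis.X.org      smtp:[192.168.49.6]
hotmail.com    smtp:[192.0.2.25]
"""

def parse_main_cf(text):
    """Return {name: value}; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            name = name.strip()
            params[name] = value.strip()
    return params

def transport_domains(text):
    """Domain-style keys of a transport table (skips comments, user@domain and '*')."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if "@" not in fields[0] and fields[0] != "*":
            keys.append(fields[0].lower())
    return keys

def unintended_relay_domains(main_cf, transport, intended):
    """Domains relayed only because relay_domains reuses transport_maps."""
    relay = parse_main_cf(main_cf).get("relay_domains", "")
    if not re.search(r"\$\{?transport_maps\}?", relay):
        return []  # relay_domains is set explicitly; transport entries do not widen it
    allowed = {d.lower() for d in intended}
    return [d for d in transport_domains(transport) if d not in allowed]
```

Run against the real files, any domain this returns is one that reject_unauth_destination will accept mail for from outside clients.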


More information about the freebsd-questions mailing list