certain mail not being delivered.

[rbtux]

http://www.policyd-weight.org

[Shayne]

ahhh I get it.. I noticed a restriction which said multi-recipient bounce.. Will test and let you know!

Thanks guys for all the help!

[nesto]

Hello - I do have quite the same problem.

My system details and current status:

- I am running ispCP RC7 on Debian Etch.
- I have additionally installed the SSL services and also Maia following the howtos.
- The debugging of email howto gives me the impression of everything working properly so far.
- Most of my users enjoy having spam-free mailboxes now ... but some complain about not receiving certain emails at all.

Reading the logs I found smtp-rejects on "helo/hostname mismatch" which I could reproduce with telnet from a remote linux box - and following google all this seems to be a very common and mostly wanted behaviour as it is caused by malformed HELO or something.

Anyway I changed my /etc/postfix/main.cf as follows:

Code:

smtpd_helo_restrictions      = permit_mynetworks,
                               permit_sasl_authenticated
#                               reject_invalid_helo_hostname
#                               reject_non_fqdn_helo_hostname

Eventhough now I cannot reproduce the reject by telnet anymore it obviously didn't take the intended effect as policyd-weight still causes rejects (/var/log/mail.log):

Type I - exchange server sending email:

Code:

Apr 20 12:14:02 ix012 postfix/smtpd[17670]: connect from 135.sub194.dcf.nl[83.136.194.135]
Apr 20 12:14:15 ix012 postfix/policyd-weight[23844]: weighted check:  DYN_NJABL=ERR NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=ERR CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .prinsdokkum. - helo: .nt1.ntzone. - helo-domain: .ntzone.)  FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=83.136.194.135> <helo=nt1.ntzone.local> <from=w.schuster@#DOMAIN-B#> <to=markus.bachmann@#DOMAIN-A#>, rate: 1.5
Apr 20 12:14:15 ix012 postfix/policyd-weight[23844]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: nt1.ntzone.local, MTA hostname: 135.sub194.dcf.nl[83.136.194.135] (helo/hostname mismatch)
Apr 20 12:14:15 ix012 postfix/smtpd[17670]: NOQUEUE: reject: RCPT from 135.sub194.dcf.nl[83.136.194.135]: 550 5.7.1 <markus.bachmann@#DOMAIN-A#>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: nt1.ntzone.local, MTA hostname: 135.sub194.dcf.nl[83.136.194.135] (helo/hostname mismatch); from=<w.schuster@#DOMAIN-B#> to=<markus.bachmann@#DOMAIN-A#> proto=ESMTP helo=<NT1.ntzone.local>
Apr 20 12:14:15 ix012 postfix/smtpd[17670]: disconnect from 135.sub194.dcf.nl[83.136.194.135]

Type II - external script sending email (from dynamic IP):

Code:

Apr 20 14:23:00 ix012 postfix/smtpd[5166]: connect from p579CE60B.dip.t-dialin.net[87.156.230.11]
Apr 20 14:23:00 ix012 postfix/smtpd[5166]: warning: p579CE60B.dip.t-dialin.net[87.156.230.11]: SASL ntlm authentication failed: authentication failure
Apr 20 14:23:00 ix012 postfix/smtpd[5166]: warning: p579CE60B.dip.t-dialin.net[87.156.230.11]: SASL login authentication failed: authentication failure
Apr 20 14:23:13 ix012 postfix/policyd-weight[3295]: weighted check:  DYN_NJABL=ERR NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=ERR CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 HELO_NUMERIC=1.5 (check from: .com-part. - helo: .andyx8. - helo-domain: .andyx8.)  FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=87.156.230.11> <helo=andyx8> <from=registrierung@#DOMAIN-B#> <to=am@#DOMAIN-A#>, rate: 3
Apr 20 14:23:13 ix012 postfix/policyd-weight[3295]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: andyx8, MTA hostname: p579ce60b.dip.t-dialin.net[87.156.230.11] (helo/hostname mismatch)
Apr 20 14:23:13 ix012 postfix/smtpd[5166]: NOQUEUE: reject: RCPT from p579CE60B.dip.t-dialin.net[87.156.230.11]: 550 5.7.1 <am@#DOMAIN-A#>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: andyx8, MTA hostname: p579ce60b.dip.t-dialin.net[87.156.230.11] (helo/hostname mismatch); from=<registrierung@#DOMAIN-B#> to=<am@#DOMAIN-A#> proto=ESMTP helo=<AndyX8>
Apr 20 14:23:13 ix012 postfix/smtpd[5166]: lost connection after RCPT from p579CE60B.dip.t-dialin.net[87.156.230.11]
Apr 20 14:23:13 ix012 postfix/smtpd[5166]: disconnect from p579CE60B.dip.t-dialin.net[87.156.230.11]

Note: In this log snipplets I replaced the domain names by #DOMAIN-A# and #DOMAIN-B# and changed real names.

My questions (from most to least important):
- Do I have to fully deactivate policyd-weight or can I make further modifications to only prevent from rejecting these mismatches? I wouldn't mind if emails were marked as spam if at least not rejected
- What is the difference of reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname?
- Why do I have authentication failures (e.g. with scripts using .NET trying to send email - see Type II, two warnings)?

Any help would be very much appreciated!

[rbtux]

(04-21-2009 01:32 AM)nesto Wrote:  Hello - I do have quite the same problem.

Great... :-)

(04-21-2009 01:32 AM)nesto Wrote:  - Do I have to fully deactivate policyd-weight or can I make further modifications to only prevent from rejecting these mismatches? I wouldn't mind if emails were marked as spam if at least not rejected

No you don't as I mentioned above...
Alter or generate a config policyd-weight.conf (in /etc or /usr/local/etc or distro specific depends on how you have installed policyd-weight) that contains:

Code:

$dnsbl_checks_only = 1;

and restart policyd-weight

(04-21-2009 01:32 AM)nesto Wrote:  - What is the difference of reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname?

from man 5 postconf

Code:

reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
    Reject the request when the HELO or EHLO hostname syntax is invalid.
    The invalid_hostname_reject_code specifies the response code for rejected requests (default: 501).
reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
    Reject the request when the HELO or EHLO hostname is not in fully-qualified domain form, as required by the RFC.
    The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).

means some none ascii chars in helo is rejected by reject_invalid_helo_hostname,
helos like "MSEXCH01" (yes this is very common;-)) are rejected by reject_non_fqdn_hostname

(04-21-2009 01:32 AM)nesto Wrote:  - Why do I have authentication failures (e.g. with scripts using .NET trying to send email - see Type II, two warnings)?

you might need to enable some other mechanisms -> output of postconf -n might help...

[nesto]

Thank you - rbtux - that was really quick

I was looking for a policyd-weight.conf but couldn't find a real one:

Code:

ix012:~# updatedb
ix012:~# locate policyd-weight.conf
/usr/share/man/man5/policyd-weight.conf.5.gz
/var/lib/dpkg/info/policyd-weight.conffiles

Can I just start a new file and enter that line? Any ideas how to find the correct path? As I mentioned it's Debian Etch and an all-over standard installation with the common ispcp installation following the documentation.

I assumed in ispcp all that moved to some mystic database or something ...

Here's my postconf-output:

Code:

ix012:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_at_myorigin = yes
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
inet_interfaces = all
local_destination_recipient_limit = 1
local_recipient_maps = unix:passwd.byname $alias_database
local_transport = local
mail_spool_directory = /var/mail
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 0
mydestination = $myhostname, $mydomain
mydomain = ix012.#MY-DOMAIN#
myhostname = ix012.#MY-DOMAIN#
mynetworks_style = subnet
myorigin = $myhostname
recipient_delimiter = +
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP ispCP 1.0.0 RC7 OMEGA Managed
smtpd_data_restrictions = reject_multi_recipient_bounce,                               reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,                               permit_sasl_authenticated
smtpd_recipient_restrictions = reject_non_fqdn_recipient,                               reject_unknown_recipient_domain,                               permit_mynetworks,                               permit_sasl_authenticated,                               reject_unauth_destination,                               reject_unlisted_recipient,                               check_policy_service inet:127.0.0.1:12525,                               check_policy_service inet:127.0.0.1:60000,                               permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_non_fqdn_sender,                               reject_unknown_sender_domain,                               permit_mynetworks,                               permit_sasl_authenticated
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/ispcp/transport
virtual_alias_maps = hash:/etc/postfix/ispcp/aliases
virtual_gid_maps = static:8
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_domains = hash:/etc/postfix/ispcp/domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = hash:/etc/postfix/ispcp/mailboxes
virtual_minimum_uid = 1001
virtual_transport = virtual
virtual_uid_maps = static:1001

Thanks again.

[rbtux]

(04-21-2009 02:54 AM)nesto Wrote:  Can I just start a new file and enter that line? Any ideas how to find the correct path? As I mentioned it's Debian Etch and an all-over standard installation with the common ispcp installation following the documentation.

Don't search the path, set the path ;-)
in /etc/init.d/policyd-weight add

Code:

DAEMON_OPTS="-f /etc/policyd-weight.conf"

after the line DAEMON...

then

Code:

echo "$dnsbl_checks_only = 1;" > /etc/policyd-weight.conf
/etc/init.d/policyd-weight restart

For the authentication part: How does your script authenticate with the server, which methods does it use?

[nesto]

Makes perfect sense - just one correction:

Code:

echo '$dnsbl_checks_only = 1;' > /etc/policyd-weight.conf

See the difference?

I'll keep watching the logs but for now it seems solved.

How should someone be happy without this config change? Anyone following the standard installation should experience this effect sooner or later and might want to get rid of it.

Now I'll gain information for the second question.

Once more: THANK YOU so far!

PS: The auth warnings do not avoid the sending itself!

[rbtux]

(04-21-2009 04:21 AM)nesto Wrote:  Makes perfect sense - just one correction:

Code:

echo '$dnsbl_checks_only = 1;' > /etc/policyd-weight.conf

See the difference?

jep, sry was quick during work typing ;-)

(04-21-2009 04:21 AM)nesto Wrote:  How should someone be happy without this config change? Anyone following the standard installation should experience this effect sooner or later and might want to get rid of it.

don't ask me, I would never use this default configuration. But hey it's the server of the responsible admin and he should care about what he puts online... (yeah I know, I'm kind of idealistic ;-)

(04-21-2009 04:21 AM)nesto Wrote:  Now I'll gain information for the second question.

PS: The auth warnings do not avoid the sending itself!

Ah Ok, you might wan't to remove ntlm from the possible sasl auth mechanisms. I personally use dovecot-sasl (not cyrus-sasl) on all server, so I do not know out of my mind where to change that...

[nesto]

(04-21-2009 05:36 AM)rbtux Wrote:  Ah Ok, you might wan't to remove ntlm from the possible sasl auth mechanisms. I personally use dovecot-sasl (not cyrus-sasl) on all server, so I do not know out of my mind where to change that ...

Okay, I'll maybe fix that some day ...

Edit: ntlm auth now discussed here: Windows Mobile und NTLM auth Fehler (German).

From my point of view this thread could be closed as my server works much better now and I do not expect any further troubles in this area.

But I wasn't the one opening it

Good job - rbtux!!