certain mail not being delivered.

certain mail not being delivered. - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Support Area (/forum-30.html)
+--- Forum: Usage (/forum-34.html)
+--- Thread: certain mail not being delivered. (/thread-6465.html)

Pages: 1 2

RE: certain mail not being delivered. - rbtux - 04-20-2009 10:55 PM

http://www.policyd-weight.org

RE: certain mail not being delivered. - Shayne - 04-20-2009 11:01 PM

ahhh I get it.. I noticed a restriction which said multi-recipient bounce.. Will test and let you know!

Thanks guys for all the help!

RE: certain mail not being delivered. - nesto - 04-21-2009 01:32 AM

Hello - I do have quite the same problem.

My system details and current status:

- I am running ispCP RC7 on Debian Etch.
- I have additionally installed the SSL services and also Maia following the howtos.
- The debugging of email howto gives me the impression of everything working properly so far.
- Most of my users enjoy having spam-free mailboxes now ... but some complain about not receiving certain emails at all.

Reading the logs I found smtp-rejects on "helo/hostname mismatch" which I could reproduce with telnet from a remote linux box - and following google all this seems to be a very common and mostly wanted behaviour as it is caused by malformed HELO or something.

Anyway I changed my /etc/postfix/main.cf as follows:

Code:

smtpd_helo_restrictions      = permit_mynetworks,

                               permit_sasl_authenticated

#                               reject_invalid_helo_hostname

#                               reject_non_fqdn_helo_hostname

Eventhough now I cannot reproduce the reject by telnet anymore it obviously didn't take the intended effect as policyd-weight still causes rejects (/var/log/mail.log):

Type I - exchange server sending email:

Code:

Apr 20 12:14:02 ix012 postfix/smtpd[17670]: connect from 135.sub194.dcf.nl[83.136.194.135]

Apr 20 12:14:15 ix012 postfix/policyd-weight[23844]: weighted check:  DYN_NJABL=ERR NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=ERR CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .prinsdokkum. - helo: .nt1.ntzone. - helo-domain: .ntzone.)  FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=83.136.194.135> <helo=nt1.ntzone.local> <from=w.schuster@#DOMAIN-B#> <to=markus.bachmann@#DOMAIN-A#>, rate: 1.5

Apr 20 12:14:15 ix012 postfix/policyd-weight[23844]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: nt1.ntzone.local, MTA hostname: 135.sub194.dcf.nl[83.136.194.135] (helo/hostname mismatch)

Apr 20 12:14:15 ix012 postfix/smtpd[17670]: NOQUEUE: reject: RCPT from 135.sub194.dcf.nl[83.136.194.135]: 550 5.7.1 <markus.bachmann@#DOMAIN-A#>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: nt1.ntzone.local, MTA hostname: 135.sub194.dcf.nl[83.136.194.135] (helo/hostname mismatch); from=<w.schuster@#DOMAIN-B#> to=<markus.bachmann@#DOMAIN-A#> proto=ESMTP helo=<NT1.ntzone.local>

Apr 20 12:14:15 ix012 postfix/smtpd[17670]: disconnect from 135.sub194.dcf.nl[83.136.194.135]

Type II - external script sending email (from dynamic IP):

Code:

Apr 20 14:23:00 ix012 postfix/smtpd[5166]: connect from p579CE60B.dip.t-dialin.net[87.156.230.11]

Apr 20 14:23:00 ix012 postfix/smtpd[5166]: warning: p579CE60B.dip.t-dialin.net[87.156.230.11]: SASL ntlm authentication failed: authentication failure

Apr 20 14:23:00 ix012 postfix/smtpd[5166]: warning: p579CE60B.dip.t-dialin.net[87.156.230.11]: SASL login authentication failed: authentication failure

Apr 20 14:23:13 ix012 postfix/policyd-weight[3295]: weighted check:  DYN_NJABL=ERR NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=ERR CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 HELO_NUMERIC=1.5 (check from: .com-part. - helo: .andyx8. - helo-domain: .andyx8.)  FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=87.156.230.11> <helo=andyx8> <from=registrierung@#DOMAIN-B#> <to=am@#DOMAIN-A#>, rate: 3

Apr 20 14:23:13 ix012 postfix/policyd-weight[3295]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: andyx8, MTA hostname: p579ce60b.dip.t-dialin.net[87.156.230.11] (helo/hostname mismatch)

Apr 20 14:23:13 ix012 postfix/smtpd[5166]: NOQUEUE: reject: RCPT from p579CE60B.dip.t-dialin.net[87.156.230.11]: 550 5.7.1 <am@#DOMAIN-A#>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: andyx8, MTA hostname: p579ce60b.dip.t-dialin.net[87.156.230.11] (helo/hostname mismatch); from=<registrierung@#DOMAIN-B#> to=<am@#DOMAIN-A#> proto=ESMTP helo=<AndyX8>

Apr 20 14:23:13 ix012 postfix/smtpd[5166]: lost connection after RCPT from p579CE60B.dip.t-dialin.net[87.156.230.11]

Apr 20 14:23:13 ix012 postfix/smtpd[5166]: disconnect from p579CE60B.dip.t-dialin.net[87.156.230.11]

Note: In this log snipplets I replaced the domain names by #DOMAIN-A# and #DOMAIN-B# and changed real names.

My questions (from most to least important):
- Do I have to fully deactivate policyd-weight or can I make further modifications to only prevent from rejecting these mismatches? I wouldn't mind if emails were marked as spam if at least not rejected Wink

- What is the difference of reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname?
- Why do I have authentication failures (e.g. with scripts using .NET trying to send email - see Type II, two warnings)?

Any help would be very much appreciated!

RE: certain mail not being delivered. - rbtux - 04-21-2009 02:37 AM

(04-21-2009 01:32 AM)nesto Wrote: Hello - I do have quite the same problem.

Great... :-)

(04-21-2009 01:32 AM)nesto Wrote: - Do I have to fully deactivate policyd-weight or can I make further modifications to only prevent from rejecting these mismatches? I wouldn't mind if emails were marked as spam if at least not rejected

No you don't as I mentioned above...
Alter or generate a config policyd-weight.conf (in /etc or /usr/local/etc or distro specific depends on how you have installed policyd-weight) that contains:

Code:

$dnsbl_checks_only = 1;

and restart policyd-weight

(04-21-2009 01:32 AM)nesto Wrote: - What is the difference of reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname?

from man 5 postconf

Code:

reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)

    Reject the request when the HELO or EHLO hostname syntax is invalid.

    The invalid_hostname_reject_code specifies the response code for rejected requests (default: 501).

reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)

    Reject the request when the HELO or EHLO hostname is not in fully-qualified domain form, as required by the RFC.

    The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).

means some none ascii chars in helo is rejected by reject_invalid_helo_hostname,
helos like "MSEXCH01" (yes this is very common;-)) are rejected by reject_non_fqdn_hostname

(04-21-2009 01:32 AM)nesto Wrote: - Why do I have authentication failures (e.g. with scripts using .NET trying to send email - see Type II, two warnings)?

you might need to enable some other mechanisms -> output of postconf -n might help...

RE: certain mail not being delivered. - nesto - 04-21-2009 02:54 AM

Thank you - rbtux - that was really quick Smile

I was looking for a policyd-weight.conf but couldn't find a real one:

Code:

ix012:~# updatedb

ix012:~# locate policyd-weight.conf

/usr/share/man/man5/policyd-weight.conf.5.gz

/var/lib/dpkg/info/policyd-weight.conffiles

Can I just start a new file and enter that line? Any ideas how to find the correct path? As I mentioned it's Debian Etch and an all-over standard installation with the common ispcp installation following the documentation.

I assumed in ispcp all that moved to some mystic database or something ...

Here's my postconf-output:

Code:

ix012:~# postconf -n

alias_database = hash:/etc/aliases

alias_maps = hash:/etc/aliases

append_at_myorigin = yes

append_dot_mydomain = no

biff = no

broken_sasl_auth_clients = yes

command_directory = /usr/sbin

config_directory = /etc/postfix

content_filter = amavis:[127.0.0.1]:10024

daemon_directory = /usr/lib/postfix

inet_interfaces = all

local_destination_recipient_limit = 1

local_recipient_maps = unix:passwd.byname $alias_database

local_transport = local

mail_spool_directory = /var/mail

mailbox_command = procmail -a "$EXTENSION"

mailbox_size_limit = 0

message_size_limit = 0

mydestination = $myhostname, $mydomain

mydomain = ix012.#MY-DOMAIN#

myhostname = ix012.#MY-DOMAIN#

mynetworks_style = subnet

myorigin = $myhostname

recipient_delimiter = +

setgid_group = postdrop

smtpd_banner = $myhostname ESMTP ispCP 1.0.0 RC7 OMEGA Managed

smtpd_data_restrictions = reject_multi_recipient_bounce,                               reject_unauth_pipelining

smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks,                               permit_sasl_authenticated

smtpd_recipient_restrictions = reject_non_fqdn_recipient,                               reject_unknown_recipient_domain,                               permit_mynetworks,                               permit_sasl_authenticated,                               reject_unauth_destination,                               reject_unlisted_recipient,                               check_policy_service inet:127.0.0.1:12525,                               check_policy_service inet:127.0.0.1:60000,                               permit

smtpd_sasl_auth_enable = yes

smtpd_sasl_authenticated_header = yes

smtpd_sasl_local_domain =

smtpd_sasl_security_options = noanonymous

smtpd_sender_restrictions = reject_non_fqdn_sender,                               reject_unknown_sender_domain,                               permit_mynetworks,                               permit_sasl_authenticated

smtpd_tls_auth_only = no

smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem

smtpd_tls_key_file = /etc/postfix/postfix.key.pem

smtpd_tls_loglevel = 2

smtpd_tls_received_header = yes

smtpd_use_tls = yes

transport_maps = hash:/etc/postfix/ispcp/transport

virtual_alias_maps = hash:/etc/postfix/ispcp/aliases

virtual_gid_maps = static:8

virtual_mailbox_base = /var/mail/virtual

virtual_mailbox_domains = hash:/etc/postfix/ispcp/domains

virtual_mailbox_limit = 0

virtual_mailbox_maps = hash:/etc/postfix/ispcp/mailboxes

virtual_minimum_uid = 1001

virtual_transport = virtual

virtual_uid_maps = static:1001

Thanks again.

RE: certain mail not being delivered. - rbtux - 04-21-2009 03:05 AM

(04-21-2009 02:54 AM)nesto Wrote: Can I just start a new file and enter that line? Any ideas how to find the correct path? As I mentioned it's Debian Etch and an all-over standard installation with the common ispcp installation following the documentation.

Don't search the path, set the path ;-)
in /etc/init.d/policyd-weight add

Code:

DAEMON_OPTS="-f /etc/policyd-weight.conf"

after the line DAEMON...

then

Code:

echo "$dnsbl_checks_only = 1;" > /etc/policyd-weight.conf

/etc/init.d/policyd-weight restart

For the authentication part: How does your script authenticate with the server, which methods does it use?

RE: certain mail not being delivered. - nesto - 04-21-2009 04:21 AM

Makes perfect sense - just one correction:

Code:

echo '$dnsbl_checks_only = 1;' > /etc/policyd-weight.conf

See the difference? Cool

I'll keep watching the logs but for now it seems solved.

How should someone be happy without this config change? Anyone following the standard installation should experience this effect sooner or later and might want to get rid of it.

Now I'll gain information for the second question.

Once more: THANK YOU so far!

PS: The auth warnings do not avoid the sending itself!

RE: certain mail not being delivered. - rbtux - 04-21-2009 05:36 AM

(04-21-2009 04:21 AM)nesto Wrote: Makes perfect sense - just one correction:

Code:

echo '$dnsbl_checks_only = 1;' > /etc/policyd-weight.conf

See the difference?

jep, sry was quick during work typing ;-)

(04-21-2009 04:21 AM)nesto Wrote: How should someone be happy without this config change? Anyone following the standard installation should experience this effect sooner or later and might want to get rid of it.

don't ask me, I would never use this default configuration. But hey it's the server of the responsible admin and he should care about what he puts online... (yeah I know, I'm kind of idealistic ;-)

(04-21-2009 04:21 AM)nesto Wrote: Now I'll gain information for the second question.

PS: The auth warnings do not avoid the sending itself!

Ah Ok, you might wan't to remove ntlm from the possible sasl auth mechanisms. I personally use dovecot-sasl (not cyrus-sasl) on all server, so I do not know out of my mind where to change that...

RE: certain mail not being delivered. - nesto - 04-21-2009 03:03 PM

(04-21-2009 05:36 AM)rbtux Wrote: Ah Ok, you might wan't to remove ntlm from the possible sasl auth mechanisms. I personally use dovecot-sasl (not cyrus-sasl) on all server, so I do not know out of my mind where to change that ...

Okay, I'll maybe fix that some day ...

Edit: ntlm auth now discussed here: Windows Mobile und NTLM auth Fehler (German).

From my point of view this thread could be closed as my server works much better now and I do not expect any further troubles in this area.

But I wasn't the one opening it Big Grin

Good job - rbtux!!