LinuxQuestions.org
Old 02-08-2007, 02:31 PM   #1
wheel
Member
 
Registered: Sep 2003
Posts: 33

Rep: Reputation: 16
Postgrey (greylisting) on Mandriva problems


I've installed greylisting/postgrey on my server using the Mandriva (2006) install tools. Everything seems to be installed and running fine, mail is getting deferred (and apparently lots of bounces and the like from mail servers not responding - I'm guessing that's the spam getting dropped).

I've run into a problem - I can't send email from my PC. I added one line to my main.cf file (as required by postgrey) and adding it in or removing it turns off or turns on my ability to send email from here. Here's my main.cf, the last line is the killer.

readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
sample_directory = /usr/share/doc/postfix-2.1.5/samples
html_directory = /usr/share/doc/postfix-2.1.5/html
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
daemon_directory = /usr/lib/postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
queue_directory = /var/spool/postfix
mail_owner = postfix
myhostname = mail.XXXXXXXX.com
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = $virtual_alias_maps
mynetworks_style = host
delay_warning_time = 4h
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandrakelinux)
unknown_local_recipient_reject_code = 450
append_at_myorigin = yes
smtp-filter_destination_concurrency_limit = 2
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
daemon_directory = /usr/lib/postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
queue_directory = /var/spool/postfix
mail_owner = postfix
myhostname = mail.XXXXXXXX.com
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = $virtual_alias_maps
mynetworks_style = host
delay_warning_time = 4h
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandrakelinux)
unknown_local_recipient_reject_code = 450
append_at_myorigin = yes
smtp-filter_destination_concurrency_limit = 2
lmtp-filter_destination_concurrency_limit = 2
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
mynetworks = XX.XX.XX.XX {my IP address}
mydestination = $myhostname, $mydomain, localhost.$mydomain, mail.$mydomain, {additional list of domains}
smtpd_helo_required = yes
#the following line causes the problem - but is required for greylisting
#smtpd_recipient_restrictions = check_policy_service unix:extern/postgrey/socket

Bonus question: Is there a file somewhere that can be used to monitor what's going on with the greylisting, like status or logs? I had a look at the list of files containing 'postgrey' but nothing stands out. And documentation online seems slim.
 
Old 02-08-2007, 03:00 PM   #2
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
According to the postfix site, and this method works for me, the smtpd_recipient_restrictions is

check_policy_service unix:private/policy

Give that a go
 
Old 02-08-2007, 03:55 PM   #3
wheel
Member
 
Registered: Sep 2003
Posts: 33

Original Poster
Rep: Reputation: 16
Thanks Billy. I tried that and it didn't work, same symptom.

I'm suspicious that the problem is not directly the newly added line, but instead something else in the file. Now that I scratch my head a bit I remember I've seen similar behaviour in the past when I've made changes to main.cf. Something else I'm doing in that file causes this to happen, likely something I've added to increase security or limit spam. Unfortunately I'm postfix illiterate and most of the stuff in there is either default or cut and paste from the internet.

Anyway, still open to suggestions. In the meantime I'll do some investigating on other aspects of that config file.
 
Old 02-08-2007, 04:28 PM   #4
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Post the output of postconf -n
 
Old 02-09-2007, 07:33 AM   #5
wheel
Member
 
Registered: Sep 2003
Posts: 33

Original Poster
Rep: Reputation: 16
Output of postconf -n before adding that line:

append_at_myorigin = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
delay_warning_time = 4h
html_directory = /usr/share/doc/postfix-2.1.5/html
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, $mydomain, localhost.$mydomain, mail.$mydomain, {other domains}
smtpd_helo_required = yes
myhostname = mail.insurancesquared.com
mynetworks = xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx
mynetworks_style = host
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
sample_directory = /usr/share/doc/postfix-2.1.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandrakelinux)
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
unknown_local_recipient_reject_code = 450
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/etc/postfix/virtual



Output of postconf -n after adding that line added to main.cf and with postgrey running:

append_at_myorigin = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
delay_warning_time = 4h
html_directory = /usr/share/doc/postfix-2.1.5/html
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, $mydomain, localhost.$mydomain, mail.$mydomain, {list of domains}
smtpd_helo_required = yes
myhostname = mail.insurancesquared.com
mynetworks = xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx
mynetworks_style = host
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
sample_directory = /usr/share/doc/postfix-2.1.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandrakelinux)
smtpd_recipient_restrictions = check_policy_service unix:extern/postgrey/socket
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
unknown_local_recipient_reject_code = 450
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/etc/postfix/virtual


Doesn't seem to be anything funky there.
 
Old 02-09-2007, 01:13 PM   #6
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
What does the log say after you've tried to send?
 
Old 02-09-2007, 02:22 PM   #7
Child of Wonder
Member
 
Registered: Jul 2004
Location: Sioux Falls, SD
Distribution: Debian, Ubuntu, Fedora, Red Hat
Posts: 69

Rep: Reputation: 16
There's nothing in your smtpd_recipients check to bypass greylisting for your PC.

Take a look at mine:

Quote:
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unlisted_recipient
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    check_policy_service inet:127.0.0.1:60000

Look at each entry as a step.

permit_mynetworks - Is the connecting IP part of mynetworks? Yes, you get to skip the rest of the recipient checks. No, go to next step.

permit_sasl_authenticated - Did the connecting IP authenticate? Yes, they can skip the rest of the recipient checks. No, go to next step.

... etc... etc..

Those first two checks are essential because they allow any IP in "mynetworks" or anyone who authenticates via SASL to bypass the checks normally associated with incoming mail, such as Greylisting (check_policy_service inet:127.0.0.1:60000).
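
The step-by-step walk described in post #7, as an added Python sketch that is not part of the original thread: it models first-match evaluation of smtpd_recipient_restrictions and compares the single-entry list from post #5 with a shortened form of the list from post #7. The addresses, domains and the toy greylist() function are constructed assumptions; real Postgrey answers through the Postfix policy protocol and is only approximated here as a DEFER on the first attempt.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not taken from the thread.
MYNETWORKS = [ipaddress.ip_network("192.0.2.10/32"), ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"example.com"}

def greylist(session, seen):
    """Toy stand-in for postgrey: defer the first attempt of each triplet."""
    triplet = (session["client"], session["sender"], session["rcpt"])
    if triplet in seen:
        return "DUNNO"
    seen.add(triplet)
    return "DEFER"

def evaluate(restrictions, session, seen):
    """Walk the list top to bottom; the first non-DUNNO result ends the walk."""
    for name in restrictions:
        result = "DUNNO"
        if name == "permit_mynetworks":
            addr = ipaddress.ip_address(session["client"])
            if any(addr in net for net in MYNETWORKS):
                result = "PERMIT"
        elif name == "permit_sasl_authenticated":
            if session.get("sasl_user"):
                result = "PERMIT"
        elif name == "reject_unauth_destination":
            if session["rcpt"].rsplit("@", 1)[1] not in LOCAL_DOMAINS:
                result = "REJECT"
        elif name.startswith("check_policy_service"):
            result = greylist(session, seen)
        if result != "DUNNO":
            return result, name
    return "PERMIT", "end of list"

# The list from post #5 and a shortened form of the list from post #7.
ONLY_GREYLIST = ["check_policy_service unix:extern/postgrey/socket"]
WITH_BYPASS = ["permit_mynetworks", "permit_sasl_authenticated",
               "reject_unauth_destination",
               "check_policy_service inet:127.0.0.1:60000"]

own_pc = {"client": "192.0.2.10", "sender": "me@example.com", "rcpt": "friend@example.org"}
stranger = {"client": "198.51.100.7", "sender": "a@example.net", "rcpt": "me@example.com"}

def demo():
    return {
        "own_pc_only_greylist": evaluate(ONLY_GREYLIST, own_pc, set())[0],
        "own_pc_with_bypass": evaluate(WITH_BYPASS, own_pc, set())[0],
        "stranger_first_try": evaluate(WITH_BYPASS, stranger, set())[0],
    }
```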
 
Old 02-09-2007, 02:24 PM   #8
wheel
Member
 
Registered: Sep 2003
Posts: 33

Original Poster
Rep: Reputation: 16
Hey, thanks so much for the clear outline. I don't know postfix very well, but I can certainly take it from here, given your explanation.
 
  


All times are GMT -5.