Postfix help wanted

EDIT: I think I have solved this with help on IRC. See the Solution section below.

I need help configuring Postfix. I am overwhelmed by the options available, and I need to stay on track with the rest of the git changes rather than get lost in mail configuration.

I have changed references to the FreshPorts domain. I’m using example.org instead.

Background

FreshPorts processes incoming subversion commit emails to create XML which is then loaded into the database.

I need help configuring a new host: mx-ingress04

Mail goes from the FreeBSD mailing list to mx-ingress02 which then distributes it to other nodes.

mx-ingress04 is on AWS, and this is what I’m having trouble with. AWS restricts outgoing port 25 connections from this host. To work around that, I can use relayhost to send outgoing mail through another mail server which is configured to relay for it.

The problem

When I enable relayhost on mx-ingress04, it breaks the delivery that works now: all incoming mail goes out via the relay instead of to the ingress host for processing.

Logs with relayhost=10.0.17.21:

Feb  6 20:39:43 mx-ingress04 postfix/smtpd[77346]: connect from unknown[198.51.100.203]
Feb  6 20:39:43 mx-ingress04 postfix/smtpd[77346]: CA1BABCFB: client=unknown[198.51.100.203]
Feb  6 20:39:43 mx-ingress04 postfix/cleanup[77352]: CA1BABCFB: message-id=<20210206203943.99D71EC81@mx-ingress02.example.org>
Feb  6 20:39:43 mx-ingress04 postfix/qmgr[77341]: CA1BABCFB: from=<dan@mx-ingress02.example.org>, size=572, nrcpt=1 (queue active)
Feb  6 20:39:43 mx-ingress04 postfix/smtpd[77346]: disconnect from unknown[198.51.100.203] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb  6 20:39:43 mx-ingress04 postfix/cleanup[77352]: CED1DBD8F: message-id=<20210206203943.99D71EC81@mx-ingress02.example.org>
Feb  6 20:39:43 mx-ingress04 postfix/local[77353]: CA1BABCFB: to=<production@mx-ingress04.example.org>, relay=local, delay=0.03, delays=0.02/0.01/0/0, dsn=2.0.0, status=sent (forwarded as CED1DBD8F)
Feb  6 20:39:43 mx-ingress04 postfix/qmgr[77341]: CED1DBD8F: from=<dan@mx-ingress02.example.org>, size=732, nrcpt=1 (queue active)
Feb  6 20:39:43 mx-ingress04 postfix/qmgr[77341]: CA1BABCFB: removed
Feb  6 20:39:43 mx-ingress04 postfix/smtp[77354]: CED1DBD8F: to=<ingress_svn@[127.163.0.10]>, orig_to=<production@mx-ingress04.example.org>, relay=10.0.17.21[10.0.17.21]:25, delay=0.03, delays=0/0.01/0.01/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D4EDA2E2EB)
Feb  6 20:39:43 mx-ingress04 postfix/qmgr[77341]: CED1DBD8F: removed

Logs without relayhost:

Feb  6 20:39:26 mx-ingress04 postfix/smtpd[77211]: connect from unknown[198.51.100.203]
Feb  6 20:39:26 mx-ingress04 postfix/smtpd[77211]: 5A7A9BD76: client=unknown[198.51.100.203]
Feb  6 20:39:26 mx-ingress04 postfix/cleanup[77217]: 5A7A9BD76: message-id=<20210206203926.1938AEB7D@mx-ingress02.example.org>
Feb  6 20:39:26 mx-ingress04 postfix/smtpd[77211]: disconnect from unknown[198.51.100.203] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb  6 20:39:26 mx-ingress04 postfix/qmgr[77205]: 5A7A9BD76: from=<dan@mx-ingress02.example.org>, size=572, nrcpt=1 (queue active)
Feb  6 20:39:26 mx-ingress04 postfix/cleanup[77217]: 5D2F9BCF9: message-id=<20210206203926.1938AEB7D@mx-ingress02.example.org>
Feb  6 20:39:26 mx-ingress04 postfix/local[77218]: 5A7A9BD76: to=<production@mx-ingress04.example.org>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (forwarded as 5D2F9BCF9)
Feb  6 20:39:26 mx-ingress04 postfix/qmgr[77205]: 5D2F9BCF9: from=<dan@mx-ingress02.example.org>, size=732, nrcpt=1 (queue active)
Feb  6 20:39:26 mx-ingress04 postfix/qmgr[77205]: 5A7A9BD76: removed
Feb  6 20:39:26 mx-ingress04 postfix/smtp[77219]: 5D2F9BCF9: to=<ingress_svn@[127.163.0.10]>, orig_to=<production@mx-ingress04.example.org>, relay=127.163.0.10[127.163.0.10]:25, delay=0.05, delays=0/0/0.04/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 683A35F665)
Feb  6 20:39:26 mx-ingress04 postfix/qmgr[77205]: 5D2F9BCF9: removed

The goal

At mx-ingress04, incoming mail for production@mx-ingress04.example.org goes to ingress_svn@[127.163.0.10].

Any mail originating on mx-ingress04 is relayed out to 10.0.17.21.
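The two log excerpts above differ in exactly one field, the `relay=` in the postfix/smtp line. The following script is an added example (not code from the original post): it parses that field out of postfix/smtp log lines and flags any delivery whose next hop does not match the routing described under The goal. The sample lines are the smtp(8) and local(8) lines quoted above; the direct-delivery domain and relay address are the ones from the post.

```python
"""Audit which next hop Postfix's smtp(8) actually used for each delivery.

Added example, not code from the original post. It parses the 'relay='
field out of postfix/smtp log lines and compares the next hop used with
the routing the post wants: mail for [127.163.0.10] must go straight to
that host, everything else goes via 10.0.17.21. The sample lines are
delivery lines quoted in the post (with and without relayhost).
"""
import re

# Constructed from the post's two log excerpts; the local(8) line is
# included to show that only smtp(8) lines are inspected.
SAMPLE_LOG = """\
Feb  6 20:39:43 mx-ingress04 postfix/smtp[77354]: CED1DBD8F: to=<ingress_svn@[127.163.0.10]>, orig_to=<production@mx-ingress04.example.org>, relay=10.0.17.21[10.0.17.21]:25, delay=0.03, delays=0/0.01/0.01/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D4EDA2E2EB)
Feb  6 20:39:26 mx-ingress04 postfix/local[77218]: 5A7A9BD76: to=<production@mx-ingress04.example.org>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (forwarded as 5D2F9BCF9)
Feb  6 20:39:26 mx-ingress04 postfix/smtp[77219]: 5D2F9BCF9: to=<ingress_svn@[127.163.0.10]>, orig_to=<production@mx-ingress04.example.org>, relay=127.163.0.10[127.163.0.10]:25, delay=0.05, delays=0/0/0.04/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 683A35F665)
"""

# postfix/smtp lines that record a host[ip]:port next hop. Deferred lines
# with relay=none and local(8)/virtual(8) lines do not match and are skipped.
SMTP_DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<to>[^>]+)>, "
    r"(?:orig_to=<(?P<orig_to>[^>]+)>, )?"
    r"relay=(?P<relay_host>[^\[,]+)\[(?P<relay_ip>[^\]]+)\]:(?P<port>\d+), "
    r".*?status=(?P<status>\w+)"
)


def parse_smtp_deliveries(log_text):
    """Return one dict (qid, to, orig_to, relay_host, relay_ip, port, status) per smtp(8) delivery."""
    deliveries = []
    for line in log_text.splitlines():
        match = SMTP_DELIVERY.search(line)
        if match:
            deliveries.append(match.groupdict())
    return deliveries


def expected_next_hop(recipient, direct_domains, relay):
    """Next hop the post's routing should produce for this recipient."""
    domain = recipient.rpartition("@")[2]
    # A bracketed address literal such as [127.163.0.10] is delivered to that IP itself.
    return domain.strip("[]") if domain in direct_domains else relay


def find_misrouted(deliveries, direct_domains=("[127.163.0.10]",), relay="10.0.17.21"):
    """Return (queue id, recipient, next hop used, next hop expected) for each mismatch."""
    bad = []
    for d in deliveries:
        want = expected_next_hop(d["to"], direct_domains, relay)
        if d["relay_ip"] != want:
            bad.append((d["qid"], d["to"], d["relay_ip"], want))
    return bad


if __name__ == "__main__":
    for qid, to, used, want in find_misrouted(parse_smtp_deliveries(SAMPLE_LOG)):
        print(f"{qid}: {to} went via {used}, expected {want}")
```

Run against a real maillog (`grep postfix/smtp /var/log/maillog`) after any change to relayhost or transport_maps, the mismatch list is empty when routing is correct; in the sample it reports the queue id CED1DBD8F from the relayhost run, which is exactly the misrouting the post describes.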

Existing configuration

This is the existing configuration on mx-ingress04:

# postconf -n
alias_maps = hash:/etc/mail/aliases
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = 127.163.0.25, [redacted]:1a17:f712:6854:4175:9eaa
inet_protocols = ipv4, ipv6
mail_owner = postfix
mailbox_command = /usr/local/bin/maildrop -d ${USER}
mailbox_size_limit = 102400000
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 102400000
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_CAfile = /usr/local/etc/ssl/ca.cer
smtp_tls_cert_file = /usr/local/etc/ssl/mx-ingress04.example.org.fullchain.cer
smtp_tls_fingerprint_digest = sha1
smtp_tls_key_file = /usr/local/etc/ssl/mx-ingress04.example.org.key
smtp_tls_policy_maps = hash:/usr/local/etc/postfix/tls_policy
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtpd_tls_CAfile = /usr/local/etc/ssl/ca.cer
smtpd_tls_cert_file = /usr/local/etc/ssl/mx-ingress04.example.org.fullchain.cer
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /usr/local/etc/ssl/mx-ingress04.example.org.key
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
soft_bounce = yes
unknown_local_recipient_reject_code = 550
virtual_maps = hash:/usr/local/etc/postfix/mx-ingress04.example.org.virtual-virtual_alias_maps

# cat mx-ingress04.example.org.virtual-virtual_alias_maps
postmaster@mx-ingress04.example.org   dan@langille.org
production@mx-ingress04.example.org   ingress_svn@[127.163.0.10]

Since writing this, I’ve found some help via IRC.

Solution

This is what I am using now. In short, I have:

  1. Removed virtual_maps
  2. Removed relayhost
  3. Added a new alias_maps
  4. Added a new transport_maps

The new alias_maps is:

[root@mx-ingress04 /usr/local/etc/postfix]# cat mx-ingress04-alias-maps
production:	ingress_svn@[127.163.0.10]

This says:

  • any mail for local user production gets sent to ingress_svn@[127.163.0.10]

The new transport_maps is:

[root@mx-ingress04 /usr/local/etc/postfix]# cat mx-ingress04-transport
[127.163.0.10] :
* :[10.0.17.21]

This says:

  • mail for [127.163.0.10] keeps its default delivery (straight to that host, not via the relay)
  • all other mail will be relayed via 10.0.17.21
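To see why the alias map plus the transport map gives the right answer for both cases, here is an added example (not Postfix code and not from the original post) that parses the two map files exactly as shown above and replays the lookups. It follows the flow the logs show: a recipient in a local domain is handed to local(8), whose alias expansion re-injects the mail as a new message, and that message is then routed through transport_maps in the transport(5) search order (full address, then the domain, then the `*` wildcard). It assumes mx-ingress04.example.org is in mydestination, which the post does not print but the `relay=local` log lines imply, and it leaves out parent-domain matching and the other transport(5) details that do not matter here.

```python
"""Replay the post's alias_maps and transport_maps for a given recipient.

Added example, not Postfix code. It parses the two map files shown in the
post and applies the transport(5) search order (full address, domain, then
the "*" wildcard) on top of the flow the post's logs show: a recipient in
a local domain goes to local(8), whose alias expansion re-injects the mail
as a new message, and that message is then routed.
Assumption: mx-ingress04.example.org is in mydestination (the logs show
relay=local for it; the post does not print mydestination).
"""

LOCAL_DOMAINS = {"mx-ingress04.example.org"}  # assumed, see module docstring
DEFAULT_TRANSPORT = "smtp"                     # Postfix's default_transport
MAX_ALIAS_HOPS = 10                            # guard against alias loops

# The two map files from the post, verbatim.
ALIAS_FILE = "production:\tingress_svn@[127.163.0.10]\n"
TRANSPORT_FILE = "[127.163.0.10] :\n* :[10.0.17.21]\n"


def parse_aliases(text):
    """aliases(5) format: 'name: value' per line; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, _, value = line.partition(":")
            table[name.strip()] = value.strip()
    return table


def parse_transport(text):
    """transport(5) format: 'pattern transport:nexthop' per line."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0]] = parts[1].strip()
    return table


def lookup_transport(recipient, transport):
    """Return (transport, nexthop); None means 'keep the default'."""
    domain = recipient.rpartition("@")[2]
    for key in (recipient, domain, "*"):
        if key in transport:
            channel, _, nexthop = transport[key].partition(":")
            return channel or None, nexthop or None
    return None, None


def route(recipient, aliases, transport, local_domains=LOCAL_DOMAINS, hops=0):
    """List of (recipient, transport, nexthop) steps taken to deliver one message."""
    if hops > MAX_ALIAS_HOPS:
        raise RuntimeError(f"alias loop while resolving {recipient}")
    user, _, domain = recipient.rpartition("@")
    if domain in local_domains:
        step = [(recipient, "local", domain)]
        if user in aliases:  # local(8) expands the alias and submits a new message
            return step + route(aliases[user], aliases, transport, local_domains, hops + 1)
        return step
    channel, nexthop = lookup_transport(recipient, transport)
    # A null transport and nexthop ("[127.163.0.10] :") leaves delivery unchanged:
    # default_transport straight to the recipient's own domain or address literal.
    return [(recipient, channel or DEFAULT_TRANSPORT, nexthop or domain)]


if __name__ == "__main__":
    aliases, transport = parse_aliases(ALIAS_FILE), parse_transport(TRANSPORT_FILE)
    for rcpt in ("production@mx-ingress04.example.org", "dan@langille.org"):
        for to, channel, nexthop in route(rcpt, aliases, transport):
            print(f"{rcpt:40} -> {to} via {channel}:{nexthop}")
```

On the real host the same lookups can be checked against the compiled tables with `postmap -q '[127.163.0.10]' hash:/usr/local/etc/postfix/mx-ingress04-transport` and `postmap -q '*' hash:...`. Both hash: files have to be rebuilt after every edit: `postmap hash:/usr/local/etc/postfix/mx-ingress04-transport` for the transport map and `postalias hash:/usr/local/etc/postfix/mx-ingress04-alias-maps` for the alias map, since `newaliases` only rebuilds the tables listed in alias_database, not every entry in alias_maps.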

The current configuration is:

# postconf -n
alias_maps = hash:/etc/mail/aliases, hash:/usr/local/etc/postfix/mx-ingress04-alias-maps
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = 127.163.0.25, [redacted]:1a17:f712:6854:4175:9eaa
inet_protocols = ipv4, ipv6
mail_owner = postfix
mailbox_command = /usr/local/bin/maildrop -d ${USER}
mailbox_size_limit = 102400000
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 102400000
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_CAfile = /usr/local/etc/ssl/ca.cer
smtp_tls_cert_file = /usr/local/etc/ssl/mx-ingress04.example.org.fullchain.cer
smtp_tls_fingerprint_digest = sha1
smtp_tls_key_file = /usr/local/etc/ssl/mx-ingress04.example.org.key
smtp_tls_policy_maps = hash:/usr/local/etc/postfix/tls_policy
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtpd_tls_CAfile = /usr/local/etc/ssl/ca.cer
smtpd_tls_cert_file = /usr/local/etc/ssl/mx-ingress04.example.org.fullchain.cer
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /usr/local/etc/ssl/mx-ingress04.example.org.key
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
soft_bounce = yes
transport_maps = hash:/usr/local/etc/postfix/mx-ingress04-transport
unknown_local_recipient_reject_code = 550
[root@mx-ingress04 /usr/local/etc/postfix]# 