Postfix and rejecting mail from WP

Post by LordRuthwen »

Hello.
I have a mail server set up on Postfix and I suspect that some time ago the wizards/shamans at wp.pl messed something up, because the machine treats their mail as spam and rejects it; it used to work fine.
Naturally one can write to them that something is wrong and hope that somebody replies... it ended at hope. A colleague of mine has the same problem.
I have a similar situation with messages from the WSIiZ university in Rzeszów; they keep their mail on Microsoft's servers and one can write to them... and there too everything used to arrive normally and one day it stopped.
Here is a piece of the logs:

Code:

Nov  3 19:07:59 ns38063 postfix/smtpd[17025]: connect from mx3.wp.pl[212.77.101.7]
Nov  3 19:08:00 ns38063 postfix/smtpd[17025]: setting up TLS connection from mx3.wp.pl[212.77.101.7]
Nov  3 19:08:00 ns38063 postfix/smtpd[17025]: Anonymous TLS connection established from mx3.wp.pl[212.77.101.7]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov  3 19:08:01 ns38063 postfix/smtpd[17025]: NOQUEUE: reject: RCPT from mx3.wp.pl[212.77.101.7]: 550 5.7.1 <lukasz@mojadomena>: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; from=<xxxxxx@wp.pl> to=<lukasz@mojadomena> proto=ESMTP helo=<mx3.wp.pl>
Nov  3 19:08:01 ns38063 postfix/smtpd[17025]: disconnect from mx3.wp.pl[212.77.101.7]

Code:

Nov  3 19:03:53 ns38063 postfix/smtpd[16736]: connect from va3ehsobe005.messaging.microsoft.com[216.32.180.31]
Nov  3 19:03:54 ns38063 postfix/smtpd[16736]: setting up TLS connection from va3ehsobe005.messaging.microsoft.com[216.32.180.31]
Nov  3 19:03:54 ns38063 postfix/smtpd[16736]: Anonymous TLS connection established from va3ehsobe005.messaging.microsoft.com[216.32.180.31]: TLSv1 with cipher AES128-SHA (128/128 bits)
Nov  3 19:04:02 ns38063 postfix/smtpd[16736]: NOQUEUE: reject: RCPT from va3ehsobe005.messaging.microsoft.com[216.32.180.31]: 550 5.7.1 <lukasz@mojadomena>: Recipient address rejected: temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; from=<wxxxx@student.wsiz.rzeszow.pl> to=<lukasz@mojadomena> proto=ESMTP helo=<VA3EHSOBE005.bigfish.com>
Nov  3 19:04:02 ns38063 postfix/smtpd[16736]: disconnect from va3ehsobe005.messaging.microsoft.com[216.32.180.31]
And here is main.cf, which I have probably already turned inside out, and I still cannot figure out what is going on.

Code:

command_directory            = /usr/sbin
daemon_directory             = /usr/lib/postfix

inet_interfaces              = all
mynetworks                   = 127.0.0.1
mynetworks_style             = host

myhostname                   = mail.gcth.pl
mydomain                     = ns38063.ovh.net.local
myorigin                     = $myhostname

smtpd_banner                 = $myhostname ESMTP Postfix
setgid_group                 = postdrop

mydestination                = $myhostname, $mydomain
append_dot_mydomain          = no
append_at_myorigin           = yes
local_transport              = local
virtual_transport            = virtual
transport_maps               = hash:/etc/postfix/ispcp/transport
alias_maps                   = hash:/etc/aliases
alias_database               = hash:/etc/aliases

mail_spool_directory         = /home/mail

mailbox_size_limit           = 0
mailbox_command              = procmail -a "$EXTENSION"

message_size_limit           = 50000000

biff                         = no
recipient_delimiter          = +

smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
tls_random_source = dev:/dev/urandom


local_destination_recipient_limit = 1
local_recipient_maps         = unix:passwd.byname $alias_database

ispcp-arpl_destination_recipient_limit = 1

virtual_mailbox_base         = /home/mail/virtual
virtual_mailbox_limit        = 0

virtual_mailbox_domains      = hash:/etc/postfix/ispcp/domains
virtual_mailbox_maps         = hash:/etc/postfix/ispcp/mailboxes

virtual_alias_maps           = hash:/etc/postfix/ispcp/aliases

virtual_minimum_uid          = 5006
virtual_uid_maps             = static:5006
virtual_gid_maps             = static:8

smtpd_sasl_auth_enable       = yes
smtpd_sasl2_auth_enable       = yes
smtpd_sasl_security_options  = noanonymous
smtpd_sasl_local_domain      =
broken_sasl_auth_clients     = yes



smtpd_helo_restrictions      = permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_pipelining,
                               reject_invalid_helo_hostname


smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/whitelista,
                               reject_non_fqdn_recipient,
                               reject_unknown_recipient_domain,
                               permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination,
                               reject_unlisted_recipient,
                               check_policy_service inet:127.0.0.1:12525,
                               check_policy_service inet:127.0.0.1:10023,
                               reject_non_fqdn_helo_hostname,
                               reject_rhsbl_client revdns.rbl.tld,
                               reject_rhsbl_helo revdns.rbl.tld,
                               reject_rbl_client dul.dnsbl.sorbs.net,
                               reject_rbl_client sbl.spamhaus.org,
                               reject_rbl_client cbl.abuseat.org,
                               reject_rbl_client bl.spamcop.net,
                               permit

smtpd_client_restrictions = permit_sasl_authenticated,
                                reject_rhsbl_client revdns.rbl.tld,
                                reject_rhsbl_helo revdns.rbl.tld,
                                reject_rbl_client dul.dnsbl.sorbs.net,
                                reject_rbl_client sbl.spamhaus.org,
                                reject_rbl_client cbl.abuseat.org,
                                reject_rbl_client bl.spamcop.net

smtpd_sender_restrictions    = permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unknown_sender_domain,
                               reject_non_fqdn_sender,
                               reject_unknown_address,
                               check_sender_access pcre:/etc/postfix/sender_checks.pcre


smtpd_data_restrictions      = reject_multi_recipient_bounce,
                               reject_unauth_pipelining

smtpd_helo_required          = yes
unknown_hostname_reject_code = 550

content_filter               = scan:[127.0.0.1]:10025
receive_override_options = no_address_mappings

readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
inet_protocols = ipv4
Please help.
If anything else needs to be provided, that is no problem.

Post by markossx »

Then show /etc/hosts...

Post by LordRuthwen »

Code:

# 'hosts' file configuration.

127.0.0.1       ns38063.ovh.net.local   localhost
91.121.10.78    ns38063.ovh.net ns38063
::ffff:91.121.10.78     ns38063.ovh.net ns38063
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Post by sethiel »

In my opinion the error is caused by the recipient's server requiring a signature on incoming messages.
Your server tries to do that, but you are "Anonymous" - perhaps they do not have a certificate issued by a certification authority, only a self-generated one.
Call WSIZ, maybe there is someone with a brain on the other side and you can compare logs between you?
Oh, and one more thing: link.

Post by markossx »

It seems to me that the problem is in the host name and its domain.
In main.cf you have:

Code:

myhostname                   = mail.gcth.pl 
mydomain                     = ns38063.ovh.net.local
But in /etc/hostname you have:

Code:

91.121.10.78    ns38063.ovh.net ns38063
That needs to be sorted out.
It is also important that "myorigin" points to /etc/mailname, which should contain the host name (fqdn).
It is important that the files in (with a standard install):

Code:

/var/spool/postfix/etc/*
have their counterparts in /etc.

Post by LordRuthwen »

Tell me also what the incorrectly (already fixed) set names of my host have to do with rejecting messages that come to me from other servers?
Because I do know that some servers reject messages if the sender has incorrectly set names or PTR.

Added:
I think I know what it may be about:

Code:

Nov  7 09:53:45 ns38063 postfix/policyd-weight[7343]: policyd-weight 0.1.15 devel-1 started and daemonized. conf:/etc/policyd-weight.conf; GID:116 116 EGID:116 116 UID:112 EUID:112; taint mode: 1
Nov  7 09:53:45 ns38063 postfix/policyd-weight[7343]: warning: cache_query: $csock couln't be created: connect: Nie ma takiego pliku ani katalogu, calling spawn_cache()
Nov  7 09:53:45 ns38063 postfix/policyd-weight[7344]: cache spawned

Code:

# ls -alR /var/run/policyd-weight
/var/run/policyd-weight:
razem 12
drwx------  3 polw polw 4096 11-07 09:53 .
drwxr-xr-x 20 root root 4096 11-07 09:53 ..
drwxr-xr-x  4 polw polw 4096 11-07 09:53 cores
srwxrwx---  1 polw polw    0 11-07 09:53 polw.sock

/var/run/policyd-weight/cores:
razem 16
drwxr-xr-x 4 polw polw 4096 11-07 09:53 .
drwx------ 3 polw polw 4096 11-07 09:53 ..
drwxr-xr-x 2 polw polw 4096 11-07 09:53 cache
drwxr-xr-x 2 polw polw 4096 11-07 09:53 master

/var/run/policyd-weight/cores/cache:
razem 8
drwxr-xr-x 2 polw polw 4096 11-07 09:53 .
drwxr-xr-x 4 polw polw 4096 11-07 09:53 ..

/var/run/policyd-weight/cores/master:
razem 8
drwxr-xr-x 2 polw polw 4096 11-07 09:53 .
drwxr-xr-x 4 polw polw 4096 11-07 09:53 ..

Code:

# ----------------------------------------------------------------
#  policyd-weight configuration (defaults) Version 0.1.15 devel-1 
# ----------------------------------------------------------------


   $DEBUG        = 0;               # 1 or 0 - don't comment

   $REJECTMSG    = "550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs";

   $REJECTLEVEL  = 1;               # Mails with scores which exceed this
                                    # REJECTLEVEL will be rejected

   $DEFER_STRING = 'IN_SPAMCOP= BOGUS_MX='; 
                                    # A space separated case-sensitive list of
                                    # strings on which if found in the $RET
                                    # logging-string policyd-weight changes
                                    # its action to $DEFER_ACTION in case
                                    # of rejects.
                                    # USE WITH CAUTION!
                                    # DEFAULT: "IN_SPAMCOP= BOGUS_MX="


   $DEFER_ACTION = '450';           # Possible values: DEFER_IF_PERMIT,
                                    # DEFER_IF_REJECT, 
                                    # 4xx response codes. See also access(5)
                                    # DEFAULT: 450

   $DEFER_LEVEL  = 25;               # DEFER mail only up to this level
                                    # scores greater than DEFER_LEVEL will be
                                    # rejected
                                    # DEFAULT: 5

   $DNSERRMSG         = '450 No DNS entries for your MTA, HELO and Domain. Contact YOUR administrator';

   $dnsbl_checks_only = 0;          # 1: ON, 0: OFF (default)
                                    # If ON request that ALL clients are only
                                    # checked against RBLs

   @dnsbl_checks_only_regexps = (
    # qr/[^.]*(exch|smtp|mx|mail).*\..*\../,
    # qr/yahoo.com$/
);                                  # specify a comma-separated list of regexps
                                    # for client hostnames which shall only
                                    # be RBL checked. This does not work for
                                    # postfix' "unknown" clients.
                                    # The usage of this should not be the norm
                                    # and is a tool for people which like to
                                    # shoot in their own foot.
                                    # DEFAULT: empty
                                    

   $LOG_BAD_RBL_ONLY  = 1;          # 1: ON (default), 0: OFF
                                    # When set to ON it logs only RBLs which
                                    # affect scoring (positive or negative)
                                    
## DNSBL settings
   @dnsbl_score = (
#    HOST,                    HIT SCORE,  MISS SCORE,  LOG NAME
    'pbl.spamhaus.org',       3.25,          0,        'DYN_PBL_SPAMHAUS',
    'sbl-xbl.spamhaus.org',   4.35,       -1.5,        'SBL_XBL_SPAMHAUS',
    'bl.spamcop.net',         3.75,       -1.5,        'SPAMCOP',
    'dnsbl.njabl.org',        4.25,       -1.5,        'BL_NJABL',
    'ix.dnsbl.manitu.net',    4.35,          0,        'IX_MANITU',
    'rbl.ipv6-world.net',     4.25,          0,        'IPv6_RBL'
);

   $MAXDNSBLHITS  = 2;  # If Client IP is listed in MORE
                        # DNSBLS than this var, it gets
                        # REJECTed immediately

   $MAXDNSBLSCORE = 8;  # alternatively, if the score of
                        # DNSBLs is ABOVE this
                        # level, reject immediately

   $MAXDNSBLMSG   = '550 Your MTA is listed in too many DNSBLs';

## RHSBL settings
   @rhsbl_score = (
    'multi.surbl.org',             4,        0,        'SURBL',
    'rhsbl.ahbl.org',              4,        0,        'AHBL',
    'dsn.rfc-ignorant.org',        3.5,      0,        'DSN_RFCI',
    'postmaster.rfc-ignorant.org', 0.1,      0,        'PM_RFCI',
    'abuse.rfc-ignorant.org',      0.1,      0,        'ABUSE_RFCI'
);

   $BL_ERROR_SKIP     = 2;  # skip a RBL if this RBL had this many continuous
                            # errors

   $BL_SKIP_RELEASE   = 10; # skip a RBL for that many times

## cache stuff
   $LOCKPATH          = '/var/run/policyd-weight/';    # must be a directory (add
                                                    # trailing slash)

   $SPATH             = $LOCKPATH.'/polw.sock';     # socket path for the cache
                                                    # daemon. 

   $MAXIDLECACHE      = 60; # how many seconds the cache may be idle
                            # before starting maintenance routines
                            # NOTE: standard maintenance jobs happen
                            # regardless of this setting.

   $MAINTENANCE_LEVEL = 5;  # after this number of requests do following
                            # maintenance jobs:
                            # checking for config changes

# negative (i.e. SPAM) result cache settings ##################################

   $CACHESIZE       = 2000; # set to 0 to disable caching for spam results. 
                            # To this level the cache will be cleaned.

   $CACHEMAXSIZE    = 4000; # at this number of entries cleanup takes place

   $CACHEREJECTMSG  = '550 temporarily blocked because of previous errors';

   $NTTL            = 1;    # after NTTL retries the cache entry is deleted

   $NTIME           = 30;   # client MUST NOT retry within this seconds in order
                            # to decrease TTL counter


# positve (i.,e. HAM) result cache settings ###################################

   $POSCACHESIZE    = 1000; # set to 0 to disable caching of HAM. To this number
                            # of entries the cache will be cleaned

   $POSCACHEMAXSIZE = 2000; # at this number of entries cleanup takes place

   $POSCACHEMSG     = 'using cached result';

   $PTTL            = 60;   # after PTTL requests the HAM entry must
                            # succeed one time the RBL checks again

   $PTIME           = '3h'; # after $PTIME in HAM Cache the client
                            # must pass one time the RBL checks again.
                            # Values must be nonfractal. Accepted
                            # time-units: s, m, h, d

   $TEMP_PTIME      = '1d'; # The client must pass this time the RBL
                            # checks in order to be listed as hard-HAM
                            # After this time the client will pass
                            # immediately for PTTL within PTIME


## DNS settings
   $DNS_RETRIES     = 2;    # Retries for ONE DNS-Lookup

   $DNS_RETRY_IVAL  = 2;    # Retry-interval for ONE DNS-Lookup

   $MAXDNSERR       = 3;    # max error count for unresponded queries
                            # in a complete policy query

   $MAXDNSERRMSG    = 'passed - too many local DNS-errors';

   $PUDP            = 0;    # persistent udp connection for DNS queries.
                            # broken in Net::DNS version 0.51. Works with
                            # Net::DNS 0.53; DEFAULT: off

   $USE_NET_DNS     = 0;    # Force the usage of Net::DNS for RBL lookups.
                            # Normally policyd-weight tries to use a faster
                            # RBL lookup routine instead of Net::DNS


   $NS              = '';   # A list of space separated NS IPs
                            # This overrides resolv.conf settings
                            # Example: $NS = '1.2.3.4 1.2.3.5';
                            # DEFAULT: empty


   $IPC_TIMEOUT     = 2;    # timeout for receiving from cache instance

   $TRY_BALANCE     = 0;    # If set to 1 policyd-weight closes connections
                            # to smtpd clients in order to avoid too many
                            # established connections to one policyd-weight
                            # child

# scores for checks, WARNING: they may manipulate eachother
# or be factors for other scores.
#                                       HIT score, MISS Score
   @client_ip_eq_helo_score          = (1.5,       -1.25 );
   @helo_score                       = (1.5,       -2    );
   @helo_from_mx_eq_ip_score         = (1.5,       -3.1  );
   @helo_numeric_score               = (2.5,        0    );
   @from_match_regex_verified_helo   = (1,         -2    );
   @from_match_regex_unverified_helo = (1.6,       -1.5  );
   @from_match_regex_failed_helo     = (2.5,        0    );
   @helo_seems_dialup                = (1.5,        0    );
   @failed_helo_seems_dialup         = (2,          0    );
   @helo_ip_in_client_subnet         = (0,         -1.2  );
   @helo_ip_in_cl16_subnet           = (0,         -0.41 );
   @client_seems_dialup_score        = (3.75,       0    );
   @from_multiparted                 = (1.09,       0    );
   @from_anon                        = (1.17,       0    );
   @bogus_mx_score                   = (2.1,        0    );
   @random_sender_score              = (0.25,       0    );
   @rhsbl_penalty_score              = (3.1,        0    );
   @enforce_dyndns_score             = (3,          0    );


   $VERBOSE = 0;

   $ADD_X_HEADER        = 1;    # Switch on or off an additional 
                                # X-policyd-weight: header
                                # DEFAULT: on


   $DEFAULT_RESPONSE    = 'DUNNO default'; # Fallback response in case
                                           # the weighted check didn't
                                           # return any response (should never
                                           # appear).



#
# Syslogging options for verbose mode and for fatal errors.
# NOTE: comment out the $syslog_socktype line if syslogging does not
# work on your system.
#

   $syslog_socktype = 'unix';   # inet, unix, stream, console

   $syslog_facility = "mail";
   $syslog_options  = "pid";
   $syslog_priority = "info";
   $syslog_ident    = "postfix/policyd-weight";


#
# Process Options
#
   $USER            = "polw";      # User must be a username, no UID

   $GROUP           = "";          # specify GROUP if necessary
                                   # DEFAULT: empty, will be initialized as 
                                   # $USER

   $MAX_PROC        = 50;          # Upper limit if child processes
   $MIN_PROC        = 3;           # keep that minimum processes alive

   $TCP_PORT        = 12525;       # The TCP port on which policyd-weight 
                                   # listens for policy requests from postfix

   $BIND_ADDRESS    = '127.0.0.1'; # IP-Address on which policyd-weight will
                                   # listen for requests.
                                   # You may only list ONE IP here, if you want
                                   # to listen on all IPs you need to say 'all'
                                   # here. Default is '127.0.0.1'.
                                   # You need to restart policyd-weight if you
                                   # change this.

   $SOMAXCONN       = 1024;        # Maximum of client connections 
                                   # policyd-weight accepts
                                   # Default: 1024
                                   

   $CHILDIDLE       = 240;         # how many seconds a child may be idle before
                                   # it dies.

   $PIDFILE         = "/var/run/policyd-weight.pid";

Maybe that is why it rejects these messages for me, but how do I get rid of it?
I found something like this: http://administratorblog.com/archive/20 ... fused.aspx but unfortunately it does not really work for me.
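A diagnostic helper, added here and not part of the thread or of the policyd-weight project: it pulls the client, HELO and envelope fields out of the reject line quoted in the first post, tells policyd-weight's negative-cache reply ("temporarily blocked because of previous errors") apart from a fresh verdict, and can replay the same attributes over Postfix's policy delegation protocol to the listener on 127.0.0.1:12525 from main.cf, so the daemon's answer can be read directly instead of guessing from smtpd's log. Function and attribute names are my own; the socket call assumes policyd-weight is reachable on that port.

```python
import re
import socket

# The NOQUEUE reject line from the first post (sender and mailbox domain masked as posted).
SAMPLE_REJECT_LINE = (
    "Nov  3 19:08:01 ns38063 postfix/smtpd[17025]: NOQUEUE: reject: RCPT from "
    "mx3.wp.pl[212.77.101.7]: 550 5.7.1 <lukasz@mojadomena>: Recipient address rejected: "
    "temporarily blocked because of previous errors - retrying too fast. penalty: "
    "30 seconds x 0 retries.; from=<xxxxxx@wp.pl> to=<lukasz@mojadomena> "
    "proto=ESMTP helo=<mx3.wp.pl>"
)

# Field layout of a Postfix "NOQUEUE: reject: RCPT from ..." line.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client_name>[^\[]+)\[(?P<client_address>[^\]]+)\]: "
    r"(?P<status>\d{3} \S+) <[^>]*>: (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<recipient>[^>]*)> "
    r"proto=(?P<protocol_name>\S+) helo=<(?P<helo_name>[^>]*)>"
)

CACHE_REJECT_MARKER = "temporarily blocked because of previous errors"  # policyd-weight $CACHEREJECTMSG


def parse_reject_line(line):
    """Return the client/HELO/envelope fields of a reject line, or None for other log lines."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def is_cache_reject(fields):
    """True when the reason is the negative-cache reply rather than a fresh scoring verdict."""
    return fields is not None and CACHE_REJECT_MARKER in fields["reason"]


def build_policy_request(fields):
    """Encode a policy delegation request: name=value lines terminated by an empty line."""
    attrs = {
        "request": "smtpd_access_policy",
        "protocol_state": "RCPT",
        "protocol_name": fields["protocol_name"],
        "client_address": fields["client_address"],
        "client_name": fields["client_name"],
        "reverse_client_name": fields["client_name"],
        "helo_name": fields["helo_name"],
        "sender": fields["sender"],
        "recipient": fields["recipient"],
    }
    return "".join(f"{k}={v}\n" for k, v in attrs.items()).encode() + b"\n"


def parse_policy_response(raw):
    """Decode the daemon's reply ('action=...' plus any extra name=value lines)."""
    out = {}
    for line in raw.decode(errors="replace").split("\n"):
        if "=" in line:
            k, v = line.split("=", 1)
            out[k] = v
    return out


def query_policy_service(fields, host="127.0.0.1", port=12525, timeout=10):
    """Replay the attributes against the policy daemon and return its parsed reply (needs the host)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_policy_request(fields))
        buf = b""
        while not buf.endswith(b"\n\n"):  # reply ends with an empty line
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_policy_response(buf)


if __name__ == "__main__":
    fields = parse_reject_line(SAMPLE_REJECT_LINE)
    print(fields, "cache reject:", is_cache_reject(fields))
    # print(query_policy_service(fields))  # run on the mail host itself
```

If the replay returns a DUNNO or a scored 550 while smtpd keeps logging the cache message, the cache daemon (the one that fails on $SPATH in the policyd-weight log above) is the part to chase, not the DNSBL scoring.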

Post by sethiel »

Isn't this perhaps something to do with permissions?
The cache_query function cannot create the directory and bails out saying that the directory it needs in the condition does not exist.

Post by LordRuthwen »

I know that, but the owner of the directory is the user that policyd runs as.
The permissions granted on the directories include write, so in theory it should work, but it does not want to.

Post by sethiel »

Code:

   $LOCKPATH          = '/var/run/policyd-weight/';    # must be a directory (add
                                                    # trailing slash)
   $SPATH             = $LOCKPATH.'/polw.sock';
Here -> // <- is a bug, to my eye. $PATH after substituting the value:

Code:

$PATH = /var/run/policyd-weight//polw.sock

Post by LordRuthwen »

Unfortunately that is not it, it still spits out that error in the logs.