Score:3

Postfix doesn't queue outgoing email, but all settings are default. Why?

I've set up a mailserver with Postfix, Roundcube and Dovecot. All works well - almost.

In my country there's a popular free email service by the name of inbox.lv. And they have an anti-spam rule set up that when a new server tries to send emails to them, they first greylist it for 10 minutes and require the server to re-send the email. Fair enough.

However when using Postfix to send outgoing emails (either from Roundcube or Thunderbird) it doesn't queue the message. Instead it immediately returns with an error. There's also a log entry (newlines/spacing added by me for legibility; IP and email addresses redacted for privacy):

May 31 23:17:18 21 postfix/smtpd[24814]: NOQUEUE: reject: RCPT from unknown[MY.IP.ADDRESS.HERE]: 
    450 4.1.1 <[email protected]>: Recipient address rejected: unverified address:
    host mx1.inbox.lv[194.152.32.74] said: 450 4.7.1 <unknown[SERVER.IP.ADDRESS.HERE]>:
    Client host rejected: greylisted, please retry in 597 seconds (in reply to RCPT TO command);
    from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.1.216]>

All the queue settings are left at defaults. Postfix version is 2.10.1.

Why is this happening and how can I make Postfix queue the messages and retry in 10 minutes?

Added: Postfix config (anonymized):

[root@myserver etc]# postconf mail_version
mail_version = 2.10.1

[root@myserver etc]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 100000000
milter_default_action = accept
mydestination = localhost
mydomain = mydomain.lv
myhostname = mydomain.lv
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = reject_unverified_recipient
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.lv/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.lv/privkey.pem
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_mailbox_domains = d1.lv d2.lv d3.lv d4.lv
virtual_mailbox_limit = 0
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp

[root@myserver etc]# postconf -M
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
smtps      inet  n       -       n       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
[root@myserver etc]#
anx
If that isn't a copying error, there is something *very* wrong with your postfix version. I do not think there is a properly maintained 2.10 series distribution out there. If you are setting up something new, start with a modern distribution. If you are making changes to an old system, look for what sort of maintenance it currently receives and plan for a migration to much more modern versions now.
Vilx-
@anx I'm running Centos 7 and that's the latest official one they have...
Vilx-
@anx I just checked the version history and... oh my... I'll see about upgrading asap.
Score:4
anx

You configured postfix to connect to remote destinations to ask them about recipients - as a requisite before you accept anything into your local queue.

smtpd_recipient_restrictions = reject_unverified_recipient

On a general purpose mail server, this is inappropriate for anything but domains under your control or with whose operators you have an agreement.

Asking remote servers for whether they have certain users without delivering mails will make quite a number of servers stop wanting to interact with you. Before knowing what you will send, they cannot easily tell whether you are a spammer trying to wash a list of his next victims or someone intending to deliver mail.

The simplest change to address that concern and solve your original problem:

smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, reject_unverified_recipient

Because the restrictions are processed in the order specified, this exempts your authenticated users and unrelated relay requests (which are rejected anyway). This way you can still enforce reject_unverified_recipient on incoming messages (where dovecot will presumably confirm addresses without delay), but without nagging remote servers about recipients for which you do not yet have any mail. You have to get more complex than this, though, if you want the feature also enabled for your users writing messages to each other. The ADDRESS_VERIFICATION_README file in your postfix documentation is a bit old, but should still give you a general overview.


I generally recommend using the master.cf (which comes with suitable templates, at least in more recent times) to set up partially separated smtpd instances, one on port 25 for general internet use, one on port 465 for mandatory-authenticated user submissions. That way you can, in a reasonably maintainable fashion, enforce different rules on a per-service basis, further easing the task of treating relay traffic differently from incoming traffic.

Vilx-
Hmm... so, my situation is a fairly standard one: the server will host emails for several domains (d1.lv, d2.lv, etc). For my users it will be both the incoming and outgoing mail server (POP3/IMAP via Dovecot; SMTP via postfix). For other people it will be the target mail server for those domains. Obviously I don't want an open relay. So... when a connection is incoming, Postfix should do one of two things - if the user authenticated, then it will allow relaying to any domain (plus queue and retry). It will even run opendkim on the email. [Contd.]
Vilx-
Bonus points if it limits [FROM] address to the authenticated user. If, on the other hand, the incoming connection does not authenticate, it should only allow emails for one of the existing mailboxes. That means it should check against Dovecot that the target mailbox exists. I suppose that merely checking the domain part would also be acceptable if nothing else, but I'd prefer checking the whole address. If `reject_unverified_recipient` isn't the way to go, then what is the correct way of achieving this?
anx
@Vilx- Go with the fairly standard route, then. I generally recommend using the master.cf (which comes with suitable templates, at least in more recent times) to set up partially separated smtpd instances, one on port 25 for general internet use, one on port 465 for mandatory-authenticated user submissions. That way you can, in a reasonably maintainable fashion, enforce different rules on a per-service basis, further easing the task of treating relay traffic differently from incoming traffic.
Vilx-
Sounds like good idea. I came up with another one - what if I changed it to `smtpd_recipient_restrictions = permit_sasl_authenticated reject_unverified_recipient`? Would that do the trick?
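As an added example (not the asker's configuration and not code from the answer), here is one way to implement the split the answer recommends on Postfix 2.10, and at the same time the sender-address binding asked about in the comments. Port 25 keeps reject_unverified_recipient, but only reaches it for domains this server hosts, so verification probes go to Dovecot over LMTP and never to a remote MX; the submission and smtps services require SASL authentication, never verify anything, and refuse a MAIL FROM that the authenticated login does not own. The file /etc/postfix/sender_login_maps and the address in it are assumptions; the -o override values in master.cf must not contain whitespace, which is why the restriction lists there are comma-separated without spaces.

```ini
# /etc/postfix/main.cf -- settings that apply to the public MX on port 25
# (added example; the submission/smtps services below override them)
smtpd_sasl_auth_enable = no            ; no AUTH offered on port 25; clients use 465/587
smtpd_tls_security_level = may
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unverified_recipient
; reject_unverified_recipient is evaluated only after relay attempts have been
; refused, so the remaining recipients are in $virtual_mailbox_domains and are
; probed via virtual_transport (Dovecot LMTP). 450 is the Postfix default; move
; to 550 only after the logs show verification working reliably.
unverified_recipient_reject_code = 450

# /etc/postfix/master.cf -- one smtpd per role
# service    type  private unpriv  chroot  wakeup  maxproc command
smtp         inet  n       -       n       -       -       smtpd
submission   inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/sender_login_maps
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o milter_macro_daemon_name=ORIGINATING
smtps        inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/sender_login_maps
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o milter_macro_daemon_name=ORIGINATING

# /etc/postfix/sender_login_maps -- MAIL FROM address -> SASL login that owns it
# (hypothetical entry; run "postmap /etc/postfix/sender_login_maps" after editing)
user@d1.lv    user@d1.lv
```

With this layout an authenticated user's message to a greylisting host such as inbox.lv is accepted into the queue immediately (permit_sasl_authenticated matches first, so no probe is made) and the 450 from the remote MX is handled by the queue manager's normal retry schedule. An unauthenticated connection on port 25 can only deliver to a hosted domain, and only to a recipient Dovecot confirms. Two practical checks: point Roundcube at the submission service with authentication rather than at port 25, and if the Dovecot user list is available as a lookup table, setting virtual_mailbox_maps lets Postfix reject unknown local recipients itself without any LMTP probe; that last option is not discussed in the thread.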