1. postfix - configure

 Last updated: 2018-09-27

 

Contents

  • master.cf and main.cf
  • Setting the HELO name
  • Storing mail in a maildir
  • Soft Bounce
  • SMTP Status Code
  • Some common commands
  • Mail Queue (postqueue)
  • Managing mail in the queue (postsuper)
  • Tuning
  • Anti-Spam & Virus
  • Log
  • Pitfalls
  • Maps available on Debian
  • Banner
  • Postfix MySQL client configuration
  • Client IP to DNS lookup
  • Debug
  • Postfix without TCP wrappers
  • bounce_queue_lifetime
  • Timeout setting
  • Does not resolve to address
  • Duplicate (enable_original_recipient)
  • DNS lookup
  • mailbox_command
  • postfix using a sub-interface IP to send out mail
  • reject_unknown_X
  • defer_if_permit
  • smtpd_client_connection_count_limit
  • chroot
  • delay_warning_time
  • Domain not found
  • Limiting how many To, Cc, Bcc recipients one message may have
  • Troubleshoot

 


master.cf 與 main.cf

 

Postfix configuration files

  • master.cf             <== defines how the smtp, pickup, qmgr, ... services are run (the listening ports are opened by the "master" daemon, not by the services themselves)
service type  private unpriv  chroot  wakeup  maxproc command + args
              (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
bounce    unix  -       -       n       -       0       bounce
dovecot   unix  -       n       n       -       -       pipe
  • main.cf        <==   Postfix parameter values

 

"-o" in master.cf

A "-o" argument in master.cf is split on whitespace, so an option value must not contain spaces: everything after the first space is handed to the daemon as a separate argument instead of being part of the value. A value that needs spaces (a restriction list, for example) is defined as a parameter in main.cf and referenced from master.cf with ${name}:

main.cf:

2025_smtpd_client_restrictions =
        check_client_access hash:/etc/postfix/printer_access

master.cf

2025      inet  n       -       n       -       -     smtpd
      -o cleanup_service_name=pre-cleanup
      -o message_size_limit=10240000
      -o smtpd_client_restrictions=${2025_smtpd_client_restrictions}
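The parser below is an added example (not Postfix code and not from these notes) that reads a master.cf in the format shown above and reports, per service, its "-o" overrides, flagging any "-o" value that contains whitespace, and lists which inet services accept connections from the network rather than from loopback. The master.cf text inside it is constructed for the demonstration, and the exposure check assumes inet_interfaces = all (the default), so a service name with no host part binds to every interface.

```python
"""Parse master.cf and report each service's listener and its "-o" overrides.

Added example (not Postfix code and not from these notes): the master.cf
text below is constructed. Two checks a reviewer wants: (1) "-o name=value"
lines whose value contains whitespace, which Postfix would split into a
stray argument, and (2) which "inet" services accept connections from the
network rather than from loopback only.
"""
from dataclasses import dataclass, field

SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
127.0.0.1:10025 inet n  -   -   -   -  smtpd
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
2025      inet  n       -       n       -       -     smtpd
  -o message_size_limit=10240000
  -o smtpd_client_restrictions=check_client_access hash:/etc/postfix/printer_access
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
"""

LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


@dataclass
class Service:
    name: str
    kind: str          # inet, unix, fifo, pass
    private: str
    unpriv: str
    chroot: str
    wakeup: str
    maxproc: str
    command: str
    overrides: dict = field(default_factory=dict)      # name -> value from "-o"
    bad_overrides: list = field(default_factory=list)  # "-o" values that contained spaces
    extra_args: list = field(default_factory=list)     # other continuation tokens


def parse_master_cf(text: str) -> list:
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # leading whitespace = continuation of the previous service entry
            if not services:
                raise ValueError("continuation line before any service line")
            svc = services[-1]
            tokens = raw.split()
            i = 0
            while i < len(tokens):
                if tokens[i] != "-o":
                    svc.extra_args.append(tokens[i])
                    i += 1
                    continue
                # what the admin intended is everything up to the next "-o";
                # Postfix itself only keeps the first token as the value
                j = i + 1
                while j < len(tokens) and tokens[j] != "-o":
                    j += 1
                intended = tokens[i + 1:j]
                if not intended or "=" not in intended[0]:
                    raise ValueError(f"malformed -o in service {svc.name}: {raw.strip()}")
                name, value = intended[0].split("=", 1)
                svc.overrides[name] = value
                if len(intended) > 1:
                    svc.bad_overrides.append(name)
                i = j
            continue
        cols = raw.split(None, 7)   # 7 fixed columns + "command + args"
        if len(cols) < 8:
            raise ValueError(f"short service line: {raw!r}")
        services.append(Service(*cols))
    return services


def network_listeners(services: list) -> list:
    """Names of inet services reachable from off-host.

    Assumes inet_interfaces = all (the default): a service name without a
    host part binds to every interface.
    """
    exposed = []
    for s in services:
        if s.kind != "inet":
            continue
        host = s.name.rsplit(":", 1)[0] if ":" in s.name else ""
        if host not in LOOPBACK:
            exposed.append(s.name)
    return exposed


if __name__ == "__main__":
    svcs = parse_master_cf(SAMPLE_MASTER_CF)
    for s in svcs:
        flag = " (BAD -o: %s)" % ",".join(s.bad_overrides) if s.bad_overrides else ""
        print(f"{s.name:16} {s.kind:5} chroot={s.chroot} maxproc={s.maxproc} -o={s.overrides}{flag}")
    print("network listeners:", network_listeners(svcs))
```

Run it against a copy of the real master.cf to find the "-o" line that silently lost its tail, and to confirm that only the services you expect (here smtp and the 2025 printer listener) are reachable from the network.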

 


Parameter

 

Comments

# This line is a comment.

Whitespace

By starting a line with whitespace, you tell Postfix that the line is a continuation of the previous line.

i.e.

mydestination = localhost
                datahunter.org
                mail.datahunter.org

Order

In a parameter's value the order of the keywords may matter (restriction lists, for example, are evaluated left to right):

parameter = A, B
parameter = B, A

dollar sign

A dollar sign directly followed by the name of a parameter expands to that parameter's value:

mydomain = example.com

myhostname = mail.example.com

mydestination = $myhostname, localhost.$mydomain, localhost

 


postconf (view and change parameter values)

 

# show the value currently in effect

postconf mydestination

mydestination = datahunter.org, mail.datahunter.org lamp, localhost.localdomain, localhost

# show the built-in default

postconf -d mydestination

mydestination = $myhostname, localhost.$mydomain, localhost

# change a value (postconf -e rewrites main.cf; run "postfix reload" afterwards so the running daemons pick it up)

$ postconf -e relay_domains=example.com

 


postfix (some common commands)

 

postfix [-D] [stop | start | reload | flush | check | abort | status]

check        # check directory/file ownership and permissions for errors

abort         # stop immediately

flush         # force delivery of every message currently in the queue

reload       # re-read the configuration files, i.e. /etc/postfix/main.cf and master.cf

-D             # Run each Postfix daemon under control of a debugger

 


postmap

 

The postmap command compiles a text input file written by the user into the binary format (hash, btree, ...) that Postfix reads.

Remember to re-run postmap after editing the file: Postfix reads the compiled .db file, not the text file.

# list the supported map types

postconf -m

btree
cidr
environ
hash
ldap
mysql
nis
pcre
proxy
regexp
static
unix

 


master file

 

Always running (process list):

/usr/lib/postfix/master

pickup -l -t fifo -u -c
qmgr -l -t fifo -u

 


Status

 

postfix status

postfix/postfix-script: the Postfix mail system is running: PID: 28661

 

 


Domain names for outgoing/incoming mail

 

# affects how Postfix transforms hostnames that are not fully qualified
# Default: $myhostname minus the first component, or "localdomain"

mydomain = example.com

# the name announced when greeting a client and when the SMTP client says HELO
# By default myhostname is the fully-qualified hostname of the box (lamp.localdomain here)

myhostname =

# used to qualify e-mail addresses that have no domain part at all
# By default, myorigin = $myhostname

myorigin = $myhostname

# domains that are considered local (delivered by local(8))
# By default mydestination = $myhostname, localhost.$mydomain, localhost

mydestination =

# whether "@$myorigin" is appended to addresses without a domain. Default: yes

append_at_myorigin = yes

 


Setting the HELO name

 

The name the Postfix SMTP client uses in HELO/EHLO when sending mail (it should match the forward and reverse DNS of the sending IP, otherwise receiving servers that check it will defer or reject):

smtp_helo_name = $myhostname

 


Storing mail in a maildir

 

home_mailbox (only affects delivery by local(8))

Default: empty (deliver to $mail_spool_directory)

Maildir

 *  a trailing "/" means qmail-style maildir delivery

home_mailbox = Mailbox

becomes

home_mailbox = Maildir/

log

Oct 26 10:35:26 c1383 postfix/local[31423]: 4F5F940D73DE: to=<x@y>, 
  relay=local, delay=0.56, delays=0.52/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to maildir)

Dovecot

Dovecot 2

Basic

mail_location = maildir:~/Maildir

Adv.

# %h - home directory (%Lh lowercases it)
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/

 


Soft Bounce

 

soft_bounce = no    <-- default; set to "yes" to report every 5xx (permanent) error as a 4xx (temporary) one, so mail is deferred instead of bounced. Useful while testing a new configuration; do not leave it on in production, because rejected mail then stays in the sender's queue until it expires.

 

SMTP Status Code

 

4XX         # temporary failure: the sender will retry ( soft bounce )
5xx          # permanent failure: the sender will not retry

4XX

  • 421 Service not available, closing transmission channel (This may be a reply to any command if the service knows it must shut down)
  • 432 4.7.12 A password transition is needed [3]
  • 450 Requested mail action not taken: mailbox unavailable (e.g., mailbox busy or temporarily blocked for policy reasons)
  • 451 Requested action aborted: local error in processing
  • 451 4.4.1 IMAP server unavailable [4]
  • 452 Requested action not taken: insufficient system storage
  • 454 4.7.0 Temporary authentication failure [3]
  • 455 Server unable to accommodate parameters

5XX

  • 500 Syntax error, command unrecognized
    (This may include errors such as command line too long)
  • 500 5.5.6 Authentication Exchange line is too long
  • 501 Syntax error in parameters or arguments
  • 501 5.5.2 Cannot Base64-decode Client responses
  • 501 5.7.0 Client initiated Authentication Exchange
    (only when the SASL mechanism specified that client does not begin the authentication exchange)
  • 502 Command not implemented
  • 503 Bad sequence of commands
  • 504 Command parameter is not implemented
  • 504 5.5.4 Unrecognized authentication type
  • 521 Server does not accept mail
  • 523 Encryption Needed
  • 530 5.7.0 Authentication required
  • 534 5.7.9 Authentication mechanism is too weak
  • 535 5.7.8 Authentication credentials invalid
  • 538 5.7.11 Encryption required for requested authentication mechanism
  • 550 Requested action not taken: mailbox unavailable
    (e.g., mailbox not found, no access, or command rejected for policy reasons)
  • 551 User not local; please try <forward-path>
  • 552 Requested mail action aborted: exceeded storage allocation
  • 553 Requested action not taken: mailbox name not allowed
  • 554 Transaction has failed (Or, in the case of a connection-opening response, "No SMTP service here")
  • 554 5.3.4 Message too big for system
  • 556 Domain does not accept mail

 


Other settings

 

inet_protocols = ipv4  <-- the default is all

in_flow_delay = 1s <-- pause before accepting a new message when mail arrives faster than it can be delivered, default: 1s

header_checks = regexp:/etc/postfix/header_checks

smtpd_banner = $myhostname ESMTP $mail_name

smtpd_use_tls = no     <-- obsolete; on Postfix 2.3 and later use smtpd_tls_security_level (none / may / encrypt) instead

 

SASL Login:

smtpd_sasl_auth_enable = yes

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

 

Delivery agents for different IMAP servers:

virtual_transport = dovecot

dovecot_destination_recipient_limit = 1

maildrop_destination_concurrency_limit = 1

maildrop_destination_recipient_limit = 1

 


mail size

 

Per-message size limit:

# Unit: bytes

# 15 Mbyte
message_size_limit = 15728640

When a message is over the limit the log shows

... warning: Mail-ID: queue file size limit exceeded

# the size the server supports is only shown in the reply to "ehlo HELLO_NAME"

The SMTP server can inform the client what the maximum message size is

C: ehlo mail.datahunter.org
S: ...
S: 250-SIZE 52428800
S: ...

A client whose message is larger than the advertised SIZE simply drops the connection.

# Server Log

... postfix/smtpd[3182]: connect from unknown[R.R.R.R]
# looks exactly like a client-side process that was killed
... postfix/smtpd[3182]: lost connection after EHLO from unknown[R.R.R.R]
... postfix/smtpd[3182]: disconnect from unknown[R.R.R.R]

Because the client never reached MAIL FROM / RCPT TO, the server cannot tell who was sending to whom

 * a client that sends QUIT does not produce the "... lost connection after ..." line

Workaround: smtpd_discard_ehlo_keywords (drop the SIZE keyword from the EHLO reply; the client then sends the message and the oversize rejection is logged with sender and recipient)

SIZE

15 Mbytes of attachment data become roughly 21 Mbytes of EML once base64-encoded (4/3 expansion plus line breaks and headers)

So if 15 MB mail must get through, setting the limit to 22 MB is safer
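To turn the "15 MB becomes about 21 MB" rule of thumb into numbers you can set, here is an added example (not Postfix code and not from these notes). It models one base64 body part as RFC 2045 encodes it (76-character lines ending in CRLF) and answers both questions an operator asks: how large a message_size_limit a given attachment needs, and the largest attachment a given limit still admits. HEADER_OVERHEAD is an assumed allowance for headers and MIME boundaries.

```python
"""Estimate what message_size_limit must be for an attachment of a given size.

Added example, not from these notes or from Postfix. It models a single
base64 body part per RFC 2045 (76-character lines, CRLF line ends);
HEADER_OVERHEAD is an assumed allowance for headers and MIME boundaries.
"""
import math

HEADER_OVERHEAD = 4096  # assumption: bytes for headers + MIME boundaries


def base64_wire_size(payload_bytes: int, line_len: int = 76) -> int:
    """Bytes a base64-encoded body occupies on the wire, CRLF per line included."""
    chars = math.ceil(payload_bytes / 3) * 4
    lines = math.ceil(chars / line_len)
    return chars + 2 * lines


def message_wire_size(attachment_bytes: int, header_overhead: int = HEADER_OVERHEAD) -> int:
    """Size smtpd counts against message_size_limit for one attachment."""
    return header_overhead + base64_wire_size(attachment_bytes)


def max_attachment_for_limit(message_size_limit: int, header_overhead: int = HEADER_OVERHEAD) -> int:
    """Largest attachment (raw bytes) whose message still fits the limit.

    base64_wire_size is monotonic in the payload size, so a binary search
    over the payload is exact.
    """
    lo, hi = 0, message_size_limit
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if message_wire_size(mid, header_overhead) <= message_size_limit:
            lo = mid
        else:
            hi = mid - 1
    return lo


def suggested_limit(attachment_bytes: int, slack: float = 0.02) -> int:
    """message_size_limit that admits attachment_bytes, plus a small margin."""
    return int(message_wire_size(attachment_bytes) * (1 + slack))


if __name__ == "__main__":
    MiB = 1024 * 1024
    print(f"15 MiB attachment -> {message_wire_size(15 * MiB) / MiB:.2f} MiB on the wire")
    print(f"message_size_limit = 15728640 admits at most {max_attachment_for_limit(15728640) / MiB:.2f} MiB")
    print(f"suggested limit for 15 MiB attachments: {suggested_limit(15 * MiB)}")
```

With message_size_limit = 15728640 the largest attachment that gets through is a little under 11 MiB, which is the gap the note above is warning about.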

SMTP SIZE command

The client can inform the SMTP server of the (estimated) size of the e-mail message that will be sent.

Simulating an oversize message

C: MAIL FROM:<[email protected]> SIZE=52428801

S: 552 5.3.4 Message size exceeds fixed limit

mail.log

May 28 13:21:15 sf3 postfix/smtpd[29539]: NOQUEUE: reject:
 MAIL from unknown[n.n.n.n]: 552 5.3.4 
 Message size exceeds fixed limit; proto=ESMTP helo=<mail.datahunter.org>

 


postqueue (Mail Queue)

 

For a high-volume mail server the mail queue is the heart of the system.

Most mail servers today host several e-mail domains, so the queue matters even more.

Every Postfix queue is a directory under /var/spool/postfix

  • incoming <-- newly arrived mail, moved to the active queue shortly
  • active     <-- mail that is about to be delivered
  • deferred <-- mail waiting for a retry
  • maildrop <-- mail submitted locally with the sendmail(1)/postdrop(1) command
  • hold  <-- mail an administrator must release or delete by hand
  • corrupt <-- damaged queue files; use postcat to inspect their content

Inspect the queue:

mailq = postqueue -p

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
6CC4B4740BB4     9392 Sun Feb 12 18:18:25  <Sender>
            (temporary failure. Command output: maildrop: maildir over quota.)
                                         <Recipient>

remark

  • * after the queue ID means the message is in the active queue
  • ! means the message is in the hold queue

Show the content of a message in the queue:

postcat -q <queue id>

Retry all mail for one domain now

postqueue -s example.com

Retry one message now

postqueue -i queue_id

Retry all queued mail now

postfix flush = postqueue -f
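The listing format above is stable enough to script against. The following is an added example (not Postfix code and not from these notes) that parses "mailq" / "postqueue -p" output into records, selects messages by sender, queue status or deferral reason, and emits the queue-ID list that "postsuper -d -" reads from standard input. The queue listing inside it is constructed; in practice you pipe in the real output.

```python
"""Parse "mailq" / "postqueue -p" output and pick messages for postsuper.

Added example (not Postfix code and not from these notes); the queue
listing below is constructed. Deleting by hand from a busy queue usually
means "all deferred mail from this sender" or "everything on hold", which
is what the selection helper computes. postsuper -d reads queue IDs from
stdin when given "-" as the ID.
"""
import re

SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
6CC4B4740BB4     9392 Sun Feb 12 18:18:25  sender@example.org
            (temporary failure. Command output: maildrop: maildir over quota.)
                                         user@example.com
A1B2C3D4E5F6*    1234 Sun Feb 12 18:20:01  bulk@spammer.test
                                         victim1@example.com
                                         victim2@example.com
0123456789AB!     777 Sun Feb 12 18:21:13  ceo@example.com
                                         partner@example.net

-- 11 Kbytes in 3 Requests.
"""

# queue ID (hex, or mixed-case with enable_long_queue_ids), optional * / ! marker
ENTRY_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<mark>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)
MARKS = {"*": "active", "!": "hold", "": "deferred"}


def parse_mailq(text: str) -> list:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            continue  # header, footer ("-- N Kbytes in N Requests.") or blank
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "id": m["qid"], "status": MARKS[m["mark"]],
                "size": int(m["size"]), "arrival": m["arrival"],
                "sender": m["sender"], "reason": None, "recipients": [],
            })
            continue
        if not entries:
            raise ValueError(f"unexpected line before first entry: {line!r}")
        body = line.strip()
        if body.startswith("("):
            entries[-1]["reason"] = body.strip("()")   # deferral reason
        else:
            entries[-1]["recipients"].append(body)      # one recipient per line
    return entries


def select(entries: list, sender: str = None, status: str = None,
           reason_contains: str = None) -> list:
    """Queue IDs matching every given criterion."""
    out = []
    for e in entries:
        if sender is not None and e["sender"] != sender:
            continue
        if status is not None and e["status"] != status:
            continue
        if reason_contains is not None and reason_contains not in (e["reason"] or ""):
            continue
        out.append(e["id"])
    return out


def postsuper_stdin(queue_ids: list) -> str:
    """Input for:  postsuper -d - < ids.txt   (one queue ID per line)."""
    return "".join(f"{qid}\n" for qid in queue_ids)


if __name__ == "__main__":
    q = parse_mailq(SAMPLE_MAILQ)
    for e in q:
        print(e["id"], e["status"], e["size"], e["sender"], "->", ", ".join(e["recipients"]))
    print("on hold:", select(q, status="hold"))
    print("purge spammer:\n" + postsuper_stdin(select(q, sender="bulk@spammer.test")), end="")
```

Typical use: `postqueue -p | python3 queue.py` to produce the ID list, review it, then feed it to `postsuper -d -`; selecting on the sender lets you remove a spam run without touching the legitimate deferred mail around it.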

 


Managing mail in the queue (postsuper)

 

postsuper decides whether a message stays in or leaves the queue.

Without arguments it is equivalent to -s -p

-p    purge old temporary files left behind after a crash

-s    Structure check and structure repair (renames queue files whose name does not match their inode number)

-v     Enable verbose logging for debugging purposes.

Usage

postsuper -v

postsuper: name_mask: ipv4
postsuper: inet_addr_local: configured 2 IPv4 addresses
postsuper: queue: defer
postsuper: queue: bounce
postsuper: queue: maildrop
postsuper: queue: incoming
postsuper: queue: active
postsuper: queue: deferred
postsuper: queue: hold
postsuper: queue: flush

Delete one message from the queue

postsuper  -d <queue-id>       <--- default: hold, incoming, active and deferred

postsuper -d 6CC4B4740BB4
postsuper: 6CC4B4740BB4: removed
postsuper: Deleted: 1 message

Delete every message in the queue (or only in the named queue)

postsuper -d ALL [deferred]   <--- "ALL" must be written in upper case

Delete mail that has been undeliverable for more than one day

find /var/spool/postfix/deferred -type f -mtime +1 -exec rm -f  {} \;

(removing queue files behind Postfix's back is a last resort: prefer "postqueue -p" plus "postsuper -d", and run "postsuper -s" afterwards if you do delete files directly)

Put a message on hold (delivery is suspended)

postsuper -h <queue-id>

Release it from hold

postsuper -H <queue-id>

Requeue a message from the hold, incoming, active or deferred queue

postsuper -r <queue-id>

 


Postfix After-Queue Content Filter

 

mailq

704463219F8     1080 Mon Jan 25 11:00:14  nagios@myserver
                                                  (mail transport unavailable)
                                         admin@myserver

"mail transport unavailable" means the transport the message is bound to does not exist in master.cf. Which filter a queued message is bound to is recorded in the queue file:

postcat -q 704463219F8

.............
content_filter: amavis:[128.0.0.1]:10024
.............

Because the filter destination is fixed in the queue file, correcting content_filter in main.cf does not help the messages that are already queued: they have to be requeued so that a new queue file is written.

-r queue_id

Requeue the message with the named queue ID from  the  named  mail  queue(s)  
(default:  hold, incoming,  active  and  deferred).

A requeued message is moved to the maildrop queue, from where it is copied  by  the  pickup(8)
 and cleanup(8) daemons to a new queue file.

* The message is not subjected to the smtpd_milters or non_smtpd_milters settings.
* The  message  is  subjected  again to mail address rewriting and substitution.

Jan 25 16:05:49 mail postfix/postsuper[7773]: Requeued: 25 messages

Tuning

 

With the default settings, it is very likely that Postfix ends up like this !!!

 

 

Yes, the queue "blew up" ...

Lesson learned: the default settings are very resource-hungry ....

In the end, I think the better settings are

default_process_limit = 20

# the number of processes of each daemon that may run at the same time, default: 100
# the maxproc column in master.cf takes precedence for a given service

master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

 

Client-Error

smtpd_soft_error_limit = 5
# after a client has made 5 errors without delivering mail, smtpd starts slowing down its replies

smtpd_hard_error_limit = 10
# at 10 errors the connection is dropped

smtpd_error_sleep_time=1s
# once over the soft limit, every further error reply is delayed by 1 second

# "error" here means any rejected command: HELO, RCPT TO, ...
# (defaults: soft 10, hard 20, sleep 1s)

 

Deliver

default_destination_concurrency_limit = 5
# how many deliveries may run in parallel to the same destination (domain)
# counted per delivery, not per recipient

default_destination_recipient_limit = 5
# how many recipients may share one delivery (several "To:" addresses in the same domain)
# when a message has more, it is split into several deliveries

local_destination_concurrency_limit = 2 (default: 2)
local_destination_recipient_limit = 1 (default: 1)
# with recipient_limit = 1 every local recipient counts as its own destination,
# so this combination allows at most 2 parallel deliveries to the same local mailbox

 

Postfix retry period (resend mail)

 

# how long to keep retrying undelivered mail before giving up; 0 means a single attempt, no retry after a failure

maximal_queue_lifetime = 1h (Default: 5d)

bounce_queue_lifetime = 900s (Default: 5d)

# how often qmgr scans the deferred queue

# This parameter should be set less than or equal to $minimal_backoff_time.
# (600s here with minimal_backoff_time = 300s below means the first retry in practice waits for the next 600s scan)

queue_run_delay = 600s

# retries are spaced between min and max; the interval doubles after each failed attempt

maximal_backoff_time = 900s (default: 4000s)

minimal_backoff_time = 300s (default: 300s; 1000s before Postfix 2.4)

Warning:

warning: bounce_queue_lifetime is larger than maximal_queue_lifetime - adjusting bounce_queue_lifetime
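To see what these five parameters do together, here is an added example (not Postfix code and not from these notes) that prints the retry timeline they produce for a message whose every delivery attempt fails. It follows the documented behaviour (the interval doubles from minimal_backoff_time up to maximal_backoff_time, deferred mail is only picked up at the next queue_run_delay scan, mail older than maximal_queue_lifetime is returned) and reproduces the bounce_queue_lifetime adjustment behind the warning above; it deliberately ignores the queue manager's per-site concurrency and dead-site logic, so treat it as a model, not a simulator.

```python
"""Model the retry timeline that the backoff and lifetime parameters produce.

Added example, not Postfix code and not from these notes. It follows the
documented behaviour (retry interval doubles from minimal_backoff_time up
to maximal_backoff_time; deferred mail is only noticed at the next
queue_run_delay scan; mail older than maximal_queue_lifetime is bounced)
but is a simplification: the real queue manager also applies per-site
concurrency and "dead site" logic that is ignored here.
"""
import math

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value: str, default_unit: str = "s") -> int:
    """Postfix time syntax: an integer with an optional s/m/h/d/w suffix."""
    value = value.strip()
    unit = value[-1] if value[-1] in UNITS else default_unit
    number = value[:-1] if value[-1] in UNITS else value
    return int(number) * UNITS[unit]


def effective_lifetimes(maximal_queue_lifetime: str, bounce_queue_lifetime: str):
    """Apply the adjustment Postfix warns about in the log."""
    mql = parse_time(maximal_queue_lifetime, "d")
    bql = parse_time(bounce_queue_lifetime, "d")
    warning = None
    if bql > mql:
        warning = ("bounce_queue_lifetime is larger than maximal_queue_lifetime"
                   " - adjusting bounce_queue_lifetime")
        bql = mql
    return mql, bql, warning


def retry_schedule(minimal_backoff_time: str, maximal_backoff_time: str,
                   queue_run_delay: str, maximal_queue_lifetime: str):
    """Seconds after arrival at which delivery is attempted, assuming every
    attempt fails, and the time at which the message is bounced."""
    min_b = parse_time(minimal_backoff_time)
    max_b = parse_time(maximal_backoff_time)
    scan = parse_time(queue_run_delay)
    lifetime = parse_time(maximal_queue_lifetime, "d")
    attempts = [0]   # first attempt as soon as the message reaches the active queue
    backoff = min_b
    now = 0
    while True:
        due = now + backoff
        # the deferred queue is only scanned every queue_run_delay seconds
        due = math.ceil(due / scan) * scan
        if due >= lifetime:
            return attempts, due   # expired at this scan: returned as undeliverable
        attempts.append(due)
        now = due
        backoff = min(backoff * 2, max_b)


if __name__ == "__main__":
    # the values from this section
    tries, bounced_at = retry_schedule("300s", "900s", "600s", "1h")
    print("attempts at (s):", tries, "bounced at (s):", bounced_at)
    print(effective_lifetimes("1h", "900s"))
    print(effective_lifetimes("1h", "4h"))
```

With the settings from this section the message is tried at 0, 600, 1200 and 2400 seconds and returned at the one-hour scan: four attempts in total, and the 300s minimal backoff never takes effect because queue_run_delay is twice as long.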

 



Anti-Spam & Virus

 

Disabling the Amavisd that ISPConfig set up:

# transport:destination
# this filter runs after access(5), header_checks(5) and body_checks(5)
#content_filter = amavis:[127.0.0.1]:10024

# default: empty, controls what the cleanup service does with the message
#receive_override_options = no_address_mappings

The options are:

  • no_unknown_recipient_checks
  • no_address_mappings (virtual alias map, BCC)
  • no_header_body_checks
  • no_milters (Disable Milter (mail filter))

# set in main.cf when using a BEFORE-queue content filter

# with an AFTER-queue content filter set it in master.cf, on the smtpd that receives the filtered mail back

Example: AFTER content filter

127.0.0.1:10025 inet n  -   -   -   -  smtpd
  .............
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

The following settings

main.cf: content_filter = smtp-amavis:[127.0.0.1]:10024
amavisd.conf: $forward_method = 'smtp:[127.0.0.1]:10025';

produce this kind of log

Feb  5 12:28:43 mail postfix/smtp[3310]: F217042105: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, 
delay=0.45, delays=0.08/0.02/0/0.35, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3C9864210B)

 

If per-user filtering is not used, the following setting is recommended for better performance and easier alias debugging (no_address_mappings goes in main.cf: aliases are then expanded only once, on re-injection after the filter, so the filter sees the original recipients and scans the message once)

master.cf

127.0.0.1:10025 inet n  -   -   -   -  smtpd
    .............
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

main.cf

receive_override_options=no_address_mappings

log

the first pass enters as C82793FCE6, the second pass (re-injected from the filter) as 058163FDB1

.........
Feb  5 15:46:40 mail postfix/smtpd[4488]: C82793FCE6: client=unknown[1.2.3.4]
Feb  5 15:46:40 mail postfix/cleanup[4495]: C82793FCE6: message-id=<[email protected]>
Feb  5 15:46:40 mail postfix/qmgr[4486]: C82793FCE6: from=<[email protected]>, size=1936, nrcpt=1 (queue active)
.........
Feb  5 15:46:41 mail postfix/smtp[4496]: C82793FCE6: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, 
delay=0.36, delays=0.08/0.01/0/0.26, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 058163FDB1)
Feb  5 15:46:41 mail postfix/qmgr[4486]: C82793FCE6: removed
Feb  5 15:46:41 mail postfix/pipe[4500]: 058163FDB1: to=<[email protected]>, relay=dovecot, 
delay=0.31, delays=0.06/0.02/0/0.23, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb  5 15:46:41 mail postfix/pipe[4501]: 058163FDB1: to=<[email protected]>, relay=dovecot, 
delay=0.39, delays=0.06/0.04/0/0.3, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb  5 15:46:41 mail postfix/pipe[4503]: 058163FDB1: to=<[email protected]>, relay=dovecot, 
delay=0.39, delays=0.06/0.06/0/0.27, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb  5 15:46:41 mail postfix/qmgr[4486]: 058163FDB1: removed
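Because every filtered message gets two queue IDs, grepping the log for the first one never shows the final delivery. The following is an added example (not Postfix code and not from these notes) that indexes log lines of the shape shown above by queue ID, follows the "queued as" hand-off from the first pass to the re-injected one, and reports the final per-recipient status; it also finds the queue ID from a Message-ID. The log lines inside it are constructed with example.com addresses.

```python
"""Follow a message through an after-queue content filter in the mail log.

Added example (not Postfix code, not from these notes); the log lines are
constructed to match the shape of the log above. With an after-queue
filter every message gets two queue IDs: the first smtpd/cleanup pass,
then the re-injection on port 10025 that appears as "queued as <ID>" in
the first pass's status. This joins the two.
"""
import re

SAMPLE_LOG = """\
Feb  5 15:46:40 mail postfix/smtpd[4488]: C82793FCE6: client=unknown[192.0.2.10]
Feb  5 15:46:40 mail postfix/cleanup[4495]: C82793FCE6: message-id=<abc123@sender.example>
Feb  5 15:46:40 mail postfix/qmgr[4486]: C82793FCE6: from=<alice@sender.example>, size=1936, nrcpt=1 (queue active)
Feb  5 15:46:41 mail postfix/smtp[4496]: C82793FCE6: to=<all@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.36, delays=0.08/0.01/0/0.26, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 058163FDB1)
Feb  5 15:46:41 mail postfix/qmgr[4486]: C82793FCE6: removed
Feb  5 15:46:41 mail postfix/pipe[4500]: 058163FDB1: to=<admin@example.com>, orig_to=<all@example.com>, relay=dovecot, delay=0.31, delays=0.06/0.02/0/0.23, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb  5 15:46:41 mail postfix/pipe[4501]: 058163FDB1: to=<info@example.com>, orig_to=<all@example.com>, relay=dovecot, delay=0.39, delays=0.06/0.04/0/0.3, dsn=2.0.0, status=sent (delivered via dovecot service)
Feb  5 15:46:41 mail postfix/pipe[4503]: 058163FDB1: to=<bob@example.com>, orig_to=<all@example.com>, relay=dovecot, delay=0.39, delays=0.06/0.06/0/0.27, dsn=5.1.1, status=bounced (user unknown)
Feb  5 15:46:41 mail postfix/qmgr[4486]: 058163FDB1: removed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>[\w/-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")     # key=value or key=<value>
QUEUED_AS_RE = re.compile(r"queued as ([0-9A-Za-z]+)")


def parse_log(text: str) -> dict:
    """Index log lines by queue ID: message-id, deliveries, re-injections."""
    index = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qid"] == "NOQUEUE":
            continue
        rec = index.setdefault(m["qid"], {"message_id": None, "deliveries": [],
                                         "reinjected_as": []})
        fields = {k: v.strip("<>") for k, v in FIELD_RE.findall(m["rest"])}
        if "message-id" in fields:
            rec["message_id"] = fields["message-id"]
        if "status" in fields:
            q = QUEUED_AS_RE.search(m["rest"])
            rec["deliveries"].append({
                "to": fields.get("to"), "orig_to": fields.get("orig_to"),
                "relay": fields.get("relay"), "dsn": fields.get("dsn"),
                "status": fields["status"],
                "reinjected_as": q.group(1) if q else None,
            })
            if q:
                rec["reinjected_as"].append(q.group(1))
    return index


def trace(index: dict, qid: str) -> list:
    """Queue IDs a message passed through, in order, following "queued as"."""
    chain, seen, todo = [], set(), [qid]
    while todo:
        cur = todo.pop(0)
        if cur in seen or cur not in index:
            continue
        seen.add(cur)
        chain.append(cur)
        todo.extend(index[cur]["reinjected_as"])
    return chain


def final_deliveries(index: dict, qid: str) -> list:
    """Deliveries that did not hand the message to another queue ID."""
    return [d for hop in trace(index, qid)
            for d in index[hop]["deliveries"] if d["reinjected_as"] is None]


def find_by_message_id(index: dict, message_id: str) -> list:
    return [qid for qid, rec in index.items() if rec["message_id"] == message_id]


if __name__ == "__main__":
    idx = parse_log(SAMPLE_LOG)
    start = find_by_message_id(idx, "abc123@sender.example")[0]
    print("queue IDs:", trace(idx, start))
    for d in final_deliveries(idx, start):
        print(f"  {d['to']} (orig_to={d['orig_to']}) {d['status']} dsn={d['dsn']}")
```

Feed it the real mail.log and a Message-ID from a user's complaint; the output is the complete delivery record, including the per-recipient bounce that a grep on the first queue ID would miss.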

Postfix "message-id" format (msgid)

  • A message-id is assigned by the MUA, or by Postfix if the message does not have one.
  • The message-id is in the header of the email.
  • An email header also carries the original email's message-id (In-Reply-To / References) if it is a reply.
  • The postfix queue ID is NOT in the header of the email.

Postfix generates it as: <GMT timestamp.queue ID assigned by the first Postfix hop@hostname of that hop>

telnet -> mx1 server -> mail server

If the upstream is a telnet session (no Message-ID header), the downstream server receives the queue ID assigned by mx1 in the message-id

i.e.

# log on the server that finally receives the mail

... mail postfix/cleanup[7495]: 9DDFF20CB7: message-id=<20220616090504[email protected]>

EML when the MUA (telnet) did not supply a msgid

...
Message-Id: <20220616090504[email protected]>

EML when the MUA (Thunderbird) did supply a message-id

Message-ID: <UUID@DOMAIN>

 


Limiting parallel deliveries to a transport from main.cf (instead of maxproc in master.cf)

 

amavis_destination_concurrency_limit = 2

 


Log

 

helo msg

mail.warn contains

Dec 16 20:37:19 vps2 postfix/smtpd[22342]: warning: x.x.x.x: address not listed for hostname x.y.z

This is harmless: the PTR record of x.x.x.x points at x.y.z, but the A record of x.y.z does not contain x.x.x.x (forward and reverse lookups do not match). Postfix then logs the client as "unknown". It is not about the HELO name.

log name

# A prefix that is prepended to the process name in syslog records,
# so that, for example, "smtpd" becomes "prefix/smtpd".

-o syslog_name=postfix/smtp-in

Oct  6 03:07:24 vm postfix/smtp-in/smtpd[29556]: disconnect from ....

 


Pitfalls

 

<1>

disable_dns_lookups=yes

With "yes", outgoing mail does not look up MX records: the recipient domain is resolved through the system resolver (A record / /etc/hosts) and the mail is sent straight to that IP. This parameter is deprecated; use smtp_dns_support_level and smtp_host_lookup instead.

<2>

Error: User unknown in local recipient table

Purpose: keeps undeliverable mail out of your queue (unknown local users are rejected at RCPT TO instead of being accepted and bounced later)

  • the local_recipient_maps parameter specifies lookup tables with all names or addresses of local recipients.
  • local: $mydestination, $inet_interfaces or $proxy_interfaces

Solutions:

turn off (Postfix then accepts mail for every local address, including non-existent users, and has to bounce it afterwards, which produces backscatter; only do this when the next hop knows the valid users)

/etc/postfix/main.cf:
    local_recipient_maps =

virtual

    local_transport = virtual
    local_recipient_maps = $virtual_mailbox_maps

 


Maps available on Debian

 

The available map types are configured in

/etc/postfix/dynamicmaps.cf

To use a mysql map, install postfix-mysql

# Postfix dynamic maps configuration file.
#
# The first match found is the one that is used.  Wildcards are not supported
# as of postfix 2.0.2
#
#type   location of .so file                    open function   (mkmap func)
#====   ================================        =============   ============
tcp     /usr/lib/postfix/dict_tcp.so            dict_tcp_open
mysql  /usr/lib/postfix/dict_mysql.so          dict_mysql_open

 


Banner

 

What is shown when connecting to port 25 with telnet

220 youhost.localdomain ESMTP Postfix (Debian/GNU)

Related settings:

  • myhostname
  • mydomain
  • smtpd_banner (default: $myhostname ESMTP $mail_name; keep $myhostname at the front, clients expect the greeting to start with the server name)

 


Postfix MySQL client configuration

 

man 5 mysql_table

 


Client IP to DNS lookup (smtpd_peername_lookup)

 

# lookup client hostname from IP->rdns, or return "unknown"
# Turning off name lookup reduces delays due to DNS lookup
# Default: yes
smtpd_peername_lookup = yes

 


Debug

 

# default: yes

smtpd_delay_reject = yes

Wait until the RCPT TO command before evaluating

$smtpd_client_restrictions, $smtpd_helo_restrictions and $smtpd_sender_restrictions,

i.e. the client is only blocked after it has sent "rcpt to", so the reject line in the log contains the sender and recipient (useful for debugging) and clients that do not expect an early rejection are handled correctly

 


Postfix without TCP wrappers

 

postfix is not linked against "libwrap", so /etc/hosts.allow and /etc/hosts.deny have no effect; use smtpd_client_restrictions instead

smtpd_client_restrictions (default: empty)

check_client_access                  # lookup by client hostname / IP address / network

permit_inet_interfaces              # Permit the request when the client IP address matches $inet_interfaces.

permit

reject                                         # Reject the request.
                                                      This restriction is useful at the end of a restriction list,
                                                               to make the default policy explicit.

/etc/postfix/main.cf:

smtpd_client_restrictions =
 check_client_access hash:/etc/postfix/access,
 permit_inet_interfaces,
 reject

/etc/postfix/access:

1.2.3   REJECT
1.2.3.4 OK

(the most specific key wins: 1.2.3.4 is looked up before 1.2.3, so 1.2.3.4 is allowed while the rest of 1.2.3.0/24 is rejected; run "postmap /etc/postfix/access" after editing)

When denied, the log shows

Apr 20 18:07:13 lxc postfix/smtpd[32294]: NOQUEUE: reject: RCPT from unknown[203.169.xxx.xxx]: 554 5.7.1 <unknown[203.169.xxx.xxx]>: Client host rejected: Access denied; from=<[email protected]> to=<root> proto=SMTP helo=<domain.net>

With smtpd_delay_reject = no, the client gets the following message as soon as it connects

554 5.7.1 <unknown[x.x.x.x]>: Client host rejected: Access denied
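The order in which check_client_access tries keys decides whether the two-line access table above does what you expect. The following is an added example (not Postfix code and not from these notes) that reproduces that lookup order for a hash: table (client hostname, then its parent domains, then the client IP, then the networks obtained by stripping trailing octets) and walks the restriction list from this section. The access table and the $inet_interfaces value inside it are constructed; a real deployment reads the .db file that postmap produces.

```python
"""Evaluate smtpd_client_restrictions the way this section configures it.

Added example, not Postfix code and not from these notes. It reproduces
the lookup order of check_client_access for a hash: table (client
hostname, then its parent domains, then the client IP, then the networks
obtained by stripping trailing octets) and walks the restriction list
check_client_access, permit_inet_interfaces, reject. The access table and
interface list are constructed.
"""

ACCESS_TABLE = {        # content of /etc/postfix/access after postmap (constructed)
    "1.2.3": "REJECT",
    "1.2.3.4": "OK",
    "spammer.example": "REJECT",
    "partner.example": "OK",
}
INET_INTERFACES = ["127.0.0.1", "192.0.2.25"]   # assumed value of $inet_interfaces


def access_lookup_keys(client_name: str, client_ip: str) -> list:
    """Keys tried, most specific first, for a hash: access map.

    Hostname keys assume the default parent_domain_matches_subdomains, which
    includes smtpd_access_maps: "example.com" matches "mail.example.com".
    """
    keys = []
    if client_name and client_name != "unknown":
        labels = client_name.split(".")
        for i in range(len(labels)):
            keys.append(".".join(labels[i:]))
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        keys.append(".".join(octets[:n]))
    return keys


def check_client_access(table: dict, client_name: str, client_ip: str):
    """(action, matched_key) for the first key found, else (None, None)."""
    for key in access_lookup_keys(client_name, client_ip):
        if key in table:
            return table[key].upper(), key
    return None, None


def evaluate(client_name: str, client_ip: str, table=ACCESS_TABLE,
             inet_interfaces=INET_INTERFACES) -> dict:
    """Walk: check_client_access hash:..., permit_inet_interfaces, reject."""
    denied = f"554 5.7.1 <{client_name}[{client_ip}]>: Client host rejected: Access denied"
    action, key = check_client_access(table, client_name, client_ip)
    if action == "OK":
        return {"action": "PERMIT", "by": f"check_client_access {key}"}
    if action == "REJECT":
        return {"action": "REJECT", "by": f"check_client_access {key}", "reply": denied}
    if client_ip in inet_interfaces:
        return {"action": "PERMIT", "by": "permit_inet_interfaces"}
    return {"action": "REJECT", "by": "reject", "reply": denied}


if __name__ == "__main__":
    for name, ip in [("unknown", "1.2.3.4"), ("unknown", "1.2.3.77"),
                     ("mx.partner.example", "203.0.113.9"), ("unknown", "127.0.0.1"),
                     ("relay.spammer.example", "1.2.3.4"), ("unknown", "198.51.100.5")]:
        print(f"{name}[{ip}] -> {evaluate(name, ip)}")
```

Note the last-but-one case: a hostname entry is consulted before any IP entry, so a client at 1.2.3.4 whose reverse name is under spammer.example is rejected even though its IP is whitelisted; if you want IP entries to win, put them in a separate cidr: table listed first.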

 


bounce_queue_lifetime

 

bounce_queue_lifetime (default: 5d)

The  maximal  time  a  'BOUNCE MESSAGE' is queued before it is considered undeliverable.

* Specify 0 when mail delivery should be tried only once.

# remember to set it on the MX server
# prevents the queue filling up with undeliverable "MAILER-DAEMON" messages (bounces to forged sender addresses)

bounce_queue_lifetime = 4h

 


Timeout setting

 

# default: 30s
# The Postfix SMTP client time limit for completing a TCP connection

smtp_connect_timeout = 5s

# HELO or EHLO

smtp_helo_timeout = 10s

# MAIL FROM

smtp_mail_timeout = 10s

# RCPT TO

smtp_rcpt_timeout = 10s

# The Postfix SMTP client time limit for sending the SMTP "."

smtp_data_done_timeout = 300s

# The time limit for sending a Postfix SMTP server response and for receiving a remote SMTP client request.

smtpd_timeout = 300s

 


Does not resolve to address

 

Seen in the log

Aug 20 10:50:55 vm postfix/smtpd[17223]: connect from unknown[202.180.164.xxx]
Aug 20 10:50:55 vm postfix/smtpd[17223]: lost connection after EHLO from unknown[202.180.164.xxx]
Aug 20 10:50:55 vm postfix/smtpd[17223]: disconnect from unknown[202.180.164.xxx]
Aug 20 10:50:55 vm postfix/smtpd[17223]: warning: hostname 164-xxx.static.onebb.com does not resolve to 
address 202.180.164.xxx: Name or service not known

The reason is that

host 202.180.164.xxx

resolves to

xxx.164.180.202.in-addr.arpa domain name pointer 164-xxx.static.onebb.com.

but

ping 164-xxx.static.onebb.com

gets no answer, or an address that does not match

The warning comes from

smtpd_peername_lookup (default: yes)

Attempt to look up the remote SMTP client hostname, and verify that the name matches the client IP address.

A client name is set to "unknown" when it cannot be looked up or verified, or when name lookup is disabled.

Turning off name lookup reduces delays due to DNS lookup and increases the maximal inbound delivery rate (but every client is then "unknown" to hostname-based restrictions such as reject_unknown_client_hostname and hostname entries in check_client_access tables).

 


Duplicate(enable_original_recipient)

 

enable_original_recipient (default: yes)

Enable support for the "X-Original-To" message header. This header is needed for multi-recipient mailboxes.

When this parameter is set to

yes:

the cleanup(8) daemon performs duplicate elimination on distinct pairs of (original recipient, rewritten recipient),

and generates non-empty original recipient queue file records.

no:

the cleanup(8) daemon performs duplicate elimination on the rewritten recipient address only,

and generates empty original recipient queue file records.

Example:

[Case 1]

u1@, u2@, u3@ -> datahunter@       # catchall / alias

Suppose someone sends one message to u1@, u2@, u3@,

enable_original_recipient

  • yes: datahunter@  # receives 3 copies (one queue ID, three distinct (original, rewritten) pairs)
  • no:  datahunter@  # receives only 1 copy

[Case 2]

Suppose there are two lists

  • all: admin@, info@
  • manager: admin@, postmaster@

With enable_original_recipient=yes (Default)

If someone sends to "all@" and "manager@", "admin" receives 2 mails

Feb  5 12:55:01 mail postfix/smtp[3624]: ED3343FCE6: 
 to=<[email protected]>, orig_to=<[email protected]>, 
 relay=127.0.0.1[127.0.0.1]:10024, delay=2, delays=1.3/0.02/0/0.67, dsn=2.0.0, 
 status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 908CA3FDB1)

"enable_original_recipient=no"

"admin" receives only 1 mail, but the useful "orig_to=" information is lost, and the log becomes

Feb  5 12:28:43 mail postfix/qmgr[1681]: F217042105:
 from=<[email protected]>, size=1936, nrcpt=3 (queue active)

Getting the missing "orig_to=" back

Method 1:

cleanup   unix  n       -       -       -       0       cleanup -v

far too much logging ...

Method 2:

main.cf:

smtpd_end_of_data_restrictions =
  check_sender_access static:WARN log_orig_to

log

Dec 28 15:07:39 mail postfix/smtpd[29519]: 0FB5F21A91:
 warn: END-OF-MESSAGE from unknown[r.r.r.r]: log_orig_to;
 from=<sender@from> to=<recipient@to> proto=ESMTP helo=<myserver>
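The two cases above come down to which key cleanup(8) de-duplicates on. The following is an added example (not Postfix code and not from these notes) that expands envelope recipients through a constructed virtual_alias_maps table, recursively as Postfix does, and then removes duplicates on (original recipient, rewritten recipient) when enable_original_recipient is yes, or on the rewritten recipient alone when it is no; it reproduces the 3-versus-1 copies of case 1 and the nrcpt=4 versus nrcpt=3 of case 2.

```python
"""Simulate cleanup(8) recipient duplicate elimination for the two cases above.

Added example, not Postfix code and not from these notes. VIRTUAL_ALIASES
is a constructed virtual_alias_maps table. Expansion is recursive (an
alias may point at another alias), and the final list is de-duplicated on
(original recipient, rewritten recipient) when enable_original_recipient
is yes, or on the rewritten recipient only when it is no.
"""

VIRTUAL_ALIASES = {
    # case 1: three addresses alias to one mailbox
    "u1@example.com": ["datahunter@example.com"],
    "u2@example.com": ["datahunter@example.com"],
    "u3@example.com": ["datahunter@example.com"],
    # case 2: two lists that overlap
    "all@example.com": ["admin@example.com", "info@example.com"],
    "manager@example.com": ["admin@example.com", "postmaster@example.com"],
}


def expand(address: str, aliases: dict, _path=frozenset()) -> list:
    """All final addresses an envelope recipient rewrites to.

    _path holds the aliases already expanded on this branch; an address that
    points back at itself is delivered as-is instead of looping forever.
    """
    if address in _path or address not in aliases:
        return [address]
    out = []
    for target in aliases[address]:
        out.extend(expand(target, aliases, _path | {address}))
    return out


def cleanup_recipients(envelope_rcpts: list, aliases: dict,
                       enable_original_recipient: bool = True) -> list:
    """(orig_to, to) pairs that end up in the queue file, in order."""
    pairs, seen = [], set()
    for orig in envelope_rcpts:
        for rewritten in expand(orig, aliases):
            key = (orig, rewritten) if enable_original_recipient else rewritten
            if key in seen:
                continue
            seen.add(key)
            pairs.append((orig, rewritten))
    return pairs


def deliveries_to(pairs: list, mailbox: str) -> int:
    """How many copies the mailbox receives from one message."""
    return sum(1 for _, to in pairs if to == mailbox)


if __name__ == "__main__":
    case1 = ["u1@example.com", "u2@example.com", "u3@example.com"]
    case2 = ["all@example.com", "manager@example.com"]
    for flag in (True, False):
        p1 = cleanup_recipients(case1, VIRTUAL_ALIASES, flag)
        p2 = cleanup_recipients(case2, VIRTUAL_ALIASES, flag)
        print(f"enable_original_recipient={'yes' if flag else 'no'}: "
              f"case1 datahunter gets {deliveries_to(p1, 'datahunter@example.com')}, "
              f"case2 nrcpt={len(p2)}, admin gets {deliveries_to(p2, 'admin@example.com')}")
```

The pairs returned with enable_original_recipient=yes are exactly the to=/orig_to= values the delivery log prints, which is why turning the option off makes orig_to= disappear: the queue file no longer records the original recipient.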

 


DNS lookup

 

# find all lookup-related settings

postconf | grep lookup

# deprecated, use smtp_dns_support_level instead
disable_dns_lookups = no

empty_address_relayhost_maps_lookup_key = <>
ignore_mx_lookup_error = no
lmtp_host_lookup = dns
smtp_host_lookup = dns
smtpd_null_access_lookup_key = <>
smtpd_peername_lookup = yes

<1> To have "/etc/hosts" consulted as well, use the following setting

# Default: smtp_host_lookup = dns
smtp_host_lookup=native,dns

OR

smtp_dns_support_level=disabled

* this disables MX lookups completely (mail is sent to the address the system resolver returns for the domain)

The better method is

to add to main.cf

transport_maps = hash:/etc/postfix/transport_maps

and in transport_maps add

server.domain            smtp:[192.168.0.2]:25

(the square brackets suppress the MX lookup for that destination only; run postmap on the file afterwards)

 


mailbox_command

 

mailbox_command (default: empty)

Optional external command that the local(8) delivery agent should use for mailbox delivery.

The command is run with the user ID and the primary group ID privileges of the recipient.

    Exception: command delivery for root executes with $default_privs privileges.

    This is not a problem, because 1) mail for root should always be aliased to a real user and 2) don't log in as root, use "su" instead.

The precedence of local(8) delivery features from high to low is:

  1. aliases
  2. .forward files
  3. mailbox_transport_maps
  4. mailbox_transport
  5. mailbox_command_maps
  6. mailbox_command
  7. home_mailbox
  8. mail_spool_directory
  9. fallback_transport_maps
  10. fallback_transport
  11. luser_relay

The following environment variables are exported to the command:

CLIENT_ADDRESS

Remote client network address. Available in Postfix version 2.2 and later.

CLIENT_HELO

Remote client EHLO command parameter. Available in Postfix version 2.2 and later.

CLIENT_HOSTNAME

Remote client hostname. Available in Postfix version 2.2 and later.

CLIENT_PROTOCOL

Remote client protocol. Available in Postfix version 2.2 and later.

DOMAIN

The domain part of the recipient address.

EXTENSION

The optional address extension.

HOME

The recipient home directory.

LOCAL

The recipient address localpart.

LOGNAME

The recipient's username.

ORIGINAL_RECIPIENT

The entire recipient address, before any address rewriting or aliasing.

RECIPIENT

The full recipient address.

SASL_METHOD

SASL authentication method specified in the remote client AUTH command. Available in Postfix version 2.2 and later.

SASL_SENDER

SASL sender address specified in the remote client MAIL FROM command. Available in Postfix version 2.2 and later.

SASL_USER

SASL username specified in the remote client AUTH command. Available in Postfix version 2.2 and later.

SENDER

The full sender address.

SHELL

The recipient's login shell.

USER

The recipient username.
 

Examples:

mailbox_command = /some/where/procmail
mailbox_command = /some/where/procmail -a "$EXTENSION"
mailbox_command = /some/where/maildrop -d "$USER" -f "$SENDER" "$EXTENSION"

Application: procmail

 


postfix using a sub-interface IP to send out mail

 

# this setting does not affect listening (that is controlled by inet_interfaces)

# incoming and outgoing traffic use different IPs

smtp      unix  -       -       n       -       -       smtp
        -o smtp_bind_address=192.168.8.3

(the PTR record of the bind address should match $smtp_helo_name, otherwise receiving servers see a mismatch)

 



reject_unknown_X

 

reject_unknown_reverse_client_hostname (ip -> ptr)

Reject the request when the client IP address has no address->name mapping.

This is a weaker restriction than the reject_unknown_client_hostname feature:

it only requires that the address->name mapping exists, not that the name maps back to the client IP

response code: unknown_client_reject_code (default: 450)

reject_unknown_client_hostname (ip -> ptr) & (ptr -> ip)

Reject the request when

1) the client IP address->name mapping fails,
2) the name->address mapping fails, or
3) the name->address mapping does not match the client IP address.

i.e. it requires that both mappings exist and that the two mappings reproduce the client IP address (forward-confirmed reverse DNS).

response code: unknown_client_reject_code (default: 450)

reject_unknown_recipient_domain

With this restriction, when a client sends mail and the recipient domain cannot be looked up, it gets "Domain not found"

Reject the request when Postfix is not the final destination for the recipient domain, and the RCPT TO domain has

1) no DNS MX and no DNS A record or

2) a malformed MX record such as a record with a zero-length MX hostname

The reply is specified with the "unknown_address_reject_code" (default: 450) and "unknown_address_tempfail_action" (default: defer_if_permit)

unknown_address_tempfail_action = $reject_tempfail_action

reject_tempfail_action = defer_if_permit

reject_unknown_sender_domain

Reject the request when Postfix is not the final destination for the sender address, and the MAIL FROM domain has

1) no DNS MX and no DNS A record, or

2) a malformed MX record such as a record with a zero-length MX hostname

reject_unknown_helo_hostname

Reject the request when the HELO or EHLO hostname has no DNS A or MX record.

* the HELO name is not checked against the client's PTR record

unknown_?_reject_code

# reply when the Postfix SMTP server rejects a sender or recipient address because its domain is unknown
# one of the possible replies from the restrictions reject_unknown_sender_domain and reject_unknown_recipient_domain

unknown_address_reject_code = 450

# reply when the hostname specified with the HELO or EHLO command
# is rejected by the reject_unknown_helo_hostname restriction (default: 450; 554 turns it into a permanent rejection)

unknown_hostname_reject_code = 554
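The difference between the reverse-only check and the full forward-confirmed check is easiest to see in code. The following is an added example (not Postfix code and not from these notes) that implements the four reject_unknown_* tests against a constructed in-memory resolver, using the reply codes set in this section (554 for the HELO check, the 450 defaults elsewhere). The reply texts follow the Postfix wording seen in these notes. Temporary DNS failures, which Postfix turns into a defer via the *_tempfail_action parameters, are out of scope: the mock resolver answers either with a record or with "no such record".

```python
"""The four reject_unknown_* checks against a mock resolver.

Added example, not Postfix code and not from these notes. The DNS data is
constructed; REPLY_CODES holds the reject codes this section sets
(unknown_hostname_reject_code = 554, the others at their 450 default).
Temporary DNS failures are out of scope: the resolver here answers "no
such record" or a record, never a timeout.
"""

PTR = {"192.0.2.10": "mail.good.example", "192.0.2.20": "mail.mismatch.example"}
A = {"mail.good.example": ["192.0.2.10"], "mail.mismatch.example": ["192.0.2.99"],
     "helo.good.example": ["198.51.100.7"], "aonly.example": ["203.0.113.3"]}
MX = {"good.example": ["mail.good.example"], "broken.example": [""]}  # "" = zero-length MX host

REPLY_CODES = {
    "unknown_client_reject_code": 450,
    "unknown_hostname_reject_code": 554,   # set to 554 in this section (default 450)
    "unknown_address_reject_code": 450,
}


class MockResolver:
    def __init__(self, ptr=PTR, a=A, mx=MX):
        self.ptr, self.a, self.mx = ptr, a, mx

    def reverse(self, ip):            # ip -> name, or None
        return self.ptr.get(ip)

    def forward(self, name):          # name -> [ips]
        return self.a.get(name, [])

    def mx_hosts(self, domain):       # domain -> [mx hostnames]
        return self.mx.get(domain, [])


def reject_unknown_reverse_client_hostname(ip, r):
    """Only requires that ip -> name exists."""
    if r.reverse(ip) is None:
        return (REPLY_CODES["unknown_client_reject_code"],
                f"Client host rejected: cannot find your reverse hostname, [{ip}]")
    return None


def reject_unknown_client_hostname(ip, r):
    """Requires ip -> name, name -> ips, and ip among those ips (FCrDNS)."""
    name = r.reverse(ip)
    if name is None or ip not in r.forward(name):
        return (REPLY_CODES["unknown_client_reject_code"],
                f"Client host rejected: cannot find your hostname, [{ip}]")
    return None


def _domain_has_mail_records(domain, r):
    """MX-or-A test; a zero-length MX hostname counts as malformed."""
    mx = r.mx_hosts(domain)
    if mx:
        return all(h != "" for h in mx)
    return bool(r.forward(domain))


def reject_unknown_helo_hostname(helo, r):
    if not _domain_has_mail_records(helo, r):
        return (REPLY_CODES["unknown_hostname_reject_code"],
                f"<{helo}>: Helo command rejected: Host not found")
    return None


def reject_unknown_address_domain(address, r, what="Sender"):
    """reject_unknown_sender_domain / reject_unknown_recipient_domain."""
    domain = address.rpartition("@")[2]
    if not _domain_has_mail_records(domain, r):
        return (REPLY_CODES["unknown_address_reject_code"],
                f"<{address}>: {what} address rejected: Domain not found")
    return None


if __name__ == "__main__":
    r = MockResolver()
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, "reverse:", reject_unknown_reverse_client_hostname(ip, r),
              "full:", reject_unknown_client_hostname(ip, r))
    print(reject_unknown_helo_hostname("nonexistent.invalid", r))
    print(reject_unknown_address_domain("x@broken.example", r, "Recipient"))
```

192.0.2.20 is the interesting case: it has a PTR record, so the reverse-only check passes, but the name's A record points elsewhere, so the full check rejects it. That gap is why reject_unknown_reverse_client_hostname is safe to use broadly while reject_unknown_client_hostname is known to reject legitimate but badly configured senders.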

 



defer_if_permit

 

Defer the request if some later restriction would result in an explicit or implicit PERMIT action.

 

 

 


smtpd_client_connection_count_limit

 

# Default: 50
smtpd_client_connection_count_limit = 50

The maximum number of connections that an SMTP client may make simultaneously.

log

Aug  3 11:57:00 ns8 postfix/smtpd[4678]: warning: Connection concurrency limit exceeded: 
 51 from unknown[x.x.x.x] for service smtp

 


chroot

 

Some Postfix processes run in a chroot environment by default.

(the chroot column in /etc/postfix/master.cf selects which services are chrooted)

Therefore there usually is something that provides them with the necessary files on startup (on Debian the init script copies them into /var/spool/postfix). If a chrooted smtpd cannot resolve names, copy the resolver configuration in by hand:

cp /etc/resolv.conf /var/spool/postfix/etc

 


delay_warning_time

 

Default: 0h      # Disabled

When set, the sender receives a copy of the message headers of mail that is still queued after this time (a "your message is delayed" notice)

confirm_delay_cleared

Default: no

After sending a "your message is delayed" notification, inform the sender when the delay clears up.
 


Domain not found

 

450 4.1.2 <x@Y>: Recipient address rejected: Domain not found

Cause 1: DNS timeout

Cause 2: the chrooted postfix has no resolv.conf

fix_chroot_postfix.sh

#!/bin/bash
#
# copy all necessary files inside the chroot
#
set -e

# abort if the chroot etc/ does not exist, otherwise the copies land in the current directory
cd /var/spool/postfix/etc

cp -f /etc/resolv.conf    ./
cp -f /etc/localtime      ./
cp -f /etc/services       ./
cp -f /etc/hosts          ./
cp -f /etc/nsswitch.conf  ./

 


Limiting how many To, Cc, Bcc recipients one message may have

 

Incoming

smtpd_recipient_limit (default: 1000)

The maximal number of recipients that the Postfix SMTP server accepts per message delivery request.

(applies to mail submitted via SMTP; mail submitted with /usr/sbin/sendmail does not pass through smtpd)

Test

With "smtpd_recipient_limit = 3"

C: mail from: [email protected]
C: rcpt to: postmaster@A
C: rcpt to: postmaster@B
C: rcpt to: postmaster@C
C: rcpt to: postmaster@D
S: 452 4.5.3 Error: too many recipients      <-- the 4th recipient is refused; the transaction goes on with the first 3
C: data
S: 354 End data with <CR><LF>.<CR><LF>
C: test msg.
C: .
S: 250 2.0.0 Ok: queued as 44A083EAFE
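The exchange above, the SIZE rejection from the "mail size" section and the soft/hard error limits from "Tuning" are all per-session checks inside smtpd. The following is an added example (not Postfix code and not from these notes) that models those checks in a small state machine and replays this transcript: a 4th RCPT TO gets 452 while the transaction continues, MAIL FROM with an oversize SIZE gets 552, and errors are counted until smtpd_soft_error_limit (replies slowed by smtpd_error_sleep_time) and smtpd_hard_error_limit (421 and disconnect). The reply texts follow the Postfix wording seen in these notes; the EHLO reply is condensed to one line and the sleep is recorded rather than performed.

```python
"""A model of the per-session limits the Postfix SMTP server enforces.

Added example, not Postfix code and not from these notes. It applies
smtpd_recipient_limit, message_size_limit (via SIZE on MAIL FROM) and the
smtpd_soft_error_limit / smtpd_hard_error_limit / smtpd_error_sleep_time
behaviour. Reply texts follow the Postfix wording seen in these notes; the
EHLO reply is condensed to one line and the sleep is recorded, not slept.
"""
import re

MAIL_RE = re.compile(r"^MAIL FROM:\s*<?([^>\s]*)>?(?:\s+SIZE=(\d+))?", re.I)
RCPT_RE = re.compile(r"^RCPT TO:\s*<?([^>\s]+)>?", re.I)


class SmtpdModel:
    def __init__(self, message_size_limit=10240000, smtpd_recipient_limit=1000,
                 smtpd_soft_error_limit=10, smtpd_hard_error_limit=20,
                 smtpd_error_sleep_time=1):
        self.size_limit = message_size_limit
        self.rcpt_limit = smtpd_recipient_limit
        self.soft, self.hard, self.sleep = (smtpd_soft_error_limit,
                                            smtpd_hard_error_limit,
                                            smtpd_error_sleep_time)
        self.errors = 0            # errors since the last delivered message
        self.delay_total = 0       # seconds of error sleep that would have been applied
        self.disconnected = False
        self.transcript = []
        self._reset()

    def _reset(self):
        self.sender, self.recipients, self.in_data = None, [], False

    def _reply(self, line):
        if int(line[:3]) >= 400:
            self.errors += 1
            if self.errors > self.hard:
                line = "421 4.7.0 Error: too many errors"
                self.disconnected = True
            elif self.errors > self.soft:
                self.delay_total += self.sleep
        self.transcript.append("S: " + line)
        return line

    def command(self, line):
        if self.disconnected:
            raise ConnectionError("server closed the connection")
        self.transcript.append("C: " + line)
        if self.in_data:
            if line != ".":
                return None                 # message body, no reply
            self.in_data = False
            n = len(self.recipients)
            self._reset()
            self.errors = 0                 # "without delivering mail": reset on success
            return self._reply(f"250 2.0.0 Ok: queued ({n} recipients)")
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            return self._reply(f"250 SIZE {self.size_limit}")
        if verb == "MAIL":
            m = MAIL_RE.match(line)
            if not m:
                return self._reply("501 5.5.4 Syntax: MAIL FROM:<address>")
            if m.group(2) and int(m.group(2)) > self.size_limit:
                return self._reply("552 5.3.4 Message size exceeds fixed limit")
            self.sender, self.recipients = m.group(1), []
            return self._reply("250 2.1.0 Ok")
        if verb == "RCPT":
            if self.sender is None:
                return self._reply("503 5.5.1 Error: need MAIL command")
            m = RCPT_RE.match(line)
            if not m:
                return self._reply("501 5.5.4 Syntax: RCPT TO:<address>")
            if len(self.recipients) >= self.rcpt_limit:
                return self._reply("452 4.5.3 Error: too many recipients")
            self.recipients.append(m.group(1))
            return self._reply("250 2.1.5 Ok")
        if verb == "DATA":
            if not self.recipients:
                return self._reply("554 5.5.1 Error: no valid recipients")
            self.in_data = True
            return self._reply("354 End data with <CR><LF>.<CR><LF>")
        if verb == "QUIT":
            return self._reply("221 2.0.0 Bye")
        return self._reply("502 5.5.2 Error: command not recognized")


def run_session(commands, **limits):
    """Feed commands to a fresh server; returns (replies, server)."""
    srv = SmtpdModel(**limits)
    replies = []
    for c in commands:
        try:
            replies.append(srv.command(c))
        except ConnectionError:
            replies.append(None)
    return replies, srv


if __name__ == "__main__":
    replies, srv = run_session(
        ["EHLO client.example", "MAIL FROM:<a@example.org>",
         "RCPT TO:<postmaster@A>", "RCPT TO:<postmaster@B>", "RCPT TO:<postmaster@C>",
         "RCPT TO:<postmaster@D>", "DATA", "test msg.", ".", "QUIT"],
        smtpd_recipient_limit=3)
    print("\n".join(srv.transcript))
```

Two points the model makes visible: the 452 on the 4th recipient is a 4xx, so a well-behaved client retries the dropped recipient in a new transaction rather than losing it, and it also counts as one error towards the soft/hard limits, so a client that keeps pushing recipients past the limit is slowed down and eventually disconnected.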

Outgoing

default_destination_recipient_limit (default: 50)

This is the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and virtual(8) delivery agents: the number of recipients that share one delivery to the same destination. It does not cap the recipients of a message; a message with more recipients is split into several deliveries.

Remark

transport_destination_recipient_limit   # per-transport override, e.g. smtp_destination_recipient_limit

 


Troubleshoot

 

[1]

service postfix start

postfix: error while loading shared libraries: libmysqlclient.so.16: cannot open shared object file: No such file or directory

[fix]

find /usr -name libmysqlclient.so

/usr/lib64/libmysqlclient.so

ln -s /usr/lib64/libmysqlclient.so /usr/lib64/libmysqlclient.so.16

ldconfig

(this symlink only works while the installed library is ABI-compatible with the .so.16 that postfix was built against; the clean fix is to install the matching mysql client library package or rebuild postfix against the installed one)

[2] virtual_alias_maps / catchall_maps stopped working

Setting:

virtual_alias_maps = ...
 proxy:mysql:/etc/postfix/mysql/catchall_maps.cf

log

... mail postfix/pipe[2284]: A444B3E94A: to=<[email protected]>,
relay=dovecot, delay=0.04, delays=0.02/0/0/0.02, dsn=5.1.1, status=bounced (user unknown)

[Cause]

"receive_override_options = no_address_mappings" was set in main.cf, but the message never went through the content filter, so the second cleanup pass that would have applied the mappings never happened

What no_address_mappings does:

prevents aliases (and the other mappings: virtual aliases, canonical, BCC) from being expanded

 

 
