Following upgrade, postfix send refused

Discussion in 'Installation/Configuration' started by tfboy, Mar 21, 2022.

  1. tfboy

    tfboy Member

    I just ran the upgrade script and selected to reconfigure the services.
    Everything post-upgrade seems to run fine except for postfix sending email.
    Upon inspection, there are a few differences in the main.cf file.

    Old file before upgrade:
    Code:
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
    smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
    smtpd_sender_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf,  check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_reject_unlisted_sender = no
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining, permit
    
    New file post upgrade:
    Code:
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions
    smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, ,reject_unknown_helo_hostname, permit
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_reject_unlisted_sender = yes
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining , permit
    
    Having temporarily restored the old version, email can be sent, but I'm concerned this might have loosened security.
    Any idea what to check? Is there another component that I've missed?
    Thanks!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Is this about ISPConfig? As you posted in the forum for non ISPConfig systems.
     
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Check the mail logs, which will tell you why sending failed, and go from there.
     
  4. tfboy

    tfboy Member

    Sorry, Till, Yes, ISPConfig3. Thank you for moving the thread.

    Logs revealed some errors:
    Code:
    Mar 21 14:56:12 mail1 postfix/proxymap[839554]: warning: request for unapproved table: "mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf"
    Mar 21 14:56:12 mail1 postfix/proxymap[839554]: warning: to approve this table for read-only access, list proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf in main.cf:proxy_read_maps
    Mar 21 14:56:12 mail1 postfix/trivial-rewrite[839930]: fatal: proxymap service is not configured for table "mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf"
    Mar 21 14:56:13 mail1 postfix/master[839551]: warning: process /usr/lib/postfix/sbin/trivial-rewrite pid 839930 exit status 1
    Mar 21 14:56:13 mail1 postfix/master[839551]: warning: /usr/lib/postfix/sbin/trivial-rewrite: bad command startup -- throttling
    
    Looking at the differences between the files:
    • new version does not have "$smtp_sasl_password_maps $sender_dependent_relayhost_maps" in the proxy_read_maps list.
    • new version has additional "reject_invalid_helo_hostname" in smtp_helo_restrictions
    • new version does not have "reject_unlisted_sender" in smtpd_sender_restrictions
    • new version has smtpd_reject_unlisted_sender = yes (old version = no)
    What I'm trying to understand is why the error and if the new file is correct, does that point to some other data migration or configuration change which hasn't been correctly executed.
    Thanks :)
     
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Do you have any custom postfix templates?
     
  6. tfboy

    tfboy Member

    Er no, just the defaults as initially installed by ISP.
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Checking just this point, the upstream templates have this correct, so it's safe to say either you have custom templates that need updated, or something went wrong when you thought you had reconfigured services.
     
  8. tfboy

    tfboy Member

    Very strange, I re-ran the upgrade script and it seems to have made a few more changes elsewhere and the problem has now disappeared. Thanks for the pointers and help :)
     

Share This Page