I have a multi-server setup with separate spamfiltering (eFa) for in- and outbound mailtraffic. This works like a charm using relayhost and native lmtp and smtp host lookup in postfix's main.cf. (Because eFa is in the same internal network I want to use /etc/hosts before dns for host lookup) Code: relayhost = [eFa servername]:25 (setup via ISPConfig) ... some other relayhost related settings lmtp_host_lookup = native smtp_host_lookup = native To catch SPF issues for forwarded emails I've installed PostSRS on my mailservers. PostSRS by itself too works like a charm but has a major negative side effect. The relayhost and host lookup settings are completely ignored. Postfix is doing host lookups in DNS only and relays directly to one of the found MX records. Does anyone have a solution to how to tackle this side effect and make postfix do native host lookups again and relay to the host I've set? It happens on older CentOS 7 servers and newer Ubuntu 20 servers so it's not OS related but purely postfix (version 2 and 3).
That's what happens when you copy-paste from manuals without fully dissecting and understanding what you're doing One of the settings added to postfix's main.cf for postsrsd is Code: default_transport = smtp:127.0.0.1:10022 which takes precedence over the relayhost setting. Now to find a way to get around this. To make emails pass through postsrsd and still be able to make use of settings like relayhost after. I was wrong to say native host lookups also didn't work anymore. That seems to be working just fine.
Installation of Postsrsd will also break sender_dependent_relayhost_maps because of the use of default_transport to call Postsrsd. So besides it breaking ISPConfig's ability to set a relayhost at serverlevel it also breaks setting a relayhost per domain. Any pointers to other SRS solution would be much appreciated. I found this thread https://forum.howtoforge.com/threads/ispconfig-postsrsd-sending-domain.83785/ where there's talk about a srs-milter. But that hasn't been maintained in over 9 years and the code is far from nice and clean.
I managed to relay from postsrsd to somewhere else by altering the postsrsd config in master.cf Old: Code: 127.0.0.1:10022 inet n - n - - smtpd ... -o content_filter=smtp ... New: Code: 127.0.0.1:10022 inet n - n - - smtpd ... -o content_filter=smtp:[127.0.0.1]:2525 ... [127.0.0.1]:2525 is a 2nd postfix instance. I created this instance because I want to be able to make use of ISPConfig's ability to relay domains to specific hosts (sender_dependent_relayhost_maps) and all else to a specific host (relayhost) which is broken by postsrsd's added config in main.cf (although relayhost needs to be set manually in the 2nd instance's main.cf because ISPConfig writes in the primary main.cf) Code: default_transport = smtp:127.0.0.1:10022 Outgoing emails are now bouncing between the primary postfix instance and the 2nd. Because for some reason emails are sent to amavis by the 2nd instance. From there they return to the queue of the primary instance, go through postsrsd again , to postfix's 2nd instance, to amavis etc etc. I can't figure out why emails are sent to amavis by postfix's 2nd instance. Incoming emails and local delivery are working fine as they only make use of postfix's primary instance. Any tips or other help is much appreciated. Key question is: Where is postfix linked to amavis and how can I keep it in postfix's primary instance but loose it in the 2nd instance.
The configuration is in main.cf. Take a look at this file from ISPConfig installer starting with line 1677 to see what the installer configures for amavis: https://git.ispconfig.org/ispconfig/ispconfig3/-/blob/develop/install/lib/installer_base.lib.php
Key seems to me to be lines 1715 - 1718 which created these lines in /etc/postfix/main.cf: Code: content_filter = lmtp:[127.0.0.1]:10024 receive_override_options = no_address_mappings address_verify_virtual_transport = smtp:[127.0.0.1]:10025 address_verify_transport_maps = static:smtp:[127.0.0.1]:10025 My 2nd postfix instance is called 'postfix-relay' and has its config in /etc/postfix-relay Those lines aren't there in /etc/postfix-relay/main.cf. Also any amavis related lines are deleted from /etc/postfix-relay/master.cf. This is what is logged, separated by queue id: Received from some mta>> sent to amavis Code: Nov 18 00:00:10 myserver postfix/smtpd[28402]: 38749C60329: client=some.mta.com[1.2.3.4] Nov 18 00:00:10 myserver postfix/cleanup[30968]: 38749C60329: message-id=<[email protected]> Nov 18 00:00:10 myserver postfix/qmgr[28385]: 38749C60329: from=<[email protected]>, size=8617, nrcpt=1 (queue active) Nov 18 00:00:10 myserver postfix/lmtp[30980]: 38749C60329: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.84, delays=0.16/0.01/0.01/0.67, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as DA41FC6086D) Nov 18 00:00:10 myserver postfix/qmgr[28385]: 38749C60329: removed Sent to amavis and back >> delivered to dovecot >> back to forward >> sent to postsrsd Code: Nov 18 00:00:10 myserver postfix/smtpd[31311]: DA41FC6086D: client=localhost[127.0.0.1] Nov 18 00:00:10 myserver postfix/cleanup[30968]: DA41FC6086D: message-id=<[email protected]> Nov 18 00:00:10 myserver postfix/qmgr[28385]: DA41FC6086D: from=<[email protected]>, size=9054, nrcpt=2 (queue active) Nov 18 00:00:10 myserver amavis[1592]: (01592-13) Passed CLEAN {RelayedOpenRelay}, [127.0.0.1] [1.2.3.4] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: vSi3wZ8wEiwy, Hits: -3.012, size: 8610, queued_as: DA41FC6086D, dkim_sd=selector:abc.com, 669 ms Nov 18 00:00:10 myserver postfix/lmtp[30980]: 38749C60329: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.84, delays=0.16/0.01/0.01/0.67, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as DA41FC6086D) Nov 18 00:00:10 myserver postfix/lmtp[30980]: DA41FC6086D: to=<[email protected]>, relay=myserver.xyz.com[private/dovecot-lmtp], delay=0.11, delays=0.03/0.01/0.03/0.04, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> 5SsQOfq8dmNuegAAo43SQw Saved) Nov 18 00:00:11 myserver postfix/smtp[31340]: DA41FC6086D: to=<[email protected]>, orig_to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10022, delay=0.12, delays=0.03/0.04/0.02/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as F1A26C60329) Nov 18 00:00:11 myserver postfix/qmgr[28385]: DA41FC6086D: removed Rewritten by postsrsd >> sent to 2nd postfix instance (postfix-relay) Code: Nov 18 00:00:10 myserver postfix/srs/smtpd[31353]: F1A26C60329: client=localhost[127.0.0.1] Nov 18 00:00:11 myserver postfix/srs/cleanup[31364]: F1A26C60329: message-id=<[email protected]> Nov 18 00:00:11 myserver postfix/qmgr[28385]: F1A26C60329: from=<[email protected]>, size=9245, nrcpt=1 (queue active) Nov 18 00:00:11 myserver postfix/smtp[31340]: DA41FC6086D: to=<[email protected]>, orig_to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10022, delay=0.12, delays=0.03/0.04/0.02/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as F1A26C60329) Nov 18 00:00:11 myserver postfix/smtp[31340]: F1A26C60329: to=<[email protected]>, relay=myserver.xyz.com[127.0.0.1]:2525, delay=0.14, delays=0.04/0/0.06/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 19066CE0055) Nov 18 00:00:11 myserver postfix/qmgr[28385]: F1A26C60329: removed Received by 2nd postfix instance (postfix-relay) >> sent to amavis and back Code: Nov 18 00:00:11 myserver postfix-relay/smtpd[31386]: 19066CE0055: client=localhost[127.0.0.1] Nov 18 00:00:11 myserver postfix-relay/cleanup[31427]: 19066CE0055: message-id=<[email protected]> Nov 18 00:00:11 myserver postfix-relay/qmgr[28399]: 19066CE0055: from=<[email protected]>, size=9437, nrcpt=1 (queue active) Nov 18 00:00:11 myserver postfix/smtp[31340]: F1A26C60329: to=<[email protected]>, relay=myserver.xyz.com[127.0.0.1]:2525, delay=0.14, delays=0.04/0/0.06/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 19066CE0055) Nov 18 00:00:11 myserver postfix-relay/lmtp[31444]: 19066CE0055: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.62, delays=0.04/0.01/0/0.57, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as A4FFCC60329) Nov 18 00:00:11 myserver postfix-relay/qmgr[28399]: 19066CE0055: removed Sent to amavis and back >> sent to postsrsd Code: Nov 18 00:00:11 myserver postfix/smtpd[31754]: A4FFCC60329: client=localhost[127.0.0.1] Nov 18 00:00:11 myserver postfix/cleanup[30968]: A4FFCC60329: message-id=<[email protected]> Nov 18 00:00:11 myserver postfix/qmgr[28385]: A4FFCC60329: from=<[email protected]>, size=10556, nrcpt=1 (queue active) Nov 18 00:00:11 myserver amavis[1594]: (01594-13) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [127.0.0.1] [1.2.3.4] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: B8foS9CXFlWu, Hits: -0.912, size: 9430, queued_as: A4FFCC60329, dkim_sd=selector:abc.com, dkim_new=dkim:srs.xyz.com, 568 ms Nov 18 00:00:11 myserver postfix-relay/lmtp[31444]: 19066CE0055: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.62, delays=0.04/0.01/0/0.57, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as A4FFCC60329) Nov 18 00:00:11 myserver postfix/smtp[31385]: A4FFCC60329: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10022, delay=0.07, delays=0.02/0.02/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B0CB1C6086D) Nov 18 00:00:11 myserver postfix/qmgr[28385]: A4FFCC60329: removed Received unchanged from postsrsd >> sent to 2nd postfix instance (postfix-relay) Code: Nov 18 00:00:11 myserver postfix/srs/smtpd[31353]: B0CB1C6086D: client=localhost[127.0.0.1] Nov 18 00:00:11 myserver postfix/srs/cleanup[31364]: B0CB1C6086D: message-id=<[email protected]> Nov 18 00:00:11 myserver postfix/qmgr[28385]: B0CB1C6086D: from=<[email protected]>, size=10747, nrcpt=1 (queue active) Nov 18 00:00:11 myserver postfix/smtp[31385]: A4FFCC60329: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10022, delay=0.07, delays=0.02/0.02/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B0CB1C6086D) Nov 18 00:00:11 myserver postfix/smtp[31340]: B0CB1C6086D: to=<[email protected]>, relay=myserver.xyz.com[127.0.0.1]:2525, delay=0.04, delays=0.02/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B72EBCE0055) Nov 18 00:00:11 myserver postfix/qmgr[28385]: B0CB1C6086D: removed Sent to amavis and back Code: Nov 18 00:00:11 myserver postfix-relay/smtpd[31386]: B72EBCE0055: client=localhost[127.0.0.1] Nov 18 00:00:11 myserver postfix-relay/cleanup[31427]: B72EBCE0055: message-id=<[email protected]> Nov 18 00:00:11 myserver postfix-relay/qmgr[28399]: B72EBCE0055: from=<[email protected]>, size=10939, nrcpt=1 (queue active) Nov 18 00:00:11 myserver postfix/smtp[31340]: B0CB1C6086D: to=<[email protected]>, relay=myserver.xyz.com[127.0.0.1]:2525, delay=0.04, delays=0.02/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as B72EBCE0055) Nov 18 00:00:16 myserver postfix-relay/lmtp[31444]: B72EBCE0055: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=4.7, delays=0.02/0/0.01/4.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 6E774C60329) Nov 18 00:00:16 myserver postfix-relay/qmgr[28399]: B72EBCE0055: removed Sent to amavis and back >> sent to postsrsd Code: Nov 18 00:00:16 myserver postfix/smtpd[31754]: 6E774C60329: client=localhost[127.0.0.1] Nov 18 00:00:16 myserver postfix/cleanup[30968]: 6E774C60329: message-id=<[email protected]> Nov 18 00:00:16 myserver postfix/qmgr[28385]: 6E774C60329: from=<[email protected]>, size=11403, nrcpt=1 (queue active) Nov 18 00:00:16 myserver amavis[1592]: (01592-14) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [127.0.0.1] [1.2.3.4] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: X67oZS4nBGkd, Hits: -0.911, size: 10932, queued_as: 6E774C60329, dkim_sd=dkim:srs.xyz.com,selector:abc.com, 4718 ms Nov 18 00:00:16 myserver postfix-relay/lmtp[31444]: B72EBCE0055: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=4.7, delays=0.02/0/0.01/4.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 6E774C60329) Nov 18 00:00:16 myserver postfix/smtp[31385]: 6E774C60329: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10022, delay=0.04, delays=0.02/0/0/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 73239C6086D) Nov 18 00:00:16 myserver postfix/qmgr[28385]: 6E774C60329: removed etc. etc. It keeps bouncing around between postfix, amavis, postsrsd and postfix-relay. I think Amavis on port 10026 is for DKIM signing? So what I can't figure out is how that is hooked into postfix (mainly my 2nd instance). Disabling DKIM signing srs.xyz.com doesn't make any difference.
Spam filter and DKIM signing. Btw. Have you considered updating your system to use Rspamd instead of Amavis? All newer ISPConfig systems use Rspamd now as it's faster, uses less resources and is a more effective spam filter. See https://www.howtoforge.com/replacing-amavisd-with-rspamd-in-ispconfig/
I'll take that advise into consideration. As this server in not in production yet it's probably the best thing to do anyway. But that still doesn't explain why I'm running into the current loop. And notice the use of different amavis ports. On first receive you see ports 10024 and 10025 in the logs. When the loop occurs after postsrsd and relay to postfix-relay instance you see 10026 and 10027.
use grep command in /etc/postfix directory to get a list of all config files that contain a certain port number.
That's just it. They don't exist in postfix-relay's (2nd instance) main.cf nor master.cf. So I'm clueless to why this happens.
There are other files which may contain it, run e.g.: grep -r -n 10026 /etc/postfix/ to find all occurrences of that port and then do it with the other ports.
Found the hook in postfix to 10026 but couldn't get everything to work as I wanted. In the meantime I've replaced amavis with rspamd. Now everything seems to work as I want it to. - Emails are still received and delivered just fine - Outgoing (and thus also forwarded) emails are passed through postsrsd, rewritten if needed and passed to the 2nd postfix instance - 2nd postfix instance relays to my external spamfilter or sender dependent relayhost Only thing I noticed is that emails are DKIM signed twice and the signatures differ. But sending an email to mail-tester.com scores 10/10, so there doesn't seem to be any problem.
Solved the double DKIM signing too. Added this to master.cf: Code: 127.0.0.1:10022 inet n - n - - smtpd ... -o smtpd_milters= -o non_smtpd_milters= ... which prevents emails going through rspmd a 2nd time.
Although everything is now working as expected with postsrsd and a 2nd postfix instance in place I would really like to see it working without the need of a 2nd postfix instance. That way relayhost will work again too straight from within ISPConfig and not having to manually copy-paste to postfix' 2nd instance main.cf. I don't know if this is possible at all but if I could somehow map ONLY emails to postsrsd that - are not originating from AND - not send to an in ISPConfig configured domain (thus forwarded) then according to my reasoning default_transport in postfix' primary instance main.cf becomes redundant and after deletion would reinstate functioning of relayhost and sender_dependent_relayhost_maps in the same instance (straight from within ISPConfig).
