Yesterday I did an ispconfig update from ISPConfig 3.1.15p3 to the current stable ISPConfig version 3.2.5. I have a multiserver installation - mail on one and all other services on the main server. I did the update on the mail server first - then on the main server (correct order??). No errors, but no mails were delivered after the update was completed. Neither were external mails delivered to local mailboxes, nor were internal mails delivered to external recipients. After some analysis, I found out that amavis is causing the problem (I did NOT update amavis, but did a "reconfigure services" when updating). Mailserver is Debian 8, main server is Debian 9! External TO Internal: Jul 26 13:09:42 mail amavis[7566]: (07566-15) (!)connect to 127.0.0.1:* failed, attempt #1: Can't connect to socket 127.0.0.1:* using module IO::Socket::IP: Connection refused Jul 26 13:09:42 mail amavis[7566]: (07566-15) (!)tBI_1wk2LurH FWD from <[email protected]> -> <[email protected]>, 451 4.5.0 From MTA() during fwd-connect (All attempts (1) failed connecting to smtp:127.0.0.1:*): id=07566-15 Jul 26 13:09:42 mail amavis[7566]: (07566-15) Blocked MTA-BLOCKED {TempFailedInternal}, LOCAL [127.0.0.1] [46.91.196.52] <[email protected]> -> <[email protected]>, Message-ID: <trinity-6866a56b-49e4-482b-bf96-9a645a8f59b5-1627296502509@3c-app-webde-bap17>, mail_id: tBI_1wk2LurH, Hits: -1.374, size: 2543, dkim_sd=dbaedf251592:web.de, 214 ms Jul 26 13:09:42 mail postfix/lmtp[8077]: CD968A2722: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=1280, delays=1257/3.4/20/0.21, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 id=07566-15 - Temporary MTA failure on relaying, From MTA() during fwd-connect (All attempts (1) failed connecting to smtp:127.0.0.1:*): id=07566-15 (in reply to end of DATA command)) Internal TO External: Jul 26 12:43:19 mail amavis[4666]: (04666-02) (!)connect to 127.0.0.1:* failed, attempt #1: Can't connect to socket 127.0.0.1:* using module IO::Socket::IP: Connection refused Jul 26 12:43:19 mail amavis[4666]: (04666-02) (!)E0chsoK-1Y4N FWD from <[email protected]> -> <[email protected]>, 451 4.5.0 From MTA() during fwd-connect (All attempts (1) failed connecting to smtp:127.0.0.1:*): id=04666-02 Jul 26 12:43:19 mail amavis[4666]: (04666-02) Blocked MTA-BLOCKED {TempFailedOutbound}, ORIGINATING LOCAL [127.0.0.1] [146.88.36.113] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: E0chsoK-1Y4N, Hits: -2.9, size: 722, 191 ms Jul 26 12:43:19 mail postfix/lmtp[4687]: 19147A20D4: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=958, delays=957/0.05/0.48/0.19, dsn=4.5.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 id=04666-02 - Temporary MTA failure on relaying, From MTA() during fwd-connect (All attempts (1) failed connecting to smtp:127.0.0.1:*): id=04666-02 (in reply to end of DATA command)) For now I disabled Amavis by doing the following changes in /etc/postfix/main.cf FROM: smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re TO: smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf And commenting out: #content_filter = amavis:[127.0.0.1]:10024 #receive_override_options = no_address_mappings The issue seems to be related to https://www.howtoforge.com/community/threads/no-mails-are-being-received-or-sent.86957/ but I am not sure. Can you help?
I would update the master first, but having done it this way, once you do update the master you might run the installer on your slave another time and answer Yes to updating permissions in the master database. (I think there were db schema changes related to at least php versions and web/db backups, so it may not matter on your configuration, but just to be safe...). That sounds like the downstream smtp instances (ports 10025 and 10027) are not open, what does your /etc/postifx/master.cf look like? You might also run the diagnostic script in the "read before posting" thread, or at least post output of "netstat -tnau" - what ports is postfix listening on? FWIW, debian 8 is not supported on 3.2, I don't know what you should expect from that system offhand.
Thanx Jesse for your feedback and your help!! I rerun the update on the slave-mail-server - just to be sure ;-) Regarding the amavis problem: I am wondering what's going wrong, as I did just an update ... Output of master.cf: ######################### # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master" or # on-line: http://www.postfix.org/master.5.html). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - - - - smtpd submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING smtps inet n - - - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject ##smtp inet n - - - - smtpd #smtp inet n - - - 1 postscreen #smtpd pass - - - - - smtpd #dnsblog unix - - - - 0 dnsblog #tlsproxy unix - - - - 0 tlsproxy #submission inet n - - - - smtpd # Falls clients sich nicht verbinden koennen: -o smtpd_tls_dh1024_param_file=${config_directory}/dh1024.pem # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #smtps inet n - - - - smtpd # -o syslog_name=postfix/smtps # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - - - - qmqpd pickup unix n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr tlsmgr unix - - - 1000? 1 tlsmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - - - - smtp relay unix - - - - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - - - - showq error unix - - - - - error retry unix - - - - - error discard unix - - - - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - - - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - pipe flags=DRhu user=vmail null_sender=MAILER-DAEMON@localhost argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender} # # ==================================================================== # # Recent Cyrus versions can use the existing "lmtp" master.cf entry. # # Specify in cyrus.conf: # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 # # Specify in main.cf one or more of the following: # mailbox_transport = lmtp:inet:localhost # virtual_transport = lmtp:inet:localhost # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # Old example of delivery via Cyrus. # #old-cyrus unix - n n - - pipe # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop} ########################### And output of netstat -tnau: Aktive Internetverbindungen (Server und stehende Verbindungen) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:14922 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:9100 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:9104 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:9105 0.0.0.0:* LISTEN tcp 0 0 188.68.32.28:53 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN tcp 0 0 188.68.32.28:25 150.188.85.225:49420 SYN_RECV tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN tcp 0 216 188.68.32.28:14922 46.91.196.52:57437 VERBUNDEN tcp 0 0 127.0.0.1:51398 127.0.0.1:3306 VERBUNDEN tcp 0 0 127.0.0.1:51418 127.0.0.1:3306 VERBUNDEN tcp 0 0 127.0.0.1:51284 127.0.0.1:3306 VERBUNDEN tcp 0 0 188.68.32.28:993 46.223.162.217:19502 VERBUNDEN tcp 0 0 188.68.32.28:143 46.88.227.223:54935 VERBUNDEN tcp 0 0 127.0.0.1:51419 127.0.0.1:3306 VERBUNDEN tcp 0 0 188.68.32.28:25 150.188.85.225:49320 TIME_WAIT tcp 0 0 127.0.0.1:51413 127.0.0.1:3306 TIME_WAIT tcp 0 0 127.0.0.1:51424 127.0.0.1:3306 VERBUNDEN tcp 0 0 127.0.0.1:51415 127.0.0.1:3306 VERBUNDEN tcp 0 0 188.68.32.28:25 150.188.85.225:49323 TIME_WAIT tcp 0 0 188.68.32.28:993 46.223.162.217:19435 VERBUNDEN tcp 0 0 127.0.0.1:51414 127.0.0.1:3306 VERBUNDEN tcp 0 0 127.0.0.1:51425 127.0.0.1:3306 VERBUNDEN tcp 0 0 188.68.32.28:995 109.40.3.160:25350 VERBUNDEN tcp 0 0 127.0.0.1:51427 127.0.0.1:3306 VERBUNDEN tcp 0 0 188.68.32.28:995 109.40.3.160:27428 VERBUNDEN tcp 0 0 188.68.32.28:993 46.223.162.217:19407 VERBUNDEN tcp 0 330 188.68.32.28:993 77.9.124.20:52558 FIN_WAIT1 tcp 0 0 188.68.32.28:993 46.223.162.217:19553 VERBUNDEN tcp 0 0 127.0.0.1:51426 127.0.0.1:3306 VERBUNDEN tcp 0 0 188.68.32.28:465 5.188.206.238:56073 VERBUNDEN tcp 0 0 188.68.32.28:993 46.223.162.217:19548 VERBUNDEN tcp 0 0 127.0.0.1:51283 127.0.0.1:3306 VERBUNDEN tcp 0 0 127.0.0.1:51422 127.0.0.1:3306 VERBUNDEN tcp 0 0 127.0.0.1:51421 127.0.0.1:3306 VERBUNDEN tcp 0 0 188.68.32.28:143 37.120.190.158:44578 TIME_WAIT tcp 0 0 127.0.0.1:51420 127.0.0.1:3306 VERBUNDEN tcp 0 0 188.68.32.28:143 37.120.190.158:44580 TIME_WAIT tcp 0 0 188.68.32.28:25 150.188.85.225:49335 TIME_WAIT tcp 0 0 127.0.0.1:51401 127.0.0.1:3306 TIME_WAIT tcp 0 0 188.68.32.28:25 37.0.8.138:43578 TIME_WAIT tcp 0 0 188.68.32.28:25 150.188.85.225:49376 TIME_WAIT tcp 0 0 188.68.32.28:25 150.188.85.225:49368 TIME_WAIT tcp 0 0 127.0.0.1:51417 127.0.0.1:3306 VERBUNDEN tcp 0 0 127.0.0.1:51423 127.0.0.1:3306 VERBUNDEN tcp 0 0 188.68.32.28:993 46.223.162.217:19528 VERBUNDEN tcp 0 0 188.68.32.28:995 46.223.162.217:19561 VERBUNDEN tcp 0 0 188.68.32.28:25 150.188.85.225:49365 TIME_WAIT tcp 0 0 188.68.32.28:49334 37.120.190.158:3306 TIME_WAIT tcp 0 0 188.68.32.28:25 37.0.8.138:36124 TIME_WAIT tcp 0 0 188.68.32.28:49332 37.120.190.158:3306 TIME_WAIT tcp 0 0 127.0.0.1:51416 127.0.0.1:3306 VERBUNDEN tcp 0 0 188.68.32.28:49333 37.120.190.158:3306 TIME_WAIT tcp6 0 0 :::1993 :::* LISTEN tcp6 0 0 ::1:10026 :::* LISTEN tcp6 0 0 :::3306 :::* LISTEN tcp6 0 0 :::14922 :::* LISTEN tcp6 0 0 :::587 :::* LISTEN tcp6 0 0 :::1995 :::* LISTEN tcp6 0 0 :::236 :::* LISTEN tcp6 0 0 :::237 :::* LISTEN tcp6 0 0 :::110 :::* LISTEN tcp6 0 0 ::1:783 :::* LISTEN tcp6 0 0 :::143 :::* LISTEN tcp6 0 0 :::465 :::* LISTEN tcp6 0 0 :::2003 :::* LISTEN tcp6 0 0 :::53 :::* LISTEN tcp6 0 0 :::1110 :::* LISTEN tcp6 0 0 :::1143 :::* LISTEN tcp6 0 0 :::25 :::* LISTEN tcp6 0 0 ::1:953 :::* LISTEN tcp6 0 0 :::993 :::* LISTEN tcp6 0 0 :::995 :::* LISTEN tcp6 0 0 :::389 :::* LISTEN tcp6 0 0 ::1:10024 :::* LISTEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51416 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51424 VERBUNDEN tcp6 0 0 188.68.32.28:237 37.120.190.158:58036 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51415 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51418 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51425 VERBUNDEN tcp6 0 0 188.68.32.28:237 37.120.190.158:56954 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51284 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51427 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51417 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51398 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51283 VERBUNDEN tcp6 0 0 188.68.32.28:237 37.120.190.158:57750 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51426 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51420 VERBUNDEN tcp6 0 0 188.68.32.28:237 134.3.103.55:64889 VERBUNDEN tcp6 0 0 188.68.32.28:237 134.3.103.55:65035 FIN_WAIT2 tcp6 0 0 127.0.0.1:3306 127.0.0.1:51423 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51414 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51421 VERBUNDEN tcp6 0 0 188.68.32.28:237 37.120.190.158:57538 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51419 VERBUNDEN tcp6 0 0 188.68.32.28:237 37.120.190.158:56860 VERBUNDEN tcp6 0 0 127.0.0.1:3306 127.0.0.1:51422 VERBUNDEN udp 0 0 188.68.32.28:53 0.0.0.0:* udp 0 0 127.0.0.1:53 0.0.0.0:* udp 0 0 188.68.32.28:123 0.0.0.0:* udp 0 0 127.0.0.1:123 0.0.0.0:* udp 0 0 0.0.0.0:123 0.0.0.0:* udp6 0 0 :::53 :::* udp6 0 0 fe80::e4e3:11ff:feb:123 :::* udp6 0 0 ::1:123 :::* udp6 0 0 :::123 :::*
I have updated the protocol in my first post as some lines were cut off + added the debug script output from mail-slave-server.
Your master.cf does not have entries for 10025 and 10027. You could try changing the content filter from amavis to rspamd (in server config), then back - maybe it'll get fixed up. Short of that we could try troubleshooting why that happens, but you really might start with a quick upgrade to supported OS version (possibly debian 8 isn't recognized/handled?).
Hi, it seems that master.cf and main.cf have not been updated correctly on my machine (or I missed a step). But after rerunning update_ispconfig.sh --force I got new versions of the files which included also the rules for 10025 and 10027. Thanx Jesse for your support!!