[Postfixbuch-users] Problems with external lists and a Postfix check.

Michael Polenske mpolenske at hpce.nec.com
Mon May 7 10:13:59 CEST 2007


Good morning,

we often have mails in the system that were sent from external accounts under our 
domain to internal addresses (e.g. from hfjgezu at hpce.nec.com 
to mpolenske at hpce.nec.com). To prevent that, I set up Ralf's method 
to refuse mails that carry our domain as the sender and do not come from 
inside or from an authorized account 
(http://www.arschkrebs.de/postfix/postfix_incoming.shtml).

However, this creates a problem with mails that are sent from an internal account to an 
external account which in turn forwards to an address 
in our network: the mail is then, logically, rejected by us.

Any tip on how I can work around this (other than maintaining a whitelist for such a case or 
switching off the check)?

Thanks in advance,
Michael

-------------------------------------------------------------------------------------
Example mail:


Return-Path: <MAILER-DAEMON at hpce.nec.com>
Received: from murder ([unix socket])
	 by imap.hpce.nec.com (Cyrus v2.2.12) with LMTPA;
	 Mon, 23 Apr 2007 21:23:34 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (av.hpce.nec.com [193.141.139.214])
	by mail.hpce.nec.com (Postfix) with ESMTP id 463D379A4198
	for <mpolenske at hpce.nec.com>; Mon, 23 Apr 2007 21:23:34 +0200 (CEST)
Received: from localhost [127.0.0.1] for localhost (EHLO localhost) via 
	SMTP; Mon, 23 Apr 2007 21:23:34 +0200
Received: from localhost
	by localhost (AvMailGate-2.1.0-19) id 22073-veK5AB;
	Mon, 23 Apr 2007 21:23:34 +0200
Received: from mail.hpce.nec.com ([193.141.139.212])
 by localhost (av.hpce.nec.com [10.10.12.4]) (amavisd-new, port 10025)
 with ESMTP id 17282-06 for <mpolenske at hpce.nec.com>;
 Mon, 23 Apr 2007 21:23:33 +0200 (CEST)
Received: from cluster-j.mailcontrol.com (cluster-j.mailcontrol.com 
[86.111.223.190])
	by mail.hpce.nec.com (Postfix) with ESMTP id E52A379A4198
	for <mpolenske at hpce.nec.com>; Mon, 23 Apr 2007 21:23:32 +0200 (CEST)
Received: from localhost (localhost)
	by rly44j.srv.mailcontrol.com (MailControl) id l3NJNL9a007432;
	Mon, 23 Apr 2007 20:23:21 +0100
Date: Mon, 23 Apr 2007 20:23:21 +0100
From: Mail Delivery Subsystem <MAILER-DAEMON at rly44j.srv.mailcontrol.com>
Message-Id: <200704231923.l3NJNL9a007432 at rly44j.srv.mailcontrol.com>
To: <mpolenske at hpce.nec.com>
MIME-Version: 1.0
Content-Type: multipart/report;
  report-type=delivery-status;
  boundary="l3NJNL9a007432.1177356201/rly44j.srv.mailcontrol.com"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
X-AntiVirus: checked by AntiVir MailGate (version: 2.1.0-19; AVE: 7.3.1.53; 
VDF: 6.38.1.27; host: av.hpce.nec.com)
X-GData-Scanner: Clean, Agent: GData SMTP PROXY 1.6.1 on
 av.hpce.nec.com
X-Length: 6776
X-UID: 12072

This is a MIME-encapsulated message

--l3NJNL9a007432.1177356201/rly44j.srv.mailcontrol.com
The original message was received at Mon, 23 Apr 2007 20:23:19 +0100

from mail1.neceur.com [195.47.207.3]

   ----- The following addresses had permanent fatal errors -----
<ymomose at hpce.nec.com>
    (reason: 554 <mpolenske at hpce.nec.com>: Sender address rejected: 
hpce.nec.com sender? But you're not in mynetworks!)

   ----- Transcript of session follows -----
... while talking to mail.hpce.nec.com.:
>>> DATA
<<< 554 <mpolenske at hpce.nec.com>: Sender address rejected: hpce.nec.com 
sender? But you're not in mynetworks!
554 5.0.0 Service unavailable
<<< 554 Error: no valid recipients

--l3NJNL9a007432.1177356201/rly44j.srv.mailcontrol.com
Content-Type: message/delivery-status

Reporting-MTA: dns; rly44j.srv.mailcontrol.com
Received-From-MTA: DNS; mail1.neceur.com
Arrival-Date: Mon, 23 Apr 2007 20:23:19 +0100

Final-Recipient: RFC822; ymomose at hpce.nec.com
Action: failed
Status: 5.0.0
Remote-MTA: DNS; mail.hpce.nec.com
Diagnostic-Code: SMTP; 554 <mpolenske at hpce.nec.com>: Sender address rejected: 
hpce.nec.com sender? But you're not in mynetworks!
Last-Attempt-Date: Mon, 23 Apr 2007 20:23:21 +0100

--l3NJNL9a007432.1177356201/rly44j.srv.mailcontrol.com
Content-Type: message/rfc822

Return-Path: <mpolenske at hpce.nec.com>
Received: from mail1.neceur.com (mail1.neceur.com [195.47.207.3])
	by rly44j.srv.mailcontrol.com (MailControl) with ESMTP id l3NJNI9b006404
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
	for <ymomose at hpce.nec.com>; Mon, 23 Apr 2007 20:23:19 +0100
Received: from charon.neceur.com (charon [172.29.14.11])
	by mail1.neceur.com (Switch-3.1.8/Switch-3.1.7) with ESMTP id l3NJNI5b024082
	for <ymomose at hpce.nec.com>; Mon, 23 Apr 2007 20:23:18 +0100 (BST)
Received: from mailgate3.nec.co.jp (mailgate4.nec.co.jp [10.7.68.193])
	by charon.neceur.com (Switch-3.1.8/Switch-3.1.7) with ESMTP id l3NJNF0F021849
	for <ymomose at hpce.nec.com>; Mon, 23 Apr 2007 20:23:17 +0100 (BST)
Received: (from root at localhost) by mailgate3.nec.co.jp 
(8.11.7/3.7W-MAILGATE-NEC)
	id l3NJNEx21037 for ymomose at hpce.nec.com; Tue, 24 Apr 2007 04:23:14 +0900 
(JST)
Received: from mail-gw.bgmail.nec.co.jp (necmailsv8.bgmail.nec.co.jp 
[10.42.12.119]) by vgate02.nec.co.jp (8.11.7/3.7W-MAILSV-NEC) with ESMTP
	id l3NJNE723647 for <ymomose at hpce.nec.com>; Tue, 24 Apr 2007 04:23:14 +0900 
(JST)
Received: from rcpt-expgw4.biglobe.ne.jp
	by mail-gw.bgmail.nec.co.jp (kmfn/2514271006) with ESMTP id l3NJNEV5007077
	for <ymomose at hpce.nec.com>; Tue, 24 Apr 2007 04:23:14 +0900 (JST)
Received: from biglobe.ne.jp
	by rcpt-expgw4.biglobe.ne.jp (kbkr/4415201006) with SMTP id l3NJNEfj013055
	for <ymomose at hpce.nec.com>; Tue, 24 Apr 2007 04:23:14 +0900
Received: from rcpt-impgw2.biglobe.ne.jp by biglobe.ne.jp (RCPT_GW)
	id EAA17963; Tue, 24 Apr 2007 04:23:13 +0900 (JST)
Received: from mail.hpce.nec.com (mail.hpce.nec.com [193.141.139.212])
	by rcpt-impgw2.biglobe.ne.jp (kmfn/5109071206) with ESMTP id l3NJNBWc017899
	for <y-momose at mqh.biglobe.ne.jp>; Tue, 24 Apr 2007 04:23:12 +0900 (JST)
Authentication-Results: rcpt-impgw.biglobe.ne.jp 
smtp.mail=mpolenske at hpce.nec.com; spf=neutral
Received: from localhost (av.hpce.nec.com [193.141.139.214])
	by mail.hpce.nec.com (Postfix) with ESMTP id 72AA879A4198
	for <y-momose at mqh.biglobe.ne.jp>; Mon, 23 Apr 2007 21:23:20 +0200 (CEST)
Received: from localhost [127.0.0.1] for localhost (EHLO localhost) via 
	SMTP; Mon, 23 Apr 2007 21:23:20 +0200
Received: from localhost
	by localhost (AvMailGate-2.1.0-19) id 22002-04T4D0;
	Mon, 23 Apr 2007 21:23:20 +0200
Received: from mail.hpce.nec.com ([193.141.139.212])
 by localhost (av.hpce.nec.com [10.10.12.4]) (amavisd-new, port 10025)
 with ESMTP id 19407-05 for <y-momose at mqh.biglobe.ne.jp>;
 Mon, 23 Apr 2007 21:23:19 +0200 (CEST)
Received: from pc-poldy.poldynet.tld (dslb-084-062-053-172.pools.arcor-ip.net 
[84.62.53.172])
	by mail.hpce.nec.com (Postfix) with ESMTP id 8626C79A4198
	for <y-momose at mqh.biglobe.ne.jp>; Mon, 23 Apr 2007 21:23:16 +0200 (CEST)
From: Michael Polenske <mpolenske at hpce.nec.com>
To: y-momose at mqh.biglobe.ne.jp
Subject: Test 2
Date: Mon, 23 Apr 2007 21:23:02 +0200
User-Agent: KMail/1.9.6
Organization: NEC High Performance Computing Europe GmbH
MIME-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200704232123.03040.mpolenske at hpce.nec.com>
X-AntiVirus: checked by AntiVir MailGate (version: 2.1.0-19; AVE: 7.3.1.53; 
VDF: 6.38.1.27; host: av.hpce.nec.com)
X-GData-Scanner: Clean, Agent: GData SMTP PROXY 1.6.1 on
 av.hpce.nec.com
X-Biglobe-VirusCheck: Tue, 24 Apr 2007 04:23:14 +0900
X-Scanned-By: MailControl A-07-07-00 (www.mailcontrol.com) on 10.74.0.154


Test



our config:


mail:~ # postconf -n
address_verify_map = btree:/var/spool/postfix/verified_sender
alias_maps = hash:/etc/aliases          hash:/var/lib/mailman/data/aliases              
proxy:ldap:/etc/postfix/ldap/ldap_aliases.cf            
ldap:/etc/postfix/ldap/ldap_groups.cf
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[av.tld]:10025
daemon_directory = /usr/lib/postfix
debug_peer_level = 4
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
hopcount_limit = 100
inet_interfaces = 127.0.0.1 193.141.139.212 10.10.12.3
inet_protocols = all
local_recipient_maps = proxy:ldap:/etc/postfix/ldap/ldap_recipients.cf                  
$alias_maps                     ldap:/etc/postfix/ldap/mailaliases.cf
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 20480000
mime_header_checks = pcre:/etc/postfix/checks/mime_header_checks
mydestination = $mydomain               $myhostname             localhost               
localhost.$mydomain
mydomain = hpce.nec.com
myhostname = mail.hpce.nec.com
mynetworks = 10.10.12.0/29              193.141.139.0/24                
192.168.50.0/24         192.168.51.0/27         192.168.99.0/24         
192.168.100.0/24            192.168.101.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
recipient_delimiter = +
relocated_maps = hash:/etc/postfix/relocated
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_bind_address = 193.141.139.212
smtp_sasl_auth_enable = no
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = btree:/etc/postfix/smtp_session_cache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = reject_non_fqdn_recipient        
reject_non_fqdn_sender  reject_unknown_sender_domain    
reject_unknown_recipient_domain permit_sasl_authenticated   permit_mynetworks       
reject_unauth_destination       check_recipient_access 
hash:/etc/postfix/checks/roleaccount_exceptions  reject_non_fqdn_hostname    
reject_invalid_hostname check_helo_access 
pcre:/etc/postfix/checks/helo_checks  check_sender_mx_access 
cidr:/etc/postfix/checks/bogus_mx    check_sender_access 
hash:/etc/postfix/checks/common_spam_senderdomains  check_sender_access 
regexp:/etc/postfix/checks/common_spam_keywords     reject_rbl_client 
zen.spamhaus.org  check_recipient_access hash:/etc/postfix/recipient_access       
check_sender_access hash:/etc/postfix/disallow_my_domain   
check_sender_access hash:/etc/postfix/sender_access      warn_if_reject 
reject_unverified_sender permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_login_maps = ldap:/etc/postfix/ldap/mail_from_login.cf
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/private/mail.hpce.nec.com-cert.pem
smtpd_tls_key_file = /etc/ssl/private/mail.hpce.nec.com-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_session_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
transport_maps = ldap:/etc/postfix/ldap/ldap_trans.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pcre:/etc/postfix/virtual_regexp

-- 
================================================
Michael Polenske                  System Analyst
   NEC High Performance Computing Europe GmbH
Prinzenallee 11     D-40549 Duesseldorf, Germany
Tel: +49 211 5369 145     mpolenske at hpce.nec.com
Fax: +49 211 5369 199    http://www.hpce.nec.com
             GPG / PGP-Key available
                AIM: polenskeHPCE
================================================
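
Added example, not part of the original post: a small Python model of the three restrictions from the posted `smtpd_recipient_restrictions` that decide this case, showing why the forwarded copy is rejected while the original submission, the internal re-injection and the bounce pass. The content of `disallow_my_domain`, the SASL state of the original submission and the client address used for the rejected attempt are assumptions.

```python
import ipaddress

# mynetworks exactly as listed in the postconf -n output of the post.
MYNETWORKS = [ipaddress.ip_network(n) for n in (
    "10.10.12.0/29", "193.141.139.0/24", "192.168.50.0/24",
    "192.168.51.0/27", "192.168.99.0/24", "192.168.100.0/24",
    "192.168.101.0/24")]

# ASSUMPTION: content of /etc/postfix/disallow_my_domain (not shown in the
# post). The reject text is the one quoted in the bounce.
DISALLOW_MY_DOMAIN = {
    "hpce.nec.com": "554 hpce.nec.com sender? But you're not in mynetworks!",
}

def evaluate(client_ip, envelope_sender, sasl_authenticated=False):
    """Model only the three restrictions relevant here, in configured order:
    permit_sasl_authenticated, permit_mynetworks, check_sender_access."""
    if sasl_authenticated:
        return ("permit", "permit_sasl_authenticated")
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):
        return ("permit", "permit_mynetworks")
    # Simplified lookup: exact sender domain only; empty sender has no domain.
    domain = envelope_sender.rsplit("@", 1)[-1].lower() if "@" in envelope_sender else ""
    action = DISALLOW_MY_DOMAIN.get(domain)
    if action:
        return ("reject", action)
    return ("permit", "no match in disallow_my_domain")

SENDER = "mpolenske@hpce.nec.com"
# Client addresses are taken from the Received headers of the example mail.
SESSIONS = [
    # ASSUMPTION: the DSL client authenticated via SASL (the mail was relayed).
    ("original submission", "84.62.53.172", SENDER, True),
    ("re-injection from av.hpce.nec.com", "193.141.139.214", SENDER, False),
    # Stand-in: the post does not show the client IP of the rejected attempt;
    # this is the MailControl relay address seen on the bounce.
    ("forwarded copy returning", "86.111.223.190", SENDER, False),
    ("bounce with empty envelope sender", "86.111.223.190", "", False),
]

def run_sessions():
    """Return the decision for each constructed session, keyed by its label."""
    return {name: evaluate(ip, snd, auth) for name, ip, snd, auth in SESSIONS}

if __name__ == "__main__":
    for name, result in run_sessions().items():
        print(f"{name:36s} -> {result[0]:6s} ({result[1]})")
```

The decision depends only on the connecting client and the envelope sender, so a forwarder that keeps the original envelope sender is indistinguishable from a forged own-domain sender at this check.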



