Queue write file error: No valid recipients

Martin Steigerwald martin at lichtvoll.de
Thu Jan 18 11:01:33 CET 2018


Hello Ralf.

Thanks for the prompt reply.

Ralf Hildebrandt - 18.01.18, 10:38:
> * Martin Steigerwald <martin at lichtvoll.de>:
> > From certain SMTP servers of free
> > software/community projects that send me mailing list mail,
> > I sometimes get "queue write file error" back from
> > my MTA:
> Do you have pre-queue filtering?

I guess postscreen qualifies as a pre-queue filter.

I'll out myself with my configuration, so that you can happily find
errors :)

% postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
delay_warning_time = 4h
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT" -d "$USER"
mailbox_size_limit = 2000000000
message_size_limit = 20000000
mydestination = mondschein.lichtvoll.de, mondschein, localhost.localdomain, localhost
myhostname = mail.lichtvoll.de
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_cache_map = lmdb:$data_directory/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.mailspike.net*2 bl.spameatingmonkey.net dnsbl-1.uceprotect.net safe.dnsbl.sorbs.net ix.dnsbl.manitu.net bl.blocklist.de ubl.unsubscore.com psbl.surriel.com bl.spamcop.net dnsbl.inps.de swl.spamhaus.org*-3 list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2 list.dnswl.org=127.0.[0..255].[2..3]*-3 wl.mailspike.net=127.0.0.[17;18]*-1 wl.mailspike.net=127.0.0.[19;20]*-2
postscreen_dnsbl_threshold = 3
postscreen_greet_action = drop
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = yes
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
smtp_bind_address = 194.150.191.11
smtp_sasl_auth_enable = no
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_loglevel = 1
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated reject_non_fqdn_recipient reject_unknown_recipient_domain check_sender_access pcre:/etc/postfix/sender_checks check_policy_service inet:127.0.0.1:12525
smtpd_relay_restrictions = permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /var/lib/dehydrated/certs/lichtvoll.de/fullchain.pem
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /var/lib/dehydrated/certs/lichtvoll.de/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_preempt_cipherlist = yes
virtual_alias_domains = lichtvoll.de […]
virtual_alias_maps = hash:/etc/postfix/virtual_domains
virtual_mailbox_limit = 2000000000


I also have SpamAssassin in there, though I check it via
header_checks. And policyd-weight.

mondschein:~> cat /etc/postfix/master.cf
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       -       -       -       smtpd -vv
#submission inet n      -       -       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#628      inet  n       -       -       -       -       qmqpd
tlsproxy  unix  -       -       y       -       0       tlsproxy
dnsblog   unix  -       -       y       -       0       dnsblog
smtp      inet  n       -       y       -       1       postscreen
smtpd      pass  y       -       y       -       -       smtpd
#       -o content_filter=scan:[127.0.0.1]:10025
        -o smtpd_proxy_filter=127.0.0.1:10025
        -o smtpd_client_connection_count_limit=10
#       -o check_policy_service=inet:127.0.0.1:12525
pickup     fifo  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
#qmgr     fifo  n       -       -       300     1       oqmgr
qmgr       fifo  n       -       y       300     1       qmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp       unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
[…]
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

# only used by postfix-tls
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
#smtps    inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
587       inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
                                                        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                                                        -o content_filter=
tlsmgr     unix  -       -       y       1000?   1      tlsmgr
scache     unix  -       -       y       -       1      scache
discard    unix  -       -       y       -       -      discard


retry      unix  -       -       y       -       -       error

# spampd and SpamAssassin
scan               unix    -        -        n        -        10        smtp
localhost:10026    inet    n        -        n        -        10        smtpd
        -o content_filter=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o receive_override_options=no_unknown_recipient_checks
#spamassassin unix -     n       n       -       -       pipe
#  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

mondschein:~> grep X-Spam /etc/postfix/header_checks
/^X-Spam-Flag:.YES/ REJECT Your mail appears to be spam


I would like to replace some of the integrated parts with rspamd at some point.
Ideally just postscreen and rspamd, and get rid of policyd-weight,
since it does not do much anymore anyway. Or pretty much nothing at all anymore:

mondschein:~> cat /etc/policyd-weight.conf 
# DNS MX / HELO settings

   $REJECTLEVEL  = 5;               # Mails with scores which exceed this
                                    # REJECTLEVEL will be rejected

## DNSBL settings

   $MAXDNSBLHITS  = 3;  # If Client IP is listed in MORE
                        # DNSBLS than this var, it gets
                        # REJECTed immediately

## RHSBL settings
   @rhsbl_score = (
); 

## Postscreen already does this
   @dnsbl_score = (
#    HOST,                    HIT SCORE,  MISS SCORE,  LOG NAME
); 


# See mail from Florian and RFC 5321
#
# Re: [ltp] broken mail server setup for linux-thinkpad mailing list
# Florian Reitmeir […]
#
# http://tools.ietf.org/html/rfc5321

   @client_ip_eq_helo_score          = (0,      0 );
   @helo_from_mx_eq_ip_score         = (0,      0 );
   @helo_numeric_score               = (0,      0 );


Hmmm, I think I'll switch that off.

Hmmm, and TLS hardening would be sensible at some point too.

I think it makes sense to plan some time for this again.

> > zgrep -i "recipients" /var/log/mail.log*
> 
> Better to search for the IP of the delivering server.

But then I find all mails from all the KDE mailing lists, and there are quite a few of them. I already searched for the mailing list address, but that is quite a few mails as well.

-- 
Martin
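
Added example, not part of the original message: one way to narrow the log search discussed above is to group smtpd log lines by process and connection and keep only the sessions that contain the error. The sample log lines and host names are constructed, and the `proxy-reject` line format is an assumption about how the error shows up in mail.log.

```python
import re
from collections import defaultdict

# Constructed sample lines in syslog style; hosts and addresses are placeholders.
SAMPLE_LOG = """\
Jan 18 10:12:01 mx postfix/smtpd[2345]: connect from lists.example.org[192.0.2.10]
Jan 18 10:12:02 mx postfix/smtpd[2350]: connect from lists.example.org[192.0.2.10]
Jan 18 10:12:03 mx postfix/smtpd[2345]: 4F2A1C0: client=lists.example.org[192.0.2.10]
Jan 18 10:12:04 mx postfix/smtpd[2350]: proxy-reject: END-OF-MESSAGE: 451 4.3.0 Error: queue file write error; from=<list-bounces@example.org> to=<user@example.net>
Jan 18 10:12:04 mx postfix/smtpd[2345]: disconnect from lists.example.org[192.0.2.10]
Jan 18 10:12:05 mx postfix/smtpd[2350]: disconnect from lists.example.org[192.0.2.10]
"""

# "postfix/smtpd[PID]: message" part of a syslog line.
PROC = re.compile(r"\s(postfix/smtpd\[\d+\]):\s+(.*)$")
# Accept both word orders: the thread writes "queue write file error".
ERROR = re.compile(r"queue (?:file write|write file) error", re.IGNORECASE)


def failed_sessions(lines):
    """Return the smtpd sessions (lists of log lines) that contain the error."""
    open_sessions = defaultdict(list)
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        m = PROC.search(line)
        if not m:
            continue
        proc, msg = m.groups()
        if msg.startswith("connect from "):
            open_sessions[proc] = []  # one smtpd process serves many clients in turn
        open_sessions[proc].append(line)
        if msg.startswith("disconnect from "):
            session = open_sessions.pop(proc)
            if any(ERROR.search(entry) for entry in session):
                hits.append(session)
    # Sessions cut off by log rotation never log a disconnect; check them too.
    hits.extend(s for s in open_sessions.values()
                if any(ERROR.search(entry) for entry in s))
    return hits


if __name__ == "__main__":
    for session in failed_sessions(SAMPLE_LOG.splitlines()):
        print("\n".join(session), end="\n\n")
```

For rotated logs, pass the lines from `gzip.open(path, "rt")` instead of the embedded sample.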


More information about the mailing list Postfixbuch-users