Postfix after server IP change

ScApi · Jun 22nd 2012

First off all Server was running couple of months without any problems directly connected to ISP, but I had to change ISP and now server is behind NAT/Router with internal static IP and redirected ports on Router.

Now the difficult part, Apache/FTP is working without any problems but postfix have problems with accepting mails, I know that it has something to do with my networking config, postfix cannot resolve incoming hostnames and sends it to spam (only warns now after re-configuring)

LOG:

Code

Jun 22 19:21:52 data postfix/smtpd[2862]: connect from unknown[192.168.1.1]Jun 22 19:21:53 data postfix/policyd-weight[2507]: weighted check: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 IN_IPv6_RBL=4.25 CL_IP_NE_HELO=5.75 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .otodom. - helo: .smtpfarm2.allegro. - helo-domain: .allegro.) FROM_NOT_FAILED_HELO(DOMAIN)=7.25; <client=192.168.1.1> <helo=smtpfarm2.allegro.pl> <from=otodom@otodom.pl> <to=biuro@m4-nieruchomosci.pl>; rate: 14.25Jun 22 19:21:53 data postfix/policyd-weight[2507]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: smtpfarm2.allegro.pl, MTA hostname: unknown[192.168.1.1] (helo/hostname mismatch); <client=192.168.1.1> <helo=smtpfarm2.allegro.pl> <from=otodom@otodom.pl> <to=biuro@m4-nieruchomosci.pl>; delay: 1s

main.cf

Code

# ====================================================================
# i-MSCP Internet - Multi Server Control Panel
#
# @copyright 2010-2012 by i-MSCP | http://www.i-mscp.net
# @link http://www.i-mscp.net
# @author i-MSCP Team
# Postfix directory settings; These are critical for normal Postfix MTA functionallity
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
# Some common configuration parameters
inet_protocols = ipv4, ipv6
inet_interfaces = all
mynetworks_style = host
myhostname = data.goldcart.pl
mydomain = data.goldcart.pl.local
myorigin = $myhostname
smtpd_banner = $myhostname ESMTP i-MSCP 1.0.2.1 Managed
setgid_group = postdrop
# Receiving messages parameters
mydestination = $myhostname, $mydomain
append_dot_mydomain = no
append_at_myorigin = yes
local_transport = local
transport_maps = hash:/etc/postfix/imscp/transport
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Delivering local messages parameters
mail_spool_directory = /var/mail
# Mailboxquota
# => 0 for unlimited
# => 104857600 for 100 MB
mailbox_size_limit = 0
mailbox_command = procmail -a "$EXTENSION"
# Message size limit
# => 0 for unlimited
# => 104857600 for 100 MB
message_size_limit = 0
biff = no
recipient_delimiter = +
local_destination_recipient_limit = 1
local_recipient_maps = unix:passwd.byname $alias_database
# i-MSCP Autoresponder parameters
imscp-arpl_destination_recipient_limit = 1
# Delivering virtual messages parameters
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_limit = 0
virtual_mailbox_domains = hash:/etc/postfix/imscp/domains
virtual_mailbox_maps = hash:/etc/postfix/imscp/mailboxes
virtual_alias_maps = hash:/etc/postfix/imscp/aliases
virtual_minimum_uid = 999
virtual_uid_maps = static:999
virtual_gid_maps = static:8
# SASL parameters
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_unknown_sender_domain,
permit_mynetworks,
permit_sasl_authenticated
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unlisted_recipient,
check_client_access hash:/etc/postfix/policyd_whitelist,
warn_if_reject check_policy_service inet:127.0.0.1:12525,
check_policy_service inet:127.0.0.1:10023,
permit
smtpd_data_restrictions = reject_multi_recipient_bounce,
reject_unauth_pipelining
# TLS parameters
smtpd_tls_security_level = may
smtpd_tls_loglevel = 2
smtpd_tls_cert_file = /etc/imscp/data.goldcart.pl.pem
smtpd_tls_key_file = /etc/imscp/data.goldcart.pl.pem
smtpd_tls_auth_only = no
smtpd_tls_received_header = yes
# AMaViS parameters; activate, if available/used
#content_filter = amavis:[127.0.0.1]:10024
# Quota support; activate, if available/used
#virtual_create_maildirsize = yes
#virtual_mailbox_extended = yes
#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = "The user you're trying to reach is over mailbox quota."
#virtual_overquota_bounce = yes
smtpd_sasl_local_domain =
virtual_transport = virtual

Display More

What I have done wrong ?

**c0urier** · Jun 22nd 2012

A quick fix and it's recommended to do anyway is to disable HELO check, since you'll catch a lot of false positives with this. A lot of people have HELO mismatches, and even though it catches some spam, it's not that big of a difference.

Test this:

Code

policyd-weight defaults | sed s/"$dnsbl_checks_only = 0"/"$dnsbl_checks_only = 1"/ > /etc/policyd-weight.conf

Then:
/etc/init.d/postfix restart

And try again.

ScApi · Jun 23rd 2012

Thank You for that tip, now receiving works like it suppose to.

Code

Jun 23 11:38:16 data postfix/policyd-weight[2583]: cache_query: ask 192.168.1.1 scapi@op.pl op.plJun 23 11:38:16 data postfix/policyd-weight[2583]: cache_query: "ask192.168.1.1scapi@op.pl 0" vs "ask192.168.1.1scapi@op.pl "Jun 23 11:38:16 data postfix/policyd-weight[2583]: decided action=PREPEND X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 IN_IPv6_RBL=4.25 (only DNSBL check requested); <instance=a49.4fe58e88.1f4a3.0> <client=192.168.1.1> <helo=smtpo28.poczta.onet.pl> <from=scapi@op.pl> <to=admin@scapi.zgora.pl>; delay: 0sJun 23 11:38:16 data postgrey[1704]: action=pass, reason=client AWL, client_name=unknown, client_address=192.168.1.1, sender=scapi@op.pl, recipient=admin@scapi.zgora.plJun 23 11:38:16 data postfix/smtpd[2633]: 83FC21A809E: client=unknown[192.168.1.1]Jun 23 11:38:16 data postfix/cleanup[2635]: 83FC21A809E: message-id=<86896784-7e85f2ee777e80e2ef282c13a121dbdd@pkn6.m5r2.onet>Jun 23 11:38:16 data postfix/smtpd[2633]: disconnect from unknown[192.168.1.1]Jun 23 11:38:16 data postfix/qmgr[1875]: 83FC21A809E: from=<scapi@op.pl>, size=1813, nrcpt=1 (queue active)Jun 23 11:38:16 data postfix/virtual[2636]: 83FC21A809E: to=<admin@scapi.zgora.pl>, relay=virtual, delay=0.46, delays=0.46/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)Jun 23 11:38:16 data postfix/qmgr[1875]: 83FC21A809E: removed

By the way after changing IP form external to internal I'v got a problem with spam sending from server, server didn't ask for any authentication, but after changing network type from subnet to host, now I only get these:

Code

Jun 23 11:30:09 data postfix/smtpd[2539]: connect from unknown[192.168.1.1]
Jun 23 11:30:10 data postfix/smtpd[2539]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 504 5.5.2 <vqyfqute>: Helo command rejected: need fully-qualified hostname; from=<kcbft@cjrhhb.com> to=<mirui19780830@sina.com> proto=ESMTP helo=<vqyfqute>
Jun 23 11:30:11 data postfix/smtpd[2539]: lost connection after DATA from unknown[192.168.1.1]
Jun 23 11:30:11 data postfix/smtpd[2539]: disconnect from unknown[192.168.1.1]
Jun 23 11:32:14 data postfix/smtpd[2580]: initializing the server-side TLS engine
Jun 23 11:32:14 data postfix/smtpd[2580]: connect from unknown[192.168.1.1]
Jun 23 11:32:15 data postfix/smtpd[2580]: NOQUEUE: reject: RCPT from unknown[192.168.1.1]: 504 5.5.2 <hfgpilag>: Helo command rejected: need fully-qualified hostname; from=<uwhwghb@dhpretfo.com> to=<miujuile@sina.com> proto=ESMTP helo=<hfgpilag>
Jun 23 11:33:31 data postfix/smtpd[2582]: initializing the server-side TLS engine
Jun 23 11:33:31 data postfix/smtpd[2582]: connect from unknown[192.168.1.1]

Is it right solution ? Earlier when server was on public IP only authenticated clients could send mails.

P.S. Sorry for stupid questions but I'v took this server from other administrator and I don't know how he configured it.

**c0urier** · Jun 23rd 2012

For me it looks like some random spam bot is trying to send to an email address on your server. I can't really say for sure, since I don't know if any of those addresses are one of your clients. But it looks perfectly fine to me, I wouldn't be scare of it anyway =).

ScApi · Jun 24th 2012

Yes, that's spyboot, now I also have smtp login atempts.

One last question, system is running on Debian, is there any way to force postfix to resolve incoming connections to real outside IP then te local/router one ? I'v redirected almost all ports but it looks like on log. Every incomming connections are seen as local/router.

**c0urier** · Jun 24th 2012

It's because you've configured your router wrong. I run a personal server at home also and it's behind NAT and it resolves the real IPs just fine.

Can you write/draw what your setup looks like (Also what kind of router hardware/software you use)?

ScApi · Jun 25th 2012

Router is SAPIDO RB-1733 (realtek based)

WAN SIDE: Connected to ISP Device (UPC) Static IP from ISP.

LAN SIDE: DHCP Server, IP assigned by MAC, redirected SSH/FTP/WWW/SMTP/POP3/IMAP ports to Server IP.

Server is Debian 6.0, only on eth interface, DHCP Client.

**c0urier** · Jun 25th 2012

Oh I think that might be due to limitations of the router. I am not sure it supports advanced NATing. I've never heard of the product.

Sorry, but I can't help you further then this. Hope you can live with the internal IP showing, the mail should still come through.

Postfix after server IP change

Share

Similar Threads

I-MSCP and rspamd

i-MSCP 1.4.7 - Could not restart imscp_traffic service - ERROR: could not insert 'ip6_tables'

LetsEncrypt plugin - The Apache2 AWStats configuration goes away when issuing a new SSL certificate

i-MSCP 1.4.4 RELEASED

Daily visitors