Timeout issue and 'open relay' issue

Cedric Knight cedric at gn.apc.org
Tue Jan 29 12:59:49 CET 2013


I'll take a stab at both problems:

On 29/01/13 09:49, Danilo Godec wrote:
> Hello,
> 
> I have amavisd-new 2.7.0 and postfix 2.5.13 running on SLES 11. It's
> set up in a pretty much standard 'SuSE' way:
> 
> master.cf:
> 
> smtp      inet  n       -       n       -       10       smtpd -o
> receive_override_options=no_address_mappings -o
> content_filter=smtp:[127.0.0.1]:10024
> 
> localhost:10025 inet    n       -       n       -       -       smtpd -o
> smtpd_autorized_xforward_hosts=127.0.0.0/8 -o content_filter= -o
> receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_address_mappings

I see a typo in the reinjection line: smtpd_autorized_xforward_hosts
should be smtpd_authorized_xforward_hosts.  Could this cause
postfix/smtpd to time out on a reused connection?

> Jan 29 09:10:55 mail amavis[24469]: (24469-11) (!!)TROUBLE in
> process_request: Error writing to socket: Broken pipe at
> /usr/sbin/amavisd line 6843.

snip part of logs:
>> Jan 29 09:10:55 mail amavis[24469]: (24469-11) smtp cmd> RCPT
>> TO:<recipient at recipient_domain> ORCPT=rfc822;recipient at recipient_domain
>> Jan 29 09:10:55 mail amavis[24469]: (24469-11) smtp cmd> DATA
>> Jan 29 09:10:55 mail amavis[24469]: (24469-11) rw_loop: needline=0,
>> flush=1, wr=1, timeout=120
>> Jan 29 09:10:55 mail amavis[24469]: (24469-11) rw_loop: receiving
>> Jan 29 09:10:55 mail amavis[24469]: (24469-11) rw_loop read 49 chars<
>> 421 4.4.2 mail.sender_domain Error: timeout exceeded\r\n

> What timeout would that be? I'm running several amavisd-new setups and I
> can't remember having to increase Postfix timeouts...

The relevant one should be:
smtpd_timeout = ${stress?10}${stress:300}s
In other words, 5 minutes, not immediately.  There is something wrong
with the smtpd daemon, perhaps the typo.

When was the previous network read?  Was the postfix banner and EHLO
response read by amavis correctly?

Open relay:

> The other issue is this - despite having 'mynetworks' set up correctly (I
> think, as we use 192.168.0.0/23), amavisd still considers my local IPs
> as 'non-local' and marks outgoing mail as 'RelayedOpenRelay':
> 
> 
>> Jan 29 09:51:17 mail amavis[15819]: (15819-15)
>> fish_out_ip_from_received: 192.168.0.213
>> Jan 29 09:51:17 mail amavis[15819]: (15819-15) lookup_ip_acl
>> (publicnetworks) arr.obj: key="192.168.0.213" matches
>> "!192.168.0.0/16", result=0
>> Jan 29 09:51:17 mail amavis[15819]: (15819-15)
>> parse_ip_address_from_received: 192.168.0.213
>> Jan 29 09:51:17 mail amavis[15819]: (15819-15) Passed CLEAN
>> {RelayedOpenRelay}, [192.168.0.213] <sender at sender_domain> ->
>> <recipient at recipient_domain>, Message-ID: <51078D0A.3040904 at inles.si>,
>> mail_id: qM5I2
>> vutMZVM, Hits: -0.999, size: 27788, queued_as: A7B2B76338, 449 ms
>> Jan 29 09:51:17 mail amavis[15819]: (15819-15) Open relay? Nonlocal
>> recips but not originating: recipient at recipient_domain
> 
> 
> What's wrong there?

Nothing much, probably.  By "local IPs", I take you to mean
authenticated users from a LAN. Does the same relay also handle incoming
mail?  If so, how is amavis supposed to tell the difference?  Are LAN
users using a submission port?

As Mark says at
http://lists.amavis.org/pipermail/amavis-users/2011-March/000063.html
"For more complex setups where your users submit mail from foreign
networks, you need to set up a dedicated policy bank with
originating=>1, attach it to a dedicated TCP port, then configure
Postfix to pass authenticated mail from MSA to such port."

Alternatively, if you had dedicated postfix smtp daemons to deliver to
the content filter ("amavisfeed") you can set the override on them "-o
smtp_send_xforward_command=yes".  Then the value of @mynetworks is
respected.  See
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex

HTH

C
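
Added example, not part of the original message and not Postfix or amavisd code: a small Python check that flags misspelled `-o` override names in master.cf, such as the one pointed out in the reinjection service above. The reference parameter set and the sample text are constructed for this example; on a real host the set would be built from `postconf -d` output.

```python
import difflib
import re

# Assumption: a small reference set of real Postfix parameter names, enough
# for this example; on a live host, build it from `postconf -d` instead.
KNOWN_PARAMS = {
    "content_filter", "receive_override_options", "mynetworks",
    "smtpd_authorized_xforward_hosts", "smtpd_timeout",
    "smtp_send_xforward_command", "smtpd_recipient_restrictions",
}

# Constructed sample based on the master.cf entries quoted in the thread.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       10       smtpd
  -o receive_override_options=no_address_mappings
  -o content_filter=smtp:[127.0.0.1]:10024
# reinjection listener
localhost:10025 inet    n       -       n       -       -       smtpd
  -o smtpd_autorized_xforward_hosts=127.0.0.0/8 -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_address_mappings
"""

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) into entries."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def check_overrides(text, known=KNOWN_PARAMS):
    """Return (service, bad_name, suggestion) for each unknown -o parameter."""
    findings = []
    for entry in logical_lines(text):
        service = entry.split()[0]
        for name in re.findall(r"-o\s+([A-Za-z0-9_]+)\s*=", entry):
            if name not in known:
                close = difflib.get_close_matches(name, known, n=1, cutoff=0.8)
                findings.append((service, name, close[0] if close else None))
    return findings

if __name__ == "__main__":
    for service, name, hint in check_overrides(SAMPLE_MASTER_CF):
        print(f"{service}: unknown parameter {name!r}; did you mean {hint!r}?")
```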

