Timeout issue and 'open relay' issue

Danilo Godec danilo.godec at agenda.si
Wed Jan 30 09:45:03 CET 2013


On 29. 01. 2013 12:59, Cedric Knight wrote:
> I'll take a stab at both problems:

Thank you, I'll add my comments inline...

> On 29/01/13 09:49, Danilo Godec wrote:
>> content_filter=smtp:[127.0.0.1]:10024
>>
>> localhost:10025 inet    n       -       n       -       -       smtpd -o
>> smtpd_autorized_xforward_hosts=127.0.0.0/8 -o content_filter= -o
>> receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_address_mappings
> I see a typo in the reinjection line: smtpd_autorized_xforward_hosts
> should be smtpd_authorized_xforward_hosts.  Could this cause
> postfix/smtpd to time out on a reused connection?

Thank you, I corrected the error, but the problem persisted.

I did spot that the 'global' smtpd_timeout in main.cf is set quite low -
15 seconds, so I added '-o smtpd_timeout=300s' to the above reinjection
line - so far, there have been no more errors...

> snip part of logs:
>>> Jan 29 09:10:55 mail amavis[24469]: (24469-11) smtp cmd> RCPT
>>> TO:<recipient at recipient_domain> ORCPT=rfc822;recipient at recipient_domain
>>> Jan 29 09:10:55 mail amavis[24469]: (24469-11) smtp cmd> DATA
>>> Jan 29 09:10:55 mail amavis[24469]: (24469-11) rw_loop: needline=0,
>>> flush=1, wr=1, timeout=120
>>> Jan 29 09:10:55 mail amavis[24469]: (24469-11) rw_loop: receiving
>>> Jan 29 09:10:55 mail amavis[24469]: (24469-11) rw_loop read 49 chars<
>>> 421 4.4.2 mail.sender_domain Error: timeout exceeded\r\n
>> What timeout would that be? I'm running several amavisd-new setups and I
>> can't remember having to increase Postfix timeouts...
> The relevant one should be:
> smtpd_timeout = ${stress?10}${stress:300}s
> In other words, 5 minutes, not immediately.  There is something wrong
> with the smtpd daemon, perhaps the typo.
>
> When was the previous network read?  Was the postfix banner and EHLO
> response read by amavis correctly?

I suppose it was - it seems this is only happening on larger mails with
attachments and the above 'smtpd_timeout' may resolve this.


> Open relay:
>
>> The other issue is this - despite having 'mynetworks' set up correctly (I
>> think, as we use 192.168.0.0/23), amavisd still considers my local IPs
>> as 'non-local' and marks outgoing mail as 'RelayedOpenRelay':
>>
>>
>>> Jan 29 09:51:17 mail amavis[15819]: (15819-15)
>>> fish_out_ip_from_received: 192.168.0.213
>>> Jan 29 09:51:17 mail amavis[15819]: (15819-15) lookup_ip_acl
>>> (publicnetworks) arr.obj: key="192.168.0.213" matches
>>> "!192.168.0.0/16", result=0
>>> Jan 29 09:51:17 mail amavis[15819]: (15819-15)
>>> parse_ip_address_from_received: 192.168.0.213
>>> Jan 29 09:51:17 mail amavis[15819]: (15819-15) Passed CLEAN
>>> {RelayedOpenRelay}, [192.168.0.213] <sender at sender_domain> ->
>>> <recipient at recipient_domain>, Message-ID: <51078D0A.3040904 at inles.si>,
>>> mail_id: qM5I2
>>> vutMZVM, Hits: -0.999, size: 27788, queued_as: A7B2B76338, 449 ms
>>> Jan 29 09:51:17 mail amavis[15819]: (15819-15) Open relay? Nonlocal
>>> recips but not originating: recipient at recipient_domain
>>
>> What's wrong there?
> Nothing much, probably.  By "local IPs", I take you to mean
> authenticated users from a LAN. Does the same relay also handle incoming
> mail?  If so, how is amavis supposed to tell the difference?  Are LAN
> users using a submission port?

By 'local IPs' I mean those that are listed in 'mynetworks' and are in
fact local LAN.

Yes, the same relay handles incoming mail and as far as I know LAN users
are also using port 25.


> As Mark says at
> http://lists.amavis.org/pipermail/amavis-users/2011-March/000063.html
> "For more complex setups where your users submit mail from foreign
> networks, you need to set up a dedicated policy bank with
> originating=>1, attach it to a dedicated TCP port, then configure
> Postfix to pass authenticated mail from MSA to such port."
>
> Alternatively, if you had dedicated postfix smtp daemons to deliver to
> the content filter ("amavisfeed") you can set the override on them "-o
> smtp_send_xforward_command=yes".  Then the value of @mynetworks is
> respected.  See
> http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex


Looking at my logs, it seems like amavis has a pretty good idea where
mails originate from as it shows correct IPs:

> Jan 30 09:31:55 mail amavis[20609]: (20609-19) Passed CLEAN
> {RelayedOpenRelay}, [192.168.0.167] <sender at sender_domain> ->
> <recipient at recipient_domain>, Message-ID:
> <5108DA63.1040708 at sender_domain>, mail_id: AYF7j5uuh06p, Hits: -1,
> size: 36016, queued_as: 43D4476338, 484 ms

'sender_domain' is '$mydomain' in amavisd.conf...


I did add '-o smtp_send_xforward_command=yes' to my 'smtp' line in
'master.cf':

> smtp      inet  n       -       n       -       10       smtpd -o
> receive_override_options=no_address_mappings -o
> content_filter=smtp:[127.0.0.1]:10024 -o smtp_send_xforward_command=yes

But it was all the same.




   Regards,

 Danilo
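
A triage check for the log entries in this thread, as an added example (not code from the post or from amavisd-new): it separates `{RelayedOpenRelay}` verdicts whose client IP lies inside the site's own networks, which points to mail not being flagged as originating, from those with outside client IPs. `INTERNAL_NETS`, the function name and the last two sample log lines are assumptions made for the example.

```python
import ipaddress
import re

# Assumption: the networks the site treats as internal; 192.168.0.0/23 is the
# range named in the post.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/23")]

# Constructed sample: the two "Passed CLEAN" entries from the post, shortened and
# unwrapped onto single lines, plus two invented entries using documentation IPs.
SAMPLE_LOG = """\
Jan 29 09:51:17 mail amavis[15819]: (15819-15) Passed CLEAN {RelayedOpenRelay}, [192.168.0.213] <sender at sender_domain> -> <recipient at recipient_domain>, Hits: -0.999, size: 27788
Jan 30 09:31:55 mail amavis[20609]: (20609-19) Passed CLEAN {RelayedOpenRelay}, [192.168.0.167] <sender at sender_domain> -> <recipient at recipient_domain>, Hits: -1, size: 36016
Jan 30 09:40:02 mail amavis[20611]: (20611-03) Passed CLEAN {RelayedOpenRelay}, [203.0.113.25] <a at example.net> -> <b at example.org>, Hits: 0.1, size: 1200
Jan 30 09:41:10 mail amavis[20612]: (20612-01) Passed CLEAN {RelayedInbound}, [198.51.100.7] <c at example.net> -> <recipient at sender_domain>, Hits: 0.2, size: 900
"""

# Matches the verdict line: "(id) Passed|Blocked ... {Category}, [client-ip]"
ENTRY = re.compile(
    r"amavis\[\d+\]: \((?P<id>[\d-]+)\) (?:Passed|Blocked) .*?"
    r"\{(?P<cat>[^}]+)\}, \[(?P<ip>[^\]]+)\]"
)


def triage_open_relay(log_text, internal_nets=INTERNAL_NETS):
    """Split {...OpenRelay} verdicts by whether the client IP is internal."""
    result = {"internal_not_originating": [], "external": []}
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m or "OpenRelay" not in m["cat"]:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # unparsable client address; leave for manual review
        internal = any(ip in net for net in internal_nets)
        key = "internal_not_originating" if internal else "external"
        result[key].append((m["id"], str(ip)))
    return result


if __name__ == "__main__":
    for bucket, hits in triage_open_relay(SAMPLE_LOG).items():
        print(bucket, hits)
```

Entries in the first bucket are internal clients whose mail was relayed without the originating flag; entries in the second are the ones to check against the MTA's relay restrictions.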


