LinuxQuestions.org
Old 09-05-2008, 08:34 AM   #1
t3chn0m0nk3y
How can I configure Postfix as a receive-only intranet mail server?


As the title suggests I have a strange request as I'm building kind of a Frankenstein development box. The ultimate goal is to have my other servers email specially formatted daily/periodic reports to my dev box and have a custom script parse the emails in order to dynamically generate wiki pages on MediaWiki.

I'm sure you can imagine the usefulness of such a project.

However, I'm fairly new to configuring Postfix and despite a lot of googling and forum trolling I can't seem to find anyone that's attempted to build a receive-only server (however I did find plenty of send-only ones).

Let me clarify, I do need to be able to send mail out, but only from root@myserver.mydomain.com and only to my existing mail server (Zimbra FOSS on Ubuntu) to be delivered to my internal email address for reports and such.

here are the details:

HP proliant ML330 server
Ubuntu 8.04 LTS Server
Local network is 192.168.0.0/16
hostname dev.mydomain.com
*edit* uname 2.6.24-19-server

I need to have other servers email from their respective root accounts (root@server.mydomain.com) to "wiki@dev.mydomain.com" and stored in /home/wiki/Maildir/

I will then parse the individual messages stored there with a shell script and I will ask about the mediawiki piece of it in another thread.

I ran sudo apt-get install postfix and chose the option for "Internet with smarthost"

and I edited the /etc/postfix/main.cf to use Maildir/ over mbox.

Issue 1) Just to make sure the system is up and running, I tried to telnet to port 25 and do EHLO / MAIL FROM / RCPT TO. It accepts MAIL FROM root@dev.mydomain.com but not RCPT TO wiki@dev.mydomain.com, showing the error "Unable to relay for wiki@dev.mydomain.com"

Issue 2) Now how do I get it to receive only from specificuser@*.mydomain.com and send only from root@dev.mydomain.com? I do not need or want this server to be fully qualified, and I want it to deny any sender OTHER than a list I specify.

Issue 3) At this time the /home/anyuser/Maildir/ isn't present. Do I have to run something special to get these to populate?

Advice?

-TM

Last edited by t3chn0m0nk3y; 09-05-2008 at 08:39 AM.
 
Old 09-06-2008, 12:13 AM   #2
Mr. C.
Issue 1) Show postconf -n and the relevant log lines that show the failure.

Issue 2) Postfix will accept mail for only listed recipients from the relevant recipient classes. You can use a check_recipient_access list to reject all but the single address you want. Same with senders, but using check_sender_access.

Issue 3) The simplest way is to send a mail message to that user - Postfix will create the maildir. You can use commands such as maildirmake to create the maildirs as well.
 
Old 09-08-2008, 09:42 AM   #3
t3chn0m0nk3y
postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command =
mailbox_size_limit = 0
mydestination = dev.mydomain.com, localhost.mydomain.com, , localhost
myhostname = dev.mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/16
myorigin = dev.mydomain.com
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_generic_maps = hash:/etc/postfix/generic
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

**actual domain replaced with "mydomain.com"

/var/log/mail.log:

Sep 8 07:44:38 vpdev postfix/smtp[3982]: fatal: open database /etc/postfix/generic.db: No such file or directory
Sep 8 07:44:39 vpdev postfix/master[1100]: warning: process /usr/lib/postfix/smtp pid 3982 exit status 1
Sep 8 07:44:39 vpdev postfix/master[1100]: warning: /usr/lib/postfix/smtp: bad command startup -- throttling

(repeated)

I'll see if I can google the check_sender/recipient_access lists and report back.

Not sure how to use maildirmake; I've heard of it before, but when I try to run it from the command line it gives an error, and apt-get doesn't recognize it either. Please give a little more info - still a newb with mail services.

-TM
 
Old 09-08-2008, 03:03 PM   #4
Mr. C.
Re each issue:

1) wiki@dev.mydomain.com is not accepted as a recipient because you don't have a local wiki user defined (e.g. in /etc/passwd, or in the Postfix alias database /etc/aliases). /etc/passwd and /etc/aliases are for LOCAL users (e.g. those with Unix/Linux user accounts). So you either need to create the user wiki on the dev.mydomain.com system, or use a virtual mailbox.

2) Don't use google as your first source for these postfix questions; use the very good postfix documentation first, and google for additional help:

http://www.postfix.org/documentation.html

and these are important docs for access control:

http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/RESTRICTION_CLASS_README.html

You are asking how to allow envelope senders specificuser@*.mydomain.com and root@dev.mydomain.com, but reject all other envelope senders.

An example of a simple smtpd_sender_restrictions:
Code:
main.cf:
     smtpd_sender_restrictions = 
        check_sender_access pcre:/etc/postfix/sender_checks
        permit

/etc/postfix/sender_checks:
    /^root@dev\.mydomain\.com$/         OK
    /^specificuser@.*\.mydomain\.com$/  OK
    /./                                 REJECT This mail server does not accept mail from you
This accepts mail sent from root@dev.mydomain.com and specificuser at any subdomain under mydomain.com. You can replace the ".*" subdomain with specific subdomains, duplicating the line and setting the specific subdomain. You should know that envelope sender is trivial to spoof, so this is not a strong form of access control.

Consider that there may be other local accounts that you may want to receive email from.

I don't understand your statement about not wanting a fully qualified domain name, yet your examples are all fully qualified!

3) Just send a test email to the user to create the user's Maildir.
 
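To make the semantics of that pcre sender table concrete, here is an added example (not code from the thread or from Postfix) that parses the table exactly as posted above and evaluates candidate envelope senders the way Postfix evaluates a `check_sender_access pcre:` lookup followed by `permit`: first matching rule wins, `OK` falls through to the trailing `permit`, `REJECT` stops. The probe addresses, including the two lookalikes, are constructed for the example; the "misordered" table is shown only to illustrate why the `/./` catch-all has to come last.

```python
import re

# Copy of the pcre: sender table from the post above (constructed here so the example runs offline).
SENDER_CHECKS = r"""
/^root@dev\.mydomain\.com$/         OK
/^specificuser@.*\.mydomain\.com$/  OK
/./                                 REJECT This mail server does not accept mail from you
"""

# Same rules with the catch-all first: a common mistake, shown for contrast.
MISORDERED_CHECKS = r"""
/./                                 REJECT This mail server does not accept mail from you
/^root@dev\.mydomain\.com$/         OK
"""

# '/pattern/flags action' with a backslash-escaped body; comments and blank lines are skipped.
_LINE = re.compile(r"^/((?:\\.|[^/])*)/([A-Za-z!]*)\s+(.*)$")


def parse_pcre_table(text):
    """Parse a Postfix pcre: access table into [(compiled_regex, action), ...].

    Postfix pcre tables match case-insensitively by default and the 'i' flag
    toggles that; that is the only flag modelled here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError("unparseable table line: %r" % raw)
        pattern, flags, action = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action.strip()))
    return rules


def lookup(rules, key):
    """First match wins, as in Postfix; returns the action string or None when nothing matched."""
    for regex, action in rules:
        if regex.search(key):
            return action
    return None


def sender_decision(rules, envelope_sender):
    """Model 'check_sender_access pcre:..., permit' from smtpd_sender_restrictions.

    OK (or no match) falls through to the trailing 'permit'; REJECT stops evaluation.
    Regexp-style tables are queried with the whole address, so there is no separate
    'domain' or 'user@' lookup as there would be with a hash: table.
    """
    action = lookup(rules, envelope_sender)
    if action is None or action.upper() == "OK":
        return "permit"
    if action.upper().startswith("REJECT"):
        return "reject"
    return action.lower()


def evaluate(table_text, senders):
    """Return {envelope_sender: decision} for a list of candidate MAIL FROM addresses."""
    rules = parse_pcre_table(table_text)
    return {s: sender_decision(rules, s) for s in senders}


if __name__ == "__main__":
    # Constructed candidates, including two lookalikes that the ^...$ anchors must not let through.
    probes = [
        "root@dev.mydomain.com",
        "ROOT@DEV.MYDOMAIN.COM",
        "specificuser@web.mydomain.com",
        "specificuser@mydomain.com",
        "root@dev.mydomain.com.attacker.example",
        "wiki@dev.mydomain.com",
    ]
    for sender, decision in evaluate(SENDER_CHECKS, probes).items():
        print("%-45s %s" % (sender, decision))
    # With the catch-all first, even the intended sender is rejected.
    print("misordered:", evaluate(MISORDERED_CHECKS, ["root@dev.mydomain.com"]))
```

Two things worth noticing when you run it: `specificuser@mydomain.com` is rejected because the pattern requires a subdomain (`.*\.mydomain\.com`), and a sender like `root@dev.mydomain.com.attacker.example` is rejected only because the rule is anchored with `$`. Neither check is authentication, as Mr. C. notes: anything that can reach port 25 can claim any envelope sender, so pair this with `permit_mynetworks`-style restrictions on who may connect at all.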
Old 09-09-2008, 08:39 AM   #5
t3chn0m0nk3y
Actually i did create a user 'wiki' and set a password and verify that all the account details were in place before attempting to mail to it. So I'm not sure what to say in response, maybe you can revisit the unable to receive mail issue knowing this? Is there any further info I can supply?

I also did scroll through the Postfix docs heavily, but honestly some of it was rather cryptic. Upon which I moved to google. But I will definitely work off your supplied code to see if I can get things moving in the right direction - THANKS!

To answer your question about using a FQDN: our local domain is actually something.mydomain.com and is internally managed by a Windows 2003 PDC. However our internal servers are NOT visible to the external domain which is more accurately mydomain.com. We have a set number of ext. IP addresses and they are assigned through a hardware firewall to forward those ports to the appropriate servers (such as our actual mail server and a Sun Global Desktop server). Why it was set up like this I have no idea; I'm a new hire and everything was...well, cluster-f***d when I got here. So I DO NOT want the dev box to be visible outside of our intranet, but visible to everything inside of our 192.168.0.0/16 network, which is controlled by our Windows PDC/DNS server.


-TM

Last edited by t3chn0m0nk3y; 09-09-2008 at 08:55 AM.
 
Old 09-09-2008, 03:55 PM   #6
billymayday
Postfix probably isn't running given the error in the log.

Look at "ps aux | grep master" to see if it's running, you will either need to comment out

smtp_generic_maps = hash:/etc/postfix/generic

or run

postmap /etc/postfix/generic

since the log is pretty clear that generic.db doesn't exist (postmap will create this from generic)
 
Old 09-12-2008, 01:16 PM   #7
t3chn0m0nk3y
Well, seems some things are working now, others are not.

Running the postmap /etc/postfix/generic seemed to allow one of the messages from root@ to push through and be delivered.

I also did another EHLO test:

telnet localhost 25
trying 127.0.0.1...
Escape character is '^]'.
220 dev.mydomain.com ESMTP Postfix (Ubuntu)
EHLO
501 syntax: EHLO hostname
MAIL FROM: me@dev.mydomain.com
250 2.1.0 Ok
RCPT TO: me@mydomain.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
test message
.
250 2.0.0 Ok: queued as 3E42B13C10B

looked good. but it never got delivered. what else can I check?

-TM
 
Old 09-12-2008, 03:46 PM   #8
Mr. C.
This shows the mail was queued for delivery, but does not show anything after that. Always show the relevant Postfix logs for the mail queue ID (in this case 3E42B13C10B):

grep 3E42B13C10B /var/log/mail*
 
Old 09-15-2008, 10:09 AM   #9
t3chn0m0nk3y
log info followup

Sorry, should have assumed.

/var/log/mail.info.0:Sep 11 08:15:10 vpdev postfix/smtpd[20463]: 3E42B13C10B: client=localhost[127.0.0.1]
/var/log/mail.info.0:Sep 11 08:15:37 vpdev postfix/cleanup[20477]: 3E42B13C10B: message-id=<20080911121510.3E42B13C10B@vpdev.int.mydomain.com>
/var/log/mail.info.0:Sep 11 08:15:37 vpdev postfix/qmgr[20342]: 3E42B13C10B: from=<me@vpdev.int.mydomain.com>, size=398, nrcpt=1 (queue active)
/var/log/mail.info.0:Sep 11 08:15:37 vpdev postfix/smtp[20483]: 3E42B13C10B: to=<me@mydomain.com>, relay=none, delay=44, delays=44/0.04/0.02/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=mydomain.com type=A: Host found but no data record of requested type)
/var/log/mail.info.0:Sep 11 08:15:37 vpdev postfix/bounce[20484]: 3E42B13C10B: sender non-delivery notification: C91E913CD01
/var/log/mail.info.0:Sep 11 08:15:37 vpdev postfix/qmgr[20342]: 3E42B13C10B: removed
/var/log/mail.log.0:Sep 11 08:15:10 vpdev postfix/smtpd[20463]: 3E42B13C10B: client=localhost[127.0.0.1]
/var/log/mail.log.0:Sep 11 08:15:37 vpdev postfix/cleanup[20477]: 3E42B13C10B: message-id=<20080911121510.3E42B13C10B@vpdev.int.mydomain.com>
/var/log/mail.log.0:Sep 11 08:15:37 vpdev postfix/qmgr[20342]: 3E42B13C10B: from=<me@vpdev.int.mydomain.com>, size=398, nrcpt=1 (queue active)
/var/log/mail.log.0:Sep 11 08:15:37 vpdev postfix/smtp[20483]: 3E42B13C10B: to=<me@mydomain.com>, relay=none, delay=44, delays=44/0.04/0.02/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=mydomain.com type=A: Host found but no data record of requested type)
/var/log/mail.log.0:Sep 11 08:15:37 vpdev postfix/bounce[20484]: 3E42B13C10B: sender non-delivery notification: C91E913CD01
/var/log/mail.log.0:Sep 11 08:15:37 vpdev postfix/qmgr[20342]: 3E42B13C10B: removed

-TM

Last edited by t3chn0m0nk3y; 09-15-2008 at 10:13 AM.
 
Old 09-15-2008, 11:13 AM   #10
Mr. C.
Ok, the log line:

/var/log/mail.info.0:Sep 11 08:15:37 vpdev postfix/smtp[20483]: 3E42B13C10B: to=<me@mydomain.com>, relay=none, delay=44, delays=44/0.04/0.02/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=mydomain.com type=A: Host found but no data record of requested type)

shows that your DNS server to the recipient domain "mydomain.com" is not returning correct results. Either a proper MX or A record must be returned. But why is postfix trying to find where to send mail? Because it does not consider itself final destination for the recipient. Let's see why:

In your last postconf -n output, mydestination was:

mydestination = dev.mydomain.com, localhost.mydomain.com, , localhost

This would not let postfix believe that me@mydomain.com is a local email address. You would have to add mydomain.com to mydestination if you wanted mail delivered locally. Or, you have to change the recipient address to me@dev.mydomain.com.
 
Old 09-15-2008, 03:10 PM   #11
t3chn0m0nk3y
I understand; however, for the sake of clarification: if me@mydomain.com is an actual address on our actual mail server (mail.mydomain.com), which is publicly accessible and is where I want the outgoing mail from wiki@dev.int.mydomain.com to go, how would it find it if I change destinations to allow me@mydomain.com to be local?

-TM
 
Old 09-15-2008, 03:36 PM   #12
billymayday
Can you resolve the mx for mydomain.com from your machine? Try

dig mx mydomain.com
 
Old 09-16-2008, 09:28 AM   #13
t3chn0m0nk3y
; <<>> DiG 9.4.2-P1 <<>> mx vpsupply.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60636
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.com. IN MX

;; AUTHORITY SECTION:
mydomain.com. 3600 IN SOA win_srv.int.mydomain.com. hostmaster.int.mydomain.com. 11 900 600 86400 3600

;; Query time: 7 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Tue Sep 16 10:24:28 2008
;; MSG SIZE rcvd: 92

These are weird results. Shouldn't the MX record point to the external address of the mail server?
We have a Windows DNS server configured to allow internal access, but if you dig mail.mydomain.com it forces external resolution to the real world. Since all internal mail clients are configured to connect to "mail.mydomain.com" it always does external name caching.

-TM
 
Old 09-16-2008, 02:29 PM   #14
Mr. C.
I think there are a number of confusions here; the terminology you are using is somewhat loose, and may be causing some of the confusion. Concepts that need to be clear:

1) Internal (LAN) vs. External (WAN) DNS.
2) MX and A records.
3) How postfix knows the domains for which it is the final (or relay) destination.

1) It appears that layer8hosting.com is the authoritative DNS server for your domain:
Code:
$ dig vpsupply.com           

; <<>> DiG 9.5.0-P2 <<>> vpsupply.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49761
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;vpsupply.com.                  IN      A

;; ANSWER SECTION:
vpsupply.com.           2829    IN      A       74.43.252.133

;; AUTHORITY SECTION:
vpsupply.com.           2829    IN      NS      dns1.layer8hosting.com.
vpsupply.com.           2829    IN      NS      dns2.layer8hosting.com.

You also need to run an internal (LAN-based) DNS server that provides DNS resolution for your postfix server which appears to be on NAT'd LAN addresses. So you are creating a split-DNS system, where you provide LAN answers to LAN clients, and the other server provides WAN answers to querying clients on the WAN.

2) MX and A records on the WAN-facing DNS server must be WAN IP addresses. And they are:
Code:
$ host  vpsupply.com       
vpsupply.com has address 74.43.252.133
vpsupply.com mail is handled by 10 mail.vpsupply.com.
But for the LAN, you use LAN IP addresses. Hence the split-view DNS indicated in (1). The MX record points to your mail server's IP address; the public IP on the WAN DNS side, and the private IP on the LAN side. Same for A records.

3) Postfix knows it is final destination if the mail domains are listed in mydestination (for the local address class). So, you must configure mydestination correctly. We'll ignore the virtual alias domains, and virtual mailbox domains for now, as well as virtual aliases.

Hopefully this clarifies some things a bit. You've already exposed your real domain (vpsupply.com), and since it is public there is no worry about using it. In further discussions here, just use it and exact server names to help keep things straight.

Last edited by Mr. C.; 09-16-2008 at 02:33 PM.
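The three concepts in the post above (LAN vs. WAN DNS views, MX vs. A records, and mydestination deciding whether Postfix is final destination) fit together into one decision procedure, and the log line from post #9 is exactly the path through it that ends in a bounce. The following is an added example, not code from the thread or from Postfix: it models the address-class check against the mydestination from post #3 and the MX-then-A resolution an MTA performs (RFC 5321 section 5.1) against two constructed DNS views. "mydomain.com" is the placeholder the thread used; the WAN address 74.43.252.133 comes from post #14, while the A record for mail.mydomain.com on each side and the LAN-side MX are assumptions chosen to show the split-horizon fix.

```python
# Constructed data: the mydestination from the postconf -n output in post #3 (note the empty element).
MYDESTINATION = ["dev.mydomain.com", "localhost.mydomain.com", "", "localhost"]

# Two DNS views keyed by (name, record type). WAN A record for the zone is from post #14;
# both A records for mail.mydomain.com are assumed for this example.
WAN_VIEW = {
    ("mydomain.com", "A"): ["74.43.252.133"],
    ("mydomain.com", "MX"): [(10, "mail.mydomain.com")],
    ("mail.mydomain.com", "A"): ["74.43.252.134"],      # assumed public address of the mail server
}
# The LAN view as the OP's dig showed it: an SOA for the zone, but no MX and no A for mydomain.com.
LAN_VIEW_BROKEN = {
    ("mydomain.com", "SOA"): ["win_srv.int.mydomain.com."],
    ("mail.mydomain.com", "A"): ["192.168.1.25"],       # assumed LAN address of the Zimbra box
}
# The same LAN zone after adding the MX record a split-horizon setup needs.
LAN_VIEW_FIXED = dict(LAN_VIEW_BROKEN)
LAN_VIEW_FIXED[("mydomain.com", "MX")] = [(10, "mail.mydomain.com")]


def address_class(recipient, mydestination, relay_domains=()):
    """Which Postfix address class a recipient falls in: local, relay, or default."""
    domain = recipient.rsplit("@", 1)[1].lower()
    local = {d.strip().lower() for d in mydestination if d.strip()}
    if domain in local:
        return "local"
    if domain in {d.lower() for d in relay_domains}:
        return "relay"
    return "default"  # Postfix resolves MX/A itself and delivers over SMTP (relayhost is empty here)


def resolve_next_hop(domain, view):
    """MX lookup with A-record fallback (RFC 5321 section 5.1); None when neither exists."""
    mx = view.get((domain, "MX"))
    if mx:
        # Lowest preference value first; a real MTA also spreads load over equal preferences.
        _, host = sorted(mx)[0]
        addrs = view.get((host, "A"))
        if addrs:
            return host, addrs[0]
        return None
    addrs = view.get((domain, "A"))
    if addrs:
        return domain, addrs[0]
    return None


def route(recipient, mydestination, view):
    """What Postfix would do with a recipient: deliver locally, hand off over SMTP, or bounce."""
    cls = address_class(recipient, mydestination)
    if cls == "local":
        return ("local", recipient)
    domain = recipient.rsplit("@", 1)[1].lower()
    hop = resolve_next_hop(domain, view)
    if hop is None:
        # dsn=5.4.4 "Host or domain name not found", the status seen for 3E42B13C10B in post #9
        return ("bounce", "5.4.4")
    return ("smtp", hop[0], hop[1])


if __name__ == "__main__":
    for label, view in (("LAN as dug", LAN_VIEW_BROKEN), ("LAN fixed", LAN_VIEW_FIXED), ("WAN", WAN_VIEW)):
        print("%-10s %s" % (label, route("me@mydomain.com", MYDESTINATION, view)))
    print("wiki@dev  ", route("wiki@dev.mydomain.com", MYDESTINATION, LAN_VIEW_BROKEN))
    # Adding mydomain.com to mydestination makes the address local, which is not what the OP wants.
    print("local fix ", route("me@mydomain.com", MYDESTINATION + ["mydomain.com"], LAN_VIEW_BROKEN))
```

The run shows the two ways out of the bounce: publish an MX for mydomain.com in the LAN zone (the split-horizon fix Mr. C. describes), or, since the postconf output shows `relayhost =` empty, point `relayhost` at the internal mail server so Postfix never looks up the recipient domain's MX at all. Adding mydomain.com to mydestination is the wrong fix for this box, as post #11 suspects, because it would keep the reports on the dev server instead of sending them to Zimbra.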
 
  

