I've got a very annoying problem. I'm at the end of my rope. If someone could help, I'd really appreciate it.

For a couple of years had a RedHat server running sendmail on my DMZ that forwards mail to my Exchange 5.5 server. I needed to upgrade so, I built a new Mandrake 9.2 box. The goal of this server is to be a spam filter and to then forward all mail to our existing Exchange 5.5 server. The problem I am having is that the linux box isn't forwarding any of the mail. I haven't seen any non-delivery reports on any of the mail I have sent to test it, and my firewall logs show that the mail made it to the linux server, but it never makes it to the Exchange server.

I'm wondering if there is some way to check logs, or queues inside of postfix to see if the mail has been blocked or rejected or if it's some kind of misconfiguration.

I also have a second question, there is an email "tester" at http://www.dnsreport.com that I've been using to test. I put in postmaster@mydomain.com and it give me the following error: "Could not connect: Could not receive data: Operation timed out." With my former server in place, it gives me a 200 OK.

Any ideas? Let me know if you need more information.

Thanks!

Ok, I completely removed spamassassin to rule out that software and now I'm getting a totally different response when I test it.

Now I'm getting "451: Server configuration error"


Any ideas??

You have to make sure that your postfix gateway doesn't consider itself the final destination of your mail-domain(s).
This is achived by setting mydestination i main.cf to the local host only:

mydestination = $myhostname, localhost.$mydomain

Then You have to verify your transport maps, so postfix knows what to do with the mail destined for the exchange server. My transport file is in /etc/postfix/, and sample line in transport could be:

mail.destination.dom smtp:[exchange_ip_address] (brackets included)

Remember to run "postmap /etc/postfix/transport" after you've edited the transport file. Also make sure to have transport_maps = hash:/etc/postfix/transport in your main.cf.

Oh, and remember to do a "postfix reload"

Regards,
LTJ

I think I have mydestination wrong, and I'm going to check that asap.

I already have the transport file but I accept mail for 3 domains so I have mine setup like this:

domain1.com smtp:[exchange_ip_address]
domain2.com smtp:[exchange_ip_address]
domain3.com smtp:[exchange_ip_address]


Your example shows:

mail.domain1.com smtp:[exchange_ip_address]

Do I need the mail dot prefix? or just the domain that the mail is being sent to?

Thanks again,

I'll reply on how the mydestination changes affect my testing.

No, You're right about that. Just the domain. Apologies for a bad example

/LTJ

Ok, THANKS SO MUCH. I've gotten just a little bit closer now.

This never happened before, but now, I'm getting Error emails sent to my mailbox (on the exchange server) which means the linux box is now sending to the Exchange server correctly.

This is an example of what I'm receiving:

____________________________________________________
From: MAILER-DAEMON@ns1.mydomain.com
To: Postmaster@mydomain.com

Subject: Postfix SMTP server: errors from unknown[66.137.223.193]

Transcript of session follows.

Out: 220 mail.ervincable.com
In: EHLO pmoexchange.lambert-stl.org
Out: 250-ns1.ervincable.com
Out: 250-PIPELINING
Out: 250-SIZE 100000000
Out: 250-VRFY
Out: 250-ETRN
Out: 250 8BITMIME
In: MAIL FROM:<PJHilmes@lambert-stl.org> SIZE=57795
Out: 250 Ok
In: RCPT TO:<PWard@apextv.com>
Out: 451 Server configuration error
In: RSET
Out: 250 Ok
In: QUIT
Out: 221 Bye

_______________________________________________

Is this when You are sending or recieving mails on the exchange server, perhaps both?

You can check your postfix configuration by running "postfix check"

/LTJ

I get that message sent to my "postmaster" mailbox whenever outside email hits the server trying to get to a mailbox on the Exchange Server.

zzero,

Could you please disclose your main.cf and master.cf. You can leave out ip-addresses and other security compromising stuff.

Also make sure that name-resolution is configured correctly on the postfix box. Postfix should be able to do forward lookups when sending mail, and reverse lookups when recieving.

Does postfix report anything from the postfix check?

Here's my main.cf file...

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
delay_warning_time = 4
inet_interfaces = all
local_recipient_maps =
local_transport = no local mail delivery
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -Y -a $DOMAIN
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maps_rbl_domains = sbl.spamhaus.org, relays.ordb.org, opm.blitzed.org, dun.dnsrbl.net, spam.dnsrbl.net
message_size_limit = 100000000
mydestination = $myhostname, localhost.$mydomain
myhostname = ns1.ervincable.com
mynetworks = 10.0.0.0/16, 192.0.0.0/16
myorigin = ervincable.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.13/README_FILES
relayhost = firewall.ervincable.com
sample_directory = /usr/share/doc/postfix-2.0.13/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = mail.ervincable.com
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_maps_rbl
smtpd_recipient_restrictions = permit_mynetworks
smtpd_sender_restrictions = reject_non_rqdn_sender, reject_unknown_sender_domain
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450

Here's master.cf


# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtps inet n - y - - smtpd
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - y - - smtpd
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
#qmgr fifo n - n 300 1 qmgr
qmgr fifo n - y 300 1 nqmgr
#tlsmgr fifo - - n 300 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
local unix - n n - - local
virtual unix - n y - - virtual
lmtp unix - - y - - lmtp

maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}

old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}

cyrus unix - n n - - pipe
user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

smtp-amavis unix - - y - 2 smtp
-o smtp_data_done_timeout=1200
-o disable_dns_lookups=yes

127.0.0.1:10025 inet n - y - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_helo_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.1/8
-o strict_rfc821_envelopes=yes


Postfix check shows no errors.

Looks OK to me, but I can see that you're working on som filtering with postfix as well.
In general when working with postfix, i'd suggest that you make the things work one at a time, otherwise you'll be toying with your sanity

Comments to your main.cf:

Add 127.0.0.0/8 here to allow relaying from lo-net

relayhost is the "last resort" destination for mail domains not in the transport map. In a gateway environment you should rely on your transports only. So comment this line unless it's really needed.

Not sure you need this one, if you can settle with postalias

I'm kind of sure that according to the rfc it should read:
smtpd_banner = $myhostname ESMTP some_text

Again. Not really sure this is a good idea on a gateway


I recently did a setup resembling yours, and I got a great deal of help from this documentation:
http://www.securitysage.com/guides/postfix_uce.html

Good luck.

I'm sure you are right about getting postfix working before trying the spamblocking software. I'm introducing too many problems at one time. I've made so many changes, I think I'm going to start with a clean installation and go from there.

I was following a guide http://www.geocities.com/scottlhende...pamfilter.html when I built this server and the guide adds all the software at once.

I've been reading the Postfix documentation and I have a much better grasp on it now, than when I started. I think if I leave the spamfiltering off, and just do a basic forwarding setup, I can get it working and then move on from there.

Thanks for all your help. I really appreciate you taking the time to help me out.

I read the Postfix documentation last night from home and went through each line of my config with the document beside me and wrote a new main.cf.

I used my new main.cf this morning and it worked perfectly!

I have Spamassassin running on it now, and I'm not seeing much spam, but SOME valid emails aren't making it in either. I'm going to take a look at that spamassassin link you sent me, and see how it goes.

Thanks for all the help. I guess when all else fails, RTM.

ZZ

This is a great article, I thought I'd post it for anyone else that might need help.

It tells how to setup a linux server as a spam filtering mail gateway.

http://www.flakshack.com/anti-spam/