Postfix - antispam and relay package
-
Argh… upgraded to 2.2, postfix forwarder down in flames along with our email. Not a trivial matter.
Tried (trying?) to restore a full 2.1.5 backup and the GUI is a mess and things (including postfix forwarder) still seem broken.
Selecting OpenVPN results in:
Fatal error: Call-time pass-by-reference has been removed in /usr/local/www/vpn_openvpn_server.php on line 333
Selecting postfix forwarder results in:
Fatal error: Call-time pass-by-reference has been removed in /usr/local/www/pkg_edit.php on line 143
Main page shows 2.1.5-RELEASE (amd64) as well as the "Packages are currently being reinstalled in the background." which doesn't seem to actually mean anything.
Has anyone been successful restoring a full backup (2.1.5?) after encountering the borked postfix forwarder on 2.2?
-
When I try to reboot our Netgate chimes as if it's going to reboot, but then this appears:
Fatal error: Call-time pass-by-reference has been removed in /etc/inc/shaper.inc on line 395
So it seems as if we can't reboot either.
-
For the benefit of others running into this issue… rebooting and halting the system did not work, even though they triggered the reboot and halt chimes on our Netgate running pfsense. After a hard reboot (and some praying) our services, including postfix forwarder and OpenVPN, began working again under the restored 2.1.5.
-
Found out the hard way that this is intended to relay mail to an internal server and not a hosted server (host monster, Bluehost)
Because of SPF and the fact that this package cant do SRS.
-
I'm, kind of, discovering pfSense in prod :-[
Now that I've migrated to pfSense, and although I do understand that from guru's standpoint, pfSense acts as firewall and should only be used as firewall ;) I would like to run some additional "embedded" services. I know this is not theoretically correct but this is however the most convenient way to provide services locally.This said, I'm also facing issues while trying to run Postfix relay on 2.2. So, for the time being and waiting for fix, I'm not relaying but forward packets to mail server on DMZ :-\
Unless I misunderstand the way it works, once this package will be fixed, there is one feature that will still prevent me to use it as a relay. Let me try to explain:
- for fail-over purpose, I'm relying on 2 different ISP, meaning 2 WAN, 2 IP
- I've one single domain managed by third provider. Using this provider's web interface, I'm able to customize public DNS for this domain, including MX, SPF
- each ISP permits to customize PTR
So far so good but… if I want to use pfSense Postfix relay (assuming issues with 2.2 are fixed) it will not work for some senders in case sender performs SMTP Reverse DNS control because this package doesn't permit to customize banner per listening IP from GUI.
I may find a way to customize master.cf and hard-code the right banner here for each interface but it would be nice to have this capability directly from GUI. Or is there something is misunderstand?
PS: I know that state-of-the-art implementation if I need complete fail-over would be to deploy 2 different MTA behind 2 différent FW, furthermore having each FW made of highly available pfSense using CARP.... but this is totally over-kill and I will end up with more problems due to complexity than real improved levle of service. What I would like to handle is WAN fail-over, with only one single pfSense cluster. Does it make sense ?
-
Just set the PTR record for both IP address to be the same!
-
Just set the PTR record for both IP address to be the same!
This doesn't work, at least for me, and I'll try to explain why :)
I'm relying on 3 different providers:
- two ISP owing each one of my two public IP
- another (different) provider registering my domain.
In term of DNS management, it means that I'm dealing with PTR records through interfaces provided by each ISP while I manage (public) DNS content from my domain provider's web interface.
So far so good :-) but in order to achieve what you suggest, it would means that I have to configure 2 different A records (one for each public IP) with same hostname. This can be done, although somewhat strange.
Problem is that when customizing PTR, I'm facing an issue with at least one ISP because interface used to customize PTR checks if PTR you set matches IP address. This does make sense but as my DNS contains 2 different IPs for same hostname, it resolves this hostname (round-robin mode) with different IP thus PTR customization is not allowed.From my standpoint, such control from ISP makes sense. It help ensuring consistency between PTR and IP/hostnames.
The right approach, unless I'm wrong, it to set up one banner per public IP.
I did it with my previous Postfix implementation using this syntax:1.1.1.1:smtp inet n - - - - smtpd -o myhostname=host1.domain.com 2.2.2.2:smtp inet n - - - - smtpd -o myhostname=host2.domain.comThis obviously works as expected ;D
Then I do realize that I'm total pfSense noob: I still don't know how to customize master.cf so that content is not erased when configuration is changed using GUI :-[
On top of that, I need to improve my understanding of postscreen => smtpd is then listening on local port only isn't it? -
Replying to myself ;D but hopping it may help other users:
For what I understand, having spent some time reading Postfix and postscreen documentation, unless it can be significantly customized, Postfix forwarder package will not fit with what I'm trying to achieve. It would mean, for each external interface, one postscreen line in master.cf passing to one smtpd defined with its own mailhost and banner.
Nothing really complex from Postfix standpoint but definitely not the way it works for the time being, even aside 2.2 related bugs.Something like:
1.1.1.1:smtp inet n - n - 1 postscreen -o smtpd_service_name=smtpd1 -o postscreen_greet_banner=whatever...... -o user=postfix -o soft_bounce=yes smtpd1 pass - - n - - smtpd -o myhostname=host1.domain.com -o smtpd_banner=host1.domain.com-xxxxxx 2.2.2.2:smtp inet n - n - 1 postscreen -o smtpd_service_name=smtpd2 -o postscreen_greet_banner=whatever2...... -o user=postfix -o soft_bounce=yes smtpd2 pass - - n - - smtpd -o myhostname=host2.domain.com -o smtpd_banner=host2.domain.com-xxxxxx -
Two pf machines reverted to 2.1.5 after all + postfix upgraded to 2.2 Postfix failed in exactly the fashion mentioned in #525 this thread. Running in two KVM VM's 64 bit.
Was this ever tested before the release? Did it ever work? What configurations were tested that worked? I waited to upgrade only a few days ago, thought it would be all good.. but not so much. No emails forwarded whatever.
-
I also faced the postfix issue described after upgrading to 2.2
Mar 13 13:24:12 postfix/master[19564]: warning: process /usr/local/libexec/postfix/qmgr pid 11100 exit status 1 Mar 13 13:24:12 postfix/master[19564]: warning: /usr/local/libexec/postfix/qmgr: bad command startup -- throttling Mar 13 13:24:12 postfix/master[19564]: warning: process /usr/local/libexec/postfix/pickup pid 11315 exit status 1 Mar 13 13:24:12 postfix/master[19564]: warning: /usr/local/libexec/postfix/pickup: bad command startup -- throttlingReason is, pickup can't find libspf2.so.2
76972: 0.012799723 access("/lib/libspf2.so.2",0) ERR#2 'No such file or directory' 76972: 0.012872347 access("/usr/lib/libspf2.so.2",0) ERR#2 'No such file or directory' 19564: 28.015840537 wait4(-1,{ EXITED,val=1 },WNOHANG,0x0) = 77346 (0x12e22) 76972: 0.012977425 write(2,"Shared object "libspf2.so.2" not found, required by "pickup"",60) = 60 (0x3c)The package ships with this library, but the linker does'nt seem to pick it up. In any case since this was not the only issue after the upgrade to 2.2 and I was pretty annoyed, here is just a very bad and ugly hack around that.
Login to the firewall
# cd /usr/local/lib # ln -s /usr/pbi/postfix-amd64/local/lib/libspf2.so.2Hope this helps.
-
<snip>In any case since this was not the only issue after the upgrade to 2.2 and I was pretty annoyed, here is just a very bad and ugly hack around that.</snip>
Does anyone know what the status of a new release is with major issues like the broken postfix forwarder addressed?
-
Does anyone know what the status of a new release is with major issues like the broken postfix forwarder addressed?
Completely orthogonal, I'd say :P
-
Hi. It is possible to save contents message to hard disk ? I have pfsense 2.1.5 and postfix services.
-
Hi. It is possible to save contents message to hard disk ? I have pfsense 2.1.5 and postfix services.
NO! This is a firewall, not a mailserver. And the package is a relay.
-
I am almost a newbie on PFsense. Nice project. Thanks!
My patrorm is an old VMware ESXi. Will the Postfix package be able to install on PFsense 2.2.1 as is and could it route to more than one internal mail host? Can I also use the MailScanner package with Postfix and PFsense 2.2.1? -
Unfortunately it's currently broken. This is one of the ongoing issues with pfSense, while the base/core functionality works well, you really can't rely on packages as packages tend to get abandoned and left in broken states on a moderately frequent basis.
You can work around the issue as discussed in this thread, but if you do, you may find that future updates of the package break due to the workaround, leaving you a larger mess to resolve, so given the amount of time it has been since this package was functional, I'd suggest installing postfix on another server and port-forwarding as needed. Your mileage may vary.
-
@The:
Unfortunately it's currently broken. …/... I'd suggest installing postfix on another server and port-forwarding as needed.
+1
That's pretty clear and obvious.
What is somewhat frustrating is that such comment and conclusion should come from pfSense.
It would be much easier to have pfSense interface not allowing any additional package as package support and reliability is at least questionable rather than having pfSense allowing to install it easily in a way that could make some people thinking that packages are fully part of pfSense :-\ -
I installed postfix and mailscanner and then uninstalled them. Does this cause any problems in the future?
-
I agree that package support is not always the greatest, but you also have to understand that Developers of these packages do it on their own free time and usually without any monetary gain. There are just a handful of Developers that I see maintaining packages at this time.
Its the fact in "Open Source" where a handful code and the balance profit from their work.
Suggestions -
- Support pfSense with a Gold Subscription
- Post bug reports that have enough detail for a Dev to be able to reproduce.
- Take the time to help Test Packages as no Dev can see all possible conditions by himself. Each network is different. So participation is really key.
- Support the Devs in other ways to keep them interested to maintain and upgrade their package(s) at each version change of pfSense.
Also realize that the Devs are planning on changing PHP to Python in v3.0. What does this mean? Well, a lot of work for the Developers to re-code all of their work and/or the work of the previous maintainer.
And I don't mean to say this in any Negative way.. we all love to use pfSense and for myself, I try to contribute in as many ways as I can, as that commitment is returned back to me in other ways. Lets keep pfSense Strong!
My 2 Cents!
-
As I noted elsewhere, the PBI disaster does not help either; no surprise people are not exactly keen to maintain the packages.
