Postfix forwarder - undeliverable to internal mail server?
-
[SECOND UPDATE] I disabled "Soft Bounce" in the postfix forwarder configuration, but the following still occurred:
Feb 17 10:17:47 pfsense postfix/postscreen[97751]: NOQUEUE: reject: RCPT from [209.85.219.43]:49529: 450 4.3.2 Service currently unavailable; from=<"COMPANYEMAILINGME">, to=<"MYEMAILADDRESS">, proto=ESMTP, helo=<mail-oa0-f43.google.com>
Is there another postfix forwarder function other than "Soft Bounce" that will generate these things? This is Google's 4th attempt now at delivering this email. I checked /var/log/maillog and the IP is yet another new one.
I have now restarted the postfix forwarder service and these soft bounces are still occurring even though "Soft Bounce" has been disabled.
Whatever feature is responsible for soft bouncing the first IP address… it's a mess when dealing with services like Google. Looking through /var/log/maillog, I'm seeing not only Gmail messages but also Google Apps customers' emails taking hours to arrive. Actually, some of these emails that I need to see and have been waiting for still have not arrived.
I'm going to try disabling "Zombie Blocker" per:
https://forum.pfsense.org/index.php/topic,43028.0.html
And hope that is the function responsible for soft bouncing the first IP address.
[UPDATE] It appears "Zombie Blocker" is the function causing the soft bounces on the first IP address. I disabled it and I got a test email from my Gmail right away… which, no surprise, had yet another unique IP address and would have been delayed had I not disabled "Zombie Blocker." I'm seeing these errors (lots of them) in /var/log/maillog now after disabling "Zombie Blocker":
Feb 17 11:22:59 pfsense postfix/smtpd[53186]: warning: connect to private/anvil: Connection refused
[SECOND UPDATE] I see "Zombie Blocker" is actually postscreen? Disabling it kills postscreen entirely, including Anvil if it is set to be enabled with postscreen.
Isn't there a way to just disable generating soft bounces for first-seen IP addresses in postscreen?
-
I don't know of any way to turn off just the soft bounce, but postscreen is definitely the thing that stops a lot of crap from reaching your mail server.
Google (and others) retrying from a different IP each time is a pain. Seems there are some whitelisting workarounds out there - using DNSBL - but I haven't gone too deeply into that.
What I have read is that whitelisting seems to have been made a little easier with postfix 2.11.
I don't know what plans marcelloc might have to update the package to 2.11.
If you get a lot of traffic from gmail maybe it wouldn't take too long to collect a decent-sized postscreen cache of gmail IPs.
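The rotating-IP problem and the whitelisting idea above can be checked from the log itself. What the thread calls a "soft bounce" is postscreen's after-220 (deep protocol) test: on first contact it answers RCPT TO with 450 4.3.2 and expects the client to reconnect from the same address, which is then found in postscreen_cache_map; a sender that retries from a different IP every time gets a fresh 450 on every attempt. The script below is an added example for this thread, not code from pfSense, the Postfix forwarder package, or any poster. It parses postscreen lines of the shape quoted in the first post, reports which senders keep hitting the first-contact 450 from a new address each time (as opposed to senders whose retry address was later let through), and drafts cidr-table lines for a postscreen_access_list file from the networks they used. The log lines, sender addresses, and the 192.0.2.0/24 and 198.51.100.0/24 networks are constructed for the example (only the first log line is the one from the thread, with placeholder addresses); the /24 aggregation is a heuristic of this example. Treat the output as a draft to compare against the provider's published outbound ranges before installing it: sender and HELO are client-supplied, so only the observed IPs carry any weight, and a permit entry skips every postscreen test for that network.

```python
"""Find senders delayed by postscreen's first-contact 450 and draft
postscreen_access_list entries from the addresses they retried from.

Added example for this forum thread; not code from pfSense or the
Postfix forwarder package.  SAMPLE_LOG is constructed: 192.0.2.0/24 and
198.51.100.0/24 are documentation ranges standing in for a sender's
rotating outbound IPs.
"""
import ipaddress
import re
from collections import defaultdict

# postscreen temp-rejecting a first-seen client after RCPT TO (the "soft bounce").
REJECT_RE = re.compile(
    r"postfix/postscreen\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+: (?P<code>\d{3}) (?P<dsn>[\d.]+) "
    r"(?P<text>[^;]+); from=<(?P<sender>[^>]*)>, to=<(?P<rcpt>[^>]*)>, "
    r"proto=\w+, helo=<(?P<helo>[^>]*)>"
)
# postscreen letting a client through: NEW = passed the tests on this
# connection, OLD = already present in postscreen_cache_map.
PASS_RE = re.compile(
    r"postfix/postscreen\[\d+\]: PASS (?P<kind>NEW|OLD) \[(?P<ip>[0-9a-fA-F.:]+)\]:\d+"
)

# Constructed sample: one sender retries three times from three addresses and
# never gets through; another retries from the same address and is passed.
SAMPLE_LOG = """\
Feb 17 10:17:47 pfsense postfix/postscreen[97751]: NOQUEUE: reject: RCPT from [209.85.219.43]:49529: 450 4.3.2 Service currently unavailable; from=<billing@example.com>, to=<me@example.net>, proto=ESMTP, helo=<mail-oa0-f43.google.com>
Feb 17 10:32:10 pfsense postfix/postscreen[97751]: NOQUEUE: reject: RCPT from [192.0.2.44]:40112: 450 4.3.2 Service currently unavailable; from=<billing@example.com>, to=<me@example.net>, proto=ESMTP, helo=<mail-oa0-f44.google.com>
Feb 17 11:05:51 pfsense postfix/postscreen[97751]: NOQUEUE: reject: RCPT from [192.0.2.45]:40300: 450 4.3.2 Service currently unavailable; from=<billing@example.com>, to=<me@example.net>, proto=ESMTP, helo=<mail-oa0-f45.google.com>
Feb 17 11:06:02 pfsense postfix/postscreen[97751]: NOQUEUE: reject: RCPT from [198.51.100.7]:55120: 450 4.3.2 Service currently unavailable; from=<alerts@example.org>, to=<me@example.net>, proto=ESMTP, helo=<mx1.example.org>
Feb 17 11:21:30 pfsense postfix/postscreen[97751]: PASS NEW [198.51.100.7]:55901
Feb 17 11:21:31 pfsense postfix/postscreen[97751]: PASS OLD [198.51.100.7]:55902
"""


def parse_postscreen(lines):
    """Yield ("reject", fields) or ("pass", fields) for recognised postscreen lines."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield "reject", m.groupdict()
            continue
        m = PASS_RE.search(line)
        if m:
            yield "pass", m.groupdict()


def delayed_senders(lines):
    """Per sender address: 4xx attempts, distinct client IPs, and whether any of
    those IPs was later passed.  'rotating' marks the case from the thread:
    every attempt came from a new address and none was ever let through, so
    the postscreen cache never helps."""
    stats = defaultdict(lambda: {"attempts": 0, "ips": [], "passed": False})
    passed_ips = set()
    for kind, f in parse_postscreen(lines):
        if kind == "pass":
            passed_ips.add(f["ip"])
        elif f["code"].startswith("4"):
            s = stats[f["sender"]]
            s["attempts"] += 1
            if f["ip"] not in s["ips"]:
                s["ips"].append(f["ip"])
    for s in stats.values():
        s["passed"] = any(ip in passed_ips for ip in s["ips"])
        s["rotating"] = (s["attempts"] > 1
                         and len(s["ips"]) == s["attempts"]
                         and not s["passed"])
    return dict(stats)


def _aggregate(ips):
    """Collapse observed addresses to /24 (IPv4) or /64 (IPv6).  Heuristic of
    this example: large senders rotate inside a block, so a single-host permit
    rarely matches the next retry."""
    nets = set()
    for ip in ips:
        plen = 24 if ipaddress.ip_address(ip).version == 4 else 64
        nets.add(ipaddress.ip_network(f"{ip}/{plen}", strict=False))
    return sorted(nets, key=lambda n: (n.version, n.network_address.packed))


def access_list(stats, min_attempts=2):
    """Draft cidr-table lines for postscreen_access_list.  Review before use:
    a permit entry bypasses every postscreen test for that network."""
    out = []
    for sender, s in sorted(stats.items()):
        if not s["rotating"] or s["attempts"] < min_attempts:
            continue
        out.append(f"# {sender}: {s['attempts']} temp-rejects, never passed")
        out.extend(f"{net} permit" for net in _aggregate(s["ips"]))
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    stats = delayed_senders(SAMPLE_LOG.splitlines())
    for sender, s in stats.items():
        state = "rotating" if s["rotating"] else ("cache will help" if s["passed"] else "pending")
        print(f"{sender}: {s['attempts']} x 450 from {len(s['ips'])} IP(s), {state}")
    print(access_list(stats), end="")
```

Run it against a real /var/log/maillog with `delayed_senders(open(path))`; the file it drafts goes into main.cf as `postscreen_access_list = permit_mynetworks, cidr:/path/to/file`, which is the pre-2.11 way to exempt known senders from the first-contact 450.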
-
On my LAN, 10.0.1.201 is accessible and port 25 answers… the problem is that for some reason postfix forwarder (on my firewall running pfsense) cannot forward mail to it. If I leave my original NAT rule on for port 25 (any on port 25 to 10.0.1.201) then mail servers are able to hit my internal mail server fine through the firewall... but postfix forwarder is not in the mix in this scenario.
When I disable that NAT rule (as the postfix forwarder instructions say to do) and add the rule I mentioned above, postfix forwarder answers on port 25, which is great... but mail never gets from postfix forwarder to 10.0.1.201. I get the error mentioned above, which to me looks like for some reason postfix forwarder cannot "see" or connect to 10.0.1.201. I'm not sure how else to explain. Maybe a screenshot of my rules?
Waking up an old topic since I got the exact same problem - I don't seem to find any solution to this in the thread... so dreadnought, did you ever find a solution to this?
-
SOLVED - listen to single LAN ip was the key.