Recipient address rejected
Hi all,
I have been googling around the past day, but I can't seem to get this fixed:
said: 550 5.1.1
test2@mydomain.com: Recipient address rejected: User unknown in local
recipient table (in reply to RCPT TO command)
Final-Recipient: rfc822;test2@mydomain.com
Original-Recipient: rfc822; rfc822%3Btest2@hkserv.ugent.betest2@m ydomain.com
Action: failed
Status: 5.1.1
Remote-MTA: dns; test2@mydomain.com
Diagnostic-Code: smtp; 550 5.1.1 test2@mydomain.com: Recipient address
rejected: User unknown in local recipient table
These are the most important parts from the config files:
/etc/postfix/main.cf
myhostname = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.com, <cut away>, localhost
relayhost = smtprelay.ugent.be
mynetworks = 127.0.0.0/8 # [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = #procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
DEFAULT_EMAIL_HOST and DEFAULT_URL_HOST are both set to mydomain.com in /etc/mailman/mm_cfg.py. MTA=None
/etc/postfix/transport contains: mydomain.com mailman:
I followed the guide at https://help.ubuntu.com/community/Mailman
Any help, please? I'm getting pretty desperate...
Greetings, Sergei
-- Sergei Maertens Commissie ICT Home Boudewijn 2010-2011 ICT Home Konvent 2010-2011 Vaste Medewerker Web/ICT VTK 2009-2011
Sergei Maertens wrote:
test2@hkserv.ugent.be>: host mydomain.com[1.2.3.4] said: 550 5.1.1
test2@mydomain.com: Recipient address rejected: User unknown in local
recipient table (in reply to RCPT TO command)
Final-Recipient: rfc822;test2@mydomain.com
Original-Recipient: rfc822; rfc822%3Btest2@hkserv.ugent.betest2@m ydomain.com
Action: failed
Status: 5.1.1
Remote-MTA: dns; test2@mydomain.com
Diagnostic-Code: smtp; 550 5.1.1 test2@mydomain.com: Recipient address
rejected: User unknown in local recipient table
These are the most important parts from the config files:
/etc/postfix/main.cf
myhostname = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.com, <cut away>, localhost
relayhost = smtprelay.ugent.be
mynetworks = 127.0.0.0/8 # [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = #procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
DEFAULT_EMAIL_HOST and DEFAULT_URL_HOST are both set to mydomain.com in /etc/mailman/mm_cfg.py. MTA=None
/etc/postfix/transport contains: mydomain.com mailman:
I followed the guide at https://help.ubuntu.com/community/Mailman
Which is for installation of the Debian/Ubuntu Mailman package using the officially unsupported by the GNU Mailman project postfix_to_mailman.py script for delivery to Mailman.
That said, there is something amiss, as your list mail is apparently being handled by Postfix's local transport (per the "User unknown in local recipient table" error) and not by the 'mailman' transport specified in /etc/postfix/transport.
Is the mailman transport defined in master.cf?
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
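The check Mark asks about can be done mechanically. The following is an added example, not part of the original posts: it compares a transport table against master.cf and mydestination. All three config excerpts are constructed for the demonstration; the master.cf contents in particular are an assumption, since the thread never shows that file.

```python
# Constructed excerpts modelled on the thread; not the poster's real files.
MAIN_CF = "mydestination = mydomain.com, localhost\n"
TRANSPORT = "mydomain.com mailman:\n"
# Constructed master.cf holding only stock services (assumption for the demo).
MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
local     unix  -       n       n       -       -       local
smtp      unix  -       -       -       -       -       smtp
"""

def master_services(text):
    """Names of 'unix' services (delivery transports) defined in master.cf."""
    names = set()
    for line in text.splitlines():
        if not line.strip() or line[0] in "# \t":  # blank, comment, continuation
            continue
        fields = line.split()
        if len(fields) >= 8 and fields[1] == "unix":
            names.add(fields[0])
    return names

def transport_entries(text):
    """Yield (pattern, transport name) pairs from a transport table."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            yield parts[0], parts[1].split(":", 1)[0]

def main_cf_list(text, key):
    """Return the comma/space separated values of one main.cf parameter."""
    for line in text.splitlines():
        name, _, value = line.partition("=")
        if name.strip() == key:
            return value.replace(",", " ").split()
    return []

def audit(main_cf, transport, master_cf):
    """List mismatches between the transport table, master.cf and mydestination."""
    findings = []
    defined = master_services(master_cf)
    local = set(main_cf_list(main_cf, "mydestination"))
    for pattern, name in transport_entries(transport):
        if name and name not in defined:
            findings.append(f"{pattern}: transport '{name}' is not defined in master.cf")
        if pattern in local:
            findings.append(f"{pattern}: listed in mydestination, so smtpd applies local recipient checks")
    return findings
```

On a live system, `postconf -M` prints the services Postfix actually loaded from master.cf, which is the authoritative input for the first check.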
Hello,
Starting Friday this particular office started having massive Internet trouble (dual T1s). Running a speedtest shows 2.75Mbps download (fine) and about .09Mbps upload (not fine). There are about 15 active lists on this server, a few of the lists have a few thousand members.
We traced the network issues to our mailman server. With Mailman server turned off, network is fine. As soon as it comes back up, bandwidth consumed.
Using Postfix as the MTA, set the default_process_limit to 3 in the master.cf file. Other settings are postfix defaults (main.cf)
Haven't been able to figure out exactly what's up - but I do know if I set an iptables rule to block all inbound port 25 traffic, issues go away - so...
I've done some basic testing for open relays, so far I have not found anything indicating it's an open relay. Packet sniffing shows connections from a number of IP addresses to the Mailman server. Outside test shows the hostname is not an open relay, and I can't telnet on port 25 with standard HELO command. All internal mail comes to a Barracuda spam filter unit.
/usr/local/mailman/logs/post shows 19 posts today to the various lists.
from my main.cf:
mynetworks = 172.10.0.0/16, 127.0.0.0/8
#relay_domains = $mydestination
mydestination = $myhostname, $mydomain, localhost
myhostname = lists.lists.mydomain.com
mydomain = lists.mydomain.com
At this point I can't tell if I have a Postfix problem or Mailman problem. Any ideas? Thanks!!
Scott
Scott Race wrote:
Haven't been able to figure out exactly what's up - but I do know if I set an iptables rule to block all inbound port 25 traffic, issues go away - so...
So, assuming you are also blocking port 25 connects from the local host via the loopback interface, you are blocking Mailman's connects to Postfix, thus preventing Mailman from connecting to Postfix and the resultant sending from Postfix of whatever Mailman is sending.
Take a look at Mailman's queues, particularly virgin, out and retry to see what's there. Use Mailman's bin/dumpdb to see an individual entry's message and metadata or bin/show_quefiles to see one or more entries' messages.
[...]
At this point I can't tell if I have a Postfix problem or Mailman problem. Any ideas? Thanks!!
I suspect the actual network traffic is coming from Postfix sending the stuff that Mailman is delivering to it. The question is what is Mailman doing. Check the queues as above and also Mailman's smtp and perhaps other logs.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
Thanks for the reply.
So it sounds like my iptables rule:
iptables -A INPUT -p tcp --dport 25 -j REJECT
also blocks outbound mail too. Is there a preferred way to secure mailman SMTP traffic with iptables? In our case, we would just need an inbound filter that only accepts mail from a few hosts, I thought this would do it, but mailman wouldn't send mail with rules like this:
# accept mail from two hosts, drop the rest
iptables -A INPUT -p tcp -s 192.168.1.245 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.246 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j REJECT
For the queues - I guess it's fine today - still reviewing the logs, and I will use those bin utilities to see the messages, that will be helpful...thanks!!
Scott
-----Original Message----- From: Mark Sapiro [mailto:mark@msapiro.net] Sent: Tuesday, November 23, 2010 4:16 PM To: Scott Race; mailman-users@python.org Subject: Re: [Mailman-Users] Mailman server consuming entire Internet pipe (dualT1)
On 11/24/2010 11:16 AM, Scott Race wrote:
Thanks for the reply.
So it sounds like my iptables rule:
iptables -A INPUT -p tcp --dport 25 -j REJECT
also blocks outbound mail too. Is there a preferred way to secure mailman SMTP traffic with iptables? In our case, we would just need an inbound filter that only accepts mail from a few hosts, I thought this would do it, but mailman wouldn't send mail with rules like this:
# accept mail from two hosts, drop the rest
iptables -A INPUT -p tcp -s 192.168.1.245 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.246 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j REJECT
I can't really answer that without knowing much more detail about your Mailman/Barracuda/Postfix configuration, but by default, Mailman delivers output (all list posts and other messages FROM Mailman) via SMTP to the MTA listening on localhost port 25 (127.0.0.1:25). If you reject packets addressed to port 25, Mailman won't be able to deliver anything. Every message in the out/ queue will result in a connection refused upon attempted delivery and will be logged in Mailman's smtp-failure log and put in the retry/ queue to be retried at intervals of DELIVERY_RETRY_WAIT (default 1 hour) for a total time of DELIVERY_RETRY_PERIOD (default 5 days).
Accepting port 25 connects from 192.168.1.245 and 192.168.1.246 probably won't help at all with Mailman's outgoing delivery as those connects come from localhost (127.0.0.1).
As far as delivery of Mail to Mailman is concerned, this mail is queued by Postfix in Mailman's queues so it gets to the Barracuda appliance somehow which then delivers it to Postfix on some port other than 25 and Postfix either pipes it to Mailman's mail wrapper based on aliases or perhaps via some script like postfix_to_mailman.py depending on how Postfix is configured, and Mailman's Mail wrapper queues the message for Mailman.
If you want to secure all SMTP traffic, I suggest you set up a separate SMTP listener in Postfix on some unused port and tell Mailman to deliver to that port by setting SMTPPORT in mm_cfg.py. Then you can block port 25 with iptables or just configure Postfix to not listen on port 25 at all.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
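Why the posted rules also stop Mailman's own deliveries can be seen by walking the chain in order. This is an added example, not part of the original posts: a first-match evaluator over the three rules from the thread, next to the same chain with a loopback accept rule placed first. The loopback rule, the interface name eth0 and the address 203.0.113.9 are assumptions introduced here; the thread itself proposes a separate listener port instead.

```python
import ipaddress

# Rules as posted in the thread: (source CIDR or None, in-interface or None, target).
# Every rule matches "-p tcp --dport 25".
POSTED = [
    ("192.168.1.245/32", None, "ACCEPT"),
    ("192.168.1.246/32", None, "ACCEPT"),
    (None, None, "REJECT"),
]
# Same chain with a loopback rule first (added here, not from the thread);
# the iptables equivalent is: iptables -I INPUT 1 -i lo -j ACCEPT
WITH_LOOPBACK = [(None, "lo", "ACCEPT")] + POSTED

def verdict(rules, src, iface, dport=25, policy="ACCEPT"):
    """First matching rule wins, as in an iptables chain."""
    if dport != 25:
        return policy              # none of the rules match other ports
    addr = ipaddress.ip_address(src)
    for cidr, in_if, target in rules:
        if cidr and addr not in ipaddress.ip_network(cidr):
            continue
        if in_if and in_if != iface:
            continue
        return target
    return policy

def report(rules):
    """Verdicts for the three kinds of port-25 connection discussed in the thread."""
    cases = {
        "mailman -> postfix (localhost)": ("127.0.0.1", "lo"),
        "allowed relay": ("192.168.1.245", "eth0"),
        "other host": ("203.0.113.9", "eth0"),      # constructed address
    }
    return {name: verdict(rules, *case) for name, case in cases.items()}

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("with loopback", WITH_LOOPBACK)):
        print(label, report(rules))
```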
Scott Race wrote:
[...]
I've done some basic testing for open relays, so far I have not found anything indicating it's an open relay. Packet sniffing shows connections from a number of IP addresses to the Mailman server. Outside test shows the hostname is not an open relay, and I can't telnet on port 25 with standard HELO command. All internal mail comes to a Barracuda spam filter unit.
/usr/local/mailman/logs/post shows 19 posts today to the various lists.
The Postfix logs would be of more benefit I think here, as well as the mail queue.
You say you route mails through a Barracuda host, do you allow traffic directly into this machine on port 25 externally? Is this machine hosting lists only, and if so, how is the Barracuda/Postfix server verifying recipients as early as possible (in case the domain is receiving large amounts of bounced mail and is rejecting with a full NDR and not a bounce at SMTP stage)? Does outbound mail get delivered direct from Postfix or are you smarthosting to the Barracuda?
Thanks. Andrew.
Was scrolling through the maillog just now, nothing out of the ordinary other than list traffic that I can tell.
So no, all inbound mail comes to the Barracuda, gets cleaned and sent to the Mailman server. Each day about 600 inbound junk mails get blocked and around 50 legit emails. It is hosting just lists only, no other inbound or outbound mail. Outbound does get sent directly out the Postfix and is not sent through any smart host.
Good question on the verifying recipients - not quite sure the exact answer - I think the mailman server is processing bounces because I'll see bounced emails in the log to "johnsmith@lists.mydomain.com does not exist". So invalid recipients do seem to hit the Mailman server. Maybe filtering recipients at the Barracuda could help?
On the note of the traffic - today everything is fine. Not sure why for 5 days it was consuming the pipe, but have not found any indication of an open relay or malicious intent. We did throttle back the simultaneous connections, maybe that will help a bit.
My Postfix maillog shows a ton of these:
(lost connection with spool.santarosa.org[216.222.240.7] while sending end of data -- message may be sent more than once)
and
(conversation with mail.laguna-hills.ca.us[68.203.215.26] timed out while sending end of data -- message may be sent more than once)
11,968 matches of (lost connection) and 9202 matches of (conversation with) in a log file covering 4 days (Nov 21 01:18 - Nov 24 9:07).
One thing that did change was the internal DNS servers on the network, I almost have to assume it has to do with that.....
-----Original Message----- From: Andrew Hodgson [mailto:andrew@hodgsonfamily.org] Sent: Wednesday, November 24, 2010 10:34 AM To: Scott Race; mailman-users@python.org Subject: RE: [Mailman-Users] Mailman server consuming entire Internet pipe (dual T1)
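Both log messages quoted above report a failure "while sending end of data", that is, after the message body had already been transmitted, so every retry of the same message sends the body again. The following added example (not part of the original posts) groups such deferrals by destination and lists the queue entries that were attempted more than once. The sample lines are constructed in the usual Postfix syslog layout; only the relay names and status texts are taken from the thread, while the queue IDs, recipients and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample lines; the last one is a normal delivery and must be ignored.
SAMPLE_LOG = """\
Nov 22 03:14:07 lists postfix/smtp[2211]: 4F2A81C0D3: to=<a@example.org>, relay=spool.santarosa.org[216.222.240.7]:25, delay=310, dsn=4.4.2, status=deferred (lost connection with spool.santarosa.org[216.222.240.7] while sending end of data -- message may be sent more than once)
Nov 22 04:20:41 lists postfix/smtp[2302]: 4F2A81C0D3: to=<a@example.org>, relay=spool.santarosa.org[216.222.240.7]:25, delay=4304, dsn=4.4.2, status=deferred (lost connection with spool.santarosa.org[216.222.240.7] while sending end of data -- message may be sent more than once)
Nov 22 04:21:02 lists postfix/smtp[2305]: 7B1C02E9AA: to=<b@example.net>, relay=mail.laguna-hills.ca.us[68.203.215.26]:25, delay=620, dsn=4.4.2, status=deferred (conversation with mail.laguna-hills.ca.us[68.203.215.26] timed out while sending end of data -- message may be sent more than once)
Nov 22 04:21:09 lists postfix/smtp[2306]: 9D0E44F1B2: to=<c@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=2, dsn=2.0.0, status=sent (250 ok)
"""

DEFERRED = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>,.*"
    r"status=deferred \((?P<kind>lost connection|conversation) with "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\].*while sending end of data"
)

def summarize(log_text):
    """Return (deferrals per (host, kind), {(queue id, recipient): attempts > 1})."""
    by_host = Counter()
    attempts = Counter()
    for line in log_text.splitlines():
        m = DEFERRED.search(line)
        if not m:
            continue
        kind = "lost" if m["kind"] == "lost connection" else "timeout"
        by_host[(m["host"], kind)] += 1
        attempts[(m["qid"], m["rcpt"])] += 1
    repeated = {key: n for key, n in attempts.items() if n > 1}
    return by_host, repeated

if __name__ == "__main__":
    hosts, repeated = summarize(SAMPLE_LOG)
    for (host, kind), n in hosts.most_common():
        print(f"{n:6d}  {kind:8s} {host}")
    print("re-sent entries:", repeated)
```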
In going through some security procedures yesterday, we decided to change our list passwords on all our lists.
The new password works, as does the old one still. Restarting mailmanctl process does not fix.
We are running Mailman 2.1.13 on RHEL5.
Any ideas? Haven't restarted the server yet. Thanks.
Scott
Scott Race wrote:
In going through some security procedures yesterday, we decided to change our list passwords on all our lists.
The new password works, as does the old one still. Restarting mailmanctl process does not fix.
If the list shared the old password with the site password, then using the old password (i.e, the site password) will get you past most password prompts in Mailman.
http://wiki.list.org/pages/viewpage.action?pageId=4030543
Andrew.
participants (4)
- Andrew Hodgson
- Mark Sapiro
- Scott Race
- Sergei Maertens