Re: Too Many Hops - mail looping somewhere?
mouss
> I'm doing some small testing - sending messages from a hotmail account
> to valid and invalid users. Just making sure my rules are okay. I got
> bounce back in my hotmail account from one of my front end servers to my
> hotmail account..
>
> The original message was received at Thu, 13 Dec 2007 22:16:34 -0500from
> ip104-104.businessgrade.com [66.151.104.104] (may be forged) -----
> The following addresses had permanent fatal errors
> -----<ang...@enhtech.com> (reason: 554 5.4.6 Too many hops) -----
> Transcript of session follows -----554 5.4.6 Too many hops 36 (35 max):
> from <ern...@hotmail.com> via ip104-104.businessgrade.com, to
> <ang...@enhtech.com>
>
> My front end systems perform virus and spam, greylisting, etc. I'm
> wondering why this message wasn't bounced because the user is invalid.
> Is there something I need to specifically configure to get postfix to
> bounce?
>
when you report problems or ask for help, you must follow the directions in
http://www.postfix.org/DEBUG_README.html#mail
(as suggested in the list welcome message)
In particular, you should send output of 'postconf -n' and relevant
logs. bounce messages are useless.
mouss
> Quoting mouss <mlist...@free.fr>:
>
>>
>> when you report problems or ask for help, you must follow the
>> directions in
>> http://www.postfix.org/DEBUG_README.html#mail
>> (as suggested in the list welcome message)
>
>> In particular, you should send output of 'postconf -n' and relevant
>> logs. bounce messages are useless.
>
> address_verify_map = /etc/postfix/verify
> alias_database = hash:/etc/postfix/aliases
> alias_maps = hash:/etc/postfix/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> fallback_transport = cyrus
> html_directory = /usr/share/doc/postfix-2.4.5-documentation/html
> mail_owner = postfix
> mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination = $myhostname, mysql:/etc/postfix/mysql-mydestination.cf
> myhostname = mail3.businessgrade.com
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.4.5-documentation/readme
> sample_directory = /etc/postfix
> sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_recipient_restrictions = permit_sasl_authenticated,
> permit_mynetworks, reject_unauth_destination
> reject_uknown_recipient_domain, reject_unverified_recipient
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> soft_bounce = no
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual.cf,
> proxy:mysql:/etc/postfix/mysql-alias.cf
> [root@VS2005 ~]#
>
> As far as logs go...
>
> Dec 13 22:33:16 VS2005 postfix/smtp[7510]: 6BE6D8E45C7:
> to=<errol...@enhtech.com>,
> relay=mailscanner.businessgrade.com[66.151.104.42]:25, delay=0.15,
> delays=0.07/0.01/0.03/0.05, dsn=2.0.0, status=sent (250 2.0.0
> lBE3X4Go021787 Message accepted for delivery)
> Dec 13 22:38:16 VS2005 postfix/smtp[7581]: 84D8C8E45C7:
> to=<errol...@enhtech.com>,
> relay=mailscanner.businessgrade.com[66.151.104.42]:25, delay=0.25,
> delays=0.06/0.05/0.09/0.05, dsn=2.0.0, status=sent (250 2.0.0
> lBE3c4cS022926 Message accepted for delivery)
> Dec 13 22:43:16 VS2005 postfix/smtp[7597]: 9A19B8E45C7:
> to=<errol...@enhtech.com>,
> relay=mailscanner.businessgrade.com[66.151.104.42]:25, delay=0.28,
> delays=0.09/0.05/0.05/0.09, dsn=2.0.0, status=sent (250 2.0.0
> lBE3h4SF024052 Message accepted for delivery)
>
Next time, show logs for a _whole_ transaction, from the time the
message is received until it is delivered/bounced/.... In general, a
grep of the queueid (9A19B8E45C7 in the last log line you posted) should
find the related logs. (The above shows nothing more than the fact that
the smtp service sent 3 messages to the mailscanner box. just because
the to=<...> is the same means nothing).
anyway, this not necessary anymore. the loop is caused by a
misconfiguration of mail filtering. The filter passes the message back
to postfix, which then filters the mail, ... consider using a special
(IP,port) on the postfix box and use it to receive filtered mail (only
from the filtering box). see the FILTER README for more details.
BTW. the headers you posted are for a message that was received by
_Sendmail_, not postfix. recipient validation must be implemented on the
edge of the network. once one of your systems accepts mail, you should
not bounce it. It is too late. see the backscatter README.
mouss
> Quoting mouss <mlist...@free.fr>:
>
>>
>> Next time, show logs for a _whole_ transaction, from the time the
>> message is received until it is delivered/bounced/.... In general, a
>> grep of the queueid (9A19B8E45C7 in the last log line you posted)
>> should find the related logs. (The above shows nothing more than the
>> fact that the smtp service sent 3 messages to the mailscanner box. just
>> because the to=<...> is the same means nothing).
>>
>
then your machine is owned ;-p
postfix will log when the message is received, from where, what happened
to (cleanup) and how it was delivered (qmgr). the logs may be in an old
log file, but they must be somewhere.
> A message for a
> good recipient will show lmtp delivering the message to the user's
> mailbox. For users that have an invalid user-name part, but a valid
> domain part, I don't get any more detail than what I've provided.
>
here is an example of logs that you can see for a transaction:
Dec 14 00:05:59 ouzoud postfix/smtpd[26162]: 98A3279123:
client=foo.example.com[192.0.2.1]
=> message is received via smtp from 192.0.2.1
Dec 14 00:05:59 ouzoud postfix/cleanup[3197]: 98A3279123:
message-id=<4761B9CA...@blah.example.com>
=> cleanup show message id
Dec 14 00:05:59 ouzoud postfix/qmgr[28609]: 98A3279123:
from=<us...@example.com>, size=4753, nrcpt=1 (queue active)
=> qmgr shows sender address, ...
Dec 14 00:06:11 ouzoud postfix/smtp[24978]: 98A3279123:
to=<f...@here.example>, relay=192.168.1.2[1192.168.1.2]:10024, delay=11,
delays=0.24/0.02/0.01/11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
as DB7EB7912A)
=> message is relayed with the "smtp" transport.
Dec 14 00:06:11 ouzoud postfix/qmgr[28609]: 98A3279123: removed
=> qmgr says it's done with the message
you only showed the postfix/smtp log line.
>> anyway, this not necessary anymore. the loop is caused by a
>> misconfiguration of mail filtering. The filter passes the message back
>> to postfix, which then filters the mail, ... consider using a special
>> (IP,port) on the postfix box and use it to receive filtered mail (only
>> from the filtering box). see the FILTER README for more details.
>
> I'll read the filter readme thanks..
>
>> BTW. the headers you posted are for a message that was received by
>> _Sendmail_, not postfix. recipient validation must be implemented on
>> the edge of the network. once one of your systems accepts mail, you
>> should not bounce it. It is too late. see the backscatter README.
>
> Yes, we validate on the network edge. The problem? Postfix is not
> rejecting invalid users.
do you validate users on the Sendmail that runs on the edge? If not, you
need to do that as well. because if sendmail accepts the message, but
then postfix later rejects it, the sendmail box will send a bounce, and
this is bad (backscatter).
> This has been the issue I need to resolve and
> what I've been trying to communicate (probably inefficiently. Our
> postfix system is a migration of email from Imail. Our address
> validation worked fine there. Now my issue is one of
> how-to-configure-postfix, but I want to be clear that our mail routing
> is near flawless.
>
> Thanks for your help.. I'll read the filter read me and get back with
> you :)
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
>
>