1

Topic: Problem with outgoing mail, only to one domain.

==== Required information ====
- iRedMail version: latest smile
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Debian Squeeze
- Related log if you're reporting an issue:
====

Hi,

Im having problems with sending emails to our partner. They doesn't receive our emails and we receive no warrning/error messages. Looks like emails are gone somewhere.
here is a log from mail.log:

Jul 30 12:58:15 mail amavis[1241]: (01241-13) Passed CLEAN, MYNETS/MYUSERS LOCAL [10.0.0.12] [10.0.0.12] <xxx@yyy.com> -> <aaa@bbb.pl>, Message-ID: <bda576715f33e10f02599ca19c6aed15@10.0.0.12>, mail_id: uRx+Iv7VbAIB, Hits: -8.807, size: 12298, queued_as: AA1B44F402B, 392 ms
Jul 30 12:58:15 mail postfix/smtp[1421]: 398714F4027: to=<ccc@bbb.pl>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=1/15/0.03/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=01241-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as AA1B44F402B)
Jul 30 12:58:15 mail postfix/smtp[1600]: AA1B44F402B: enabling PIX workarounds: disable_esmtp delay_dotcrlf for relay1.luxmed.pl[91.220.39.10]:25
Jul 30 12:58:16 mail amavis[1241]: (01241-14) Passed CLEAN, MYNETS/MYUSERS LOCAL [10.0.0.12] [10.0.0.12] <xxx@yyy.com> -> <aaa@bbb.pl>, Message-ID: <bda576715f33e10f02599ca19c6aed15@10.0.0.12>, mail_id: 98hsAgtIoUOY, Hits: -8.807, size: 12298, queued_as: 0C0BA4F402C, 329 ms
Jul 30 12:58:16 mail postfix/smtp[1421]: 398714F4027: to=<aaa@bbb.pl>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=1/15/0.02/0.35, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=01241-14, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0C0BA4F402C)
Jul 30 12:58:16 mail postfix/smtp[1604]: 0C0BA4F402C: enabling PIX workarounds: disable_esmtp delay_dotcrlf for relay1.luxmed.pl[91.220.39.10]:25
Jul 30 13:06:18 mail postfix/smtp[2234]: CE18D17A010: enabling PIX workarounds: disable_esmtp delay_dotcrlf for relay1.luxmed.pl[91.220.39.10]:25
Jul 30 13:06:18 mail postfix/smtp[1595]: 2FA0F17A009: enabling PIX workarounds: disable_esmtp delay_dotcrlf for relay1.luxmed.pl[91.220.39.10]:25
Jul 30 13:08:16 mail postfix/smtp[1600]: AA1B44F402B: to=<ccc@bbb.pl>, relay=relay1.luxmed.pl[91.220.39.10]:25, delay=601, delays=0.02/0.03/0.23/600, dsn=4.4.2, status=deferred (conversation with relay1.luxmed.pl[91.220.39.10] timed out while sending end of data -- message may be sent more than once)
Jul 30 13:08:16 mail postfix/smtp[1604]: 0C0BA4F402C: to=<aaa@bbb.pl>, relay=relay1.luxmed.pl[91.220.39.10]:25, delay=600, delays=0.03/0.02/0.11/600, dsn=4.4.2, status=deferred (conversation with relay1.luxmed.pl[91.220.39.10] timed out while sending end of data -- message may be sent more than once)

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: Problem with outgoing mail, only to one domain.

PawelRaczkowski wrote:

Jul 30 13:08:16 mail postfix/smtp[1604]: 0C0BA4F402C: to=<aaa@bbb.pl>, relay=relay1.luxmed.pl[91.220.39.10]:25, delay=600, delays=0.03/0.02/0.11/600, dsn=4.4.2, status=deferred (conversation with relay1.luxmed.pl[91.220.39.10] timed out while sending end of data -- message may be sent more than once)

This email was relayed to "relay1.luxmed.pl", and connection to this server timed out.

3

Re: Problem with outgoing mail, only to one domain.

ZhangHuangbin wrote:
PawelRaczkowski wrote:

Jul 30 13:08:16 mail postfix/smtp[1604]: 0C0BA4F402C: to=<aaa@bbb.pl>, relay=relay1.luxmed.pl[91.220.39.10]:25, delay=600, delays=0.03/0.02/0.11/600, dsn=4.4.2, status=deferred (conversation with relay1.luxmed.pl[91.220.39.10] timed out while sending end of data -- message may be sent more than once)

This email was relayed to "relay1.luxmed.pl", and connection to this server timed out.

I understand, but my connection to this server is very good. And if i'm sending emails from another account from my domain to luxmed.pl all are sent ok. This is only for 1 account. They saied we are on white list and no check for our mails is active.

4

Re: Problem with outgoing mail, only to one domain.

No idea yet. Could you please show us output of command "postconf -n" to help troubleshoot? Do you have any custom settings in Postfix?

5

Re: Problem with outgoing mail, only to one domain.

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
message_size_limit = 104857600
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhost                      name
mydomain = pl.xxx.com
myhostname = mail.pl.xxx.com
mynetworks = 127.0.0.0/8, aaa.ccc.mmm.122, www.ddd.rrrr.227
mynetworks_style = subnet
myorigin = mail.pl.april.com
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $myde                      stination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domai                      ns $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps                       $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_doma                      ins $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_se                      nder_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf,                       proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:                      mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_hel                      o_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_reci                      pient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted                      _recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_                      sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, re                      ject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:my                      sql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy                      :mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/c                      atchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:1001
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains                      .cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 1001
virtual_transport = dovecot
virtual_uid_maps = static:1001

No i don't have any custom settings.

6

Re: Problem with outgoing mail, only to one domain.

No idea yet, maybe caused by Cisco router stands front of your mail server.
You can try to increase Postfix parameter "smtp_data_done_timeout" to "800s" (default is 600s) and see whether it occurs again.

7

Re: Problem with outgoing mail, only to one domain.

i do not have Cisco, im using Netasq. I'll try incarace this parameter and we will see.

8 (edited by Hoper 2014-06-23 14:51:00)

Re: Problem with outgoing mail, only to one domain.

I have this truble too.
Jun 16 12:19:08 post-lin64-s4 postfix/smtp[11199]: 52F9048744: enabling PIX workarounds: disable_esmtp delay_dotcrlf for dc2.dbbel.com[86.57.253.57]:25

I search the next:
http://www.arschkrebs.de/postfix/postfi … bugs.shtml - bug in Cisco PIX (may be in new version iOS he fix it, dc2.dbbel.com use version iOS with bug sad )
=========================
Problem description:

SMTP session is disconnected during DATA phase of a SMTP transaction for mail messages with a DKIM signature, where the start of a string "content-type" or "content-transfer-encoding" in a tag's value of an "h" tag of a DKIM signature happens to fall on a packet boundary at a start of a packet. The session is dropped with the next packet containing a Content-Type or Content-Transfer-Encoding header field.

Platform:
ASA5580-40
Cisco Adaptive Security Appliance Software Version 8.1(2)

To be fixed in releases 8.1.2(22) and 8.1.3
===========================

On Fri, Mar 23, 2012 at 12:43 PM, Giles Coochey <gi...@coochey.net> wrote: 
> On 23/03/2012 15:37, francis picabia wrote: 
>> 
>> On Fri, Mar 23, 2012 at 11:33 AM, francis picabia<fpic...@gmail.com> 
>>  wrote: 
>>> 
>>> We have a difficulty delivering to a site running a barracuda appliance. 
>>> I can email them from a gmail account, or via a telnet session, 
>>> but not via postfix on our SMTP gateway. I've contacted the remote 
>>> site from my gmail to discuss it but no progress so far. 
>>> 
>>> I have the default pix conf settings and we are running postfix 2.8.6 
>>> 
>>> In the logs we see it times out. 
>>> 
>>> Mar 21 15:01:30 thabit postfix-internal/smtpd[9296]: 6E7211F44DD: 
>>> client=localhost[127.0.0.1] 
>>> Mar 21 15:01:30 thabit postfix-internal/cleanup[9274]: 6E7211F44DD: 
>>> message-id=<moodlepo...@acorn.mydomain.ca> 
>>> Mar 21 15:01:30 thabit postfix-internal/qmgr[28954]: 6E7211F44DD: 
>>> from=<lms....@mydomain.ca>, size=6449, nrcpt=1 (queue active) 
>>> Mar 21 15:01:30 thabit postfix-internal/lmtp[9288]: 2A0561F44EE: 
>>> to=<user...@theirdomain.ca>, relay=127.0.0.1[127.0.0.1]:10026, 
>>> delay=189085, delays=189084/0.03/0.01/0.3, dsn=2.0.0, status=sent (250 
>>> 2.0.0 Ok, id=09101-06, from MTA([127.0.0.1]:10027): 250 2.0.0 Ok: 
>>> queued as 6E7211F44DD) 
>>> Mar 21 15:01:30 thabit postfix-internal/smtp[9198]: 6E7211F44DD: 
>>> enabling PIX workarounds: disable_esmtp delay_dotcrlf for 
>>> barracuda1.theirdomain.ca[24.224.X.Y]:25 
>>> Mar 21 15:11:30 thabit postfix-internal/smtp[9198]: 6E7211F44DD: 
>>> conversation with barracuda1.theirdomain.ca[24.224.X.Y] timed out 
>>> while sending end of data -- message may be sent more than once 
>>> 
>>> I saw an older article about delivering to a barracuda gateway and 
>>> tried the solution with 
>>> 
>>> smtp_discard_ehlo_keyword_address_maps = 
>>> hash:/etc/postfix-internal/smtp_discard_ehlo 
>>> 
>>> and that file containing: 
>>> 
>>> 24.224.X.Y      pipelining 
>>> 
>>> This setting made no difference in the result and error. 
>>> 
>>> I wonder if the pix settings are not the right fit for this case? 
>>> 
>>> Is there a method to not use the pix workarounds for a single 
>>> destination? 
>> 
>> I read another old thread about Cisco firewalls associated with the 
>> pix workaround. 
>> 
>> When I telnet to the remote site, the response shows: 
>> 
>> 220 ************************************************************ 
>> 
>> Is this a sign of the Cisco firewall or could it be something else masked? 
>> 
>> Should I look at suppressing dkim headers? 
>> 
> It is a sign of the PIX firewall removing data. 
> 
> To disable: 
> 
> 1. Logon to firewall command line 
> 2. type enable 
> 3. enter enable password or secret 
> 4. type configure terminal 
> 5. use 'no fixup protocol smtp 25' to disable SMTP protocol mangling 
> 6. type 'write memory' to save config to device 
> 7. restart or reload the PIX firewall 

Maybe try to change:
===================
       smtp_pix_workaround_delay_time (10s)
              How   long   the  Postfix  SMTP  client  pauses  before  sending
              ".<CR><LF>"  in  order  to  work   around   the   PIX   firewall
              "<CR><LF>.<CR><LF>" bug.

       smtp_pix_workaround_threshold_time (500s)
              How long a message must be queued before the Postfix SMTP client
              turns on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for
              delivery through firewalls with "smtp fixup" mode turned on.

       smtp_pix_workarounds (disable_esmtp, delay_dotcrlf)
              A  list  that  specifies  zero or more workarounds for CISCO PIX
              firewall bugs.

       smtp_pix_workaround_maps (empty)
              Lookup tables, indexed by the remote SMTP server  address,  with
              per-destination workarounds for CISCO PIX firewall bugs.
===================
What say ZhangHuangbin?
How fix it's trouble on our side?
Disabled ESMTP global - it's not good idea.
But may be disabled for one server - dc2.dbbel.com[86.57.253.57]?

9

Re: Problem with outgoing mail, only to one domain.

The latest Postfix fixes this issue (no warning anymore).

10

Re: Problem with outgoing mail, only to one domain.

In what version is fixed it?
My version postfix:
#postconf -d | grep mail_version
mail_version = 2.9.6
and I have this issue  sad

11

Re: Problem with outgoing mail, only to one domain.

As i can remember, it's 2.10.x.

12

Re: Problem with outgoing mail, only to one domain.

ZhangHuangbin wrote:

As i can remember, it's 2.10.x.

Hm,
#uname -a
Linux server-mail 3.5.0-51-generic #77~precise1-Ubuntu SMP Thu Jun 5 00:48:28 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
I updated soft on this server (ubuntu 12.04, iRedMail 0.8.6, LDAP )
#sudo apt-get update && sudo apt-get upgrade
and latest version the postfix in official repositories - 2.9.6
How do it fix?

13

Re: Problem with outgoing mail, only to one domain.

Did you check your Cisco router/firewall? Any option to disable this?

14

Re: Problem with outgoing mail, only to one domain.

ZhangHuangbin wrote:

Did you check your Cisco router/firewall? Any option to disable this?

It don't my cisco firewall, it is on other side.

15

Re: Problem with outgoing mail, only to one domain.

No idea yet. I suggest you post this issue in Postfix mailing list.