Hi all,

I have been googling around the past day, but I can't seem to get this
fixed:

<test2 at mydomain.com>: host mydomain.com[1.2.3.4] said: 550 5.1.1
    <test2 at mydomain.com>: Recipient address rejected: User unknown in local
    recipient table (in reply to RCPT TO command)

Final-Recipient: rfc822;test2 at mydomain.com
Original-Recipient: rfc822; test2 at mydomain.com
Action: failed
Status: 5.1.1
Remote-MTA: dns; test2 at mydomain.com
Diagnostic-Code: smtp; 550 5.1.1 <test2 at mydomain.com>: Recipient address
    rejected: User unknown in local recipient table

These are the most important parts from the config files:

/etc/postfix/main.cf
myhostname = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.com, <cut away>, localhost
relayhost = smtprelay.ugent.be
mynetworks = 127.0.0.0/8 # [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = #procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1



DEFAULT_EMAIL_HOST and DEFAULT_URL_HOST are both set to mydomain.com in
/etc/mailman/mm_cfg.py.
MTA=None

/etc/postfix/transport contains:
mydomain.com mailman:

I followed the guide at https://help.ubuntu.com/community/Mailman

Any help, please? I'm getting pretty desperate...

Greetings,
Sergei

--
Sergei Maertens
Commissie ICT Home Boudewijn 2010-2011
ICT Home Konvent 2010-2011
Vaste Medewerker Web/ICT VTK 2009-2011


  • Mark Sapiro at Nov 23, 2010 at 10:57 pm

    Sergei Maertens wrote:
    > [...]
    > I followed the guide at https://help.ubuntu.com/community/Mailman

    Which is for installation of the Debian/Ubuntu Mailman package using
    the officially unsupported by the GNU Mailman project
    postfix_to_mailman.py script for delivery to Mailman.

    That said, there is something amiss, as your list mail is apparently
    being handled by Postfix's local transport (per the "User unknown in
    local recipient table" error) and not by the 'mailman' transport
    specified in /etc/postfix/transport.

    Is the mailman transport defined in master.cf?

    --
    Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
    San Francisco Bay Area, California    better use your sense - B. Dylan
  • Scott Race at Nov 23, 2010 at 11:26 pm
    Hello,

    Starting Friday this particular office started having massive Internet trouble (dual T1s). Running a speedtest shows 2.75Mbps download (fine) and about .09Mbps upload (not fine). There are about 15 active lists on this server, a few of the lists have a few thousand members.

    We traced the network issues to our mailman server. With Mailman server turned off, network is fine. As soon as it comes back up, bandwidth consumed.

    Using Postfix as the MTA, set the default_process_limit to 3 in the master.cf file. Other settings are postfix defaults (main.cf)

    Haven't been able to figure out exactly what's up - but I do know if I set an iptables rule to block all inbound port 25 traffic, issues go away - so...

    I've done some basic testing for open relays, so far I have not found anything indicating it's an open relay. Packet sniffing shows connections from a number of IP addresses to the Mailman server. Outside test shows the hostname is not an open relay, and I can't telnet on port 25 with standard HELO command. All internal mail comes to a Barracuda spam filter unit.

    /usr/local/mailman/logs/post shows 19 posts today to the various lists.

    from my main.cf:

    mynetworks = 172.10.0.0/16, 127.0.0.0/8
    #relay_domains = $mydestination
    mydestination = $myhostname, $mydomain, localhost
    myhostname = lists.lists.mydomain.com
    mydomain = lists.mydomain.com


    At this point I can't tell if I have a Postfix problem or Mailman problem. Any ideas? Thanks!!

    Scott
  • Mark Sapiro at Nov 24, 2010 at 12:15 am

    Scott Race wrote:
    > Haven't been able to figure out exactly what's up - but I do know if I set an iptables rule to block all inbound port 25 traffic, issues go away - so...

    So, assuming you are also blocking port 25 connects from the local host
    via the loopback interface, you are blocking Mailman's connects to
    Postfix, thus preventing Mailman from connecting to Postfix and the
    resultant sending from Postfix of whatever Mailman is sending.

    Take a look at Mailman's queues, particularly virgin, out and retry to
    see what's there. Use Mailman's bin/dumpdb to see an individual
    entry's message and metadata or bin/show_quefiles to see one or more
    entries' messages.


    > [...]
    > At this point I can't tell if I have a Postfix problem or Mailman problem. Any ideas? Thanks!!

    I suspect the actual network traffic is coming from Postfix sending the
    stuff that Mailman is delivering to it. The question is what is
    Mailman doing. Check the queues as above and also Mailman's smtp and
    perhaps other logs.

    --
    Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
    San Francisco Bay Area, California    better use your sense - B. Dylan
  • Scott Race at Nov 24, 2010 at 7:16 pm
    Thanks for the reply.

    So it sounds like my iptables rule:

    iptables -A INPUT -p tcp --dport 25 -j REJECT

    also blocks outbound mail too. Is there a preferred way to secure mailman SMTP traffic with iptables? In our case, we would just need an inbound filter that only accepts mail from a few hosts, I thought this would do it, but mailman wouldn't send mail with rules like this:

    # accept mail from two hosts, drop the rest
    iptables -A INPUT -p tcp -s 192.168.1.245 --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.1.246 --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --dport 25 -j REJECT

    For the queues - I guess it's fine today - still reviewing the logs, and I will use those bin utilities to see the messages, that will be helpful...thanks!!

    Scott


    -----Original Message-----
    From: Mark Sapiro [mailto:mark at msapiro.net]
    Sent: Tuesday, November 23, 2010 4:16 PM
    To: Scott Race; mailman-users at python.org
    Subject: Re: [Mailman-Users] Mailman server consuming entire Internet pipe (dualT1)

    [...]
  • Mark Sapiro at Nov 24, 2010 at 11:49 pm

    On 11/24/2010 11:16 AM, Scott Race wrote:
    > Thanks for the reply.
    >
    > So it sounds like my iptables rule:
    >
    > iptables -A INPUT -p tcp --dport 25 -j REJECT
    >
    > also blocks outbound mail too. Is there a preferred way to secure mailman SMTP traffic with iptables? In our case, we would just need an inbound filter that only accepts mail from a few hosts, I thought this would do it, but mailman wouldn't send mail with rules like this:
    >
    > # accept mail from two hosts, drop the rest
    > iptables -A INPUT -p tcp -s 192.168.1.245 --dport 25 -j ACCEPT
    > iptables -A INPUT -p tcp -s 192.168.1.246 --dport 25 -j ACCEPT
    > iptables -A INPUT -p tcp --dport 25 -j REJECT

    I can't really answer that without knowing much more detail about your
    Mailman/Barracuda/Postfix configuration, but by default, Mailman
    delivers output (all list posts and other messages FROM Mailman) via
    SMTP to the MTA listening on localhost port 25 (127.0.0.1:25). If you
    reject packets addressed to port 25, Mailman won't be able to
    deliver anything. Every message in the out/ queue will result in a
    connection refused upon attempted delivery and will be logged in
    Mailman's smtp-failure log and put in the retry/ queue to be retried at
    intervals of DELIVERY_RETRY_WAIT (default 1 hour) for a total time of
    DELIVERY_RETRY_PERIOD (default 5 days).


    Accepting port 25 connects from 192.168.1.245 and 192.168.1.246 probably
    won't help at all with Mailman's outgoing delivery as those connects
    come from localhost (127.0.0.1).

    As far as delivery of Mail to Mailman is concerned, this mail is queued
    by Postfix in Mailman's queues so it gets to the Barracuda appliance
    somehow which then delivers it to Postfix on some port other than 25 and
    Postfix either pipes it to Mailman's mail wrapper based on aliases or
    perhaps via some script like postfix_to_mailman.py depending on how
    Postfix is configured, and Mailman's Mail wrapper queues the message for
    Mailman.

    If you want to secure all SMTP traffic, I suggest you set up a separate
    SMTP listener in Postfix on some unused port and tell Mailman to deliver
    to that port by setting SMTPPORT in mm_cfg.py. Then you can block port
    25 with iptables or just configure Postfix to not listen on port 25 at all.

    --
    Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
    San Francisco Bay Area, California    better use your sense - B. Dylan
  • Andrew Hodgson at Nov 24, 2010 at 6:34 pm
    Scott Race wrote:

    > [...]
    > I've done some basic testing for open relays, so far I have not found anything indicating it's an open relay. Packet sniffing shows connections from a number of IP addresses to the Mailman server. Outside test shows the hostname is not an open relay, and I can't telnet on port 25 with standard HELO command. All internal mail comes to a Barracuda spam filter unit.
    > /usr/local/mailman/logs/post shows 19 posts today to the various lists.

    The Postfix logs would be of more benefit I think here, as well as the mail queue.

    You say you route mails through a Barracuda host, do you allow traffic directly into this machine on port 25 externally? Is this machine hosting lists only, and if so, how is the Barracuda/Postfix server verifying recipients as early as possible (in case the domain is receiving large amounts of bounced mail and is rejecting with a full NDR and not a bounce at SMTP stage)? Does outbound mail get delivered direct from Postfix or are you smarthosting to the Barracuda?

    Thanks.
    Andrew.
  • Scott Race at Nov 24, 2010 at 6:55 pm
    Was scrolling through the maillog just now, nothing out of the ordinary other than list traffic that I can tell.

    So no, all inbound mail comes to the Barracuda, gets cleaned and sent to the Mailman server. Each day about 600 inbound junk mails get blocked and around 50 legit emails. It is hosting just lists only, no other inbound or outbound mail. Outbound does get sent directly out the Postfix and is not sent through any smart host.

    Good question on the verifying recipients - not quite sure the exact answer - I think the mailman server is processing bounces because I'll see bounced emails in the log to "johnsmith at lists.mydomain.com does not exist". So invalid recipients do seem to hit the Mailman server. Maybe filtering recipients at the Barracuda could help?

    On the note of the traffic - today everything is fine. Not sure why for 5 days it was consuming the pipe, but have not found any indication of an open relay or malicious intent. We did throttle back the simultaneous connections, maybe that will help a bit.

    My Postfix maillog shows a ton of these:

    (lost connection with spool.santarosa.org[216.222.240.7] while sending end of data -- message may be sent more than once)

    and

    (conversation with mail.laguna-hills.ca.us[68.203.215.26] timed out while sending end of data -- message may be sent more than once)

    11,968 matches of (lost connection) and 9202 matches of (conversation with) in a log file covering 4 days (Nov 21 01:18 - Nov 24 9:07).

    One thing that did change was the internal DNS servers on the network, I almost have to assume it has to do with that.....


    -----Original Message-----
    From: Andrew Hodgson [mailto:andrew at hodgsonfamily.org]
    Sent: Wednesday, November 24, 2010 10:34 AM
    To: Scott Race; mailman-users at python.org
    Subject: RE: [Mailman-Users] Mailman server consuming entire Internet pipe (dual T1)

    [...]
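
A per-destination tally of the two deferral messages quoted in this post, as an added example that is not part of the thread: it counts failures and distinct queue IDs per remote host, which shows whether a few destinations account for the repeated sends. The sample log lines are constructed (only the two host names and the wording of the messages come from the post); the function name and the standard syslog field layout are assumptions.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is constructed test data in Postfix maillog style.
SAMPLE_LOG='Nov 23 10:01:02 lists postfix/smtp[2101]: AAA111: to=<user1@example.com>, relay=spool.santarosa.org[216.222.240.7]:25, delay=612, status=deferred (lost connection with spool.santarosa.org[216.222.240.7] while sending end of data -- message may be sent more than once)
Nov 23 10:31:40 lists postfix/smtp[2144]: AAA111: to=<user1@example.com>, relay=spool.santarosa.org[216.222.240.7]:25, delay=2410, status=deferred (lost connection with spool.santarosa.org[216.222.240.7] while sending end of data -- message may be sent more than once)
Nov 23 10:32:05 lists postfix/smtp[2150]: BBB222: to=<user2@example.com>, relay=spool.santarosa.org[216.222.240.7]:25, delay=305, status=deferred (lost connection with spool.santarosa.org[216.222.240.7] while sending end of data -- message may be sent more than once)
Nov 23 10:40:17 lists postfix/smtp[2161]: CCC333: to=<user3@example.com>, relay=mail.laguna-hills.ca.us[68.203.215.26]:25, delay=640, status=deferred (conversation with mail.laguna-hills.ca.us[68.203.215.26] timed out while sending end of data -- message may be sent more than once)
Nov 23 10:41:00 lists postfix/smtp[2170]: DDD444: to=<user4@example.com>, relay=mx.example.net[192.0.2.10]:25, delay=2, status=sent (250 2.0.0 Ok)'

# tally_deferrals: read a maillog on stdin and print one line per
# (failure kind, remote host):  <failures> <distinct queue IDs> <kind> <host>
# sorted with the noisiest destination first.
tally_deferrals() {
    awk '
    /while sending end of data/ &&
    match($0, /\((lost connection|conversation) with [^ ]+\[[0-9.]+\]/) {
        s = substr($0, RSTART + 1, RLENGTH - 1)      # drop the opening "("
        kind = (s ~ /^lost/) ? "lost-connection" : "timed-out"
        sub(/^.* with /, "", s)                      # keep host[ip]
        sub(/\[.*$/, "", s)                          # keep host only
        qid = $6; sub(/:$/, "", qid)                 # queue ID follows the pid
        key = kind " " s
        fails[key]++
        if (!((key, qid) in seen)) { seen[key, qid] = 1; msgs[key]++ }
    }
    END { for (k in fails) print fails[k], msgs[k], k }' |
    sort -k1,1nr -k3
}

printf '%s\n' "$SAMPLE_LOG" | tally_deferrals
```

A failure count well above the distinct queue ID count for one host means the same messages are being retried to that destination rather than new mail being generated.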
  • Scott Race at Nov 24, 2010 at 6:58 pm
    In going through some security procedures yesterday, we decided to change our list passwords on all our lists.

    The new password works, as does the old one still. Restarting mailmanctl process does not fix.

    We are running Mailman 2.1.13 on RHEL5.

    Any ideas? Haven't restarted the server yet.
    Thanks.

    Scott
  • Andrew Hodgson at Nov 24, 2010 at 7:14 pm

    Scott Race wrote:
    > In going through some security procedures yesterday, we decided to change our list passwords on all our lists.
    > The new password works, as does the old one still. Restarting mailmanctl process does not fix.

    If the list shared the old password with the site password, then using the old password (i.e., the site password) will get you past most password prompts in Mailman.

    http://wiki.list.org/pages/viewpage.action?pageId=4030543

    Andrew.

Discussion Overview
group: mailman-users
categories: python
posted: Nov 23, '10 at 9:10p
active: Nov 24, '10 at 11:49p
posts: 10
users: 4
website: list.org
