After migrating mail to NS8, I can't receive

EddieA · March 23, 2024, 12:17am

After migrating my mail from NS7 → NS8 I can no longer receive mail addressed to me. Here’s the MailBoxes:

And what happens if I try and send something to myself:

root@The-Tardis:~# telnet 192.168.0.225 25
Trying 192.168.0.225...
Connected to 192.168.0.225.
Escape character is '^]'.
220 ns8.bogolinux.net ESMTP Postfix
helo hi
250 ns8.bogolinux.net
mail from: <me@home.net>
250 2.1.0 Ok
rcpt to: <eddie@bogolinux.net>
554 5.7.1 <eddie@bogolinux.net>: Recipient address rejected: access denied
^Cquit
quit
Connection closed by foreign host.
root@The-Tardis:~# telnet 192.168.0.225 25
Trying 192.168.0.225...
Connected to 192.168.0.225.
Escape character is '^]'.
220 ns8.bogolinux.net ESMTP Postfix
helo hi
250 ns8.bogolinux.net
mail from: <me@home.net>
250 2.1.0 Ok
rcpt: <Eddie@bogolinux.net>
221 2.7.0 Error: I can break rules, too. Goodbye.
Connection closed by foreign host.
root@The-Tardis:~#

Cheers.

davidep · March 23, 2024, 8:49am

I’m not sure what’s happening: “access denied”.

Check the destination address is not internal Mail server — NS8 documentation
You’re connecting to port 25. Clients must use port 587 with authentication to be granted relay permission Mail server — NS8 documentation

EddieA · March 23, 2024, 6:10pm

I was simulating what I saw when mail was sent to me from an external source. Here’s what was logged by my mail receptor the day before I migrated the mail:

Mar 21, 2024, 16:00:08 Session 0: connection from 31.3.104.34 accepted on 192.168.0.252:25
Mar 21, 2024, 16:00:08 Session 0: 220 Nethserver.BogoLinux.net ESMTP Postfix
Mar 21, 2024, 16:00:08 Session 0: EHLO smtp.tuxis.nl
Mar 21, 2024, 16:00:08 Session 0: 250-Nethserver.BogoLinux.net
Mar 21, 2024, 16:00:08 Session 0: 250-PIPELINING
Mar 21, 2024, 16:00:08 Session 0: 250-SIZE 20000000
Mar 21, 2024, 16:00:08 Session 0: 250-VRFY
Mar 21, 2024, 16:00:08 Session 0: 250-ETRN
Mar 21, 2024, 16:00:08 Session 0: 250-ENHANCEDSTATUSCODES
Mar 21, 2024, 16:00:08 Session 0: 250-8BITMIME
Mar 21, 2024, 16:00:08 Session 0: 250 DSN
Mar 21, 2024, 16:00:08 Session 0: MAIL FROM:<root@pbs001.tuxis.net> SIZE=2758
Mar 21, 2024, 16:00:08 Session 0: 250 2.1.0 Ok
Mar 21, 2024, 16:00:08 Session 0: RCPT TO:<Eddie@BogoLinux.net>
Mar 21, 2024, 16:00:08 Session 0: 250 2.1.5 Ok
Mar 21, 2024, 16:00:08 Session 0: DATA
Mar 21, 2024, 16:00:08 Session 0: X-CleanMail-MessageID: 65FCBBF800000022
Mar 21, 2024, 16:00:08 Session 0: 354 Start mail input; end with <CRLF>.<CRLF>
Mar 21, 2024, 16:00:09 Session 0: Subject: Pruning datastore 'DB1696_DavyJonesLocker' successful
Mar 21, 2024, 16:00:09 Session 0: From: root@pbs001.tuxis.net
Mar 21, 2024, 16:00:09 Session 0: To: Eddie@BogoLinux.net
Mar 21, 2024, 16:00:09 Session 0: (DNSBL Filter) query start: 34.104.3.31.bl.spamcop.net
Mar 21, 2024, 16:00:09 Session 0: (DNSBL Filter) query start: 34.104.3.31.ix.dnsbl.manitu.net
Mar 21, 2024, 16:00:09 Session 0: received end of data, mail size 2kB
Mar 21, 2024, 16:00:09 Session 0: (Fingerprint Filter) Fingerprint hash: 58AABZSDm0vceIgX0uy+W3ZV48M=
Mar 21, 2024, 16:00:09 Session 0: (Fingerprint Filter) Fingerprint hash: kZ/N89+LKFrMl7oQq51bgXHt8Ok=
Mar 21, 2024, 16:00:09 Session 0: (Fingerprint Filter) Fingerprint hash: B5fk3bA/7XHVkdUJ62d/R9ffwQQ=
Mar 21, 2024, 16:00:09 Session 0: (Fingerprint Filter) Fingerprint hash: ouLO7Bz9CqYbcNQd2UJiodziDjA=
Mar 21, 2024, 16:00:09 Session 0: (Fingerprint Filter) Fingerprint hash: kghqFGknCUBiU8pxCPqwGo1Anu4=
Mar 21, 2024, 16:00:09 Session 0: (Fingerprint Filter) Fingerprint hash: UstPyrTSfX5kKa9EJQuJsAqJrb4=

And the day after migrating:

Mar 22, 2024, 16:00:08 Session 0: connection from 31.3.104.34 accepted on 192.168.0.252:25
Mar 22, 2024, 16:00:08 Session 0: 220 ns8.bogolinux.net ESMTP Postfix
Mar 22, 2024, 16:00:08 Session 0: EHLO smtp.tuxis.nl
Mar 22, 2024, 16:00:08 Session 0: 250-ns8.bogolinux.net
Mar 22, 2024, 16:00:08 Session 0: 250-PIPELINING
Mar 22, 2024, 16:00:08 Session 0: 250-SIZE 100000000
Mar 22, 2024, 16:00:08 Session 0: 250-VRFY
Mar 22, 2024, 16:00:08 Session 0: 250-ETRN
Mar 22, 2024, 16:00:08 Session 0: 250-ENHANCEDSTATUSCODES
Mar 22, 2024, 16:00:08 Session 0: 250-8BITMIME
Mar 22, 2024, 16:00:08 Session 0: 250-DSN
Mar 22, 2024, 16:00:08 Session 0: 250 SMTPUTF8
Mar 22, 2024, 16:00:08 Session 0: MAIL FROM:<root@pbs001.tuxis.net> SIZE=2758
Mar 22, 2024, 16:00:08 Session 0: 250 2.1.0 Ok
Mar 22, 2024, 16:00:08 Session 0: RCPT TO:<Eddie@BogoLinux.net>
Mar 22, 2024, 16:00:08 Session 0: 554 5.7.1 <Eddie@BogoLinux.net>: Recipient address rejected: access denied
Mar 22, 2024, 16:00:08 Session 0: DATA
Mar 22, 2024, 16:00:08 Session 0: 554 No valid recipients
Mar 22, 2024, 16:00:08 Session 0: QUIT
Mar 22, 2024, 16:00:08 Session 0: connection closed by client
Mar 22, 2024, 16:00:08 Session 0: 221 2.0.0 Bye
Mar 22, 2024, 16:00:08 Session 0: connection from 31.3.104.34 closed

Cheers.

davidep · March 23, 2024, 7:32pm

What is the user domain name? Is it AD or OpenLDAP?

EddieA · March 23, 2024, 7:41pm

On the NS7 side, it’s the Samba AD.

And after poking around a bit more, I’m guessing that nothing that needs user verification on NS8 is going to work until I do the AD migration, as the accounts aren’t available in NS8 before then.

[root@NS8 ~]# id eddie
id: ‘eddie’: no such user
[root@NS8 ~]# id plex
id: ‘plex’: no such user
[root@NS8 ~]#

Cheers.

davidep · March 23, 2024, 8:16pm

It is normal: ad users are not Unix users.

Check your Mailboxes page: you should see eddie there.

BTW, what is the ad domain name?

EddieA · March 23, 2024, 10:33pm

Right, but I thought in this half-migrated state, NS8 was passing this type of inquiry over to NS7, where the same command displays the AD information.

‘NS8.bogolinux.net’

Cheers.

davidep · March 24, 2024, 8:42am

Did you use mixed case in the domain names configuration? E.g. BogoLinux.net and bogolinux.net

Can you attach the Postfix configuration?

You can obtain it with

runagent -m mail1 podman exec -i postfix postconf -n

Replace mail1 as necessary

EddieA · March 24, 2024, 7:38pm

Unfortunately I do have a habit of doing that.

[root@NS8 ~]# runagent -m mail1 podman exec -i postfix postconf -n
address_verify_cache_cleanup_interval = 4h
address_verify_map =
address_verify_negative_cache = yes
address_verify_negative_expire_time = 2h
address_verify_negative_refresh_time = 15m
address_verify_positive_expire_time = 24h
address_verify_positive_refresh_time = 8h
alias_database =
alias_maps =
command_directory = /usr/sbin
compatibility_level = 3.6
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_delivery =
debug_peer_level = 2
debug_peer_list = ${debug_delivery?{$mynetworks}:{}}
debug_rewrite =
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd / & sleep 5
html_directory = no
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 120h
message_size_limit = 100000000
meta_directory = /etc/postfix
mydestination =
myhostname = ns8.bogolinux.net
mynetworks = 127.0.0.1/32 10.5.4.0/24 sqlite:$meta_directory/mynetworks.cf
myorigin = bogolinux.net
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/readme
recipient_delimiter = +
relay_domains =
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = reject_non_fqdn_recipient, check_recipient_access inline:{ BogoLinux.net=reject_unverified_recipient bogolinux.net=reject_unverified_recipient },
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access inline:{{ bogolinux.net = REJECT access denied }}, check_recipient_access sqlite:$meta_directory/internal_access.cf,
smtpd_sasl_local_domain = $myorigin
smtpd_sasl_path = /var/lib/umail/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender,
smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /etc/ssl/postfix/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/ssl/postfix/dh.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
transport_maps = inline:{ bogolinux.net=lmtp:unix:/var/lib/umail/lmtp }
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = ${debug_rewrite?{}:{lookup failed}}
virtual_alias_domains = BogoLinux.net
virtual_alias_maps = sqlite:$meta_directory/aliases.cf, sqlite:$meta_directory/wildcards.cf, , ldap:$meta_directory/ldest.cf, sqlite:$meta_directory/userforwards.cf, inline:{{@BogoLinux.net=@bogolinux.net}},
virtual_mailbox_domains = bogolinux.net
[root@NS8 ~]#

Cheers.

davidep · March 24, 2024, 11:19pm

it’s a good to find bugs

I confirm it is the mixed case that confuses the configuration logic.

To workaround the issue you can override the config line by removing that inline table.

You find override instructions here ns8-mail/README.md at main · NethServer/ns8-mail · GitHub

EddieA · March 25, 2024, 4:47pm

# print the config values that differ from Postfix defaults
# WARNING! changing one of them may be dangerous!
podman exec -ti dovecot doveconf -n
Error: no container with name or ID "dovecot" found: no such container

Hmmmm, I think the manual really should have said:

# print the config values that differ from Postfix defaults
# WARNING! changing one of them may be dangerous!
podman exec -ti postfix postconf -n
Error: no container with name or ID "postfix" found: no such container

# start the editor
podman exec -ti postfix vi /etc/postfix/main.cf.d/myoverride.cf
Error: no container with name or ID "postfix" found: no such container

Cheers.

davidep · March 25, 2024, 4:52pm

Those command must be executed under the module environment. For instance, get a shell for them with:

runagent -m mail1

dnutan · March 25, 2024, 4:52pm

I think you need to enter into the user instance with runagent or prepend it to the comands:

runagent -m mail1

EddieA · March 25, 2024, 5:27pm

I’m still a complete novice as far as containers and pods go.

Cheers.

EddieA · March 25, 2024, 11:35pm

'Fraid that didn’t work:

Mar 25, 2024, 16:30:35 Session 0: connection from 216.55.147.163 accepted on 192.168.0.252:25
Mar 25, 2024, 16:30:35 Session 0: 220 ns8.bogolinux.net ESMTP Postfix
Mar 25, 2024, 16:30:35 Session 0: EHLO mail163c45.carrierzone.com
Mar 25, 2024, 16:30:35 Session 0: 250-ns8.bogolinux.net
Mar 25, 2024, 16:30:35 Session 0: 250-PIPELINING
Mar 25, 2024, 16:30:35 Session 0: 250-SIZE 100000000
Mar 25, 2024, 16:30:35 Session 0: 250-VRFY
Mar 25, 2024, 16:30:35 Session 0: 250-ETRN
Mar 25, 2024, 16:30:35 Session 0: 250-ENHANCEDSTATUSCODES
Mar 25, 2024, 16:30:35 Session 0: 250-8BITMIME
Mar 25, 2024, 16:30:35 Session 0: 250-DSN
Mar 25, 2024, 16:30:35 Session 0: 250 SMTPUTF8
Mar 25, 2024, 16:30:35 Session 0: MAIL From:<Eddie_Atherton@attglobal.net> SIZE=2140 BODY=7BIT
Mar 25, 2024, 16:30:35 Session 0: 250 2.1.0 Ok
Mar 25, 2024, 16:30:35 Session 0: RCPT To:<eddie@BogoLinux.net>
Mar 25, 2024, 16:30:38 Session 0: 550 5.1.1 <eddie@BogoLinux.net>: Recipient address rejected: undeliverable address: lookup failed
Mar 25, 2024, 16:30:38 Session 0: RSET
Mar 25, 2024, 16:30:38 Session 0: 250 2.0.0 Ok
Mar 25, 2024, 16:30:39 Session 0: QUIT
Mar 25, 2024, 16:30:39 Session 0: 221 2.0.0 Bye
Mar 25, 2024, 16:30:39 Session 0: connection from 216.55.147.163 closed

Here’s the updated Postfix configuration:

[root@NS8 ~]# runagent -m mail1 podman exec -i postfix postconf -n
postconf: warning: /etc/postfix/main.cf, line 126: overriding earlier entry: smtpd_relay_restrictions=permit_mynetworks,  permit_sasl_authenticated,  reject_unauth_destination,  check_recipient_access inline:{{ bogolinux.net = REJECT access denied }},  check_recipient_access sqlite:$meta_directory/internal_access.cf,
address_verify_cache_cleanup_interval = 4h
address_verify_map =
address_verify_negative_cache = yes
address_verify_negative_expire_time = 2h
address_verify_negative_refresh_time = 15m
address_verify_positive_expire_time = 24h
address_verify_positive_refresh_time = 8h
alias_database =
alias_maps =
command_directory = /usr/sbin
compatibility_level = 3.6
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_delivery =
debug_peer_level = 2
debug_peer_list = ${debug_delivery?{$mynetworks}:{}}
debug_rewrite =
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd / & sleep 5
html_directory = no
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 120h
message_size_limit = 100000000
meta_directory = /etc/postfix
mydestination =
myhostname = ns8.bogolinux.net
mynetworks = 127.0.0.1/32 10.5.4.0/24 sqlite:$meta_directory/mynetworks.cf
myorigin = bogolinux.net
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/readme
recipient_delimiter = +
relay_domains =
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = reject_non_fqdn_recipient, check_recipient_access inline:{ BogoLinux.net=reject_unverified_recipient bogolinux.net=reject_unverified_recipient },
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access sqlite:$meta_directory/internal_access.cf,
smtpd_sasl_local_domain = $myorigin
smtpd_sasl_path = /var/lib/umail/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender,
smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /etc/ssl/postfix/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/ssl/postfix/dh.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
transport_maps = inline:{ bogolinux.net=lmtp:unix:/var/lib/umail/lmtp }
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = ${debug_rewrite?{}:{lookup failed}}
virtual_alias_domains = BogoLinux.net
virtual_alias_maps = sqlite:$meta_directory/aliases.cf, sqlite:$meta_directory/wildcards.cf, , ldap:$meta_directory/ldest.cf, sqlite:$meta_directory/userforwards.cf, inline:{{@BogoLinux.net=@bogolinux.net}},
virtual_mailbox_domains = bogolinux.net
[root@NS8 ~]#

Cheers.

davidep · March 26, 2024, 5:57pm

This is a reproducible bug Bad Mail config with mixed case domain name · Issue #6906 · NethServer/dev · GitHub

Remove any previously added custom configuration file.

Then you can try the following workaround. It enables case-insensitive searches in the domains SQLite table, used by the configuration logic.

runagent -m mail1 podman exec -w /srv -i postfix sqlite3 pcdb.sqlite <<'EOF'
PRAGMA foreign_keys=off;                                                                                                                                                                                                                                                                                             
BEGIN TRANSACTION;              
CREATE TABLE temp_domains AS SELECT * FROM domains;                                    
DROP TABLE domains;
CREATE TABLE domains (
    domain TEXT PRIMARY KEY COLLATE NOCASE,
    -- domain name
    transport TEXT DEFAULT NULL,
    -- after applying rewrite rules (like catchall value and destmap
    -- records), messages for the domain are passed to the given
    -- transport; SMTP protocol implies a "relay" domain, LMTP implies a
    -- "mailbox" domain. A NULL transport implies an "alias" domain:
    -- rewrite rules must resolve to an address that is either in a
    -- mailbox domain or a domain reachable with the default DNS-based
    -- transport rules.
    addusers INT DEFAULT 0,
    -- if set to 1, the domain accepts additional user addresses like
    -- user@domain. The address is rewritten to user@$myorigin. See
    -- POSTFIX_ORIGIN in the README. This setting is incompatible with the
    -- "catchall" one and has higher priority over it.
    addgroups INT DEFAULT 0,
    -- if set to 1, the domain accepts additional group addresses like
    -- group@domain. The group members list is retrieved from LDAP and
    -- the address is rewritten to user1, user2, user3, etc. See
    -- POSTFIX_ORIGIN in the README.
    catchall TEXT DEFAULT NULL,
    -- fallback rewrite rule for addresses that do not match any record in
    -- the "destmap" table. It can be a virtual mailbox name. This setting
    -- has lower priority over the "addusers" one.
    bccaddr TEXT DEFAULT NULL,
    -- email address where any message directed to the domain is
    -- sent in BCC.
    ddesc TEXT DEFAULT ""
    -- free text description of the domain
);
INSERT INTO domains SELECT * FROM temp_domains;
DROP TABLE temp_domains;
COMMIT;
PRAGMA foreign_keys=on;
EOF

Finally

runagent -m mail1 systemctl --user reload postfix

EddieA · March 26, 2024, 10:03pm

Can confirm the above solution. Many thanks @davidep

Cheers.