I inherited a postfix server running on RedHat. It is an undocumented build, but critical for business operations (don't we all love those?).

It has developed problems with delayed and backlogged mail delivery. The issues were first reported a few weeks ago, but may go back an indeterminate time.

My *nix experience is rusty, but I was able to poke around the system enough to determine that when the server experiences a backlog, it reports connection timeouts to the upstream SMTP relays at my organization.

Example error:

3D27412A016     4187 Tue Apr 19 17:04:26  [email protected]
(delivery temporarily suspended: connect to UpstreamRelayA4.doi.net[10.xx.xx.206]:25: Connection timed out)
                                         [email protected]

However, the upstream relay owners report that they have no corresponding errors in their logs from this SMTP server. For my organization there is a single MX record with 4 relay servers included. All 4 can be reached from my SMTP server via telnet on port 25, yet 3 of the 4 time out in the postfix logs.

Any tips on how to track down why postfix thinks they are timing out?

Added 4/20/22 - postconf -n output

[[email protected] ~]$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = 1d
message_size_limit = 30720000
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mailer.domain.org.com
mynetworks = 127.0.0.0/8,165.83.0.0/16,10.0.0.0/8,64.241.25.0/24,172.16.0.0/12
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relayhost = relayLOCATION.parentorg.com
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,permit
smtpd_policy_service_max_idle = 5s
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,permit
smtpd_tls_CAfile = /etc/postfix/ssl/mailer_DOMAIN_ORG_COM.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/mailer_DOMAIN_ORG_COM.crt
smtpd_tls_key_file = /etc/postfix/ssl/mailer_DOMAIN_ORG_COM.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
[[email protected] ~]$

Added 4/20/22 - postconf -M output

[[email protected] ~]$ postconf -M
smtp    inet n    -    n    -    -    smtpd
pickup   fifo n    -    n    60   1    pickup
cleanup  unix n    -    n    -    0    cleanup
qmgr    fifo n    -    n    300   1    qmgr
tlsmgr   unix -    -    n    1000?  1    tlsmgr
rewrite  unix -    -    n    -    -    trivial-rewrite
bounce   unix -    -    n    -    0    bounce
defer   unix -    -    n    -    0    bounce
trace   unix -    -    n    -    0    bounce
verify   unix -    -    n    -    1    verify
flush   unix n    -    n    1000?  0    flush
proxymap  unix -    -    n    -    -    proxymap
smtp    unix -    -    n    -    -    smtp
relay   unix -    -    n    -    -    smtp -o fallback_relay=
showq   unix n    -    n    -    -    showq
error   unix -    -    n    -    -    error
discard  unix -    -    n    -    -    discard
local   unix -    n    n    -    -    local
virtual  unix -    n    n    -    -    virtual
lmtp    unix -    -    n    -    -    lmtp
anvil   unix -    -    n    -    1    anvil
scache   unix -    -    n    -    1    scache
maildrop  unix -    n    n    -    -    pipe flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix -    n    n    -    -    pipe flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
cyrus   unix -    n    n    -    -    pipe user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
uucp    unix -    n    n    -    -    pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail   unix -    n    n    -    -    pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp   unix -    n    n    -    -    pipe flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
retry   unix -    -    n    -    -    error
proxywrite unix -    -    n    -    1    proxymap
[[email protected] ~]$

Added 4/20/22 - Devices between mail relays

We have no visibility into the network or security devices between the relays. Traceroute shows only 3 hops, all of which are most likely standard routers based on their IP addresses in our network layout.

Added 4/20/22 - Postfix version

Postfix appears to be version 2.10.1, which would place the install around 2013 according to the Postfix Releases page.

Added 4/22/22 - openssl connection test

[[email protected] ~]$ openssl s_client -connect UPSTREAM_RELAY.ORG.net:25 -starttls smtp -crlf
CONNECTED(00000003)
depth=1 DC = net, DC = ORG, CN = CA_Server
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=STATE/L=CITY/O=PARENT_ORG/OU=PARENT_ORG/CN=UPSTREAM_RELAY.ORG.net
  i:/DC=net/DC=ORG/CN=CA_Server
 1 s:/DC=net/DC=ORG/CN=CA_Server
  i:/CN=ORGRootCA2
---
Server certificate
-----BEGIN CERTIFICATE-----

[Cert contents removed]

-----END CERTIFICATE-----
subject=/C=US/ST=STATEA/L=CITY/O=PARENT_ORG/OU=PARENT_ORG/CN=UPSTREAM_RELAY.ORG.net
issuer=/DC=net/DC=ORG/CN=CA_Server
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 5841 bytes and written 538 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
  Protocol : TLSv1.2
  Cipher  : ECDHE-RSA-AES256-SHA384
  Session-ID: [REMOVED]
  Session-ID-ctx:
  Master-Key: [REMOVED]
  Key-Arg  : None
  Krb5 Principal: None
  PSK identity: None
  PSK identity hint: None
  Start Time: 1650649689
  Timeout  : 300 (sec)
  Verify return code: 20 (unable to get local issuer certificate)
---
250 XSHADOWREQUEST
 (Functional console after this)

Added 4/22/22 - Maillog grep for the non-working server

[[email protected] ~]$ sudo mailq | grep UPSTREAM_RELAY_103.ORG.net
(delivery temporarily suspended: conversation with UPSTREAM_RELAY_103.ORG.net[10.x.x.125] timed out while sending end of data -- message may be sent more than once)
(conversation with UPSTREAM_RELAY_103.ORG.net[10.x.x.125] timed out while sending end of data -- message may be sent more than once)

[Duplicates removed; all entries for that server are exactly the same two messages]

Final edit 27/4/2022

During troubleshooting last week we discovered that /etc/resolv.conf had a nameserver that no longer exists. After removing it and restarting postfix, we no longer seem to get timeouts in the logs, and mail flows quickly.

As mentioned by @anx in the comments, this doesn't make much sense with respect to the connection timeouts, but once it was corrected and postfix restarted, our outbound sends increased dramatically in speed, and we have had no delay issues since, despite adding more than 20,000 extra outbound test emails per day (roughly a 30% increase over normal mail volume).

Answer

As best we could determine, this problem was caused by an invalid DNS entry in /etc/resolv.conf. Once the bad entry was removed, we stopped having problems in the logs, and mail returned to flowing properly with minimal outbound delay.
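Two checks that would have shortened this investigation, written here as an added example and not taken from the original post or its author: a bounded probe of every nameserver listed in /etc/resolv.conf (the Postfix smtp client uses the same resolver, so a dead entry there makes every lookup wait out a resolver timeout before the next server is tried), and a per-relay summary of the deferral reasons in `mailq` output, which turns a wall of repeated entries into a count per relay and reason. The script assumes `dig` (bind-utils) is installed for the live probe; the `RELAYHOST` variable, the `--probe` flag and the sample queue listing are constructed for this example (only the first queue id and the two relay names come from the thread).

```shell
#!/bin/sh
# Added example (not from the original post): quick resolver and queue checks
# for the symptoms described in this thread. Assumes `dig` (bind-utils) for the
# live probe; the mailq sample below is constructed, not real output.
set -u

# Print the nameserver addresses from a resolv.conf-style file, in order.
# Postfix's smtp client uses the same resolver, so a dead entry here costs
# every lookup a resolver timeout before the next server is consulted.
parse_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Ask one nameserver a single question with a 2-second limit. Any reply
# (even NXDOMAIN) means the server is alive; only silence counts as dead.
# Prints "ok <ns>" or "DEAD <ns>"; returns 1 when dead.
probe_nameserver() {
    ns="$1"
    name="${2:-localhost}"
    if dig +time=2 +tries=1 +short "@$ns" "$name" A >/dev/null 2>&1; then
        echo "ok   $ns"
        return 0
    fi
    echo "DEAD $ns"
    return 1
}

# Probe every nameserver in the given file; returns 1 if any is dead.
check_resolvers() {
    rc=0
    for ns in $(parse_nameservers "${1:-/etc/resolv.conf}"); do
        probe_nameserver "$ns" "${2:-localhost}" || rc=1
    done
    return $rc
}

# Summarise `mailq` / `postqueue -p` output read on stdin: count each
# (relay, deferral reason) pair and print them most frequent first, so the
# relays that are actually stalling stand out instead of repeating per message.
summarize_mailq() {
    awk '
        /^[ \t]*\(.*\)[ \t]*$/ {
            line = $0
            sub(/^[ \t]*\(/, "", line)
            sub(/\)[ \t]*$/, "", line)
            sub(/^delivery temporarily suspended: /, "", line)
            op = index(line, "["); cl = index(line, "]")
            if (op == 0 || cl == 0) next
            relay = substr(line, 1, op - 1)
            sub(/^(connect to|conversation with) /, "", relay)
            reason = substr(line, cl + 1)
            sub(/^:[0-9]+: /, "", reason)   # drop the ":25: " that follows the address
            sub(/^ +/, "", reason)
            count[relay " | " reason]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample in mailq format (queue ids after the first and all
# addresses are made up; the relay names are the ones from the thread).
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3D27412A016     4187 Tue Apr 19 17:04:26  sender@example.test
(delivery temporarily suspended: connect to UpstreamRelayA4.doi.net[10.xx.xx.206]:25: Connection timed out)
                                         rcpt1@example.test

9A1B2C3D4E5     2210 Tue Apr 19 17:10:02  sender@example.test
(delivery temporarily suspended: conversation with UPSTREAM_RELAY_103.ORG.net[10.x.x.125] timed out while sending end of data -- message may be sent more than once)
                                         rcpt2@example.test

0F9E8D7C6B5     1502 Tue Apr 19 17:12:45  sender@example.test
(conversation with UPSTREAM_RELAY_103.ORG.net[10.x.x.125] timed out while sending end of data -- message may be sent more than once)
                                         rcpt3@example.test

1122334455A     3300 Tue Apr 19 17:15:11  sender@example.test
(conversation with UPSTREAM_RELAY_103.ORG.net[10.x.x.125] timed out while sending end of data -- message may be sent more than once)
                                         rcpt4@example.test
'

# Offline demo on the sample; pass --probe to test the live resolvers with dig.
# RELAYHOST is a hypothetical variable: any name the servers can answer for.
printf '%s\n' "$SAMPLE_MAILQ" | summarize_mailq
if [ "${1:-}" = "--probe" ] && command -v dig >/dev/null 2>&1; then
    check_resolvers /etc/resolv.conf "${RELAYHOST:-localhost}"
fi
```

On a live system, `sudo mailq | summarize_mailq` gives the per-relay picture, and `./check.sh --probe` reports each resolver as `ok` or `DEAD` within a couple of seconds per entry; a `DEAD` line at the top of the list is the case this thread ended on, since the resolver only moves to the next server after the first one has timed out.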