[Solved] email woes - postfix

Issues related to applications and software problems
Post Reply
lightman47
Posts: 1061
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

[Solved] email woes - postfix

Post by lightman47 » 2020/02/10 20:40:19

Last week my hosting provider did a major email server reorganization that was 'seamless' to us humans, but clobbered my fail2ban email notifications for several (5-7) machines. After some digging (with minimal email expertise) I found the emails were now being rejected by spamhaus - which talked about relaying - I needed smtp authentication now. (Not really a surprise - for over a year I was wondering HOW fail2ban was able to email me without the password!). My entire network is in house hardware - it just postfix emails to our provider hosted email account.

Realizing these were Debian oriented but following generic instructions at https://www.linode.com/docs/email/postf ... p-debian7/ , and beginning at "Configuring SMTP Usernames and Passwords" I edited mail.cnf, created the sasl file for that particular email account, ran portmap against it ... all through "Configuring the Relay Server". After the postfix restart ==> viola, I started again receiving my fail2ban emails from my machines.

I was a happy guy for a few hours until a personal email bounced back upon a send attempt - stating I had exceeded (some count that generally indicates spamming from your host sever); I've been here before. I checked what logs I could find and it seems my fail2ban machines are now all sending their system mails not to "root", but to "root@myhosteddomain.com" - which of course fail. Given all the cron jobs and activity on the numerous servers at different times of the day, I'm easily hitting the email fail limit on my provider's email sever.

Question: How do I get my system to NOT send system "root" emails out to our PERSONAL hosting provider? I guess I thought what I did was going to change only the fail2ban notifications (based on the email address it uses). I know virtually nothing about managing postfix.

Thank you.
Last edited by lightman47 on 2020/02/13 16:06:10, edited 1 time in total.
Remember - importing/building packages will likely "byte you in the butt" come update time, long after you'd forgotten you did that! Use repos whenever possible.

User avatar
KernelOops
Posts: 229
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: email woes - postfix

Post by KernelOops » 2020/02/10 20:58:31

I think your changes told postfix to always route emails to your @myhosteddomain.com. Thus a simple internal email to root, is forwarded to root@myhosteddomain.com.

A quick fix, is to edit /etc/aliases, and at the bottom, set to redirect emails to your real email address, like:

Code: Select all

# Person who should get root's mail
#root:		marc
root:                 lightman47@myhosteddomain.com
--
I love my computer - all my friends live there.
--

lightman47
Posts: 1061
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: email woes - postfix

Post by lightman47 » 2020/02/12 11:55:13

Thanks - and part II

That worked beautifully. Now my mailbox is filling up nicely (groan). It occurred to me this morning that all these notices are in the logs already on each machine. Can I just change that real address to maybe 'null@machine' or otherwise bypass the emailing of them? I almost never read root mail; I'm usually reading logs when I need info.

Thank you.
Remember - importing/building packages will likely "byte you in the butt" come update time, long after you'd forgotten you did that! Use repos whenever possible.

User avatar
KernelOops
Posts: 229
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: email woes - postfix

Post by KernelOops » 2020/02/12 14:58:04

I don't know how to disable root emails, I think that would be dangerous and you'd miss on something important.

Maybe its not what you want to hear, but maybe you should take a look at all those emails and see what they are all about, then disable/solve the root cause that generates those emails.

For example, a famous idiotic email is the errors generated by yum-cron-hourly. A well known issue that some idiot refuses to fix properly. Essentially, repos die (temporarily) quite often and yum-cron generates errors every time there is such an issue (so... hourly). Once you disable /etc/cron.hourly/0yum-hourly.cron, all those stupid emails are gone.
--
I love my computer - all my friends live there.
--

lightman47
Posts: 1061
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: email woes - postfix

Post by lightman47 » 2020/02/12 18:43:40

Heh - that remedy also occurred to me. While they're all /etc/crontab job emails, I am not sure I want to stop what they are doing. Interestingly, I just perused man cron and found:
-s This option will direct Cron to send the job output to the sys‐
tem log using syslog(3). This is useful if your system does not
have sendmail(8), installed or if mail is disabled.
I expect I have more leisurely poking around to do ... the entries already show up in the system logs; it's the emailing component I wish to disable.
Remember - importing/building packages will likely "byte you in the butt" come update time, long after you'd forgotten you did that! Use repos whenever possible.

User avatar
KernelOops
Posts: 229
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: email woes - postfix

Post by KernelOops » 2020/02/13 05:53:05

I've had a server that needed to forward mail, so this was a good opportunity to follow the same guide. I disagree with some of their options, here are my choices for main.cf:

Code: Select all

# enable SASL authentication
smtp_sasl_auth_enable = yes

# don't allow anonymous or plain text auth, except in TLS connections
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous

# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# enable STARTTLS encryption
smtp_use_tls = yes

# certificate and key
smtp_tls_cert_file = /etc/pki/tls/certs/localhost.crt
smtp_tls_key_file = /etc/pki/tls/private/localhost.key

# improved TLS
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = medium
smtp_tls_mandatory_ciphers = medium

# address re-writting
smtp_generic_maps = hash:/etc/postfix/generic
the most important change, is to enforce restrictions in smtp_sasl_security_options, but be less strict when under TLS encryption via the smtp_sasl_tls_security_options parameter.

I also used smtp_generic_maps to re-write addresses, so local addresses (domain.local) appear like real addresses (domain.com).

finally, I disabled SSL and enforce medium ciphers, which is the most compatible setting that works 100% reliably. If you know your remote smtp can handle better, then my suggestion is to disable TLSv1 and TLSv1.1, thus only allow TLSv1.2.
--
I love my computer - all my friends live there.
--

lightman47
Posts: 1061
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: [Solved] email woes - postfix

Post by lightman47 » 2020/02/13 16:07:47

Solved in a round-about way. I set Thunderbird to trash all the Cron messages as they arrive - the Trash folder has a 60 retention period.

:)
Remember - importing/building packages will likely "byte you in the butt" come update time, long after you'd forgotten you did that! Use repos whenever possible.

Post Reply

Return to “CentOS 7 - Software Support”