From: "Ioannis Tsouvalas" on 28 May 2010 09:46

>
>Ioannis Tsouvalas:
>> 451 Requested action aborted: local error in processing
>
>This is not a Postfix error message. It is an error in a non-Postfix MTA.
>Please do not shoot the messenger.
>
>> 451 Temporary local problem - please try later
>
>This is not a Postfix error message. It is an error in a non-Postfix MTA.
>Please do not shoot the messenger.
>
>> 421 4.4.1 Connection timed out (in reply to end of DATA command)
>
>This is not a Postfix error message. It is an error in a non-Postfix MTA.
>Please do not shoot the messenger.
>
>> said: 421 4.4.2 mxfront39.mail.yandex.net Error: timeout exceeded (in reply
>> to end of DATA command)
>
>This is an error message from a remote system.
>Please do not shoot the messenger.
>
>> (lost connection with mx1.mail.eu.yahoo.com[77.238.177.9] while sending end
>> of data -- message may be sent more than once)
>
>Here, Postfix lost the connection with Yahoo. This is "not unusual".
>
>All these errors happen outside Postfix. You're better off spending the
>energy on other things.
>
> Wietse

Wietse, by all means, no reason to shoot the messenger, not my intentions.

Ok let's take it from scratch, your suggestion is to look on other directions, where would that be when my only issues so far have been on postfix's communication.

The reason I'm posting on postfix-users is as simple as that, the only way someone might have faced these errors, would have been through implementing (probably not that well) postfix. I guess it makes more sense to turn to you than to shorewall or ubuntu in general right?

You name it, and I'll go running for it, though for a reason (maybe a wrong one) I feel like you would have much more insight on the issue than anyone else (you as in postfix user, admin, guru, lover, hard coder etc)

--
Ioannis

__________ Information from ESET Smart Security, version of virus signature database 5152 (20100528) __________

The message was checked by ESET Smart Security.

http://www.eset.com
From: "Ioannis Tsouvalas" on 28 May 2010 11:12

>Ioannis Tsouvalas:
>> >
>> >Ioannis Tsouvalas:
>> >> 451 Requested action aborted: local error in processing
>> >> 451 Temporary local problem - please try later
>
>These you can do nothing about, except perhaps retry when the remote
>system is under less stress.
>
>> >> 421 4.4.1 Connection timed out (in reply to end of DATA command)
>> >> 421 4.4.2 mxfront39.mail.yandex.net Error: timeout exceeded (in
>> >> reply to end of DATA command)
>
>These could be a network-level problem such as broken IP path MTU
>discovery, or TCP options that are mis-implemented by an end system
>or by an intermediate system (such as a cheap firewall).
>
>There is some 12 years of discussion archived on-line that covers
>IP path MTU problems, and some 5 years for mis-implemented TCP
>options (Sack, Wscale, ...). I see that you have already turned
>off some of those.
>
>This can be debugged by capturing network packets and making sense
>of the flags, windows, ACK offsets, and retransmissions. I have
>done that in earlier years but can no longer afford the time.
>
> Wietse

Dear Wietse thank you for your reply, it's definitely eye opening as well as frightening to say the least. I took things a step further, with setting things up the way I described on my first post, and it seems to me that I got myself into a situation I shouldn't have.

I will keep looking on different ways to go around those issues, forward is the only option.

Still if someone is willing to go down that debugging path with me, or has any other suggestions, I'm all ears, now more than ever.

With respect,
Ioannis
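Added example (not part of the original thread, and not Postfix code): a small log triage script that applies the distinction drawn in the reply quoted above, separating remote 4xx temporary failures from transfers that stall at the end of DATA, and listing which relays show each. The log lines are constructed around the status texts quoted in this thread; the example.org host, the 192.0.2.x addresses, the queue IDs and the class names are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample in the usual shape of Postfix smtp(8) delivery log lines.
SAMPLE_LOG = """\
May 28 09:01:02 mail postfix/smtp[101]: A1: to=<a@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=3, status=deferred (host mx.example.org[192.0.2.10] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
May 28 09:05:40 mail postfix/smtp[102]: B2: to=<b@yandex.example>, relay=mxfront39.mail.yandex.net[192.0.2.39]:25, delay=310, status=deferred (host mxfront39.mail.yandex.net[192.0.2.39] said: 421 4.4.2 mxfront39.mail.yandex.net Error: timeout exceeded (in reply to end of DATA command))
May 28 09:09:11 mail postfix/smtp[103]: C3: to=<c@yahoo.example>, relay=mx1.mail.eu.yahoo.com[77.238.177.9]:25, delay=620, status=deferred (lost connection with mx1.mail.eu.yahoo.com[77.238.177.9] while sending end of data -- message may be sent more than once)
May 28 09:10:00 mail postfix/smtp[104]: D4: to=<d@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1, status=sent (250 2.0.0 Ok: queued as 12345)
"""

# relay host name (up to '[') and the parenthesised deferral reason
LINE = re.compile(r"relay=(?P<relay>[^\[,]+).*?status=deferred \((?P<reason>.*)\)$")
# Message body was being transferred when the session stalled or dropped
DATA_STALL = re.compile(r"in reply to end of DATA command|while sending end of data", re.I)
# The remote MTA answered with a temporary (4xx) reply
REMOTE_4XX = re.compile(r"said: 4\d\d\b")


def classify(reason):
    """Map a deferral reason to a coarse class (names are this example's own)."""
    if DATA_STALL.search(reason):
        return "data-phase-stall"   # candidate for packet capture on the path
    if REMOTE_4XX.search(reason):
        return "remote-tempfail"    # remote system's own temporary error
    return "other"


def summarize(log_text):
    """Return {class: sorted list of relays} for deferred deliveries."""
    by_class = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            by_class[classify(m.group("reason"))].add(m.group("relay"))
    return {cls: sorted(relays) for cls, relays in by_class.items()}


if __name__ == "__main__":
    for cls, relays in summarize(SAMPLE_LOG).items():
        print(cls, relays)
```

Data-phase stalls spread across unrelated relays are the ones worth a packet capture on the local path; that reading is a heuristic of this example, not a statement from the thread.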
From: "Ioannis Tsouvalas" on 28 May 2010 12:59

Postconf -n output:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps =
mailbox_size_limit = 0
masquerade_domains = mail.mydomain.gr www.mydomain.gr
masquerade_exceptions = root
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
mydestination =
mydomain = mydomain.gr
mynetworks = 192.168.1.1 192.168.100.20 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = 192.168.100.20 host
myorigin = aplawyers.gr
readme_directory = no
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql_relay.cf
relayhost =
smtp_data_xfer_timeout = 600s
smtp_helo_timeout = 60s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 16
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /etc/postfix/postfix.cert
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = mysql:/etc/postfix/mysql_transport.cf
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf

standing by,
Ioannis

Does any part of the postconf -n appear to have any issues?

-
Ioannis
From: "Ioannis Tsouvalas" on 30 May 2010 10:47

>From: Stan Hoeppner (stanhardwarefreak.com)
>Date: Fri May 28 2010 - 18:09:48 CDT
>
>IIRC from his initial post, Ioannis has 3 virtual machines atop ESXi: one a
>dedicated Ubuntu Shorewall instance, one running Ubuntu Shorewall (again) and
>Postfix, one running Microsoft SBS plus Exchange.
>
>A basic network diagram would be helpful at this point, although out of the
>scope of Postfix.
>
>At first glance this network setup seems an unnecessary mess of "geek toys",
>wrought with unneeded complexity for the sake of "neato!" complexity. Tandem
>packet firewalls across VMware guests?
>
>Ioannis, disable all the firewalls but for basic SPI NAT/PAT (if you're using
>NAT) on the dedicated Shorewall guest. Route TCP 25 inbound via a PAT rule to
>the Postfix guest. See if that eliminates the timeout and related TCP errors.
>
>--
>Stan

Stan thanks for the reply, and please excuse me for the time interval in between your post and my reply.

"Geek" and "neato!" wasn't exactly what I was aiming for, but still I appreciate that you identified the "geeky" complexity of the idea that I had in my head on this implementation. I have to admit that except the insight to get this thing going, you also did get me searching through the dictionary!

Nevertheless, based on the fact that I highly appreciate anyone's time and thinking, I thought I should write back first and then give it a try, so let me get back to you later on, today I hope!

As far as the network diagram, it's hidden between the lines of my first post (net,fw,dmz,loc - shorewall three interface firewall) but I will be more thorough and descriptive if what I have at hand doesn't get me going.

Grateful,

--
Ioannis
From: "Ioannis Tsouvalas" on 30 May 2010 15:46

I have disabled shorewall on Postfix machine using #shorewall clear, but I'm still working on clearing shorewall on the dedicated machine, but I haven't managed to make it happen since all the NAT has been implemented on the shorewall configuration. I'm still trying to figure out a safe way to move from shorewall to iptables.

So here is the diagram in case that anything else comes to mind.

NETWORK DIAGRAM

                          INTERNET
                              |
                              |
                              |
                         ADSL ROUTER +ZONE NET+
                              |
  ESXI VER. 4 UPDATE 1        |(PHYSICAL 1ST ADAPTER)
                              |
+=============================|=============================+
|                             |                             |
|                             |VMXNET3(VIRT ADPT)           |
|     (SMTP/ACCEPT)           |                             |
|  +----------------------SHOREWALL +ZONE FIREWALL+         |
|  |                     (UBUNTU X64)                       |
|  |                          |                             |
|  |VMXNET3(VIRT ADPT)        |VMXNET3(VIRT ADPT)           |
|  |                          |                             |
|  |POSTFIX +ZONE DMZ+        +---------------+             |
|  |(UBUNTU X64)                (SMTP/        |             |
|                                ACCEPT)      |             |
|                                             |             |
|                                             |VMXNET3      |
|                                             |(VIRT ADPT)  |
|                                             |             |
|                  EXCHANGE 2007 +ZONE LOCAL+ |             |
|                  WINDOWS SBS 2008           |             |
+=============================================|=============+
                                              |(PHYSICAL 2ND
                                              | ADAPTER)
                                              |
                                        LOCAL SWITCH +ZONE LOCAL+

Ioannis