[Valvula] Valvula does not filter any emails
Oscar Manuel Seoane Cereijo
oscar.seoane at osux64.com
Wed Feb 6 20:10:48 CET 2019
Thank you Francis
This is the ultimate test. I sent 100 emails. I paste here the beginning of the logs (/var/log/maillog).
All emails (100) arrived at the Gmail account.
Feb 6 13:10:01 mfgalera1 valvulad[5291]: info: mod-quota: updating accounting info
Feb 6 13:10:01 mfgalera1 valvulad[5291]: info: Checking now is 13:10 (start 09:00 - end 21:00)
Feb 6 13:10:01 mfgalera1 valvulad[5291]: info: Selecting sending mquota period with label [day quota] limits g: 300, h: 100, m: 15
Feb 6 13:11:01 mfgalera1 valvulad[5291]: info: mod-quota: updating accounting info
Feb 6 13:11:01 mfgalera1 valvulad[5291]: info: Checking now is 13:11 (start 09:00 - end 21:00)
Feb 6 13:11:01 mfgalera1 valvulad[5291]: info: Selecting sending mquota period with label [day quota] limits g: 300, h: 100, m: 15
Feb 6 13:11:51 mfgalera1 postfix/smtpd[16832]: connect from unknown[172.17.35.5]
Feb 6 13:11:51 mfgalera1 valvulad[5291]: info: DUNNO: roberto.gomez en hex2016.lab.triara.com -> esit.triara en gmail.com (sasl_user=), port 3080, rcpt count=0, queue-id , from 172.17.35.5, no-tls
Feb 6 13:11:51 mfgalera1 postfix/smtpd[16832]: E322E605960C: client=unknown[172.17.35.5]
Feb 6 13:11:51 mfgalera1 postfix/cleanup[16837]: E322E605960C: message-id=<>
Feb 6 13:11:51 mfgalera1 postfix/qmgr[4919]: E322E605960C: from=<roberto.gomez en hex2016.lab.triara.com>, size=476, nrcpt=1 (queue active)
Feb 6 13:11:53 mfgalera1 valvulad[5291]: info: DUNNO: roberto.gomez en hex2016.lab.triara.com -> esit.triara en gmail.com (sasl_user=), port 3080, rcpt count=0, queue-id , from 172.17.35.5, no-tls
Feb 6 13:11:53 mfgalera1 postfix/smtpd[16832]: 01B86605960D: client=unknown[172.17.35.5]
Feb 6 13:11:53 mfgalera1 postfix/cleanup[16837]: 01B86605960D: message-id=<>
Feb 6 13:11:53 mfgalera1 postfix/qmgr[4919]: 01B86605960D: from=<roberto.gomez en hex2016.lab.triara.com>, size=476, nrcpt=1 (queue active)
Feb 6 13:11:53 mfgalera1 postfix/smtp[16838]: E322E605960C: to=<esit.triara en gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.177.26]:25, delay=1.3, delays=0.06/0.01/0.92/0.31, dsn=2.0.0, status=sent (250 2.0.0 OK 1549479631 8si4301733ybq.59 - gsmtp)
Feb 6 13:11:53 mfgalera1 postfix/qmgr[4919]: E322E605960C: removed
Feb 6 13:11:54 mfgalera1 valvulad[5291]: info: DUNNO: roberto.gomez en hex2016.lab.triara.com -> esit.triara en gmail.com (sasl_user=), port 3080, rcpt count=0, queue-id , from 172.17.35.5, no-tls
Feb 6 13:11:54 mfgalera1 postfix/smtpd[16832]: 083CC605960B: client=unknown[172.17.35.5]
Feb 6 13:11:54 mfgalera1 postfix/cleanup[16837]: 083CC605960B: message-id=<>
Feb 6 13:11:54 mfgalera1 postfix/qmgr[4919]: 083CC605960B: from=<roberto.gomez en hex2016.lab.triara.com>, size=476, nrcpt=1 (queue active)
Feb 6 13:11:54 mfgalera1 postfix/smtp[16839]: 01B86605960D: to=<esit.triara en gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.177.26]:25, delay=2.3, delays=1/0.01/0.86/0.43, dsn=2.0.0, status=sent (250 2.0.0 OK 1549479632 v199si4238420ybv.44 - gsmtp)
Feb 6 13:11:54 mfgalera1 postfix/qmgr[4919]: 01B86605960D: removed
Feb 6 13:11:54 mfgalera1 postfix/smtp[16838]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4002:c08::1b]:25: Network is unreachable
Feb 6 13:11:55 mfgalera1 valvulad[5291]: info: DUNNO: roberto.gomez en hex2016.lab.triara.com -> esit.triara en gmail.com (sasl_user=), port 3080, rcpt count=0, queue-id , from 172.17.35.5, no-tls
Feb 6 13:11:55 mfgalera1 postfix/smtpd[16832]: 0E85E605960D: client=unknown[172.17.35.5]
Feb 6 13:11:55 mfgalera1 postfix/cleanup[16837]: 0E85E605960D: message-id=<>
Feb 6 13:11:55 mfgalera1 postfix/qmgr[4919]: 0E85E605960D: from=<roberto.gomez en hex2016.lab.triara.com>, size=476, nrcpt=1 (queue active)
Feb 6 13:11:55 mfgalera1 postfix/smtp[16838]: 083CC605960B: to=<esit.triara en gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.219.26]:25, delay=2.1, delays=1/0/0.89/0.24, dsn=2.0.0, status=sent (250 2.0.0 OK 1549479633 n72si4133419yba.225 - gsmtp)
Feb 6 13:11:55 mfgalera1 postfix/qmgr[4919]: 083CC605960B: removed
Feb 6 13:11:56 mfgalera1 postfix/smtp[16839]: 0E85E605960D: to=<esit.triara en gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.219.26]:25, conn_use=2, delay=2, delays=1/0/0.75/0.23, dsn=2.0.0, status=sent (250 2.0.0 OK 1549479634 n72si4133419yba.225 - gsmtp)
Feb 6 13:11:56 mfgalera1 postfix/qmgr[4919]: 0E85E605960D: removed
Feb 6 13:11:56 mfgalera1 valvulad[5291]: info: DUNNO: roberto.gomez en hex2016.lab.triara.com -> esit.triara en gmail.com (sasl_user=), port 3080, rcpt count=0, queue-id , from 172.17.35.5, no-tls
Feb 6 13:11:56 mfgalera1 postfix/smtpd[16832]: 12338605960B: client=unknown[172.17.35.5]
Feb 6 13:11:56 mfgalera1 postfix/cleanup[16837]: 12338605960B: message-id=<>
Feb 6 13:11:56 mfgalera1 postfix/qmgr[4919]: 12338605960B: from=<roberto.gomez en hex2016.lab.triara.com>, size=476, nrcpt=1 (queue active)
Feb 6 13:11:56 mfgalera1 postfix/smtp[16838]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4002:c08::1b]:25: Network is unreachable
Feb 6 13:11:57 mfgalera1 valvulad[5291]: info: DUNNO: roberto.gomez en hex2016.lab.triara.com -> esit.triara en gmail.com (sasl_user=), port 3080, rcpt count=0, queue-id , from 172.17.35.5, no-tls
Feb 6 13:11:57 mfgalera1 postfix/smtpd[16832]: 17BB9605960C: client=unknown[172.17.35.5]
Feb 6 13:11:57 mfgalera1 postfix/cleanup[16837]: 17BB9605960C: message-id=<>
Feb 6 13:11:57 mfgalera1 postfix/qmgr[4919]: 17BB9605960C: from=<roberto.gomez en hex2016.lab.triara.com>, size=476, nrcpt=1 (queue active)
On Wed, Feb 6, 2019, at 12:23 PM, Francis Brosnan Blázquez wrote:
> Hello Oscar,
>
> Given your logs, valvula is not receiving any indication about emails
> you are sending... which also means postfix is not receiving those
> emails to be filtered or at least the smtpd postfix process connected
> to valvula.
>
> The pipeline you are describing (more or less) is:
>
> Your client SMTP software ->
> contacts with your haproxy at some port ->
> Haproxy contacts postfix at 25 ->
> postfix (due to smtpd_recipient_restrictions=) contacts valvula at 3080 ->
> valvula generates a DUNNO, OK, REJECT or error log.
>
> Because at some point this pipeline is not connected, valvula is not
> receiving any request to reject, accept or whatever...
>
> Once you manage to contact your postfix and have your postfix contact
> valvula, you will see it working.
>
> On Wed, 06-02-2019 at 12:55 -0500, Oscar Manuel Seoane Cereijo wrote:
> Hello Francis.
>
> Thanks for your answer.
>
> If I send a pack of 100 mails, all emails arrive at the destination.
> Ten minutes later, if I send another pack of 500 emails, all arrive at
> the destination.
>
> All emails are sent from the same account using a script.
>
> tail -f /var/log/messages
>
> Feb 6 11:21:01 mfgalera1 check-valvulad.py: check-valvula: info:
> Valvulad server is working right
>
> Regards
>
>
> On Wed, Feb 6, 2019, at 11:02 AM, Francis Brosnan Blázquez wrote:
> > > Hello Oscar,
> > >
> > > How are you testing your solution to come to the conclusion valvula is
> > > not filtering?
> > >
> > > What about log files at /var/log/{syslog,messages}?
> > >
> > > First impression is that your configuration is ok...
> > >
> > >
> > > On Wed, 06-02-2019 at 11:51 -0500, Oscar Manuel Seoane Cereijo wrote:
> > > Hello
> > >
> > > I am testing a solution based on postfix, haproxy and valvula. I have a
> > > server with haproxy as a load balancer. I also have three servers
> > > with galera (MariaDB Cluster) and valvula installed.
> > >
> > > The problem is valvula does not filter any mails.
> > >
> > > The load balancer (haproxy) runs fine.
> > > Galera runs ok on the three servers.
> > > Valvula does not have any errors.
> > > Postfix has open relay to my network and runs ok.
> > >
> > > [root en mfgalera1 ~]# valvulad -b
> > > INFO: Database connection working OK
> > >
> > > [root en mfgalera1 ~]# netstat -ntpl
> > > Active Internet connections (only servers)
> > > Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
> > > tcp        0      0 127.0.0.1:3080   0.0.0.0:*        LISTEN  5291/valvulad
> > > tcp        0      0 0.0.0.0:3306     0.0.0.0:*        LISTEN  5127/mysqld
> > > tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  4765/sshd
> > > tcp        0      0 0.0.0.0:4567     0.0.0.0:*        LISTEN  5127/mysqld
> > > tcp        0      0 0.0.0.0:25       0.0.0.0:*        LISTEN  4911/master
> > > tcp6       0      0 :::22            :::*             LISTEN  4765/sshd
> > > tcp6       0      0 :::25            :::*             LISTEN  4911/master
> > >
> > > [root en mfgalera1 ~]# systemctl status postfix
> > > postfix.service - Postfix Mail Transport Agent
> > > Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
> > > Active: active (running) since mar 2019-02-05 12:29:57 CST; 22h ago
> > > Process: 4798 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
> > > Process: 4786 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
> > > Process: 4763 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
> > > Main PID: 4911 (master)
> > > CGroup: /system.slice/postfix.service
> > > ├─3374 pickup -l -t unix -u
> > > ├─4911 /usr/libexec/postfix/master -w
> > > ├─4919 qmgr -l -t unix -u
> > > ├─6193 smtpd -n smtp -t inet -u -o stress= -s 2 -o smtpd_recipient_restrictions=check_policy_service,inet:127.0.0.1:3080,permit_mynetworks,permit_sasl_authenticated,reject
> > > └─6194 proxymap -t unix -u
> > >
> > > And this is my valvula.conf
> > >
> > > <?xml version='1.0' ?>
> > > <valvula>
> > > <!-- -*- nxml -*- -->
> > > <!-- server configuration -->
> > > <global-settings>
> > > <!-- make valvula server to run with a low privileges user -->
> > > <running user='valvulad' group='valvulad' enabled='no' />
> > > <!-- uncomment the following instruction to make valvula log
> > > all SQL sentences run by the engine. It is not recommended to
> > > have it enabled by default: it creates lots of logs -->
> > > <!-- <debug-queries debug="yes" /> -->
> > > <log-reporting enabled='yes' use-syslog='yes' />
> > > <!-- Default signal action to take when a wrong signal is
> > > received (SIGSEGV or SIGABRT).
> > > reexec : do a fresh server restart
> > > hold : holds the process until it is killed for debugging.
> > > backtrace : prints a backtrace to the console
> > > default : if nothing is configured, kills the process after receiving
> > > this signal
> > > -->
> > > <signal action='reexec' />
> > > <!-- request line limit (leave it as is unless you know what you
> > > are doing). This is the number of lines a request can have
> > > before closing the connection. A request should be served in
> > > 80 lines at most. -->
> > > <request-line limit='80' />
> > > </global-settings>
> > > <!-- GENERAL: configuration -->
> > > <general>
> > > <listen host='127.0.0.1' port='3080'>
> > > <run module='mod-mquota' />
> > > </listen>
> > > </general>
> > > <database>
> > > <!-- default mysql configuration -->
> > > <config driver='mysql' dbname='policyv' user='root' password=''
> > > host='localhost' port='' />
> > > </database>
> > > <enviroment>
> > > <!-- the following declaration will make valvula server to
> > > detect
> > > postfix configuration by opening its configuration, and
> > > taking a look into virtual_mailbox_domains and other postfix
> > > declarations. If everything works ok, the server will be able
> > > to know what domains, accounts and aliases are considered
> > > local so valvula can make better decisions. -->
> > > <local-domains config='autodetect' />
> > > <!-- if previous declaration does not work, try one these -->
> > > <!-- <local-domains
> > > config="mysql:user:password:database:hosts:SELECT domain FROM
> > > domain_table WHERE domain='%s' AND is_active = 1" /> -->
> > > <!-- <local-domains config="file:///etc/postfix/local_domains" /> -->
> > > <!-- mod-slm configuration -->
> > > <!-- Last parameter (allow-empty-mail-from) will allow sending
> > > empty mail from:<> as defined by RFC. This is
> > > something that should be left enabled if you want to get DSN
> > > and/or mail error notifications.
> > > Of course, there are people that do not agree. In any case, if
> > > you want a recommendation, leave it on (yes).
> > > For more information see:
> > > https://lists.debian.org/debian-isp/2004/01/msg00259.html
> > >
> > > If nothing is configured, it is assumed
> > > allow-empty-mail-from="yes"
> > > -->
> > > <sender-login-mismatch mode='same-domain'
> > > allow-empty-mail-from='yes' />
> > > <!-- sending and receiving quotas: used by mod-mquota -->
> > > <default-sending-quota status='full' if-no-match='first'
> > > debug='yes'>
> > > <!-- account limit: 150/minute, 250/hour and 750/global
> > > from 09:00 to 21:00
> > > domain limit: 300/minute, 500/hour and 2500/global
> > >
> > > note: use -1 to disable any of the limits.
> > > For example, to disable global limit, use global-limit="-1"
> > > -->
> > > <limit label='day quota' from='9:00' to='21:00'
> > > status='full' minute-limit='15' hour-limit='100' global-limit='300'
> > > domain-minute-limit='15' domain-hour-limit='100'
> > > domain-global-limit='300' />
> > > <!-- limit 15/minute, 50/hour and 150/global from 21:00 to
> > > 09:00 -->
> > > <limit label='night quota' from='21:00' to='9:00'
> > > status='full' minute-limit='5' hour-limit='50' global-limit='150'
> > > domain-minute-limit='5' domain-hour-limit='50'
> > > domain-global-limit='150' />
> > > </default-sending-quota>
> > > <!-- <bwl debug="no" /> -->
> > > <!-- <lmm debug="no" /> -->
> > > <!-- mod-mw : mysql works -->
> > > <!-- It allows running user defined sql queries with the provided
> > > credentials. Each SQL query is then personalized with supported
> > > substitutions. All substitutions take the value indicated or
> > > evaluate to an empty string. -->
> > > <!-- Allowed substitutions are:
> > >
> > > - #queue-id# if defined, it is replaced by reported queue id
> > > - #size# if defined, it is replaced by reported size (single size,
> > > you may have to consider having this value by #rcpt-count# to have
> > > actual size to handle/send).
> > > - #sasl_user# if defined, it is replaced by sasl user account used.
> > > - #mail-from# if defined, it is replaced by mail from: reported
> > > account used.
> > > - #rcpt-count# if defined, it is replaced by reported recipient count
> > > (recipient_count reported by postfix).This value is only reliable if
> > > valvula is connected to smtpd_data_restrictions.
> > > - #rcpt-to# if defined, it is replaced by reported rcpt to: This
> > > value isn't reliable if connected to smtpd_data_restrictions (it may be
> > > empty for multi recipients operations). Connect valvula to
> > > smtpd_sender_restrictions if you want a reliable #rcpt-to# value.
> > > - #client-address# if defined, it is replaced by reported connecting
> > > ip
> > > -->
> > > <!-- configuration example follows: -->
> > > <!--
> > > <mysql-works>
> > > <with-db-def use="valvula" port="3579">
> > > <run-on-request sql="INSERT INTO example_table (sasl_user, mail_from,
> > > rcpt_count) VALUES ('#sasl_user#', '#mail-from#', '#rcpt-count#')" />
> > > <run-every-hour sql="DELETE FROM example_table" />
> > > </with-db-def>
> > > </mysql-works> -->
> > > </enviroment>
> > > <!-- MODULE: configuration -->
> > > <modules>
> > > <!-- directory where to find modules to load -->
> > > <directory src='/etc/valvula/mods-enabled' />
> > > </modules>
> > > </valvula>
> > >
> > > Any idea?
> > >
> > > Best regards.
> --
>
> Francis Brosnan Blázquez -- ASPL --ASPLhosting
> Support forum: https://support.asplhosting.com
> Follow us on Twitter: @aspl_es @asplhosting
> 91 134 14 22 - 91 134 14 45
>
> http://asplhosting.com
> http://aspl.es
> https://www.linkedin.com/in/francis-brosnan-bl%C3%A1zquez-1353a218/
>
> LEGAL NOTICE
>
> This message is addressed exclusively to its recipient. The data
> included in this e-mail are confidential and subject to professional
> secrecy, and disclosing them is prohibited under the laws in force.
> If you are not the recipient and have received it by mistake or have
> become aware of it for any reason, we ask you to inform us by this
> means and to destroy or delete it.
>
> Pursuant to Organic Law 15/1999, of 13 December, on the Protection of
> Personal Data, we inform you that your personal data, collected from
> publicly accessible sources or previously provided by you, come from
> databases owned by Advanced Software Production Line, S.L. (ASPL).
> Nevertheless, you may exercise your rights of access, rectification,
> cancellation and objection provided for in said Organic Law by giving
> written notice to: ASPL - Protección Datos,
> C/Antonio Suárez 10 A-102, 28802, Alcalá de Henares (Madrid).
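
One way to check from the maillog whether valvula let more requests through per sender and minute than the mquota minute limit it logged, as in the 100-message test above. This is an added example, not part of the original thread or of Valvula; the sample log is constructed in the format of the lines posted here, and its host name and addresses are placeholders.

```python
import re

LIMITS = re.compile(r"valvulad\[\d+\]: info: Selecting sending mquota period "
                    r"with label \[.+?\] limits g: -?\d+, h: -?\d+, m: (-?\d+)")
DECISION = re.compile(r"^(\w+ +\d+ \d\d:\d\d):\d\d \S+ valvulad\[\d+\]: info: "
                      r"(\w+): (.+?) -> .+? \(sasl_user=([^)]*)\)")

def audit(log_text):
    """List (minute, sender, passed, minute_limit, without_sasl) for every
    sender and minute where valvula passed more requests than the limit."""
    limit = None   # minute limit from the latest "Selecting ... period" line
    stats = {}     # (minute, sender) -> [passed, without_sasl, limit]
    for line in log_text.splitlines():
        m = LIMITS.search(line)
        if m:
            limit = int(m.group(1))
            continue
        m = DECISION.search(line)
        if not m or m.group(2) == "REJECT":
            continue
        row = stats.setdefault((m.group(1), m.group(3)), [0, 0, limit])
        row[0] += 1
        row[1] += m.group(4) == ""   # request carried no SASL login
    # a limit of -1 means "disabled" in valvula.conf, so it never trips
    return [(minute, sender, passed, lim, anon)
            for (minute, sender), (passed, anon, lim) in sorted(stats.items())
            if lim is not None and 0 <= lim < passed]

def sample_log(minute_limit=15):
    """Constructed maillog excerpt in the format shown in this thread;
    host name and addresses are placeholders."""
    head = ("Feb 6 13:11:01 mx1 valvulad[5291]: info: Selecting sending mquota "
            f"period with label [day quota] limits g: 300, h: 100, m: {minute_limit}")
    tmpl = ("Feb 6 13:{mm}:{ss:02d} mx1 valvulad[5291]: info: DUNNO: {frm} -> "
            "rcpt@example.net (sasl_user={sasl}), port 3080, rcpt count=0, "
            "queue-id , from 192.0.2.5, no-tls")
    burst = [tmpl.format(mm=11, ss=s, frm="script@example.org", sasl="")
             for s in range(20, 40)]
    quiet = [tmpl.format(mm=12, ss=s, frm="bob@example.org", sasl="bob")
             for s in range(3)]
    return "\n".join([head] + burst + quiet)

if __name__ == "__main__":
    for finding in audit(sample_log()):
        print("%s %s: %d passed, limit %d/min, %d without sasl_user" % finding)
```

Pass the text of /var/log/maillog to `audit()`; the last field of each finding tells how many of those requests arrived with an empty `sasl_user`, as the DUNNO lines above do.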
More information about the Valvula mailing list