Discussion:
max connection for inbound/outbound smtp
Michael Peter
2015-07-24 11:12:13 UTC
Hi,

master.cf
smtp inet n - - - 100 smtpd


I understand that the default maximum of concurrent incoming smtp
connections is 100?

but what about outgoing smtp connections to remote smtpd servers? How many
connections can postfix establish for outgoing emails to different mail
servers simultaneously?

For example, can postfix connect to 120 different remote smtpd servers
simultaneously for email delivery? And how do I control this parameter?
Does it count against the smtpd maxproc mentioned in master.cf, or is that
only for smtpd incoming connections (not outgoing)?

Thanks

Peter Michael
Wietse Venema
2015-07-24 15:07:50 UTC
Michael Peter:
Post by Michael Peter
Hi,
master.cf
smtp inet n - - - 100 smtpd
I understand that the default maximum of concurrent incoming smtp
connections is 100?
There is one connection per "smtpd" process.
Post by Michael Peter
but what about outgoing smtp connections to remote smtpd servers? How many
connections can postfix establish for outgoing emails to different mail
servers simultaneously?
There is one connection per "smtp" process.

There are also limits per destination:
transport_destination_concurrency_limit
transport_destination_rate_delay
transport_transport_rate_delay (Postfix 3.1)

See http://www.postfix.org/postconf.5.html#transport_destination_concurrency_limit
and so on.

Wietse
Viktor Dukhovni
2015-07-24 16:17:56 UTC
On Fri, Jul 24, 2015 at 10:31:10AM +0300, Michael Peter wrote:

http://www.postfix.org/postconf.5.html#reject_unknown_sender_domain

reject_unknown_sender_domain
Reject the request when Postfix is not final destination
for the sender address, and the MAIL FROM domain has 1) no
DNS MX and no DNS A record, or 2) a malformed MX record
such as a record with a zero-length MX hostname (Postfix
version 2.3 and later). The reply is specified with the
unknown_address_reject_code parameter (default: 450),
unknown_address_tempfail_action (default: defer_if_permit),
or 550 (nullmx, Postfix 3.0 and later). See the respective
parameter descriptions for details.
I am confused: what is the meaning of "when postfix is not final destination
for the sender address"?
The restriction only applies when the domain in question is not
hosted by the receiving Postfix system as determined by its address
class.

http://www.postfix.org/ADDRESS_CLASS_README.html

Sender domains in the local, virtual alias and virtual mailbox
address classes are never rejected by reject_unknown_sender_domain,
they are "known" to Postfix whether or not they are "known" to DNS.
--
Viktor.
Michael Peter
2015-07-26 12:40:56 UTC
Thank you very much for your reply, please find my comments below.
Post by Wietse Venema
Post by Michael Peter
Hi,
master.cf
smtp inet n - - - 100 smtpd
I understand that the default maximum of concurrent incoming smtp
connections is 100?
There is one connection per "smtpd" process.
Post by Michael Peter
but what about outgoing smtp connections to remote smtpd servers? How
many connections can postfix establish for outgoing emails to different mail
servers simultaneously?
Sorry, it is my mistake since I didn't ask my question correctly.

What I meant to ask is how many outbound processes to remote email
servers postfix can handle simultaneously (in case of sending emails to many
different remote hosts and not 1 specific host).

I understand that in case of sending to 1 host,
transport_destination_concurrency_limit will apply. But my question is,
in case postfix is to send to 200 different remote smtpd hosts
simultaneously, how many outbound processes can postfix handle
simultaneously by default? And how do I increase its value?

Many thanks again.

Peter Michael
Wietse Venema
2015-07-26 13:38:43 UTC
Post by Wietse Venema
There is one connection per "smtpd" process.
Post by Michael Peter
but what about outgoing smtp connections to remote smtpd servers? How
many connections can postfix establish for outgoing emails to different mail
servers simultaneously?
Sorry, it is my mistake since I didn't ask my question correctly.
What I meant to ask is how many outbound processes to remote email
servers postfix can handle simultaneously (in case of sending emails to many
different remote hosts and not 1 specific host).
There is one connection per "smtp" process. You configure the process
limit (and therefore the maximum number of connections) in master.cf.

See also:
http://www.postfox.org/TUNING_README.html
http://www.postfox.org/QSHAPE_README.html

Wietse
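As an added example (not code from the thread or from Postfix), the following Python script parses a constructed master.cf and reports, per service, the process ceiling Wietse describes: the maxproc column, where "-" means main.cf's default_process_limit (100 unless changed) and 0 means no limit. It also separates the inbound side (services whose command is smtpd) from the outbound side (services whose command is smtp), because the line quoted in the question, "smtp inet ... smtpd", is the inbound service that happens to be named smtp, while the outbound client is the "smtp unix ... smtp" entry. The sample master.cf and the default of 100 are assumptions for the example; on a real system `postconf -M` prints the live entries in this same format.

```python
"""Compute per-service process ceilings from a Postfix master.cf.

Added example; not Postfix code. Per master(5) the columns are:
  service type private unpriv chroot wakeup maxproc command + args
The maxproc column is how many processes master(8) will run for the
service: "-" means main.cf's default_process_limit (100 by default), 0 means
no limit. One smtpd process serves one inbound connection and one smtp
process serves one outbound connection, so maxproc is the connection
ceiling for that service.
"""

DEFAULT_PROCESS_LIMIT = 100  # Postfix default for default_process_limit (assumed here)

# Constructed sample, modelled on the line quoted in the thread.
SAMPLE_MASTER_CF = """\
# service    type  private unpriv  chroot  wakeup  maxproc command + args
smtp         inet  n       -       -       -       100     smtpd
submission   inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
pickup       unix  n       -       -       60      1       pickup
cleanup      unix  n       -       -       -       0       cleanup
qmgr         unix  n       -       n       300     1       qmgr
smtp         unix  -       -       -       -       -       smtp
relay        unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
"""


def parse_master_cf(text):
    """Return {(service, type): entry} for each service line.

    Lines starting with whitespace continue the previous entry (they carry
    "-o name=value" overrides); comments and blank lines are ignored.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError('continuation line before any service: %r' % raw)
            current['overrides'].append(raw.strip())
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError('malformed master.cf line: %r' % raw)
        name, kind, maxproc, command = fields[0], fields[1], fields[6], fields[7]
        current = {'maxproc': maxproc, 'command': command,
                   'args': fields[8:], 'overrides': []}
        services[(name, kind)] = current
    return services


def effective_limit(entry, default_process_limit=DEFAULT_PROCESS_LIMIT):
    """Turn the maxproc column into a concrete ceiling; None means unlimited."""
    if entry['maxproc'] == '-':
        return default_process_limit
    n = int(entry['maxproc'])
    if n < 0:
        raise ValueError('negative maxproc')
    return None if n == 0 else n


def connection_ceilings(text, default_process_limit=DEFAULT_PROCESS_LIMIT):
    """Map "service/type" (as postconf -M names them) to its process ceiling."""
    return {'%s/%s' % key: effective_limit(entry, default_process_limit)
            for key, entry in parse_master_cf(text).items()}


def smtp_ceilings(text, default_process_limit=DEFAULT_PROCESS_LIMIT):
    """Return (inbound, outbound): total concurrent SMTP connections possible.

    Inbound sums every service running smtpd (the server), outbound every
    service running smtp (the client); None if any contributing entry is
    unlimited. Per-destination limits such as
    transport_destination_concurrency_limit then apply within the outbound total.
    """
    def add(total, limit):
        return None if total is None or limit is None else total + limit

    inbound, outbound = 0, 0
    for entry in parse_master_cf(text).values():
        limit = effective_limit(entry, default_process_limit)
        if entry['command'] == 'smtpd':
            inbound = add(inbound, limit)
        elif entry['command'] == 'smtp':
            outbound = add(outbound, limit)
    return inbound, outbound


if __name__ == '__main__':
    for svc, limit in sorted(connection_ceilings(SAMPLE_MASTER_CF).items()):
        print('%-16s %s' % (svc, 'unlimited' if limit is None else limit))
    print('inbound/outbound SMTP ceilings:', smtp_ceilings(SAMPLE_MASTER_CF))
```

With the sample above both directions come out at 200 (100 for the explicit "smtp inet" entry plus the default for submission; the default for each of "smtp unix" and "relay unix"), which is why raising default_process_limit in main.cf moves every "-" entry at once while editing one maxproc column moves only that service.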
Benny Pedersen
2015-07-26 13:46:33 UTC
Post by Wietse Venema
http://www.postfox.org/TUNING_README.html
http://www.postfox.org/QSHAPE_README.html
incorrect domain
Michael Peter
2015-08-05 06:44:13 UTC
Hi,

I have set on postfix that the max process count for smtpd is 10 using master.cf.

So once simultaneous concurrent connections reached 10, postfix started
STRESS behaviour,

so smtpd is running with the command-line option stress=yes.

Now after the connections dropped from 10 to 5, postfix still handles
new connections with stress=yes although the current connection count is 5 and
has not yet reached 10 again.

So I understand from this behaviour that once stress behaviour is
activated by postfix, it remains for some time (even if the current
number of process connections has decreased below the max process connection
limit).

My question is how long the stress behaviour continues to be
activated after the current number of process connections has decreased below the max
process connection limit.

I have read the documentation and searched a lot but I couldn't find an
answer...

Thank you.

Michael Peter
Wietse Venema
2015-08-05 10:27:13 UTC
Post by Michael Peter
Hi,
I have set on postfix that the max process count for smtpd is 10 using master.cf.
So once simultaneous concurrent connections reached 10, postfix started
STRESS behaviour,
so smtpd is running with the command-line option stress=yes.
Now after the connections dropped from 10 to 5, postfix still handles
new connections with stress=yes although the current connection count is 5 and
has not yet reached 10 again.
stress=yes persists for some time, perhaps 1000s, to prevent
Postfix from logging tons of warnings as load fluctuates. Why does
it matter what the precise time is? Address the problem (why is the
limit reached?), not the symptom (short timeouts etc.).

Wietse
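Wietse's advice is to tune for the overload rather than for the timer. As an added illustration (not from the thread), this main.cf fragment uses the stress-dependent parameter syntax from STRESS_README so that smtpd sheds slow or abusive clients faster while stress=yes is in effect, and adds the per-client anvil(8) limits that keep a single client from consuming the whole smtpd process pool. The numeric values are arbitrary choices for the example, not recommendations from the thread.

```ini
# main.cf (added example). ${stress?A}${stress:B} expands to A while master(8)
# passes stress=yes to smtpd and to B otherwise (Postfix 2.5+ syntax).
smtpd_timeout = ${stress?10}${stress:300}s
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_junk_command_limit = ${stress?1}${stress:100}
smtpd_per_record_deadline = ${stress?yes}${stress:no}

# Address the cause, not the symptom: per-client ceilings enforced by anvil(8)
# over anvil_rate_time_unit (60s by default). Values are illustrative.
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
```

The first block only changes how quickly an already-overloaded smtpd frees a process; the anvil limits reduce how often the pool fills in the first place, which is the question Wietse says to answer.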
Charles Kugarakuripi
2021-03-02 22:26:54 UTC
Post by Wietse Venema
Post by Michael Peter
Hi,
I have set on postfix that the max process count for smtpd is 10 using master.cf.
So once simultaneous concurrent connections reached 10, postfix started
STRESS behaviour,
so smtpd is running with the command-line option stress=yes.
Now after the connections dropped from 10 to 5, postfix still handles
new connections with stress=yes although the current connection count is 5 and
has not yet reached 10 again.
stress=yes persists for some time, perhaps 1000s, to prevent
Postfix from logging tons of warnings as load fluctuates. Why does
it matter what the precise time is? Address the problem (why is the
limit reached?), not the symptom (short timeouts etc.).
Wietse
Hello guys
I am running postfix 2.10.1 and my problem is that when I connect my mail server to the LAN the router restarts as if it's activated DoS. Could that be an issue to do with not limiting concurrent connections?

Please help

Michael Peter
2015-09-24 09:34:31 UTC
Hello,

smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt

I configured postfix to use encryption for incoming and outgoing emails.

but in case the recipient has an untrusted certificate or self-signed
certificate, postfix still delivers the email.

How do I enforce that postfix does not send the email in case the recipient
certificate is untrusted or self-signed?

Many thanks

Michael Peter
l***@kwsoft.de
2015-09-24 12:14:47 UTC
Post by Michael Peter
Hello,
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt
I configured postfix to use encryption for incoming and outgoing emails.
but in case the recipient has an untrusted certificate or self-signed
certificate, postfix still delivers the email.
How do I enforce that postfix does not send the email in case the recipient
certificate is untrusted or self-signed?
Many thanks
Michael Peter
You will need the "verify" level for this:
http://www.postfix.org/TLS_README.html#client_tls_verify

Regards

Andreas
Viktor Dukhovni
2015-09-24 14:25:16 UTC
Post by l***@kwsoft.de
Post by Michael Peter
How do I enforce that postfix does not send the email in case the recipient
certificate is untrusted or self-signed?
http://www.postfix.org/TLS_README.html#client_tls_verify
The default hostname matching policy in the "verify" level is
vulnerable to MiTM attacks that modify the MX records of the
nexthop domain. This is addressed in the "secure" level.

http://www.postfix.org/TLS_README.html#client_tls_secure

The two levels are otherwise identical; if you explicitly configure
"match=" in the policy table, or smtp_tls_{verify,secure}_cert_match,
then it does not matter which level you choose. What matters is
whether or not you elect to trust hostnames obtained from insecure
MX lookups.
--
Viktor.
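To make Viktor's point concrete, here is an added Python simulation (not Postfix code) of the name-matching step the two levels perform by default, using the defaults from postconf(5): smtp_tls_verify_cert_match = hostname (the MX host name learned from DNS) and smtp_tls_secure_cert_match = nexthop, dot-nexthop (the next-hop domain and its subdomains). The DNS answers, the attacker's host name mx.attacker.example and the certificate SAN lists are all constructed; certificates are reduced to their DNS SANs and every certificate is assumed to chain to a trusted CA, since the question here is which name is checked, not chain validation.

```python
"""Simulate the name-matching step of Postfix's "verify" and "secure" TLS levels.

Added example; not Postfix code. Defaults modelled (postconf(5)):
  smtp_tls_verify_cert_match = hostname         # name from the MX lookup
  smtp_tls_secure_cert_match = nexthop, dot-nexthop
Chain validation is assumed to have passed for every certificate below; only
the host-name check differs between the two levels.
"""

VERIFY_DEFAULT_MATCH = ['hostname']
SECURE_DEFAULT_MATCH = ['nexthop', 'dot-nexthop']

# Constructed resolver answers: next-hop domain -> MX host name.
HONEST_DNS = {'example.org': 'mx1.example.org'}
# Same lookup with the MX RRset rewritten by an on-path attacker (plain DNS).
SPOOFED_DNS = {'example.org': 'mx.attacker.example'}

# Constructed certificates presented by each MX host, as DNS SAN lists.
CERTS = {
    'mx1.example.org': ['mx1.example.org', '*.example.org'],
    # A perfectly valid CA-issued certificate, just for the attacker's own name.
    'mx.attacker.example': ['mx.attacker.example'],
}


def san_matches(san, name):
    """Exact DNS name match, or a wildcard in the leftmost label only,
    covering exactly one label (RFC 6125 style)."""
    san, name = san.lower().rstrip('.'), name.lower().rstrip('.')
    if san.startswith('*.'):
        s, n = san.split('.'), name.split('.')
        return len(s) == len(n) and s[1:] == n[1:]
    return san == name


def subdomain_matches(san, parent):
    """Dot-prefixed patterns (".example.org") accept any subdomain of the
    parent. A wildcard SAN covers one label under its suffix, so its '*'
    is treated as an arbitrary label for this test (simplified model)."""
    candidate = san.lower().rstrip('.').replace('*', 'x', 1)
    return candidate.endswith('.' + parent.lower().rstrip('.'))


def expected_names(match_list, nexthop, mx_hostname):
    """Expand Postfix match keywords into the names a certificate must carry."""
    names = []
    for item in match_list:
        if item == 'nexthop':
            names.append(nexthop)
        elif item == 'dot-nexthop':
            names.append('.' + nexthop)
        elif item == 'hostname':
            names.append(mx_hostname)      # attacker-controllable without DNSSEC
        else:
            names.append(item)             # literal name from a policy table
    return names


def cert_accepted(expected, sans):
    for want in expected:
        for san in sans:
            if want.startswith('.'):
                if subdomain_matches(san, want[1:]):
                    return True
            elif san_matches(san, want):
                return True
    return False


def tls_delivery_allowed(level, nexthop, dns, certs=CERTS, match=None):
    """Return (accepted, mx_hostname, names_checked) for one delivery attempt.

    level is "verify" or "secure"; match overrides the level default, as an
    explicit "match=" in smtp_tls_policy_maps or the *_cert_match parameter would.
    """
    if level not in ('verify', 'secure'):
        raise ValueError('level must be verify or secure')
    mx = dns[nexthop]
    if match is None:
        match = VERIFY_DEFAULT_MATCH if level == 'verify' else SECURE_DEFAULT_MATCH
    expected = expected_names(match, nexthop, mx)
    return cert_accepted(expected, certs[mx]), mx, expected


if __name__ == '__main__':
    for level in ('verify', 'secure'):
        for label, dns in (('honest DNS', HONEST_DNS), ('spoofed MX', SPOOFED_DNS)):
            ok, mx, names = tls_delivery_allowed(level, 'example.org', dns)
            print('%-6s %-11s mx=%-20s checks %-32s -> %s'
                  % (level, label, mx, ','.join(names), 'deliver' if ok else 'defer'))
```

Run stand-alone, the "verify + spoofed MX" row delivers: the attacker's certificate is valid for the very name the attacker put in DNS, so checking the MX host name proves nothing. The "secure" rows check example.org and its subdomains instead, so the spoofed MX is deferred; passing match=['nexthop', 'dot-nexthop'] to the "verify" level gives the same outcome, which is Viktor's observation that the levels differ only in their default match list.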
Michael Peter
2015-09-25 06:03:02 UTC
Hello,

I have configured postfix to check a CAfile which contains only the GoDaddy root
certificate, as follows:

smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt

To my surprise, postfix still trusts the server certificates when email is
sent to Yahoo or Gmail, although the CAfile contains only the GoDaddy
root certificate...

I am confused how postfix could verify Yahoo and Gmail certificates
although only the GoDaddy root certificate existed in the CA file????

So I have removed smtp_tls_CAfile, which contained only the GoDaddy root
certificate, from main.cf; now postfix is not trusting Yahoo or Gmail when
sending emails to them.

This makes me more confused..

Please advise your opinion..

Many thanks

Michael Peter
Wietse Venema
2015-09-25 11:58:03 UTC
Post by Michael Peter
This makes me more confused..
Please advise your opinion..
Please post your configuration as requested in the welcome message.

wietse

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.
Michael Peter
2015-09-25 15:16:10 UTC
Post by Wietse Venema
Post by Michael Peter
This makes me more confused..
Please advise your opinion..
Please post your configuration as requested in the welcome message.
wietse
I have posted my configuration as per your request, and I summarize my
questions again as follows.

I have configured postfix to check a CAfile which contains only the GoDaddy root
certificate, as follows, for outgoing emails.

smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt

To my surprise, postfix still trusts the server certificates when email is
sent to Yahoo or Gmail (although they are using a different provider for
their SSL certificates than GoDaddy), although the CAfile contains only the GoDaddy
root certificate. I am confused how postfix could verify Yahoo and Gmail
certificates although only the GoDaddy root certificate existed in the CA
file????

So I have removed smtp_tls_CAfile, which contained only the GoDaddy root
certificate, from main.cf; now postfix is not trusting Yahoo or Gmail when
sending emails to them.

This makes me more confused..

My configuration when smtp_tls_CAfile is configured to only the
GoDaddy root certificate is as follows:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost, $myhostname
inet_protocols = all
mail_owner = postfix
mailbox_delivery_lock = fcntl
mailbox_size_limit = 150000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 25000000
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = hidden-for-security.COM
mynetworks = 127.0.0.1, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /etc/ssl/certs/godaddy-root.crt
smtp_tls_loglevel = 2
smtp_tls_security_level = may
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blocksender
    check_recipient_access hash:/etc/postfix/blockr
    reject_sender_login_mismatch
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/blockforged
    reject_unauth_destination
    reject_invalid_helo_hostname
    reject_rbl_client zen.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/saslcheck
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = /etc/postfix/postfixkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_lock = fcntl

With the above configuration, and although smtp_tls_CAfile is configured
only to use the GoDaddy root certificate, when postfix sends
emails to Yahoo and Gmail the postfix log still confirms that the certificate
is trusted...... This is weird because postfix should only trust GoDaddy
certificates and not any other certificates issued by anyone other than
GoDaddy, based on my configuration.


Now I have removed smtp_tls_CAfile from the configuration.. now postfix is
not trusting Gmail and Yahoo certificates when sending email to them... I
am confused because in the previous configuration smtp_tls_CAfile was
pointing only to the GoDaddy root certificate... please find my revised
configuration as follows:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost, $myhostname
inet_protocols = all
mail_owner = postfix
mailbox_delivery_lock = fcntl
mailbox_size_limit = 150000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 25000000
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = hidden-for-security.COM
mynetworks = 127.0.0.1, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/blocksender
    check_recipient_access hash:/etc/postfix/blockr
    reject_sender_login_mismatch
    permit_sasl_authenticated
    check_sender_access hash:/etc/postfix/blockforged
    reject_unauth_destination
    reject_invalid_helo_hostname
    reject_rbl_client zen.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/saslcheck
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = /etc/postfix/postfixkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_lock = fcntl


Sorry for my long email, I just wanted to give you a full picture of the
issue for your advice..

Many Thanks
Michael Peter
Viktor Dukhovni
2015-09-25 15:40:17 UTC
Post by Michael Peter
I have configured postfix to check CAfile which contains only Godaddy root
certificate as follow for outgoing emails.
smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt
Which certificates are in that file? Report the output of:

openssl crl2pkcs7 -nocrl -certfile /etc/certs/go-daddy-root-ca.crt |
openssl pkcs7 -print_certs -noout
Post by Michael Peter
my surprise that still postfix trust the server certificates when email is
sent to Yahoo or Gmail..
Post the relevant logs. Do you use the same transport for Google
and Yahoo as for mail to GoDaddy? If not, are there any
master.cf overrides for the transports in question?
Post by Michael Peter
So i have removed smtp_tls_CAfile which contained only godaady root
certificate from main.cf, now postfix is not trusting Yahoo or Gmail when
sending emails to them.
Also post logs for this outcome.
Post by Michael Peter
smtp_tls_CAfile = /etc/ssl/certs/godaddy-root.crt
smtp_tls_loglevel = 2
Too verbose, 1 is enough.

What version of Postfix are you using?
--
Viktor.
Viktor Dukhovni
2015-09-25 16:05:38 UTC
Post by Viktor Dukhovni
What version of Postfix are you using?
Note that in Postfix prior to 2.8, setting a non-empty CAfile causes
the default system certificate store to also be enabled.
--
Viktor.
Michael Peter
2015-09-25 16:21:32 UTC
Post by Viktor Dukhovni
Post by Michael Peter
I have configured postfix to check CAfile which contains only Godaddy
root
certificate as follow for outgoing emails.
smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt
openssl crl2pkcs7 -nocrl -certfile /etc/certs/go-daddy-root-ca.crt |
openssl pkcs7 -print_certs -noout
subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root
Certificate Authority - G2
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root
Certificate Authority - G2
Post by Viktor Dukhovni
Post by Michael Peter
my surprise that still postfix trust the server certificates when email
is
sent to Yahoo or Gmail..
Post the relevant logs. Do you use the same transport for Google
and Yahoo as for mail to GoDaddy? If not, are there are any
master.cf overrides for the transports in question.
All emails use the same default transport.. my transport file is empty..
so all use the same transport.

In case smtp_tls_CAfile does not exist in main.cf (the CA file has the GoDaddy root
certificate only):
postfix/smtp[30874]: certificate verification failed for
mta6.am0.yahoodns.net[98.138.112.32]:25: untrusted issuer
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

In case smtp_tls_CAfile exists in main.cf (the CA file has the GoDaddy root
certificate only):
postfix/smtp[30107]: Trusted TLS connection established to
mta5.am0.yahoodns.net[66.196.118.37]:25: TLSv1.2 with cipher
ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Post by Viktor Dukhovni
Post by Michael Peter
So i have removed smtp_tls_CAfile which contained only godaady root
certificate from main.cf, now postfix is not trusting Yahoo or Gmail
when
sending emails to them.
posted above
Post by Viktor Dukhovni
Also post logs for this outcome.
Post by Michael Peter
smtp_tls_CAfile = /etc/ssl/certs/godaddy-root.crt
smtp_tls_loglevel = 2
Too verbose, 1 is enough.
confirmed.
Post by Viktor Dukhovni
What version of Postfix are you using?
postfix/master[7500]: reload -- version 2.6.6, configuration /etc/postfix
Post by Viktor Dukhovni
--
Viktor.
Viktor Dukhovni
2015-09-25 16:53:22 UTC
Post by Michael Peter
Post by Viktor Dukhovni
What version of Postfix are you using?
postfix/master[7500]: reload -- version 2.6.6, configuration /etc/postfix
That's nearly seven years old. When you enable the Web PKI by
setting smtp_tls_CAfile, that version of Postfix will also drag
in all the default system certificate files.

You can if you wish set:

# postconf -e "import_environment = $(postconf -h import_environment) SSL_CERT_FILE=/etc/postfix/certfile SSL_CERT_DIR=/etc/postfix/certdir"

and create a corresponding empty file and empty directory. That
will hide the system default locations while you're preparing to
upgrade to something less ancient.

--
Viktor.
Michael Peter
2015-09-25 16:56:15 UTC
Post by Viktor Dukhovni
Post by Michael Peter
Post by Viktor Dukhovni
What version of Postfix are you using?
postfix/master[7500]: reload -- version 2.6.6, configuration
/etc/postfix
That's nearly seven years old. When you enable the Web PKI by
setting smtp_tls_CAfile, that version of Postfix will also drag
in all the default system certificate files.
# postconf -e "import_environment = $(postconf -h import_environment)
SSL_CERT_FILE=/etc/postfix/certfile SSL_CERT_DIR=/etc/postfix/certdir"
and create a corresponding empty file and empty directory. That
will hide the system default locations while you're preparing to
upgrade to something less ancient.
This explains everything in detail.

Just for info, how can I know the default locations for the default system
certificates which postfix drags in when setting smtp_tls_CAfile?

Thanks again.

Michael Peter
Viktor Dukhovni
2015-09-25 17:09:51 UTC
Post by Michael Peter
Just for info, how can I know the default locations for the default system
certificates which postfix drags in when setting smtp_tls_CAfile?
This is system-dependent:

$ openssl version -d
OPENSSLDIR: "/usr/pkg/etc/openssl"

Look there for a file called "certs.pem" and/or a directory called
"certs". The directory is not searched directly, its contents are
indexed (or hashed) via "c_rehash" or similar.
--
Viktor.
Viktor Dukhovni
2015-09-25 17:26:23 UTC
Post by Viktor Dukhovni
Post by Michael Peter
Post by Viktor Dukhovni
What version of Postfix are you using?
postfix/master[7500]: reload -- version 2.6.6, configuration /etc/postfix
That's nearly seven years old. When you enable the Web PKI by
setting smtp_tls_CAfile, that version of Postfix will also drag
in all the default system certificate files.
For the record, in case you have not yet stumbled across this:

http://www.postfix.org/postconf.5.html#tls_append_default_CA

tls_append_default_CA (default: no)

This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and later versions.

This parameter controls the use of legacy default CAs in Postfix >= 2.8
and sufficiently high patch levels of the previous four releases.
--
Viktor.