Bug ID 1198869
Summary [Tumbleweed][postfix][Build_20220423] Postfix relay failed to send when sending mail from vm3 to vm2 via a relay server(vm1)
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware x86-64
OS openSUSE Tumbleweed
Status NEW
Severity Normal
Priority P5 - None
Component Other
Assignee screening-team-bugs@suse.de
Reporter weixuan.hao@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

## Summary
Postfix working as a relay server failed to relay mail to the recipient server,
while sending/receiving mail directly works fine for both servers.


## Observation
Setting up 3 VMs: vm1 works as mail server and relay server, vm2 works as mail
server and vm3 is the client. Mails sent directly from vm3 to vm1 and vm2 are
successful, while mails sent from vm3 to vm2 with vm1 as the relay server
failed. A similar issue was also observed in sle15-sp4 under FIPS mode. I'm not sure
if this is a misconfiguration issue or if some other reason caused this.


## Environment
# uname -m
x86_64
# cat /etc/*release
NAME="openSUSE Tumbleweed"
# VERSION="20220423"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20220423"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20220423"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"


## Reproducible
Basically follow all steps in:
https://bugzilla.suse.com/tr_show_case.cgi?case_id=1769966
Note that:
1. 'hash' is not supported in postfix configurations in main.cf now; the default
replacement is 'lmdb'
2. Additional dependencies are required: for sle15sp4, cyrus-sasl-saslauthd needs
to be installed, along with metamail installed via Package Hub; for tumbleweed,
cyrus-sasl-saslauthd and cyrus-sasl-plain need to be installed

Other detailed configurations:

VM01:
# postconf -n
alias_maps = lmdb:/etc/aliases
biff = no
canonical_maps = lmdb:/etc/postfix/canonical
command_directory = /usr/sbin
compatibility_level = 3.6
content_filter =
daemon_directory = /usr/lib/postfix/bin/
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = yes
disable_mime_output_conversion = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = $myhostname, localhost
mydomain = example1.com
myhostname = mail.example1.com
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_clientcerts =
relay_domains = $mydestination, lmdb:/etc/postfix/relay
relay_recipient_maps = lmdb:/etc/postfix/relay_recipients
relayhost =
relocated_maps = lmdb:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = lmdb:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = yes
smtp_sasl_auth_enable = no
smtp_sasl_password_maps =
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/ca-bundle.pem
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_loglevel = 2
smtp_tls_session_cache_database =
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = lmdb:/etc/postfix/access
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_ask_ccert = no
smtpd_tls_cert_file = /etc/postfix/ssl/server1_crt.pem
smtpd_tls_exclude_ciphers = RC4
smtpd_tls_key_file = /etc/postfix/ssl/server1_key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = lmdb:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = lmdb:/etc/postfix/virtual

VM02:
# postconf -n
alias_maps = lmdb:/etc/aliases
biff = no
canonical_maps = lmdb:/etc/postfix/canonical
command_directory = /usr/sbin
compatibility_level = 3.6
content_filter =
daemon_directory = /usr/lib/postfix/bin/
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = yes
disable_mime_output_conversion = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = $myhostname, localhost
mydomain = example2.com
myhostname = mail.example2.com
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_clientcerts =
relay_domains = $mydestination lmdb:/etc/postfix/relay
relay_recipient_maps = lmdb:/etc/postfix/relay_recipients
relayhost =
relocated_maps = lmdb:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = lmdb:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_sasl_auth_enable = no
smtp_sasl_password_maps =
smtp_sasl_security_options =
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_session_cache_database =
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = lmdb:/etc/postfix/access
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_ask_ccert = no
smtpd_tls_cert_file = /etc/postfix/ssl/server2_crt.pem
smtpd_tls_exclude_ciphers = RC4
smtpd_tls_key_file = /etc/postfix/ssl/server2_key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = lmdb:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = lmdb:/etc/postfix/virtual

## Error result
Log from vm01:
# journalctl -u postfix.service
Apr 26 15:15:56 vm01 postfix/smtp[14526]: certificate verification failed for mail.example2.com[]:25: self-signed certificate
Apr 26 15:15:56 vm01 postfix/smtp[14526]: mail.example2.com[]:25: subject_CN=Shawn, issuer_CN=Shawn, fingerprint=, pkey_fingerpr>
Apr 26 15:15:56 vm01 postfix/smtp[14526]: Untrusted TLS connection established to mail.example2.com[]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) se>
Apr 26 15:15:56 vm01 postfix/smtp[14526]: CB7AE32CB: to=<root@example2.com>, relay=mail.example2.com[]:25, delay=0.11, delays=0.07/0.02/0.02/0, dsn=4.7.5, status=deferred (Server certificate not verified)

## Expected result
mail should be sent to vm02 successfully
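
An added triage example, not part of the report and not Postfix code: it pairs each deferred delivery in the journal with the certificate verification error logged by the same smtp process, and checks whether the sending host's `postconf -n` output makes a verified server certificate mandatory. The sample log and config excerpt are constructed from the lines quoted above; the function names are hypothetical.

```python
import re

# Constructed sample: the vm01 journal lines from the report, unwrapped and
# shortened, plus one unrelated successful delivery.
SAMPLE_LOG = """\
Apr 26 15:15:56 vm01 postfix/smtp[14526]: certificate verification failed for mail.example2.com[]:25: self-signed certificate
Apr 26 15:15:56 vm01 postfix/smtp[14526]: Untrusted TLS connection established to mail.example2.com[]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Apr 26 15:15:56 vm01 postfix/smtp[14526]: CB7AE32CB: to=<root@example2.com>, relay=mail.example2.com[]:25, delay=0.11, delays=0.07/0.02/0.02/0, dsn=4.7.5, status=deferred (Server certificate not verified)
Apr 26 15:16:02 vm01 postfix/smtp[14530]: 0A1B2C3D4: to=<user@example.org>, relay=mail.example.org[]:25, delay=0.05, delays=0.02/0.01/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""
# Constructed excerpt of VM01's `postconf -n` output (values as in the report).
SAMPLE_CONF = "smtp_enforce_tls = yes\nsmtp_tls_CAfile = /etc/ssl/ca-bundle.pem\n"

PREFIX = re.compile(r"postfix/smtp\[(\d+)\]: (.*)")
VERIFY = re.compile(r"certificate verification failed for (\S+?)\[[^\]]*\]:\d+: (.+)")
DELIVERY = re.compile(r"([0-9A-F]+): to=<([^>]*)>, relay=([^\[,]+).*dsn=([\d.]+), status=(\w+) \((.*)\)")

def parse_postconf(text):
    """Map parameter name -> value from `postconf -n` output."""
    pairs = (line.partition("=") for line in text.splitlines() if " =" in line)
    return {name.strip(): value.strip() for name, _, value in pairs}

def requires_verified_cert(conf):
    """True if the SMTP client insists on a CA-verified server certificate."""
    level = conf.get("smtp_tls_security_level", "")
    if level:  # when set, this overrides the legacy smtp_enforce_tls parameters
        return level in ("verify", "secure")
    return (conf.get("smtp_enforce_tls", "no") == "yes"
            and conf.get("smtp_tls_enforce_peername", "yes") == "yes")

def tls_deferrals(log_text):
    """Pair each deferred delivery with the verification error that the same
    smtp process logged for the same host (None if there was none)."""
    errors, findings = {}, []
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        v, d = VERIFY.match(msg), DELIVERY.match(msg)
        if v:
            errors[(pid, v.group(1))] = v.group(2)
        elif d and d.group(5) == "deferred":
            qid, rcpt, host, dsn, _, text = d.groups()
            findings.append({"queue_id": qid, "recipient": rcpt, "relay": host,
                             "dsn": dsn, "status_text": text,
                             "verify_error": errors.get((pid, host))})
    return findings
```

A finding with a `verify_error` on a host where `requires_verified_cert` is true means the delivery was held by the sender's own TLS policy rather than rejected by the recipient server.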

