[Bug 1198869] New: [Tumbleweed][postfix][Build_20220423] Postfix relay failed to send when sending mail from vm3 to vm2 via a relay server(vm1)
https://bugzilla.suse.com/show_bug.cgi?id=1198869

Bug ID: 1198869
Summary: [Tumbleweed][postfix][Build_20220423] Postfix relay failed to send when sending mail from vm3 to vm2 via a relay server(vm1)
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: screening-team-bugs@suse.de
Reporter: weixuan.hao@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

## Summary

Postfix working as a relay server failed to relay mail to recipient server, while sending/receiving mail directly works fine for both servers.

## Observation

Setting up 3 vms, vm1 works as mail server and relay server, vm2 works as mail server and vm3 is the client. Mails sent directly from vm3 to vm1 and vm2 are successful while mails sent from vm3 to vm2 with vm1 as the relay server failed. Similar issue also observed in sle15-sp4 under fips mode. I'm not sure if this is a misconfiguration issue or some other reason caused this.

## Environment

# uname -m
x86_64

# cat /etc/*release
NAME="openSUSE Tumbleweed"
# VERSION="20220423"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20220423"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20220423"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"

## Reproducible

Basically follow all steps in: https://bugzilla.suse.com/tr_show_case.cgi?case_id=1769966

Note that:
1. 'hash' is not supported in postfix configurations in main.cf now, default replacement is using 'lmdb'
2. Additional dependencies are required, for sle15sp4 cyrus-sasl-saslauthd need to be installed along with metamail installed via package hub; for tumbleweed cyrus-sasl-saslauthd and cyrus-sasl-plain need to be installed

Other detailed configurations:

VM01:
# postconf -n
alias_maps = lmdb:/etc/aliases
biff = no
canonical_maps = lmdb:/etc/postfix/canonical
command_directory = /usr/sbin
compatibility_level = 3.6
content_filter =
daemon_directory = /usr/lib/postfix/bin/
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = yes
disable_mime_output_conversion = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = $myhostname, localhost
mydomain = example1.com
myhostname = mail.example1.com
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_clientcerts =
relay_domains = $mydestination, lmdb:/etc/postfix/relay
relay_recipient_maps = lmdb:/etc/postfix/relay_recipients
relayhost =
relocated_maps = lmdb:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = lmdb:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = yes
smtp_sasl_auth_enable = no
smtp_sasl_password_maps =
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/ca-bundle.pem
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_loglevel = 2
smtp_tls_session_cache_database =
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = lmdb:/etc/postfix/access
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_ask_ccert = no
smtpd_tls_cert_file = /etc/postfix/ssl/server1_crt.pem
smtpd_tls_exclude_ciphers = RC4
smtpd_tls_key_file = /etc/postfix/ssl/server1_key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = lmdb:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = lmdb:/etc/postfix/virtual

VM02:
# postconf -n
alias_maps = lmdb:/etc/aliases
biff = no
canonical_maps = lmdb:/etc/postfix/canonical
command_directory = /usr/sbin
compatibility_level = 3.6
content_filter =
daemon_directory = /usr/lib/postfix/bin/
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = yes
disable_mime_output_conversion = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = $myhostname, localhost
mydomain = example2.com
myhostname = mail.example2.com
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_clientcerts =
relay_domains = $mydestination lmdb:/etc/postfix/relay
relay_recipient_maps = lmdb:/etc/postfix/relay_recipients
relayhost =
relocated_maps = lmdb:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = lmdb:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_sasl_auth_enable = no
smtp_sasl_password_maps =
smtp_sasl_security_options =
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_session_cache_database =
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = lmdb:/etc/postfix/access
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_ask_ccert = no
smtpd_tls_cert_file = /etc/postfix/ssl/server2_crt.pem
smtpd_tls_exclude_ciphers = RC4
smtpd_tls_key_file = /etc/postfix/ssl/server2_key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = lmdb:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = lmdb:/etc/postfix/virtual

## Error result

Log from vm01:
# journalctl -u postfix.service
Apr 26 15:15:56 vm01 postfix/smtp[14526]: certificate verification failed for mail.example2.com[]:25: self-signed certificate
Apr 26 15:15:56 vm01 postfix/smtp[14526]: mail.example2.com[]:25: subject_CN=Shawn, issuer_CN=Shawn, fingerprint=, pkey_fingerpr>
Apr 26 15:15:56 vm01 postfix/smtp[14526]: Untrusted TLS connection established to mail.example2.com[]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) se>
Apr 26 15:15:56 vm01 postfix/smtp[14526]: CB7AE32CB: to=<root@example2.com>, relay=mail.example2.com[]:25, delay=0.11, delays=0.07/0.02/0.02/0, dsn=4.7.5, status=deferred (Server certificate not verified)

## Expected result

mail should be sent to vm02 successfully

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1198869

Ben Chou <bchou@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bchou@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1198869

Chenzi Cao <chcao@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|screening-team-bugs@suse.de |varkoly@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1198869
https://bugzilla.suse.com/show_bug.cgi?id=1198869#c1

Peter Varkoly <varkoly@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #1 from Peter Varkoly <varkoly@suse.com> ---
This is a misconfiguration:
status=deferred (Server certificate not verified)
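
The deferral in this thread can be traced from vm01's settings to the logged cause. The following is an added example, not part of the bug report or of Postfix: it resolves the SMTP client TLS level from `postconf -n` output and pairs each "Server certificate not verified" deferral with the certificate details in the journal. The function names are hypothetical, the input is a constructed subset of the report's output, and it assumes no `smtp_tls_policy_maps` entry overrides the level for the destination.

```python
import re

# Constructed input: TLS client lines from vm01's `postconf -n` plus journal lines quoted in the report.
POSTCONF = """smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/ssl/ca-bundle.pem
smtp_use_tls = yes
"""
JOURNAL = """Apr 26 15:15:56 vm01 postfix/smtp[14526]: certificate verification failed for mail.example2.com[]:25: self-signed certificate
Apr 26 15:15:56 vm01 postfix/smtp[14526]: mail.example2.com[]:25: subject_CN=Shawn, issuer_CN=Shawn, fingerprint=, pkey_fingerpr>
Apr 26 15:15:56 vm01 postfix/smtp[14526]: CB7AE32CB: to=<root@example2.com>, relay=mail.example2.com[]:25, delay=0.11, delays=0.07/0.02/0.02/0, dsn=4.7.5, status=deferred (Server certificate not verified)
"""
HOST = r"([\w.-]+)\[[^\]]*\]:\d+"  # "host[addr]:port"; the report has the address blanked

def parse_postconf(text):
    """Turn `postconf -n` output into a dict; parameters with no value map to ''."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def client_tls_level(conf):
    """Effective SMTP client level: smtp_tls_security_level overrides the legacy switches."""
    if conf.get("smtp_tls_security_level"):
        return conf["smtp_tls_security_level"]
    if conf.get("smtp_enforce_tls") == "yes":
        # Legacy enforce mode also checks the peer name unless that is switched off.
        return "encrypt" if conf.get("smtp_tls_enforce_peername") == "no" else "verify"
    return "may" if conf.get("smtp_use_tls") == "yes" else "none"

def diagnose(conf, journal):
    """Pair each 'Server certificate not verified' deferral with the logged cause."""
    level = client_tls_level(conf)
    causes = dict(re.findall(r"certificate verification failed for " + HOST + r": (.+)", journal))
    names = {h: (s, i) for h, s, i in re.findall(HOST + r": subject_CN=([^,]*), issuer_CN=([^,]*)", journal)}
    findings = []
    for qid, rcpt, relay in re.findall(
            r"(\w+): to=<([^>]+)>, relay=([\w.-]+)\[.*status=deferred "
            r"\(Server certificate not verified\)", journal):
        subject, issuer = names.get(relay, ("", ""))
        findings.append({
            "queue_id": qid, "recipient": rcpt, "relay": relay, "tls_level": level,
            "cause": causes.get(relay, "unknown"),
            "self_issued": bool(subject) and subject == issuer,
            # CN only: the log line does not show subjectAltName entries.
            "cn_matches_relay": subject.lower() == relay.lower(),
        })
    return findings
```

On the report's data this yields level `verify` on vm01 against a self-issued certificate whose CN is not the relay name, so delivery at that level needs a certificate for vm02 that chains to a CA in vm01's `smtp_tls_CAfile` and names `mail.example2.com`.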