
Enabling postscreen breaks /usr/local/psa/admin/sbin/mchk command

danami

Silver Pleskian
---------------------------------------------------------------
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Product version: 12.0.18 Update #53
Update date: 2015/07/02 09:01
Build date: 2015/06/15 10:00
Build target: CentOS 6
Revision: 333059
Architecture: 64-bit
Wrapper version: 1.1
CentOS release 6.6 (Final)
Kernel: 2.6.32-504.16.2.el6.x86_64

PROBLEM DESCRIPTION
Enabling postscreen breaks the mchk command. Postscreen is a great program to stop bots and spam for Postfix. See:
http://www.postfix.org/POSTSCREEN_README.html

Unfortunately when you enable it mchk fails because mailsrv_conf_init can no longer parse the /etc/postfix/master.cf config file.

STEPS TO REPRODUCE

To enable postscreen:
Edit /etc/postfix/master.cf

Default
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy

Uncomment and change to
#smtp inet n - n - - smtpd
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy

ACTUAL RESULT
/usr/local/psa/admin/sbin/mchk --with-spam now fails

/usr/lib64/plesk-9.0/mailsrv_conf_init
Fatal error: plesk::mail::postfix::postfixConfigurationError(unable to parse /etc/postfix/master.cf)
Fatal error: plesk::mail::postfix::postfixConfigurationError(unable to parse /etc/postfix/master.cf)

EXPECTED RESULT
/usr/lib64/plesk-9.0/mailsrv_conf_init should be able to parse the changed config file, as Postfix says that it's a valid config file.
--------------------------------------------------------------
 
Hi danami,

I can't recommend the usage of postscreen if you don't explicitly whitelist all Microsoft Outlook Protection servers ( *.outbound.protection.outlook.com ) with their IPs and all other servers with thousands of IPs using a similar outbound protection as Microsoft.

Explanation: In the mentioned case, there are about 120 different IPs, which are not whitelisted in the first place when you newly configure and use postscreen. Because postscreen needs an answer from the corresponding mail server(s) before they will be whitelisted, this can take weeks for all of the about 120 different IPs, because the request will never be answered from the IP you are requesting the answer from; instead of that, your server will receive an answer from one of the 120 servers. The specific eMail will stay on hold ( 4XX failure ) and will be redirected to the next server - this action takes about 1 to 6 hours. The chance that you reach the "correct" server that the request must be answered from is 1:120 ... so if you multiply this with the redirect delay for each eMail, until the "correct" server answers to your mail, it might take over 1200 hours.... and this only to whitelist the very first IP from all 120 servers. This procedure has to be repeated for all 120 IPs, until all of the "*.outbound.protection.outlook.com" IPs are whitelisted. Please make your very own calculation of when this whole procedure will be finished to whitelist all 120 IPs!


Apart from that, postscreen is an addon and adding this addon will result in a non-default configuration. The Plesk - mchk - tool should always correct the non-default-configuration, even if the parse error wouldn't exist, to restore the default postfix configuration.
 
Hi danami,

I can't recommend the usage of postscreen if you don't explicitly whitelist all Microsoft Outlook Protection servers ( *.outbound.protection.outlook.com ) with their IPs and all other servers with thousands of IPs using a similar outbound protection as Microsoft.

Apart from that, postscreen is an addon and adding this addon will result in a non-default configuration. The Plesk - mchk - tool should always correct the non-default-configuration, even if the parse error wouldn't exist, to restore the default postfix configuration.

I believe that's only if you are using postscreen's "deep protocol tests". If you don't use those options then postscreen can hand off the "live" connection to a Postfix SMTP server process without having the mail server retry. You can still enable options like postscreen_greet_action, postscreen_dnsbl_action, etc. without having any delays.

Also you should already be whitelisting Office 365 as the Microsoft servers don't handle greylisting properly which causes huge delays already:
/usr/local/psa/bin/grey_listing --update-server -domains-whitelist "add:*outbound.protection.outlook.com"

Also postscreen isn't an addon. You don't need to install any additional software. It's included with Postfix 2.8 and later by default. The options are just commented out for you to choose to use it or not.

One last note: postscreen allows you to whitelist CIDRs very easily if you want to enable deep protocol tests:
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr

So you could easily whitelist Office 365 by looking up their SPF records:
According to their SPF Record (spf.protection.outlook.com) these are the IP Ranges:
 
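The SPF-to-CIDR whitelist approach described in the post above, as an added example (not code from the thread, Plesk or Postfix). The domain names and SPF records are constructed from documentation address ranges, the function names are hypothetical, and in real use `lookup` would be a DNS TXT query.

```python
import ipaddress

# Constructed SPF records using documentation ranges (not Microsoft's real data).
SAMPLE_TXT = {
    "spf.example.net": "v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 ip4:198.51.100.77 "
                       "include:more.example.net ip6:2001:db8:1::/48 -all",
    "more.example.net": "v=spf1 ip4:203.0.113.64/26 include:spf.example.net ~all",
}

def spf_networks(domain, lookup, seen=None):
    """Collect ip4:/ip6: networks from an SPF record, following include: terms."""
    seen = set() if seen is None else seen
    if domain in seen:                      # include loop: stop here
        return []
    seen.add(domain)
    record = lookup(domain) or ""
    if not record.lower().startswith("v=spf1"):
        return []
    nets = []
    for term in record.split()[1:]:
        if term[0] in "-~?":                # only "pass" terms belong in a whitelist
            continue
        key, _, value = term.lstrip("+").partition(":")
        key = key.lower()
        if key in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)  # clears host bits
            if net.version != int(key[2]) or net.prefixlen == 0:
                raise ValueError(f"refusing SPF term {term!r} from {domain}")
            nets.append(net)
        elif key == "include" and value:
            nets += spf_networks(value, lookup, seen)
        # a, mx, exists, redirect= need further DNS lookups and are ignored here
    return nets

def cidr_table(domain, lookup):
    """Render the networks as a Postfix CIDR table for postscreen_access_list."""
    nets = spf_networks(domain, lookup)
    lines = []
    for version in (4, 6):                  # collapse_addresses needs one IP version
        same = [n for n in nets if n.version == version]
        lines += [f"{n} permit" for n in ipaddress.collapse_addresses(same)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(cidr_table("spf.example.net", SAMPLE_TXT.get), end="")
```

The output is what would go into /etc/postfix/postscreen_access.cidr; because SPF records change, the table has to be regenerated periodically rather than pasted once.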
It's included with Postfix 2.8 and later by default. The options are just commented out for you to choose to use it or not.

You stated correctly that this is "commented out" by default... so this "addon" is an addition and no standard configuration. Please understand that I don't discuss a definition like "addon", because of its wide, possible interpretations.

The mentioned fact is still that the "Plesk mchk utility" should always correct manual changes to the default postfix configuration, because that's what this tool was invented for: to correct non-standard configuration settings to default ( working ) settings.
 