Postfix Policy Connection – Fixing Postfix Not Accepting Recipient Address

amavisclamavpostfixspamassassin

I thought I'd be clever and add amavis/spamassassin/clamav to my working Postfix installation. I got it working and then made a change. Walked away, had a beer, then found out I'd mucked up. This is what's happening now

Oct  2 22:01:59 wilma postfix/smtpd[1048101]: Anonymous TLS connection established from mail-pf1-f172.google.com[209.85.210.172]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Oct  2 22:01:59 wilma postfix/smtpd[1048101]: warning: connect to private/policy: Connection refused
Oct  2 22:01:59 wilma postfix/smtpd[1048101]: warning: problem talking to server private/policy: Connection refused
Oct  2 22:02:00 wilma postfix/smtpd[1048101]: warning: connect to private/policy: Connection refused
Oct  2 22:02:00 wilma postfix/smtpd[1048101]: warning: problem talking to server private/policy: Connection refused
Oct  2 22:02:00 wilma postfix/smtpd[1048101]: NOQUEUE: reject: RCPT from mail-pf1-f172.google.com[209.85.210.172]: 451 4.3.5 <[email protected]>: Recipient address rejected: Server configuration problem; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail-pf1-f172.google.com>
Oct  2 22:02:02 wilma postfix/smtpd[1048101]: disconnect from mail-pf1-f172.google.com[209.85.210.172] ehlo=2 starttls=1 mail=1 rcpt=0/1 bdat=0/1 quit=1 commands=5/7

I've searched Google high and low looking for an answer, it seems that "451 4.3.5" is a generic error thing.

Here is master.cf …

smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
smtp-amavis unix -       -       n       -       2       smtp -o syslog_name=postfix/amavis -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 -o smtp_tls_security_level=none
127.0.0.1:10025 inet n   -       n       -       -       smtpd -o syslog_name=postfix/10025 -o content_filter= -o mynetworks_style=host -o mynetworks=127.0.0.0/8 -o local_recipient_maps= -o relay_recipient_maps= -o strict_rfc821_envelopes=yes -o smtp_tls_security_level=none -o smtpd_tls_security_level=none -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_end_of_data_restrictions= -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

main.cf is

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
content_filter = smtp-amavis:[127.0.0.1]:10024
data_directory = /var/lib/postfix
debug_peer_level = 1
debug_peer_list =
default_privs = mail
delay_warning_time = 4
header_checks = regexp:/etc/postfix/regexp_table
html_directory = no
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = unix:passwd.byname $alias_maps
local_transport = local
mail_owner = postfix
mail_spool_directory = /var/virtual
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
mailbox_size_limit = 3221225472
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 25971520
mydestination = $myhostname, localhost.$mydomain, $mydomain, lists.$mydomain
mydomain = mike-mac.gen.nz
myhostname = mail.mike-mac.gen.nz
mynetworks = 192.168.1.0/24 192.168.3.0/24 webmail.mike-mac.gen.nz localhost.localdomain localhost
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.13/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
reject_code = 550
sample_directory = /usr/share/doc/postfix-2.0.13/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_hard_error_limit = 4
smtpd_helo_required = no
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access
smtpd_proxy_options = speed_adjust
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, check_policy_service unix:private/policy, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 2
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/Email_cert/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/Email_cert/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
strict_mailbox_ownership = no
tls_random_source = dev:/dev/urandom
undisclosed_recipients_header = To: NotSayingWhoGetsThis:;
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:12
virtual_mailbox_base = /var/virtual
virtual_mailbox_domains = hash:/etc/postfix/vmaildomains
virtual_mailbox_limit = 2147483648
virtual_mailbox_maps = hash:/etc/postfix/vmailbox,hash:/etc/postfix/virtual-user-map-family.kiwi.nz,hash:/etc/postfix/virtual-user-map-coders.kiwi.nz,hash:/etc/postfix/virtual-user-map-mak.co.nz,hash:/etc/postfix/virtual-user-map-lessonplans.kiwi.nz
virtual_minimum_uid = 1
virtual_transport = virtual
virtual_uid_maps = static:8`

The running daemons are

systemctl status postfix postgrey amavis spamassassin clamav-freshclam
● postfix.service - Postfix Mail Transport Agent
     Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2021-10-02 21:58:34 NZDT; 29min ago
    Process: 1047688 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 1047688 (code=exited, status=0/SUCCESS)

Oct 02 21:58:34 wilma systemd[1]: Starting Postfix Mail Transport Agent...
Oct 02 21:58:34 wilma systemd[1]: Finished Postfix Mail Transport Agent.

● postgrey.service - LSB: Start/stop the postgrey daemon
     Loaded: loaded (/etc/init.d/postgrey; generated)
     Active: active (running) since Sat 2021-10-02 21:58:34 NZDT; 29min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 1047510 ExecStart=/etc/init.d/postgrey start (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 17839)
     Memory: 18.7M
     CGroup: /system.slice/postgrey.service
             └─1039871 postgrey --pidfile=/var/run/postgrey.pid --daemonize --inet=10023

Oct 02 21:58:34 wilma postgrey[1047518]: whitelisted: 194.7.234.142/32
Oct 02 21:58:34 wilma postgrey[1047518]: whitelisted: 194.7.234.143/32
Oct 02 21:58:34 wilma postgrey[1047518]: whitelisted: 213.143.66.210/32
Oct 02 21:58:34 wilma postgrey[1047518]: Pid_file "/var/run/postgrey.pid" already exists.  Overwriting!
Oct 02 21:58:34 wilma postgrey[1047583]: Process Backgrounded
Oct 02 21:58:34 wilma systemd[1]: Started LSB: Start/stop the postgrey daemon.
Oct 02 21:58:34 wilma postgrey[1047510]:    ...done.
Oct 02 21:58:34 wilma postgrey[1047583]: 2021/10/02-21:58:34 postgrey (type Net::Server::Multiplex) starting! pid(1047583)
Oct 02 21:58:34 wilma postgrey[1047583]: Resolved [localhost]:10023 to [127.0.0.1]:10023, IPv4
Oct 02 21:58:34 wilma postgrey[1047583]: Binding to TCP port 10023 on host 127.0.0.1 with IPv4

● amavis.service - LSB: Starts amavisd-new mailfilter
     Loaded: loaded (/etc/init.d/amavis; generated)
     Active: active (running) since Sat 2021-10-02 21:58:35 NZDT; 29min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 1047562 ExecStart=/etc/init.d/amavis start (code=exited, status=0/SUCCESS)
      Tasks: 3 (limit: 17839)
     Memory: 160.8M
     CGroup: /system.slice/amavis.service
             ├─1047705 /usr/sbin/amavisd-new (master)
             ├─1047714 /usr/sbin/amavisd-new (virgin child)
             └─1047715 /usr/sbin/amavisd-new (virgin child)

Oct 02 21:58:35 wilma amavis[1047705]: No ext program for   .zoo, tried: zoo
Oct 02 21:58:35 wilma amavis[1047705]: No ext program for   .doc, tried: ripole
Oct 02 21:58:35 wilma amavis[1047705]: No decoder for       .F
Oct 02 21:58:35 wilma amavis[1047705]: No decoder for       .doc
Oct 02 21:58:35 wilma amavis[1047705]: No decoder for       .lrz
Oct 02 21:58:35 wilma amavis[1047705]: No decoder for       .zoo
Oct 02 21:58:35 wilma amavis[1047562]: Starting amavisd: amavisd-new.
Oct 02 21:58:35 wilma amavis[1047705]: Using primary internal av scanner code for ClamAV-clamd
Oct 02 21:58:35 wilma systemd[1]: Started LSB: Starts amavisd-new mailfilter.
Oct 02 21:58:35 wilma amavis[1047705]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan

● spamassassin.service - Perl-based spam filter using text analysis
     Loaded: loaded (/lib/systemd/system/spamassassin.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-10-02 21:58:36 NZDT; 29min ago
    Process: 1047534 ExecStart=/usr/sbin/spamd -d --pidfile=/run/spamd.pid $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 1047641 (spamd)
      Tasks: 3 (limit: 17839)
     Memory: 109.2M
     CGroup: /system.slice/spamassassin.service
             ├─1047641 /usr/bin/perl -T -w /usr/sbin/spamd -d --pidfile=/run/spamd.pid --create-prefs --max-children 5 --username >
             ├─1047711 spamd child
             └─1047712 spamd child

Oct 02 21:58:33 wilma systemd[1]: Starting Perl-based spam filter using text analysis...
Oct 02 21:58:36 wilma systemd[1]: Started Perl-based spam filter using text analysis.

● clamav-freshclam.service - ClamAV virus database updater
     Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-10-02 16:08:46 NZDT; 6h ago
       Docs: man:freshclam(1)
             man:freshclam.conf(5)
             https://www.clamav.net/documents
   Main PID: 990816 (freshclam)
      Tasks: 1 (limit: 17839)
     Memory: 227.4M
     CGroup: /system.slice/clamav-freshclam.service
             └─990816 /usr/bin/freshclam -d --foreground=true

Oct 02 21:09:46 wilma freshclam[990816]: Sat Oct  2 21:09:46 2021 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, >
Oct 02 21:09:46 wilma freshclam[990816]: Sat Oct  2 21:09:46 2021 -> bytecode.cld database is up-to-date (version: 333, sigs: 92, >
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct  2 22:09:46 2021 -> Received signal: wake up
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct  2 22:09:46 2021 -> ClamAV update process started at Sat Oct  2 22:09:46 2021
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct  2 22:09:46 2021 -> ^Your ClamAV installation is OUTDATED!
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct  2 22:09:46 2021 -> ^Local version: 0.103.2 Recommended version: 0.103.3
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct  2 22:09:46 2021 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading->
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct  2 22:09:46 2021 -> daily.cvd database is up-to-date (version: 26309, sigs: 19380>
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct  2 22:09:46 2021 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, >
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct  2 22:09:46 2021 -> bytecode.cld database is up-to-date (version: 333, sigs: 92,

I realise my biggest mistake was one of stupidity, I should have taken backups of the main and master.cf files before starting. Having said that, can anyone see what I can't ?

postconf -n
access_map_reject_code = 550
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
content_filter = smtp-amavis:[127.0.0.1]:10024
data_directory = /var/lib/postfix
debug_peer_level = 1
debug_peer_list =
default_privs = mail
delay_warning_time = 4
header_checks = regexp:/etc/postfix/regexp_table
html_directory = no
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = unix:passwd.byname $alias_maps
local_transport = local
mail_owner = postfix
mail_spool_directory = /var/virtual
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
mailbox_size_limit = 3221225472
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 25971520
mydestination = $myhostname, localhost.$mydomain, $mydomain, lists.$mydomain
mydomain = mike-mac.gen.nz
myhostname = mail.mike-mac.gen.nz
mynetworks = 192.168.1.0/24 192.168.3.0/24 webmail.mike-mac.gen.nz localhost.localdomain localhost
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.13/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
reject_code = 550
sample_directory = /usr/share/doc/postfix-2.0.13/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_hard_error_limit = 4
smtpd_helo_required = no
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access
smtpd_proxy_options = speed_adjust
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, check_policy_service unix:private/policy, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 2
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/Email_cert/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/Email_cert/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
strict_mailbox_ownership = no
tls_random_source = dev:/dev/urandom
undisclosed_recipients_header = To: NotSayingWhoGetsThis:;
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:12
virtual_mailbox_base = /var/virtual
virtual_mailbox_domains = hash:/etc/postfix/vmaildomains
virtual_mailbox_limit = 2147483648
virtual_mailbox_maps = hash:/etc/postfix/vmailbox,hash:/etc/postfix/virtual-user-map-family.kiwi.nz,hash:/etc/postfix/virtual-user-map-coders.kiwi.nz,hash:/etc/postfix/virtual-user-map-mak.co.nz,hash:/etc/postfix/virtual-user-map-lessonplans.kiwi.nz
virtual_minimum_uid = 1
virtual_transport = virtual
virtual_uid_maps = static:8

postconf -M
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
smtp-amavis unix -       -       n       -       2       smtp -o syslog_name=postfix/amavis -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 -o smtp_tls_security_level=none
127.0.0.1:10025 inet n   -       n       -       -       smtpd -o syslog_name=postfix/10025 -o content_filter= -o mynetworks_style=host -o mynetworks=127.0.0.0/8 -o local_recipient_maps= -o relay_recipient_maps= -o strict_rfc821_envelopes=yes -o smtp_tls_security_level=none -o smtpd_tls_security_level=none -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_end_of_data_restrictions= -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

Best Answer

Postfix cannot process mail because your smtpd_recipient_restrictions configuration instructs to check_policy_service, but the referenced policy service cannot be queried (likely, because it is no longer started).

smtpd_recipient_restrictions = ..., check_policy_service unix:private/policy, ...

That setting specifies a UNIX socket path relative to the chroot (i.e. /var/spool/postfix/private), but neither does the name say what this is, nor does your master.cf contain a line that would make postfix start such policy service to listen on that socket.

Since your postconf -M dump does not mention it.. you may have unintentionally deleted a line in your master.cf that was supposed start it. If it was started by other means, it would not likely be placed into the private directory.

Did you setup any additional mail filters, like rate limiting, SPF or temporary deferrals ("greylisting")? If my guess is correct and this was previously configured in your master.cf, all you have to do is

  • delete the references to the policy services from the restriction lists, if you are not using it, OR:
  • re-add the lines in master.cf that define which program is actually called when the policy service unix:private/policy is queried.

You may find useful information on what was previously listening on that UNIX socket by investigating file ownership, or searching for logs mentioning private/policy but predating your recent changes.

Related Topic