#8887 postfix relay config not rhel8 ready
Closed: Fixed 3 years ago by mobrien. Opened 3 years ago by pingou.

Describe what you would like us to do:


pagure-stg01 runs now on rhel8 and when one tries to comment on a ticket, the request ends with a "Gateway timeout".
Looking at the logs I can see these errors:

May 04 12:02:16 pagure-stg01.fedoraproject.org postfix/smtpd[610612]: fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, specify at least one working instance of: reject_unauth_destination, defer_unauth_destination, reject, defer, defer_if_permit or check_relay_domains
May 04 12:02:17 pagure-stg01.fedoraproject.org postfix/master[610574]: warning: process /usr/libexec/postfix/smtpd pid 610612 exit status 1
May 04 12:02:17 pagure-stg01.fedoraproject.org postfix/master[610574]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

I guess our main.cf for pagure-stg01 is not rhel8 ready and my postfix skills are not enough to fix this :(

When do you need this to be done by? (YYYY/MM/DD)


Whenever convenient, happy to help debug with someone.


I have hotfixed this issue but a full fix needs to be done as our configs are based on postfix 2.4 or older (aka el6) and we will be running postfix-3.3.1-12.el8.x86_64

Do we use TLS on our postfix setup? If not there isn't a huge difference in the conf, you fixed the only breaking change.

I see the tls configuration now. I was only working on the default main.cf file which doesn't have it but some of the others do.

i have the changes ready for that default main.cf file (there aren't too many) should I do all the others or will some of them remain on rhel7 for the moment?

There is a compatibility mode set so that if I did miss something it shouldn't fail it will just log in warning. This can be turned off once we are sure everything is up to date.

https://pagure.io/fedora-infra/ansible/pull-request/87

Hi Mark.. I needed to test postfix port allowances on a host so put in some changes to get it 'to work'. Could you test what I did to see what works and does not.. and apologies for diving ahead on this.

No problem smooge. I'll have a look

@smooge I had a look at the new main.cf.bastion01.iad2.fedoraproject.org
file you made in this commit:
https://pagure.io/fedora-infra/ansible/c/5b9d2b927d215f867ca94952d52ee8b272ffe857?branch=master

It is all postfix3 compliant and looks good except the below is needed if you want to receive mail:

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

Metadata Update from @mobrien:
- Issue assigned to mobrien

3 years ago

PR updated for extra files as requested

PR merged and ready to be pushed out.

Metadata Update from @mobrien:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Login to comment on this ticket.

Metadata