PMGW uses IPv6 after Upgrade to Version 9

Hello together,

I changed a setting in the main.cf file in postfix, after I deactivated IPv6 and saw several "Network is unreachable" entries in my syslog. This was months ago. After upgrading to Version 9, I think my settings got overwritten or they changed the file location for the postfix main.cf template.

Anyway. Just in case you get to the same problem. You will have to set again the config: inet_protocols = ipv4 in main.cf located in /etc/pmg/templates/main.cf.in.

Would appreciate if any proxmox employee could verify this. I remember getting asked that my templates are different than the ones the update would deploy.

EDIT: I just changed the config again, used pmgconfig sync --restart 1 command and although I have my main.cf.in file in the templates folder, it still ignores it.

Best regards
Stelios
 
> Anyway. Just in case you get to the same problem. You will have to set again the config: inet_protocols = ipv4 in main.cf located in /etc/pmg/templates/main.cf.in.
>
> Would appreciate if any proxmox employee could verify this. I remember getting asked that my templates are different than the ones the update would deploy.

yes - the postfix configuration in PMG is handled by the templating system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine
if you want to change it - copying the one from /var/lib/pmg/templates to /etc/pmg/templates and running `pmgconfig sync --restart 1` is the way to get a newly rendered version of /etc/postfix/main.cf

> EDIT: I just changed the config again, used pmgconfig sync --restart 1 command and although I have my main.cf.in file in the templates folder, it still ignores it.

what does the resulting /etc/postfix/main.cf look like - what does your /etc/pmg/templates/main.cf.in look like?
 
Hey Stoiko, thanks for your message.

I'm familiar with the template system. Been using it for months, as I mentioned.

But something changed with the update to Version 9 of PMGW.

main.cf file:
```
# auto-generated by proxmox

compatibility_level = 3.11
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix

# appending .domain is the MUA's job.
append_dot_mydomain = yes

smtpd_banner = $myhostname mx01.XXX
biff = no


delay_warning_time = 4h

best_mx_transport = local
message_size_limit = 52428800
mailbox_size_limit = 104857600

mydomain = mx01.XXX
myhostname = mx01.XXX

parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost, $myhostname
mynetworks = 10.10.3.0/24 10.10.3.6/32 10.10.3.7/32 127.0.0.0/8 [::1]/128

relay_domains = hash:/etc/pmg/domains

transport_maps = hash:/etc/pmg/transport

content_filter=scan:127.0.0.1:10024
lmtp_data_done_timeout = 600s

mail_name = Proxmox


smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname


postscreen_access_list =
        permit_mynetworks,
        cidr:/etc/postfix/postscreen_access


postscreen_dnsbl_sites = zen.spamhaus.org,psbl.surriel.com,b.barracudacentral.org
postscreen_dnsbl_threshold = 2


postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

smtpd_sender_restrictions =
        permit_mynetworks
        reject_non_fqdn_sender
        check_client_access cidr:/etc/postfix/clientaccess
        check_sender_access regexp:/etc/postfix/senderaccess
        check_sender_access hash:/etc/pmg/tls_inbound_domains
        check_recipient_access regexp:/etc/postfix/rcptaccess reject_unknown_client_hostname

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_non_fqdn_recipient
        check_recipient_access regexp:/etc/postfix/rcptaccess check_sender_access regexp:/etc/postfix/senderaccess check_client_access cidr:/etc/postfix/clientaccess check_policy_service inet:127.0.0.1:10022



smtpd_data_restrictions = reject_unauth_pipelining

smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions =
        $mynetworks,
        cidr:/etc/postfix/clientaccess

smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 5
smtpd_client_message_rate_limit = 20


smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/pmg/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pmg/pmg-tls.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

lmtp_tls_security_level = $smtp_tls_security_level
lmtp_tls_policy_maps = $smtp_tls_policy_maps
lmtp_tls_CAfile = $smtp_tls_CAfile

smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
lmtp_tls_loglevel = $smtp_tls_loglevel

smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
lmtp_tls_session_cache_database = btree:/var/lib/postfix/lmtp_tls_session_cache

unverified_recipient_reject_reason = Recipient address lookup failed

smtputf8_enable = no

default_destination_concurrency_limit = 40
lmtp_destination_concurrency_limit = 20
relay_destination_concurrency_limit = 20
smtp_destination_concurrency_limit = 20
virtual_destination_concurrency_limit = 20

recipient_delimiter = +
```

etc/pmg/templates/main.cf file:
```
# auto-generated by proxmox

compatibility_level = 3.11
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix

# appending .domain is the MUA's job.
append_dot_mydomain = yes

smtpd_banner = $myhostname [% pmg.mail.banner %]
biff = no

[% IF pmg.mail.dwarning %]
delay_warning_time = [% pmg.mail.dwarning %]h
[% END %]

best_mx_transport = local
message_size_limit = [% pmg.mail.maxsize %]
mailbox_size_limit = [% ((pmg.mail.maxsize*2 > 51200000) ? pmg.mail.maxsize*2 : 51200000) %]

mydomain = [% dns.domain %]
myhostname = [% dns.hostname %].[% dns.domain %]

parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost, $myhostname
mynetworks = [% postfix.mynetworks %]

relay_domains = hash:/etc/pmg/domains

transport_maps = hash:/etc/pmg/transport

[% IF pmg.mail.relay %]
[% IF pmg.mail.relayprotocol == 'lmtp' %]
relay_transport = [% pmg.mail.relayprotocol %]:inet:[% pmg.mail.relay %]:[% pmg.mail.relayport %]
[% ELSE %]
[% IF pmg.mail.relaynomx %]
relay_transport = [% pmg.mail.relayprotocol %]:[[% pmg.mail.relay %]]:[% pmg.mail.relayport %]
[% ELSE %]
relay_transport = [% pmg.mail.relayprotocol %]:[% pmg.mail.relay %]:[% pmg.mail.relayport %]
[% END %]
[% END %]
[% END %]

[% IF pmg.mail.smarthost %]
default_transport = smtp:[% pmg.mail.smarthost %]:[% pmg.mail.smarthostport %]
[% END %]

[% IF pmg.mail.before_queue_filtering -%]
smtpd_proxy_timeout = [% pmg.mail.item('filter-timeout') %]s
[% ELSE %]
content_filter=scan:127.0.0.1:10024
lmtp_data_done_timeout = [% pmg.mail.item('filter-timeout') %]s
[%- END %]

mail_name = Proxmox

[% IF pmg.mail.helotests %]
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
[% ELSE %]
smtpd_helo_restrictions =
[% END %]

postscreen_access_list =
        permit_mynetworks,
        cidr:/etc/postfix/postscreen_access

[% IF postfix.dnsbl_sites %]
postscreen_dnsbl_sites = [% postfix.dnsbl_sites %]
postscreen_dnsbl_threshold = [% postfix.dnsbl_threshold %]
[% END %]

postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

smtpd_sender_restrictions =
        permit_mynetworks
        reject_non_fqdn_sender
        check_client_access cidr:/etc/postfix/clientaccess
        check_sender_access regexp:/etc/postfix/senderaccess
        check_sender_access hash:/etc/pmg/tls_inbound_domains
        check_recipient_access regexp:/etc/postfix/rcptaccess
[%- IF pmg.mail.rejectunknown %] reject_unknown_client_hostname[% END %]
[%- IF pmg.mail.rejectunknownsender %] reject_unknown_sender_domain[% END %]

smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_non_fqdn_recipient
        check_recipient_access regexp:/etc/postfix/rcptaccess
[%- IF postfix.usepolicy %] check_sender_access regexp:/etc/postfix/senderaccess[% END %]
[%- IF postfix.usepolicy %] check_client_access cidr:/etc/postfix/clientaccess[% END %]
[%- IF postfix.usepolicy %] check_policy_service inet:127.0.0.1:10022[% END %]
[%- IF pmg.mail.verifyreceivers %] reject_unknown_recipient_domain[% END %]
[%- IF pmg.mail.verifyreceivers %] reject_unverified_recipient[% END %]

[% IF pmg.mail.verifyreceivers %]
unverified_recipient_reject_code = [% pmg.mail.verifyreceivers %]
[% END %]

smtpd_data_restrictions = reject_unauth_pipelining

smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions =
        $mynetworks,
        cidr:/etc/postfix/clientaccess

smtpd_client_connection_count_limit = [% pmg.mail.conn_count_limit %]
smtpd_client_connection_rate_limit = [% pmg.mail.conn_rate_limit %]
smtpd_client_message_rate_limit = [% pmg.mail.message_rate_limit %]

[% IF pmg.mail.tls %]
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/pmg/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pmg/pmg-tls.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

lmtp_tls_security_level = $smtp_tls_security_level
lmtp_tls_policy_maps = $smtp_tls_policy_maps
lmtp_tls_CAfile = $smtp_tls_CAfile
[% IF pmg.mail.tlslog %]
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
lmtp_tls_loglevel = $smtp_tls_loglevel
[% END %]
[% IF pmg.mail.tlsheader %]
smtpd_tls_received_header = yes
[% END %]
[% END %]

smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
lmtp_tls_session_cache_database = btree:/var/lib/postfix/lmtp_tls_session_cache

[% IF pmg.mail.hide_received %]
unverified_recipient_reject_reason = Recipient address lookup failed
[% END %]

[% IF ! pmg.mail.smtputf8 %]
smtputf8_enable = no
[% END %]


default_destination_concurrency_limit = 40
lmtp_destination_concurrency_limit = 20
relay_destination_concurrency_limit = 20
smtp_destination_concurrency_limit = 20
virtual_destination_concurrency_limit = 20

recipient_delimiter = +
```


I keep on setting the setting: inet_protocols = ipv4, but it's always away when I sync the config, that's my problem. It was working until I upgraded to PMGW 9.
 
please use code tags for config-files - this helps a lot to see where it starts and where it ends.... - thanks!
> etc/pmg/templates/main.cf file

the template needs to be called: main.cf.in - does your template have the .in extension? (maybe that's the issue...)
> I keep on setting the setting: inet_protocols = ipv4, but it's always away when I sync the config, that's my problem. It was working until I upgraded to PMGW 9

I don't see that line in the template you pasted?

I hope this helps!
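
A check for the two causes raised in this thread (an override not named main.cf.in, or the inet_protocols line absent from it), as an added example that is not part of any post here. The function names and the scratch directory are made up for illustration; the real paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: why is "inet_protocols = ipv4" missing after a sync?
# Function names are illustrative; the real paths are quoted in the thread.

# param_value NAME FILE: effective value of "NAME = value" (last one wins).
param_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" 2>/dev/null |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_override TEMPLATE_DIR RENDERED_FILE
# Prints one diagnosis and returns non-zero unless template and output agree.
check_override() {
    tdir=$1 rendered=$2
    if [ ! -f "$tdir/main.cf.in" ]; then
        # Per the thread, the override must carry the .in extension.
        if [ -f "$tdir/main.cf" ]; then echo wrong-name; else echo no-override; fi
        return 1
    fi
    want=$(param_value inet_protocols "$tdir/main.cf.in")
    if [ -z "$want" ]; then echo not-in-template; return 1; fi
    have=$(param_value inet_protocols "$rendered")
    if [ "$want" != "$have" ]; then echo not-rendered; return 1; fi
    echo "ok:$have"
}

# Constructed demo: a scratch directory stands in for /etc/pmg/templates and
# /etc/postfix, so nothing on a real gateway is read or changed.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/templates"
    printf 'mydomain = [%% dns.domain %%]\n' > "$d/templates/main.cf"
    printf 'mydomain = example.invalid\n' > "$d/main.cf"
    check_override "$d/templates" "$d/main.cf" || true   # wrong-name
    mv "$d/templates/main.cf" "$d/templates/main.cf.in"
    check_override "$d/templates" "$d/main.cf" || true   # not-in-template
    echo 'inet_protocols = ipv4' >> "$d/templates/main.cf.in"
    check_override "$d/templates" "$d/main.cf" || true   # not-rendered
    echo 'inet_protocols = ipv4' >> "$d/main.cf"
    check_override "$d/templates" "$d/main.cf"           # ok:ipv4
    rm -rf "$d"
}
demo
```

On a gateway, call `check_override /etc/pmg/templates /etc/postfix/main.cf` after `pmgconfig sync --restart 1`.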
 
Yes, can't see it either. Because after syncing it, it's gone.
is this maybe a clustered PMG system? (the templates get synced from the master node to the others..) - else I don't think there is anything in PMG that overwrites your /etc/pmg/templates/ files...