Bug 45488 - Postfix performs quota check on incoming mail even for mail to be relayed
Status: NEEDMOREINFO
Product: UCS
Classification: Unclassified
Component: Mail - Dovecot
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: Mail maintainers

Reported: 2017-10-05 15:09 CEST by Sönke Schwardt-Krummrich
Modified: 2021-05-14 16:50 CEST

What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
School Customer affected?: Yes
Description Sönke Schwardt-Krummrich univentionstaff 2017-10-05 15:09:46 CEST
Customer scenario with 2 mail servers with postfix+dovecot:
If mail is delivered via port 25 to the first mail system, postfix performs a quota check in any case, even if the target mailbox is not located on that system and the mail is relayed to the target "univentionMailHomeServer".

I think the quota check is only reliable if performed on the target mail server.

Workaround (disabling quota check): 
ucr unset mail/postfix/smtpd/restrictions/recipient/80

Old value was:
mail/postfix/smtpd/restrictions/recipient/80=\
                 "check_policy_service inet:127.0.0.1:12340"
Comment 1 Daniel Tröder univentionstaff 2017-10-06 11:09:13 CEST
All mail servers for incoming mail should have access to the quota system, so they can reject mails instead of creating backscatter.

On the IMAP server this can be achieved with:

$ ucr set mail/dovecot/quota-status/ip=<external IP>

And open the firewall on port mail/dovecot/quota-status/port (12340).

Then set mail/postfix/smtpd/restrictions/recipient/80 on the SMTP server to that IP:port.

If this is a common scenario (with school customers?) it should be mentioned in the manual.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2017-10-06 12:06:17 CEST
Each dovecot system calculates the quota for the IMAP accounts hosted locally.
So if the IMAP accounts are distributed over several dovecot servers, there is currently no single instance in the UCS domain with the knowledge of the quota of all IMAP accounts. Therefore redirecting the check to another system doesn't work here → REOPEN

Also(1): correct me if I'm wrong: the quota check is performed in recipient_restrictions after "permit_mynetworks". Therefore mails coming from $mynetworks are accepted without quota checks (→ possible backscatter).
"permit_sasl_authenticated" is also in the list prior to the quota check.

Also(2): if the dovecot service is down (→ quota check is unavailable), postfix does not accept mail any longer due to failing quota checks. I would have expected that mails are accepted and held in queue until local LMTP/dovecot is up again.
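
Added example, not part of the original comments and not UCS or Postfix code: a simplified Python model of the first-match evaluation that comment 2 describes, showing which clients ever reach the quota policy check and what happens when the policy service is down. The network ranges, client addresses and the reordered list QUOTA_FIRST are constructed for illustration; "defer" stands for the temporary failure Postfix returns when the policy service cannot be reached.

```python
import ipaddress

# Constructed sample networks; not taken from the bug report.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.200.0.0/16")]
QUOTA_CHECK = "check_policy_service inet:127.0.0.1:12340"

# Order described in comment 2: both permit_* entries precede the quota check.
AS_REPORTED = ["permit_mynetworks", "permit_sasl_authenticated", QUOTA_CHECK]
# Hypothetical reordering, used only to show the effect of position.
QUOTA_FIRST = [QUOTA_CHECK, "permit_mynetworks", "permit_sasl_authenticated"]


def evaluate(restrictions, client_ip, sasl_authenticated=False,
             over_quota=False, policy_up=True):
    """Return (action, quota_checked) for one RCPT TO.

    Simplified model of first-match evaluation: the first restriction that
    yields a definite permit, reject or defer ends the list.
    """
    ip = ipaddress.ip_address(client_ip)
    quota_checked = False
    for entry in restrictions:
        name = entry.split()[0]
        if name == "permit_mynetworks" and any(ip in net for net in MYNETWORKS):
            return "permit", quota_checked
        if name == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit", quota_checked
        if name == "check_policy_service":
            if not policy_up:
                # Policy daemon unreachable: temporary failure, sender retries.
                return "defer", quota_checked
            quota_checked = True
            if over_quota:
                return "reject", quota_checked
    return "permit", quota_checked  # end of list: nothing objected


if __name__ == "__main__":
    # Constructed clients: one inside MYNETWORKS, one external with and without SASL.
    cases = [("10.200.3.7", False), ("198.51.100.9", True), ("198.51.100.9", False)]
    for order in (AS_REPORTED, QUOTA_FIRST):
        for ip, sasl in cases:
            print(order[0].split()[0], ip, sasl,
                  evaluate(order, ip, sasl, over_quota=True))
```
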
Comment 3 Ingo Steuwer univentionstaff 2020-07-03 20:51:07 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Comment 4 Ingo Steuwer univentionstaff 2021-05-14 16:41:08 CEST
Reopen without comment?
Comment 5 Ingo Steuwer univentionstaff 2021-05-14 16:50:56 CEST
Should still be relevant for UCS 4.4