Univention Bugzilla – Bug 45488
Postfix performs quota check on incoming mail even for mail to be relayed
Last modified: 2021-05-14 16:50:56 CEST
Customer scenario with 2 mail servers with postfix+dovecot: If mail is delivered via port 25 to the first mail system, postfix performs in any case a quota check, even if the target mailbox is not located on that system and is relayed to the target "univentionMailHomeServer". I think the quota check is only reliable, if performed on the target mail server. Workaround (disabling quota check): ucr unset mail/postfix/smtpd/restrictions/recipient/80 Old values was: mail/postfix/smtpd/restrictions/recipient/80=\ "check_policy_service inet:127.0.0.1:12340"
All mail servers for incoming mail should have access to the quota system, so they can reject mails instead of creating back scatter. On the IMAP server this can be archived with: $ ucr set mail/dovecot/quota-status/ip=<external IP> And open firewall on port mail/dovecot/quota-status/port (12340). Then set mail/postfix/smtpd/restrictions/recipient/80 on the SMTP server to that IP:port. If this is a common scenario (with school customers?) it should be mentioned in the manual.
Each dovecot system calculates the quota for the IMAP accounts hosted locally. So if the IMAP accounts are distributed over several dovecot servers, there is currently no single instance in the UCS domain with the knowledge of the quota of all IMAP accounts. Therefore redirecting the check to another system doesn't work here → REOPEN Also(1): correct my if I'm wrong: the quota check is performed in recipient_restrictions after "permit_mynetworks". Therefore mails coming from $mynetworks are accepted without quota checks (→ possible backscatter). "permit_sasl_authenticated" is also in the list prior to the quota check. Also(2): if the dovecot service is down (→ quota check is unavailable), postfix does not accept mail any longer due to failing quota checks. I would have expected that mails are accepted and held in queue until local LMTP/dovecot is up again.
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Reopen without comment?
should be still relevant for UCS 4.4