efa-project.org

Hi,

I just followed the installation using the command:
curl -sSL https://install.efa-project.org | bash

Once I started the MailScanner Webconsole I noticed that MSMilter was not running. In the maillog there was "Connection refused". I started the msmilter service manually and set the SELinux to Permissive and it started working. Is this normal behavior for a default installation? Should I start and enable MSMilter manually post-installation? Or is this an indication of something wrong?

Thank you

I installed mine like a week ago the same exact way, and I did not have this problem

Hi,

What is your SELINUX setting? This is really an out of the box installation, so I am surprised that it causes problems.

Thank you

I completely reinstalled the server following the guide on Youtube from Mailserverguru. Nothing special configured, but still Milter is not started... what is going wrong here?

It does start when I do: sudo systemctl start msmilter

Apr 27 23:50:09 efa MSMilter[2968]: MailWatch: Starting up MailWatch SQL Whitelist
Apr 27 23:50:09 efa MSMilter[2968]: MailWatch: Read 2 whitelist entries
Apr 27 23:50:09 efa root[2970]: MSMilter started
Apr 27 23:50:42 efa postfix/smtpd[1846]: warning: hostname 37.156.237.114.broad.lyg.js.dynamic.163data.com.cn does not resolve to address 114.237.156.37: Name or service not known
Apr 27 23:50:42 efa postfix/smtpd[1846]: connect from unknown[114.237.156.37]
Apr 27 23:50:42 efa postfix/smtpd[1846]: warning: connect to Milter service inet:localhost:8893: Connection refused
Apr 27 23:50:42 efa postfix/smtpd[1846]: NOQUEUE: milter-reject: CONNECT from unknown[114.237.156.37]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Apr 27 23:50:43 efa postfix/smtpd[1846]: NOQUEUE: milter-reject: EHLO from unknown[114.237.156.37]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<jbwi.com>
Apr 27 23:50:43 efa postfix/smtpd[1846]: NOQUEUE: milter-reject: MAIL from unknown[114.237.156.37]: 451 4.7.1 Service unavailable - try again later; from=<pxlcpmcq@crot.com> proto=ESMTP helo=<jbwi.com>
Apr 27 23:50:43 efa postfix/smtpd[1846]: disconnect from unknown[114.237.156.37] ehlo=1 mail=0/1 quit=1 commands=2/3

A think I noticed is that also DMARC is not running:
Failed to start Domain-based Message Authentication, Reporting & Conformance (DMARC) Milter.

Share with me some details about this please...

What envrionment (hyper-v? vmware? kvm? vps? physical?)
If vps, which provider?
Any errors in /var/log/eFa/*log
Which initialization method used (web gui or console cli)?
Any errors in MailWatch GUI (such as a failure notice in the footer)?

It is Hyper-V, with Centos 7.7 Core. I have tried both initialization methods. There are two files in that /var/log/eFa/ directory build.log and eFa-Backup.log. Checked both, no indication of any error.

What I did notice is an issue that DMARC didn't want to start. For a reason unclear. When I disable DMARC it seems also to resolve the Milter issue. So likely the issue has to do with DMARC?

I don't see or get errors in the GUI. The only thing I noticed was that the MSMilter status was NO i.o. YES, which is the reason I looked into this issue.

Thanks for the info, I am running tests.

Okay, I am having trouble reproducing this on hyper-v with CentOS 7.7 Minimal. Both my milter and dmarc/dkim are up and running after setup. There has to be something unique to your situation, and we need to find it.

Can you provide me more details, such as what you have chosen during setup phase?

Hi,

The only thing that comes to mind as maybe unusual is that the netmask is 255.255.255.255 because this system is in a hosted environment of which I don't own all IPs.
My SELinux is set to permissive. Firewalld is left untouched before the installation.
The installation was start like this:
sudo yum install wget
wget -O build.bash https://install.efa-project.org
sudo bash build.bash

The options selected are:
1. Hostname: servernamewhatever
2. Domainname: mydomainname.net
3. Admin Email: postmaster@mydomainname.net
4. Interface: eth0
5. IP v4 address: 123.123.123.123
6. IP v4 Netmask: 255.255.255.255
7. IP v4 gateway: 123.123.123.254
8. IP v6 DNS: Disabled
9. IP v6 Address:
10. IP v6 Mask:
11. IP v6 Gateway:
12. Use Recursion: Enabled
13. Primary DNS:
14. Secundary DNS:
15. Web User: myuser
16. Web User PWS: <hidden>
17. CLI User: cliuser
18. CLI User PWD: <hidden>
19. Hypervisor Agents: No (while I selected Y on the question configure Virtualization)
20. Time Zone: Europe/Paris Not using UTC
21. Keyboard: fr
22. IANA Code: fr
23. Mail server: mx01.mydomain.net
24. Org Name: MyOrg

255.255.255.255 will definitely cause a problem. Even in a hosted environment. The gateway will be invalid from the perspective of the guest and reject routing to the gateway you have defined.

The smallest valid netmask would be a 255.255.255.252, which includes your machine, the gateway, and the broadcast address.

I am going to attempt to simulate that same problem and see why the MailWatch footer did not trigger a failure.

I made the same comment to the hosting company, which is a huge global hosting company, and they told me that this is not an issue due to the way how they do their routing. The server is isolated on the network, but the router will do the work. And I have to say, it works indeed. I have many servers like this in different OSes. No problems at all. But I do agree that is feels a bit unnatural indeed.

Citabria79 wrote: ↑29 Apr 2020 22:26 I made the same comment to the hosting company, which is a huge global hosting company, and they told me that this is not an issue due to the way how they do their routing. The server is isolated on the network, but the router will do the work. And I have to say, it works indeed. I have many servers like this in different OSes. No problems at all. But I do agree that is feels a bit unnatural indeed.

It'd definitely a valid, and you'll see it more and more in ipv4 as providers try to optimize there pool.

I'm working on this. I belive eFa assumes a network part and a host part when it does some of its tasks, and 255.255.255.255 is breaking them.

More to come soon.

At the moment it works fine. But I had to disable DMARC to be able to start Milter. Just for your info.

Well, I can't reproduce this locally, it seems, and I could not make the milter fail, even with an all 255 netmask. I also reviewed the code, and it doesn't look like the 255.255.255.255 should be causing any problems after all.

I am at a loss. Any other thoughts? Should I get a vps spun up on $hostingCompany and try it there?

What could result in a failure of the DMARC service? Maybe that can give an insight?

That's where I'm lost as well. The DMARC daemon is separate from the milter daemon, and they live on different ports. They have nothing in common except that they are referenced in /etc/postfix/main.cf and bind to the same address. I was hoping that something would fail so I could start debugging the problem.

Where would I find the logs for it in eFa? The main thing is that I installed it twice, with the same result. I don't do anything abnormal if I look at the guide on YouTube and review the parameter I enter.

The journalctl logs might give us some insight, but only after a fresh install.

Also a copy of dmesg after a fresh install might catch some pertinent info as well.

The problem is that it all was to be done after a fresh install, the system is used now. And impossible to reinstall... But I might try to activate DMARC and restart it. It will normally result in the same error...

Citabria79 wrote: ↑30 Apr 2020 21:20 The problem is that it all was to be done after a fresh install, the system is used now. And impossible to reinstall...

see how far back journalctl goes, it may still have the logs from when you first installed eFa

May 01 00:46:51 removedforprivacy.domain.net systemd[1]: Starting Domain-based Message Authentication, Reporting & Conformance (DMARC) Milter...
-- Subject: Unit opendmarc.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit opendmarc.service has begun starting up.
May 01 00:46:51 removedforprivacy.domain.net opendmarc[3400]: opendmarc_policy_library_init() failed
May 01 00:46:51 removedforprivacy.domain.net systemd[1]: Can't open PID file /var/run/opendmarc/opendmarc.pid (yet?) after start: No such file or directory
May 01 00:46:51 removedforprivacy.domain.net systemd[1]: Failed to start Domain-based Message Authentication, Reporting & Conformance (DMARC) Milter.
-- Subject: Unit opendmarc.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/li ... temd-devel
--
-- Unit opendmarc.service has failed.
--
-- The result is failed.
May 01 00:46:51 removedforprivacy.domain.net systemd[1]: Unit opendmarc.service entered failed state.
May 01 00:46:51 removedforprivacy.domain.net systemd[1]: opendmarc.service failed.

This makes sense now.

I think you are missing the Public Suffix List.

You should have seen this in the MailWatch footer, did you not?

"...ERROR INITIALIZATING, CHECK public suffix list..."