Postgrey does not start – postfix rejecting mail – cannot connect to check_policy

While transitioning to a new mail server, we put an identical configuration of postfix, policyd and postgrey on it; however, it was rejecting mail with the following message.

451 4.3.5 Server configuration problem;

A look at the messages just preceding this in the mail.log showed the real reason.

warning: connect to 127.0.0.1:60000: Connection refused
warning: problem talking to server 127.0.0.1:60000: Connection refused

A quick look into our postfix configuration shows that this is the port where we had been running our greylist policy service.

#grep 60000 /etc/postfix/ -r
/etc/postfix/main.cf:greylist = check_policy_service inet:127.0.0.1:60000

I checked that the greylist service was installed correctly, checked the open ports and which port the service was supposed to run on, and updated the postfix configuration file to use the correct port.

# dpkg -l|grep postgrey
ii postgrey 1.34-1.2 all greylisting implementation for Postfix
#lsof -i:60000       #no results confirms that nothing is listening on port 60000
# grep OPTS /etc/default/postgrey       #a lookup of what options would run when postgrey is started shows what I should run to debug the daemon
POSTGREY_OPTS="--inet=10023"
#postgrey --inet=10023
2015/04/25-09:29:44 postgrey (type Net::Server::Multiplex) starting! pid(1569)
Resolved [localhost]:10023 to [127.0.0.1]:10023, IPv4
Resolved [localhost]:10023 to [::1]:10023, IPv6
Binding to TCP port 10023 on host 127.0.0.1 with IPv4
Binding to TCP port 10023 on host ::1 with IPv6
ERROR: Can't connect to TCP port 10023 on ::1 [Cannot assign requested address] at /usr/sbin/postgrey line 776.
#lsof -i:10023       #no results confirms that nothing is already listening on port 10023

So I had two changes to make:

  • Update postfix and postgrey to operate on the same port
  • Find out what is stopping postgrey from listening on port 10023

Getting postfix and postgrey onto the same port was a simple choice: either tell postfix to check the policy service on 10023, or change postgrey to listen on port 60000. Since postgrey was installed with apt-get and automatically chose 10023, I figured that is more standard, and since my postfix configuration is older, I would move to 10023.

#sed -i -e's/60000/10023/' /etc/postfix/main.cf
#/etc/init.d/postfix reload

Now I have to figure out why postgrey could not start on 10023. The first thing I will do is run it on a couple of different ports to find out if I get the same results.

#lsof -i:10022       #no results confirms that nothing is already listening on port 10022
#postgrey --inet=10022

A closer look at the error describes the problem: postgrey is trying to start using IPv6.

Can't connect to TCP port 10023 on ::1 [Cannot assign requested address]

A quick check on the system shows that the system has IPv6 disabled.

#sysctl -a|grep 'ipv6.*disable'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

So I tested starting postgrey explicitly using the IPv4 loopback address.

#postgrey --inet=127.0.0.1:10023
2015/04/25-09:49:09 postgrey (type Net::Server::Multiplex) starting! pid(6085)
Binding to TCP port 10023 on host 127.0.0.1 with IPv4
Setting gid to "115 115"
Setting uid to "106"

Success! I just had to update the postgrey OPTS and restart postgrey, and my postfix problems were solved.

# sed -i -e 's/10023/127.0.0.1:10023/' /etc/default/postgrey
#/etc/init.d/postgrey start
 * Starting postfix greylisting daemon postgrey 
#lsof -i:10023 #results confirm that postgrey is listening
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
/usr/sbin 6557 postgrey 5u IPv4 8665045 0t0 TCP localhost:10023 (LISTEN)

And there we have it, it is now working. I confirmed postgrey was working by grepping my mail.log for postgrey and greylist and found results. I also confirmed that I no longer had any server rejections or errors connecting to port 60000 or 10023.
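
The two faults found above (a port mismatch between postfix and postgrey, and a port-only --inet on a host with IPv6 disabled) can be checked for before a migration. This is an added example, not part of the original post; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check Postfix's policy
# endpoint against postgrey's --inet option before cutting over a server.

# Print HOST:PORT of the first "check_policy_service inet:" entry in a main.cf.
policy_endpoint() {
    sed -n 's/.*check_policy_service[[:space:]]*inet:\([^[:space:],]*\).*/\1/p' "$1" | head -n 1
}

# Print the --inet value from POSTGREY_OPTS in a defaults file.
postgrey_inet() {
    sed -n 's/^POSTGREY_OPTS=.*--inet=\([^[:space:]"]*\).*/\1/p' "$1" | head -n 1
}

# diagnose MAIN_CF POSTGREY_DEFAULTS IPV6_DISABLED(0|1)
# Prints one of: unparsed, port-mismatch, ipv6-bind-risk, ok
diagnose() {
    want=$(policy_endpoint "$1")
    have=$(postgrey_inet "$2")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "unparsed"           # one of the two settings was not found
    elif [ "${want##*:}" != "${have##*:}" ]; then
        echo "port-mismatch"      # Postfix would log "Connection refused"
    elif [ "$3" = "1" ] && [ "$have" = "${have##*:}" ]; then
        # Port only, no host: per the log above postgrey then also binds ::1
        echo "ipv6-bind-risk"
    else
        echo "ok"
    fi
}

# Constructed sample files mirroring the before/after states in this post.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
echo 'greylist = check_policy_service inet:127.0.0.1:60000' > "$tmp/main_old.cf"
echo 'greylist = check_policy_service inet:127.0.0.1:10023' > "$tmp/main_new.cf"
echo 'POSTGREY_OPTS="--inet=10023"'           > "$tmp/postgrey_old"
echo 'POSTGREY_OPTS="--inet=127.0.0.1:10023"' > "$tmp/postgrey_new"

diagnose "$tmp/main_old.cf" "$tmp/postgrey_old" 1
diagnose "$tmp/main_new.cf" "$tmp/postgrey_old" 1
diagnose "$tmp/main_new.cf" "$tmp/postgrey_new" 1
```

On a live host, pass /etc/postfix/main.cf, /etc/default/postgrey and the output of `sysctl -n net.ipv6.conf.lo.disable_ipv6` as the three arguments.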