Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Oliver Schinagl (oliverschinagl.nl)
Date: Thu Apr 22 2010 - 07:02:31 CDT
On 04/22/10 04:49, Noel Jones wrote:
> On 4/21/2010 9:03 PM, Oliver Schinagl wrote:
>> On 04/22/10 03:55, Noel Jones wrote:
>>> On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>>>> Heh, I suppose it wasn't as straightforward as that; I'll look more
>>>> it after some sleep, I enabled it with the following:
>>>> submission inet n - n - - smtpd
>>>> # -o smtpd_tls_security_level=encrypt
>>>> -o smtpd_sasl_auth_enable=yes
>>>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>> # -o milter_macro_daemon_name=ORIGINATING
>>>> (even tried uncommenting both, which shouldn't matter inmo?)
>>>> But got denied errors, telnet didn't tell me much, thunderbird told me
>>>> slightly more:
>>>> An error occurred sending mail: The mail server sent an incorrect
>>>> greeting: 5.7.1<yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]>: Client host
>>>> rejected: Access denied.
>>>> It won't even ask me for my sasl password, nothing. A mistery for the
>>>> next day.
>>> Please show your current "postconf -n" and the error message from the
>>> postfix logs. Showing error messages from the client or from telnet
>>> are not particularly useful.
>>> -- Noel Jones
>> My current postconf -n is exactly as above in the mail; i hadn't changed
>> anything, i only pasted the relevant part from master.conf that i
> I don't see a postconf -n in this mail. I asked for a new copy to
> make sure of its current contents, and because I deleted your previous
> messages and don't feel like rummaging around in the trash.
I'm sorry, I didn't realize. Here it is :)
biff = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.6.5/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydomain = example.com
myhostname = foo.example.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.5/readme
recipient_delimiter = +
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, permit_mx_backup, check_policy_service
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_limit_override = yes
virtual_maildir_extended = yes
virtual_maildir_limit_message = "Sorry, the recipients mailbox is
currently full. Please try again later."
virtual_overquota_bounce = no
virtual_trash_count = no
virtual_trash_name = ".Trash"
virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf
>> Apr 21 21:39:19 example postfix/smtpd: connect from
>> Apr 21 21:39:19 example postfix/smtpd: NOQUEUE: reject: CONNECT
>> from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
>> : 554 5.7.1<yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]>: Client host
>> rejected: Access denied; proto=SMTP
>> Apr 21 21:39:24 example postfix/smtpd: disconnect from
> The client was rejected during the CONNECT stage. This implies you
> are using "smtpd_delay_reject = no".
> Don't do that, the client doesn't get a chance to authenticate.
Hmm, You are absolutely right here, I was using that. I don't understand
however, because I do have 'permit_sasl_auth' before the rbl stuff. It
does fix the submission delivery port issue. So thanks on that :) Tested
But I don't think this will fix my initial issue, with clients being
rejected on the RBL Auth issue does it? I think I did read that
smtpd_delay_reject was good. Ontop of that, I do have it set to no on my
own server, where I can send with sasl auth just fine :S I'm still
puzzled. I won't be able to verify all this though until tomorrow, when
I'm at a pbl'ed adls line again.
>> is the corresponding postfix error; Basically what thunderbird
>> reported :)
> The postfix log is far more useful; it tells us your problem is (at
> least) you need to unset smtpd_delay_reject. There may be other
> problems exposed once you fix this one.
Alright, I will also attach the log snippets after I tested the next bit.
>> Looking at the message you sent David Cottle, I think he's doing what
>> Matt suggested I should do? Use submission to bypass RBL stuff; I'd
>> gladly add those 2 options as well, but why would they not be in the
>> default config? You'd think that the default submission bit was exactly
>> that, allow users to bypass everything and submit messages directly. I'm
>> to tired to think atm so I'll check it all out again tomorrow :)
>> Sleep well :)
> There is no evidence David's client ever authenticates. Not quite the
> same problem. Your client doesn't authenticate either, but that's
> because you don't give them the chance.
> Using the "submission" port is an accepted solution to the common
> problems of how to allow mobile users to send mail to your server.
> The main advantage is it allows you to specify a different policy
> for authenticated users.
> You can add "-o smtpd_delay_reject=yes" to the submission entry in
> master.cf to insure that changes to that parameter in main.cf won't
> affect the submission service. But a better solution is just don't
> mess with that setting; leave it at the default "yes".
> "submission" is commented out in the default postfix config because a
> relatively small subset of folks using postfix need it, and it's not
> nice to open ports not needed.
>  IP listed in RBL. ISP or hotspot blocks port 25 access.
>  accept mail from authenticated clients no matter how screwed up
> their mailer or their IP
> -- Noel Jones
I see, thank you so far! I will report my findings when I can.