From: David Cottle on


Sent from my iPhone

On 22/04/2010, at 12:00, Noel Jones <njones(a)megan.vbhcs.org> wrote:

> On 4/21/2010 6:35 PM, David Cottle wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I am having some issues with my server blocking ISP IP addresses.
>>
>> I know a recent update to plesk-9.5.1 changed my postfix main.cf and
>> master.cf (the timestamps changed). I managed to fix main.cf as on
>> the smtpd_client_restrictions, they put the RBLs first.
>>
>> Can anyone see what is wrong in the master.cf?
>>
>> I just want submission on 587 able to bypass RBL checks:
>
> you must have missed the answer yesterday.
>
>>
>> #
>> # Postfix master process configuration file. For details on the format
>> ====================================================================
> [...]
>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
>> smtpd_sasl_auth_enable=yes -o
>> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
>> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>
> add here:
>
> -o smtpd_helo_restrictions=
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>
>
> -- Noel Jones

Hi Noel,

Okay I did miss this! I will add your smtpd_helo_restrictions as above.

What exactly does that do as to not having it?

I have to get my client to try sending email again and dig out the logs.

What I can't understand is he has 3 OS on his PC.

Fedora 11 and Windows XP using thunderbird, exactly same settings and
both can RX but not send mail.
Windows 7, using thunderbird it RX and Sends.

Same details, ports, it's got the server certificate same on all 3 but
only W7 works.

It's the same broadband settings, could it be the machines host name?

Anyway as it's only one client it's hard to track.

Thanks!

From: Noel Jones on
On 4/21/2010 10:15 PM, David Cottle wrote:
>
>
> Sent from my iPhone
>
> On 22/04/2010, at 12:00, Noel Jones <njones(a)megan.vbhcs.org> wrote:
>
>> On 4/21/2010 6:35 PM, David Cottle wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> I am having some issues with my server blocking ISP IP addresses.
>>>
>>> I know a recent update to plesk-9.5.1 changed my postfix main.cf and
>>> master.cf (the timestamps changed). I managed to fix main.cf as on
>>> the smtpd_client_restrictions, they put the RBLs first.
>>>
>>> Can anyone see what is wrong in the master.cf?
>>>
>>> I just want submission on 587 able to bypass RBL checks:
>>
>> you must have missed the answer yesterday.
>>
>>>
>>> #
>>> # Postfix master process configuration file. For details on the format
>>> ==========================================================================
>>>
>> [...]
>>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
>>> smtpd_sasl_auth_enable=yes -o
>>> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
>>> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>>
>> add here:
>>
>> -o smtpd_helo_restrictions=
>> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>>
>>
>> -- Noel Jones
>
> Hi Noel,
>
> Okay I did miss this! I will add your smtpd_helo_restrictions as above.
>
> What exactly does that do as to not having it?

The suggested config above prevents settings in main.cf from
interfering with settings on the submission port.


>
> I have to get my client to try sending email again and dig out the logs.
>
> What I can't understand is he has 3 OS on his PC.
>
> Fedora 11 and Windows XP using thunderbird, exactly same settings and
> both can RX but not send mail.
> Windows 7, using thunderbird it RX and Sends.
>
> Same details, ports, it's got the server certificate same on all 3 but
> only W7 works.

That's very important information. That makes this sound very
much like a client configuration issue, not postfix.

If you still think it's postfix, show your current "postconf
-n" and master.cf, and show logs demonstrating that the client
authenticates yet is rejected.

But according to the config you posted earlier, if the client
does authenticate they will bypass RBL checks. So you need to
show proof the client authenticated and was rejected.

Next nail, same client can submit mail using a different
configuration on the same hardware with the same IP. Sounds
as if they are able to authenticate with at least one config.

Without further evidence, this isn't a postfix issue. Fix the
client.

-- Noel Jones

From: webmaster on
Quoting Noel Jones <njones(a)megan.vbhcs.org>:

> On 4/21/2010 10:15 PM, David Cottle wrote:
>>
>>
>> Sent from my iPhone
>>
>> On 22/04/2010, at 12:00, Noel Jones <njones(a)megan.vbhcs.org> wrote:
>>
>>> On 4/21/2010 6:35 PM, David Cottle wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> I am having some issues with my server blocking ISP IP addresses.
>>>>
>>>> I know a recent update to plesk-9.5.1 changed my postfix main.cf and
>>>> master.cf (the timestamps changed). I managed to fix main.cf as on
>>>> the smtpd_client_restrictions, they put the RBLs first.
>>>>
>>>> Can anyone see what is wrong in the master.cf?
>>>>
>>>> I just want submission on 587 able to bypass RBL checks:
>>>
>>> you must have missed the answer yesterday.
>>>
>>>>
>>>> #
>>>> # Postfix master process configuration file. For details on the format
>>>> ==========================================================================
>>>>
>>> [...]
>>>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
>>>> smtpd_sasl_auth_enable=yes -o
>>>> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
>>>> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>>>
>>> add here:
>>>
>>> -o smtpd_helo_restrictions=
>>> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>>>
>>>
>>> -- Noel Jones
>>
>> Hi Noel,
>>
>> Okay I did miss this! I will add your smtpd_helo_restrictions as above.
>>
>> What exactly does that do as to not having it?
>
> The suggested config above prevents settings in main.cf from
> interfering with settings on the submission port.
>
>
>>
>> I have to get my client to try sending email again and dig out the logs.
>>
>> What I can't understand is he has 3 OS on his PC.
>>
>> Fedora 11 and Windows XP using thunderbird, exactly same settings and
>> both can RX but not send mail.
>> Windows 7, using thunderbird it RX and Sends.
>>
>> Same details, ports, it's got the server certificate same on all 3 but
>> only W7 works.
>
> That's very important information. That makes this sound very much
> like a client configuration issue, not postfix.
>
> If you still think it's postfix, show your current "postconf -n" and
> master.cf, and show logs demonstrating that the client authenticates
> yet is rejected.
>
> But according to the config you posted earlier, if the client does
> authenticate they will bypass RBL checks. So you need to show proof
> the client authenticated and was rejected.
>
> Next nail, same client can submit mail using a different
> configuration on the same hardware with the same IP. Sounds as if
> they are able to authenticate with at least one config.
>
> Without further evidence, this isn't a postfix issue. Fix the client.
>
> -- Noel Jones
>

Hi Noel,

Sorry, it's got all truncated. Where exactly do I need to add that in
here? (I added an extra line between each)

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
  argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames

mailman unix - n n - - pipe flags=R user=mailman:mailman
  argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}

127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
  argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue

127.0.0.1:10026 inet n - - - - smtpd
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=
  -o receive_override_options=no_unknown_recipient_checks

127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
  argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote

plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
  dbpath=/plesk/passwd.db

smtps inet n - - - - smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_tls_wrappermode=yes

submission inet n - - - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_proxy_filter=127.0.0.1:10025

END

From: Noel Jones on
On 4/22/2010 7:59 AM, webmaster(a)aus-city.com wrote:
> Sorry, it's got all truncated. Where exactly do I need to add that in
> here? (I added an extra line between each)
>
> plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
> argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p
> /var/qmail/mailnames
>
> mailman unix - n n - - pipe flags=R user=mailman:mailman
> argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
>
> 127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
> argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
>
> 127.0.0.1:10026 inet n - - - - smtpd -o smtpd_client_restrictions= -o
> smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o
> smtpd_recipient_restrictions=permit_mynetworks,reject -o
> smtpd_data_restrictions= -o
> receive_override_options=no_unknown_recipient_checks
>
> 127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
> argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
>
> plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
> dbpath=/plesk/passwd.db
>
> smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
> smtpd_tls_wrappermode=yes
>
> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
> smtpd_sasl_auth_enable=yes -o
> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025

Add here (to the submission entry)
-o smtpd_helo_restrictions=
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

You may also want to add these to the "smtps" entry.

But this won't fix the problem of the client not authenticating.

-- Noel Jones
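
Added example (not part of the original thread, and not Postfix or Plesk code): a small Python check that parses master.cf and lists which smtpd restriction lists a service still inherits from main.cf, which is what the suggested -o overrides are there to prevent. The function names and the sample entries are constructed for illustration, and the parser assumes only comments, whitespace-indented continuation lines and "-o name=value" options.

```python
# Restriction lists an smtpd service takes from main.cf unless master.cf
# overrides them with "-o name=value" (names as used in the thread).
RESTRICTIONS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
                "smtpd_data_restrictions")

def parse_overrides(text):
    """Return {service_name: {parameter: value}} for each master.cf entry."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()        # continuation line
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = line.split()
        if len(fields) < 8:
            continue                                # incomplete entry
        args = fields[8:]                           # after the command name
        services[fields[0]] = {
            args[i + 1].partition("=")[0]: args[i + 1].partition("=")[2]
            for i in range(len(args) - 1)
            if args[i] == "-o" and "=" in args[i + 1]
        }
    return services

def inherited_restrictions(text, service):
    """Restriction lists that `service` still inherits from main.cf."""
    overrides = parse_overrides(text)[service]
    return [name for name in RESTRICTIONS if name not in overrides]

# Constructed sample: the submission entry as posted in the thread.
BEFORE = """\
submission inet n - - - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_proxy_filter=127.0.0.1:10025
"""
# The same entry with the two overrides suggested in the reply.
AFTER = (BEFORE + "  -o smtpd_helo_restrictions=\n"
         "  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject\n")
for label, cf in (("before", BEFORE), ("after", AFTER)):
    print(label, inherited_restrictions(cf, "submission"))
```

A list reported as inherited only matters if main.cf sets it to something that can reject the client, such as an RBL lookup.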