From: Matt Hayes on


On 04/21/2010 09:23 PM, David Cottle wrote:
> On 22/04/2010, at 10:28, Matt Hayes <dominian(a)slackadelic.com> wrote:
>
>>
>> On 04/21/2010 08:14 PM, webmaster(a)aus-city.com wrote:
>>> Quoting Matt Hayes <dominian(a)slackadelic.com>:
>>>
>>>> On 04/21/2010 07:35 PM, David Cottle wrote:
>>>>
>>>>> #submission inet n - n - - smtpd
>>>>> # -o smtpd_tls_security_level=encrypt
>>>>> # -o smtpd_sasl_auth_enable=yes
>>>>> # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>>> # -o milter_macro_daemon_name=ORIGINATING
>>>>
>>>> Seems submission is commented out?
>>>>
>>>> -matt
>>>>
>>>
>>> Hi Matt,
>>>
>>> No, it's not; look further down:
>>>
>>> smtpd_tls_wrappermode=yes
>>> submission inet n - - - - smtpd
>>>   -o smtpd_enforce_tls=yes
>>>   -o smtpd_sasl_auth_enable=yes
>>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>   -o smtpd_sender_restrictions=
>>>   -o smtpd_proxy_filter=127.0.0.1:10025
>>>
>>>
>>>
>>
>>
>> ahhh missed that!
>>
>> If you have smtpd_recipient_restrictions defined in main.cf you'll have
>> to negate them just as you did with smtpd_sender_restrictions
>>
>> -Matt
>
> Hi Matt,
>
> In main.cf I have got in smtpd sender restrictions permit sasl
> authenticated.
>
> It's also in smtpd recipient restrictions as the 3rd after mynetworks
> and a plesk no relay check.
>
> smtpd client restrictions it's 2nd after a plesk blacklist check.
>
> In client restrictions it's the 2nd one, as my whitelist is first.
>
> I know it's RBL killing as it's complaints about ISP dynamic message.
>
> I can post my actual main.cf later when I have PC as I am on iPhone.
>
> Is there also a command to dump the config?
>
> Thanks!
>
>


The best way: postconf -n


-Matt

From: Noel Jones on
On 4/21/2010 6:35 PM, David Cottle wrote:
> I am having some issues with my server blocking ISP IP addresses.
>
> I know a recent update to plesk-9.5.1 changed my postfix main.cf and
> master.cf (the timestamps changed). I managed to fix main.cf as on
> the smtpd_client_restrictions, they put the RBLs first.
>
> Can anyone see what is wrong in the master.cf?
>
> I just want submission on 587 able to bypass RBL checks:

You must have missed the answer yesterday.

>
> #
> # Postfix master process configuration file. For details on the format
> ==========================================================================
[...]
> submission inet n - - - - smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_sender_restrictions=
>   -o smtpd_proxy_filter=127.0.0.1:10025

Add here:

  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


-- Noel Jones

From: David Cottle on


On 22/04/2010, at 11:38, Matt Hayes <dominian(a)slackadelic.com> wrote:

> The best way: postconf -n
>
>
> -Matt

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydestination = localhost.$mydomain, localhost, localhost.localdomain
mynetworks = 127.0.0.0/8, 10.0.0.0/8, 10.0.10.1/32 [::1]/128 [fe80::%eth0]/64, 192.168.0.0/24, 203.19.70.65, 202.129.79.106, 203.217.18.104/30, 203.206.180.36/30, 203.206.129.128/27
newaliases_path = /usr/bin/newaliases.postfix
notify_classes =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8
smtpd_client_restrictions = check_client_access hash:/etc/postfix/whitelist, permit_sasl_authenticated, check_client_access hash:/etc/postfix/check_backscatterer, check_client_access hash:/etc/postfix/check_spamcannibal, check_client_access cidr:/etc/postfix/postfix-dnswl-permit, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org
smtpd_proxy_timeout = 3600s
smtpd_recipient_restrictions = permit_mynetworks, check_client_access pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
smtpd_timeout = 3600s
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110

From: Noel Jones on
On 4/21/2010 9:01 PM, David Cottle wrote:
>> The best way: postconf -n
>>
>>
>> -Matt
>
> smtpd_client_restrictions = check_client_access
> hash:/etc/postfix/whitelist, permit_sasl_authenticated,
> check_client_access hash:/etc/postfix/check_backscatterer,
> check_client_access hash:/etc/postfix/check_spamcannibal,
> check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
> reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org,
> reject_rbl_client b.barracudacentral.org

OK, permit_sasl_authenticated comes before reject_rbl_client.

> smtpd_recipient_restrictions = permit_mynetworks, check_client_access
> pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated,
> reject_unauth_destination

OK, permit_sasl_authenticated comes before reject_rbl_client.

> smtpd_sender_restrictions = check_sender_access
> hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated,
> check_client_access pcre:/var/spool/postfix/plesk/non_auth.re

OK, no RBL checks.


Conclusion: If a client is rejected by RBL checks, they
didn't authenticate. You can verify this in your postfix logs.

-- Noel Jones
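
The ordering check walked through by hand in the message above, as an added example that is not part of the original thread or of Postfix itself. It merges the main.cf values from the posted postconf -n output (client list abridged) with the master.cf -o overrides for submission, and reports any RBL zone an authenticated client would still reach. The function names and the RBL_FIRST ordering are constructed for illustration, and results returned by access-map lookups are not modelled.

```python
import re

CLASSES = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
           "smtpd_sender_restrictions", "smtpd_recipient_restrictions")

# main.cf values taken from the postconf -n output in the thread (client list abridged).
MAIN_CF = {
    "smtpd_client_restrictions":
        "check_client_access hash:/etc/postfix/whitelist, permit_sasl_authenticated, "
        "check_client_access hash:/etc/postfix/check_backscatterer, "
        "reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, "
        "reject_rbl_client b.barracudacentral.org",
    "smtpd_recipient_restrictions":
        "permit_mynetworks, check_client_access pcre:/var/spool/postfix/plesk/no_relay.re, "
        "permit_sasl_authenticated, reject_unauth_destination",
    "smtpd_sender_restrictions":
        "check_sender_access hash:/var/spool/postfix/plesk/blacklists, "
        "permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re",
}

# -o overrides on the submission entry, including the two lines suggested in the reply.
SUBMISSION = {
    "smtpd_client_restrictions": "permit_sasl_authenticated,reject",
    "smtpd_helo_restrictions": "",
    "smtpd_sender_restrictions": "",
    "smtpd_recipient_restrictions": "permit_sasl_authenticated,reject",
}

# Constructed: the ordering described in the thread as "they put the RBLs first".
RBL_FIRST = {**MAIN_CF, "smtpd_client_restrictions":
             "reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated"}

def rbl_before_auth(value):
    """RBL zones an authenticated client is still checked against in one list."""
    toks = [t for t in re.split(r"[,\s]+", value) if t]
    zones = []
    for i, tok in enumerate(toks):
        if tok in ("permit_sasl_authenticated", "permit", "reject"):
            break  # this list is decided here for an authenticated client
        if tok == "reject_rbl_client" and i + 1 < len(toks):
            zones.append(toks[i + 1])
    return zones

def exposure(main_cf, overrides=None):
    """Per restriction class, the RBL zones evaluated before the SASL permit."""
    merged = {**main_cf, **(overrides or {})}  # a master.cf -o wins over main.cf
    report = {c: rbl_before_auth(merged.get(c, "")) for c in CLASSES}
    return {c: z for c, z in report.items() if z}

if __name__ == "__main__":
    for name, cfg, ovr in (("port 25 as posted", MAIN_CF, None),
                           ("submission with overrides", MAIN_CF, SUBMISSION),
                           ("RBLs first (constructed)", RBL_FIRST, None)):
        print(f"{name}: {exposure(cfg, ovr) or 'no RBL check before auth'}")
```

Each restriction class is evaluated on its own, so a permit in one list does not skip an RBL check placed in another; that is why every class is reported separately.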