From: Oliver Schinagl on 21 Apr 2010 10:35

Hello all,

I've been trying to figure out why a new server I set up using postfix doesn't allow me to relay messages after I authenticate (using cyrus-sasl). It appears that I can authenticate just fine, but when I try to send a message, I get an RBL error. I obviously want my ADSL IP not to be whitelisted from the sending end (as it's DHCP and just a regular ADSL IP), but I would have expected that after authentication the RBL would be bypassed?

I thought I pretty much set it up the same way as my older server, which accepts my mail just fine! Guess I was wrong, and I can't find the differences.

As I've set up my server, I tried to document it as well as possible over at the gentoo-wiki:

http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server

The entire postfix server seems to be running excellently as far as I can tell, except for not being able to send from remote 'internet' IPs that are on the PBL.

Find below my postconf -n (having replaced the real hostname with foo.example).

===
postconf -n
biff = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.6.5/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydomain = example.com
myhostname = foo.example.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.5/readme
recipient_delimiter = +
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
virtual_mailbox_limit_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
virtual_maildir_extended = yes
virtual_maildir_limit_message = "Sorry, the recipients mailbox is currently full. Please try again later."
virtual_overquota_bounce = no
virtual_trash_count = no
virtual_trash_name = ".Trash"
virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf
From: mouss on 21 Apr 2010 17:47

Oliver Schinagl a écrit :
> Hello all,
>
> I've been trying to figure out why a new server I setup using postfix
> doesn't allow me to relay messages after I authenticate (using
> cyrus-sasl). It appears then I can authenticate just fine, but when I
> try to send a message, I get a RBL error. I obviously want my ADSL IP
> not to be whitelisted from the sending end (as it's dhcp and just a
> regular adsl ip) but I would have expected that after authentication the
> RBL would be bypassed?
>

Show logs that prove your claims:
1- user was authenticated
2- relay was denied

for (1), you should find a line like this:

Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888: client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN, sasl_username=mouss(a)ml.netoyen.net

> I thought I pretty much set it up the same way as my older server, which
> accepts my mail just fine! Guess I was wrong, and I can't find the
> differences.
>
> As I've setup my server, I tried to document it as well as possible over
> at the gentoo-wiki;
>
> http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>
>
> The entire postfix server seems to be running excellently as far as I
> can tell, except for not being able to send from remote 'internet' IP's
> that are on the PBL.
>
> Find below my postconf -n (having replaced the real hostname with
> foo.example)
> ===
> postconf -n
> biff = no
> broken_sasl_auth_clients = no
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib64/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 1
> disable_vrfy_command = yes
> home_mailbox = .maildir/
> html_directory = /usr/share/doc/postfix-2.6.5/html
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> message_size_limit = 20480000
> mydomain = example.com
> myhostname = foo.example.com
> mynetworks_style = host
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.5/readme
> recipient_delimiter = +
> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtpd_banner = $myhostname NO UCE ESMTP
> smtpd_client_restrictions = permit_mynetworks,
> permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
> zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
> bl.spamcop.net
> smtpd_delay_reject = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_hostname
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, permit_mx_backup, check_policy_service
> inet:127.0.0.1:2525, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = no
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
> smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
> smtpd_tls_loglevel = 0
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> soft_bounce = no
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
> virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
> virtual_mailbox_base = /var/vmail
> virtual_mailbox_domains =
> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
> virtual_mailbox_limit_maps =
> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
> virtual_mailbox_limit_override = yes
> virtual_mailbox_maps =
> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
> virtual_maildir_extended = yes
> virtual_maildir_limit_message = "Sorry, the recipients mailbox is
> currently full. Please try again later."
> virtual_overquota_bounce = no
> virtual_trash_count = no
> virtual_trash_name = ".Trash"
> virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf
From: Noel Jones on 21 Apr 2010 21:55

On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>>
> Heh, I suppose it wasn't as straightforward as that; I'll look more into
> it after some sleep, I enabled it with the following:
> submission inet n - n - - smtpd
> # -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> # -o milter_macro_daemon_name=ORIGINATING
> (even tried uncommenting both, which shouldn't matter IMO?)
>
> But got denied errors, telnet didn't tell me much, thunderbird told me
> slightly more:
> An error occurred sending mail: The mail server sent an incorrect
> greeting: 5.7.1<yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]>: Client host
> rejected: Access denied.
> It won't even ask me for my sasl password, nothing. A mystery for the
> next day.

Please show your current "postconf -n" and the error message from the postfix logs. Showing error messages from the client or from telnet is not particularly useful.

-- Noel Jones
From: Oliver Schinagl on 21 Apr 2010 22:03

On 04/22/10 03:55, Noel Jones wrote:
> On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>>>
>> Heh, I suppose it wasn't as straightforward as that; I'll look more into
>> it after some sleep, I enabled it with the following:
>> submission inet n - n - - smtpd
>> # -o smtpd_tls_security_level=encrypt
>> -o smtpd_sasl_auth_enable=yes
>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> # -o milter_macro_daemon_name=ORIGINATING
>> (even tried uncommenting both, which shouldn't matter IMO?)
>>
>> But got denied errors, telnet didn't tell me much, thunderbird told me
>> slightly more:
>> An error occurred sending mail: The mail server sent an incorrect
>> greeting: 5.7.1<yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]>: Client host
>> rejected: Access denied.
>> It won't even ask me for my sasl password, nothing. A mystery for the
>> next day.
>
> Please show your current "postconf -n" and the error message from the
> postfix logs. Showing error messages from the client or from telnet
> are not particularly useful.
>
> -- Noel Jones

My current postconf -n is exactly as above in the mail; I hadn't changed anything, I only pasted the relevant part from master.cf that I changed.

Apr 21 21:39:19 example postfix/smtpd[21360]: connect from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]: 554 5.7.1 <yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]>: Client host rejected: Access denied; proto=SMTP
Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]

is the corresponding postfix error; basically what Thunderbird reported :)

Looking at the message you sent David Cottle, I think he's doing what Matt suggested I should do? Use submission to bypass RBL stuff; I'd gladly add those 2 options as well, but why would they not be in the default config? You'd think that the default submission bit was exactly that, allow users to bypass everything and submit messages directly. I'm too tired to think atm so I'll check it all out again tomorrow :)

Sleep well :)
From: Noel Jones on 21 Apr 2010 22:49

On 4/21/2010 9:03 PM, Oliver Schinagl wrote:
> On 04/22/10 03:55, Noel Jones wrote:
>> On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>>>>
>>> Heh, I suppose it wasn't as straightforward as that; I'll look more into
>>> it after some sleep, I enabled it with the following:
>>> submission inet n - n - - smtpd
>>> # -o smtpd_tls_security_level=encrypt
>>> -o smtpd_sasl_auth_enable=yes
>>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>> # -o milter_macro_daemon_name=ORIGINATING
>>> (even tried uncommenting both, which shouldn't matter IMO?)
>>>
>>> But got denied errors, telnet didn't tell me much, thunderbird told me
>>> slightly more:
>>> An error occurred sending mail: The mail server sent an incorrect
>>> greeting: 5.7.1<yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]>: Client host
>>> rejected: Access denied.
>>> It won't even ask me for my sasl password, nothing. A mystery for the
>>> next day.
>>
>> Please show your current "postconf -n" and the error message from the
>> postfix logs. Showing error messages from the client or from telnet
>> are not particularly useful.
>>
>> -- Noel Jones
> My current postconf -n is exactly as above in the mail; I hadn't changed
> anything, I only pasted the relevant part from master.cf that I changed.

I don't see a postconf -n in this mail. I asked for a new copy to make sure of its current contents, and because I deleted your previous messages and don't feel like rummaging around in the trash.

>
> Apr 21 21:39:19 example postfix/smtpd[21360]: connect from
> yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
> Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT
> from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
> : 554 5.7.1<yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]>: Client host
> rejected: Access denied; proto=SMTP
> Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from
> yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]

The client was rejected during the CONNECT stage. This implies you are using "smtpd_delay_reject = no". Don't do that, the client doesn't get a chance to authenticate.

>
> is the corresponding postfix error; Basically what thunderbird reported :)

The postfix log is far more useful; it tells us your problem is (at least) you need to unset smtpd_delay_reject. There may be other problems exposed once you fix this one.

> Looking at the message you sent David Cottle, I think he's doing what
> Matt suggested I should do? Use submission to bypass RBL stuff; I'd
> gladly add those 2 options as well, but why would they not be in the
> default config? You'd think that the default submission bit was exactly
> that, allow users to bypass everything and submit messages directly. I'm
> too tired to think atm so I'll check it all out again tomorrow :)
> Sleep well :)

There is no evidence David's client ever authenticates. Not quite the same problem. Your client doesn't authenticate either, but that's because you don't give them the chance.

Using the "submission" port is an accepted solution to the common problems[1] of how to allow mobile users to send mail to your server. The main advantage is it allows you to specify a different policy[2] for authenticated users.

You can add "-o smtpd_delay_reject=yes" to the submission entry in master.cf to ensure that changes to that parameter in main.cf won't affect the submission service. But a better solution is just don't mess with that setting; leave it at the default "yes".

"submission" is commented out in the default postfix config because a relatively small subset of folks using postfix need it, and it's not nice to open ports not needed.

[1] IP listed in RBL. ISP or hotspot blocks port 25 access.
[2] accept mail from authenticated clients no matter how screwed up their mailer or their IP

-- Noel Jones
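Noel's diagnosis and advice, written out as config. This is an added example and not from the thread or from Oliver's wiki page: the parameter values are taken from Oliver's postconf -n and his submission entry, the "-o" overrides beyond smtpd_delay_reject and the two SASL hardening lines at the end of the main.cf part are my own assumptions about what a finished setup would look like.

```conf
# --- main.cf ------------------------------------------------------------
# The posted config has "smtpd_delay_reject = no". With that setting Postfix
# evaluates smtpd_client_restrictions the moment the client connects, before
# EHLO, STARTTLS and AUTH have happened. permit_sasl_authenticated can never
# match at that point, so on port 25 the reject_rbl_client entries fire for
# every remote client, and on the submission entry the trailing "reject"
# fires. That is the "NOQUEUE: reject: CONNECT from ..." line in the log.
#
# Fix: leave the parameter at its default. All restriction lists are then
# evaluated at RCPT TO, after the client has had the chance to authenticate.
smtpd_delay_reject = yes

# Unchanged from the posted config. permit_sasl_authenticated sits before
# the RBL lookups, which now works because the list runs after AUTH.
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    permit_mx_backup, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net

# Hardening the thread does not discuss (assumption, grounded in the posted
# "smtpd_tls_auth_only = no"): TLS is optional on port 25, so with only
# "noanonymous" a client can hand over PLAIN/LOGIN credentials in the clear.
# Refuse plaintext mechanisms outside TLS, allow them inside TLS.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# --- master.cf ----------------------------------------------------------
# Oliver's submission entry with the two commented-out lines switched on,
# plus overrides so the service no longer depends on main.cf values.
submission inet n       -       n       -       -       smtpd
  -o smtpd_delay_reject=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
```

After "postfix reload", "postconf smtpd_delay_reject" should print the default "yes", and on Postfix 2.9 or later "postconf -M submission/inet" shows the effective submission entry with its overrides. A successful test from the ADSL address then logs a "client=... sasl_method=PLAIN, sasl_username=..." line of the kind mouss quoted instead of "NOQUEUE: reject: CONNECT". The "encrypt" level plus "smtpd_tls_auth_only=yes" means AUTH is only offered after STARTTLS, so a misconfigured client can no longer leak its password on port 587; the milter_macro_daemon_name override is harmless without a milter and only matters if one (for example a DKIM signer) is added later. On Postfix 2.10 and later the relay decision also passes through smtpd_relay_restrictions, whose default already contains permit_sasl_authenticated, so authenticated submission keeps working without a further override there.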