From: Wietse Venema on 3 Apr 2010 09:07

Yves Dorfsman:
> Wietse Venema wrote:
> >
> > There's no reject_unknown_* in there, so this does not reproduce
> > the complaint.
>
> Right, because I had commented them out in order to make it work. I put them
> back, here's the output of postconf -n

It's like sending your brother to the doctor for examination instead
of yourself.

> smtpd_client_restrictions = permit_sasl_authenticated,
>     reject_unknown_address, reject_unknown_client,
>     reject_unknown_reverse_client_hostname,
>     check_client_access hash:/etc/postfix/access,
>     reject_rbl_client sbl-xbl.spamhaus.org

This accepts mail from SASL-authenticated clients and rejects
unknown stuff from SASL-unauthenticated clients.

Your mail is rejected because the client is not SASL authenticated.

You probably have an SMTP-based content filter in the middle of
your Postfix system, and failed to configure the post-filter SMTP
server per the FILTER_README instructions.

Wietse

From: Yves Dorfsman on 4 Apr 2010 21:03

>
>> smtpd_client_restrictions = permit_sasl_authenticated,
>>     reject_unknown_address, reject_unknown_client,
>>     reject_unknown_reverse_client_hostname,
>>     check_client_access hash:/etc/postfix/access,
>>     reject_rbl_client sbl-xbl.spamhaus.org
>
> This accepts mail from SASL-authenticated clients and rejects
> unknown stuff from SASL-unauthenticated clients.
>
> Your mail is rejected because the client is not SASL authenticated.

That's right I get rejected before I even have the time to authenticate,
right after the helo (I tried manually with telnet)

> You probably have an SMTP-based content filter in the middle of
> your Postfix system, and failed to configure the post-filter SMTP
> server per the FILTER_README instructions.

No I do not.

However I do have helo_restrictions:

postconf -n |grep helo
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_hostname, reject_invalid_hostname

I will comment them out and see if it works. I suspect they don't do a
lot in terms of fighting spam anyway.

--
Yves.
http://www.SollerS.ca/

From: Noel Jones on 4 Apr 2010 21:36

On 4/4/2010 8:03 PM, Yves Dorfsman wrote:
>>
>>> smtpd_client_restrictions = permit_sasl_authenticated,
>>> reject_unknown_address, reject_unknown_client,
>>> reject_unknown_reverse_client_hostname, check_client_access
>>> hash:/etc/postfix/access, reject_rbl_client sbl-xbl.spamhaus.org
>>
>> This accepts mail from SASL-authenticated clients and rejects unknown
>> stuff from SASL-unauthenticated clients.
>>
>> Your mail is rejected because the client is not SASL authenticated.
>
> That's right I get rejected before I even have the time to authenticate,
> right after the helo (I tried manually with telnet)

That sounds as if you've set
smtpd_delay_reject = no
Don't do that.

> However I do have helo_restrictions:
>
> postconf -n |grep helo
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_non_fqdn_hostname, reject_invalid_hostname
>
> I will comment them out and see if it works. I suspect they don't do a
> lot in terms of fighting spam anyway.
>

Each smtpd_*_restrictions section should start with
"permit_mynetworks, permit_sasl_authenticated" if you don't
want to reject mail from authorized clients.

It's challenging to give definitive answers when the
conditions keep changing.

-- Noel Jones

From: /dev/rob0 on 4 Apr 2010 21:46

On Sun, Apr 04, 2010 at 07:03:56PM -0600, Yves Dorfsman wrote:
> smtpd_helo_restrictions = reject_non_fqdn_hostname,
> reject_invalid_hostname
>
> I will comment them out and see if it works. I suspect they
> don't do a lot in terms of fighting spam anyway.

This guess would be very wrong. reject_non_fqdn_helo_hostname (you
are using deprecated syntax) is the single best low-cost antispam
weapon in the arsenal. When I have checked, it seems to block around
25% of all connections, and no known problems from using it.

Of course, I use it right. If I was going to have client submission
on the same port, I would precede it with the appropriate permit_*
restrictions as needed.

You might also benefit from consolidation of your restrictions into
smtpd_recipient_restrictions. It's easier to understand what's going
on that way. Reference:
http://www.postfix.org/SMTPD_ACCESS_README.html

--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header

From: Yves Dorfsman on 6 Apr 2010 12:16

Noel Jones wrote:
> On 4/4/2010 8:03 PM, Yves Dorfsman wrote:
>>>
>>> This accepts mail from SASL-authenticated clients and rejects unknown
>>> stuff from SASL-unauthenticated clients.
>>>
>>> Your mail is rejected because the client is not SASL authenticated.
>>
>> That's right I get rejected before I even have the time to authenticate,
>> right after the helo (I tried manually with telnet)
>
> That sounds as if you've set
> smtpd_delay_reject = no

I did indeed. I changed it to yes, and added the sasl_permission to
smtpd_helo_required ; kept all the other restrictions, and it is now working
as expected.

It makes sense now, the server needs to give the client a chance to auth with
sasl before rejecting it.

Thanks very much, I really appreciate.

--
Yves.
http://www.SollerS.ca/
gmail, jabber, LiveJournal, nimbuzz, ovi, dreamhost
xim.ca: xmpp:yves(a)zioup.com
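
An added example, not code from any participant in this thread: a small audit of `postconf -n` output for the three problems the thread identifies (smtpd_delay_reject = no, a restriction list that rejects before permit_sasl_authenticated, and deprecated restriction names). The function names and both sample configurations are constructed for illustration; the rename table covers only the names that appear in the thread.

```python
import re

# Restriction names renamed in Postfix 2.3; the old spellings are deprecated.
RENAMED = {
    "reject_non_fqdn_hostname": "reject_non_fqdn_helo_hostname",
    "reject_invalid_hostname": "reject_invalid_helo_hostname",
    "reject_unknown_client": "reject_unknown_client_hostname",
}

def parse_postconf(text):
    """Parse `postconf -n` style output, joining indented continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def audit(params):
    findings = []
    # postconf -n omits defaults, and the default for smtpd_delay_reject is yes.
    if params.get("smtpd_delay_reject", "yes").lower() == "no":
        findings.append("smtpd_delay_reject = no: rejects happen before the client can AUTH")
    for name in sorted(params):
        if not re.fullmatch(r"smtpd_\w+_restrictions", name):
            continue
        tokens = [t for t in re.split(r"[,\s]+", params[name]) if t]
        rejects = [i for i, t in enumerate(tokens) if t.startswith("reject_")]
        permit = tokens.index("permit_sasl_authenticated") if "permit_sasl_authenticated" in tokens else None
        if rejects and (permit is None or permit > rejects[0]):
            findings.append(f"{name}: {tokens[rejects[0]]} runs before permit_sasl_authenticated")
        findings += [f"{name}: {t} is deprecated, use {RENAMED[t]}" for t in tokens if t in RENAMED]
    return findings

# Constructed samples modelled on the settings quoted in the thread.
BROKEN = """smtpd_delay_reject = no
smtpd_client_restrictions = permit_sasl_authenticated,
    reject_unknown_client, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_helo_restrictions = reject_non_fqdn_hostname, reject_invalid_hostname
"""
FIXED = """smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unknown_client_hostname, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
"""
```

Calling `audit(parse_postconf(BROKEN))` returns five findings, starting with the smtpd_delay_reject one; the FIXED sample returns none.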