From: Yves Dorfsman on 2 Apr 2010 02:42

Hello,

I am using postfix version 2.5.6.

For years I have been using the settings:

smtpd_recipient_restrictions =
  permit_mynetworks,
  reject_unauth_destination,
  permit

smtpd_client_restrictions =
  permit_sasl_authenticated,
  reject_unknown_address,
  reject_unknown_client,
  reject_unknown_reverse_client_hostname,
  check_client_access hash:/etc/postfix/access,
  reject_rbl_client sbl-xbl.spamhaus.org

And that has been useful to fight some of the spam.

Now I need to connect from different places, from outside "mynetworks", from hotels etc... and some of them can't be reverse looked up. So I set up TLS and sasl, I get prompted for a password and it only accepts the right password, so it is basically working (and I can see the TLS connection in the log). But, when I do that from outside mynetworks, and from an ip that cannot be reverse looked up, the only way I can get it working is by commenting out the three "*unknown*", otherwise I get a "450 4.7.1 Client host rejected: cannot find your reverse hostname":

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  permit

smtpd_client_restrictions =
  permit_sasl_authenticated,
#  reject_unknown_address,
#  reject_unknown_client,
#  reject_unknown_reverse_client_hostname,
  check_client_access hash:/etc/postfix/access,
  reject_rbl_client sbl-xbl.spamhaus.org

Is there any way to tell postfix to accept to relay mail from an authenticated host, even if it is on an ip that cannot be reverse looked up, but yet, reject non-authenticated connections from hosts with this type of address?

I realise this is the wrong mailing list for this, but just in case, is there a way to tell thunderbird to use the same password for the smtp connection as it used for the imap connection?

Thanks.

--
Yves.
http://www.SollerS.ca/

From: Wietse Venema on 2 Apr 2010 08:18

Yves Dorfsman:
> Hello,
>
> I am using postfix version 2.5.6.
>
> For years I have been using the settings:
>
> smtpd_recipient_restrictions =
>   permit_mynetworks,
>   reject_unauth_destination,
>   permit

This allows relaying only from "local" clients.

> smtpd_client_restrictions =
>   permit_sasl_authenticated,
>   reject_unknown_address,
>   reject_unknown_client,
>   reject_unknown_reverse_client_hostname,
>   check_client_access hash:/etc/postfix/access,
>   reject_rbl_client sbl-xbl.spamhaus.org

This allows everything from SASL-authenticated clients, REGARDLESS of what follows after permit_sasl_authenticated.

> Now I need to connect from different places, from outside "mynetworks", from
> hotels etc... and some of them can't be reverse looked up. So I set up TLS and
> sasl, I get prompted for a password and it only accepts the right password, so
> it is basically working (and I can see the TLS connection in the log). But,
> when I do that from outside mynetworks, and from an ip that cannot be reverse
> looked up, the only way I can get it working is by commenting out the three
> "*unknown*", otherwise I get a "450 4.7.1 Client host rejected: cannot find
> your reverse hostname":

Then Postfix is not configured in the way that YOU believe it is configured.

This is why you should have followed the mailing list welcome instructions, and posted "postconf -n" command output instead of main.cf cut-and-paste fragments.

Here's the welcome message again:

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.

From: Yves Dorfsman on 2 Apr 2010 18:33

Wietse Venema wrote:
>>
>> For years I have been using the settings:
>>
>> smtpd_recipient_restrictions =
>>   permit_mynetworks,
>>   reject_unauth_destination,
>>   permit
>
> This allows relaying only from "local" clients.
>
>> smtpd_client_restrictions =
>>   permit_sasl_authenticated,
>>   reject_unknown_address,
>>   reject_unknown_client,
>>   reject_unknown_reverse_client_hostname,
>>   check_client_access hash:/etc/postfix/access,
>>   reject_rbl_client sbl-xbl.spamhaus.org
>
> This allows everything from SASL-authenticated clients, REGARDLESS of
> what follows after permit_sasl_authenticated.

Yes, this is my understanding from the documentation. But then, why do I get "450 4.7.1 Client host rejected: cannot find your reverse hostname" unless I comment out the three "reject_*"?

> This is why you should have followed the mailing list welcome
> instructions, and posted "postconf -n" command output instead of
> main.cf cut-and-paste fragments.

Sorry, I apologise, here's the output from my postconf -n:

broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /export/mail
mailbox_size_limit = 1000000000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_domains = $mydomain
message_size_limit = 1000000000
myhostname = home.zioup.com
mynetworks = 127.0.0.0/8,192.168.0.0/21
myorigin = zioup.com
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
relay_domains = $mydestination, woup.net, unikservice.com, unikservice.net, unikservice.org
relayhost = shawmail.cg.shawcable.net
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_sasl_authenticated, check_client_access hash:/etc/postfix/access, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_hostname, reject_invalid_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/lib/postfix/private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/valias
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_domains = zioup.com sollers.ca
virtual_mailbox_limit = 1000000000
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 1000
virtual_transport = dovecot
virtual_uid_maps = static:5000

--
Yves.
http://www.SollerS.ca/

From: Wietse Venema on 2 Apr 2010 19:24

Yves Dorfsman:
> Wietse Venema wrote:
> >>
> >> For years I have been using the settings:
> >>
> >> smtpd_recipient_restrictions =
> >>   permit_mynetworks,
> >>   reject_unauth_destination,
> >>   permit
> >
> > This allows relaying only from "local" clients.
> >
> >> smtpd_client_restrictions =
> >>   permit_sasl_authenticated,
> >>   reject_unknown_address,
> >>   reject_unknown_client,
> >>   reject_unknown_reverse_client_hostname,
> >>   check_client_access hash:/etc/postfix/access,
> >>   reject_rbl_client sbl-xbl.spamhaus.org
> >
> > This allows everything from SASL-authenticated clients, REGARDLESS of
> > what follows after permit_sasl_authenticated.
>
> Yes, this is my understanding from the documentation. But then, why do I get
> "450 4.7.1 Client host rejected: cannot find your reverse hostname" unless I
> comment out the three "reject_*"?

Because you did not look at "postconf -n" command output.

> > This is why you should have followed the mailing list welcome
> > instructions, and posted "postconf -n" command output instead of
> > main.cf cut-and-paste fragments.
>
> Sorry, I apologise, here's the output from my postconf -n:

There's no reject_unknown_* in there, so this does not reproduce the complaint.

Wietse

From: Yves Dorfsman on 2 Apr 2010 20:38

Wietse Venema wrote:
>
> There's no reject_unknown_* in there, so this does not reproduce
> the complaint.

Right, because I had commented them out in order to make it work. I put them back, here's the output of postconf -n

broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /export/mail
mailbox_size_limit = 1000000000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_domains = $mydomain
message_size_limit = 1000000000
myhostname = home.zioup.com
mynetworks = 127.0.0.0/8,192.168.0.0/21
myorigin = zioup.com
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
relay_domains = $mydestination, woup.net, unikservice.com, unikservice.net, unikservice.org
relayhost = shawmail.cg.shawcable.net
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_sasl_authenticated, reject_unknown_address, reject_unknown_client, reject_unknown_reverse_client_hostname, check_client_access hash:/etc/postfix/access, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_hostname, reject_invalid_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/lib/postfix/private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/valias
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_domains = zioup.com sollers.ca
virtual_mailbox_limit = 1000000000
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 1000
virtual_transport = dovecot
virtual_uid_maps = static:5000

--
Yves.
http://www.SollerS.ca/
gmail, jabber, LiveJournal, nimbuzz, ovi, dreamhost xim.ca: xmpp:yves(a)zioup.com
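
Added example (not part of the thread, and not Postfix code): a simplified Python model of how the smtpd_delay_reject = no setting in the posted output changes when smtpd_client_restrictions is evaluated relative to SASL AUTH. The function names and the has_ptr / presents_sasl_login parameters are hypothetical, the configuration text is a constructed excerpt of the posted output, and only two restriction names are modelled.

```python
# Added example: simplified model of when Postfix evaluates
# smtpd_client_restrictions. Names and parameters are hypothetical.

# Constructed excerpt of the second `postconf -n` output in the thread.
POSTCONF_N = """\
smtpd_client_restrictions = permit_sasl_authenticated, reject_unknown_address, reject_unknown_client, reject_unknown_reverse_client_hostname, check_client_access hash:/etc/postfix/access, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_delay_reject = no
smtpd_sasl_auth_enable = yes
"""


def parse_postconf(text):
    """Turn `name = value` lines into a dict."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf


def client_verdict(conf, has_ptr, presents_sasl_login):
    """Return (stage, verdict) for the client restriction list.

    Restrictions are tried in order; the first PERMIT or REJECT wins.
    smtpd_delay_reject defaults to yes: the list is held until RCPT TO,
    which comes after AUTH. With `no` it runs at connect time, when no
    client can be authenticated yet, so permit_sasl_authenticated
    cannot match there.
    """
    delayed = conf.get("smtpd_delay_reject", "yes") == "yes"
    stage = "RCPT TO" if delayed else "connect"
    authenticated = delayed and presents_sasl_login
    for item in conf.get("smtpd_client_restrictions", "").split(","):
        words = item.split()
        if not words:
            continue
        name = words[0]  # any arguments (map, RBL zone) are ignored here
        if name == "permit_sasl_authenticated" and authenticated:
            return stage, "permit"
        if name == "reject_unknown_reverse_client_hostname" and not has_ptr:
            return stage, "reject"
    return stage, "no decision"


if __name__ == "__main__":
    conf = parse_postconf(POSTCONF_N)
    for delay in ("no", "yes"):
        conf["smtpd_delay_reject"] = delay
        for login in (True, False):
            print(delay, login, client_verdict(conf, False, login))
```

On a live system the two settings can be read with `postconf smtpd_delay_reject smtpd_client_restrictions`.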