On Wed, 2010-05-26 at 15:40 +0100, Steve wrote:
> On a gentoo mailserver, I'm running Postfix 2.6.5 - and, having followed
> some howto or other, quite a long time ago, I have this section at the
> end of my main.cf:
>
> --
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination,
> reject_non_fqdn_sender,
> reject_rbl_client sbl-xbl.spamhaus.org,
> reject_rbl_client list.dsbl.org,
> reject_rbl_client bl.spamcop.net,
> reject_unknown_sender_domain,
> reject_rhsbl_sender bogusmx.rfc-ignorant.org
> --
>
> While it might not be optimal, it worked extremely well for a long
> time. The block lists were a godsend as I receive(d) quite a lot of
> spam which had threatened to bog down spamassassin. For ages, I just
> used my ISP's SMTP server to send, and only received on my own.
>
> I've bought a smart phone (an HTC HD2 on Windows Mobile 6.5) and need to
> use it to access my email on this server - both via mobile and Wi-Fi
> connectivity. The IMAP(s) side works OK for my inbox (after a few
> dovecot tweaks) - and, after a setting up SASL, I can now send email
> from my phone via my own SMTP server, which gateways this to my ISP...
> all secured by a complex password. So far, so good - and I can send
> email from home over Wi-Fi from my phone. The problem arises
> elsewhere... where I'm not connected to my local (W)LAN (i.e. where I'm
> not in "permit_mynetworks") - where the phone reports:
>
> --
> The server returned the following error message:
>
> 554 5.7.1 Service unavailable; Client host 149.254.48.170 blocked using
> sbl-xbl.spamhouse.org; http://www.spamhous.org/query/bl?ip=149.254.48.170
> --
>
> The block comes as no surprise as 149.254.48.170 isn't exclusively under
> my control - and, likely, is a vector for lots of spam - now mobile data
> services are cheap and difficult to trace. What I didn't expect is for
> my connection to be rejected even though I had the right username and
> password.
>
> So... the questions:
>
> * How can I alter the configuration to process email from blocked
> locations if and only if the client authenticates?
> * How can I verify that SMTP auth has been done (when connecting from my
> LAN) - it would be a disaster if I inadvertently created an open relay.
> (I don't think I have - but better safe than sorry, etc.)
>
> Thanks in advance for any replies...
>
>
You want to split your rules between smtpd_recipient_restrictions,
smtpd_sender_restrictions, and smtpd_client_restrictions. The first will
apply rules to the recipient address, controlling the destinations to
which the mail server will send mail. The second will apply rules to the
sender address. The third will restrict who is allowed to connect to
your mail server in the first place. By default,
smtpd_recipient_restrictions permits mynetworks and rejects unauthorized
recipients, smtp_sender_restrictions permits everything, and
smtpd_client_restrictions allows all connections. In all, the first
restriction that matches is applied.
What you want it something closer to this:
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client bl.spamcop.net,
reject_rhsbl_sender bogusmx.rfc-ignorant.org
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
smtpd_sender_restrictons =
permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_unknown_sender_domain
Note that I have not tested this exact configuration, but I have
something similar on my mail server. This configuration will allow all
mail from your local network and any authenticated client. If neither of
these conditions are met, the remote client is blocked if they are on
one of the DNS block lists, the sender address is not known, or the mail
is addressed to an unauthorized destination. If the client is on the
local network or authenticated, none of the other rules will apply. You
can of course test the rules by using one of the many mail relay testing
websites or simply connecting from outside your network with and without
using authentication.
For more information on these rules, look at the postfix documentation,
which is quite comprehensive:
* http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
* http://www.postfix.org/postconf.5.html#smtpd_client_restrictions
* http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
You might also want to take a look at smtpd_helo_restrictions and
smtpd_data_restrictions for further tuning. Also, note that spamhaus
recommends zen.spamhaus.org instead of sbl-xbl.spamhaus.org. The former
is more comprehensive while the latter is geared only toward exploits.
Do not include both, as zen includes sbl-xbl.
For more in-depth information, you probably want to ask the
postfix-users mailing list, as your issue relates to Postfix more than
Gentoo.
I hope the above helps.
Regards,
Brandon Vargo
