On 2010-05-26 3:32 PM, Brandon Vargo wrote: > On Wed, 2010-05-26 at 15:40 +0100, Steve wrote: >> On a gentoo mailserver, I'm running Postfix 2.6.5 - and, having followed >> some howto or other, quite a long time ago, I have this section at the >> end of my main.cf:
<snip> >> The problem arises elsewhere... where I'm not connected to my local >> (W)LAN (i.e. where I'm not in "permit_mynetworks") - where the >> phone reports: Whether or not your client is in mynetwroks is irrelevant, if you are sasl_authenticating. >> The server returned the following error message: >> >> 554 5.7.1 Service unavailable; Client host 149.254.48.170 blocked using >> sbl-xbl.spamhouse.org; http://www.spamhous.org/query/bl?ip=149.254.48.170 >> -- >> >> The block comes as no surprise as 149.254.48.170 isn't exclusively under >> my control Irrelevant... >> So... the questions: >> >> * How can I alter the configuration to process email from blocked >> locations if and only if the client authenticates? >> * How can I verify that SMTP auth has been done (when connecting from my >> LAN) - it would be a disaster if I inadvertently created an open relay. >> (I don't think I have - but better safe than sorry, etc.) >> >> Thanks in advance for any replies... > You want to split your rules between smtpd_recipient_restrictions, > smtpd_sender_restrictions, and smtpd_client_restrictions. Absolutely not necessary. In most cases - as long as the default (yes) for smtpd_delay_reject hasn't been changed - it is perfectly fine to have all restrictions under smtpd_recipient_restrictions - and in fact it is desirable because it is easier to maintain. The problem is that you are *not* sasl_authenticating - if you were, then you would not have hit that restriction. We need two things - output of postconf -n on your server, and a log snippet of a rejected send attempt. Also, contents of master.cf - are you using port 25, or the submission port (587)? You should always use the submission port if you aren't now. Charles
