Noel Jones wrote:
Miguel Da Silva - Centro de Matemática wrote:
Dear users, I realized today that the local SMTP server is not working
as expected.
I found these lines in the log files:
Mar 2 22:42:48 smtp postfix/smtpd[30427]: 1A66913105B: client=r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134.zz.xx], sasl_method=PLAIN, sasl_username=usuario1
Mar 2 22:42:49 mordred postfix/cleanup[30478]: 1A66913105B: message-id=<49ac7fbf.1050...@cmat.edu.uy>
Mar 2 18:41:59 smtp postfix/smtpd[15652]: TLS connection established from r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134.zz.xx]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Mar 2 18:42:02 smtp postfix/smtpd[15652]: NOQUEUE: reject: RCPT from r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134.zz.xx]: 450 4.7.1 <dest...@cmat.edu.uy>: Recipient address rejected: Greylisting in action, please come back later.; from=<usuar...@cmat.edu.uy> to=<dest...@cmat.edu.uy> proto=ESMTP helo=<UserPC>
So, the first 2 lines show usuario1 sending mail through this server
and everything goes fine. His client is using SASL authentication and
that's ok. On the other hand, the last 2 lines show usuario2 cannot
use the SMTP server. The mail he is sending is being rejected. But,
the rejection is due to greylisting (postgrey is being used), not due
to lack of authentication. Note both users are sending mail from
their homes.
Obviously usuario2 did not authenticate.
Here are some lines from main.cf:
smtpd_recipient_restrictions =
    reject_rbl_client sbl.spamhaus.org
    reject_rbl_client bl.spamcop.net
Do you really want to subject authenticated users to the above checks?
Many users' home ISPs will be listed in spamhaus and/or spamcop and
won't be able to submit mail. These checks should be moved below
reject_unauth_destination, and you should probably use zen.spamhaus.org
rather than sbl.
    check_recipient_access hash:/etc/postfix/bloqueados
It's generally unwise to put access tables before
reject_unauth_destination. Accidental entries can make you an open relay.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    reject_unknown_recipient_domain
    reject_unverified_recipient
    check_policy_service inet:127.0.0.1:10026
smtpd_sender_restrictions =
    regexp:/etc/postfix/sender.regexp,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
Suggestions?! My idea is, if you are not part of $mynetworks, then
authenticating is the only way to get mail relayed through this server.
Greetings.
-- Noel Jones
Thank you for your advice. I changed the position of those restrictions
and now it is:
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/bloqueados
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
    reject_unknown_recipient_domain
    reject_unverified_recipient
    check_policy_service inet:127.0.0.1:10026
By the way, I kept check_recipient_access as the first one because it is
written correctly and all it does is reject mail to 2 local users that
must not receive any message no matter who sends it.
But, the main issue remains... I could not enforce authentication.
Let's keep reading...
Greetings.
--
Miguel Da Silva
Administrador Junior de Sistemas Unix
Centro de Matemática - http://www.cmat.edu.uy
Facultad de Ciencias - http://www.fcien.edu.uy
Universidad de la República - http://www.rau.edu.uy
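The restriction ordering discussed in this thread, worked through as an added example (it is not Postfix code nor anything from the list posters): a small model of how Postfix walks smtpd_recipient_restrictions, tried against both orderings above. The IPs, usernames, recipients and access-map entries are constructed; the model assumes first-match-wins with an implicit permit at the end, and ignores greylisting and the other checks.

```python
# Simplified model of how Postfix walks smtpd_recipient_restrictions: entries
# are tried in order, the first definite PERMIT or REJECT wins, DUNNO falls
# through. Constructed illustration only, not Postfix's own logic.

LOCAL_DOMAINS = {"cmat.edu.uy"}
MYNETWORKS = {"127.0.0.1"}
RBL_LISTED = {"190.134.1.2"}                     # constructed: a dial-up IP on a DNSBL
BLOQUEADOS = {"blocked@cmat.edu.uy": "REJECT"}   # stands in for hash:/etc/postfix/bloqueados

def evaluate(restrictions, client_ip, sasl_username, recipient, access=BLOQUEADOS):
    """Return (verdict, restriction that produced it) for one RCPT TO."""
    domain = recipient.split("@", 1)[1]
    for r in restrictions:
        if r == "permit_mynetworks":
            v = "PERMIT" if client_ip in MYNETWORKS else "DUNNO"
        elif r == "permit_sasl_authenticated":
            v = "PERMIT" if sasl_username else "DUNNO"
        elif r.startswith("reject_rbl_client"):
            v = "REJECT" if client_ip in RBL_LISTED else "DUNNO"
        elif r == "reject_unauth_destination":
            v = "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"
        elif r == "check_recipient_access":
            # like Postfix, look up the full address first, then the domain
            v = access.get(recipient, access.get(domain, "DUNNO"))
            v = "PERMIT" if v == "OK" else v
        else:
            v = "DUNNO"                          # greylisting etc. not modelled
        if v != "DUNNO":
            return v, r
    return "PERMIT", "end of list"               # implicit permit at the end

ORIGINAL = ["reject_rbl_client sbl.spamhaus.org", "reject_rbl_client bl.spamcop.net",
            "check_recipient_access", "permit_sasl_authenticated",
            "permit_mynetworks", "reject_unauth_destination"]
CORRECTED = ["check_recipient_access", "permit_mynetworks", "permit_sasl_authenticated",
             "reject_unauth_destination", "reject_rbl_client zen.spamhaus.org",
             "reject_rbl_client bl.spamcop.net"]

def authenticated_home_user(order):
    # usuario1 authenticates from a DNSBL-listed home IP and mails an outside domain
    return evaluate(order, "190.134.1.2", "usuario1", "friend@example.org")

def unauthenticated_to_local(order):
    # usuario2 does not authenticate, but the recipient is local: ordinary inbound mail
    return evaluate(order, "190.134.5.6", None, "dest@cmat.edu.uy")

def relay_attempt(order, access=BLOQUEADOS):
    # unknown client, no SASL, recipient outside the local domains
    return evaluate(order, "203.0.113.9", None, "victim@example.org", access)
```

The model shows why usuario2 was not refused: with either ordering, unauthenticated mail to a local domain passes every restriction because it is inbound mail, not relaying, so nothing in the list asks for credentials. Passing `relay_attempt(CORRECTED, {"example.org": "OK"})` reproduces the open-relay danger of an accidental OK entry ahead of reject_unauth_destination.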