I'm trying to implement a white list with check_sender_access in smtpd_recipient_restrictions. The problem I'm running into is that the submission port is requiring TLS even when I have set smtpd_enforce_tls=no and smtp_enforce_tls=no in main.cf and specified them as options for the submission entry in master.cf.

The details are, I'm trying to change the transport for white listed domains so that the spam filters and what not are bypassed. The mail delivery attempt via the submission port fails every time with "Must issue a STARTTLS command first." I feel confident that I'm overlooking something obvious but I've given all the various config settings I can think of an attempt with the same outcome.

This is all dev stuff, none of it is set in stone. If anyone has a better suggestion on how to bypass the spam filters and what not for certain domains, I'm ready to listen.

From here on is my postconf -n, white_list file for check_sender_access, submission entry from master.cf and the relevant log entries.

postconf -n:
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
maximal_backoff_time = 300s
message_size_limit = 0
minimal_backoff_time = 120s
mydestination = maildev.judelawfirm.com
myhostname = maildev.judelawfirm.com
mynetworks = 127.0.0.0/8        192.168.1.0/24
myorigin = maildev.judelawfirm.com
queue_run_delay = 120s
readme_directory = no
recipient_bcc_maps = pcre:/etc/postfix/recipient_bcc
recipient_delimiter = +
sender_bcc_maps = pcre:/etc/postfix/recipient_bcc
smtp_enforce_tls = no
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_data_restrictions = reject_unauth_pipelining permit_mynetworks permit_sasl_authenticated
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname reject_non_fqdn_hostname
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated check_sender_access hash:/etc/postfix/black_list check_sender_access hash:/etc/postfix/white_list reject_unlisted_recipient reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transports
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1000
virtual_transport = dovecot
virtual_uid_maps = static:1000


/etc/postfix/white_list:
gmail.com               FILTER          smtp:[127.0.0.1]:submission


submission entry from /etc/postfix/master.cf:
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=no
  -o smtp_enforce_tls=no
  -o mynetworks=127.0.0.0/8
  -o smtpd_client_restrictions=permit_my_networks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=


log entries:
Mar  4 13:48:10 mail1 postfix/smtpd[15692]: connect from qw-out-2122.google.com[74.125.92.26]
Mar  4 13:48:11 mail1 postfix/smtpd[15692]: NOQUEUE: filter: RCPT from qw-out-2122.google.com[74.125.92.26]: <jptroscl...@gmail.com>: Sender address triggers FILTER smtp:[127.0.0.1]:submission; from=<jptroscl...@gmail.com> to=<jptroscl...@itdevel.net> proto=ESMTP helo=<qw-out-2122.google.com>
Mar  4 13:48:11 mail1 postfix/smtpd[15692]: 35B9C19C717: client=qw-out-2122.google.com[74.125.92.26]
Mar  4 13:48:11 mail1 postfix/cleanup[15697]: 35B9C19C717: message-id=<49aedb33.1020...@gmail.com>
Mar  4 13:48:11 mail1 postfix/qmgr[15691]: 35B9C19C717: from=<jptroscl...@gmail.com>, size=1989, nrcpt=2 (queue active)
Mar  4 13:48:11 mail1 postfix/smtpd[15699]: connect from localhost[127.0.0.1]
Mar  4 13:48:11 mail1 postfix/smtp[15698]: 35B9C19C717: to=<jptroscl...@itdevel.net>, relay=127.0.0.1[127.0.0.1]:587, delay=0.34, delays=0.31/0.01/0.02/0, dsn=5.7.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
Mar  4 13:48:11 mail1 postfix/smtp[15698]: 35B9C19C717: to=<jptroscl...@itdevel.net.archive>, relay=127.0.0.1[127.0.0.1]:587, delay=0.34, delays=0.31/0.01/0.02/0, dsn=5.7.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
Mar  4 13:48:11 mail1 postfix/smtpd[15699]: disconnect from localhost[127.0.0.1]
Mar  4 13:48:11 mail1 postfix/cleanup[15697]: 92DAE19C71C: message-id=<20090304194811.92DAE19C71C@maildev.judelawfirm.com>
Mar  4 13:48:11 mail1 postfix/bounce[15700]: 35B9C19C717: sender non-delivery notification: 92DAE19C71C
Mar  4 13:48:11 mail1 postfix/qmgr[15691]: 92DAE19C71C: from=<>, size=3957, nrcpt=1 (queue active)
Mar  4 13:48:11 mail1 postfix/qmgr[15691]: 35B9C19C717: removed
Mar  4 13:48:13 mail1 postfix/smtp[15698]: 92DAE19C71C: to=<jptroscl...@gmail.com>, relay=gmail-smtp-in.l.google.com[209.85.221.17]:25, delay=1.5, delays=0.07/0/0.48/0.93, dsn=2.0.0, status=sent (250 2.0.0 OK 1236196153 17si1398865qyk.55)
Mar  4 13:48:13 mail1 postfix/qmgr[15691]: 92DAE19C71C: removed
Mar  4 13:48:41 mail1 postfix/smtpd[15692]: disconnect from qw-out-2122.google.com[74.125.92.26]

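Added example, not part of the original post: a Python check that resolves which TLS level the submission listener enforces from the settings quoted above. It relies on documented Postfix behaviour (a non-empty smtpd_tls_security_level overrides the legacy smtpd_use_tls and smtpd_enforce_tls, and smtp_* parameters configure the smtp(8) client rather than an smtpd listener); the function names and the trimmed sample input are constructed for illustration.

```python
import shlex

# Constructed sample input mirroring the settings quoted in the post.
MAIN_CF = {"smtpd_use_tls": "yes", "smtpd_enforce_tls": "no"}
MASTER_CF = """\
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_enforce_tls=no
  -o smtp_enforce_tls=no
  -o content_filter=
"""

def service_overrides(master_cf, service):
    """Return the -o name=value overrides of one master.cf service entry."""
    entries, current = [], None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            current.append(line)      # leading whitespace continues the entry
        else:
            current = [line]
            entries.append(current)
    for entry in entries:
        fields = shlex.split(" ".join(entry))
        if fields[0] != service:
            continue
        args = fields[8:]             # after the 7 columns and the command name
        return dict(v.split("=", 1) for o, v in zip(args, args[1:]) if o == "-o")
    return {}

def effective_smtpd_tls(main_cf, overrides):
    """Resolve the TLS level smtpd enforces, and which parameter decided it."""
    cfg = {**main_cf, **overrides}    # -o on the service wins over main.cf
    level = cfg.get("smtpd_tls_security_level", "")
    if level:                         # non-empty level overrides the legacy pair
        return level, "smtpd_tls_security_level"
    if cfg.get("smtpd_enforce_tls") == "yes":
        return "encrypt", "smtpd_enforce_tls"
    if cfg.get("smtpd_use_tls") == "yes":
        return "may", "smtpd_use_tls"
    return "none", "default"

def ignored_client_params(overrides):
    """smtp_* overrides have no effect on an smtpd listener."""
    return sorted(k for k in overrides if k.startswith("smtp_"))

if __name__ == "__main__":
    print(effective_smtpd_tls(MAIN_CF, service_overrides(MASTER_CF, "submission")))
```

For the quoted entry the result is `encrypt`, decided by `smtpd_tls_security_level`, which matches the 530 reply in the log.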