On Tue, 31 Mar 2009, Russell Horn wrote:

> I've a user who had their mail rejected for not presenting a FQDN as part of
> the SMTP HELO, yet they were sasl authenticated.
>
> The log says:
>
> Apr 1 01:06:31 paddington postfix/smtpd[3215]: NOQUEUE: reject: RCPT from
> xxx.blueyonder.co.uk[92.xxx.xxx.xxx]: 504 <titan>: Helo command rejected:
> need fully-qualified hostname; from=<b...@example.com> to=<
> russ...@example.com> proto=ESMTP helo=<titan>

Can you show logging that confirms this client authenticated? For example,
what is the output of:

% grep 3215 /var/log/maillog | grep sasl_method

> I thought if permit_sasl_authenticated came first, then that would take
> precedence over the reject_non_fqdn, is that not the case, or is something
> else wrong?

smtpd_recipient_restrictions are applied in the order they are specified.

> access_map_reject_code = 550

What's wrong with 554?

> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
> body_checks = pcre:/etc/postfix/virus
> bounce_size_limit = 1000
> broken_sasl_auth_clients = yes
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib/postfix
> debug_peer_level = 3
> default_destination_concurrency_limit = 20
> default_process_limit = 20
> defer_transports =
> disable_dns_lookups = no
> disable_vrfy_command = yes
> header_checks = pcre:/etc/postfix/headerchecks
> html_directory = /usr/share/doc/packages/postfix/html
> invalid_hostname_reject_code = 501
> lmtp_sasl_security_options = noanonymous
> local_destination_concurrency_limit = 3
> local_recipient_maps =
> mail_name = Postfix ESMTP $myhostname

Your $smtpd_banner must look ridiculous.

> mail_spool_directory = /var/mail
> mailbox_transport = lmtp:unix:/var/spool/postfix/socket/lmtp
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> maps_rbl_domains = blackholes.mail-abuse.org, sbl.spamhaus.org,
> bl.spamcop.net, blackholes.easynet.nl

Obsolete; consider using reject_rbl_client instead.

> maps_rbl_reject_code = 550

Why did you change this from 554?

> masquerade_exceptions = root
> message_size_limit = 35000000
> mime_header_checks = pcre:/etc/postfix/virus
> mydestination = example.com
> mynetworks = 87.117.xxx.xxx
> myorigin = example.com
> newaliases_path = /usr/bin/newaliases
> owner_request_special = no
> readme_directory = /usr/share/doc/packages/postfix/README_FILES
> recipient_delimiter = +
> reject_code = 550

Why? Just curious.

> relay_domains_reject_code = 550
> relocated_maps = hash:/etc/postfix/relocated
> sample_directory = /usr/share/doc/packages/postfix/samples
> sendmail_path = /usr/sbin/sendmail
> setgid_group = maildrop
> smtp_sasl_security_options =
> smtp_tls_CAfile = /etc/postfix/certs/ssl.ca
> smtp_tls_cert_file = /etc/postfix/certs/ssl.cert
> smtp_tls_key_file = /etc/postfix/certs/ssl.key
> smtp_tls_loglevel = 1
> smtp_tls_note_starttls_offer = yes
> smtp_tls_session_cache_database = sdbm:/etc/postfix/cache/smtp_scache
> smtp_tls_session_cache_timeout = 3600s
> smtp_use_tls = yes
> smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl

This is odd. You have type:table without specifying a restriction that
queries that type:table; see postconf(5).

> smtpd_delay_reject = no
> smtpd_helo_required = yes
> smtpd_recipient_limit = 300
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
> check_client_access hash:/etc/postfix/access, reject_unauth_destination
> hash:/etc/postfix/block, reject_non_fqdn_hostname, reject_non_fqdn_sender,
> reject_non_fqdn_recipient, reject_invalid_hostname,
> reject_unknown_sender_domain, check_relay_domains
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = foo
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = check_sender_access, hash:/etc/postfix/spammers

Extraneous comma.

--
Sahil Tandon <sa...@tandon.net>
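
An added example, not part of the original thread: an smtpd process serves many connections in turn, so a grep on the PID alone can match a sasl_method line from a different session than the rejected one. This Python sketch groups lines by PID and connect/disconnect boundaries; the sample log, its hosts, users and queue ID are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample log (hosts, users and queue ID are made up). PID 3215
# serves two sessions: an authenticated one, then the one that was rejected.
SAMPLE_LOG = """\
Apr  1 01:02:10 paddington postfix/smtpd[3215]: connect from a.example.net[192.0.2.10]
Apr  1 01:02:11 paddington postfix/smtpd[3215]: 4F3A1B2C3D: client=a.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Apr  1 01:02:12 paddington postfix/smtpd[3215]: disconnect from a.example.net[192.0.2.10]
Apr  1 01:06:30 paddington postfix/smtpd[3215]: connect from b.example.net[192.0.2.20]
Apr  1 01:06:31 paddington postfix/smtpd[3215]: NOQUEUE: reject: RCPT from b.example.net[192.0.2.20]: 504 <titan>: Helo command rejected: need fully-qualified hostname; from=<bob@example.com> to=<russ@example.com> proto=ESMTP helo=<titan>
Apr  1 01:06:32 paddington postfix/smtpd[3215]: disconnect from b.example.net[192.0.2.20]
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# smtpd logs sasl_method on the "client=" line of a message that got a queue ID
SASL = re.compile(r"sasl_method=(?P<method>[^,\s]+)(?:, sasl_username=(?P<user>\S+))?")
REJECT = re.compile(r"NOQUEUE: reject: \w+ from (?P<client>\S+): (?P<code>\d{3}) ")


def sessions(log_text):
    """Group smtpd lines into sessions by PID and connect/disconnect boundaries."""
    current, finished = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from ") and pid in current:
            finished.append(current.pop(pid))  # earlier session lacked a disconnect line
        sess = current.setdefault(
            pid, {"pid": pid, "sasl_method": None, "sasl_username": None, "rejects": []})
        if (s := SASL.search(msg)):
            sess["sasl_method"], sess["sasl_username"] = s["method"], s["user"]
        elif (r := REJECT.search(msg)):
            sess["rejects"].append((r["code"], r["client"]))
        elif msg.startswith("disconnect from "):
            finished.append(current.pop(pid))
    return finished + list(current.values())


def rejected_sessions(log_text):
    """Sessions with at least one NOQUEUE reject; sasl_method is None if none was logged."""
    return [s for s in sessions(log_text) if s["rejects"]]


if __name__ == "__main__":
    for s in rejected_sessions(SAMPLE_LOG):
        print(s["pid"], s["rejects"], "sasl_method:", s["sasl_method"] or "not logged in this session")
```

A sasl_method value in the same session confirms authentication; None only means the log holds no confirmation for that session.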