Russell Horn wrote:
> Hi,

> I've a user who had their mail rejected for not presenting a FQDN as part of the SMTP HELO, yet they were sasl authenticated.

> The log says:

> Apr 1 01:06:31 paddington postfix/smtpd[3215]: NOQUEUE: reject: RCPT from xxx.blueyonder.co.uk[92.xxx.xxx.xxx]: 504 <titan>: Helo command rejected: need fully-qualified hostname; from=<b...@example.com> to=<russ...@example.com> proto=ESMTP helo=<titan>

[press the "plain text" button when posting from gmail]

Do you have evidence the user really authenticated?

more notes below...

> And main.cf has

> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/access, reject_unauth_destination hash:/etc/postfix/block, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, reject_unknown_sender_domain, check_relay_domains

> I thought if permit_sasl_authenticated came first, then that would take precedence over the reject_non_fqdn, is that not the case, or is something else wrong? postconf -n is below.

Restrictions are evaluated in the order listed. Either the client didn't authenticate or you have reject_non_fqdn_hostname elsewhere in your config.

Do you have a "submission" or "smtps" service with different settings defined in master.cf?

Best guess at this point is the client didn't authenticate.


> --- postconf -n ---

> access_map_reject_code = 550

Better to remove this to leave at its default.

> default_destination_concurrency_limit = 20

This is the default.  Better to remove default values.

> default_process_limit = 20

This is quite low, the current default is 100. OK for a very low volume and/or low memory site.

> disable_dns_lookups = no

Again, better to remove default values.

> invalid_hostname_reject_code = 501

another default.

> local_recipient_maps =

Very bad if you have local users. You will accept and bounce undeliverable mail, making you a backscatter source. Besides clogging your queue with undeliverable bounces, if you annoy enough innocent bystanders you'll get blacklisted.

> mail_name = Postfix ESMTP $myhostname

Very odd.  Best to remove this.

> maps_rbl_domains = blackholes.mail-abuse.org, sbl.spamhaus.org, bl.spamcop.net, blackholes.easynet.nl

maps_rbl_domains is deprecated; you should remove the above and use explicit reject_rbl_client statements instead.

mail-abuse.org is a pay service (with questionable effectiveness). Remove it unless you have a subscription.

sbl.spamhaus.org is OK, but zen.spamhaus.org is far more effective. Note spamhaus' usage policy has changed, they are no longer free for "high-volume" sites and will block queries if you exceed their limits.

> maps_rbl_reject_code = 550

Best left at the default.

> mynetworks = 87.117.xxx.xxx

It's not required, but generally a good idea to include 127.0.0.1 in mynetworks.

> reject_code = 550
> relay_domains_reject_code = 550

both these are best left at defaults.

> smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl

Much better to use
  check_client_access hash:/etc/postfix/access
rather than depending on the undocumented implied check_{SECTION}_access.

It's best to prefix these with
  permit_mynetworks, permit_sasl_authenticated
so you don't reject your own users if their home connection happens to be on an RBL.

Even better, move these checks to smtpd_recipient_restrictions.

> smtpd_delay_reject = no

Generally unwise. This prevents excluding authenticated clients from smtpd_client_restrictions or smtpd_helo_restrictions because the client hasn't authenticated yet. Also reduces the usefulness of logged rejections since the sender and intended recipient can't be logged.

But OK if your authenticated users are connecting to "submission" or "smtps" with alternate settings.

> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/access,

I see you've duplicated your client access map here.
Remove one of them.

> reject_unauth_destination hash:/etc/postfix/block,

another bare map name.  Far better to use
  check_recipient_access hash:/etc/postfix/block

> reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, reject_unknown_sender_domain, check_relay_domains

check_relay_domains is deprecated and should not be used. Since you already have reject_unauth_destination above, just remove this.

This is a fine place to move your RBL restrictions
  reject_rbl_client zen.spamhaus.org
  reject_rbl_client bl.spamcop.net

> unknown_address_reject_code = 450
> unknown_client_reject_code = 450
> unknown_hostname_reject_code = 450
> unknown_local_recipient_reject_code = 450

Better to change all these to 550 unless you are having trouble with rejecting mail you want - and are watching the logs for it.


  -- Noel Jones
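A toy model of the two points made in the reply above: smtpd walks each restriction list in order and the first permit or reject wins, and with smtpd_delay_reject = no the client and helo lists are evaluated before AUTH can have happened, so permit_sasl_authenticated cannot protect an authenticated user there. This is added illustration code, not code from the post or from Postfix itself; it keeps only a handful of restrictions and the session dictionaries are constructed to resemble the rejected HELO "titan" in the log.

```python
# Added illustration (not from the list post or from Postfix): a toy model of
# how smtpd walks a restriction list in order, and of what
# smtpd_delay_reject = no does to permit_sasl_authenticated in the early
# stages. Real smtpd has many more restrictions; this keeps only a few.
import re

FQDN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def evaluate(restrictions, client):
    """Walk one restriction list; the first PERMIT or REJECT wins, DUNNO falls through."""
    for r in restrictions:
        if r == "permit_mynetworks" and client["in_mynetworks"]:
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and client["sasl_authenticated"]:
            return "PERMIT", r
        if r == "reject_rbl_client" and client["on_rbl"]:
            return "REJECT", "554 client listed on RBL"
        if r == "reject_non_fqdn_hostname" and not FQDN.match(client["helo"]):
            return "REJECT", "504 need fully-qualified hostname"
        if r == "reject_unauth_destination" and not client["local_recipient"]:
            return "REJECT", "554 relay access denied"
    return "DUNNO", None


def session(config, client, delay_reject=True):
    """Run the client, helo and recipient stages as smtpd would for one RCPT."""
    for stage in ("client", "helo", "recipient"):
        seen = dict(client)
        # AUTH comes after EHLO, so with smtpd_delay_reject = no the client
        # and helo lists run before the client has had a chance to authenticate.
        if not delay_reject and stage in ("client", "helo"):
            seen["sasl_authenticated"] = False
        verdict, why = evaluate(config.get(stage, []), seen)
        if verdict == "REJECT":
            return "REJECT", stage, why
    return "ACCEPT", None, None


# Constructed session resembling the log line: authenticated home user, HELO "titan".
HOME_USER = {"in_mynetworks": False, "sasl_authenticated": True, "on_rbl": False,
             "helo": "titan", "local_recipient": False}
CONFIG = {
    "client": ["permit_mynetworks", "permit_sasl_authenticated", "reject_rbl_client"],
    "helo": ["permit_mynetworks", "permit_sasl_authenticated", "reject_non_fqdn_hostname"],
    "recipient": ["permit_mynetworks", "permit_sasl_authenticated",
                  "reject_unauth_destination", "reject_non_fqdn_hostname"],
}

if __name__ == "__main__":
    print(session(CONFIG, HOME_USER, delay_reject=True))   # accepted
    print(session(CONFIG, HOME_USER, delay_reject=False))  # 504 at the helo stage
```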
