Russell Horn wrote:
Hi,
I've a user who had their mail rejected for not presenting a FQDN as
part of the SMTP HELO, yet they were sasl authenticated.
The log says:
Apr 1 01:06:31 paddington postfix/smtpd[3215]: NOQUEUE: reject: RCPT
from xxx.blueyonder.co.uk[92.xxx.xxx.xxx]:
504 <titan>: Helo command rejected: need fully-qualified hostname;
from=<b...@example.com> to=<russ...@example.com> proto=ESMTP helo=<titan>
[press the "plain text" button when posting from gmail]
Do you have evidence the user really authenticated?
more notes below...
And main.cf has
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, check_client_access hash:/etc/postfix/access,
reject_unauth_destination hash:/etc/postfix/block,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_invalid_hostname,
reject_unknown_sender_domain, check_relay_domains
I thought if permit_sasl_authenticated came first, then that would take
precedence over the reject_non_fqdn; is that not the case, or is
something else wrong? postconf -n is below.
Restrictions are evaluated in the order listed. Either the
client didn't authenticate or you have
reject_non_fqdn_hostname elsewhere in your config.
Do you have a "submission" or "smtps" service with different
settings defined in master.cf?
Best guess at this point is the client didn't authenticate.
--- postconf -n ---
access_map_reject_code = 550
Better to remove this to leave at its default.
default_destination_concurrency_limit = 20
This is the default. Better to remove default values.
default_process_limit = 20
This is quite low, the current default is 100. OK for a very
low volume and/or low memory site.
disable_dns_lookups = no
Again, better to remove default values.
invalid_hostname_reject_code = 501
another default.
local_recipient_maps =
Very bad if you have local users. You will accept and bounce
undeliverable mail, making you a backscatter source.
Besides clogging your queue with undeliverable bounces, if you
annoy enough innocent bystanders you'll get blacklisted.
mail_name = Postfix ESMTP $myhostname
Very odd. Best to remove this.
maps_rbl_domains = blackholes.mail-abuse.org, sbl.spamhaus.org, bl.spamcop.net, blackholes.easynet.nl
maps_rbl_domains is deprecated; you should remove the above
and use explicit reject_rbl_client statements instead.
mail-abuse.org is a pay service (with questionable
effectiveness). Remove it unless you have a subscription.
sbl.spamhaus.org is OK, but zen.spamhaus.org is far more
effective. Note spamhaus' usage policy has changed, they are
no longer free for "high-volume" sites and will block queries
if you exceed their limits.
maps_rbl_reject_code = 550
Best left at the default.
mynetworks = 87.117.xxx.xxx
It's not required, but generally a good idea to include
127.0.0.1 in mynetworks.
reject_code = 550
relay_domains_reject_code = 550
both these are best left at defaults.
smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl
Much better to use
check_client_access hash:/etc/postfix/access
rather than depending on the undocumented implied
check_{SECTION}_access.
It's best to prefix these with
permit_mynetworks, permit_sasl_authenticated
so you don't reject your own users if their home connection
happens to be on an RBL.
Even better, move these checks to smtpd_recipient_restrictions.
smtpd_delay_reject = no
Generally unwise. This prevents excluding authenticated
clients from smtpd_client_restrictions or
smtpd_helo_restrictions because the client hasn't
authenticated yet. Also reduces the usefulness of logged
rejections since the sender and intended recipient can't be
logged.
But OK if your authenticated users are connecting to
"submission" or "smtps" with alternate settings.
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, check_client_access hash:/etc/postfix/access,
I see you've duplicated your client access map here.
Remove one of them.
reject_unauth_destination hash:/etc/postfix/block,
another bare map name. Far better to use
check_recipient_access hash:/etc/postfix/block
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_invalid_hostname,
reject_unknown_sender_domain, check_relay_domains
check_relay_domains is deprecated and should not be used.
Since you already have reject_unauth_destination above, just
remove this.
This is a fine place to move your RBL restrictions
reject_rbl_client zen.spamhaus.org
reject_rbl_client bl.spamcop.net
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 450
Better to change all these to 550 unless you are having
trouble with rejecting mail you want - and are watching the
logs for it.
-- Noel Jones
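As an added illustration of the "restrictions are evaluated in the order listed" point in the reply above, here is a small Python model of how smtpd walks a restriction list. It is example code written for this page, not code from the thread or from the Postfix project. It models only the restrictions that appear in the thread, treats a bare `type:table` token as the implied `check_<section>_access` the reply warns about, ends an exhausted list with the implicit permit, and uses the default reply codes from postconf(5) (504 for non-FQDN rejections, 554 for access-map, relay and RBL rejections). The IP addresses, mailbox names, map contents and DNSBL listings are constructed sample data standing in for the redacted values in the posting; the `resolvable` set stands in for DNS.

```python
"""Added example (not from the original thread): a toy model of how Postfix
walks an smtpd restriction list. The first restriction that returns PERMIT or
REJECT decides; DUNNO means "keep going"; an exhausted list permits.
Map contents, DNSBL data, addresses and mynetworks below are constructed."""
import re
from dataclasses import dataclass, field, replace

DUNNO = ("DUNNO", None, "")
# Postfix default reply codes for these rejections (postconf(5) defaults).
NON_FQDN_CODE, ACCESS_MAP_CODE, RELAY_CODE, RBL_CODE = 504, 554, 554, 554


@dataclass
class Session:
    client_ip: str
    client_name: str            # reverse-DNS name of the connecting client
    helo: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False


@dataclass
class Config:
    mynetworks: set = field(default_factory=set)
    my_domains: set = field(default_factory=set)          # mydestination + relay_domains
    resolvable: set = field(default_factory=set)          # stands in for DNS lookups
    client_access: dict = field(default_factory=dict)     # contents of hash:/etc/postfix/access
    recipient_access: dict = field(default_factory=dict)  # contents of hash:/etc/postfix/block
    dnsbl: dict = field(default_factory=dict)             # zone -> set of listed client IPs


def parse_restrictions(text, section):
    """Split a main.cf restriction string into (restriction, argument) pairs.
    A bare 'type:table' token becomes the implied check_<section>_access, so the
    rewrite Postfix does silently is visible in the parsed list."""
    tokens, out, i = text.replace(",", " ").split(), [], 0
    while i < len(tokens):
        tok = tokens[i]
        if ":" in tok:
            out.append((f"check_{section}_access", tok))
        elif (tok.startswith("check_") and tok != "check_relay_domains") or tok == "reject_rbl_client":
            out.append((tok, tokens[i + 1]))
            i += 1
        else:
            out.append((tok, None))
        i += 1
    return out


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_fqdn(name):
    return "." in name.strip(".")


def rule(name, arg, s, cfg):
    """Evaluate one restriction -> (action, reply code, reason). Simplified: access
    maps are only looked up on the full name/address and on the domain part."""
    if name == "permit_mynetworks":
        return ("PERMIT", None, "client in mynetworks") if s.client_ip in cfg.mynetworks else DUNNO
    if name == "permit_sasl_authenticated":
        return ("PERMIT", None, "SASL authenticated") if s.sasl_authenticated else DUNNO
    if name in ("check_client_access", "check_recipient_access"):
        if name == "check_client_access":
            table, keys = cfg.client_access, [s.client_name, s.client_ip]
        else:
            table, keys = cfg.recipient_access, [s.recipient, domain(s.recipient)]
        for key in keys:
            if table.get(key) == "OK":
                return ("PERMIT", None, f"{arg}: {key} OK")
            if table.get(key) == "REJECT":
                return ("REJECT", ACCESS_MAP_CODE, f"{arg}: {key} REJECT")
        return DUNNO
    if name in ("reject_unauth_destination", "check_relay_domains"):  # the latter is the deprecated form
        return DUNNO if domain(s.recipient) in cfg.my_domains else ("REJECT", RELAY_CODE, "Relay access denied")
    if name == "reject_non_fqdn_hostname":
        return DUNNO if is_fqdn(s.helo) else ("REJECT", NON_FQDN_CODE, f"<{s.helo}>: Helo command rejected: need fully-qualified hostname")
    if name == "reject_non_fqdn_sender":
        return DUNNO if is_fqdn(domain(s.sender)) else ("REJECT", NON_FQDN_CODE, "Sender address rejected: need fully-qualified address")
    if name == "reject_non_fqdn_recipient":
        return DUNNO if is_fqdn(domain(s.recipient)) else ("REJECT", NON_FQDN_CODE, "Recipient address rejected: need fully-qualified address")
    if name == "reject_invalid_hostname":
        return DUNNO if re.fullmatch(r"[A-Za-z0-9.\-\[\]:]+", s.helo) else ("REJECT", 501, "Helo command rejected: Invalid name")
    if name == "reject_unknown_sender_domain":
        return DUNNO if domain(s.sender) in cfg.resolvable else ("REJECT", 450, "Sender address rejected: Domain not found")
    if name == "reject_rbl_client":
        return ("REJECT", RBL_CODE, f"blocked using {arg}") if s.client_ip in cfg.dnsbl.get(arg, set()) else DUNNO
    raise ValueError(f"restriction not modelled: {name}")


def evaluate(restrictions, s, cfg):
    """Walk the list in order; return (restriction, action, code, reason) of the first decision."""
    for name, arg in restrictions:
        action, code, reason = rule(name, arg, s, cfg)
        if action != "DUNNO":
            return name, action, code, reason
    return "end-of-list", "PERMIT", None, "list exhausted: implicit permit"


# The list as posted in the thread, and the cleaned-up list the reply recommends.
POSTED = parse_restrictions("""permit_mynetworks, permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access, reject_unauth_destination hash:/etc/postfix/block,
    reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname,
    reject_unknown_sender_domain, check_relay_domains""", "recipient")
RECOMMENDED = parse_restrictions("""permit_mynetworks, permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/access, check_recipient_access hash:/etc/postfix/block,
    reject_unauth_destination, reject_non_fqdn_hostname, reject_non_fqdn_sender,
    reject_non_fqdn_recipient, reject_invalid_hostname, reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net""", "recipient")

# Constructed site data; documentation-range IP and made-up mailboxes replace the redacted values.
CFG = Config(mynetworks={"87.117.0.1"}, my_domains={"example.com"}, resolvable={"example.com"},
             dnsbl={"zen.spamhaus.org": {"198.51.100.7"}})
TITAN = Session("198.51.100.7", "xxx.blueyonder.co.uk", "titan", "bob@example.com", "russell@example.com")


def demo():
    """Reproduce the thread's rejection and show what changes once the client authenticates."""
    authed = replace(TITAN, sasl_authenticated=True)
    fqdn_unauthed = replace(TITAN, helo="titan.example.net")
    return {
        "posted/unauthenticated": evaluate(POSTED, TITAN, CFG),
        "posted/authenticated": evaluate(POSTED, authed, CFG),
        "recommended/authenticated (RBL-listed home IP)": evaluate(RECOMMENDED, authed, CFG),
        "recommended/unauthenticated (RBL-listed)": evaluate(RECOMMENDED, fqdn_unauthed, CFG),
    }


if __name__ == "__main__":
    for label, (where, action, code, reason) in demo().items():
        print(f"{label}: {action} at {where}" + (f" ({code} {reason})" if code else ""))
```

Running it reproduces the logged "504 <titan>: Helo command rejected: need fully-qualified hostname" for the unauthenticated session, which stops at `reject_non_fqdn_hostname` only because `permit_sasl_authenticated` returned DUNNO two steps earlier; the same session with `sasl_authenticated=True` is permitted there and never reaches the FQDN check. The recommended list shows the other ordering point from the reply: an authenticated user whose home IP is on a DNSBL is still permitted, while the same unauthenticated connection is rejected by `reject_rbl_client`.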