On May 5, 2009, at 12:57 AM, Gaël Lams wrote:
> What seems to happen is that some providers transparently send emails through their own SMTP server instead of allowing our users to use the configured SMTP server. The check_sender_access check is after permit_sasl_authenticated with the idea that the request would be permitted when the client is successfully authenticated, thinking that it would do the trick (after all, the user submits a username and a password which are correct) but still the email is blocked by the check_sender_access control.
I believe you need to move your users to the alternate submission port. The normal widely used port for this is 587. Some people will lock down port 587 to only allow authenticated and encrypted connections. Others will allow non-crypto, but mandate authentication.
You cannot trust any connection your "road warriors" or even desktop users are on. Most ISPs I have had to deal with block port 25; many hotels and hotspots will blindly intercept port 25 and route it through their machines.
You have no idea what they do with that traffic; they could relay it on, or they could be storing and relaying, or flat out intercepting for nefarious means.
Switch your users to port 587, assuming you have set up the submission port in master.cf, and you should be good to go. I also suggest enabling TLS.
-- Scott * If you contact me off list replace talklists@ with scott@ *
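
A master.cf submission entry of the kind described in the reply above, as an added example that is not part of the original message. The parameter values shown are assumptions about a typical setup, and SASL and the TLS certificate are assumed to be configured in main.cf already.

```conf
# /etc/postfix/master.cf (added example; values are assumptions)
#
# Variant 1: port 587 locked down to authenticated AND encrypted clients.
#   smtpd_tls_security_level=encrypt  -> client must issue STARTTLS first
#   smtpd_sasl_auth_enable=yes        -> offer SASL AUTH on this service
#   smtpd_client_restrictions=...     -> authenticated clients pass,
#                                        everything else is rejected
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Variant 2: authentication mandatory, TLS offered but not required.
# Credentials can then cross an untrusted network in the clear, which is
# the exposure the reply warns about for hotel and hotspot connections.
# Use this stanza INSTEAD of variant 1, never alongside it.
#
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=may
#  -o smtpd_tls_auth_only=no
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Run `postfix reload` after editing master.cf, then point the mail clients at port 587 with STARTTLS and SMTP authentication enabled.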