Hi all,
Since adding check_sender_access to stop our domain from emailing unauthed
from the outside and our Wireless Broadband now being in the
pbl.spamhaus.org list, we want to allow TLS/SASL Auth'd users to email from
their broadband cards and get them bypassing the rbl's, ie RBL checks on
port 25 without auth, no rbl checks on 587 but reject those not
authenticated.
I thought I could just overwrite smtpd restrictions from main.cf with
additional rules in master.cf and get it working, but all combinations I
have tried have failed.
Do I have to move main.cf smtpd_(client|recipient|sender)_restrictions into
master.cf under smtp and then use the alternative restrictions under the
submission port? If so I wonder what else will loose restriction options.
I am pretty sure that I can whitelist their subnet, but I must be able to
bypass the rbl checks for any auth'ed user on port 587.
Any suggestions gratefully received.
The error I seem to get if its not the rbl error;
Aug 3 15:39:14 mail1 postfix/smtpd[25528]: NOQUEUE: reject: CONNECT from
unknown[58.171.177.107]: 554 5.7.1 <unknown[58.171.177.107]>: Client host
rejected: Access denied; proto=SMTP
master.cf;
smtp inet n - - - 50 smtpd
-o cleanup_service_name=pre-cleanup
-o content_filter=procmail:filter
#submission inet n - - - - smtpd
# -o smtpd_enforce_tls=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
#628 inet n - - - - qmqpd
587 inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_sasl_auth_enable=yes
#tried various combinations of these 3 (with and without reject)
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
-o mime_header_checks=
-o nested_header_checks=
-o body_checks=
-o header_checks=
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - n 300 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#Vacation Handler
#vacation unix - n n - - pipe
# flags=Rhu user=vacation argv=/var/spool/vacation/vacation.pl
#Procmail
procmail unix - n n - - pipe
flags=Rq user=virtual argv=/usr/bin/procmail -t -m /etc/procmailrc
${sender} ${recipient}
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
$recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o strict_rfc821_envelopes=yes
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1001
pre-cleanup unix n - - - 0 cleanup
-o virtual_alias_maps=
-o canonical_maps=
-o sender_canonical_maps=
-o recipient_canonical_maps=
-o masquerade_domains=
postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
delay_warning_time = 4h
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 26214400
mydestination =
myhostname = <hostname>
mynetworks = <various networks>
myorigin = /etc/mailname
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
relayhost =
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client
blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org, reject_rbl_client
zen.spamhaus.org, reject_rbl_client relays.mail-abuse.org, reject_rbl_client
whois.rfc-ignorant.org, reject_rbl_client nonconfirm.mail-abuse.org,
reject_rbl_client dialups.mail-abuse.org, reject_rbl_client sc.surbl.org,
reject_rbl_client ws.surbl.org, reject_rbl_client ob.surbl.org,
reject_rbl_client ab.surbl.org, reject_rbl_client multi.surbl.org,
reject_rbl_client black.uribl.com
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_recipient_restrictions = permit_sasl_authenticated,
reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient,
reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated,
permit_mynetworks,reject_non_fqdn_sender, reject_unauth_pipelining,
check_sender_access hash:/etc/postfix/spoofprotection, permit
smtpd_timeout = 60s
smtpd_tls_cert_file = /etc/apache2/ssl/somefile.crt
smtpd_tls_key_file = /etc/apache2/ssl/somefile.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = mysql:/etc/postfix/mysql_transport2.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_transport = mysql:/etc/postfix/mysql_transport2.cf
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf
TIA
Nick
