On 8/3/09 12:26 AM, Nick Sharp wrote:
Hi all,

Since adding check_sender_access to stop our domain from emailing unauthed
from the outside and our Wireless Broadband now being in the
pbl.spamhaus.org list, we want to allow TLS/SASL Auth'd users to email from
their broadband cards and get them bypassing the RBLs, i.e. RBL checks on
port 25 without auth, no rbl checks on 587 but reject those not
authenticated.

I thought I could just overwrite smtpd restrictions from main.cf with
additional rules in master.cf and get it working, but all combinations I
have tried have failed.

A sample submission entry in master.cf:

submission inet n       -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_tls_auth_only=yes
   -o smtpd_sasl_auth_enable=yes
   -o broken_sasl_auth_clients=yes
   -o receive_override_options=no_header_body_checks,no_address_mappings
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
   -o content_filter=lmtp-amavis:[127.0.0.1]:10026

The key is the smtpd_recipient_restrictions' permit_sasl_authenticated coming first or early. Thus, port 587 users who authenticate pass the green light.
Do I have to move main.cf smtpd_(client|recipient|sender)_restrictions into
master.cf under smtp and then use the alternative restrictions under the
submission port? If so I wonder what else will lose restriction options.

Tailor as you see fit for your users. The restrictions you'll add under submission override those in main.cf.

I am pretty sure that I can whitelist their subnet, but I must be able to
bypass the rbl checks for any auth'ed user on port 587.

Whitelisting == not so good.
Any suggestions gratefully received.

The error I seem to get if it's not the RBL error:
Aug  3 15:39:14 mail1 postfix/smtpd[25528]: NOQUEUE: reject: CONNECT from
unknown[58.171.177.107]: 554 5.7.1 <unknown[58.171.177.107]>: Client host
rejected: Access denied; proto=SMTP
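As an added illustration (a toy model of my own, not code from this thread or from Postfix): how a master.cf "-o" line replaces one parameter for the submission service while every other parameter is still inherited from main.cf, and why a roaming client on a listed address can still be rejected by an inherited smtpd_client_restrictions even when smtpd_recipient_restrictions starts with permit_sasl_authenticated. All main.cf values, the client attributes and the RBL hit are constructed; the model covers only the client and recipient stages and ignores smtpd_delay_reject.

```python
# Toy model (constructed, not Postfix code) of per-service "-o" overrides on
# top of main.cf and of in-order restriction evaluation, where the first
# decisive result in a list wins and a reject in any stage is final.

MAIN_CF = {  # constructed main.cf values; reject_rbl_client stands in for PBL
    "smtpd_client_restrictions": ["permit_mynetworks", "reject_rbl_client"],
    "smtpd_recipient_restrictions": ["permit_mynetworks",
                                     "reject_unauth_destination"],
}

# Override only the recipient list, as in the quoted master.cf entry.
SUBMISSION_RCPT_ONLY = {
    "smtpd_recipient_restrictions": ["permit_sasl_authenticated", "reject"],
}
# Override the client list too, so the RBL lookup is skipped for AUTH users.
SUBMISSION_BOTH = dict(SUBMISSION_RCPT_ONLY,
                       smtpd_client_restrictions=["permit_sasl_authenticated",
                                                  "reject"])

def evaluate(restrictions, client):
    """Walk one list; return 'permit', 'reject' or None (list exhausted)."""
    for r in restrictions:
        if r in ("permit", "reject"):
            return r
        if r == "permit_mynetworks" and client["in_mynetworks"]:
            return "permit"
        if r == "permit_sasl_authenticated" and client["sasl_authenticated"]:
            return "permit"
        if r == "reject_rbl_client" and client["rbl_listed"]:
            return "reject"
        if r == "reject_unauth_destination" and not client["local_recipient"]:
            return "reject"
    return None  # end of list without a decision: continue to next stage

def decide(service_overrides, client):
    """Run the stages in order; only the overridden parameters differ."""
    for param in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        effective = service_overrides.get(param, MAIN_CF[param])
        if evaluate(effective, client) == "reject":
            return "reject:" + param
    return "accept"

# Constructed roaming user on a listed broadband address, relaying outbound.
ROAMING_AUTH = {"in_mynetworks": False, "sasl_authenticated": True,
                "rbl_listed": True, "local_recipient": False}
ROAMING_NOAUTH = dict(ROAMING_AUTH, sasl_authenticated=False)
```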
