On Tue, Sep 8, 2009 at 8:01 AM, Noel Jones <njo...@megan.vbhcs.org> wrote:

> Looks like the client disconnected.
>
> Test your TLS implementation with
> openssl s_client -connect IP:port -starttls smtp
>
> If you get a
> 250 DSN
> or similar message after all the SSL handshake goop, then it worked.
>
>
OK, all is well here.

>  maps_rbl_domains = blackholes.mail-abuse.org
>>
>
> maps_rbl_domains parameter is deprecated.  See the reject_rbl_client
> command instead.
>
>
>  smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
>> reject_invalid_hostname, permit
>>
>
> You need permit_sasl_authenticated right after permit_mynetworks.
>
>  smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
>>
>
> This is a no-op, you can remove it.
>
> I don't see an smtpd_recipient_restrictions here.  You will need at least:
> smtpd_recipient_restrictions =
>  permit_mynetworks
>  permit_sasl_authenticated
>  reject_unauth_destination
>
>
smtpd_recipient_restrictions was there, as specified. So that's alright.


>
>  smtpd_tls_loglevel = 3
>>
>
> Everything you may need should be logged at level 1.
>
>  strict_rfc821_envelopes = yes
>>
>
> This may reject legit mail.
>
OK, I fixed those. I cranked logging up in vain hope of finding something
indicative.

>
>> --master.cf--
>>
>> smtp inet n - n - 200 smtpd
>>
>> -o content_filter=filter:
>>
>> -o smtpd_tls_wrappermode=yes
>>
>
> Ouch!  Don't do that!
> This is likely why the client disconnected; your server was speaking SSL
> and the client was speaking normal SMTP.  It looked like garbage to the
> client.
> Wrappermode should only be used on a dedicated port, typically 465 "smtps".
>

Hmm, that's been here forever, but I guess it was obsoleted by the recent
authentication changes.


Well, it looks like I am seeing some deliveries being logged, so maybe it's
fixed.

Any idea if I should care about this?

Sep  8 08:06:57 shuttle postfix/smtpd[61994]: warning:
network_biopair_interop: error reading 11 bytes from
 the network: Connection reset by peer

I see it's a warning but the only mention I found in the Google was that it
was fixed "in the next release" and that was some time ago.
-- 
Paul Beard / www.paulbeard.org/
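
The wrappermode mistake discussed in this thread can be caught with a small lint over master.cf. The following is an added example, not part of the original messages: the sample file is constructed from the excerpt quoted above, and the function names and the set of acceptable listeners are assumptions.

```python
import shlex

# Constructed sample: the port-25 service quoted in the thread, plus a
# dedicated smtps listener of the kind Noel describes.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command
smtp   inet  n  -  n  -  200  smtpd
  -o content_filter=filter:
  -o smtpd_tls_wrappermode=yes
smtps  inet  n  -  n  -  -    smtpd
  -o smtpd_tls_wrappermode=yes
"""

# Assumption: only these listeners are meant to speak implicit TLS.
WRAPPER_OK = {"smtps", "465"}

def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current

def wrappermode_misuse(text):
    """Return inet services that enable wrappermode off a dedicated port."""
    flagged = []
    for line in logical_lines(text):
        fields = shlex.split(line)
        if len(fields) < 8 or fields[1] != "inet":
            continue
        service, args = fields[0], fields[8:]
        port = service.rsplit(":", 1)[-1]  # also handles the "host:port" form
        opts = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-o"]
        if "smtpd_tls_wrappermode=yes" in opts and port not in WRAPPER_OK:
            flagged.append(service)
    return flagged

if __name__ == "__main__":
    print(wrappermode_misuse(SAMPLE_MASTER_CF))
```

A flagged service is one where the server would start the TLS handshake immediately while clients expect a plain-text SMTP greeting.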
