On 04/22/10 02:10, Matt Hayes wrote:
> On 04/21/2010 07:19 PM, Oliver Schinagl wrote:
>   
>> On 04/21/10 23:47, mouss wrote:
>>     
>>> Oliver Schinagl wrote:
>>>   
>>>       
>>>> Hello all,
>>>>
>>>> I've been trying to figure out why a new server I set up using postfix
>>>> doesn't allow me to relay messages after I authenticate (using
>>>> cyrus-sasl). It appears that I can authenticate just fine, but when I
>>>> try to send a message, I get a RBL error. I obviously want my ADSL IP
>>>> not to be whitelisted from the sending end (as it's dhcp and just a
>>>> regular adsl ip) but I would have expected that after authentication the
>>>> RBL would be bypassed?
>>>>
>>>>     
>>>>         
>>> Show logs that prove your claims:
>>> 1- user was authenticated
>>> 2- relay was denied
>>>
>>> for (1), you should find a line like this:
>>> Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888:
>>> client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN,
>>> sasl_username=mo...@ml.netoyen.net
>>>
>>>   
>>>       
>> Sorry for forgetting,
>>
>> I can post 2; I'm having trouble finding 1, because I think that's
>> what's going wrong ;)
>>
>> Apr 19 14:30:36 example postfix/smtpd[26549]: connect from
>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>> Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT
>> from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service
>> unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org;
>> http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP
>> Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after
>> CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>> Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from
>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>
>> What does work however, is if I telnet from my own host (which isn't in
>> the pbl so it makes testing for me really hard (unless I could fake my
>> domain temporarily to be on the pbl?) and AUTH LOGIN and send a message
>> it does work, so sasl_auth must be working right?
>>
>> Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63:
>> client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN,
>> sasl_username=theuser
>>
>>
>> Either thunderbird isn't trying to auth at all (even though I told it
>> to) or it gets RBLed before it could even try to auth, which is what I'm
>> thinking.
>>
>> My test box, (diff server basically) which is on the pbl normally, is
>> down for maintenance atm (broken nic :S) so all I got is users
>> complaining unable to send mail on the new server, and I can't figure
>> out what I have done wrong.
>>     
>>>   
>>>       
>>>> I thought I pretty much set it up the same way as my older server, which
>>>> accepts my mail just fine! Guess I was wrong, and I can't find the
>>>> differences.
>>>>
>>>> As I've setup my server, I tried to document it as well as possible over
>>>> at the gentoo-wiki;
>>>>
>>>> http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>>>>
>>>>
>>>> The entire postfix server seems to be running excellently as far as I
>>>> can tell, except for not being able to send from remote 'internet' IP's
>>>> that are on the PBL.
>>>>
>>>> Find below my postconf -n (having replaced the real hostname with
>>>> foo.example)
>>>> ===
>>>> postconf -n
>>>> biff = no
>>>> broken_sasl_auth_clients = no
>>>> command_directory = /usr/sbin
>>>> config_directory = /etc/postfix
>>>> daemon_directory = /usr/lib64/postfix
>>>> data_directory = /var/lib/postfix
>>>> debug_peer_level = 1
>>>> disable_vrfy_command = yes
>>>> home_mailbox = .maildir/
>>>> html_directory = /usr/share/doc/postfix-2.6.5/html
>>>> mail_owner = postfix
>>>> mailq_path = /usr/bin/mailq
>>>> manpage_directory = /usr/share/man
>>>> message_size_limit = 20480000
>>>> mydomain = example.com
>>>> myhostname = foo.example.com
>>>> mynetworks_style = host
>>>> newaliases_path = /usr/bin/newaliases
>>>> queue_directory = /var/spool/postfix
>>>> readme_directory = /usr/share/doc/postfix-2.6.5/readme
>>>> recipient_delimiter = +
>>>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
>>>> sendmail_path = /usr/sbin/sendmail
>>>> setgid_group = postdrop
>>>> smtpd_banner = $myhostname NO UCE ESMTP
>>>> smtpd_client_restrictions = permit_mynetworks,
>>>> permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
>>>> zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
>>>> bl.spamcop.net
>>>> smtpd_delay_reject = no
>>>> smtpd_helo_required = yes
>>>> smtpd_helo_restrictions = reject_invalid_hostname
>>>> smtpd_recipient_restrictions = permit_mynetworks,
>>>> permit_sasl_authenticated, permit_mx_backup, check_policy_service
>>>> inet:127.0.0.1:2525, reject_unauth_destination
>>>> smtpd_sasl_auth_enable = yes
>>>> smtpd_sasl_authenticated_header = no
>>>> smtpd_sasl_local_domain =
>>>> smtpd_sasl_security_options = noanonymous
>>>> smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
>>>> smtpd_tls_auth_only = no
>>>> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
>>>> smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
>>>> smtpd_tls_loglevel = 0
>>>> smtpd_tls_received_header = yes
>>>> smtpd_tls_session_cache_timeout = 3600s
>>>> smtpd_use_tls = yes
>>>> soft_bounce = no
>>>> tls_random_source = dev:/dev/urandom
>>>> unknown_local_recipient_reject_code = 550
>>>> virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
>>>> virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
>>>> virtual_mailbox_base = /var/vmail
>>>> virtual_mailbox_domains =
>>>> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
>>>> virtual_mailbox_limit_maps =
>>>> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
>>>> virtual_mailbox_limit_override = yes
>>>> virtual_mailbox_maps =
>>>> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
>>>> virtual_maildir_extended = yes
>>>> virtual_maildir_limit_message = "Sorry, the recipients mailbox is
>>>> currently full. Please try again later."
>>>> virtual_overquota_bounce = no
>>>> virtual_trash_count = no
>>>> virtual_trash_name = ".Trash"
>>>> virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf
>>>>     
>>>>         
>>>   
>>>       
>>     
>
> Is there some reason you aren't using the submission port (587) ?
>
> -matt
>   
Because it's the first time I've heard of it! :) (I did notice google
was running services on that port, so I suppose that is what that is?)

I followed years ago the initial howto, and re-wrote the howto from the
gentoo wiki, neither mentions submission. Also in the default config it
is disabled.

I'm all for enabling it too (and updating the howto for it); It brings
up a few questions though.
What is it specifically for? It seems it's yet another port to listen for
incoming mail, but on 587 instead of 25 forcing the use of TLS and Sasl
auth?
Why is it commented out by default?
It won't fix why I'm hitting the RBL list when trying to send externally
right? Just another way for users to submit their messages?

I do like having it though I admit for when smtps wouldn't be available.
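
The check discussed in this thread, as an added example that is not part of the original messages: a Python script that groups Postfix smtpd log lines by process ID and flags sessions where a DNSBL reject was logged at the CONNECT stage, before any SASL login could take place (with `smtpd_delay_reject = no`, as in the posted config, client restrictions run at connect time). The sample log is constructed from the excerpts above using documentation-range addresses, and the function names are this example's own.

```python
import re

# Constructed sample lines modelled on the log excerpts quoted in the thread
# (addresses are documentation ranges; lines are unwrapped, one event each).
SAMPLE_LOG = """\
Apr 19 14:30:36 example postfix/smtpd[26549]: connect from adsl.isp.example[192.0.2.10]
Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT from adsl.isp.example[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; proto=SMTP
Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from adsl.isp.example[192.0.2.10]
Apr 21 19:17:41 example postfix/smtpd[27551]: connect from ftth.isp.example[198.51.100.7]
Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63: client=ftth.isp.example[198.51.100.7], sasl_method=LOGIN, sasl_username=theuser
Apr 21 19:17:50 example postfix/smtpd[27551]: disconnect from ftth.isp.example[198.51.100.7]
"""

PID = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
REJECT = re.compile(r"reject: (\w+) from .*? blocked using ([\w.-]+)")
SASL = re.compile(r"sasl_method=\w+, sasl_username=(\S+)")

def classify_sessions(log_text):
    """Return one dict per smtpd session: client IP, SASL user (if any),
    and the protocol stage and DNSBL name of any blocklist reject."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        m = PID.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            ip = msg[msg.rfind("[") + 1:-1]
            open_sessions[pid] = {"ip": ip, "sasl_user": None,
                                  "reject_stage": None, "dnsbl": None}
            continue
        s = open_sessions.get(pid)
        if s is None:
            continue  # event for a session whose connect line we never saw
        r, a = REJECT.search(msg), SASL.search(msg)
        if r:
            s["reject_stage"], s["dnsbl"] = r.group(1), r.group(2)
        elif a:
            s["sasl_user"] = a.group(1)
        elif msg.startswith("disconnect from "):
            finished.append(open_sessions.pop(pid))
    return finished

def auth_impossible(session):
    """True when the DNSBL reject fired at CONNECT with no SASL login logged,
    so permit_sasl_authenticated never had a chance to match."""
    return session["reject_stage"] == "CONNECT" and session["sasl_user"] is None

if __name__ == "__main__":
    for s in classify_sessions(SAMPLE_LOG):
        print(s["ip"], "rejected before AUTH" if auth_impossible(s) else s)
```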
