On 04/22/10 02:57, Oliver Schinagl wrote: > On 04/22/10 02:42, Matt Hayes wrote: > >> On 04/21/2010 08:33 PM, Oliver Schinagl wrote: >> >> >>> On 04/22/10 02:10, Matt Hayes wrote: >>> >>> >>>> On 04/21/2010 07:19 PM, Oliver Schinagl wrote: >>>> >>>> >>>> >>>>> On 04/21/10 23:47, mouss wrote: >>>>> >>>>> >>>>> >>>>>> Oliver Schinagl a écrit : >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> Hello all, >>>>>>> >>>>>>> I've been trying to figure out why a new server I setup using postfix >>>>>>> doesn't allow me to relay messages after I authenticate (using >>>>>>> cyrus-sasl). It appears then I can authenticate just fine, but when I >>>>>>> try to send a message, I get a RBL error. I obviously want my ADSL IP >>>>>>> not to be whitelisted from the sending end (as it's dhcp and just a >>>>>>> regular adsl ip) but I would have expected that after authentication the >>>>>>> RBL would be bypassed? >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> Show logs that prove your claims: >>>>>> 1- user was authenticated >>>>>> 2- relay was denied >>>>>> >>>>>> for (1), you should find a line like this: >>>>>> Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888: >>>>>> client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN, >>>>>> sasl_username=mo...@ml.netoyen.net >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>> Sorry for forgetting, >>>>> >>>>> I can post 2; I'm having troubles finding 1, because I think that's >>>>> whats going wrong ;) >>>>> >>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: connect from >>>>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx] >>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT >>>>> from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service >>>>> unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org; >>>>> http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP >>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after >>>>> CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx] >>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from >>>>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx] >>>>> >>>>> What does work however, is if i telnet from my own host (which isn't in >>>>> the pbl so it makes testing for me really hard (unless I could fake my >>>>> domain temporarly to be on the pbl?) and AUTH LOGIN and send a message >>>>> it does work, so sasl_auth must be working right? >>>>> >>>>> Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63: >>>>> client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN, >>>>> sasl_username=theuser >>>>> >>>>> >>>>> Either thunderbird isn't trying to auth at all (even though I told it >>>>> to) or it gets RBLed before it could even try to auth, which is what I'm >>>>> thinking. >>>>> >>>>> My test box, (diff server basically) which is on the pbl normally, is >>>>> down for maintanance atm (broken nic :S) so all I got is users >>>>> complaining unable to send mail on the new server, and I can't figure >>>>> out what I have done wrong. >>>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> I thought I pretty much set it up the same way as my older server, which >>>>>>> accepts my mail just fine! Guess I was wrong, and I can't find the >>>>>>> differences. >>>>>>> >>>>>>> As I've setup my server, I tried to document it as well as possible over >>>>>>> at the gentoo-wiki; >>>>>>> >>>>>>> http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server >>>>>>> >>>>>>> >>>>>>> The entire postfix server seems to be running excellently as far as I >>>>>>> can tell, except for not being able to send from remote 'internet' IP's >>>>>>> that are on the PBL. >>>>>>> >>>>>>> Find below my postconf -n (having replaced the real hostname with >>>>>>> foo.example) >>>>>>> === >>>>>>> postconf -n >>>>>>> biff = no >>>>>>> broken_sasl_auth_clients = no >>>>>>> command_directory = /usr/sbin >>>>>>> config_directory = /etc/postfix >>>>>>> daemon_directory = /usr/lib64/postfix >>>>>>> data_directory = /var/lib/postfix >>>>>>> debug_peer_level = 1 >>>>>>> disable_vrfy_command = yes >>>>>>> home_mailbox = .maildir/ >>>>>>> html_directory = /usr/share/doc/postfix-2.6.5/html >>>>>>> mail_owner = postfix >>>>>>> mailq_path = /usr/bin/mailq >>>>>>> manpage_directory = /usr/share/man >>>>>>> message_size_limit = 20480000 >>>>>>> mydomain = example.com >>>>>>> myhostname = foo.example.com >>>>>>> mynetworks_style = host >>>>>>> newaliases_path = /usr/bin/newaliases >>>>>>> queue_directory = /var/spool/postfix >>>>>>> readme_directory = /usr/share/doc/postfix-2.6.5/readme >>>>>>> recipient_delimiter = + >>>>>>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf >>>>>>> sendmail_path = /usr/sbin/sendmail >>>>>>> setgid_group = postdrop >>>>>>> smtpd_banner = $myhostname NO UCE ESMTP >>>>>>> smtpd_client_restrictions = permit_mynetworks, >>>>>>> permit_sasl_authenticated, permit_mx_backup, reject_rbl_client >>>>>>> zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client >>>>>>> bl.spamcop.net >>>>>>> smtpd_delay_reject = no >>>>>>> smtpd_helo_required = yes >>>>>>> smtpd_helo_restrictions = reject_invalid_hostname >>>>>>> smtpd_recipient_restrictions = permit_mynetworks, >>>>>>> permit_sasl_authenticated, permit_mx_backup, check_policy_service >>>>>>> inet:127.0.0.1:2525, reject_unauth_destination >>>>>>> smtpd_sasl_auth_enable = yes >>>>>>> smtpd_sasl_authenticated_header = no >>>>>>> smtpd_sasl_local_domain = >>>>>>> smtpd_sasl_security_options = noanonymous >>>>>>> smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem >>>>>>> smtpd_tls_auth_only = no >>>>>>> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem >>>>>>> smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem >>>>>>> smtpd_tls_loglevel = 0 >>>>>>> smtpd_tls_received_header = yes >>>>>>> smtpd_tls_session_cache_timeout = 3600s >>>>>>> smtpd_use_tls = yes >>>>>>> soft_bounce = no >>>>>>> tls_random_source = dev:/dev/urandom >>>>>>> unknown_local_recipient_reject_code = 550 >>>>>>> virtual_alias_maps = >>>>>>> pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf >>>>>>> virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf >>>>>>> virtual_mailbox_base = /var/vmail >>>>>>> virtual_mailbox_domains = >>>>>>> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf >>>>>>> virtual_mailbox_limit_maps = >>>>>>> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf >>>>>>> virtual_mailbox_limit_override = yes >>>>>>> virtual_mailbox_maps = >>>>>>> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf >>>>>>> virtual_maildir_extended = yes >>>>>>> virtual_maildir_limit_message = "Sorry, the recipients mailbox is >>>>>>> currently full. Please try again later." >>>>>>> virtual_overquota_bounce = no >>>>>>> virtual_trash_count = no >>>>>>> virtual_trash_name = ".Trash" >>>>>>> virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> >>>> Is there some reason you aren't using the submission port (587) ? >>>> >>>> -matt >>>> >>>> >>>> >>> Because it's the first time I've heard of it! :) (I did notice google >>> was running services on that port, so I suppose that is what that is?) >>> >>> I followed years ago the inital howto, and re-wrote the howto from the >>> gentoo wiki, neither mention submission. Also in the default config it >>> is disabled. >>> >>> I'm all for enabling it too (and updating the howto for it); It brings >>> up a few questions though. >>> What is it speficially for? It seems it's yet another port to listen for >>> incoming mail, but on 587 instead of 25 forcing the use of TLS and Sasl >>> auth? >>> Why is it commented default? >>> It won't fix why i'm hitting the RBL list when trying to send externally >>> right? Just a nother way for users to submit their messages? >>> >>> I do like having it though I admit for when smtps wouldn't be available. >>> >>> >> Yes, it is another smtpd, however, its specifically for user submission >> of email. >> >> This allows you the flexibility to give your authed users ways to bypass >> things like.. RBL checks and it forces users to authenticate to send >> email, which in-turn, can help verify they are who they say they are etc. >> >> -Matt >> >> > Ok, thanks I'll enable that one as well, atleast I can get my users to > mail properly using 587; I'll still have to figure out why auth won't > work on the regular port 25 though :S, simply because it bugs me :S > Heh, I suppose it wasn't as straightforward as that; I'll look more into it after some sleep, I enabled it with the following: submission inet n - n - - smtpd # -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING (even tried uncommenting both, which shouldn't matter inmo?)
But got denied errors, telnet didn't tell me much, thunderbird told me slightly more: An error occurred sending mail: The mail server sent an incorrect greeting: 5.7.1 <yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]>: Client host rejected: Access denied. It won't even ask me for my sasl password, nothing. A mistery for the next day.
