On 4/21/2010 9:03 PM, Oliver Schinagl wrote:
On 04/22/10 03:55, Noel Jones wrote:
On 4/21/2010 8:39 PM, Oliver Schinagl wrote:

Heh, I suppose it wasn't as straightforward as that; I'll look more into
it after some sleep, I enabled it with the following:
submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
(even tried uncommenting both, which shouldn't matter imho?)

But got denied errors, telnet didn't tell me much, thunderbird told me
slightly more:
An error occurred sending mail: The mail server sent an incorrect
greeting:  5.7.1<yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]>: Client host
rejected: Access denied.
It won't even ask me for my sasl password, nothing. A mystery for the
next day.

Please show your current "postconf -n" and the error message from the
postfix logs.  Showing error messages from the client or from telnet
are not particularly useful.

   -- Noel Jones
My current postconf -n is exactly as above in the mail; I hadn't changed
anything, I only pasted the relevant part from master.conf that I changed.

I don't see a postconf -n in this mail. I asked for a new copy to make sure of its current contents, and because I deleted your previous messages and don't feel like rummaging around in the trash.


Apr 21 21:39:19 example postfix/smtpd[21360]: connect from
yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT
from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
: 554 5.7.1<yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]>: Client host
rejected: Access denied; proto=SMTP
Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from
yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]

The client was rejected during the CONNECT stage. This implies you are using "smtpd_delay_reject = no".

Don't do that, the client doesn't get a chance to authenticate.




is the corresponding postfix error; Basically what thunderbird reported :)

The postfix log is far more useful; it tells us your problem is (at least) you need to unset smtpd_delay_reject. There may be other problems exposed once you fix this one.

Looking at the message you sent David Cottle, I think he's doing what
Matt suggested I should do? Use submission to bypass RBL stuff; I'd
gladly add those 2 options as well, but why would they not be in the
default config? You'd think that the default submission bit was exactly
that, allow users to bypass everything and submit messages directly. I'm
too tired to think atm so I'll check it all out again tomorrow :)
Sleep well :)

There is no evidence David's client ever authenticates. Not quite the same problem. Your client doesn't authenticate either, but that's because you don't give them the chance.

Using the "submission" port is an accepted solution to the common problems[1] of how to allow mobile users to send mail to your server. The main advantage is it allows you to specify a different policy[2] for authenticated users.

You can add "-o smtpd_delay_reject=yes" to the submission entry in master.cf to ensure that changes to that parameter in main.cf won't affect the submission service. But a better solution is just don't mess with that setting; leave it at the default "yes".

"submission" is commented out in the default postfix config because a relatively small subset of folks using postfix need it, and it's not nice to open ports not needed.

[1] IP listed in RBL.  ISP or hotspot blocks port 25 access.

[2] accept mail from authenticated clients no matter how screwed up their mailer or their IP

  -- Noel Jones
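
Added example, not part of the original thread: a small Python triage script that groups Postfix smtpd `NOQUEUE: reject` lines by SMTP stage and flags "Client host rejected" at the CONNECT stage, the symptom diagnosed above, where the client is turned away before it can authenticate. The sample log is constructed (documentation addresses, one logical line per entry), and the function names are this example's own.

```python
import re
from collections import Counter

# "NOQUEUE: reject: <STAGE> from host[ip]: <code> <dsn> <text>"
REJECT_RE = re.compile(
    r"postfix/\S*smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>[A-Z-]+) from "
    r"(?P<client>\S+\[[^\]]+\]): (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<text>.*)"
)

# Constructed sample log, not taken from the thread.
SAMPLE_LOG = """\
Apr 21 21:39:19 mx postfix/smtpd[21360]: connect from client.example.net[192.0.2.10]
Apr 21 21:39:19 mx postfix/smtpd[21360]: NOQUEUE: reject: CONNECT from client.example.net[192.0.2.10]: 554 5.7.1 <client.example.net[192.0.2.10]>: Client host rejected: Access denied; proto=SMTP
Apr 21 21:39:24 mx postfix/smtpd[21360]: disconnect from client.example.net[192.0.2.10]
Apr 21 22:01:02 mx postfix/smtpd[21401]: NOQUEUE: reject: RCPT from other.example.org[198.51.100.7]: 554 5.7.1 <other.example.org[198.51.100.7]>: Client host rejected: Access denied; from=<a@example.org> to=<b@example.com> proto=ESMTP helo=<other.example.org>
"""


def parse_rejects(lines):
    """Yield one dict (stage, client, code, dsn, text) per smtpd reject line."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m.groupdict()


def rejects_by_stage(lines):
    """Count rejects per SMTP stage (CONNECT, HELO, MAIL, RCPT, ...)."""
    return Counter(r["stage"] for r in parse_rejects(lines))


def pre_auth_rejects(lines):
    """Client-host rejects issued at CONNECT: the session ended before
    EHLO/AUTH, so permit_sasl_authenticated could never match."""
    return [r for r in parse_rejects(lines)
            if r["stage"] == "CONNECT" and "Client host rejected" in r["text"]]


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    print(dict(rejects_by_stage(log)))
    for r in pre_auth_rejects(log):
        print(f"{r['client']}: rejected at CONNECT ({r['code']} {r['dsn']}); "
              "check that smtpd_delay_reject is 'yes' for this service")
```

With the default `smtpd_delay_reject = yes`, client restrictions are evaluated at RCPT TO, so the same policy decision would appear under the RCPT stage instead.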
