On 04/22/10 04:49, Noel Jones wrote:
> On 4/21/2010 9:03 PM, Oliver Schinagl wrote:
>> On 04/22/10 03:55, Noel Jones wrote:
>>> On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>>>>>
>>>> Heh, I suppose it wasn't as straightforward as that; I'll look more
>>>> into it after some sleep. I enabled it with the following:
>>>> submission inet n - n - - smtpd
>>>> # -o smtpd_tls_security_level=encrypt
>>>> -o smtpd_sasl_auth_enable=yes
>>>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>> # -o milter_macro_daemon_name=ORIGINATING
>>>> (even tried uncommenting both, which shouldn't matter imo?)
>>>>
>>>> But got denied errors; telnet didn't tell me much, thunderbird told me
>>>> slightly more:
>>>> An error occurred sending mail: The mail server sent an incorrect
>>>> greeting: 5.7.1 <yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]>: Client host
>>>> rejected: Access denied.
>>>> It won't even ask me for my sasl password, nothing. A mystery for the
>>>> next day.
>>>
>>> Please show your current "postconf -n" and the error message from the
>>> postfix logs. Showing error messages from the client or from telnet
>>> is not particularly useful.
>>>
>>> -- Noel Jones
>> My current postconf -n is exactly as above in the mail; I hadn't changed
>> anything, I only pasted the relevant part from master.cf that I
>> changed.
>
> I don't see a postconf -n in this mail. I asked for a new copy to
> make sure of its current contents, and because I deleted your previous
> messages and don't feel like rummaging around in the trash.
I'm sorry, I didn't realize. Here it is :)
postconf -n
biff = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.6.5/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydomain = example.com
myhostname = foo.example.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.5/readme
recipient_delimiter = +
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
virtual_mailbox_limit_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
virtual_maildir_extended = yes
virtual_maildir_limit_message = "Sorry, the recipients mailbox is currently full. Please try again later."
virtual_overquota_bounce = no
virtual_trash_count = no
virtual_trash_name = ".Trash"
virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf
>
>>
>> Apr 21 21:39:19 example postfix/smtpd[21360]: connect from
>> yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
>> Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT
>> from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
>> : 554 5.7.1 <yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]>: Client host
>> rejected: Access denied; proto=SMTP
>> Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from
>> yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
>
> The client was rejected during the CONNECT stage. This implies you
> are using "smtpd_delay_reject = no".
>
> Don't do that, the client doesn't get a chance to authenticate.
Hmm, you are absolutely right here, I was using that. I don't understand however, because I do have 'permit_sasl_auth' before the rbl stuff. It does fix the submission delivery port issue. So thanks on that :) Tested and confirmed! But I don't think this will fix my initial issue, with clients being rejected on the RBL auth issue, does it? I think I did read that smtpd_delay_reject was good. On top of that, I do have it set to no on my own server, where I can send with sasl auth just fine :S I'm still puzzled. I won't be able to verify all this though until tomorrow, when I'm at a PBL'ed ADSL line again.
>
>
>>
>>
>> is the corresponding postfix error; basically what thunderbird
>> reported :)
>
> The postfix log is far more useful; it tells us your problem is (at
> least) you need to unset smtpd_delay_reject. There may be other
> problems exposed once you fix this one.
Alright, I will also attach the log snippets after I have tested the next bit.
>
>> Looking at the message you sent David Cottle, I think he's doing what
>> Matt suggested I should do? Use submission to bypass RBL stuff; I'd
>> gladly add those 2 options as well, but why would they not be in the
>> default config? You'd think that the default submission bit was exactly
>> that, allow users to bypass everything and submit messages directly. I'm
>> too tired to think atm so I'll check it all out again tomorrow :)
>> Sleep well :)
>
> There is no evidence David's client ever authenticates. Not quite the
> same problem. Your client doesn't authenticate either, but that's
> because you don't give them the chance.
>
> Using the "submission" port is an accepted solution to the common
> problems[1] of how to allow mobile users to send mail to your server.
> The main advantage is it allows you to specify a different policy[2]
> for authenticated users.
>
> You can add "-o smtpd_delay_reject=yes" to the submission entry in
> master.cf to ensure that changes to that parameter in main.cf won't
> affect the submission service. But a better solution is just don't
> mess with that setting; leave it at the default "yes".
>
> "submission" is commented out in the default postfix config because a
> relatively small subset of folks using postfix need it, and it's not
> nice to open ports not needed.
>
> [1] IP listed in RBL. ISP or hotspot blocks port 25 access.
>
> [2] accept mail from authenticated clients no matter how screwed up
> their mailer or their IP
>
> -- Noel Jones
I see, thank you so far! I will report my findings when I can.
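The configuration Noel is describing, written out as an added example that is not part of this thread and not Oliver's actual config: a main.cf fragment that keeps smtpd_delay_reject at its default, and a master.cf submission entry that pins the policy for authenticated roaming users regardless of what main.cf says. The RBL list and restriction order are assumptions chosen to mirror the postconf output above; adapt them to your own setup.

```conf
# main.cf (added example). With smtpd_delay_reject = yes, every restriction
# list is evaluated at RCPT TO, after the client has had the chance to AUTH.
# With "no", smtpd_client_restrictions is evaluated at CONNECT, before any
# AUTH command can have been sent, so permit_sasl_authenticated can never
# match there and an RBL-listed dynamic IP is rejected on connect even though
# it would have authenticated a moment later.
smtpd_delay_reject = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# master.cf (added example). The submission service on port 587 overrides the
# main.cf policy: TLS is mandatory, only SASL-authenticated clients may use the
# port, and they are never subject to the RBL checks that apply on port 25.
# Values after -o must not contain whitespace in Postfix of this vintage,
# hence the bare commas.
submission inet n       -       n       -       -       smtpd
  -o smtpd_delay_reject=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

To confirm the change took effect, check `postconf -n smtpd_delay_reject` for the main.cf side and watch the log for a submission test: a client that is still rejected will now be logged as "NOQUEUE: reject: RCPT from ..." rather than "reject: CONNECT from ...", which shows that the restriction ran after the AUTH stage.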