Re: Outlook 2010 problem

Thu, 16 Jun 2011 07:55:09 -0700 

On Thu, Jun 16, 2011 at 07:00:25PM +0530, Jayanta Ghosh wrote:

> Jun 16 12:54:19 mail postfix/smtpd[933]: NOQUEUE: reject: RCPT from
> unknown[115.241.25.154]: 554 5.7.1 <jghosh...@gmail.com>: Recipient
> address rejected: Access denied; from=<bo...@rpg.in> to=<jghosh.
> 2...@gmail.com> proto=ESMTP helo=<JayantaGhosh>

The client connected from 115.241.25.154 and DID NOT use SASL
authentication.

> mynetworks = 127.0.0.0/8, 10.50.0.0/16

Your trusted clients are on 10.50.0.0/16, so this client is not
trusted by IP address.

> smtpd_client_restrictions =
>       check_sender_access hash:/etc/postfix/rbl_sender_exception,
>       reject_rbl_client <too-late-to-hide-access-code>.r.mail-abuse.com,
>       reject_rbl_client <too-late-to-hide-access-code>.q.mail-abuse.com
> smtpd_recipient_restrictions =
>       permit_mynetworks,         
>       permit_auth_destination,
>       permit_sasl_authenticated,
>       reject

The restrictions above are more simply expressed via the more standard:

    smtpd_recipient_restrictions =
            permit_mynetworks,         
            permit_sasl_authenticated,
            reject_unauth_destination,
            # Do you really mean to enforce the RBLs for mynetworks and/or
            # SASL authenticated users? This version exempts the 2 cases,
            # and possibly obviates your rbl_sender_exceptions list.
            #
            check_sender_access hash:/etc/postfix/rbl_sender_exception,
            reject_rbl_client <too-late-to-hide-access-code>.r.mail-abuse.com,
            reject_rbl_client <too-late-to-hide-access-code>.q.mail-abuse.com

You should ask mail-abuse.com for a new access code, your current one has
been compromised. Regardless, with either your, or the more sensible version,
the user in question is naturally rejected, since SASL is not used, and there
is no match against mynetworks.

Finally, excepting RBLs by an easily spoofed sender address may not be wise,
but if you can keep the sender addresses in question secret, and they're not
easily guessed, perhaps that's OK. Generally, RBL exceptions should by client
IP address.

> smtpd_sender_restrictions =
>       permit_mynetworks,
>       check_client_access hash:/etc/postfix/client_access,
>       reject_unknown_sender_domain,        
>       check_sender_access regexp:/etc/postfix/sender_access,        
>       permit_sasl_authenticated

It is not clear what the point of this is, certainly the
permit_sasl_authenticated at the bottom serves no purpose. What
is this group of checks trying to achieve?

-- 
        Viktor.

Reply via email to