Hi, I have a postfix-2.8.7 system with amavisd on fedora15 and am having some problems with users being rejected by zen even when connecting to the server using the submission port. I believe this has to do with my smtpd_client_restrictions being incorrect. Because of the way in which I have the ordering, I've had to duplicate the check_client_access and check_sender_access because my original location wasn't effective. I'm just confused.
Probably unrelated, but another issue I'm having is the always_bcc user mail is being duplicated. I've found references to "-o smtp_send_xforward_command=yes" being used to prevent duplicated mail for always_bcc, but I must be doing something wrong here too. I've just noticed I'm using reject_rbl_client and have postscreen using the RBLs as well. I'll remove the ones from the smtpd_client_restrictions, but could this possibly be causing mail to be rejected even when connecting via the submission port? Mar 6 05:29:28 portal postfix/smtpd[21316]: NOQUEUE: reject: RCPT from cpe-76-181-55-14.columbus.res.rr.com[76.XXX.YYY.14]: 554 5.7.1 Service unavailable; Client host [76.XXX.YYY.14] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=76.XXX.YYY.14; from=<pa...@example.com> to=<vi...@example.com> proto=ESMTP helo=<PattyTHINK> Any ideas greatly appreciated. --System Parameters-- mail_version = 2.8.7 hostname = portal.example.com uname = Linux portal.example.com 2.6.41.10-3.fc15.x86_64 #1 SMP Mon Jan 23 15:46:37 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux --Packaging information-- looks like this postfix comes from RPM package: postfix-2.8.7-1.fc15.x86_64 --main.cf non-default parameters-- alias_database = hash:/etc/postfix/aliases alias_maps = hash:/etc/postfix/aliases allow_mail_to_files = alias,forward always_bcc = bcc-user biff = no body_checks = regexp:/etc/postfix/body_checks.pcre bounce_queue_lifetime = 2d content_filter = smtp-amavis:[127.0.0.1]:10024 default_process_limit = 140 delay_warning_time = 4h disable_vrfy_command = yes header_checks = pcre:/etc/postfix/header_checks initial_destination_concurrency = 20 mailbox_command = /usr/bin/procmail mailbox_size_limit = 821200000 manpage_directory = /usr/share/man maximal_queue_lifetime = 2d message_size_limit = 50240000 mime_header_checks = pcre:/etc/postfix/mime_header_checks mydestination = $myhostname, localhost.$mydomain mynetworks = 127.0.0.0/8, 192.168.1.0/24, 68.XXX.YYY.40/29, 64.XXX.YYY.0/27, 66.XXX.YYY.96/28, 204.XXX.YYY.0/24 postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr postscreen_blacklist_action = enforce postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1 postscreen_dnsbl_threshold = 2 postscreen_greet_action = enforce rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps} readme_directory = /usr/share/doc/postfix-2.8.7/README_FILES relay_domains = $mydestination, $transport_maps sample_directory = /usr/share/doc/postfix-2.8.7/samples smtpd_authorized_xforward_hosts = $mynetworks smtpd_client_restrictions = check_client_access cidr:/etc/postfix/sinokorea.cidr, check_client_access cidr:/etc/postfix/asian-ip5.txt smtpd_recipient_restrictions = reject_non_fqdn_recipient, check_client_access hash:/etc/postfix/client_checks_special, check_sender_access hash:/etc/postfix/sender_checks_special, reject_non_fqdn_sender, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_invalid_helo_hostname, check_recipient_access pcre:/etc/postfix/relay_recips_ecartis, check_client_access hash:/etc/postfix/client_checks, check_sender_access hash:/etc/postfix/sender_checks, check_recipient_access pcre:/etc/postfix/relay_recips_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client psbl.surriel.com, permit smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_tls_ask_ccert = yes smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/postfix/newcert/example-startssl-cert.pem smtpd_tls_key_file = /etc/postfix/newcert/example-startssl.key smtpd_tls_loglevel = 2 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache smtp_send_xforward_command = yes smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt smtp_tls_note_starttls_offer = yes smtp_use_tls = yes transport_maps = hash:/etc/postfix/transport virtual_alias_maps = hash:/etc/postfix/virtual --master.cf-- submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING dovecot unix - n n - - pipe flags=DRhu user=dovecot:dovecot argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient} -a "${RECIPIENT}" pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp -o smtp_fallback_relay= showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache smtp-amavis unix - - n - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o smtpd_restriction_classes= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters -o local_header_rewrite_clients= #-o receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks # http://old.nabble.com/duplicate-emails-using-always_bcc-and-amavisd-new-td22872426.html smtp inet n - n - 1 postscreen smtpd pass - - n - - smtpd -o receive_override_options=no_address_mappings dnsblog unix - - n - 0 dnsblog tlsproxy unix - - n - 0 tlsproxy -- end of postfinger output --
