Sorry for the long post, but I am leaving in the entire quoted message.

On Tue, Mar 06, 2012 at 12:03:23PM -0500, Alex wrote:
> I have a postfix-2.8.7 system with amavisd on fedora15 and am
> having some problems with users being rejected by zen even when
> connecting to the server using the submission port. I believe this
> has to do with my smtpd_client_restrictions being incorrect.
> Because of the way in which I have the ordering, I've had to
> duplicate the check_client_access and check_sender_access because
> my original location wasn't effective. I'm just confused.
>
> Probably unrelated, but another issue I'm having is the always_bcc
> user mail is being duplicated. I've found references to "-o
> smtp_send_xforward_command=yes" being used to prevent duplicated mail
> for always_bcc, but I must be doing something wrong here too.
>
> I've just noticed I'm using reject_rbl_client and have postscreen
> using the RBLs as well. I'll remove the ones from the
> smtpd_client_restrictions, but could this possibly be causing mail to
> be rejected even when connecting via the submission port?

My two cents on that: when implementing postscreen, leave your
smtpd_*_restrictions alone. They were working before, so keep them in
reserve. For example, when under stress, it is possible that DNSBL
queries will not return before the 2-second timeout period. In the
time it takes to pass the connection to smtpd and for smtpd to do
checks, those queries may have returned and been cached. It's very
cheap to do a DNS query from your local cache.

> Mar  6 05:29:28 portal postfix/smtpd[21316]: NOQUEUE: reject: RCPT
> from cpe-76-181-55-14.columbus.res.rr.com[76.XXX.YYY.14]: 554 5.7.1
> Service unavailable; Client host [76.XXX.YYY.14] blocked using
> zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=76.XXX.YYY.14;
> from=<pa...@example.com> to=<vi...@example.com> proto=ESMTP
> helo=<PattyTHINK>
>
> Any ideas greatly appreciated.
>
> --System Parameters--
> mail_version = 2.8.7
> hostname = portal.example.com
> uname = Linux portal.example.com 2.6.41.10-3.fc15.x86_64 #1 SMP Mon
>     Jan 23 15:46:37 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> --Packaging information--
> looks like this postfix comes from RPM package: postfix-2.8.7-1.fc15.x86_64
>
> --main.cf non-default parameters--
> alias_database = hash:/etc/postfix/aliases
> alias_maps = hash:/etc/postfix/aliases
> allow_mail_to_files = alias,forward
> always_bcc = bcc-user
> biff = no
> body_checks = regexp:/etc/postfix/body_checks.pcre
> bounce_queue_lifetime = 2d
> content_filter = smtp-amavis:[127.0.0.1]:10024
> default_process_limit = 140
> delay_warning_time = 4h
> disable_vrfy_command = yes
> header_checks = pcre:/etc/postfix/header_checks
> initial_destination_concurrency = 20
> mailbox_command = /usr/bin/procmail
> mailbox_size_limit = 821200000
> manpage_directory = /usr/share/man
> maximal_queue_lifetime = 2d
> message_size_limit = 50240000
> mime_header_checks = pcre:/etc/postfix/mime_header_checks
> mydestination = $myhostname, localhost.$mydomain
> mynetworks = 127.0.0.0/8, 192.168.1.0/24, 68.XXX.YYY.40/29,
>     64.XXX.YYY.0/27, 66.XXX.YYY.96/28, 204.XXX.YYY.0/24
> postscreen_access_list = permit_mynetworks,
>     cidr:/etc/postfix/postscreen_access.cidr
> postscreen_blacklist_action = enforce
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
>     b.barracudacentral.org*1
> postscreen_dnsbl_threshold = 2
> postscreen_greet_action = enforce
> rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
> readme_directory = /usr/share/doc/postfix-2.8.7/README_FILES
> relay_domains = $mydestination, $transport_maps

$mydestination in relay_domains was a backward compatibility measure.
Being listed in $mydestination overrides relay_domains, so you do not
need that.

Listing $transport_maps here can become very dangerous if you later
decide to use transport_maps for other purposes. A popular idea is to
use a special throttled transport for Yahoo ... oops, yahoo.com becomes
one of your relay_domains.

relay_domains without relay_recipient_maps can cause backscatter. You
need either per-address ONLY transport_maps or recipient address
verification. We can't see into your transport_maps, and there is no
evidence of verification being done.

> sample_directory = /usr/share/doc/postfix-2.8.7/samples
> smtpd_authorized_xforward_hosts = $mynetworks
> smtpd_client_restrictions = check_client_access
>     cidr:/etc/postfix/sinokorea.cidr, check_client_access
>     cidr:/etc/postfix/asian-ip5.txt

No DNSBL lookups here.

> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
>     check_client_access hash:/etc/postfix/client_checks_special,
>     check_sender_access hash:/etc/postfix/sender_checks_special,

These access(5) lookups MUST NOT return a permit result. If they do,
you are allowing relay.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

>     reject_non_fqdn_sender, permit_mynetworks, permit_sasl_authenticated,
>     reject_unauth_destination, reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     reject_invalid_helo_hostname, check_recipient_access
>     pcre:/etc/postfix/relay_recips_ecartis, check_client_access
>     hash:/etc/postfix/client_checks, check_sender_access
>     hash:/etc/postfix/sender_checks, check_recipient_access
>     pcre:/etc/postfix/relay_recips_access, reject_rbl_client
>     zen.spamhaus.org, reject_rbl_client psbl.surriel.com, permit

But there it is, long after permit_sasl_authenticated, so an
authenticated client is not affected. We can only guess that
PattyTHINK above failed to authenticate.

> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous, noplaintext
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_tls_ask_ccert = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix/newcert/example-startssl-cert.pem
> smtpd_tls_key_file = /etc/postfix/newcert/example-startssl.key
> smtpd_tls_loglevel = 2
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database =
>     btree:/var/lib/postfix/smtpd_tls_session_cache
> smtp_send_xforward_command = yes
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes
> transport_maps = hash:/etc/postfix/transport
> virtual_alias_maps = hash:/etc/postfix/virtual
>
> --master.cf--
> submission inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject

You might also want to override your smtpd_recipient_restrictions
here. You can define a variable in main.cf, for example:

submission_recipient_restrictions =
    [ stuff that you want applied against submission users ],
    permit_sasl_authenticated, reject

And then use it here:

  -o smtpd_recipient_restrictions=$submission_recipient_restrictions

>   -o milter_macro_daemon_name=ORIGINATING

This also needs "-o syslog_name=postfix/submission", which is a
recently-added default. Thus we can see for sure that we're on
submission and not smtp.

> dovecot    unix  -       n       n       -       -       pipe
>   flags=DRhu user=dovecot:dovecot argv=/usr/libexec/dovecot/deliver -f
>   ${sender} -d ${recipient} -a "${RECIPIENT}"
> pickup     fifo  n       -       n       60      1       pickup
> cleanup    unix  n       -       n       -       0       cleanup
> qmgr       fifo  n       -       n       300     1       qmgr
> tlsmgr     unix  -       -       n       1000?   1       tlsmgr
> rewrite    unix  -       -       n       -       -       trivial-rewrite
> bounce     unix  -       -       n       -       0       bounce
> defer      unix  -       -       n       -       0       bounce
> trace      unix  -       -       n       -       0       bounce
> verify     unix  -       -       n       -       1       verify
> flush      unix  n       -       n       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> proxywrite unix  -       -       n       -       1       proxymap
> smtp       unix  -       -       n       -       -       smtp
> relay      unix  -       -       n       -       -       smtp
>   -o smtp_fallback_relay=
> showq      unix  n       -       n       -       -       showq
> error      unix  -       -       n       -       -       error
> retry      unix  -       -       n       -       -       error
> discard    unix  -       -       n       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       n       -       -       lmtp
> anvil      unix  -       -       n       -       1       anvil
> scache     unix  -       -       n       -       1       scache
> smtp-amavis unix -       -       n       -       2       smtp
>   -o smtp_data_done_timeout=1200
>   -o smtp_send_xforward_command=yes
>   -o disable_dns_lookups=yes
>   -o max_use=20
> 127.0.0.1:10025 inet n   -       n       -       -       smtpd
>   -o content_filter=
>   -o smtpd_delay_reject=no
>   -o smtpd_client_restrictions=permit_mynetworks,reject
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o smtpd_data_restrictions=reject_unauth_pipelining
>   -o smtpd_end_of_data_restrictions=
>   -o smtpd_restriction_classes=
>   -o mynetworks=127.0.0.0/8
>   -o smtpd_error_sleep_time=0
>   -o smtpd_soft_error_limit=1001
>   -o smtpd_hard_error_limit=1000
>   -o smtpd_client_connection_count_limit=0
>   -o smtpd_client_connection_rate_limit=0
>   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
>   -o local_header_rewrite_clients=
>   #-o receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks
>   # http://old.nabble.com/duplicate-emails-using-always_bcc-and-amavisd-new-td22872426.html
> smtp       inet  n       -       n       -       1       postscreen
> smtpd      pass  -       -       n       -       -       smtpd
>   -o receive_override_options=no_address_mappings
> dnsblog    unix  -       -       n       -       0       dnsblog
> tlsproxy   unix  -       -       n       -       0       tlsproxy
>
> -- end of postfinger output --

--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
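The ordering points made in this reply can be checked mechanically. Below is a small lint for a "postconf -n" dump that flags (1) DNSBL or access(5) lookups that run before permit_sasl_authenticated in the same list, which is what rejects authenticated clients, (2) access lookups placed before reject_unauth_destination, where a stray OK/permit result would allow relaying, and (3) $transport_maps in relay_domains plus relay_domains without relay_recipient_maps. This is an added example written for this thread; it is not code from the original post and not a Postfix tool. The dump it reads is constructed from the parameters quoted above (abbreviated), and master.cf -o overrides are not modelled, so its findings describe the main.cf (port 25) smtpd.

```python
"""Lint a "postconf -n" dump for smtpd restriction-ordering problems.
Added example for this thread; not part of the original post and not a
Postfix tool.  SAMPLE is constructed from the quoted parameters."""

from typing import Dict, List, Optional, Tuple

SAMPLE = """\
relay_domains = $mydestination, $transport_maps
smtpd_client_restrictions = check_client_access
    cidr:/etc/postfix/sinokorea.cidr, check_client_access
    cidr:/etc/postfix/asian-ip5.txt
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    check_client_access hash:/etc/postfix/client_checks_special,
    check_sender_access hash:/etc/postfix/sender_checks_special,
    reject_non_fqdn_sender, permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_unknown_sender_domain,
    check_client_access hash:/etc/postfix/client_checks,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client psbl.surriel.com,
    permit
smtpd_sasl_auth_enable = yes
transport_maps = hash:/etc/postfix/transport
"""

# Lists in the order smtpd evaluates them (smtpd_relay_restrictions is 2.10+).
RESTRICTION_LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                     "smtpd_sender_restrictions", "smtpd_relay_restrictions",
                     "smtpd_recipient_restrictions")


def parse_postconf(text: str) -> Dict[str, str]:
    """'name = value' lines; an indented line continues the previous value."""
    params: Dict[str, str] = {}
    current = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params


def takes_argument(name: str) -> bool:
    """check_*_access, check_policy_service, reject_rbl_*, reject_rhsbl_*
    consume the next word (a map, a policy service or a DNSBL domain)."""
    return name.startswith(("check_", "reject_rbl_", "reject_rhsbl_"))


def tokenize(value: str) -> List[Tuple[str, Optional[str]]]:
    """Split a restriction list into (restriction, argument) pairs.
    Postfix accepts commas and/or whitespace between entries."""
    words = value.replace(",", " ").split()
    out: List[Tuple[str, Optional[str]]] = []
    i = 0
    while i < len(words):
        name, arg = words[i], None
        if takes_argument(name) and i + 1 < len(words):
            i += 1
            arg = words[i]
        out.append((name, arg))
        i += 1
    return out


def lint(params: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    lists = {n: tokenize(params.get(n, "")) for n in RESTRICTION_LISTS}

    # 1. A permit_* result only ends the list it sits in, so a DNSBL or
    #    access lookup hits SASL users unless permit_sasl_authenticated
    #    comes earlier in the SAME list.
    for list_name, entries in lists.items():
        names = [n for n, _ in entries]
        sasl_at = (names.index("permit_sasl_authenticated")
                   if "permit_sasl_authenticated" in names else len(names))
        for name, arg in entries[:sasl_at]:
            if name.startswith(("reject_rbl_", "reject_rhsbl_", "check_")):
                label = f"{name} {arg}" if arg else name
                findings.append(f"{list_name}: {label} runs before "
                                "permit_sasl_authenticated and can reject "
                                "authenticated clients")

    # 2. An access(5) lookup before reject_unauth_destination must never
    #    return OK/permit, or the host relays for whatever it matched.
    guarded = False
    for list_name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        entries = lists[list_name]
        names = [n for n, _ in entries]
        if "reject_unauth_destination" not in names:
            continue
        guarded = True
        for name, arg in entries[:names.index("reject_unauth_destination")]:
            if name.startswith("check_") and name.endswith("_access"):
                findings.append(f"{list_name}: {name} {arg} runs before "
                                "reject_unauth_destination; an OK/permit "
                                "result there allows relaying "
                                "(SMTPD_ACCESS_README#danger)")
    if not guarded:
        findings.append("no reject_unauth_destination in smtpd_relay_restrictions "
                        "or smtpd_recipient_restrictions: relay control missing")

    # 3. relay_domains hygiene ($mydestination there is redundant, not harmful).
    relay = [d for d in params.get("relay_domains", "").replace(",", " ").split()
             if d != "$mydestination"]
    if "$transport_maps" in relay:
        findings.append("relay_domains includes $transport_maps: every domain "
                        "keyed in transport_maps becomes a relay domain")
    if relay and not params.get("relay_recipient_maps"):
        findings.append("relay_domains is set but relay_recipient_maps is empty: "
                        "unknown relay recipients are accepted and bounced later "
                        "(backscatter) unless transport_maps is per-address only "
                        "or recipient address verification is used")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_postconf(SAMPLE)):
        print(finding)
```

Run against the real output of "postconf -n" it reports, for the quoted configuration, the two cidr maps in smtpd_client_restrictions and the two *_special maps in smtpd_recipient_restrictions as hitting authenticated clients, the same two *_special maps as needing to never return OK, and the two relay_domains warnings; reject_rbl_client zen.spamhaus.org is not reported because it sits after permit_sasl_authenticated. Note that on the submission service the -o smtpd_client_restrictions override replaces the main.cf list, which this lint does not model.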