On Tue, Mar 06, 2012 at 01:30:59PM -0600, Stan Hoeppner wrote:
> On 3/6/2012 11:03 AM, Alex wrote:
> 
> > --master.cf--
> > submission inet n       -       n       -       -       smtpd
> >   -o smtpd_tls_security_level=encrypt
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> 
>     -o smtpd_recipient_restrictions=

This will not work; smtpd_recipient_restrictions is required. See my 
earlier post for a workable solution.

http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

>     -o smtpd_sender_restrictions=
>     -o smtpd_helo_restrictions=
> 
> >   -o milter_macro_daemon_name=ORIGINATING
> 
> BTW, adding the above lines will fix your current problem.  They 

Not if/when the client fails to authenticate, which given the 
evidence presented, is the only conclusion I can see. (Another 
possibility: incomplete or inaccurate evidence was presented.)

> tell your submission smtpd to ignore those 3 restriction classes 
> defined in main.cf.  You already told it to override 
> smtpd_client_restrictions with new settings, but you didn't 
> override the others, which is the cause of the problem.

On Tue, Mar 06, 2012 at 01:55:10PM -0600, Stan Hoeppner wrote:
> On 3/6/2012 1:23 PM, /dev/rob0 wrote:
> 
> > My two cents on that: when implementing postscreen, leave your 
> > smtpd_*_restrictions alone. They were working before, so keep 
> > them in reserve. For example, when under stress, it is possible 
> > that DNSBL queries will not return before the 2-second timeout 
> > period. In the time it takes to pass the connection to smtpd and 
> > for smtpd to do checks, those queries may have returned and been 
> > cached. It's very cheap to do a DNS query from your local cache.
> 
> Rob, see the recent thread titled "Delay before initial 220 
> greeting". There's more in play in this OP's case WRT dnsbl 
> queries.  In his case it might be better to increase the 2s timeout 
> (if possible) to prevent additional smtpds from spawning.

I saw that thread, but didn't have time to comment on it. I still 
believe that the relatively minor cost of a redundant DNSBL lookup is 
worthwhile. It's not going to cause any additional smtpd, and in the 
vast majority of cases, it will take very little extra time or CPU.

In the event of DNS SERVFAIL responses or timeouts, it can add some 
more time and stress, but that suggests a problem with the resolver 
and/or the DNSBL. I take the risk anyway.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
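An added check, not from this thread or from Postfix itself, that parses a
master.cf fragment (constructed here to mirror the submission stanza quoted
above) and flags an smtpd service whose smtpd_recipient_restrictions override
is empty, while listing which restriction classes still fall through to main.cf.
The parsing rules assumed are master.cf's documented layout: a service line in
column 1 with eight fields, followed by indented "-o name=value" overrides.

```python
import re

# Constructed sample mirroring the stanza quoted in the thread, including the
# empty smtpd_recipient_restrictions override that /dev/rob0 says will not work.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_helo_restrictions=
  -o milter_macro_daemon_name=ORIGINATING
"""

RESTRICTION_CLASSES = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                       "smtpd_sender_restrictions", "smtpd_recipient_restrictions")

def parse_master_cf(text):
    """Return {service: (command, {param: value})} for each master.cf entry.
    A service line starts in column 1 and has eight fields; indented '-o'
    lines are per-service overrides of main.cf parameters."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                     # continuation / override line
            m = re.match(r"\s*-o\s+([A-Za-z0-9_]+)=(.*)$", raw)
            if m and current:
                services[current][1][m.group(1)] = m.group(2).strip()
            continue
        fields = raw.split()
        if len(fields) < 8:                      # not a well-formed service line
            continue
        current = fields[0]
        services[current] = (fields[7], {})
    return services

def audit(services):
    """For every smtpd service: does it override smtpd_recipient_restrictions
    with an empty value (the mistake discussed above), and which restriction
    classes are NOT overridden, so main.cf's settings still apply to it."""
    findings = {}
    for name, (command, overrides) in services.items():
        if command != "smtpd":
            continue
        inherited = [c for c in RESTRICTION_CLASSES if c not in overrides]
        empty_rcpt = overrides.get("smtpd_recipient_restrictions") == ""
        findings[name] = {"inherits_from_main_cf": inherited,
                          "empty_recipient_restrictions": empty_rcpt}
    return findings
```

Running audit(parse_master_cf(open("/etc/postfix/master.cf").read())) on a
real file reports each smtpd listener the same way.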
