-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Since enabling tlsproxy+postscreen I'm seeing greylisting on TLS connections:
Sep 18 16:06:03 smitty postfix/postscreen[11721]: CONNECT from [50.31.151.68]:39082 Sep 18 16:06:10 smitty postfix/tlsproxy[11727]: CONNECT from [50.31.151.68]:39082 Sep 18 16:06:10 smitty postfix/tlsproxy[11727]: setting up TLS connection from [50.31.151.68]:39082 Sep 18 16:06:10 smitty postfix/tlsproxy[11727]: Anonymous TLS connection established from [50.31.151.68]:39082: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) Sep 18 16:06:10 smitty postfix/postscreen[11721]: NOQUEUE: reject: RCPT from [50.31.151.68]:39082: 450 4.3.2 Service currently unavailable; from=<nanog-bounces+zerbey=wibble.co...@nanog.org>, to=<zer...@wibble.co.uk>, proto=ESMTP, helo=<sc1.nanog.org> .... Sep 18 16:22:12 smitty postfix/postscreen[11800]: CONNECT from [50.31.151.68]:48179 Sep 18 16:22:12 smitty postfix/postscreen[11800]: PASS OLD [50.31.151.68]:48179 Sep 18 16:22:12 smitty postfix/smtpd[11802]: connect from sc1.nanog.org[50.31.151.68] Sep 18 16:22:13 smitty postfix/smtpd[11802]: setting up TLS connection from sc1.nanog.org[50.31.151.68] Sep 18 16:22:13 smitty postfix/smtpd[11802]: Anonymous TLS connection established from sc1.nanog.org[50.31.151.68]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) (Message delivers as normal) I don't see anything about this in the postscreen documentation, so I'm wondering if I missed a step?
(postconf -n below) Chris - -- Chris Horry zer...@wibble.co.uk http://www.twitter.com/zerbey $ postconf -n address_verify_map = hash:/etc/postfix/verify_map alias_database = mysql:/etc/postfix/aliases.cf alias_maps = mysql:/etc/postfix/aliases.cf biff = no body_checks = bounce_template_file = /etc/postfix/bounce.cf canonical_maps = mysql:/etc/postfix/canonical.cf command_directory = /usr/sbin config_directory = /etc/postfix content_filter = smtp-amavis:[127.0.0.1]:10024 daemon_directory = /usr/lib/postfix data_directory = /var/lib/postfix debug_peer_level = 2 disable_vrfy_command = yes header_checks = regexp:/etc/postfix/header_checks home_mailbox = Maildir/ html_directory = no inet_interfaces = all inet_protocols = ipv4 local_recipient_maps = mail_owner = postfix mailbox_command = /usr/lib/dovecot/deliver mailbox_size_limit = 51200000 mailq_path = /usr/sbin/mailq manpage_directory = /usr/share/man message_size_limit = 10240000 mime_header_checks = regexp:/etc/postfix/mime mydestination = /etc/postfix/mydestination mydomain = horry.org myhostname = smitty.horry.org mynetworks = $config_directory/mynetworks myorigin = $myhostname newaliases_path = /usr/sbin/newaliases notify_classes = resource, software postscreen_bare_newline_enable = yes postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = bl.spamcop.net, zen.spamhaus.org, cbl.abuseat.org postscreen_greet_action = enforce postscreen_non_smtp_command_enable = yes queue_directory = /var/spool/postfix readme_directory = no relay_recipient_maps = hash:/etc/postfix/relay_recipients relocated_maps = mysql:/etc/postfix/relocated.cf sample_directory = /etc/postfix sendmail_path = /usr/sbin/sendmail setgid_group = postdrop smtp_host_lookup = dns, native smtp_sasl_auth_enable = no smtp_sasl_password_maps = hash:/etc/postfix/saslpass smtp_sasl_security_options = noplaintext smtp_tls_cert_file = $smtpd_tls_cert_file smtp_tls_key_file = $smtpd_tls_key_file smtp_tls_loglevel = 1 smtp_tls_session_cache_database = 
btree:/var/lib/postfix/smtp_scache smtp_use_tls = yes smtpd_banner = $myhostname ESMTP $mail_name smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_pipelining, check_client_access $maintenance_map, reject_invalid_hostname, reject_unlisted_sender, reject_unknown_recipient_domain, reject_unknown_reverse_client_hostname, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_invalid_hostname, cidr:/etc/postfix/cidr, cidr:/etc/postfix/sinokoreacidr, reject_rhsbl_sender dsn.rfc-ignorant.org, permit smtpd_data_restrictions = reject_unauth_pipelining, permit smtpd_delay_reject = yes smtpd_error_sleep_time = 0 smtpd_etrn_restrictions = permit_mynetworks, permit_sasl_authenticated, reject smtpd_helo_required = yes smtpd_proxy_options = speed_adjust smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_sender_access hash:/etc/postfix/check_bounce_sender, check_sender_access hash:/etc/postfix/sender_access, check_recipient_access pcre:/etc/postfix/recipient_checks.pcre check_helo_access hash:/etc/postfix/helo_checks, reject_unauth_destination reject_unlisted_recipient smtpd_restriction_classes = check_bounce_recipient smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = private/auth-client smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks smtpd_tls_CAfile = /etc/postfix/cert/2011-12/demoCA/cacert.pem smtpd_tls_CApath = /usr/local/ssl/certs smtpd_tls_auth_only = no smtpd_tls_cert_file = /etc/postfix/cert/2011-12/newcert.pem smtpd_tls_key_file = /etc/postfix/cert/2011-12/newreq.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache smtpd_use_tls = yes strict_rfc821_envelopes = yes tls_random_source = dev:/dev/urandom transport_maps = mysql:/etc/postfix/transport.cf 
unverified_recipient_reject_code = 550 virtual_alias_maps = mysql:/etc/postfix/virtual.cf virtual_transport = dovecot -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (MingW32) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBY2SMACgkQnAAeGCtMZU5yXACdFTCubf9QrGPip1fNjrRm5vJv jt0An0n5NlR7xAkimqD/3CPQoMQ1z080 =yn8j -----END PGP SIGNATURE-----