Asai:
After investigating this issue further, it looks like there might be
something I'm missing regarding postscreen. My reasoning for this is
yesterday a client said she couldn't send email. I looked at her phone
and the postfix logs and could see that her IP address was being
rejected by postscreen:
Wietse:
As documented ***DO NOT*** run postscreen on the server port
that is used by mail client programs.
Asai:
I'm wondering if I have something wrong in master.cf:
587 inet n - n - - smtpd
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
Wietse:
In that case one mistake is that the client connected to the wrong
service: they connected to service smtp(=port 25) instead of service
submission(=port 587). That's also why postscreen rejected the
client: the client came from an IP address dynamic pool.
Another mistake may be that you offer AUTH service on port 25.
An unrelated mistake is that you have two submission service entries
in master.cf: one called 587 and one called submission. Only the
last entry will be used, so it is a good idea to remove the first
one.
Wietse
After doing a little more reading I enabled smtpd_tls_auth_only.
Hopefully that will help.
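
Two of the master.cf points raised in Wietse's reply (the duplicate 587/submission entries, and postscreen placed on a port that mail clients use) can be checked mechanically. The Python below is an added example, not code from the thread or from Postfix; the function names, finding labels and the hard-coded port table are assumptions for illustration, and the sample input is the excerpt quoted above.

```python
# Constructed sample: the master.cf excerpt quoted in the thread.
SAMPLE = """\
587 inet n - n - - smtpd
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
"""

# Well-known service names, hard-coded (assumption) so the check runs offline.
PORTS = {"smtp": 25, "submission": 587, "smtps": 465, "submissions": 465}
CLIENT_PORTS = {587, 465}  # ports that mail client programs submit to


def parse_master_cf(text):
    """Yield (service, type, command) for each service definition line."""
    for raw in text.splitlines():
        # Skip blanks, comments and continuation lines (leading whitespace).
        if not raw.strip() or raw[0].isspace() or raw.startswith("#"):
            continue
        fields = raw.split()
        if len(fields) >= 8:  # name type private unpriv chroot wakeup maxproc command
            yield fields[0], fields[1], fields[7]


def endpoint(service):
    """Split 'host:port' or bare 'port' and resolve a service name to a number."""
    host, _, name = service.rpartition(":")
    port = int(name) if name.isdigit() else PORTS.get(name)
    return host, port


def lint(text):
    """Return findings as (label, port, [service names])."""
    findings, listeners = [], {}
    for service, stype, command in parse_master_cf(text):
        if stype != "inet":
            continue
        host, port = endpoint(service)
        listeners.setdefault((host, port), []).append(service)
        if command == "postscreen" and port in CLIENT_PORTS:
            findings.append(("postscreen-on-client-port", port, [service]))
    for (host, port), names in listeners.items():
        if port is not None and len(names) > 1:
            findings.append(("duplicate-listener", port, names))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Whether AUTH is offered on port 25 cannot be decided from master.cf alone, since it also depends on main.cf, so this check does not cover that point.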