On 01/19/17 09:53, Petr Bena wrote:
> On 01/18/17 15:35, Noel Jones wrote:
>> If you need more help, please show "postconf -nf" and "postconf -Mf"
>>
>>
>>
>> -- Noel Jones
> Hi Noel,
>
> Here is the output:
>
> # postconf -nf
> alias_maps = hash:/etc/aliases
> always_add_missing_headers = yes
> bounce_notice_recipient = postmaster
> bounce_queue_lifetime = 5d
> broken_sasl_auth_clients = yes
> command_directory = /opt/zimbra/postfix/sbin
> config_directory = /opt/zimbra/postfix-2.10.3.2z/conf
> content_filter = smtp-amavis:[127.0.0.1]:10024
> daemon_directory = /opt/zimbra/postfix/libexec
> delay_warning_time = 0h
> disable_dns_lookups = no
> header_checks =
> import_environment =
> in_flow_delay = 1s
> inet_protocols = ipv4
> lmtp_connection_cache_destinations =
> lmtp_connection_cache_time_limit = 4s
> lmtp_host_lookup = dns
> local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
> mail_owner = postfix
> mailbox_size_limit = 0
> mailq_path = /opt/zimbra/postfix/sbin/mailq
> manpage_directory = /opt/zimbra/postfix/man
> maximal_backoff_time = 4000s
> message_size_limit = 10240000
> milter_command_timeout = 30s
> milter_connect_timeout = 30s
> milter_content_timeout = 300s
> milter_default_action = tempfail
> minimal_backoff_time = 300s
> mydestination = localhost
> myhostname = in-vx182.prod.homecredit.in
> mynetworks = trimmed
> newaliases_path = /opt/zimbra/postfix/sbin/newaliases
> non_smtpd_milters =
> notify_classes = resource,software
> propagate_unmatched_extensions = canonical
> queue_directory = /opt/zimbra/data/postfix/spool
> queue_run_delay = 300s
> recipient_delimiter =
> relayhost = trimmed
> sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
> sendmail_path = /opt/zimbra/postfix/sbin/sendmail
> setgid_group = zimbra
> smtp_cname_overrides_servername = no
> smtp_fallback_relay =
> smtp_helo_name = $myhostname
> smtp_sasl_auth_enable = no
> smtp_sasl_mechanism_filter =
> smtp_sasl_password_maps =
> smtp_sasl_security_options = noplaintext,noanonymous
> smtp_tls_security_level =
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_client_port_logging = no
> smtpd_client_restrictions = reject_unauth_pipelining
> smtpd_data_restrictions = reject_unauth_pipelining
> smtpd_end_of_data_restrictions =
> smtpd_error_sleep_time = 1s
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_milters =
> smtpd_proxy_timeout = 100s
> smtpd_recipient_restrictions = check_recipient_access
> hash:/opt/zimbra/postfix/conf/recipient_domains,
> reject_unlisted_recipient,
> reject_invalid_helo_hostname, reject_non_fqdn_sender, reject
> smtpd_reject_unlisted_recipient = no
> smtpd_reject_unlisted_sender = no
> smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
> reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = no
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sender_restrictions = check_sender_access
> regexp:/opt/zimbra/postfix/conf/tag_as_originating.re,
> permit_mynetworks,
> permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access
> regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
> smtpd_soft_error_limit = 10
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
> smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtpd_tls_protocols = !SSLv2,!SSLv3
> smtpd_tls_security_level = may
> transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
> virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
> virtual_alias_expansion_limit = 10000
> virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
> virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
> virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
> virtual_transport = error
>
> # postconf -Mf
> smtp inet n - n - - smtpd
> -o smtpd_tls_security_level=may
> 465 inet n - n - - smtpd
> -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions= -o smtpd_data_restrictions=
> -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions=
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
> submission inet n - n - - smtpd
> -o smtpd_etrn_restrictions=reject -o smtpd_sasl_auth_enable=yes
> -o smtpd_tls_security_level=may
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o smtpd_data_restrictions= -o smtpd_helo_restrictions=
> -o smtpd_recipient_restrictions=
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> -o syslog_name=postfix/submission -o
> milter_macro_daemon_name=ORIGINATING
> scan unix - - n - 10 smtp
> -o smtp_send_xforward_command=yes -o disable_mime_output_conversion=yes
> -o smtp_generic_maps=
> pickup unix n - n 60 1 pickup
> cleanup unix n - n - 0 cleanup
> qmgr unix n - n 300 1 qmgr
> tlsmgr unix - - n 1000? 1 tlsmgr
> rewrite unix - - n - - trivial-rewrite
> bounce unix - - n - 0 bounce
> defer unix - - n - 0 bounce
> trace unix - - n - 0 bounce
> verify unix - - n - 1 verify
> flush unix n - n 1000? 0 flush
> proxymap unix - - n - - proxymap
> smtp unix - - n - - smtp
> relay unix - - n - - smtp
> showq unix n - n - - showq
> error unix - - n - - error
> retry unix - - n - - error
> discard unix - - n - - discard
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - n - - lmtp
> anvil unix - - n - 1 anvil
> scache unix - - n - 1 scache
> maildrop unix - n n - - pipe
> flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
> old-cyrus unix - n n - - pipe
> flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
> cyrus unix - n n - - pipe
> user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension}
> ${user}
> uucp unix - n n - - pipe
> flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
> ($recipient)
> ifmail unix - n n - - pipe
> flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp unix - n n - - pipe
> flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
> $recipient
> smtp-amavis unix - - n - 10 smtp
> -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes
> -o disable_dns_lookups=yes -o max_use=20
> [127.0.0.1]:10025 inet n - n - - smtpd
> -o content_filter= -o local_recipient_maps= -o virtual_mailbox_maps=
> -o virtual_alias_maps= -o relay_recipient_maps=
> -o smtpd_restriction_classes= -o smtpd_delay_reject=no
> -o smtpd_client_restrictions=permit_mynetworks,reject
> -o smtpd_data_restrictions= -o smtpd_end_of_data_restrictions=
> -o smtpd_helo_restrictions= -o smtpd_milters= -o
> smtpd_sender_restrictions=
> -o smtpd_reject_unlisted_sender=no -o smtpd_relay_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o mynetworks_style=host -o mynetworks=127.0.0.0/8,[::1]/128
> -o strict_rfc821_envelopes=yes -o smtpd_error_sleep_time=0
> -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000
> -o smtpd_client_connection_count_limit=0
> -o smtpd_client_connection_rate_limit=0
> -o
> receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
> -o local_header_rewrite_clients= -o syslog_name=postfix/amavisd
> [127.0.0.1]:10030 inet n - n - - smtpd
> -o local_recipient_maps= -o virtual_mailbox_maps= -o virtual_alias_maps=
> -o relay_recipient_maps= -o smtpd_restriction_classes=
> -o smtpd_delay_reject=no -o smtpd_milters=inet:localhost:8465
> -o smtpd_client_restrictions=permit_mynetworks,reject
> -o smtpd_sender_restrictions= -o smtpd_helo_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o smtpd_reject_unlisted_sender=no -o smtpd_relay_restrictions=
> -o smtpd_data_restrictions= -o smtpd_end_of_data_restrictions=
> -o syslog_name=postfix/dkimmilter
> -o content_filter=smtp-amavis:[127.0.0.1]:10032
> [127.0.0.1]:10027 inet n n n - - spawn
> -o smtp_send_xforward_command=yes user=zimbra
> argv=/opt/zimbra/postfix-journal/bin/postjournal
> [127.0.0.1]:10028 inet n - n - - smtpd
> -o smtpd_authorized_xforward_hosts=127.0.0.0/8
> -o smtpd_client_restrictions= -o smtpd_proxy_filter=
> -o smtpd_helo_restrictions= -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o smtpd_data_restrictions= -o smtpd_reject_unlisted_sender=no
> -o mynetworks=127.0.0.0/8,[::1]/128
> -o receive_override_options=no_unknown_recipient_checks
> -o syslog_name=postfix/reinject
> [127.0.0.1]:10029 inet n - n - - smtpd
> -o smtpd_client_restrictions= -o smtpd_proxy_filter= -o content_filter=
> -o smtpd_helo_restrictions= -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o smtpd_reject_unlisted_sender=no -o smtpd_data_restrictions=
> -o mynetworks=127.0.0.0/8,[::1]/128
> -o receive_override_options=no_unknown_recipient_checks
> -o syslog_name=postfix/archive
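It seems that the problem is in the configuration for port 465: the guy who
managed to bypass the restriction was using this port to connect to
postfix. The 465 entry in master.cf overrides smtpd_recipient_restrictions
with an empty value, so the recipient restrictions from main.cf are not
applied on that port; the submission entry has the same override. I will
try to change this config and see if it helps.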