Hello,
Thanks for your reply. My postconf -nf and postconf -Mf are below as
is the relevant log portions. I'm suspecting that my various smtpd*
restrictions are wrong.
If you need any other files let me know.
Thanks.
Dave.
#postconf -nf
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
bounce_template_file = /usr/local/etc/postfix/bounce.cf
broken_sasl_auth_clients = no
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = pcre:/usr/local/etc/postfix/header_checks,
regexp:/usr/local/etc/postfix/phish419.regexp
html_directory = /usr/local/share/doc/postfix
in_flow_delay = 1s
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
inet_protocols = ipv4
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}"
milter_protocol = 6
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
minimal_backoff_time = 5m
mydestination = localhost
mydomain = domain.com
myhostname = mail.domain.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks,
cidr:/usr/local/etc/postfix/postscreen_access.cidr,
cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_reply_map =
pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com
bl.mailspike.net swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = drop
queue_directory = /var/spool/postfix
queue_run_delay = 5m
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
show_user_unknown_table_name = no
smtp_helo_timeout = 60s
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_ciphers = high
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3, !TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks check_client_access
hash:/usr/local/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
smtpd_milters = unix:/var/run/rspamd/milter.sock,inet:127.0.0.1:8472
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
reject_unauth_destination check_helo_access
hash:/usr/local/etc/postfix/helo_access, ,check_helo_access
pcre:/usr/local/etc/postfix/helo_checks ,check_sender_mx_access
cidr:/usr/local/etc/postfix/bogus_mx check_sender_access
hash:/usr/local/etc/postfix/safe_addresses check_sender_access
hash:/usr/local/etc/postfix/auto-whtlst check_client_access
cidr:/usr/local/etc/postfix/spamfarms check_client_access
cidr:/usr/local/etc/postfix/sinokorea.cidr check_recipient_access
mysql:/usr/local/etc/postfix/db/recipient-access.cf permit_dnswl_client
list.dnswl.org=127.0.[2..14].[1..3] check_reverse_client_hostname_access
pcre:/usr/local/etc/postfix/fqrdns.pcre
reject_unknown_reverse_client_hostname reject_non_fqdn_sender
reject_invalid_helo_hostname reject_unlisted_recipient reject_rhsbl_client
dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org reject_rhsbl_helo
dbl.spamhaus.org check_policy_service unix:private/spf-policy
check_policy_service unix:private/dovecot-quota check_policy_service
unix:private/p0f-policy
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = reject_non_fqdn_recipient
reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 3
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/local/etc/ssl/acme/domain.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_key_file = /usr/local/etc/ssl/acme/private/domain.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtputf8_enable = yes
soft_bounce = no
spf-policy_time_limit = 3600s
strict_rfc821_envelopes = yes
swap_bangpath = no
tls_high_cipherlist =
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
tls_preempt_cipherlist = yes
tls_ssl_options = no_ticket, no_compression
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/db/aliases.cf
virtual_gid_maps = static:999
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/db/domains.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/db/accounts.cf
virtual_minimum_uid = 999
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:999
#postconf -Mf
smtp inet n - n - 1 postscreen
-o smtpd_sasl_auth_enable=no
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o
smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
-o
smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf
-o tls_preempt_cipherlist=yes
-o cleanup_service_name=submission-header-cleanup
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
submission-header-cleanup unix n - n - 0 cleanup
-o header_checks=regexp:/usr/local/etc/postfix/submission_header_cleanup
spf-policy unix - n n - 0 spawn user=vmail
argv=/usr/local/bin/perl /usr/local/libexec/postfix-policyd-spf-perl
dfilt unix - n n - - pipe flags=Rq
user=filter argv=/usr/local/etc/postfix/disclaimer -f ${sender} -r
${recipient}
scan unix - - n - 16 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
p0f-policy unix - n n - - spawn user=p0f
argv=/usr/local/bin/perl /usr/local/etc/postfix/p0f-policy.pl
#cat postfix.log
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: connect from
Connecting-Host-and-IP
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: Anonymous
TLS connection established from Connecting-Host-and-IP: TLSv1.2 with
cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: NOQUEUE:
reject: RCPT from Connecting-Host-and-IP: 554 5.7.1 <[email protected]>:
Relay access denied; from=<[email protected]> to=<[email protected]>
proto=ESMTP helo=<[192.168.1.107]>
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: disconnect
from Connecting-Host-and-IP ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1
rset=1 quit=1 commands=7/8
On 4/22/18, /dev/rob0 <[email protected]> wrote:
> On Sun, Apr 22, 2018 at 07:24:42PM -0400, David Mehler wrote:
>> Is anyone using Android's Aquamail to send mail through postfix?
>> If so, how do you have it configured?
>>
>> My postfix is rejecting mail from Aquamail because it's helo is:
>>
>> <[192.168.1.1]> basically it's internal ip.
>
> What restriction do you have that is blocking this? Include
> "postconf -nf ; postconf -Mf" and the entire non-verbose logs showing
> the rejection. Perhaps you have a check_helo_access lookup; you
> should also show us what is in that lookup.
>
> While you can, and I do, block such HELOs on port 25, you must not
> apply such a restriction to submitting clients. A HELO like that is
> perfectly valid per RFC.
>
> So perhaps the actual problem is that you're submitting on port 25,
> and your fix is to require users to submit on submission[s], ports
> 587 or 465, and don't accept submitted mail on 25. Your reply as
> detailed above will show this.
>
>> I do not want to remove my restrictions can I get around this with
>> a map?
>
> That would be a bad idea, and anyway, a question we couldn't answer
> without knowing how you blocked it. The various Postfix HELO
> restrictions, such as:
> + reject_invalid_helo_hostname
> + reject_non_fqdn_helo_hostname
> + reject_unknown_helo_hostname
> will NOT block that HELO string.
> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>
