On 31 Oct 2019, at 19:52, Andrew Sullivan wrote:

Hi,

I _know_ I am overlooking something, and I need a clue-bat.

I use postscreen on the SMTP (25) port and smtpd on the submission
port; the latter requires authentication via dovecot.  This usually
works except every now and then when sending mail, almost always from
hotel networks (where I spend a lot of time), I get one of these:

Oct 31 23:31:56 mx4 postfix/smtpd[2575]: connect from unknown[66.171.166.114]
Oct 31 23:31:56 mx4 postfix/smtpd[2575]: Anonymous TLS connection established from unknown[66.171.166.114]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 31 23:31:56 mx4 postfix/smtpd[2575]: NOQUEUE: reject: RCPT from unknown[66.171.166.114]: 554 5.7.1 Service unavailable; Client host [66.171.166.114] blocked using sbl.spamhaus.org; https://www.spamhaus.org/sbl/query/SBLCSS; from=<a...@anvilwalrusden.com> to=<REDACTED> proto=ESMTP helo=<anvilwalrusden.com>
Oct 31 23:31:56 mx4 postfix/smtpd[2575]: lost connection after RCPT from unknown[66.171.166.114]
Oct 31 23:31:56 mx4 postfix/smtpd[2575]: disconnect from unknown[66.171.166.114] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6

Are you SURE that's not port 25?

The "postfix/smtpd" label will be used by the smtpd process that postscreen hands off to, so it is helpful to assign a unique syslog_name in master.cf to the smtpd that is run on the submission port.


It seems to me that I have somehow managed to put the DNSBL filters on
my submission port, which seems (1) obviously wrong and (2)
mystifying.  So I'm wondering whether anyone has a hint on what I
should start looking at so that I can fix this.  It's clear to me that
I didn't know what I was doing when I set this up or this wouldn't
have happened; but I'm really, really sure that I am unable to read
all the parts of the documentation now (like this week) to understand
what I did wrong without a clue about where to start digging.  Hence
the plea.


Your master.cf should override whichever smtpd_whatever_restrictions list applies your DNSBL restrictions. For example, I put my DNSBL restrictions (and almost everything else) in smtpd_recipient_restrictions, so my master.cf has this entry:

submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submit
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
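
An added example, not part of the original message and not Postfix's own tooling: a small Python check that reads main.cf and master.cf text and reports, for each inet smtpd service, which DNSBL-carrying restriction lists it still inherits from main.cf and whether syslog_name is overridden. The sample configuration is constructed, the function names are hypothetical, and only the plain "-o name=value" override form is handled.

```python
import re
# Postfix access lists that can carry DNSBL lookups.
LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
         "smtpd_sender_restrictions", "smtpd_relay_restrictions",
         "smtpd_recipient_restrictions", "smtpd_data_restrictions")
DNSBL = re.compile(r"\breject_(rbl_client|rhsbl_\w+)\b")
# Constructed sample input, not taken from either poster's server.
MAIN_CF = """smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client sbl.spamhaus.org
"""
MASTER_CF = """smtp       inet n - n - 1 postscreen
smtpd      pass - - n - - smtpd
submission inet n - n - - smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def dnsbl_lists(main_cf):
    """Names of main.cf restriction lists that contain a DNSBL check."""
    pairs = (line.partition("=") for line in logical_lines(main_cf))
    return {n.strip() for n, _, v in pairs if n.strip() in LISTS and DNSBL.search(v)}

def audit(main_cf, master_cf):
    """Map each inet smtpd service to the problems found for it."""
    risky, report = dnsbl_lists(main_cf), {}
    for f in map(str.split, logical_lines(master_cf)):
        if len(f) < 8 or f[1] != "inet" or f[7] != "smtpd":
            continue  # postscreen and the smtpd it passes to are skipped
        args = f[8:]
        over = {a.split("=", 1)[0] for flag, a in zip(args, args[1:]) if flag == "-o"}
        issues = sorted(f"inherits DNSBL checks via {n}" for n in risky - over)
        if "syslog_name" not in over:
            issues.append("no syslog_name override")
        report[f[0]] = issues
    return report

print(audit(MAIN_CF, MASTER_CF))  # run on the constructed sample
```

On a host without postscreen the port 25 entry is also an inet smtpd service and will be listed; inheriting the DNSBL checks is expected there.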
