On 31.05.21 16:48, Matus UHLAR - fantomas wrote:
looking at postfix logs I found out that with standard restrictions
inherited from main.cf at ports 465/587, the client gets an error message like:
May 30 12:05:04 mail postfix/submission/smtpd[22649]: NOQUEUE: reject: RCPT from unknown[192.0.2.1]:
504 5.5.2 <redacted>: Helo command rejected: need fully-qualified hostname;
from=<x...@example.com> to=<y...@example.com> proto=ESMTP helo=<redacted>
On 31.05.21 11:39, Wietse Venema wrote:
This was blocked by reject_unknown_client_hostname.
still better than not to reject, but this is why I'm searching for a better
way to reject unauthenticated submission(s) clients.
On 31.05.21 16:48, Matus UHLAR - fantomas wrote:
while the proper message could be "authentication required".
standard master.cf contains proposed overrides for submission/submissions
services:
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
On 31.05.21 16:57, Jaroslaw Rafa wrote:
These lines are commented out. Did you uncomment them in master.cf? If you
didn't, then you are probably keeping global values from main.cf for these
parameters without overriding them.
I haven't uncommented these yet, because the $mua_* are undefined/empty,
which would mean no restrictions there, and I want to reject unauthenticated
clients.
On 31.05.21 11:39, Wietse Venema wrote:
If you don't uncomment all lines with
-o smtpd_xxx_restrictions=$mua_xxx_restrictions,
then your submission/smtps service will use the main.cf
smtpd_xxx_restrictions, and that is where you have configured
reject_unknown_client_hostname.
I have lived with this until now, when I realized people could get better
error messages when they don't authenticate.
Which brings me back to the question:
On 31.05.21 16:48, Matus UHLAR - fantomas wrote:
So, I'd go with something like:
mua_client_restrictions=permit_sasl_authenticated, reject
mua_helo_restrictions=permit_sasl_authenticated, reject
...I would not override smtpd_sender_restrictions because I have a list of
senders to be disabled globally.
However, these provide the standard reject_code "554"
even if it was safe to change reject_code to a different value via
-o reject_code=530
that still would only change the basic error code, not the extended code nor
the message.
looking at Google/Hotmail servers they provide error messages:
530-5.7.0 Authentication Required. Learn more at
530 5.7.0 https://support.google.com/mail/?p=WantAuthError z19sm15110351wmk.8 - gsmtp
530 5.7.57 Client not authenticated to send mail.
and I think "530 5.7.0 Authentication Required." would be a better message on
those ports.
what's the cleanest way to force this error?
Can I provide "530 5.7.0 Authentication Required." error in
smtpd_client_restrictions/smtpd_helo_restrictions somehow?
I can think of using:
mua_client_restrictions = permit_sasl_authenticated, check_client_access
    static:{"530 5.7.0 Authentication Required."}
and probably use the same for mua_helo_restrictions (or leave it empty)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
REALITY.SYS corrupted. Press any key to reboot Universe.
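
To check which replies unauthenticated clients on the submission ports actually receive, before and after changing the mua_* restrictions, the reject lines in the log format quoted above can be tallied. This is an added example, not part of the original message: the sample log lines are constructed, and the service names other than postfix/submission (taken from the quoted log line) are assumptions about the syslog_name set in master.cf.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format quoted in the message
# (addresses, hostnames and HELO names are placeholders).
SAMPLE_LOG = """\
May 30 12:05:04 mail postfix/submission/smtpd[22649]: NOQUEUE: reject: RCPT from unknown[192.0.2.1]: 504 5.5.2 <laptop>: Helo command rejected: need fully-qualified hostname; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<laptop>
May 30 12:06:10 mail postfix/smtps/smtpd[22650]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 450 4.7.25 Client host rejected: cannot find your hostname, [192.0.2.7]; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<pc.example.com>
May 30 12:07:30 mail postfix/submission/smtpd[22651]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 530 5.7.0 <unknown[192.0.2.9]>: Client host rejected: Authentication Required.; from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<pc.example.com>
May 30 12:08:00 mail postfix/smtpd[22652]: NOQUEUE: reject: RCPT from unknown[198.51.100.3]: 504 5.5.2 <x>: Helo command rejected: need fully-qualified hostname; from=<s@example.net> to=<b@example.com> proto=ESMTP helo=<x>
"""

# Assumption: the MUA services log under these names (syslog_name in master.cf).
MUA_SERVICES = {"submission", "submissions", "smtps"}

REJECT_RE = re.compile(
    r"postfix/(?P<service>[\w-]+)/smtpd\[\d+\]: NOQUEUE: reject: "
    r"(?P<stage>\w+) from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<text>.*?); ")


def misleading_rejects(log_text, services=MUA_SERVICES):
    """Return rejects on MUA services whose reply is not a 530 5.7.x."""
    hits = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m["service"] not in services:
            continue  # not a reject, or not a submission-type service
        if m["code"] == "530" and m["dsn"].startswith("5.7."):
            continue  # client was already told to authenticate
        reply = f'{m["code"]} {m["dsn"]}'
        hits.append((m["service"], m["client"], reply, m["text"]))
    return hits


def summarize(hits):
    """Count misleading rejects per 'code dsn' pair."""
    return Counter(reply for _, _, reply, _ in hits)


if __name__ == "__main__":
    found = misleading_rejects(SAMPLE_LOG)
    for service, client, reply, text in found:
        print(f"{service:12} {client:24} {reply}  {text}")
    print(dict(summarize(found)))
```
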