From: Oliver Schinagl on
Hello all,

I've been trying to figure out why a new server I setup using postfix
doesn't allow me to relay messages after I authenticate (using
cyrus-sasl). It appears that I can authenticate just fine, but when I
try to send a message, I get a RBL error. I obviously want my ADSL IP
not to be whitelisted from the sending end (as it's DHCP and just a
regular adsl ip) but I would have expected that after authentication the
RBL would be bypassed?

I thought I pretty much set it up the same way as my older server, which
accepts my mail just fine! Guess I was wrong, and I can't find the
differences.

As I've set up my server, I tried to document it as well as possible over
at the gentoo-wiki;

http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server


The entire postfix server seems to be running excellently as far as I
can tell, except for not being able to send from remote 'internet' IP's
that are on the PBL.

Find below my postconf -n (having replaced the real hostname with
foo.example)
===
postconf -n
biff = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.6.5/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydomain = example.com
myhostname = foo.example.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.5/readme
recipient_delimiter = +
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
bl.spamcop.net
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, permit_mx_backup, check_policy_service
inet:127.0.0.1:2525, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains =
pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
virtual_mailbox_limit_maps =
pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps =
pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
virtual_maildir_extended = yes
virtual_maildir_limit_message = "Sorry, the recipients mailbox is
currently full. Please try again later."
virtual_overquota_bounce = no
virtual_trash_count = no
virtual_trash_name = ".Trash"
virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf

From: mouss on
Oliver Schinagl wrote:
> Hello all,
>
> I've been trying to figure out why a new server I setup using postfix
> doesn't allow me to relay messages after I authenticate (using
> cyrus-sasl). It appears that I can authenticate just fine, but when I
> try to send a message, I get a RBL error. I obviously want my ADSL IP
> not to be whitelisted from the sending end (as it's DHCP and just a
> regular adsl ip) but I would have expected that after authentication the
> RBL would be bypassed?
>

Show logs that prove your claims:
1- user was authenticated
2- relay was denied

for (1), you should find a line like this:
Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888:
client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN,
sasl_username=mouss(a)ml.netoyen.net



> I thought I pretty much set it up the same way as my older server, which
> accepts my mail just fine! Guess I was wrong, and I can't find the
> differences.
>
> As I've set up my server, I tried to document it as well as possible over
> at the gentoo-wiki;
>
> http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>
>
> The entire postfix server seems to be running excellently as far as I
> can tell, except for not being able to send from remote 'internet' IP's
> that are on the PBL.
>
> Find below my postconf -n (having replaced the real hostname with
> foo.example)
> ===
> postconf -n
> biff = no
> broken_sasl_auth_clients = no
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib64/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 1
> disable_vrfy_command = yes
> home_mailbox = .maildir/
> html_directory = /usr/share/doc/postfix-2.6.5/html
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> message_size_limit = 20480000
> mydomain = example.com
> myhostname = foo.example.com
> mynetworks_style = host
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.5/readme
> recipient_delimiter = +
> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtpd_banner = $myhostname NO UCE ESMTP
> smtpd_client_restrictions = permit_mynetworks,
> permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
> zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
> bl.spamcop.net
> smtpd_delay_reject = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_hostname
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, permit_mx_backup, check_policy_service
> inet:127.0.0.1:2525, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = no
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
> smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
> smtpd_tls_loglevel = 0
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> soft_bounce = no
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
> virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
> virtual_mailbox_base = /var/vmail
> virtual_mailbox_domains =
> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
> virtual_mailbox_limit_maps =
> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
> virtual_mailbox_limit_override = yes
> virtual_mailbox_maps =
> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
> virtual_maildir_extended = yes
> virtual_maildir_limit_message = "Sorry, the recipients mailbox is
> currently full. Please try again later."
> virtual_overquota_bounce = no
> virtual_trash_count = no
> virtual_trash_name = ".Trash"
> virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf

From: Noel Jones on
On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>>
> Heh, I suppose it wasn't as straightforward as that; I'll look more into
> it after some sleep, I enabled it with the following:
> submission inet n - n - - smtpd
> # -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> # -o milter_macro_daemon_name=ORIGINATING
> (even tried uncommenting both, which shouldn't matter IMO?)
>
> But got denied errors, telnet didn't tell me much, thunderbird told me
> slightly more:
> An error occurred sending mail: The mail server sent an incorrect
> greeting: 5.7.1<yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]>: Client host
> rejected: Access denied.
> It won't even ask me for my sasl password, nothing. A mystery for the
> next day.

Please show your current "postconf -n" and the error message
from the postfix logs. Showing error messages from the client
or from telnet are not particularly useful.

-- Noel Jones

From: Oliver Schinagl on
On 04/22/10 03:55, Noel Jones wrote:
> On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>>>
>> Heh, I suppose it wasn't as straightforward as that; I'll look more into
>> it after some sleep, I enabled it with the following:
>> submission inet n - n - - smtpd
>> # -o smtpd_tls_security_level=encrypt
>> -o smtpd_sasl_auth_enable=yes
>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> # -o milter_macro_daemon_name=ORIGINATING
>> (even tried uncommenting both, which shouldn't matter IMO?)
>>
>> But got denied errors, telnet didn't tell me much, thunderbird told me
>> slightly more:
>> An error occurred sending mail: The mail server sent an incorrect
>> greeting: 5.7.1<yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]>: Client host
>> rejected: Access denied.
>> It won't even ask me for my sasl password, nothing. A mystery for the
>> next day.
>
> Please show your current "postconf -n" and the error message from the
> postfix logs. Showing error messages from the client or from telnet
> are not particularly useful.
>
> -- Noel Jones
My current postconf -n is exactly as above in the mail; I hadn't changed
anything, I only pasted the relevant part from master.conf that I changed.

Apr 21 21:39:19 example postfix/smtpd[21360]: connect from
yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT
from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
: 554 5.7.1 <yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]>: Client host
rejected: Access denied; proto=SMTP
Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from
yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]


is the corresponding postfix error; basically what Thunderbird reported :)



Looking at the message you sent David Cottle, I think he's doing what
Matt suggested I should do? Use submission to bypass RBL stuff; I'd
gladly add those 2 options as well, but why would they not be in the
default config? You'd think that the default submission bit was exactly
that, allow users to bypass everything and submit messages directly. I'm
too tired to think atm so I'll check it all out again tomorrow :)
Sleep well :)

From: Noel Jones on
On 4/21/2010 9:03 PM, Oliver Schinagl wrote:
> On 04/22/10 03:55, Noel Jones wrote:
>> On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>>>>
>>> Heh, I suppose it wasn't as straightforward as that; I'll look more into
>>> it after some sleep, I enabled it with the following:
>>> submission inet n - n - - smtpd
>>> # -o smtpd_tls_security_level=encrypt
>>> -o smtpd_sasl_auth_enable=yes
>>> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>> # -o milter_macro_daemon_name=ORIGINATING
>>> (even tried uncommenting both, which shouldn't matter IMO?)
>>>
>>> But got denied errors, telnet didn't tell me much, thunderbird told me
>>> slightly more:
>>> An error occurred sending mail: The mail server sent an incorrect
>>> greeting: 5.7.1<yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]>: Client host
>>> rejected: Access denied.
>>> It won't even ask me for my sasl password, nothing. A mystery for the
>>> next day.
>>
>> Please show your current "postconf -n" and the error message from the
>> postfix logs. Showing error messages from the client or from telnet
>> are not particularly useful.
>>
>> -- Noel Jones
> My current postconf -n is exactly as above in the mail; I hadn't changed
> anything, I only pasted the relevant part from master.conf that I changed.

I don't see a postconf -n in this mail. I asked for a new
copy to make sure of its current contents, and because I
deleted your previous messages and don't feel like rummaging
around in the trash.

>
> Apr 21 21:39:19 example postfix/smtpd[21360]: connect from
> yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
> Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT
> from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
> : 554 5.7.1<yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]>: Client host
> rejected: Access denied; proto=SMTP
> Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from
> yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]

The client was rejected during the CONNECT stage. This
implies you are using "smtpd_delay_reject = no".

Don't do that, the client doesn't get a chance to authenticate.


>
>
> is the corresponding postfix error; basically what Thunderbird reported :)

The postfix log is far more useful; it tells us your problem
is (at least) you need to unset smtpd_delay_reject. There may
be other problems exposed once you fix this one.

> Looking at the message you sent David Cottle, I think he's doing what
> Matt suggested I should do? Use submission to bypass RBL stuff; I'd
> gladly add those 2 options as well, but why would they not be in the
> default config? You'd think that the default submission bit was exactly
> that, allow users to bypass everything and submit messages directly. I'm
> too tired to think atm so I'll check it all out again tomorrow :)
> Sleep well :)

There is no evidence David's client ever authenticates. Not
quite the same problem. Your client doesn't authenticate
either, but that's because you don't give them the chance.

Using the "submission" port is an accepted solution to the
common problems[1] of how to allow mobile users to send mail
to your server. The main advantage is it allows you to
specify a different policy[2] for authenticated users.

You can add "-o smtpd_delay_reject=yes" to the submission
entry in master.cf to ensure that changes to that parameter in
main.cf won't affect the submission service. But a better
solution is just don't mess with that setting; leave it at the
default "yes".

"submission" is commented out in the default postfix config
because a relatively small subset of folks using postfix need
it, and it's not nice to open ports not needed.

[1] IP listed in RBL. ISP or hotspot blocks port 25 access.

[2] accept mail from authenticated clients no matter how
screwed up their mailer or their IP

-- Noel Jones
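The two points Noel makes, written out as a configuration fragment. This is an added example, not something any poster in the thread supplied. The smtpd_delay_reject and smtpd_client_restrictions lines come from the original postconf -n and master.cf excerpt; the syslog_name override, the empty smtpd_helo_restrictions override and the smtpd_recipient_restrictions override are my additions and are assumptions about what the submission service should do, not anything the thread prescribes. The TLS-only line is the one the original poster had commented out.

```text
# ---- main.cf: the setting that produced the reject at CONNECT ----
# With delay_reject off, smtpd_client_restrictions is evaluated as soon as
# the client connects. "permit_sasl_authenticated" can never match there,
# because no AUTH command has been sent yet, so a dial-up/ADSL IP falls
# straight through to reject_rbl_client (or to "reject" on the submission
# service) and the client sees "554 5.7.1 ... Client host rejected".
smtpd_delay_reject = no

# ---- main.cf: the fix is simply the Postfix default ----
# Restrictions are now evaluated at RCPT TO, i.e. after EHLO, STARTTLS and
# AUTH have had a chance to happen, so permit_sasl_authenticated can match.
smtpd_delay_reject = yes

# ---- master.cf: a submission (port 587) service with its own policy ----
# Continuation lines MUST start with whitespace. Each -o overrides main.cf
# for this service only; port 25 keeps the RBL checks for incoming MX mail.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_delay_reject=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
```

After reloading, the check mouss asked for is the log line on the submission service: the "client=...,
sasl_method=PLAIN, sasl_username=..." entry must appear before the queue ID, and a reject, if any,
must now be logged as "NOQUEUE: reject: RCPT from ..." rather than "CONNECT from ...". A reject still
logged at CONNECT means smtpd_delay_reject is still "no" for that service. The syslog_name override
makes those submission lines easy to separate from port-25 traffic in the same log.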