From: Wietse Venema on
Yves Dorfsman:
> Wietse Venema wrote:
> >
> > There's no reject_unknown_* in there, so this does not reproduce
> > the complaint.
>
> Right, because I had commented them out in order to make it work. I put them
> back, here's the output of postconf -n

It's like sending your brother to the doctor for examination
instead of yourself.

> smtpd_client_restrictions = permit_sasl_authenticated,
> reject_unknown_address, reject_unknown_client,
> reject_unknown_reverse_client_hostname,
> check_client_access hash:/etc/postfix/access,
> reject_rbl_client sbl-xbl.spamhaus.org

This accepts mail from SASL-authenticated clients and rejects
unknown stuff from SASL-unauthenticated clients.

Your mail is rejected because the client is not SASL authenticated.
You probably have an SMTP-based content filter in the middle of
your Postfix system, and failed to configure the post-filter SMTP
server per the FILTER_README instructions.

Wietse

From: Yves Dorfsman on
>
>> smtpd_client_restrictions = permit_sasl_authenticated,
>> reject_unknown_address, reject_unknown_client,
>> reject_unknown_reverse_client_hostname,
>> check_client_access hash:/etc/postfix/access,
>> reject_rbl_client sbl-xbl.spamhaus.org
>
> This accepts mail from SASL-authenticated clients and rejects
> unknown stuff from SASL-unauthenticated clients.
>
> Your mail is rejected because the client is not SASL authenticated.

That's right, I get rejected before I even have the time to authenticate, right
after the helo (I tried manually with telnet).

> You probably have an SMTP-based content filter in the middle of
> your Postfix system, and failed to configure the post-filter SMTP
> server per the FILTER_README instructions.

No I do not.

However I do have helo_restrictions:

postconf -n |grep helo
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_hostname,
reject_invalid_hostname

I will comment them out and see if it works. I suspect they don't do a lot in
terms of fighting spam anyway.

--
Yves. http://www.SollerS.ca/

From: Noel Jones on
On 4/4/2010 8:03 PM, Yves Dorfsman wrote:
>>
>>> smtpd_client_restrictions = permit_sasl_authenticated,
>>> reject_unknown_address, reject_unknown_client,
>>> reject_unknown_reverse_client_hostname, check_client_access
>>> hash:/etc/postfix/access, reject_rbl_client sbl-xbl.spamhaus.org
>>
>> This accepts mail from SASL-authenticated clients and rejects unknown
>> stuff from SASL-unauthenticated clients.
>>
>> Your mail is rejected because the client is not SASL authenticated.
>
> That's right I get rejected before I even have the time to authenticate,
> right after the helo (I tried manually with telnet)

That sounds as if you've set
smtpd_delay_reject = no

Don't do that.


> However I do have helo_restrictions:
>
> postconf -n |grep helo
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_non_fqdn_hostname, reject_invalid_hostname
>
> I will comment them out and see if it works. I suspect they don't do a
> lot in terms of fighting spam anyway.
>

Each smtpd_*_restrictions section should start with
"permit_mynetworks, permit_sasl_authenticated" if you don't
want to reject mail from authorized clients.

It's challenging to give definitive answers when the
conditions keep changing.

-- Noel Jones

From: /dev/rob0 on
On Sun, Apr 04, 2010 at 07:03:56PM -0600, Yves Dorfsman wrote:
> smtpd_helo_restrictions = reject_non_fqdn_hostname,
> reject_invalid_hostname
>
> I will comment them out and see if it works. I suspect they
> don't do a lot in terms of fighting spam anyway.

This guess would be very wrong. reject_non_fqdn_helo_hostname (you
are using deprecated syntax) is the single best low-cost antispam
weapon in the arsenal. When I have checked, it seems to block around
25% of all connections, and no known problems from using it.

Of course, I use it right. If I was going to have client submission
on the same port, I would precede it with the appropriate permit_*
restrictions as needed.

You might also benefit from consolidation of your restrictions into
smtpd_recipient_restrictions. It's easier to understand what's going
on that way.

Reference:
http://www.postfix.org/SMTPD_ACCESS_README.html
--
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header

From: Yves Dorfsman on
Noel Jones wrote:
> On 4/4/2010 8:03 PM, Yves Dorfsman wrote:
>>>
>>> This accepts mail from SASL-authenticated clients and rejects unknown
>>> stuff from SASL-unauthenticated clients.
>>>
>>> Your mail is rejected because the client is not SASL authenticated.
>>
>> That's right I get rejected before I even have the time to authenticate,
>> right after the helo (I tried manually with telnet)
>
> That sounds as if you've set
> smtpd_delay_reject = no

I did indeed. I changed it to yes, and added the sasl_permission to
smtpd_helo_required; kept all the other restrictions, and it is now working
as expected.

It makes sense now, the server needs to give the client a chance to auth with
sasl before rejecting it.

Thanks very much, I really appreciate it.

--
Yves. http://www.SollerS.ca/

gmail, jabber, LiveJournal, nimbuzz, ovi, dreamhost xim.ca:
xmpp:yves(a)zioup.com
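
The behaviour worked out in this thread, as an added example that is not part of the original messages and is not Postfix code: a simplified Python model of when smtpd evaluates each restriction list, with and without smtpd_delay_reject. The client values, the function names and the omission of relay and recipient checks are assumptions made for illustration.

```python
# Simplified model of smtpd restriction staging; not Postfix source code.
CHECKS = {
    "permit_sasl_authenticated":
        lambda s: "PERMIT" if s["authenticated"] else "DUNNO",
    "reject_unknown_client":
        lambda s: "REJECT" if not s["client_dns_ok"] else "DUNNO",
    "reject_non_fqdn_helo_hostname":
        lambda s: "REJECT" if "." not in s["helo"] else "DUNNO",
}
# SMTP stage -> restriction list that belongs to it (relay checks omitted).
STAGE_LIST = {"connect": "smtpd_client_restrictions",
              "helo": "smtpd_helo_restrictions",
              "rcpt": "smtpd_recipient_restrictions"}

def evaluate(restrictions, session):
    """Left to right; the first PERMIT or REJECT ends this list only."""
    for name in restrictions:
        verdict = CHECKS[name](session)
        if verdict != "DUNNO":
            return verdict, name
    return "DUNNO", None

def run_session(cfg, client):
    """Return (outcome, stage, deciding restriction) for one session."""
    session = dict(client, authenticated=False)
    for stage in ("connect", "helo", "auth", "rcpt"):
        if stage == "auth":            # AUTH can only follow EHLO
            session["authenticated"] = client["has_credentials"]
            continue
        if cfg["smtpd_delay_reject"]:  # every list is deferred to RCPT TO
            due = list(STAGE_LIST.values()) if stage == "rcpt" else []
        else:                          # each list runs at its own stage
            due = [STAGE_LIST[stage]]
        for list_name in due:
            verdict, rule = evaluate(cfg.get(list_name, []), session)
            if verdict == "REJECT":    # a REJECT in any list is final
                return "REJECT", stage, rule
    return "ACCEPT", "rcpt", None

# Constructed client: valid SASL credentials, no reverse DNS, bare HELO name.
ROAMING = {"has_credentials": True, "client_dns_ok": False, "helo": "laptop"}
CLIENT = ["permit_sasl_authenticated", "reject_unknown_client"]
HELO = ["reject_non_fqdn_helo_hostname"]

def scenarios():
    """The three configurations the thread passes through, in order."""
    early = {"smtpd_delay_reject": False, "smtpd_client_restrictions": CLIENT,
             "smtpd_helo_restrictions": HELO}
    delayed = dict(early, smtpd_delay_reject=True)
    fixed = dict(delayed,
                 smtpd_helo_restrictions=["permit_sasl_authenticated"] + HELO)
    return [run_session(c, ROAMING) for c in (early, delayed, fixed)]
```

The second scenario shows why a permit in smtpd_client_restrictions is not enough: it ends only that list, so the HELO list still rejects the authenticated client until it also starts with permit_sasl_authenticated.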