From: Yves Dorfsman on
Hello,

I am using postfix version 2.5.6.

For years I have been using the settings:




smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    permit

smtpd_client_restrictions =
    permit_sasl_authenticated,
    reject_unknown_address,
    reject_unknown_client,
    reject_unknown_reverse_client_hostname,
    check_client_access hash:/etc/postfix/access,
    reject_rbl_client sbl-xbl.spamhaus.org



And that has been useful to fight some of the spam.

Now I need to connect from different places, from outside "mynetworks", from
hotels etc... and some of them can't be reverse looked up. So I set up TLS and
sasl, I get prompted for a password and it only accepts the right password, so
it is basically working (and I can see the TLS connection in the log). But,
when I do that from outside mynetworks, and from an IP that cannot be reverse
looked up, the only way I can get it working is by commenting out the three
"*unknown*", otherwise I get a "450 4.7.1 Client host rejected: cannot find
your reverse hostname":




smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    permit


smtpd_client_restrictions =
    permit_sasl_authenticated,
#   reject_unknown_address,
#   reject_unknown_client,
#   reject_unknown_reverse_client_hostname,
    check_client_access hash:/etc/postfix/access,
    reject_rbl_client sbl-xbl.spamhaus.org




Is there any way to tell Postfix to accept to relay mail from an authenticated
host, even if it is on an IP that cannot be reverse looked up, but yet, reject
non-authenticated connections from hosts with this type of address?


I realise this is the wrong mailing list for this, but just in case, is there
a way to tell Thunderbird to use the same password for the smtp connection as
it used for the imap connection?


Thanks.
--
Yves. http://www.SollerS.ca/

From: Wietse Venema on
Yves Dorfsman:
> Hello,
>
> I am using postfix version 2.5.6.
>
> For years I have been using the settings:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     reject_unauth_destination,
>     permit

This allows relaying only from "local" clients.

> smtpd_client_restrictions =
>     permit_sasl_authenticated,
>     reject_unknown_address,
>     reject_unknown_client,
>     reject_unknown_reverse_client_hostname,
>     check_client_access hash:/etc/postfix/access,
>     reject_rbl_client sbl-xbl.spamhaus.org

This allows everything from SASL-authenticated clients, REGARDLESS of
what follows after permit_sasl_authenticated.

> Now I need to connect from different places, from outside "mynetworks", from
> hotels etc... and some of them can't be reverse looked up. So I set up TLS and
> sasl, I get prompted for a password and it only accepts the right password, so
> it is basically working (and I can see the TLS connection in the log). But,
> when I do that from outside mynetworks, and from an IP that cannot be reverse
> looked up, the only way I can get it working is by commenting out the three
> "*unknown*", otherwise I get a "450 4.7.1 Client host rejected: cannot find
> your reverse hostname":

Then Postfix is not configured in the way that YOU believe it is
configured.

This is why you should have followed the mailing list welcome
instructions, and posted "postconf -n" command output instead of
main.cf cut-and-paste fragments.

Here's the welcome message again:

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.

From: Yves Dorfsman on
Wietse Venema wrote:
>>
>> For years I have been using the settings:
>>
>> smtpd_recipient_restrictions =
>>     permit_mynetworks,
>>     reject_unauth_destination,
>>     permit
>
> This allows relaying only from "local" clients.
>
>> smtpd_client_restrictions =
>>     permit_sasl_authenticated,
>>     reject_unknown_address,
>>     reject_unknown_client,
>>     reject_unknown_reverse_client_hostname,
>>     check_client_access hash:/etc/postfix/access,
>>     reject_rbl_client sbl-xbl.spamhaus.org
>
> This allows everything from SASL-authenticated clients, REGARDLESS of
> what follows after permit_sasl_authenticated.

Yes, this is my understanding from the documentation. But then, why do I get
"450 4.7.1 Client host rejected: cannot find your reverse hostname" unless I
comment out the three "reject_*"?


> This is why you should have followed the mailing list welcome
> instructions, and posted "postconf -n" command output instead of
> main.cf cut-and-paste fragments.

Sorry, I apologise, here's the output from my postconf -n:

broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /export/mail
mailbox_size_limit = 1000000000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_domains = $mydomain
message_size_limit = 1000000000
myhostname = home.zioup.com
mynetworks = 127.0.0.0/8,192.168.0.0/21
myorigin = zioup.com
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
relay_domains = $mydestination, woup.net, unikservice.com, unikservice.net,
unikservice.org
relayhost = shawmail.cg.shawcable.net
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_sasl_authenticated,
check_client_access hash:/etc/postfix/access,
reject_rbl_client sbl-xbl.spamhaus.org
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_hostname,
reject_invalid_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/lib/postfix/private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/valias
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_domains = zioup.com sollers.ca
virtual_mailbox_limit = 1000000000
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 1000
virtual_transport = dovecot
virtual_uid_maps = static:5000


--
Yves. http://www.SollerS.ca/

From: Wietse Venema on
Yves Dorfsman:
> Wietse Venema wrote:
> >>
> >> For years I have been using the settings:
> >>
> >> smtpd_recipient_restrictions =
> >>     permit_mynetworks,
> >>     reject_unauth_destination,
> >>     permit
> >
> > This allows relaying only from "local" clients.
> >
> >> smtpd_client_restrictions =
> >>     permit_sasl_authenticated,
> >>     reject_unknown_address,
> >>     reject_unknown_client,
> >>     reject_unknown_reverse_client_hostname,
> >>     check_client_access hash:/etc/postfix/access,
> >>     reject_rbl_client sbl-xbl.spamhaus.org
> >
> > This allows everything from SASL-authenticated clients, REGARDLESS of
> > what follows after permit_sasl_authenticated.
>
> Yes, this is my understanding from the documentation. But then, why do I get
> "450 4.7.1 Client host rejected: cannot find your reverse hostname" unless I
> comment out the three "reject_*"?

Because you did not look at "postconf -n" command output.

> > This is why you should have followed the mailing list welcome
> > instructions, and posted "postconf -n" command output instead of
> > main.cf cut-and-paste fragments.
>
> Sorry, I apologise, here's the output from my postconf -n:

There's no reject_unknown_* in there, so this does not reproduce
the complaint.

Wietse

From: Yves Dorfsman on
Wietse Venema wrote:
>
> There's no reject_unknown_* in there, so this does not reproduce
> the complaint.

Right, because I had commented them out in order to make it work. I put them
back, here's the output of postconf -n


broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /export/mail
mailbox_size_limit = 1000000000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_domains = $mydomain
message_size_limit = 1000000000
myhostname = home.zioup.com
mynetworks = 127.0.0.0/8,192.168.0.0/21
myorigin = zioup.com
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
relay_domains = $mydestination, woup.net, unikservice.com, unikservice.net,
unikservice.org
relayhost = shawmail.cg.shawcable.net
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_sasl_authenticated,
reject_unknown_address, reject_unknown_client,
reject_unknown_reverse_client_hostname,
check_client_access hash:/etc/postfix/access,
reject_rbl_client sbl-xbl.spamhaus.org
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_hostname,
reject_invalid_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/lib/postfix/private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/valias
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_domains = zioup.com sollers.ca
virtual_mailbox_limit = 1000000000
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 1000
virtual_transport = dovecot
virtual_uid_maps = static:5000


--
Yves. http://www.SollerS.ca/

gmail, jabber, LiveJournal, nimbuzz, ovi, dreamhost xim.ca:
xmpp:yves(a)zioup.com
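
An added illustration, not part of the thread and not Postfix code: a simplified Python model of when each restriction list is evaluated, using the two lists from the last `postconf -n` above. It assumes the documented behaviour that with `smtpd_delay_reject = no` the client restrictions run at connect time, before the client can issue AUTH; the `Session` fields and the function names are hypothetical, and restrictions other than the five handled in `evaluate` are skipped.

```python
from dataclasses import dataclass

# Restriction lists copied from the last `postconf -n` in the thread.
CLIENT = ["permit_sasl_authenticated", "reject_unknown_address",
          "reject_unknown_client", "reject_unknown_reverse_client_hostname",
          "check_client_access hash:/etc/postfix/access",
          "reject_rbl_client sbl-xbl.spamhaus.org"]
RCPT = ["permit_sasl_authenticated", "permit_mynetworks",
        "reject_unauth_destination", "permit"]
NO_PTR = "450 4.7.1 Client host rejected: cannot find your reverse hostname"

@dataclass
class Session:                      # hypothetical description of one client
    has_ptr: bool                   # client IP has a reverse DNS record
    in_mynetworks: bool
    sends_auth: bool                # client does STARTTLS + AUTH after EHLO
    rcpt_is_ours: bool = False      # recipient domain is hosted/relayed here

def evaluate(rules, s, authenticated):
    """First match wins; rules that are not modelled fall through."""
    for rule in rules:
        if rule == "permit_sasl_authenticated" and authenticated:
            return "PERMIT"
        if rule == "permit_mynetworks" and s.in_mynetworks:
            return "PERMIT"
        if rule == "reject_unknown_reverse_client_hostname" and not s.has_ptr:
            return NO_PTR
        if rule == "reject_unauth_destination" and not s.rcpt_is_ours:
            return "REJECT relay access denied"
        if rule == "permit":
            return "PERMIT"
    return "PERMIT"                 # end of list: nothing objected

def outcome(s, delay_reject):
    """Return (stage, verdict) for a session under smtpd_delay_reject."""
    if not delay_reject:
        # Client list runs at connect time: AUTH has not happened yet.
        verdict = evaluate(CLIENT, s, authenticated=False)
        if verdict != "PERMIT":
            return ("connect", verdict)
    else:
        # Client list is deferred to RCPT TO, after any AUTH exchange.
        verdict = evaluate(CLIENT, s, authenticated=s.sends_auth)
        if verdict != "PERMIT":
            return ("rcpt", verdict)
    verdict = evaluate(RCPT, s, authenticated=s.sends_auth)
    return ("rcpt", "accepted" if verdict == "PERMIT" else verdict)
```

In this model an authenticating client without reverse DNS is rejected at connect when `smtpd_delay_reject = no` and accepted when it is `yes` (the Postfix default), while an unauthenticated client without reverse DNS is rejected either way.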