On 04/22/10 02:42, Matt Hayes wrote:
>
> On 04/21/2010 08:33 PM, Oliver Schinagl wrote:
>
>> On 04/22/10 02:10, Matt Hayes wrote:
>>
>>> On 04/21/2010 07:19 PM, Oliver Schinagl wrote:
>>>
>>>
>>>> On 04/21/10 23:47, mouss wrote:
>>>>
>>>>
>>>>> Oliver Schinagl a écrit :
>>>>>
>>>>>
>>>>>
>>>>>> Hello all,
>>>>>>
>>>>>> I've been trying to figure out why a new server I setup using postfix
>>>>>> doesn't allow me to relay messages after I authenticate (using
>>>>>> cyrus-sasl). It appears then I can authenticate just fine, but when I
>>>>>> try to send a message, I get a RBL error. I obviously want my ADSL IP
>>>>>> not to be whitelisted from the sending end (as it's dhcp and just a
>>>>>> regular adsl ip) but I would have expected that after authentication the
>>>>>> RBL would be bypassed?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> Show logs that prove your claims:
>>>>> 1- user was authenticated
>>>>> 2- relay was denied
>>>>>
>>>>> for (1), you should find a line like this:
>>>>> Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888:
>>>>> client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN,
>>>>> sasl_username=mo...@ml.netoyen.net
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Sorry for forgetting,
>>>>
>>>> I can post 2; I'm having troubles finding 1, because I think that's
>>>> whats going wrong ;)
>>>>
>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: connect from
>>>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT
>>>> from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service
>>>> unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org;
>>>> http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP
>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after
>>>> CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from
>>>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>>>
>>>> What does work however, is if i telnet from my own host (which isn't in
>>>> the pbl so it makes testing for me really hard (unless I could fake my
>>>> domain temporarly to be on the pbl?) and AUTH LOGIN and send a message
>>>> it does work, so sasl_auth must be working right?
>>>>
>>>> Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63:
>>>> client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN,
>>>> sasl_username=theuser
>>>>
>>>>
>>>> Either thunderbird isn't trying to auth at all (even though I told it
>>>> to) or it gets RBLed before it could even try to auth, which is what I'm
>>>> thinking.
>>>>
>>>> My test box, (diff server basically) which is on the pbl normally, is
>>>> down for maintanance atm (broken nic :S) so all I got is users
>>>> complaining unable to send mail on the new server, and I can't figure
>>>> out what I have done wrong.
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>> I thought I pretty much set it up the same way as my older server, which
>>>>>> accepts my mail just fine! Guess I was wrong, and I can't find the
>>>>>> differences.
>>>>>>
>>>>>> As I've setup my server, I tried to document it as well as possible over
>>>>>> at the gentoo-wiki;
>>>>>>
>>>>>> http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>>>>>>
>>>>>>
>>>>>> The entire postfix server seems to be running excellently as far as I
>>>>>> can tell, except for not being able to send from remote 'internet' IP's
>>>>>> that are on the PBL.
>>>>>>
>>>>>> Find below my postconf -n (having replaced the real hostname with
>>>>>> foo.example)
>>>>>> ===
>>>>>> postconf -n
>>>>>> biff = no
>>>>>> broken_sasl_auth_clients = no
>>>>>> command_directory = /usr/sbin
>>>>>> config_directory = /etc/postfix
>>>>>> daemon_directory = /usr/lib64/postfix
>>>>>> data_directory = /var/lib/postfix
>>>>>> debug_peer_level = 1
>>>>>> disable_vrfy_command = yes
>>>>>> home_mailbox = .maildir/
>>>>>> html_directory = /usr/share/doc/postfix-2.6.5/html
>>>>>> mail_owner = postfix
>>>>>> mailq_path = /usr/bin/mailq
>>>>>> manpage_directory = /usr/share/man
>>>>>> message_size_limit = 20480000
>>>>>> mydomain = example.com
>>>>>> myhostname = foo.example.com
>>>>>> mynetworks_style = host
>>>>>> newaliases_path = /usr/bin/newaliases
>>>>>> queue_directory = /var/spool/postfix
>>>>>> readme_directory = /usr/share/doc/postfix-2.6.5/readme
>>>>>> recipient_delimiter = +
>>>>>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
>>>>>> sendmail_path = /usr/sbin/sendmail
>>>>>> setgid_group = postdrop
>>>>>> smtpd_banner = $myhostname NO UCE ESMTP
>>>>>> smtpd_client_restrictions = permit_mynetworks,
>>>>>> permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
>>>>>> zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
>>>>>> bl.spamcop.net
>>>>>> smtpd_delay_reject = no
>>>>>> smtpd_helo_required = yes
>>>>>> smtpd_helo_restrictions = reject_invalid_hostname
>>>>>> smtpd_recipient_restrictions = permit_mynetworks,
>>>>>> permit_sasl_authenticated, permit_mx_backup, check_policy_service
>>>>>> inet:127.0.0.1:2525, reject_unauth_destination
>>>>>> smtpd_sasl_auth_enable = yes
>>>>>> smtpd_sasl_authenticated_header = no
>>>>>> smtpd_sasl_local_domain =
>>>>>> smtpd_sasl_security_options = noanonymous
>>>>>> smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
>>>>>> smtpd_tls_auth_only = no
>>>>>> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
>>>>>> smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
>>>>>> smtpd_tls_loglevel = 0
>>>>>> smtpd_tls_received_header = yes
>>>>>> smtpd_tls_session_cache_timeout = 3600s
>>>>>> smtpd_use_tls = yes
>>>>>> soft_bounce = no
>>>>>> tls_random_source = dev:/dev/urandom
>>>>>> unknown_local_recipient_reject_code = 550
>>>>>> virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
>>>>>> virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
>>>>>> virtual_mailbox_base = /var/vmail
>>>>>> virtual_mailbox_domains =
>>>>>> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
>>>>>> virtual_mailbox_limit_maps =
>>>>>> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
>>>>>> virtual_mailbox_limit_override = yes
>>>>>> virtual_mailbox_maps =
>>>>>> pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
>>>>>> virtual_maildir_extended = yes
>>>>>> virtual_maildir_limit_message = "Sorry, the recipients mailbox is
>>>>>> currently full. Please try again later."
>>>>>> virtual_overquota_bounce = no
>>>>>> virtual_trash_count = no
>>>>>> virtual_trash_name = ".Trash"
>>>>>> virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>> Is there some reason you aren't using the submission port (587) ?
>>>
>>> -matt
>>>
>>>
>> Because it's the first time I've heard of it! :) (I did notice google
>> was running services on that port, so I suppose that is what that is?)
>>
>> I followed years ago the inital howto, and re-wrote the howto from the
>> gentoo wiki, neither mention submission. Also in the default config it
>> is disabled.
>>
>> I'm all for enabling it too (and updating the howto for it); It brings
>> up a few questions though.
>> What is it speficially for? It seems it's yet another port to listen for
>> incoming mail, but on 587 instead of 25 forcing the use of TLS and Sasl
>> auth?
>> Why is it commented default?
>> It won't fix why i'm hitting the RBL list when trying to send externally
>> right? Just a nother way for users to submit their messages?
>>
>> I do like having it though I admit for when smtps wouldn't be available.
>>
>
> Yes, it is another smtpd, however, its specifically for user submission
> of email.
>
> This allows you the flexibility to give your authed users ways to bypass
> things like.. RBL checks and it forces users to authenticate to send
> email, which in-turn, can help verify they are who they say they are etc.
>
> -Matt
>
Ok, thanks I'll enable that one as well, atleast I can get my users to
mail properly using 587; I'll still have to figure out why auth won't
work on the regular port 25 though :S, simply because it bugs me :S
