On 04/22/10 03:39, Oliver Schinagl wrote:
> On 04/22/10 02:57, Oliver Schinagl wrote:
>> On 04/22/10 02:42, Matt Hayes wrote:
>>> On 04/21/2010 08:33 PM, Oliver Schinagl wrote:
>>>> On 04/22/10 02:10, Matt Hayes wrote:
>>>>> On 04/21/2010 07:19 PM, Oliver Schinagl wrote:
>>>>>> On 04/21/10 23:47, mouss wrote:
>>>>>>> Oliver Schinagl a écrit :
>>>>>>>> Hello all,
>>>>>>>>
>>>>>>>> I've been trying to figure out why a new server I setup using postfix
>>>>>>>> doesn't allow me to relay messages after I authenticate (using
>>>>>>>> cyrus-sasl). It appears then I can authenticate just fine, but when I
>>>>>>>> try to send a message, I get an RBL error. I obviously want my ADSL IP
>>>>>>>> not to be whitelisted from the sending end (as it's DHCP and just a
>>>>>>>> regular ADSL IP), but I would have expected that after authentication
>>>>>>>> the RBL would be bypassed?
>>>>>>>>
>>>>>>> Show logs that prove your claims:
>>>>>>> 1- user was authenticated
>>>>>>> 2- relay was denied
>>>>>>>
>>>>>>> for (1), you should find a line like this:
>>>>>>> Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888:
>>>>>>> client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN,
>>>>>>> sasl_username=mo...@ml.netoyen.net
>>>>>>>
>>>>>> Sorry for forgetting,
>>>>>>
>>>>>> I can post 2; I'm having trouble finding 1, because I think that's
>>>>>> what's going wrong ;)
>>>>>>
>>>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: connect from
>>>>>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT
>>>>>> from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service
>>>>>> unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org;
>>>>>> http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP
>>>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after
>>>>>> CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from
>>>>>> xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>>>>>
>>>>>> What does work, however, is if I telnet from my own host (which isn't in
>>>>>> the PBL, so it makes testing really hard for me (unless I could fake my
>>>>>> domain temporarily to be on the PBL?)) and AUTH LOGIN and send a message;
>>>>>> it does work, so sasl_auth must be working, right?
>>>>>>
>>>>>> Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63:
>>>>>> client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN,
>>>>>> sasl_username=theuser
>>>>>>
>>>>>>
>>>>>> Either thunderbird isn't trying to auth at all (even though I told it
>>>>>> to) or it gets RBLed before it could even try to auth, which is what I'm
>>>>>> thinking.
>>>>>>
>>>>>> My test box (a different server, basically), which is on the PBL normally,
>>>>>> is down for maintenance atm (broken NIC :S), so all I've got is users
>>>>>> complaining they're unable to send mail on the new server, and I can't
>>>>>> figure out what I have done wrong.
>>>>>>>> I thought I pretty much set it up the same way as my older server, 
>>>>>>>> which
>>>>>>>> accepts my mail just fine! Guess I was wrong, and I can't find the
>>>>>>>> differences.
>>>>>>>>
>>>>>>>> As I've setup my server, I tried to document it as well as possible 
>>>>>>>> over
>>>>>>>> at the gentoo-wiki;
>>>>>>>>
>>>>>>>> http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>>>>>>>>
>>>>>>>>
>>>>>>>> The entire postfix server seems to be running excellently as far as I
>>>>>>>> can tell, except for not being able to send from remote 'internet' IPs
>>>>>>>> that are on the PBL.
>>>>>>>>
>>>>>>>> Find below my postconf -n (having replaced the real hostname with
>>>>>>>> foo.example)
>>>>>>>> ===
>>>>>>>> postconf -n
>>>>>>>> biff = no
>>>>>>>> broken_sasl_auth_clients = no
>>>>>>>> command_directory = /usr/sbin
>>>>>>>> config_directory = /etc/postfix
>>>>>>>> daemon_directory = /usr/lib64/postfix
>>>>>>>> data_directory = /var/lib/postfix
>>>>>>>> debug_peer_level = 1
>>>>>>>> disable_vrfy_command = yes
>>>>>>>> home_mailbox = .maildir/
>>>>>>>> html_directory = /usr/share/doc/postfix-2.6.5/html
>>>>>>>> mail_owner = postfix
>>>>>>>> mailq_path = /usr/bin/mailq
>>>>>>>> manpage_directory = /usr/share/man
>>>>>>>> message_size_limit = 20480000
>>>>>>>> mydomain = example.com
>>>>>>>> myhostname = foo.example.com
>>>>>>>> mynetworks_style = host
>>>>>>>> newaliases_path = /usr/bin/newaliases
>>>>>>>> queue_directory = /var/spool/postfix
>>>>>>>> readme_directory = /usr/share/doc/postfix-2.6.5/readme
>>>>>>>> recipient_delimiter = +
>>>>>>>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
>>>>>>>> sendmail_path = /usr/sbin/sendmail
>>>>>>>> setgid_group = postdrop
>>>>>>>> smtpd_banner = $myhostname NO UCE ESMTP
>>>>>>>> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
>>>>>>>> smtpd_delay_reject = no
>>>>>>>> smtpd_helo_required = yes
>>>>>>>> smtpd_helo_restrictions = reject_invalid_hostname
>>>>>>>> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
>>>>>>>> smtpd_sasl_auth_enable = yes
>>>>>>>> smtpd_sasl_authenticated_header = no
>>>>>>>> smtpd_sasl_local_domain =
>>>>>>>> smtpd_sasl_security_options = noanonymous
>>>>>>>> smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
>>>>>>>> smtpd_tls_auth_only = no
>>>>>>>> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
>>>>>>>> smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
>>>>>>>> smtpd_tls_loglevel = 0
>>>>>>>> smtpd_tls_received_header = yes
>>>>>>>> smtpd_tls_session_cache_timeout = 3600s
>>>>>>>> smtpd_use_tls = yes
>>>>>>>> soft_bounce = no
>>>>>>>> tls_random_source = dev:/dev/urandom
>>>>>>>> unknown_local_recipient_reject_code = 550
>>>>>>>> virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
>>>>>>>> virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
>>>>>>>> virtual_mailbox_base = /var/vmail
>>>>>>>> virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
>>>>>>>> virtual_mailbox_limit_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
>>>>>>>> virtual_mailbox_limit_override = yes
>>>>>>>> virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
>>>>>>>> virtual_maildir_extended = yes
>>>>>>>> virtual_maildir_limit_message = "Sorry, the recipients mailbox is currently full. Please try again later."
>>>>>>>> virtual_overquota_bounce = no
>>>>>>>> virtual_trash_count = no
>>>>>>>> virtual_trash_name = ".Trash"
>>>>>>>> virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf
>>>>> Is there some reason you aren't using the submission port (587) ?
>>>>>
>>>>> -matt
>>>> Because it's the first time I've heard of it! :) (I did notice Google
>>>> was running services on that port, so I suppose that is what that is?)
>>>>
>>>> Years ago I followed the initial howto, and re-wrote the howto from the
>>>> gentoo wiki; neither mentions submission. Also, in the default config it
>>>> is disabled.
>>>>
>>>> I'm all for enabling it too (and updating the howto for it); it brings
>>>> up a few questions though.
>>>> What is it specifically for? It seems it's yet another port to listen for
>>>> incoming mail, but on 587 instead of 25, forcing the use of TLS and SASL
>>>> auth?
>>>> Why is it commented out by default?
>>>> It won't fix why I'm hitting the RBL list when trying to send externally,
>>>> right? Just another way for users to submit their messages?
>>>>
>>>> I do like having it though I admit for when smtps wouldn't be available.
>>> Yes, it is another smtpd; however, it's specifically for user submission
>>> of email.
>>>
>>> This allows you the flexibility to give your authed users ways to bypass
>>> things like RBL checks, and it forces users to authenticate to send
>>> email, which in turn can help verify they are who they say they are, etc.
>>>
>>> -Matt
>> Ok, thanks, I'll enable that one as well; at least I can get my users to
>> mail properly using 587. I'll still have to figure out why auth won't
>> work on the regular port 25 though :S, simply because it bugs me :S
> Heh, I suppose it wasn't as straightforward as that; I'll look more into
> it after some sleep, I enabled it with the following:
> submission inet n       -       n       -       -       smtpd
> #  -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> (even tried uncommenting both, which shouldn't matter imo?)
>
> But got denied errors, telnet didn't tell me much, thunderbird told me
> slightly more:
> An error occurred sending mail: The mail server sent an incorrect
> greeting:  5.7.1 <yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]>: Client host
> rejected: Access denied.
> It won't even ask me for my sasl password, nothing. A mystery for the
> next day.
BTW, I forgot to mention, irony has it that where I cannot send from my
host using 587, I can properly send just fine (assuming using auth,
otherwise I'd be an open relay ...) on port 25 (using TLS) and port 465
(using SSL) from my non-PBL-ed host (so submission won't work at all;
normal submission methods bump into the RBL before authing).

I was reading David Cottle's message and noticed he has something
remotely similar, yet completely different, right? I'll pay attention to
his posts as well :)

Oliver
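
The following is an added example, not code from the thread or from Postfix. It checks a pasted `postconf -n` dump and smtpd log lines for the pattern visible above: per the Postfix documentation for `smtpd_delay_reject`, with the value `no` the `smtpd_client_restrictions` list is evaluated at CONNECT and `smtpd_helo_restrictions` at HELO/EHLO, both before the client has a chance to send AUTH, so a `permit_sasl_authenticated` entry in either list can never match and the `reject_rbl_client` after it fires on every listed client (which is what a `NOQUEUE: reject: CONNECT from ...` log line records). The same applies to a master.cf submission entry that overrides only `smtpd_client_restrictions`, because `smtpd_delay_reject` is inherited from main.cf unless it is overridden there too. The host names and addresses in the sample data are constructed, and the "RBL listed before the SASL permit" ordering check is a heuristic of my own, not a Postfix rule.

```python
"""Added example (not from the thread): audit a 'postconf -n' dump and smtpd
log lines for the 'RBL rejects the client before it can AUTH' pattern."""
import re

# From the Postfix smtpd_delay_reject documentation: with the value "no",
# smtpd_client_restrictions run at CONNECT and smtpd_helo_restrictions at
# HELO/EHLO.  AUTH is only sent after EHLO, so permit_sasl_authenticated in
# those two lists can never match.  MAIL FROM / RCPT TO follow AUTH, so the
# sender and recipient lists are unaffected.
PRE_AUTH_LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions")
ALL_LISTS = PRE_AUTH_LISTS + ("smtpd_sender_restrictions",
                              "smtpd_recipient_restrictions")
PRE_AUTH_STAGES = {"CONNECT", "HELO", "EHLO"}

_PARAM_RE = re.compile(r"^([a-z0-9_]+)\s*=\s*(.*)$")
_RESTRICTION_RE = re.compile(r"(permit|reject|defer|check_|warn_if|sleep)")
_REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>[A-Z-]+) from "
    r"\S+\[(?P<ip>[0-9a-f.:]+)\]: (?P<code>\d{3}) (?P<enh>\d\.\d\.\d) "
    r"(?P<reason>[^;]*)")


def parse_postconf(text):
    """Parse 'postconf -n' output, re-joining lines a mail client wrapped
    (a continuation line carries no 'name =' prefix)."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PARAM_RE.match(line)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
        elif current is not None:
            params[current] = (params[current] + " " + line).strip()
    return params


def split_restrictions(value):
    """Split a restriction list into entries, keeping an argument with the
    restriction it belongs to, e.g. 'reject_rbl_client zen.spamhaus.org'."""
    entries = []
    for tok in value.replace(",", " ").split():
        if not entries or _RESTRICTION_RE.match(tok):
            entries.append(tok)
        else:
            entries[-1] += " " + tok
    return entries


def audit(postconf_text, log_text=""):
    """Return a list of (check, detail) findings."""
    params = parse_postconf(postconf_text)
    delay_reject = params.get("smtpd_delay_reject", "yes").lower()
    findings = []
    for name in ALL_LISTS:
        names = [e.split()[0] for e in split_restrictions(params.get(name, ""))]
        if "permit_sasl_authenticated" not in names:
            continue
        sasl_at = names.index("permit_sasl_authenticated")
        if name in PRE_AUTH_LISTS and delay_reject == "no":
            findings.append(("sasl_permit_unreachable",
                             f"{name} runs before AUTH (smtpd_delay_reject = no); "
                             "set smtpd_delay_reject = yes"))
        # Ordering heuristic of my own: an RBL reject listed ahead of the SASL
        # permit blocks authenticated users on listed IPs in every mode.
        if "reject_rbl_client" in names[:sasl_at]:
            findings.append(("rbl_before_sasl_permit",
                             f"{name}: reject_rbl_client precedes "
                             "permit_sasl_authenticated"))
    for m in _REJECT_RE.finditer(log_text):
        if m.group("stage") in PRE_AUTH_STAGES:
            findings.append(("pre_auth_reject",
                             f"{m.group('ip')} rejected at {m.group('stage')}: "
                             f"{m.group('code')} {m.group('enh')} "
                             f"{m.group('reason').strip()} (no AUTH possible yet)"))
    return findings


# Constructed sample data modelled on the thread: the relevant subset of the
# postconf -n dump, wrapped as a mail client wraps it, plus two log lines
# with documentation addresses in place of the real ones.
SAMPLE_POSTCONF = """\
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated, permit_mx_backup, reject_rbl_client
zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client
bl.spamcop.net
smtpd_delay_reject = no
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, permit_mx_backup, check_policy_service
inet:127.0.0.1:2525, reject_unauth_destination
smtpd_sasl_auth_enable = yes
"""
SAMPLE_LOG = """\
Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT from client.example.net[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=192.0.2.10; proto=SMTP
Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63: client=office.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=theuser
"""

if __name__ == "__main__":
    for check, detail in audit(SAMPLE_POSTCONF, SAMPLE_LOG):
        print(f"[{check}] {detail}")
```

Feed it the real host's `postconf -n` output and a slice of the mail log. Note that `-o` overrides from master.cf (such as the submission entry's `smtpd_client_restrictions`) do not appear in `postconf -n`, so paste those settings in by hand to check a submission service on its own.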
