Asai:
After investigating this issue further, it looks like there might be
something I'm missing regarding postscreen. My reasoning for this is
yesterday a client said she couldn't send email. I looked at her phone
and the postfix logs and could see that her IP address was being
rejected by postscreen:
Wietse:
As documented ***DO NOT*** run postscreen on the server port
that is used by mail client programs.
Asai:
I'm wondering if I have something wrong in master.cf:
587 inet n - n - - smtpd
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
submission inet n - n - - smtpd
In that case one mistake is that the client connected to the wrong
service: they connected to service smtp(=port 25) instead of service
submission(=port 587). That's also why postscrfeen rejected the
client: the client came from a IP address dynamic pool.
Another mistake may be that you offer AUTH service on port 25.
An unrelated mistake is that you have two submission service entries
in master.cf: one called 587 and one called submission. Only the
last entry will be used, so it is a good idea to remove the first
one.
Wietse
Would it follow then that I should remove the smtp_sasl_mechanism_filter
from main.cf? Would that be causing clients to try to connect via port
25 even though they're set to connect to 587?
[root@triata ~]# postconf -n | grep smtp_
postscreen_non_smtp_command_action = enforce
postscreen_non_smtp_command_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_tls_loglevel = 2
