On Fri, 10 Jan 2020 at 13:39, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote: > > On 10.01.20 12:42, Simon B wrote: > >For as long as I can I remember, I have blocked connections purporting > >to be my own domain/IP address using a postmapped file called > >helo_checks. > > > >This is checked AFTER permit_sasl_authenticated. > > > >smtpd_recipient_restrictions = > >reject_non_fqdn_sender, > >reject_non_fqdn_recipient, > >permit_sasl_authenticated, > >reject_sender_login_mismatch, > >rejected_authenticated_sender_login_mismatch, > >check_helo_access hash:/etc/postfix/helo_checks, > >. > >. > >. > >permit_mynetworks, > >reject_unauth_destination, > >a bunch more RBLs, > >permit > > > >Since upgrading to 2.11 yesterday (yes, I am on a path to move up > >through debian versions), all mail coming in on > >postfix/submission/smtpd is being rejected by the domain check in that > >file, even though the user is sasl authenticated. > > > >Can someone help me figure out why? > > > >I can probably remove/comment the offending line and rely on other > >rejection parameters, but it still rejects a significant of spam > >attempts, so I'd prefer to keep it. > > logs?
Quite difficult to get logs off the production environment onto my office client, hence the redacted smtpd_recipient_restrictions Jan 10 13:42:22 mail postfix/smtpd[18730] : NOQUEUE: rejectRCPT from localhost [127.0.0.1]: 550 5.7.1. <mail.example.net>: Helo command rejected: Your server is misconfigured as you are not a member of this domain; from=<si...@example.net> to=<si...@example.com> proto=ESMTP helo=<mail.example.net> > don't you have check_helo_access at different place in any chance? Good shout. it is also in smtpd_relay_restrictions, but that is functionally a one-to-one copy of smtpd_recipient_restrictions > I'm not sure what smtpd_relay_restrictions debian adds to main.cf by > default. nothing in my main.cf is default by debian. It's been painstakingly constructed over hears with contributions from this list. Thanks Simon