On Fri, 10 Jan 2020 at 15:53, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote: > > >> On 10.01.20 12:42, Simon B wrote: > >> >For as long as I can I remember, I have blocked connections purporting > >> >to be my own domain/IP address using a postmapped file called > >> >helo_checks. > >> > > >> >This is checked AFTER permit_sasl_authenticated. > >> > > >> >smtpd_recipient_restrictions = > >> >reject_non_fqdn_sender, > >> >reject_non_fqdn_recipient, > >> >permit_sasl_authenticated, > >> >reject_sender_login_mismatch, > >> >rejected_authenticated_sender_login_mismatch, > >> >check_helo_access hash:/etc/postfix/helo_checks, > >> >. > >> >. > >> >. > >> >permit_mynetworks, > >> >reject_unauth_destination, > >> >a bunch more RBLs, > >> >permit > >> > > >> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up > >> >through debian versions), all mail coming in on > >> >postfix/submission/smtpd is being rejected by the domain check in that > >> >file, even though the user is sasl authenticated. > >> > > >> >Can someone help me figure out why? > >> > > >> >I can probably remove/comment the offending line and rely on other > >> >rejection parameters, but it still rejects a significant of spam > >> >attempts, so I'd prefer to keep it. > > >On Fri, 10 Jan 2020 at 13:39, Matus UHLAR - fantomas <uh...@fantomas.sk> > >wrote: > >> logs? > > On 10.01.20 14:50, Simon B wrote: > >Quite difficult to get logs off the production environment onto my > >office client, hence the redacted smtpd_recipient_restrictions > > > >Jan 10 13:42:22 mail postfix/smtpd[18730] : NOQUEUE: rejectRCPT from > >localhost [127.0.0.1]: 550 5.7.1. <mail.example.net>: Helo command > >rejected: Your server is misconfigured as you are not a member of this > >domain; from=<si...@example.net> to=<si...@example.com> proto=ESMTP > >helo=<mail.example.net> > > ok, this looks like recipient rejection, because of helo checks. > Are you sure those clients did authenticate successfully?
Very :) I can see the authentication attempt succeed, > >> don't you have check_helo_access at different place in any chance? > > > >Good shout. it is also in smtpd_relay_restrictions, but that is > >functionally a one-to-one copy of smtpd_recipient_restrictions > > >> I'm not sure what smtpd_relay_restrictions debian adds to main.cf by > >> default. > > > >nothing in my main.cf is default by debian. It's been painstakingly > >constructed over hears with contributions from this list. > > I guess that upgrade script configured smtpd_recipient_restrictions to > smtpd_relay_restrictions. That's a good guess, because I don't actually remember doing that... But it makes sense to have it the same... > Since it's postfix/submission/smtpd, isn't there anything strange in > master.cf ? Nothing I can see. I'll pick this up Monday and post that. Thanks. Simon
