On Fri, 10 Jan 2020 at 18:22, Simon B <simon.buongio...@gmail.com> wrote: > > On Fri, 10 Jan 2020 at 15:53, Matus UHLAR - fantomas <uh...@fantomas.sk> > wrote: > > > > >> On 10.01.20 12:42, Simon B wrote: > > >> >For as long as I can I remember, I have blocked connections purporting > > >> >to be my own domain/IP address using a postmapped file called > > >> >helo_checks. > > >> > > > >> >This is checked AFTER permit_sasl_authenticated. > > >> > > > >> >smtpd_recipient_restrictions = > > >> >reject_non_fqdn_sender, > > >> >reject_non_fqdn_recipient, > > >> >permit_sasl_authenticated, > > >> >reject_sender_login_mismatch, > > >> >rejected_authenticated_sender_login_mismatch, > > >> >check_helo_access hash:/etc/postfix/helo_checks, > > >> >. > > >> >. > > >> >. > > >> >permit_mynetworks, > > >> >reject_unauth_destination, > > >> >a bunch more RBLs, > > >> >permit > > >> > > > >> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up > > >> >through debian versions), all mail coming in on > > >> >postfix/submission/smtpd is being rejected by the domain check in that > > >> >file, even though the user is sasl authenticated. > > >> > > > >> >Can someone help me figure out why? > > >> > > > >> >I can probably remove/comment the offending line and rely on other > > >> >rejection parameters, but it still rejects a significant of spam > > >> >attempts, so I'd prefer to keep it. > > > > >On Fri, 10 Jan 2020 at 13:39, Matus UHLAR - fantomas <uh...@fantomas.sk> > > >wrote: > > >> logs? > > > > On 10.01.20 14:50, Simon B wrote: > > >Quite difficult to get logs off the production environment onto my > > >office client, hence the redacted smtpd_recipient_restrictions > > > > > >Jan 10 13:42:22 mail postfix/smtpd[18730] : NOQUEUE: rejectRCPT from > > >localhost [127.0.0.1]: 550 5.7.1. <mail.example.net>: Helo command > > >rejected: Your server is misconfigured as you are not a member of this > > >domain; from=<si...@example.net> to=<si...@example.com> proto=ESMTP > > >helo=<mail.example.net> > > > > ok, this looks like recipient rejection, because of helo checks. > > Are you sure those clients did authenticate successfully? > > Very :) I can see the authentication attempt succeed, > > > >> don't you have check_helo_access at different place in any chance? > > > > > >Good shout. it is also in smtpd_relay_restrictions, but that is > > >functionally a one-to-one copy of smtpd_recipient_restrictions > > > > >> I'm not sure what smtpd_relay_restrictions debian adds to main.cf by > > >> default. > > > > > >nothing in my main.cf is default by debian. It's been painstakingly > > >constructed over hears with contributions from this list. > > > > I guess that upgrade script configured smtpd_recipient_restrictions to > > smtpd_relay_restrictions. > > That's a good guess, because I don't actually remember doing that... > But it makes sense to have it the same... > > > Since it's postfix/submission/smtpd, isn't there anything strange in > > master.cf ? > > Nothing I can see. I'll pick this up Monday and post that.
Hi Matus, List root@mail:/etc/postfix# ls master.cf -rw-r--r-- 1 root root 6.4K 2016-01-13 10:43:01 master.cf smtp inet n - - - - smtpd -v submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_delay_reject=yes # -o receive_override_options=no_address_mappings -o always_add_missing_headers=yes -o content_filter=dksign:[127.0.0.1]:10028 -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_tls_security_level=encrypt -o smtpd_tls_auth_only=yes -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject No changes since years, and nothing funky I can see.. I have added -v to the smtpd and will try to debug it like that... Cheers. Simon