On Wed, 15 Jan 2020 at 15:57, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>
>
>
> On Wed, 15 Jan 2020 at 13:36, Simon B <simon.buongio...@gmail.com> wrote:
>>
>> On Wed, 15 Jan 2020 at 13:40, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> >
>> > >> On Mon, Jan 13, 2020 at 06:25:27PM +0100, Simon B wrote:
>> > >> > > > >> >Since upgrading to 2.11 yesterday (yes, I am on a path to 
>> > >> > > > >> >move up
>> > >> > > > >> >through debian versions), all mail coming in on
>> > >> > > > >> >postfix/submission/smtpd is being rejected by the domain 
>> > >> > > > >> >check in that
>> > >> > > > >> >file, even though the user is sasl authenticated.
>> >
>> > >On Mon, 13 Jan 2020 at 18:44, Viktor Dukhovni
>> > ><postfix-us...@dukhovni.org> wrote:
>> > >> Note, Postfix 2.11 (actually 2.10 IIRC) adds "smtpd_relay_restrictions",
>> > >> which you don't override in the submission service definition:
>> >
>> > On 15.01.20 13:19, Simon B wrote:
>> > >Cause and effect in one simple sentence - thanks Viktor!
>> >
>> > if you use debian, the default smtpd_relay_restrictions should contain:
>> >
>> > smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated defer_unauth_destination
>>
>> That results in this:
>> Jan 15 13:32:53 mail postfix/smtpd[743]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 451 4.3.5 Server configuration error;

>> > >Despite the fact that I changed those receiver settings in master.cf to:
>> > >
>> > >#The amavis receiver
>> > >127.0.0.1:10025 inet n - - - - smtpd
>> > >        -o content_filter=
>> > >        -o local_recipient_maps=
>> > >        -o relay_recipient_maps=
>> > >        -o smtpd_restriction_classes=
>> > >        -o smtpd_client_restrictions=permit_mynetworks,reject_plaintext_session
>> > >        -o smtpd_helo_restrictions=permit_mynetworks
>> > >        -o smtpd_sender_restrictions=
>> > >        -o smtpd_recipient_restrictions=permit_mynetworks,reject
>> > >        -o mynetworks=127.0.0.0/8
>> > >        -o strict_rfc821_envelopes=yes
>> > >        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>> > >        -o smtp_bind_address=127.0.0.1
>> > >
>> > >At the moment nothing is going through amavis in either direction, so
>> > >that's a problem...
>> >
>> > are you sure amavis sends mail through port 10025?
>>
>> Hi Matus,
>>
>> Yes, very sure.
>>
>> If I turn on -v logging for that hop, I am concerned about these lines
>> in the log.
>>
>> Jan 15 13:09:01 mail postfix/smtpd[466]: < localhost[127.0.0.1]: EHLO amavisd.localhost
>> Jan 15 13:09:01 mail postfix/smtpd[466]: match_list_match: localhost: no match
>> Jan 15 13:09:01 mail postfix/smtpd[466]: match_list_match: 127.0.0.1: no match
>> and
>> Jan 15 13:09:01 mail postfix/smtpd[466]: generic_checks: name=permit_mynetworks
>> Jan 15 13:09:01 mail postfix/smtpd[466]: permit_mynetworks: localhost 127.0.0.1
>> Jan 15 13:09:01 mail postfix/smtpd[466]: match_hostname: localhost ~? 127.0.0.0/8
>> Jan 15 13:09:01 mail postfix/smtpd[466]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8
>> Jan 15 13:09:01 mail postfix/smtpd[466]: match_list_match: permit_mynetworks: no match
>> culminating in
>> Jan 15 13:09:01 mail postfix/smtpd[466]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <amavisd.localhost>: Helo command rejected: Host not found; from=<si...@example.net> to=<simo...@example.com> proto=ESMTP helo=<amavisd.localhost>
>>
>>
>> permit_mynetworks should be permitting that, not offering no match.
>
>
> Is amavis running on the local machine? The smtpd process listening for
> amavis seems unable to match amavis's IP either to localhost or to 127.0.0.1.
>
> As a workaround you could change the 'permit_mynetworks' setting on this
> smtpd process to 'permit'. If you have firewalled port 10025 it should be
> reasonably safe I think?

Hi Dominic,

So, there was an error in my previous response to Matus - but not a fatal one.

Amavis listens on 10024, and postfix listens on 10025.

That means mail comes in on 587, goes to amavis on 10024 and comes
back on 10025 before going out.

I currently have:
#The amavis receiver
127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=permit_mynetworks
        -o smtpd_helo_restrictions=permit
        -o smtpd_sender_restrictions=
        -o smtpd_relay_restrictions=permit_mynetworks,defer_unauth_destination
        -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient
        -o mynetworks=127.0.0.0/8,[::1]/128
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtp_bind_address=127.0.0.1

and mail is flowing.  I am not happy since the solution to the
original problem has been to make smtpd_helo_restrictions=permit and
even though it's internal we operate a zero-trust policy, and "permit"
is not that.

Thanks for your help, and thanks to Viktor and Matus too.

Regards

Simon
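As an added example (not code from any poster in this thread), a small Python audit of a master.cf re-injection stanza like the 10025 listener above: it parses the `-o` overrides and flags the three points the thread turns on, a missing smtpd_relay_restrictions override (Viktor's note), a mynetworks that does not cover the connecting address (Dominic's question), and a bare `permit` for HELO (Simon's zero-trust concern). The sample stanza is constructed after Simon's, and the finding texts are my own assumptions.

```python
import ipaddress
import re

# Constructed sample stanza, modelled on the 10025 listener in this thread (not from a live system).
SAMPLE_MASTER_CF = """\
#The amavis receiver
127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o smtpd_client_restrictions=permit_mynetworks
        -o smtpd_helo_restrictions=permit
        -o smtpd_relay_restrictions=permit_mynetworks,defer_unauth_destination
        -o mynetworks=127.0.0.0/8,[::1]/128
"""

def parse_master_cf(text):
    """Map service name -> {'command': ..., 'options': {key: value}} from master.cf text."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # indented continuation: "-o key=value" override
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if current is not None and m:
                current["options"][m.group(1)] = m.group(2)
            continue
        fields = line.split()  # service type private unpriv chroot wakeup maxproc command
        if len(fields) >= 8:
            current = {"command": fields[7], "options": {}}
            services[fields[0]] = current
    return services

def audit_reinjection(service, client_ip="127.0.0.1"):
    """Return findings (assumed check names) for a content-filter re-injection listener."""
    opts, findings = service["options"], []
    # Postfix 2.10+ also evaluates smtpd_relay_restrictions; with no override here, main.cf's applies.
    if "smtpd_relay_restrictions" not in opts:
        findings.append("no smtpd_relay_restrictions override; main.cf value applies")
    # permit_mynetworks only matches if the connecting address is inside mynetworks.
    covered = False
    for net in opts.get("mynetworks", "").replace("[", "").replace("]", "").split(","):
        try:
            covered |= ipaddress.ip_address(client_ip) in ipaddress.ip_network(net, strict=False)
        except ValueError:  # empty entry or a non-address pattern such as a table lookup
            pass
    if not covered:
        findings.append(f"{client_ip} is not inside mynetworks={opts.get('mynetworks', '')}")
    # A bare 'permit' accepts any HELO name from anything that can reach the port.
    if opts.get("smtpd_helo_restrictions") == "permit":
        findings.append("smtpd_helo_restrictions=permit relies entirely on the port being firewalled")
    return findings
```

Run it against a real master.cf by passing the file contents to `parse_master_cf` and picking the `127.0.0.1:10025` entry.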
