Re: Illegal block?

2012-01-06 Thread Tolga



On 01/06/2012 03:23 AM, Benny Pedersen wrote:

> On Tue, 03 Jan 2012 23:37:16 +0200, Tolga wrote:
>
>> Jan  3 15:58:44 bilgisayarciniz postfix/smtpd[6179]: NOQUEUE: reject:
>> RCPT from unknown[85.95.233.13]: 554 5.7.1 Service unavailable; Client
>> host [85.95.233.13] blocked using sbl.spamhaus.org;
>> http://www.spamhaus.org/SBL/sbl.lasso?query=SBL100619;
>> from= to= proto=ESMTP
>> helo=
>
> smtpd is not local problem, is it a user that remotely try to do sasl
> auth ?
>
> if not all is well, but you know that x.x.0.0/16 is a lot of client/mta
> ips ?

I'll take that out. I don't use it in anyway and I don't know where that
came from.


Re: Illegal block?

2012-01-06 Thread Tolga



On 01/03/2012 11:57 PM, Reindl Harald wrote:

> On 03.01.2012 22:37, Tolga wrote:
>> Hi,
>>
>> I thought I'd check the logs today, and I found something curious to me:
>>
>> Jan  3 15:58:44 bilgisayarciniz postfix/smtpd[6179]: NOQUEUE: reject: RCPT from
>> unknown[85.95.233.13]: 554 5.7.1
>> Service unavailable; Client host [85.95.233.13] blocked using sbl.spamhaus.org;
>> http://www.spamhaus.org/SBL/sbl.lasso?query=SBL100619; from=
>> to=
>> proto=ESMTP helo=
>>
>> There are many lines of such logs, all with different from addresses and
>> different helo addresses, except that the
>> IP is always the same, 85.95.233.1? (? is between 1 and 9). It resolves to
>> localhost.mail.localdomain. What could
>> cause such behaviour?
>
> do not use a RBL if you do not want to live with the results
>
> there is nothing illegal
> THEY decided for whatever reason to put the IP on their blacklist
> YOU decided to trust them
>
> your choice, if you are not happy complain at spamhaus.org or consider not to
> use
> blacklists which are believing they are the law and blocked a national
> tld-registry
> because they did not delete domains spamhaus wanted to be deleted

I'm not unhappy with using a RBL. I was just wondering how come all that
85.95.233.1[1-9] IP addresses all resolved to
localhost.mail.localdomain, since ozelsektor.net resolves to 95.173.166.9.


Re: Postfix Mac Aministration

2012-01-06 Thread Eric Lemings

On Jan 4, 2012, at 9:54 PM, /dev/rob0 wrote:

> On Wednesday 04 January 2012 20:45:23 Eric Lemings wrote:
> ...
>> smtpd_recipient_restrictions =
> 
> BTW "client" != "recipient", in case that is what you meant by 
> duplicated settings. They are different settings, but functionally 
> similar. You could consolidate all of your restrictions into 
> smtpd_recipient_restrictions. Unless you need complex whitelisting, 
> it's usually easier that way, to only maintain one set of 
> restrictions.

After this was suggested twice, I figure it's probably a good idea so I 
consolidated smtpd_client_restrictions into smtpd_recipient_restrictions.  :)

> ...
> I could suggest signing up for the Barracuda BRBL and using Spam-
> eating Monkey, and could nitpick some of the postconf, but overall 
> it's not that bad, you have sane and strong antispam controls in 
> place. Maybe share logs and samples of the spam you got?
> 
> One WAG I came up with: are you using a DNS forwarder which is 
> probably blocked by Spamhaus? Try testing, from the Postfix host:
>  $ dig 2.0.0.127.zen.spamhaus.org. any
> This should return their test records. Compare with NXDOMAIN here:
>  $ dig 2.0.0.127.zen.spamhaus.org. any @8.8.4.4

I ran these two dig commands.  Here's the output from my mail server:

[root@myhost postfix]$ dig 2.0.0.127.zen.spamhaus.org. any

; <<>> DiG 9.7.3-P3 <<>> 2.0.0.127.zen.spamhaus.org. any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48990
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org. IN  ANY

;; ANSWER SECTION:
2.0.0.127.zen.spamhaus.org. 900 IN  A   127.0.0.2
2.0.0.127.zen.spamhaus.org. 900 IN  A   127.0.0.10
2.0.0.127.zen.spamhaus.org. 900 IN  A   127.0.0.4
2.0.0.127.zen.spamhaus.org. 900 IN  TXT "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL233";
2.0.0.127.zen.spamhaus.org. 900 IN  TXT "http://www.spamhaus.org/query/bl?ip=127.0.0.2";

;; Query time: 58 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Fri Jan  6 01:40:57 2012
;; MSG SIZE  rcvd: 213

[root@myhost postfix]$ dig 2.0.0.127.zen.spamhaus.org. any @8.8.4.4

; <<>> DiG 9.7.3-P3 <<>> 2.0.0.127.zen.spamhaus.org. any @8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33677
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org. IN  ANY

;; AUTHORITY SECTION:
zen.spamhaus.org.   150 IN  SOA need.to.know.only. hostmaster.spamhaus.org. 1201060830 3600 600 432000 150

;; Query time: 157 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Fri Jan  6 01:43:09 2012
;; MSG SIZE  rcvd: 108

Not sure how to interpret that output though.

It seems the new spam control measures in my Postfix configuration may actually 
be working now.  The quantity has tapered off significantly after the initial 
flood of spam which may have been queued up retries I'm guessing.

Eric.
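
The two dig results in the message above can be read mechanically: the 127.0.0.2 test entry is always listed, so what the resolver returns for it shows whether that resolver gets real DNSBL answers. The Python below is an added example, not code from any poster or from Postfix; the function names are hypothetical, the return-code table is a subset taken from Spamhaus documentation, and the two samples are abridged from the output above (the third is constructed).

```python
import ipaddress
import re

# zen.spamhaus.org return codes (subset, per Spamhaus documentation).
ZEN_LISTS = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def dnsbl_qname(ip, zone):
    """Query name for a DNSBL lookup: reversed address labels + zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer   # 2.0.0.127.in-addr.arpa
    return rev.rsplit(".", 2)[0] + "." + zone.rstrip(".")

def parse_dig(text):
    """Pull status, answering server and A records out of dig output."""
    status = re.search(r"status: (\w+)", text)
    server = re.search(r"^;; SERVER: ([^#\s]+)", text, re.M)
    a_records = re.findall(
        r"^[^;\s]\S*[ \t]+\d+[ \t]+IN[ \t]+A[ \t]+(\S+)", text, re.M)
    return {
        "status": status.group(1) if status else None,
        "server": server.group(1) if server else None,
        "a_records": a_records,
    }

def assess_test_point(text):
    """Classify a lookup of the always-listed 127.0.0.2 test entry."""
    r = parse_dig(text)
    if any(a.startswith("127.255.255.") for a in r["a_records"]):
        return "error-code"   # DNSBL signals a query problem, not a listing
    if r["status"] == "NOERROR" and "127.0.0.2" in r["a_records"]:
        return "working"
    if r["status"] == "NXDOMAIN":
        return "not-served"   # test entry missing: this resolver gets no data
    return "inconclusive"

def lists_hit(text):
    """Names of the zen component lists present in the answer."""
    records = parse_dig(text)["a_records"]
    return sorted({ZEN_LISTS[a] for a in records if a in ZEN_LISTS})

# Abridged from the dig output in the message above.
LOCAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48990
;; ANSWER SECTION:
2.0.0.127.zen.spamhaus.org. 900 IN  A   127.0.0.2
2.0.0.127.zen.spamhaus.org. 900 IN  A   127.0.0.10
2.0.0.127.zen.spamhaus.org. 900 IN  A   127.0.0.4
;; SERVER: 192.168.0.1#53(192.168.0.1)
"""
PUBLIC = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33677
;; AUTHORITY SECTION:
zen.spamhaus.org.   150 IN  SOA need.to.know.only. hostmaster.spamhaus.org. 1201060830 3600 600 432000 150
;; SERVER: 8.8.4.4#53(8.8.4.4)
"""
# Constructed sample: an error return code instead of a listing.
REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
2.0.0.127.zen.spamhaus.org. 60 IN  A   127.255.255.254
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

if __name__ == "__main__":
    print(dnsbl_qname("127.0.0.2", "zen.spamhaus.org"))
    for label, sample in (("local", LOCAL), ("public", PUBLIC), ("refused", REFUSED)):
        print(label, parse_dig(sample)["server"], assess_test_point(sample), lists_hit(sample))
```

A mail server whose resolver yields "not-served" or "error-code" for the test entry will never reject on that DNSBL, however the restrictions are written.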



Re: Postfix & cyrus-sasl 2.1.25 issues

2012-01-06 Thread Eray Aslan
On Thu, Jan 05, 2012 at 04:46:08PM -0800, Quanah Gibson-Mount wrote:
> Thus my question as to whether or 
> not anyone has gotten 2.1.25 to work with Postfix at all.  If someone can 
> confirm they have SMTP auth working with a Cyrus-SASL 2.1.25 linked 
> Postfix, then it gives me other avenues to examine.

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 london0.caf.com.tr ESMTP Postfix
ehlo localhost
250-london0.caf.com.tr
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN 
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
Connection closed by foreign host.

# saslauthd -v
saslauthd 2.1.25
authentication mechanisms: sasldb getpwent pam rimap shadow

# postconf mail_version
mail_version = 2.8.7

Tested with ldap as well.  Also no problem.

FWIW, here is with cyrus-imap:

# imtest -a eras localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN
AUTH=LOGIN
SASL-IR] london0.caf.com.tr Cyrus IMAP v2.4.12 server ready
Please enter your password: 
C: A01 AUTHENTICATE PLAIN 
S: A01 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxte QUOTA
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ
SORT=DISPLAY
THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE LIST-EXTENDED
WITHIN
QRESYNC SCAN XLIST URLAUTH URLAUTH=BINARY X-NETSCAPE LOGINDISABLED
COMPRESS=DEFLATE IDLE] Success (no protection)
Authenticated.
Security strength factor: 0
a logout
* BYE LOGOUT received
a OK Completed
Connection closed.


There are reports of broken PLAIN and LOGIN mechs with cyrus-sasl
2.1.25.  But I can't reproduce it.

-- 
Eray Aslan


Re: Postfix Mac Aministration

2012-01-06 Thread Eric Lemings

On Jan 5, 2012, at 2:33 AM, Stan Hoeppner wrote:

> On 1/4/2012 10:54 PM, /dev/rob0 wrote:
> 
>> You could consolidate all of your restrictions into 
>> smtpd_recipient_restrictions. Unless you need complex whitelisting, 
>> it's usually easier that way, to only maintain one set of 
>> restrictions.
> 
> I recommend this as well.  For me it's much easier to work with and
> debug.  I find it actually works better for complex whitelisting.
> 
>> Zen has superseded sbl-xbl.spamhaus.org, which both below and above, 
>> you say you are using.
> 
> It appears none of your current dnsbls target snowshoe spam.  I'd
> recommend adding Spamhaus' DBL to your config:
> 
> smtpd_recipient_restrictions =
>   ...
>   reject_rhsbl_client dbl.spamhaus.org
>   reject_rhsbl_sender dbl.spamhaus.org
>   reject_rhsbl_helo dbl.spamhaus.org
>   ...
> 

I added these too.  I think I'm finally getting into the "fine-tuning" phase.  
:)

Eric.



Re: disable_mime_output_conversion

2012-01-06 Thread Wietse Venema
Ralf Hildebrandt:
> disable_mime_output_conversion can be used to disable the 8bit->7bit
> conversion while sending mails to mailers not announcing "8BITMIME"
> after EHLO.
> 
> But is there a way of seeing how often this conversion is actually being
> used?

The Postfix SMTP client does not provide a feature-by-feature
breakdown of ESMTP negotiation results. It logs CISCO bug workarounds,
because those can affect performance. MIME downgrade is a documented
protocol feature, not a bug workaround.

Wietse


Re: Postfix Mac Aministration

2012-01-06 Thread Stan Hoeppner
On 1/6/2012 3:05 AM, Eric Lemings wrote:

>   [root@myhost postfix]$ dig 2.0.0.127.zen.spamhaus.org. any
...
>   ;; ANSWER SECTION:
>   2.0.0.127.zen.spamhaus.org. 900 IN  A   127.0.0.2
>   2.0.0.127.zen.spamhaus.org. 900 IN  A   127.0.0.10
>   2.0.0.127.zen.spamhaus.org. 900 IN  A   127.0.0.4
>   2.0.0.127.zen.spamhaus.org. 900 IN  TXT 
> "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL233";
>   2.0.0.127.zen.spamhaus.org. 900 IN  TXT 
> "http://www.spamhaus.org/query/bl?ip=127.0.0.2";

This means your queries should be working.

> It seems the new spam control measures in my Postfix configuration may 
> actually be working now.  The quantity has tapered off significantly after 
> the initial flood of spam which may have been queued up retries I'm guessing.

Bot spam engines never retry failed deliveries, and greylisting relies
on this fact to block bot spam.  Most snowshoe spammer hosts don't retry
either, by design.

Considering you just consolidated everything under
smtpd_recipient_restrictions, you should share "postconf -n" output
again so we can sanity check it.  Restriction order can be important,
sometimes critical.

-- 
Stan


Re: Postfix & cyrus-sasl 2.1.25 issues

2012-01-06 Thread Quanah Gibson-Mount
--On Friday, January 06, 2012 11:05 AM +0200 Eray Aslan wrote:

> On Thu, Jan 05, 2012 at 04:46:08PM -0800, Quanah Gibson-Mount wrote:
>> Thus my question as to whether or
>> not anyone has gotten 2.1.25 to work with Postfix at all.  If someone
>> can confirm they have SMTP auth working with a Cyrus-SASL 2.1.25 linked
>> Postfix, then it gives me other avenues to examine.
>
> $ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 london0.caf.com.tr ESMTP Postfix
> ehlo localhost
> 250-london0.caf.com.tr
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> AUTH PLAIN
> 235 2.7.0 Authentication successful
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
>
> # saslauthd -v
> saslauthd 2.1.25
> authentication mechanisms: sasldb getpwent pam rimap shadow

zimbra@zqa-062:~$ /opt/zimbra/cyrus-sasl/sbin/saslauthd -v
saslauthd 2.1.25
authentication mechanisms: getpwent kerberos5 rimap shadow zimbra

> # postconf mail_version
> mail_version = 2.8.7

zimbra@zqa-062:~$ postconf mail_version
mail_version = 2.8.7

> There are reports of broken PLAIN and LOGIN mechs with cyrus-sasl
> 2.1.25.  But I can't reproduce it.

That is what I'm seeing. :/  Where else did you see these reports?

testsaslauthd works like a charm, which I forgot to mention in my original
report:

zimbra@zqa-062:~$ /opt/zimbra/cyrus-sasl/sbin/testsaslauthd -u admin -p xxx
0: OK "Success."

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: Postfix & cyrus-sasl 2.1.25 issues

2012-01-06 Thread Quanah Gibson-Mount
--On Friday, January 06, 2012 9:23 AM -0800 Quanah Gibson-Mount wrote:

>> There are reports of broken PLAIN and LOGIN mechs with cyrus-sasl
>> 2.1.25.  But I can't reproduce it.
>
> That is what I'm seeing. :/  Where else did you see these reports?

Ok, found that one on the cyrus-sasl list.  Doesn't look like it ever got
resolved either. :/


--Quanah



2 separate postfix instances and confusion with IP's in received field of mail message HELP!

2012-01-06 Thread damian freelance
Hi, I have a problem with my 2 postfix instances. 2 separate IP's and
corresponding domain names are setup on networking, they are working fine.
I want second mail message (below) to have
`Received: from firstInstanceDomain.com (firstInstanceDomain.com.
[second.domain.ip])`
instead of
`Received: from secondInstanceDomain.com (secondInstanceDomain.com.
[second.domain.ip])`
Other important information:
- I have DKIM working on both domains
- when I put relayhost = firstInstanceDomain.com in firstInstanceDomain
MAIN.CF I have secondInstanceDomain inside mail message from
firstInstanceDomain, and secondInstanceDomain mail message is ok
- mail headers from both domains, master and main configs are attached
below
I HAVE SPENT 60 HOURS trying to solve it, searching all google resource,
postfix documentation, blogs and forums. no luck. Please Help!

MAIL SENT FROM m...@firstinstancedomain.com

Delivered-To: somem...@domain.com
Received: by 10.68.49.10 with SMTP id q10cs774841pbn;
Fri, 6 Jan 2012 08:18:06 -0800 (PST)
Received: by 10.213.3.136 with SMTP id 8mr1420319ebn.0.1325866683057;
Fri, 06 Jan 2012 08:18:03 -0800 (PST)
Return-Path: 
Received: from firstInstanceDomain.com (firstInstanceDomain.com.
[first.domain.ip])
by mx.google.com with ESMTP id
57si5431812eey.212.2012.01.06.08.18.01;
Fri, 06 Jan 2012 08:18:02 -0800 (PST)
Received-SPF: pass (google.com: domain of
mail@firstInstanceDomain.com designates first.domain.ip as permitted
sender) client-ip=first.domain.ip;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
m...@firstinstancedomain.com designates first.domain.ip as permitted
sender) smtp.mail=m...@firstinstancedomain.com; dkim=pass
header.i=@firstInstanceDomain.com
To: "somem...@domain.com" 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=firstInstanceDomain.com;
s=default; t=1325870581;
RestOfTheKey
Subject: SomeSubject
From: "firstInstanceDomain.com" 
Message-ID: 
Return-To: m...@firstinstancedomain.com
Date: Fri, 06 Jan 2012 17:23:01 +
Content-Type: multipart/alternative;
boundary="=_1.e091838bd31325ae4da677be1af4efd5"
MIME-Version: 1.0
RestOfTheMessage

MAIL SENT FROM m...@secondinstancedomain.com

Delivered-To: somem...@domain.com
Received: by 10.68.49.10 with SMTP id q10cs774832pbn;
Fri, 6 Jan 2012 08:18:01 -0800 (PST)
Received: by 10.213.108.146 with SMTP id
f18mr1347667ebp.36.1325866679721;
Fri, 06 Jan 2012 08:17:59 -0800 (PST)
Return-Path: 
Received: from firstInstanceDomain.com (firstInstanceDomain.com.
[first.domain.ip])
by mx.google.com with ESMTP id
3si24805496eeh.44.2012.01.06.08.17.58;
Fri, 06 Jan 2012 08:17:59 -0800 (PST)
Received-SPF: softfail (google.com: domain of transitioning
m...@secondinstancedomain.com does not designate first.domain.ip as
permitted sender) client-ip=first.domain.ip;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain
of transitioning m...@secondinstancedomain.com does not designate
first.domain.ip as permitted sender) smtp.mail=m...@secondinstancedomain.com;
dkim=pass header.i=@secondInstanceDomain.com
To: "somem...@domain.com" 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=secondInstanceDomain.com;
s=dbdef; t=1325870578;
RestOfTheKey
Subject: SomeSubject
From: "secondInstanceDomain.com" 
Message-ID: 
Return-To: m...@secondinstancedomain.com
Date: Fri, 06 Jan 2012 17:22:58 +
Content-Type: multipart/alternative;
boundary="=_1.7183ef0339b880f9a93c3d822619afee"
MIME-Version: 1.0
RestOfTheMessage

MASTER.CF FOR firstInstanceDomain (rest of config is standard)

first.domain.ip:smtp  inet  n   -   n   -   -   smtpd
  -o myhostname=firstInstanceDomain.com
  -o mydomain=firstInstanceDomain.com

MASTER.CF FOR secondInstanceDomain (rest of config is standard)

second.domain.ip:smtp  inet  n   -   n   -   -   smtpd
  -o myhostname=secondInstanceDomain.com
  -o mydomain=secondInstanceDomain.com

MAIN.CF FOR firstInstanceDomain

smtp_bind_address = first.domain.ip
mydomain=firstInstanceDomain.com
mynetworks=firstInstanceDomain.com
alternate_config_directories = /etc/postfix-third
data_directory = /var/lib/postfix
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = localhost
mydestination = $mydomain, localhost.$mydomain, $mydomain
myhostname = $mydomain
myorigin=$mydomain
queue_directory = /var/spool/postfix
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 xxgdb $daemon_directory/$process_name $process_id & sleep 

Re: 2 separate postfix instances and confusion with IP's in received field of mail message HELP!

2012-01-06 Thread Noel Jones
On 1/6/2012 12:01 PM, damian freelance wrote:
> Hi, I have a problem with my 2 postfix instances. 2 separate IP's
> and corresponding domain names are setup on networking, they are
> working fine. I want second mail message (below) to have  
> `Received: from firstInstanceDomain.com (firstInstanceDomain.com.
> [second.domain.ip])`  
> instead of  
> `Received: from secondInstanceDomain.com (secondInstanceDomain.com.
> [second.domain.ip])` 

Please post in plain text only.

Control the sending HELO/EHLO name with smtp_helo_name
http://www.postfix.org/postconf.5.html#smtp_helo_name

Check configuration with "postconf -n" or "postconf -n -c
config_dir" rather than eyeballing main.cf.  Likewise don't post
main.cf snippings.


If you need more help, please see
http://www.postfix.org/DEBUG_README.html#mail


  -- Noel Jones


Re: 2 separate postfix instances and confusion with IP's in received field of mail message HELP!

2012-01-06 Thread Wietse Venema
damian freelance:
> Hi, I have a problem with my 2 postfix instances. 2 separate IP's and
> corresponding domain names are setup on networking, they are working fine.
> I want second mail message (below) to have  
> `Received: from firstInstanceDomain.com (firstInstanceDomain.com.
> [second.domain.ip])`  
> instead of  
> `Received: from secondInstanceDomain.com (secondInstanceDomain.com.
> [second.domain.ip])` 

The content of the Received: header is:

Received: from client-helo-argument (hostname-of-client-ip-address
[client-ip-address]) by server-myhostname ...

The SMTP client by default sends $myhostname in the EHLO command.

The purpose of the Received: header is to record what happened, not
to rewrite history to something prettier than what happened.

Wietse
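
The Received: layout described in the message above separates what the client claimed (the HELO argument) from what the receiving server observed (the reverse-DNS name and the IP address). The Python below is an added example, not Postfix code and not from any poster; the function names are hypothetical, and the sample headers are constructed with documentation addresses and example domains.

```python
import ipaddress
import re

# from <helo> (<hostname-of-client-ip> [<client-ip>]) by <server-myhostname>
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)

def _norm(host):
    """Compare host names without trailing dot and without case."""
    return host.rstrip(".").lower()

def parse_received(raw):
    """Split one Received: header into its fields, or return None."""
    # Header lines may be folded; a continuation starts with whitespace.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
    m = RECEIVED_RE.match(unfolded)
    if not m:
        return None
    # Postfix writes IPv6 peers as [IPv6:addr].
    ip_text = re.sub(r"^IPv6:", "", m.group("ip"), flags=re.IGNORECASE)
    try:
        ip = str(ipaddress.ip_address(ip_text))
    except ValueError:
        return None
    return {
        "helo": _norm(m.group("helo")),   # client-asserted, unverified
        "rdns": _norm(m.group("rdns")),   # looked up by the server
        "ip": ip,                         # observed by the server
        "by": _norm(m.group("by")),
    }

def classify(raw):
    """Relate the claimed HELO name to the name the server resolved."""
    fields = parse_received(raw)
    if fields is None:
        return "unparsed"
    if fields["rdns"] == "unknown":
        return "no-rdns"
    # A mismatch is a signal to look at, not proof of forgery.
    return "consistent" if fields["helo"] == fields["rdns"] else "helo-differs"

# Constructed samples.
SAMPLE_MATCH = (
    "Received: from mail.example.com (mail.example.com. [192.0.2.10])\n"
    "        by mx.example.net with ESMTP id abc123;\n"
    "        Fri, 06 Jan 2012 08:18:02 -0800 (PST)"
)
SAMPLE_DIFFERS = (
    "Received: from first.example.com (second.example.com [192.0.2.20])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 4F1A2"
)
SAMPLE_NO_RDNS = (
    "Received: from friendly.example.org (unknown [IPv6:2001:db8::25])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 9C0DE"
)

if __name__ == "__main__":
    for sample in (SAMPLE_MATCH, SAMPLE_DIFFERS, SAMPLE_NO_RDNS):
        print(classify(sample), parse_received(sample))
```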


Re: Postfix & cyrus-sasl 2.1.25 issues

2012-01-06 Thread Eray Aslan
On Fri, Jan 06, 2012 at 09:23:02AM -0800, Quanah Gibson-Mount wrote:
> --On Friday, January 06, 2012 11:05 AM +0200 Eray Aslan 
>  wrote:
> > There are reports of broken PLAIN and LOGIN mechs with cyrus-sasl
> > 2.1.25.  But I can't reproduce it.
> 
> That is what I'm seeing. :/  Where else did you see these reports?

https://bugs.gentoo.org/show_bug.cgi?id=392761
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/875440

-- 
Eray Aslan


Re: Postfix & cyrus-sasl 2.1.25 issues

2012-01-06 Thread Quanah Gibson-Mount
--On Friday, January 06, 2012 10:19 PM +0200 Eray Aslan wrote:

> On Fri, Jan 06, 2012 at 09:23:02AM -0800, Quanah Gibson-Mount wrote:
>> --On Friday, January 06, 2012 11:05 AM +0200 Eray Aslan wrote:
>>> There are reports of broken PLAIN and LOGIN mechs with cyrus-sasl
>>> 2.1.25.  But I can't reproduce it.
>>
>> That is what I'm seeing. :/  Where else did you see these reports?
>
> https://bugs.gentoo.org/show_bug.cgi?id=392761
> https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/875440

Thanks, that is very useful information.

I can now reproduce this using the cyrus-sasl sample client/server, so I am
going to chalk this up to being a cyrus-sasl bug.  Once I have a solution,
I'll follow up with the postfix list so anyone who hits it here can know
what to do. ;)


--Quanah



Re: Illegal block?

2012-01-06 Thread Benny Pedersen

On Fri, 06 Jan 2012 10:46:40 +0200, Tolga wrote:

>> if not all is well, but you know that x.x.0.0/16 is a lot of
>> client/mta ips ?
>
> I'll take that out. I don't use it in anyway and I don't know where
> that came from.

some users / scripts with root access changed it, or just redhat ? :)

will be useful if maintainers keep main.cf.example as example and
main.cf empty as the default

defaults are in postconf -d should be kept out of main.cf unless
setting need to be changed of course, mostly they don't

will that work in postfix 3.x ?


Re: 2 separate postfix instances and confusion with IP's in received field of mail message HELP!

2012-01-06 Thread damian freelance
Thx for all answers. Setting sendmail_path = /usr/sbin/sendmail -t -i -C
/etc/postfix-third in httpd.conf did the trick. Now mails have correct
ip/domain information.


2012/1/6 Wietse Venema 

> damian freelance:
> > Hi, I have a problem with my 2 postfix instances. 2 separate IP's and
> > corresponding domain names are setup on networking, they are working
> fine.
> > I want second mail message (below) to have  
> > `Received: from firstInstanceDomain.com (firstInstanceDomain.com.
> > [second.domain.ip])`  
> > instead of  
> > `Received: from secondInstanceDomain.com (secondInstanceDomain.com.
> > [second.domain.ip])` 
>
> The content of the Received: header is:
>
>Received: from client-helo-argument (hostname-of-client-ip-address
>[client-ip-address]) by server-myhostname ...
>
> The SMTP client by default sends $myhostname in the EHLO command.
>
> The purpose of the Received: header is to record what happened, not
> to rewrite history to something prettier than what happened.
>
>Wietse
>


Re: Postfix Mac Aministration

2012-01-06 Thread Eric Lemings

On Jan 6, 2012, at 5:15 AM, Stan Hoeppner wrote:

> On 1/6/2012 3:05 AM, Eric Lemings wrote:
> 
>>  [root@myhost postfix]$ dig 2.0.0.127.zen.spamhaus.org. any
> ...
>>  ;; ANSWER SECTION:
>>  2.0.0.127.zen.spamhaus.org. 900 IN  A   127.0.0.2
>>  2.0.0.127.zen.spamhaus.org. 900 IN  A   127.0.0.10
>>  2.0.0.127.zen.spamhaus.org. 900 IN  A   127.0.0.4
>>  2.0.0.127.zen.spamhaus.org. 900 IN  TXT 
>> "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL233";
>>  2.0.0.127.zen.spamhaus.org. 900 IN  TXT 
>> "http://www.spamhaus.org/query/bl?ip=127.0.0.2";
> 
> This means your queries should be working.
> 
>> It seems the new spam control measures in my Postfix configuration may 
>> actually be working now.  The quantity has tapered off significantly after 
>> the initial flood of spam which may have been queued up retries I'm guessing.
> 
> Bot spam engines never retry failed deliveries, and greylisting relies
> on this fact to block bot spam.  Most snowshoe spammer hosts don't retry
> either, by design.
> 
> Considering you just consolidated everything under
> smtpd_recipient_restrictions, you should share "postconf -n" output
> again so we can sanity check it.  Restriction order can be important,
> sometimes critical.

Current 'postconf -n' output:

command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /private/etc/postfix/submit.cred
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains = 
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, myhost, $mydomain, 
mail
mydomain = lemings.com
mydomain_fallback = localhost
myhostname = mail.lemings.com
mynetworks = 127.0.0.0/8,192.168.0.0/16
newaliases_path = /usr/bin/newaliases
postscreen_dnsbl_sites = zen.spamhaus.org*2 rbl-plus.mail-abuse.org 
bl.spamcop.net
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_canonical_maps = hash:/etc/postfix/system_user_maps
recipient_delimiter = +
relayhost = 
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = no
smtp_sasl_password_maps = 
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,check_helo_access 
hash:/etc/postfix/helo_access,reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,permit
smtpd_pw_server_security_options = cram-md5,gssapi,login,plain
smtpd_recipient_restrictions = reject_unauth_pipelining,
reject_non_fqdn_recipient,reject_unknown_recipient_domain,
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,  
  reject_rhsbl_client dbl.spamhaus.org,reject_rhsbl_sender 
dbl.spamhaus.org,reject_rhsbl_helo dbl.spamhaus.org,reject_rbl_client 
zen.spamhaus.org,reject_rbl_client rbl-plus.mail-abuse.org,
reject_rbl_client bl.spamcop.net,check_policy_service unix:private/policy,  
  permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = 
/etc/certificates/myhost.lemings.com.F10D537E0CACDAC26C86B0FAA5A3E24477F0F6A3.chain.pem
smtpd_tls_cert_file = 
/etc/certificates/myhost.lemings.com.F10D537E0CACDAC26C86B0FAA5A3E24477F0F6A3.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = 
/etc/certificates/myhost.lemings.com.F10D537E0CACDAC26C86B0FAA5A3E24477F0F6A3.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes
virtual_alias_maps = $virtual_maps

Still quite a bit of spam getting through.

Eric.
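
Stan's remark that restriction order can be critical lends itself to a mechanical check of "postconf -n" output. The Python below is an added example, not part of Postfix and not from any poster; the function names and finding labels are hypothetical, the name/argument split is a heuristic, and the three ordering rules are common Postfix guidance rather than anything stated in this thread. The first sample is the smtpd_recipient_restrictions value from the message above, the second is constructed.

```python
import re

# A restriction name is lowercase words joined by "_"; anything containing
# ".", ":" or "/" is treated as the argument of the preceding restriction.
NAME_RE = re.compile(r"(permit|reject|defer|check|warn_if_reject|sleep)(_[a-z0-9_]+)?")
TRUSTED_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}

def get_param(postconf_text, name):
    """Value of one parameter; lines starting with whitespace continue it."""
    found, parts, collecting = False, [], False
    for line in postconf_text.splitlines():
        if line[:1] in (" ", "\t"):
            if collecting:
                parts.append(line.strip())
            continue
        key, sep, rest = line.partition("=")
        collecting = bool(sep) and key.strip() == name
        if collecting:
            found, parts = True, [rest.strip()]
    return " ".join(parts) if found else None

def split_restrictions(value):
    """Turn the comma/space separated value into (name, arg, ...) tuples."""
    out = []
    for tok in re.split(r"[,\s]+", value.strip()):
        if not tok:
            continue
        if NAME_RE.fullmatch(tok) or not out:
            out.append([tok])
        else:
            out[-1].append(tok)
    return [tuple(r) for r in out]

def lint_order(restrictions):
    """Return findings about evaluation order (first match wins)."""
    names = [r[0] for r in restrictions]
    findings = []
    guard = next((i for i, n in enumerate(names) if n in RELAY_GUARDS), None)
    if guard is None:
        findings.append("no-relay-guard")
    for i, n in enumerate(names):
        # A lookup that can answer OK ahead of the relay guard can permit relaying.
        may_permit = n.startswith("check_") or (
            n.startswith("permit") and n not in TRUSTED_PERMITS)
        if may_permit and (guard is None or i < guard):
            findings.append("may-permit-before-relay-guard:" + n)
    trusted = [i for i, n in enumerate(names) if n in TRUSTED_PERMITS]
    for i, n in enumerate(names):
        # DNSBL checks ahead of the trusted permits also hit the site's own users.
        if n.startswith(("reject_rbl_", "reject_rhsbl_")) and trusted and i < max(trusted):
            findings.append("dnsbl-before-trusted-permit:" + n)
    return findings

# Restriction list copied from the message above, folded with leading whitespace.
POSTED = """\
mynetworks = 127.0.0.0/8,192.168.0.0/16
smtpd_recipient_restrictions = reject_unauth_pipelining,
  reject_non_fqdn_recipient,reject_unknown_recipient_domain,
  permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,
  reject_rhsbl_client dbl.spamhaus.org,reject_rhsbl_sender dbl.spamhaus.org,
  reject_rhsbl_helo dbl.spamhaus.org,reject_rbl_client zen.spamhaus.org,
  reject_rbl_client rbl-plus.mail-abuse.org,reject_rbl_client bl.spamcop.net,
  check_policy_service unix:private/policy,permit
smtpd_sasl_auth_enable = yes
"""
# Constructed counter-example with the same building blocks in a risky order.
MISORDERED = (
    "smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org, "
    "check_client_access hash:/etc/postfix/client_access, permit_mynetworks, "
    "permit_sasl_authenticated, reject_unauth_destination, permit\n"
)

def check(postconf_text):
    value = get_param(postconf_text, "smtpd_recipient_restrictions")
    return lint_order(split_restrictions(value or ""))

if __name__ == "__main__":
    print(check(POSTED))
    print(check(MISORDERED))
```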