Re: Set submission as to bypass RBLs
On 4/21/2010 10:15 PM, David Cottle wrote:
> Sent from my iPhone
>
> On 22/04/2010, at 12:00, Noel Jones njo...@megan.vbhcs.org wrote:
>> On 4/21/2010 6:35 PM, David Cottle wrote:
>>> I am having some issues with my server blocking ISP IP addresses. I know a recent update to plesk-9.5.1 changed my postfix main.cf and master.cf (the timestamps changed). I managed to fix main.cf as on the smtpd_client_restrictions, they put the RBLs first. Can anyone see what is wrong in the master.cf?
>>>
>>> I just want submission on 587 able to bypass RBL checks:
>>
>> you must have missed the answer yesterday.
>>
>>> #
>>> # Postfix master process configuration file. For details on the format
>>> ==
>> [...]
>>> submission inet n - - - - smtpd
>>>   -o smtpd_enforce_tls=yes
>>>   -o smtpd_sasl_auth_enable=yes
>>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>   -o smtpd_sender_restrictions=
>>>   -o smtpd_proxy_filter=127.0.0.1:10025
>>
>> add here:
>>   -o smtpd_helo_restrictions=
>>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>>
>> -- Noel Jones
>
> Hi Noel,
>
> Okay I did miss this! I will add your smtpd_helo_restrictions as above. What exactly does that do as to not having it?

The suggested config above prevents settings in main.cf from interfering with settings on the submission port.

> I have to get my client to try sending email again and dig out the logs. What I can't understand is he has 3 OS on his PC. Fedora 11 and Windows XP using thunderbird, exactly same settings and both can RX but not send mail. Windows 7, using thunderbird it RX and Sends. Same details, ports, it's got the server certificate same on all 3 but only W7 works.

That's very important information. That makes this sound very much like a client configuration issue, not postfix.

If you still think it's postfix, show your current postconf -n and master.cf, and show logs demonstrating that the client authenticates yet is rejected.

But according to the config you posted earlier, if the client does authenticate they will bypass RBL checks. So you need to show proof the client authenticated and was rejected.

Next nail, same client can submit mail using a different configuration on the same hardware with the same IP. Sounds as if they are able to authenticate with at least one config.

Without further evidence, this isn't a postfix issue. Fix the client.

-- Noel Jones
Re: Set submission as to bypass RBLs
On 4/22/2010 7:59 AM, webmas...@aus-city.com wrote:
> Sorry it's got all truncated.
>
> Where exactly do I need to add that in here? (I added an extra line between each)
>
> plesk_virtual unix - n n - - pipe
>   flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
>
> mailman unix - n n - - pipe
>   flags=R user=mailman:mailman argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
>
> 127.0.0.1:10025 inet n n n - - spawn
>   user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
>
> 127.0.0.1:10026 inet n - - - - smtpd
>   -o smtpd_client_restrictions=
>   -o smtpd_helo_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o smtpd_data_restrictions=
>   -o receive_override_options=no_unknown_recipient_checks
>
> 127.0.0.1:10027 inet n n n - - spawn
>   user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
>
> plesk_saslauthd unix y y y - 1 plesk_saslauthd
>   status=5 listen=6 dbpath=/plesk/passwd.db
>
> smtps inet n - - - - smtpd
>   -o smtpd_proxy_filter=127.0.0.1:10025
>   -o smtpd_tls_wrappermode=yes
>
> submission inet n - - - - smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_sender_restrictions=
>   -o smtpd_proxy_filter=127.0.0.1:10025

Add here (to the submission entry)
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

You may also want to add these to the smtps entry.

But this won't fix the problem of the client not authenticating.

-- Noel Jones
Re: Set submission as to bypass RBLs
Quoting Noel Jones njo...@megan.vbhcs.org:
> On 4/22/2010 7:59 AM, webmas...@aus-city.com wrote:
>> Sorry it's got all truncated.
>>
>> Where exactly do I need to add that in here? (I added an extra line between each)
>>
>> plesk_virtual unix - n n - - pipe
>>   flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
>>
>> mailman unix - n n - - pipe
>>   flags=R user=mailman:mailman argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
>>
>> 127.0.0.1:10025 inet n n n - - spawn
>>   user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
>>
>> 127.0.0.1:10026 inet n - - - - smtpd
>>   -o smtpd_client_restrictions=
>>   -o smtpd_helo_restrictions=
>>   -o smtpd_sender_restrictions=
>>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>>   -o smtpd_data_restrictions=
>>   -o receive_override_options=no_unknown_recipient_checks
>>
>> 127.0.0.1:10027 inet n n n - - spawn
>>   user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
>>
>> plesk_saslauthd unix y y y - 1 plesk_saslauthd
>>   status=5 listen=6 dbpath=/plesk/passwd.db
>>
>> smtps inet n - - - - smtpd
>>   -o smtpd_proxy_filter=127.0.0.1:10025
>>   -o smtpd_tls_wrappermode=yes
>>
>> submission inet n - - - - smtpd
>>   -o smtpd_enforce_tls=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o smtpd_sender_restrictions=
>>   -o smtpd_proxy_filter=127.0.0.1:10025
>
> Add here (to the submission entry)
>   -o smtpd_helo_restrictions=
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>
> You may also want to add these to the smtps entry.
>
> But this won't fix the problem of the client not authenticating.
>
> -- Noel Jones

Hi Noel,

I made the changes as you suggested.

My submission line in master now is:

submission inet n - - - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
Re: Set submission as to bypass RBLs
On 04/21/2010 07:35 PM, David Cottle wrote:
> #submission inet n - n - - smtpd
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING

Seems submission is commented out?

-matt
Re: Set submission as to bypass RBLs
Quoting Matt Hayes domin...@slackadelic.com:
> On 04/21/2010 07:35 PM, David Cottle wrote:
>> #submission inet n - n - - smtpd
>> #  -o smtpd_tls_security_level=encrypt
>> #  -o smtpd_sasl_auth_enable=yes
>> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> #  -o milter_macro_daemon_name=ORIGINATING
>
> Seems submission is commented out?
>
> -matt

Hi Matt,

No it's not, look further down:

smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_proxy_filter=127.0.0.1:10025
Re: Set submission as to bypass RBLs
On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:
> Quoting Matt Hayes domin...@slackadelic.com:
>> On 04/21/2010 07:35 PM, David Cottle wrote:
>>> #submission inet n - n - - smtpd
>>> #  -o smtpd_tls_security_level=encrypt
>>> #  -o smtpd_sasl_auth_enable=yes
>>> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>> #  -o milter_macro_daemon_name=ORIGINATING
>>
>> Seems submission is commented out?
>>
>> -matt
>
> Hi Matt,
>
> No it's not, look further down:
>
> smtpd_tls_wrappermode=yes
> submission inet n - - - - smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_sender_restrictions=
>   -o smtpd_proxy_filter=127.0.0.1:10025

ahhh missed that!

If you have smtpd_recipient_restrictions defined in main.cf you'll have to negate them just as you did with smtpd_sender_restrictions

-Matt
Re: Set submission as to bypass RBLs
Sent from my iPhone

On 22/04/2010, at 10:28, Matt Hayes domin...@slackadelic.com wrote:
> On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:
>> Quoting Matt Hayes domin...@slackadelic.com:
>>> On 04/21/2010 07:35 PM, David Cottle wrote:
>>>> #submission inet n - n - - smtpd
>>>> #  -o smtpd_tls_security_level=encrypt
>>>> #  -o smtpd_sasl_auth_enable=yes
>>>> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>> #  -o milter_macro_daemon_name=ORIGINATING
>>>
>>> Seems submission is commented out?
>>>
>>> -matt
>>
>> Hi Matt,
>>
>> No it's not, look further down:
>>
>> smtpd_tls_wrappermode=yes
>> submission inet n - - - - smtpd
>>   -o smtpd_enforce_tls=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o smtpd_sender_restrictions=
>>   -o smtpd_proxy_filter=127.0.0.1:10025
>
> ahhh missed that!
>
> If you have smtpd_recipient_restrictions defined in main.cf you'll have to negate them just as you did with smtpd_sender_restrictions
>
> -Matt

Hi Matt,

In main.cf I have got in smtpd sender restrictions permit sasl authenticated. It's also in smtpd recipient restrictions as the 3rd after mynetworks and a plesk no relay check. smtpd client restrictions it's 2nd after a plesk blacklist check. In client restrictions it's the 2nd one, as my whitelists is first.

I know it's RBL killing as it's complaints about ISP dynamic message.

I can post my actual main.cf later when I have PC as I am on iPhone. Is there also a command to dump the config?

Thanks!
Re: Set submission as to bypass RBLs
On 04/21/2010 09:23 PM, David Cottle wrote:
> Sent from my iPhone
>
> On 22/04/2010, at 10:28, Matt Hayes domin...@slackadelic.com wrote:
>> On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:
>>> Quoting Matt Hayes domin...@slackadelic.com:
>>>> On 04/21/2010 07:35 PM, David Cottle wrote:
>>>>> #submission inet n - n - - smtpd
>>>>> #  -o smtpd_tls_security_level=encrypt
>>>>> #  -o smtpd_sasl_auth_enable=yes
>>>>> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>>> #  -o milter_macro_daemon_name=ORIGINATING
>>>>
>>>> Seems submission is commented out?
>>>>
>>>> -matt
>>>
>>> Hi Matt,
>>>
>>> No it's not, look further down:
>>>
>>> smtpd_tls_wrappermode=yes
>>> submission inet n - - - - smtpd
>>>   -o smtpd_enforce_tls=yes
>>>   -o smtpd_sasl_auth_enable=yes
>>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>   -o smtpd_sender_restrictions=
>>>   -o smtpd_proxy_filter=127.0.0.1:10025
>>
>> ahhh missed that!
>>
>> If you have smtpd_recipient_restrictions defined in main.cf you'll have to negate them just as you did with smtpd_sender_restrictions
>>
>> -Matt
>
> Hi Matt,
>
> In main.cf I have got in smtpd sender restrictions permit sasl authenticated. It's also in smtpd recipient restrictions as the 3rd after mynetworks and a plesk no relay check. smtpd client restrictions it's 2nd after a plesk blacklist check. In client restrictions it's the 2nd one, as my whitelists is first.
>
> I know it's RBL killing as it's complaints about ISP dynamic message.
>
> I can post my actual main.cf later when I have PC as I am on iPhone. Is there also a command to dump the config?
>
> Thanks!

The best way: postconf -n

-Matt
Re: Set submission as to bypass RBLs
On 4/21/2010 6:35 PM, David Cottle wrote:
> I am having some issues with my server blocking ISP IP addresses. I know a recent update to plesk-9.5.1 changed my postfix main.cf and master.cf (the timestamps changed). I managed to fix main.cf as on the smtpd_client_restrictions, they put the RBLs first. Can anyone see what is wrong in the master.cf?
>
> I just want submission on 587 able to bypass RBL checks:

you must have missed the answer yesterday.

> #
> # Postfix master process configuration file. For details on the format
> ==
[...]
> submission inet n - - - - smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_sender_restrictions=
>   -o smtpd_proxy_filter=127.0.0.1:10025

add here:
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

-- Noel Jones
Re: Set submission as to bypass RBLs
On 4/21/2010 9:01 PM, David Cottle wrote:
>> The best way: postconf -n
>>
>> -Matt
>
> smtpd_client_restrictions = check_client_access hash:/etc/postfix/whitelist,
>     permit_sasl_authenticated,
>     check_client_access hash:/etc/postfix/check_backscatterer,
>     check_client_access hash:/etc/postfix/check_spamcannibal,
>     check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client b.barracudacentral.org

OK, permit_sasl_authenticated comes before reject_rbl_client.

> smtpd_recipient_restrictions = permit_mynetworks,
>     check_client_access pcre:/var/spool/postfix/plesk/no_relay.re,
>     permit_sasl_authenticated,
>     reject_unauth_destination

OK, permit_sasl_authenticated comes before reject_rbl_client.

> smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists,
>     permit_sasl_authenticated,
>     check_client_access pcre:/var/spool/postfix/plesk/non_auth.re

OK, no RBL checks.

Conclusion: If a client is rejected by RBL checks, they didn't authenticate. You can verify this in your postfix logs.

-- Noel Jones
Re: Set submission as to bypass RBLs
Sent from my iPhone

On 22/04/2010, at 12:00, Noel Jones njo...@megan.vbhcs.org wrote:
> On 4/21/2010 6:35 PM, David Cottle wrote:
>> I am having some issues with my server blocking ISP IP addresses. I know a recent update to plesk-9.5.1 changed my postfix main.cf and master.cf (the timestamps changed). I managed to fix main.cf as on the smtpd_client_restrictions, they put the RBLs first. Can anyone see what is wrong in the master.cf?
>>
>> I just want submission on 587 able to bypass RBL checks:
>
> you must have missed the answer yesterday.
>
>> #
>> # Postfix master process configuration file. For details on the format
>> === ===
> [...]
>> submission inet n - - - - smtpd
>>   -o smtpd_enforce_tls=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o smtpd_sender_restrictions=
>>   -o smtpd_proxy_filter=127.0.0.1:10025
>
> add here:
>   -o smtpd_helo_restrictions=
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>
> -- Noel Jones

Hi Noel,

Okay I did miss this! I will add your smtpd_helo_restrictions as above. What exactly does that do as to not having it?

I have to get my client to try sending email again and dig out the logs. What I can't understand is he has 3 OS on his PC. Fedora 11 and Windows XP using thunderbird, exactly same settings and both can RX but not send mail. Windows 7, using thunderbird it RX and Sends. Same details, ports, it's got the server certificate same on all 3 but only W7 works.

It's the same broadband settings, could it be the machine's host name? Anyway as it's only one client it's hard to track.

Thanks!
Re: Set submission as to bypass RBLs
David Cottle wrote:
> I am having some issues with my server blocking ISP IP addresses. I know a recent update to plesk-9.5.1 changed my postfix main.cf and master.cf (the timestamps changed). I managed to fix main.cf as on the smtpd_client_restrictions, they put the RBLs first. Can anyone see what is wrong in the master.cf?

Is plesk open source? can I install plesk on my freebsd? if not, case dismissed...
Re: Set submission as to bypass RBLs
On Tue, 20 Apr 2010, David Cottle wrote:
> I know a recent update to plesk-9.5.1 changed my postfix main.cf and master.cf (the timestamps changed). I managed to fix main.cf as on the smtpd_client_restrictions, they put the RBLs first. Can anyone see what is wrong in the master.cf?
>
> I just want submission on 587 able to bypass RBL checks:
>
> submission inet n - - - - smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_sender_restrictions=
>   -o smtpd_proxy_filter=127.0.0.1:10025

Your cut paste looks horrible in my reader, but I guess the RBL is checked somewhere in smtpd_recipient_restrictions as defined in your main.cf? Please show the output of 'postconf -n'.

-- Sahil Tandon sa...@freebsd.org
Re: Set submission as to bypass RBLs
On 4/19/2010 6:07 PM, David Cottle wrote:
> I am having some issues with my server blocking ISP IP addresses. I know a recent update to plesk-9.5.1 changed my postfix main.cf and master.cf (the timestamps changed). I managed to fix main.cf as on the smtpd_client_restrictions, they put the RBLs first. Can anyone see what is wrong in the master.cf?
>
> I just want submission on 587 able to bypass RBL checks:
>
> master.cf:
>
> smtps inet n - - - - smtpd
>   -o smtpd_proxy_filter=127.0.0.1:10025
>   -o smtpd_tls_wrappermode=yes
> submission inet n - - - - smtpd
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_sender_restrictions=
>   -o smtpd_proxy_filter=127.0.0.1:10025

Typically for both the smtps and submission entries in master.cf, one would override all main.cf restrictions by adding:
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  -o smtpd_data_restrictions=
... and then other stuff specific to those services such as sasl, tls, and content/proxy filter settings.

-- Noel Jones
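
An added example, not part of the original thread and not Postfix or Plesk code: a small Python audit that reads a master.cf entry and reports, for each of the five restriction classes listed above, whether the value comes from a -o override or is inherited from main.cf, and whether that list would run reject_rbl_client before permit_sasl_authenticated. The function names are this example's own, the main.cf value is constructed to show the inherited-RBL case, and restriction lists are assumed to be comma-separated.

```python
CLASSES = ("client", "helo", "sender", "recipient", "data")

def parse_master(text):
    """Map 'name/type' -> {param: value} for the -o overrides of each master.cf entry."""
    services, current = {}, {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tokens = raw.split()
        if not raw[0].isspace():                  # a new service entry starts in column 0
            current = services.setdefault(f"{tokens[0]}/{tokens[1]}", {})
            tokens = tokens[8:]                   # skip the eight fixed fields
        it = iter(tokens)
        for tok in it:
            if tok == "-o":                       # "-o name=value" overrides main.cf
                name, _, value = next(it, "").partition("=")
                current[name] = value
    return services

def rbl_reaches_authenticated(value):
    """True if a reject_rbl_client is evaluated before permit_sasl_authenticated."""
    for item in (i.strip() for i in value.split(",")):
        if item == "permit_sasl_authenticated":
            return False
        if item.startswith("reject_rbl_client"):
            return True
    return False

def audit(master_text, service, main_cf):
    """Per restriction class: (file the value comes from, RBL applies to authenticated clients)."""
    overrides, report = parse_master(master_text)[service], {}
    for cls in CLASSES:
        param = f"smtpd_{cls}_restrictions"
        source = "master.cf" if param in overrides else "main.cf"
        value = overrides.get(param, main_cf.get(param, ""))   # an empty override still wins
        report[param] = (source, rbl_reaches_authenticated(value))
    return report

# Submission entry as posted in the thread, before the suggested additions.
POSTED = """\
submission inet n - - - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_proxy_filter=127.0.0.1:10025
"""
FIXED = POSTED + "  -o smtpd_helo_restrictions=\n  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject\n"
# Constructed main.cf (not the poster's): an RBL listed first in the recipient class.
MAIN_CF = {"smtpd_recipient_restrictions": "reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated"}
```

Calling `audit(POSTED, "submission/inet", MAIN_CF)` shows the helo, recipient and data classes still coming from main.cf; with `FIXED`, only the data class is inherited.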