Re: Set submission as to bypass RBLs

2010-04-22 Thread Noel Jones

On 4/21/2010 10:15 PM, David Cottle wrote:



Sent from my iPhone

On 22/04/2010, at 12:00, Noel Jones njo...@megan.vbhcs.org wrote:


On 4/21/2010 6:35 PM, David Cottle wrote:


I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed). I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:


you must have missed the answer yesterday.



#
# Postfix master process configuration file. For details on the format
==


[...]

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


add here:

-o smtpd_helo_restrictions=
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


-- Noel Jones


Hi Noel,

Okay I did miss this! I will add your smtpd_helo_restrictions as above.

What exactly does that do as to not having it?


The suggested config above prevents settings in main.cf from 
interfering with settings on the submission port.





I have to get my client to try sending email again and dig out the logs.

What I can't understand is he has 3 OS on his PC.

Fedora 11 and Windows XP using thunderbird, exactly same settings and
both can RX but not send mail.
Windows 7, using thunderbird it RX and Sends.

Same details, ports, it's got the server certificate same on all 3 but
only W7 works.


That's very important information.  That makes this sound very 
much like a client configuration issue, not postfix.


If you still think it's postfix, show your current postconf 
-n and master.cf, and show logs demonstrating that the client 
authenticates yet is rejected.


But according to the config you posted earlier, if the client 
does authenticate they will bypass RBL checks.  So you need to 
show proof the client authenticated and was rejected.


Next nail, same client can submit mail using a different 
configuration on the same hardware with the same IP.  Sounds 
as if they are able to authenticate with at least one config.


Without further evidence, this isn't a postfix issue.  Fix the 
client.


  -- Noel Jones


Re: Set submission as to bypass RBLs

2010-04-22 Thread Noel Jones

On 4/22/2010 7:59 AM, webmas...@aus-city.com wrote:

 Sorry, it's got all truncated. Where exactly do I need to add that in
here? (I added an extra line between each)

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p
/var/qmail/mailnames

mailman unix - n n - - pipe flags=R user=mailman:mailman
argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}

127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue

127.0.0.1:10026 inet n - - - - smtpd -o smtpd_client_restrictions= -o
smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o
smtpd_recipient_restrictions=permit_mynetworks,reject -o
smtpd_data_restrictions= -o
receive_override_options=no_unknown_recipient_checks

127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote

plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
dbpath=/plesk/passwd.db

smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
smtpd_tls_wrappermode=yes

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


Add here (to the submission entry)
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


You may also want to add these to the smtps entry.

But this won't fix the problem of the client not authenticating.

  -- Noel Jones


Re: Set submission as to bypass RBLs

2010-04-22 Thread webmaster

Quoting Noel Jones njo...@megan.vbhcs.org:


On 4/22/2010 7:59 AM, webmas...@aus-city.com wrote:

Sorry, it's got all truncated. Where exactly do I need to add that in
here? (I added an extra line between each)

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p
/var/qmail/mailnames

mailman unix - n n - - pipe flags=R user=mailman:mailman
argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}

127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue

127.0.0.1:10026 inet n - - - - smtpd -o smtpd_client_restrictions= -o
smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o
smtpd_recipient_restrictions=permit_mynetworks,reject -o
smtpd_data_restrictions= -o
receive_override_options=no_unknown_recipient_checks

127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote

plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
dbpath=/plesk/passwd.db

smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
smtpd_tls_wrappermode=yes

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


Add here (to the submission entry)
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

You may also want to add these to the smtps entry.

But this won't fix the problem of the client not authenticating.

  -- Noel Jones



Hi Noel,

I made the changes as you suggested.  My submission line in master now is:

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o  
smtpd_sasl_auth_enable=yes -o  
smtpd_client_restrictions=permit_sasl_authenticated,reject -o  
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025  -o  
smtpd_helo_restrictions=  -o  
smtpd_recipient_restrictions=permit_sasl_authenticated,reject






Re: Set submission as to bypass RBLs

2010-04-21 Thread Matt Hayes
On 04/21/2010 07:35 PM, David Cottle wrote:

 #submission inet n   -   n   -   -   smtpd
 #  -o smtpd_tls_security_level=encrypt
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING

Seems submission is commented out?

-matt


Re: Set submission as to bypass RBLs

2010-04-21 Thread webmaster

Quoting Matt Hayes domin...@slackadelic.com:


On 04/21/2010 07:35 PM, David Cottle wrote:


#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING


Seems submission is commented out?

-matt



Hi Matt,

No, it's not; look further down:

smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025





Re: Set submission as to bypass RBLs

2010-04-21 Thread Matt Hayes

On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:
 Quoting Matt Hayes domin...@slackadelic.com:
 
 On 04/21/2010 07:35 PM, David Cottle wrote:

 #submission inet n   -   n   -   -   smtpd
 #  -o smtpd_tls_security_level=encrypt
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING

 Seems submission is commented out?

 -matt

 
 Hi Matt,
 
 No, it's not; look further down:
 
 smtpd_tls_wrappermode=yes
 submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
 smtpd_sasl_auth_enable=yes -o
 smtpd_client_restrictions=permit_sasl_authenticated,reject -o
 smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
 
 
 


ahhh missed that!

If you have smtpd_recipient_restrictions defined in main.cf you'll have
to negate them just as you did with smtpd_sender_restrictions

-Matt


Re: Set submission as to bypass RBLs

2010-04-21 Thread David Cottle



Sent from my iPhone

On 22/04/2010, at 10:28, Matt Hayes domin...@slackadelic.com wrote:



On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:

Quoting Matt Hayes domin...@slackadelic.com:


On 04/21/2010 07:35 PM, David Cottle wrote:


#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING


Seems submission is commented out?

-matt



Hi Matt,

No, it's not; look further down:

smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025






ahhh missed that!

If you have smtpd_recipient_restrictions defined in main.cf you'll have
to negate them just as you did with smtpd_sender_restrictions

-Matt


Hi Matt,

In main.cf I have got in smtpd sender restrictions permit sasl
authenticated.


It's also in smtpd recipient restrictions as the 3rd after mynetworks  
and a plesk no relay check.


smtpd client restrictions it's 2nd after a plesk blacklist check.

In client restrictions it's the 2nd one, as my whitelists is first.

I know it's RBL killing as it's complaints about ISP dynamic message.

I can post my actual main.cf later when I have PC as I am on iPhone.

Is there also a command to dump the config?

Thanks!
 



Re: Set submission as to bypass RBLs

2010-04-21 Thread Matt Hayes


On 04/21/2010 09:23 PM, David Cottle wrote:
 
 
 Sent from my iPhone
 
 On 22/04/2010, at 10:28, Matt Hayes domin...@slackadelic.com wrote:
 

 On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:
 Quoting Matt Hayes domin...@slackadelic.com:

 On 04/21/2010 07:35 PM, David Cottle wrote:

 #submission inet n   -   n   -   -   smtpd
 #  -o smtpd_tls_security_level=encrypt
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 #  -o milter_macro_daemon_name=ORIGINATING

 Seems submission is commented out?

 -matt


 Hi Matt,

 No, it's not; look further down:

 smtpd_tls_wrappermode=yes
 submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
 smtpd_sasl_auth_enable=yes -o
 smtpd_client_restrictions=permit_sasl_authenticated,reject -o
 smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025





 ahhh missed that!

 If you have smtpd_recipient_restrictions defined in main.cf you'll have
 to negate them just as you did with smtpd_sender_restrictions

 -Matt
 
 Hi Matt,
 
 In main.cf I have got in smtpd sender restrictions permit sasl
 authenticated.
 
 It's also in smtpd recipient restrictions as the 3rd after mynetworks
 and a plesk no relay check.
 
 smtpd client restrictions it's 2nd after a plesk blacklist check.
 
 In client restrictions it's the 2nd one, as my whitelists is first.
 
 I know it's RBL killing as it's complaints about ISP dynamic message.
 
 I can post my actual main.cf later when I have PC as I am on iPhone.
 
 Is there also a command to dump the config?
 
 Thanks!
  
   


The best way: postconf -n


-Matt


Re: Set submission as to bypass RBLs

2010-04-21 Thread Noel Jones

On 4/21/2010 6:35 PM, David Cottle wrote:


I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:


you must have missed the answer yesterday.



#
# Postfix master process configuration file.  For details on the format
==

[...]

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


add here:

  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject



  -- Noel Jones


Re: Set submission as to bypass RBLs

2010-04-21 Thread Noel Jones

On 4/21/2010 9:01 PM, David Cottle wrote:

The best way: postconf -n


-Matt


smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, permit_sasl_authenticated,
check_client_access hash:/etc/postfix/check_backscatterer,
check_client_access hash:/etc/postfix/check_spamcannibal,
check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org,
reject_rbl_client b.barracudacentral.org


OK, permit_sasl_authenticated comes before reject_rbl_client.


smtpd_recipient_restrictions = permit_mynetworks, check_client_access
pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated,
reject_unauth_destination


OK, permit_sasl_authenticated comes before reject_rbl_client.


smtpd_sender_restrictions = check_sender_access
hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated,
check_client_access pcre:/var/spool/postfix/plesk/non_auth.re


OK, no RBL checks.


Conclusion:  If a client is rejected by RBL checks, they 
didn't authenticate.  You can verify this in your postfix logs.


  -- Noel Jones


Re: Set submission as to bypass RBLs

2010-04-21 Thread David Cottle



Sent from my iPhone

On 22/04/2010, at 12:00, Noel Jones njo...@megan.vbhcs.org wrote:


On 4/21/2010 6:35 PM, David Cottle wrote:


I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:


you must have missed the answer yesterday.



#
# Postfix master process configuration file.  For details on the format
==


[...]

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


add here:

 -o smtpd_helo_restrictions=
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


 -- Noel Jones


Hi Noel,

Okay I did miss this! I will add your smtpd_helo_restrictions as above.

What exactly does that do as to not having it?

I have to get my client to try sending email again and dig out the logs.

What I can't understand is he has 3 OS on his PC.

Fedora 11 and Windows XP using thunderbird, exactly same settings and  
both can RX but not send mail.

Windows 7, using thunderbird it RX and Sends.

Same details, ports, it's got the server certificate same on all 3 but  
only W7 works.


It's the same broadband settings, could it be the machines host name?

Anyway as it's only one client it's hard to track.

Thanks!


Re: Set submission as to bypass RBLs

2010-04-20 Thread mouss
David Cottle wrote:
 I am having some issues with my server blocking ISP IP addresses.
 
 I know a recent update to plesk-9.5.1 changed my postfix main.cf and
 master.cf (the timestamps changed).  I managed to fix main.cf as on
 the smtpd_client_restrictions, they put the RBLs first.
 
 Can anyone see what is wrong in the master.cf?
 

Is plesk open source? can I install plesk on my freebsd?
if not, case dismissed...


Re: Set submission as to bypass RBLs

2010-04-19 Thread Sahil Tandon
On Tue, 20 Apr 2010, David Cottle wrote:

 I know a recent update to plesk-9.5.1 changed my postfix main.cf and
 master.cf (the timestamps changed).  I managed to fix main.cf as on
 the smtpd_client_restrictions, they put the RBLs first.
 
 Can anyone see what is wrong in the master.cf?
 
 I just want submission on 587 able to bypass RBL checks:

 submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
 smtpd_sasl_auth_enable=yes -o
 smtpd_client_restrictions=permit_sasl_authenticated,reject -o
 smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025

Your cut & paste looks horrible in my reader, but I guess the RBL is
checked somewhere in smtpd_recipient_restrictions as defined in your
main.cf?

Please show the output of 'postconf -n'.

-- 
Sahil Tandon sa...@freebsd.org


Re: Set submission as to bypass RBLs

2010-04-19 Thread Noel Jones

On 4/19/2010 6:07 PM, David Cottle wrote:


I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:



 master.cf:

smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


Typically for both the smtps and submission entries in 
master.cf, one would override all main.cf restrictions by adding:

 -o smtpd_client_restrictions=
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
 -o smtpd_data_restrictions=
 ...
and then other stuff specific to those services such as sasl, 
tls, and content/proxy filter settings.



  -- Noel Jones
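
Added example, not part of any message in this thread: a Python sketch of the check discussed above, reporting for the submission service which smtpd_*_restrictions classes are overridden in master.cf or still inherited from main.cf, and whether an RBL lookup is reached before permit_sasl_authenticated. The main.cf and master.cf text is constructed sample input modelled on the thread (the helo RBL line is hypothetical), and unset parameters are treated as empty, which is an assumption because real defaults depend on the Postfix version.

```python
import re
# Constructed sample input modelled on the thread; the helo RBL line is hypothetical.
MAIN_CF = """\
smtpd_client_restrictions = check_client_access hash:/etc/postfix/whitelist,
    permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
smtpd_helo_restrictions = reject_rbl_client bl.spamcop.net
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""
MASTER_CF = """\
submission inet n - - - - smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
"""
# The same entry with the two overrides suggested in the thread appended.
FIXED_MASTER_CF = MASTER_CF + """\
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Drop comments and blank lines; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            if raw[0].isspace() and out:
                out[-1] += " " + raw.strip()
            else:
                out.append(raw.strip())
    return out

def service_overrides(master_cf, service):
    """Return the -o name=value overrides of one master.cf service entry."""
    for line in logical_lines(master_cf):
        fields = line.split()
        if fields[0] == service:
            args = fields[8:]  # eight columns (service .. command), then arguments
            return dict(v.split("=", 1) for o, v in zip(args, args[1:]) if o == "-o")
    raise KeyError(service)

def audit(main_cf, master_cf, service="submission"):
    """Per class: (source of value, RBL exposure). A permit ends only its own class."""
    main = dict(map(str.strip, l.split("=", 1)) for l in logical_lines(main_cf))
    over, report = service_overrides(master_cf, service), {}
    for name in (f"smtpd_{c}_restrictions"
                 for c in ("client", "helo", "sender", "recipient", "data")):
        source = "master.cf" if name in over else "main.cf" if name in main else "unset"
        tokens = re.split(r"[,\s]+", over.get(name, main.get(name, "")))
        pos = lambda t: tokens.index(t) if t in tokens else len(tokens)
        rbl, sasl = pos("reject_rbl_client"), pos("permit_sasl_authenticated")
        status = ("no-rbl" if rbl == len(tokens) else
                  "rbl-after-sasl" if sasl < rbl else "rbl-applies")
        report[name] = (source, status)
    return report
```

With the constructed input, `audit(MAIN_CF, MASTER_CF)` reports the helo class as inherited from main.cf with its RBL lookup still applying, and `audit(MAIN_CF, FIXED_MASTER_CF)` reports it as overridden in master.cf. On a live host the main.cf side can be taken from `postconf -n`.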