Set submission as to bypass RBLs
I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and master.cf (the timestamps changed). I managed to fix main.cf as on the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:

#
# Postfix master process configuration file. For details on the format ==
smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
#submission inet n - n - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:10027
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp -o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
127.0.0.1:10026 inet n - - - - smtpd -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions= -o receive_override_options=no_unknown_recipient_checks
127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
Re: Set submission as to bypass RBLs
On Tue, 20 Apr 2010, David Cottle wrote:

> I know a recent update to plesk-9.5.1 changed my postfix main.cf and
> master.cf (the timestamps changed). I managed to fix main.cf as on
> the smtpd_client_restrictions, they put the RBLs first.
>
> Can anyone see what is wrong in the master.cf?
>
> I just want submission on 587 able to bypass RBL checks:
>
> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
> smtpd_sasl_auth_enable=yes -o
> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025

Your cut & paste looks horrible in my reader, but I guess the RBL is checked somewhere in smtpd_recipient_restrictions as defined in your main.cf? Please show the output of 'postconf -n'.

-- Sahil Tandon
Re: Set submission as to bypass RBLs
On 4/19/2010 6:07 PM, David Cottle wrote:

> I am having some issues with my server blocking ISP IP addresses.
>
> I know a recent update to plesk-9.5.1 changed my postfix main.cf and master.cf (the timestamps changed). I managed to fix main.cf as on the smtpd_client_restrictions, they put the RBLs first.
>
> Can anyone see what is wrong in the master.cf?
>
> I just want submission on 587 able to bypass RBL checks:
>
> master.cf:
> smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_tls_wrappermode=yes
> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025

Typically for both the "smtps" and "submission" entries in master.cf, one would override all main.cf restrictions by adding:

  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  -o smtpd_data_restrictions=

... and then other stuff specific to those services such as sasl, tls, and content/proxy filter settings.

-- Noel Jones
Re: Set submission as to bypass RBLs
David Cottle wrote:

> I am having some issues with my server blocking ISP IP addresses.
>
> I know a recent update to plesk-9.5.1 changed my postfix main.cf and
> master.cf (the timestamps changed). I managed to fix main.cf as on
> the smtpd_client_restrictions, they put the RBLs first.
>
> Can anyone see what is wrong in the master.cf?
>

Is plesk open source? Can I install plesk on my freebsd? If not, case dismissed...
Re: Set submission as to bypass RBLs
On 04/21/2010 07:35 PM, David Cottle wrote:

> #submission inet n - n - - smtpd
> # -o smtpd_tls_security_level=encrypt
> # -o smtpd_sasl_auth_enable=yes
> # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> # -o milter_macro_daemon_name=ORIGINATING

Seems submission is commented out?

-matt
Re: Set submission as to bypass RBLs
Quoting Matt Hayes :

> On 04/21/2010 07:35 PM, David Cottle wrote:
>
>> #submission inet n - n - - smtpd
>> # -o smtpd_tls_security_level=encrypt
>> # -o smtpd_sasl_auth_enable=yes
>> # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> # -o milter_macro_daemon_name=ORIGINATING
>
> Seems submission is commented out?
>
> -matt

Hi Matt,

No, it's not, look further down:

smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
Re: Set submission as to bypass RBLs
On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:

> Quoting Matt Hayes :
>
>> On 04/21/2010 07:35 PM, David Cottle wrote:
>>
>>> #submission inet n - n - - smtpd
>>> # -o smtpd_tls_security_level=encrypt
>>> # -o smtpd_sasl_auth_enable=yes
>>> # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>> # -o milter_macro_daemon_name=ORIGINATING
>>
>> Seems submission is commented out?
>>
>> -matt
>
> Hi Matt,
>
> No, it's not, look further down:
>
> smtpd_tls_wrappermode=yes
> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
> smtpd_sasl_auth_enable=yes -o
> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025

ahhh missed that!

If you have smtpd_recipient_restrictions defined in main.cf you'll have to negate them just as you did with smtpd_sender_restrictions

-Matt
Re: Set submission as to bypass RBLs
Sent from my iPhone

On 22/04/2010, at 10:28, Matt Hayes wrote:

> On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:
>> Quoting Matt Hayes :
>>
>>> On 04/21/2010 07:35 PM, David Cottle wrote:
>>>
>>>> #submission inet n - n - - smtpd
>>>> # -o smtpd_tls_security_level=encrypt
>>>> # -o smtpd_sasl_auth_enable=yes
>>>> # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>> # -o milter_macro_daemon_name=ORIGINATING
>>>
>>> Seems submission is commented out?
>>>
>>> -matt
>>
>> Hi Matt,
>>
>> No, it's not, look further down:
>>
>> smtpd_tls_wrappermode=yes
>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>
> ahhh missed that!
>
> If you have smtpd_recipient_restrictions defined in main.cf you'll have to negate them just as you did with smtpd_sender_restrictions
>
> -Matt

Hi Matt,

In main.cf I have got in smtpd sender restrictions permit sasl authenticated.

It's also in smtpd recipient restrictions as the 3rd after mynetworks and a plesk no relay check.

smtpd client restrictions it's 2nd after a plesk blacklist check.

In client restrictions it's the 2nd one, as my whitelist is first.

I know it's RBL killing as it's complaints about ISP dynamic message.

I can post my actual main.cf later when I have PC as I am on iPhone.

Is there also a command to dump the config?

Thanks!
Re: Set submission as to bypass RBLs
On 04/21/2010 09:23 PM, David Cottle wrote:

> Sent from my iPhone
>
> On 22/04/2010, at 10:28, Matt Hayes wrote:
>
>> On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:
>>> Quoting Matt Hayes :
>>>
>>>> On 04/21/2010 07:35 PM, David Cottle wrote:
>>>>
>>>>> #submission inet n - n - - smtpd
>>>>> # -o smtpd_tls_security_level=encrypt
>>>>> # -o smtpd_sasl_auth_enable=yes
>>>>> # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>>> # -o milter_macro_daemon_name=ORIGINATING
>>>>
>>>> Seems submission is commented out?
>>>>
>>>> -matt
>>>
>>> Hi Matt,
>>>
>>> No, it's not, look further down:
>>>
>>> smtpd_tls_wrappermode=yes
>>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
>>> smtpd_sasl_auth_enable=yes -o
>>> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
>>> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>>
>> ahhh missed that!
>>
>> If you have smtpd_recipient_restrictions defined in main.cf you'll have
>> to negate them just as you did with smtpd_sender_restrictions
>>
>> -Matt
>
> Hi Matt,
>
> In main.cf I have got in smtpd sender restrictions permit sasl
> authenticated.
>
> It's also in smtpd recipient restrictions as the 3rd after mynetworks
> and a plesk no relay check.
>
> smtpd client restrictions it's 2nd after a plesk blacklist check.
>
> In client restrictions it's the 2nd one, as my whitelist is first.
>
> I know it's RBL killing as it's complaints about ISP dynamic message.
>
> I can post my actual main.cf later when I have PC as I am on iPhone.
>
> Is there also a command to dump the config?
>
> Thanks!

The best way: postconf -n

-Matt
Re: Set submission as to bypass RBLs
On 4/21/2010 6:35 PM, David Cottle wrote:

> I am having some issues with my server blocking ISP IP addresses.
>
> I know a recent update to plesk-9.5.1 changed my postfix main.cf and master.cf (the timestamps changed). I managed to fix main.cf as on the smtpd_client_restrictions, they put the RBLs first.
>
> Can anyone see what is wrong in the master.cf?
>
> I just want submission on 587 able to bypass RBL checks:

you must have missed the answer yesterday.

> #
> # Postfix master process configuration file. For details on the format ==
> [...]
> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025

add here:

  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

-- Noel Jones
Re: Set submission as to bypass RBLs
Sent from my iPhone

On 22/04/2010, at 11:38, Matt Hayes wrote:

> On 04/21/2010 09:23 PM, David Cottle wrote:
>> Sent from my iPhone
>>
>> On 22/04/2010, at 10:28, Matt Hayes wrote:
>>
>>> On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:
>>>> Quoting Matt Hayes :
>>>>
>>>>> On 04/21/2010 07:35 PM, David Cottle wrote:
>>>>>
>>>>>> #submission inet n - n - - smtpd
>>>>>> # -o smtpd_tls_security_level=encrypt
>>>>>> # -o smtpd_sasl_auth_enable=yes
>>>>>> # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>>>> # -o milter_macro_daemon_name=ORIGINATING
>>>>>
>>>>> Seems submission is commented out?
>>>>>
>>>>> -matt
>>>>
>>>> Hi Matt,
>>>>
>>>> No, it's not, look further down:
>>>>
>>>> smtpd_tls_wrappermode=yes
>>>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>>>
>>> ahhh missed that!
>>>
>>> If you have smtpd_recipient_restrictions defined in main.cf you'll have to negate them just as you did with smtpd_sender_restrictions
>>>
>>> -Matt
>>
>> Hi Matt,
>>
>> In main.cf I have got in smtpd sender restrictions permit sasl authenticated.
>>
>> It's also in smtpd recipient restrictions as the 3rd after mynetworks and a plesk no relay check.
>>
>> smtpd client restrictions it's 2nd after a plesk blacklist check.
>>
>> In client restrictions it's the 2nd one, as my whitelist is first.
>>
>> I know it's RBL killing as it's complaints about ISP dynamic message.
>>
>> I can post my actual main.cf later when I have PC as I am on iPhone.
>>
>> Is there also a command to dump the config?
>>
>> Thanks!
>
> The best way: postconf -n
>
> -Matt

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2048
mydestination = localhost.$mydomain, localhost, localhost.localdomain
mynetworks = 127.0.0.0/8, 10.0.0.0/8, 10.0.10.1/32 [::1]/128 [fe80::%eth0]/64, 192.168.0.0/24, 203.19.70.65, 202.129.79.106, 203.217.18.104/30, 203.206.180.36/30, 203.206.129.128/27
newaliases_path = /usr/bin/newaliases.postfix
notify_classes =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8
smtpd_client_restrictions = check_client_access hash:/etc/postfix/whitelist, permit_sasl_authenticated, check_client_access hash:/etc/postfix/check_backscatterer, check_client_access hash:/etc/postfix/check_spamcannibal, check_client_access cidr:/etc/postfix/postfix-dnswl-permit, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org
smtpd_proxy_timeout = 3600s
smtpd_recipient_restrictions = permit_mynetworks, check_client_access pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re
smtpd_timeout = 3600s
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110
Re: Set submission as to bypass RBLs
On 4/21/2010 9:01 PM, David Cottle wrote:

>> The best way: postconf -n
>>
>> -Matt

> smtpd_client_restrictions = check_client_access hash:/etc/postfix/whitelist, permit_sasl_authenticated, check_client_access hash:/etc/postfix/check_backscatterer, check_client_access hash:/etc/postfix/check_spamcannibal, check_client_access cidr:/etc/postfix/postfix-dnswl-permit, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org

OK, permit_sasl_authenticated comes before reject_rbl_client.

> smtpd_recipient_restrictions = permit_mynetworks, check_client_access pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated, reject_unauth_destination

OK, permit_sasl_authenticated comes before reject_rbl_client.

> smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, check_client_access pcre:/var/spool/postfix/plesk/non_auth.re

OK, no RBL checks.

Conclusion: If a client is rejected by RBL checks, they didn't authenticate. You can verify this in your postfix logs.

-- Noel Jones
Re: Set submission as to bypass RBLs
Sent from my iPhone

On 22/04/2010, at 12:00, Noel Jones wrote:

> On 4/21/2010 6:35 PM, David Cottle wrote:
>> I am having some issues with my server blocking ISP IP addresses.
>>
>> I know a recent update to plesk-9.5.1 changed my postfix main.cf and master.cf (the timestamps changed). I managed to fix main.cf as on the smtpd_client_restrictions, they put the RBLs first.
>>
>> Can anyone see what is wrong in the master.cf?
>>
>> I just want submission on 587 able to bypass RBL checks:
>
> you must have missed the answer yesterday.
>
>> #
>> # Postfix master process configuration file. For details on the format === ===
>> [...]
>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>
> add here:
>
>   -o smtpd_helo_restrictions=
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>
> -- Noel Jones

Hi Noel,

Okay I did miss this! I will add your smtpd_helo_restrictions as above. What exactly does that do as to not having it?

I have to get my client to try sending email again and dig out the logs.

What I can't understand is he has 3 OS on his PC.

Fedora 11 and Windows XP using thunderbird, exactly same settings and both can RX but not send mail.

Windows 7, using thunderbird it RX and Sends.

Same details, ports, it's got the server certificate same on all 3 but only W7 works.

It's the same broadband settings, could it be the machines host name?

Anyway as it's only one client it's hard to track.

Thanks!
Re: Set submission as to bypass RBLs
On 4/21/2010 10:15 PM, David Cottle wrote:

> Sent from my iPhone
>
> On 22/04/2010, at 12:00, Noel Jones wrote:
>
>> On 4/21/2010 6:35 PM, David Cottle wrote:
>>> I am having some issues with my server blocking ISP IP addresses.
>>>
>>> I know a recent update to plesk-9.5.1 changed my postfix main.cf and master.cf (the timestamps changed). I managed to fix main.cf as on the smtpd_client_restrictions, they put the RBLs first.
>>>
>>> Can anyone see what is wrong in the master.cf?
>>>
>>> I just want submission on 587 able to bypass RBL checks:
>>
>> you must have missed the answer yesterday.
>>
>>> #
>>> # Postfix master process configuration file. For details on the format ==
>>> [...]
>>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>>
>> add here:
>>
>>   -o smtpd_helo_restrictions=
>>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>>
>> -- Noel Jones
>
> Hi Noel,
>
> Okay I did miss this! I will add your smtpd_helo_restrictions as above. What exactly does that do as to not having it?

The suggested config above prevents settings in main.cf from interfering with settings on the submission port.

> I have to get my client to try sending email again and dig out the logs.
>
> What I can't understand is he has 3 OS on his PC.
>
> Fedora 11 and Windows XP using thunderbird, exactly same settings and both can RX but not send mail.
>
> Windows 7, using thunderbird it RX and Sends.
>
> Same details, ports, it's got the server certificate same on all 3 but only W7 works.

That's very important information. That makes this sound very much like a client configuration issue, not postfix.

If you still think it's postfix, show your current "postconf -n" and master.cf, and show logs demonstrating that the client authenticates yet is rejected.

But according to the config you posted earlier, if the client does authenticate they will bypass RBL checks. So you need to show proof the client authenticated and was rejected.

Next nail, same client can submit mail using a different configuration on the same hardware with the same IP. Sounds as if they are able to authenticate with at least one config.

Without further evidence, this isn't a postfix issue. Fix the client.

-- Noel Jones
Re: Set submission as to bypass RBLs
Quoting Noel Jones :

> On 4/21/2010 10:15 PM, David Cottle wrote:
>> Sent from my iPhone
>>
>> On 22/04/2010, at 12:00, Noel Jones wrote:
>>
>>> On 4/21/2010 6:35 PM, David Cottle wrote:
>>>> I am having some issues with my server blocking ISP IP addresses.
>>>>
>>>> I know a recent update to plesk-9.5.1 changed my postfix main.cf and master.cf (the timestamps changed). I managed to fix main.cf as on the smtpd_client_restrictions, they put the RBLs first.
>>>>
>>>> Can anyone see what is wrong in the master.cf?
>>>>
>>>> I just want submission on 587 able to bypass RBL checks:
>>>
>>> you must have missed the answer yesterday.
>>>
>>>> #
>>>> # Postfix master process configuration file. For details on the format ==
>>>> [...]
>>>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>>>
>>> add here:
>>>
>>>   -o smtpd_helo_restrictions=
>>>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>>>
>>> -- Noel Jones
>>
>> Hi Noel,
>>
>> Okay I did miss this! I will add your smtpd_helo_restrictions as above. What exactly does that do as to not having it?
>
> The suggested config above prevents settings in main.cf from interfering with settings on the submission port.
>
>> I have to get my client to try sending email again and dig out the logs.
>>
>> What I can't understand is he has 3 OS on his PC.
>>
>> Fedora 11 and Windows XP using thunderbird, exactly same settings and both can RX but not send mail.
>>
>> Windows 7, using thunderbird it RX and Sends.
>>
>> Same details, ports, it's got the server certificate same on all 3 but only W7 works.
>
> That's very important information. That makes this sound very much like a client configuration issue, not postfix.
>
> If you still think it's postfix, show your current "postconf -n" and master.cf, and show logs demonstrating that the client authenticates yet is rejected.
>
> But according to the config you posted earlier, if the client does authenticate they will bypass RBL checks. So you need to show proof the client authenticated and was rejected.
>
> Next nail, same client can submit mail using a different configuration on the same hardware with the same IP. Sounds as if they are able to authenticate with at least one config.
>
> Without further evidence, this isn't a postfix issue. Fix the client.
>
> -- Noel Jones

Hi Noel,

Sorry, it's got all truncated. Where exactly do I need to add that in here? (I added an extra line between each)

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames

mailman unix - n n - - pipe flags=R user=mailman:mailman argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}

127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue

127.0.0.1:10026 inet n - - - - smtpd -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions= -o receive_override_options=no_unknown_recipient_checks

127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote

plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db

smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_tls_wrappermode=yes

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025

END
Re: Set submission as to bypass RBLs
On 4/22/2010 7:59 AM, webmas...@aus-city.com wrote:

> Sorry, it's got all truncated. Where exactly do I need to add that in here? (I added an extra line between each)
>
> plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
>
> mailman unix - n n - - pipe flags=R user=mailman:mailman argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
>
> 127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
>
> 127.0.0.1:10026 inet n - - - - smtpd -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions= -o receive_override_options=no_unknown_recipient_checks
>
> 127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
>
> plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db
>
> smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_tls_wrappermode=yes
>
> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025

Add here (to the submission entry)

  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

You may also want to add these to the "smtps" entry.

But this won't fix the problem of the client not authenticating.

-- Noel Jones
Re: Set submission as to bypass RBLs
Quoting Noel Jones :

> On 4/22/2010 7:59 AM, webmas...@aus-city.com wrote:
>> Sorry, it's got all truncated. Where exactly do I need to add that in here? (I added an extra line between each)
>>
>> plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
>>
>> mailman unix - n n - - pipe flags=R user=mailman:mailman argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
>>
>> 127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
>>
>> 127.0.0.1:10026 inet n - - - - smtpd -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions= -o receive_override_options=no_unknown_recipient_checks
>>
>> 127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
>>
>> plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db
>>
>> smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_tls_wrappermode=yes
>>
>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>
> Add here (to the submission entry)
>
>   -o smtpd_helo_restrictions=
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>
> You may also want to add these to the "smtps" entry.
>
> But this won't fix the problem of the client not authenticating.
>
> -- Noel Jones

Hi Noel,

I made the changes as you suggested. My submission line in master now is:

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
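
Added example, not part of the original thread: a simplified Python model of the two points made in the replies above, namely that a -o setting in master.cf replaces the main.cf restriction list for that service while a class without an override is inherited, and that an authenticated client skips the RBLs only where permit_sasl_authenticated comes before reject_rbl_client. The main.cf and master.cf values are the ones posted in the thread; RBL_FIRST and RBL_IN_RCPT are constructed variants, and the model assumes the client is outside mynetworks and matches no access map.

```python
# Added example, not from the thread: a simplified model of which restriction
# lists a master.cf service ends up with and which RBL zones a client reaches.

RESTRICTION_CLASSES = (
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
    "smtpd_data_restrictions",
)

# main.cf values from the "postconf -n" output posted in the thread.
MAIN_CF = {
    "smtpd_client_restrictions": (
        "check_client_access hash:/etc/postfix/whitelist, "
        "permit_sasl_authenticated, "
        "check_client_access hash:/etc/postfix/check_backscatterer, "
        "check_client_access hash:/etc/postfix/check_spamcannibal, "
        "check_client_access cidr:/etc/postfix/postfix-dnswl-permit, "
        "reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, "
        "reject_rbl_client b.barracudacentral.org"),
    "smtpd_recipient_restrictions": (
        "permit_mynetworks, "
        "check_client_access pcre:/var/spool/postfix/plesk/no_relay.re, "
        "permit_sasl_authenticated, reject_unauth_destination"),
    "smtpd_sender_restrictions": (
        "check_sender_access hash:/var/spool/postfix/plesk/blacklists, "
        "permit_sasl_authenticated, "
        "check_client_access pcre:/var/spool/postfix/plesk/non_auth.re"),
}

# Constructed variants (assumptions, not posted in the thread): RBLs moved to
# the front of the client list, and an RBL placed in the recipient list.
RBL_FIRST = dict(MAIN_CF, smtpd_client_restrictions=(
    "reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, "
    "reject_rbl_client b.barracudacentral.org, "
    "check_client_access hash:/etc/postfix/whitelist, "
    "permit_sasl_authenticated"))
RBL_IN_RCPT = dict(MAIN_CF, smtpd_recipient_restrictions=(
    "reject_rbl_client zen.spamhaus.org, "
    + MAIN_CF["smtpd_recipient_restrictions"]))

# master.cf entries from the thread, each joined onto one line.
SMTP_25 = "smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025"
SUBMISSION = (
    "submission inet n - - - - smtpd -o smtpd_enforce_tls=yes "
    "-o smtpd_sasl_auth_enable=yes "
    "-o smtpd_client_restrictions=permit_sasl_authenticated,reject "
    "-o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025")
SUBMISSION_FIXED = SUBMISSION + (
    " -o smtpd_helo_restrictions="
    " -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject")


def master_overrides(entry):
    """Return the name=value pairs given with -o on a master.cf entry."""
    tokens = entry.split()
    pairs = [tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok == "-o"]
    return dict(pair.split("=", 1) for pair in pairs)


def effective_restrictions(main_cf, entry):
    """A -o override replaces the main.cf list whole, even when it is empty;
    a class without an override is inherited from main.cf."""
    merged = dict(main_cf)
    merged.update(master_overrides(entry))
    return {name: merged.get(name, "").replace(",", " ").split()
            for name in RESTRICTION_CLASSES}


def rbl_lookups(main_cf, entry, authenticated):
    """RBL zones a client is checked against on this service (model only)."""
    zones = []
    for tokens in effective_restrictions(main_cf, entry).values():
        for i, tok in enumerate(tokens):
            if tok == "reject":
                return zones      # rejected outright, nothing else is tried
            if tok == "permit" or (
                    tok == "permit_sasl_authenticated" and authenticated):
                break             # this class permits; go to the next class
            if tok == "reject_rbl_client" and i + 1 < len(tokens):
                zones.append(tokens[i + 1])
    return zones


if __name__ == "__main__":
    configs = [("main.cf as posted", MAIN_CF), ("RBLs first", RBL_FIRST),
               ("RBL in recipient list", RBL_IN_RCPT)]
    entries = [("smtp (25)", SMTP_25), ("submission", SUBMISSION),
               ("submission + added overrides", SUBMISSION_FIXED)]
    for cname, cf in configs:
        for ename, entry in entries:
            zones = rbl_lookups(cf, entry, authenticated=True)
            print(f"{cname:22} {ename:29} authenticated: {zones or 'no RBL'}")
```

With the configuration as posted, an authenticated client reaches no RBL on either port; only the constructed variants show the inherited-list exposure that the extra -o overrides close.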