Set submission as to bypass RBLs

2010-04-19 Thread David Cottle
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:

#
# Postfix master process configuration file.  For details on the format
==
smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   n   -   -   smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628  inet  n   -   n   -   -   qmqpd
pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:10027
cleanup   unix  n   -   n   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
#qmgr fifo  n   -   n   300 1   oqmgr
tlsmgr    unix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer unix  -   -   n   -   0   bounce
trace unix  -   -   n   -   0   bounce
verify    unix  -   -   n   -   1   verify
flush unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp  unix  -   -   n   -   -   smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix  -   -   n   -   -   smtp
-o smtp_fallback_relay=
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix  n   -   n   -   -   showq
error unix  -   -   n   -   -   error
retry unix  -   -   n   -   -   error
discard   unix  -   -   n   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   n   -   -   lmtp
anvil unix  -   -   n   -   1   anvil
scache    unix  -   -   n   -   1   scache
#

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p
/var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman
argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
127.0.0.1:10026 inet n - - - - smtpd  -o smtpd_client_restrictions=
- -o smtpd_helo_restrictions=  -o smtpd_sender_restrictions=  -o
smtpd_recipient_restrictions=permit_mynetworks,reject  -o
smtpd_data_restrictions=  -o
receive_override_options=no_unknown_recipient_checks
127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
dbpath=/plesk/passwd.db
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvM4hMACgkQi1lOcz5YUMjXsgCg60T9TuGn647iVqquRXnm7ECC
Uc4AoMXsS4z+fWEbIOCcMYvom36rzQZ9
=6UYQ
-END PGP SIGNATURE-


Set submission as to bypass RBLs

2010-04-21 Thread David Cottle
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:

#
# Postfix master process configuration file.  For details on the format
==
smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025
#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   n   -   -   smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628  inet  n   -   n   -   -   qmqpd
pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:10027
cleanup   unix  n   -   n   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
#qmgr fifo  n   -   n   300 1   oqmgr
tlsmgr    unix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer unix  -   -   n   -   0   bounce
trace unix  -   -   n   -   0   bounce
verify    unix  -   -   n   -   1   verify
flush unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp  unix  -   -   n   -   -   smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix  -   -   n   -   -   smtp
-o smtp_fallback_relay=
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix  n   -   n   -   -   showq
error unix  -   -   n   -   -   error
retry unix  -   -   n   -   -   error
discard   unix  -   -   n   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   n   -   -   lmtp
anvil unix  -   -   n   -   1   anvil
scache    unix  -   -   n   -   1   scache
#

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p
/var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman
argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue
127.0.0.1:10026 inet n - - - - smtpd  -o smtpd_client_restrictions=
- -o smtpd_helo_restrictions=  -o smtpd_sender_restrictions=  -o
smtpd_recipient_restrictions=permit_mynetworks,reject  -o
smtpd_data_restrictions=  -o
receive_override_options=no_unknown_recipient_checks
127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
dbpath=/plesk/passwd.db
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvPi7MACgkQi1lOcz5YUMhUdgCfSQcDsMVe0jM6dUUZ4i1JC58i
tO0AnAwyEiJYikm4w4imblStUKv7jNga
=+b+4
-END PGP SIGNATURE-


Re: Set submission as to bypass RBLs

2010-04-19 Thread Sahil Tandon
On Tue, 20 Apr 2010, David Cottle wrote:

> I know a recent update to plesk-9.5.1 changed my postfix main.cf and
> master.cf (the timestamps changed).  I managed to fix main.cf as on
> the smtpd_client_restrictions, they put the RBLs first.
> 
> Can anyone see what is wrong in the master.cf?
> 
> I just want submission on 587 able to bypass RBL checks:
>
> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
> smtpd_sasl_auth_enable=yes -o
> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025

Your cut & paste looks horrible in my reader, but I guess the RBL is
checked somewhere in smtpd_recipient_restrictions as defined in your
main.cf?

Please show the output of 'postconf -n'.

-- 
Sahil Tandon 


Re: Set submission as to bypass RBLs

2010-04-19 Thread Noel Jones

On 4/19/2010 6:07 PM, David Cottle wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:



> master.cf:

smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


Typically for both the "smtps" and "submission" entries in 
master.cf, one would override all main.cf restrictions by adding:

 -o smtpd_client_restrictions=
 -o smtpd_helo_restrictions=
 -o smtpd_sender_restrictions=
 -o 
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

 -o smtpd_data_restrictions=
 ...
and then other stuff specific to those services such as sasl, 
tls, and content/proxy filter settings.



  -- Noel Jones


Re: Set submission as to bypass RBLs

2010-04-20 Thread mouss
David Cottle a écrit :
> I am having some issues with my server blocking ISP IP addresses.
> 
> I know a recent update to plesk-9.5.1 changed my postfix main.cf and
> master.cf (the timestamps changed).  I managed to fix main.cf as on
> the smtpd_client_restrictions, they put the RBLs first.
> 
> Can anyone see what is wrong in the master.cf?
> 

Is plesk open source? can I install plesk on my freebsd?
if not, case dismissed...


Re: Set submission as to bypass RBLs

2010-04-21 Thread Matt Hayes
On 04/21/2010 07:35 PM, David Cottle wrote:

> #submission inet n   -   n   -   -   smtpd
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING

Seems submission is commented out?

-matt


Re: Set submission as to bypass RBLs

2010-04-21 Thread webmaster

Quoting Matt Hayes :


n 04/21/2010 07:35 PM, David Cottle wrote:


#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING


Seems submission is commented out?

-matt



Hi Matt,

No, it's not; look further down:

smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025





Re: Set submission as to bypass RBLs

2010-04-21 Thread Matt Hayes

On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:
> Quoting Matt Hayes :
> 
>> n 04/21/2010 07:35 PM, David Cottle wrote:
>>
>>> #submission inet n   -   n   -   -   smtpd
>>> #  -o smtpd_tls_security_level=encrypt
>>> #  -o smtpd_sasl_auth_enable=yes
>>> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>> #  -o milter_macro_daemon_name=ORIGINATING
>>
>> Seems submission is commented out?
>>
>> -matt
>>
> 
> Hi Matt,
> 
> No its not look further down:
> 
> smtpd_tls_wrappermode=yes
> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
> smtpd_sasl_auth_enable=yes -o
> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
> 
> 
> 


ahhh missed that!

If you have smtpd_recipient_restrictions defined in main.cf you'll have
to negate them just as you did with smtpd_sender_restrictions

-Matt


Re: Set submission as to bypass RBLs

2010-04-21 Thread David Cottle



Sent from my iPhone

On 22/04/2010, at 10:28, Matt Hayes  wrote:



On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:

Quoting Matt Hayes :


n 04/21/2010 07:35 PM, David Cottle wrote:


#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING


Seems submission is commented out?

-matt



Hi Matt,

No its not look further down:

smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025






ahhh missed that!

If you have smtpd_recipient_restrictions defined in main.cf you'll  
have

to negate them just as you did with smtpd_sender_restrictions

-Matt


Hi Matt,

In main.cf I have permit_sasl_authenticated in smtpd_sender_restrictions.


It's also in smtpd_recipient_restrictions, as the 3rd entry after
permit_mynetworks and a Plesk no-relay check.


smtpd client restrictions it's 2nd after a plesk blacklist check.

In client restrictions it's the 2nd one, as my whitelists is first.

I know it's the RBL doing the rejecting, as the complaint is about an ISP dynamic address.

I can post my actual main.cf later when I have PC as I am on iPhone.

Is there also a command to dump the config?

Thanks!
 



Re: Set submission as to bypass RBLs

2010-04-21 Thread Matt Hayes


On 04/21/2010 09:23 PM, David Cottle wrote:
> 
> 
> Sent from my iPhone
> 
> On 22/04/2010, at 10:28, Matt Hayes  wrote:
> 
>>
>> On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:
>>> Quoting Matt Hayes :
>>>
 n 04/21/2010 07:35 PM, David Cottle wrote:

> #submission inet n   -   n   -   -   smtpd
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING

 Seems submission is commented out?

 -matt

>>>
>>> Hi Matt,
>>>
>>> No its not look further down:
>>>
>>> smtpd_tls_wrappermode=yes
>>> submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
>>> smtpd_sasl_auth_enable=yes -o
>>> smtpd_client_restrictions=permit_sasl_authenticated,reject -o
>>> smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025
>>>
>>>
>>>
>>
>>
>> ahhh missed that!
>>
>> If you have smtpd_recipient_restrictions defined in main.cf you'll have
>> to negate them just as you did with smtpd_sender_restrictions
>>
>> -Matt
> 
> Hi Matt,
> 
> In main.cf I have got in smptd sender restrictions permit sasl
> authenticated.
> 
> It's also in smtpd recipient restrictions as the 3rd after mynetworks
> and a plesk no relay check.
> 
> smtpd client restrictions it's 2nd after a plesk blacklist check.
> 
> In client restrictions it's the 2nd one, as my whitelists is first.
> 
> I know it's RBL killing as it's complaints about ISP dynamic message.
> 
> I can post my actual main.cf later when I have PC as I am on iPhone.
> 
> Is there also a command to dump the config?
> 
> Thanks!
>  
>   


The best way: postconf -n


-Matt


Re: Set submission as to bypass RBLs

2010-04-21 Thread Noel Jones

On 4/21/2010 6:35 PM, David Cottle wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:


you must have missed the answer yesterday.



#
# Postfix master process configuration file.  For details on the format
==

[...]

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


add here:

  -o smtpd_helo_restrictions=
  -o 
smtpd_recipient_restrictions=permit_sasl_authenticated,reject



  -- Noel Jones


Re: Set submission as to bypass RBLs

2010-04-21 Thread David Cottle



Sent from my iPhone

On 22/04/2010, at 11:38, Matt Hayes  wrote:




On 04/21/2010 09:23 PM, David Cottle wrote:



Sent from my iPhone

On 22/04/2010, at 10:28, Matt Hayes  wrote:



On 04/21/2010 08:14 PM, webmas...@aus-city.com wrote:

Quoting Matt Hayes :


n 04/21/2010 07:35 PM, David Cottle wrote:


#submission inet n   -   n   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING


Seems submission is commented out?

-matt



Hi Matt,

No its not look further down:

smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025






ahhh missed that!

If you have smtpd_recipient_restrictions defined in main.cf you'll  
have

to negate them just as you did with smtpd_sender_restrictions

-Matt


Hi Matt,

In main.cf I have got in smptd sender restrictions permit sasl
authenticated.

It's also in smtpd recipient restrictions as the 3rd after mynetworks
and a plesk no relay check.

smtpd client restrictions it's 2nd after a plesk blacklist check.

In client restrictions it's the 2nd one, as my whitelists is first.

I know it's RBL killing as it's complaints about ISP dynamic message.

I can post my actual main.cf later when I have PC as I am on iPhone.

Is there also a command to dump the config?

Thanks!





The best way: postconf -n


-Matt


alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2048
mydestination = localhost.$mydomain, localhost, localhost.localdomain
mynetworks = 127.0.0.0/8, 10.0.0.0/8, 10.0.10.1/32 [::1]/128  
[fe80::%eth0]/64, 192.168.0.0/24, 203.19.70.65, 202.129.79.106, 203.217.18.104/30 
, 203.206.180.36/30, 203.206.129.128/27

newaliases_path = /usr/bin/newaliases.postfix
notify_classes =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_send_xforward_command = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8
smtpd_client_restrictions = check_client_access
    hash:/etc/postfix/whitelist, permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/check_backscatterer,
    check_client_access hash:/etc/postfix/check_spamcannibal,
    check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
    reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client b.barracudacentral.org

smtpd_proxy_timeout = 3600s
smtpd_recipient_restrictions = permit_mynetworks, check_client_access  
pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated,  
reject_unauth_destination

smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access
    hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated,
    check_client_access pcre:/var/spool/postfix/plesk/non_auth.re

smtpd_timeout = 3600s
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/var/spool/postfix/plesk/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps,
    hash:/var/spool/postfix/plesk/virtual

virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps,
    hash:/var/spool/postfix/plesk/virtual_domains

virtual_mailbox_maps = hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:110


Re: Set submission as to bypass RBLs

2010-04-21 Thread Noel Jones

On 4/21/2010 9:01 PM, David Cottle wrote:

The best way: postconf -n


-Matt


smtpd_client_restrictions = check_client_access
hash:/etc/postfix/whitelist, permit_sasl_authenticated,
check_client_access hash:/etc/postfix/check_backscatterer,
check_client_access hash:/etc/postfix/check_spamcannibal,
check_client_access cidr:/etc/postfix/postfix-dnswl-permit,
reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org,
reject_rbl_client b.barracudacentral.org


OK, permit_sasl_authenticated comes before reject_rbl_client.


smtpd_recipient_restrictions = permit_mynetworks, check_client_access
pcre:/var/spool/postfix/plesk/no_relay.re, permit_sasl_authenticated,
reject_unauth_destination


OK, permit_sasl_authenticated comes before reject_rbl_client.


smtpd_sender_restrictions = check_sender_access
hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated,
check_client_access pcre:/var/spool/postfix/plesk/non_auth.re


OK, no RBL checks.


Conclusion:  If a client is rejected by RBL checks, they 
didn't authenticate.  You can verify this in your postfix logs.


  -- Noel Jones


Re: Set submission as to bypass RBLs

2010-04-21 Thread David Cottle



Sent from my iPhone

On 22/04/2010, at 12:00, Noel Jones  wrote:


On 4/21/2010 6:35 PM, David Cottle wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed).  I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:


you must have missed the answer yesterday.



#
# Postfix master process configuration file.  For details on the  
format
=== 
=== 


[...]

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


add here:

 -o smtpd_helo_restrictions=
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


 -- Noel Jones


Hi Noel,

Okay I did miss this! I will add your smtpd_helo_restrictions as above.

What exactly does that do as to not having it?

I have to get my client to try sending email again and dig out the logs.

What I can't understand is he has 3 OS on his PC.

Fedora 11 and Windows XP using thunderbird, exactly same settings and  
both can RX but not send mail.

Windows 7, using thunderbird it RX and Sends.

Same details, ports, it's got the server certificate same on all 3 but  
only W7 works.


It's the same broadband settings, could it be the machines host name?

Anyway as it's only one client it's hard to track.

Thanks!


Re: Set submission as to bypass RBLs

2010-04-22 Thread Noel Jones

On 4/21/2010 10:15 PM, David Cottle wrote:



Sent from my iPhone

On 22/04/2010, at 12:00, Noel Jones  wrote:


On 4/21/2010 6:35 PM, David Cottle wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed). I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:


you must have missed the answer yesterday.



#
# Postfix master process configuration file. For details on the format
==


[...]

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


add here:

-o smtpd_helo_restrictions=
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


-- Noel Jones


Hi Noel,

Okay I did miss this! I will add your smtpd_helo_restrictions as above.

What exactly does that do as to not having it?


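The suggested config above prevents settings in main.cf from
interfering with settings on the submission port: each -o option in
master.cf replaces the main.cf value of that parameter for that one
service only.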





I have to get my client to try sending email again and dig out the logs.

What I can't understand is he has 3 OS on his PC.

Fedora 11 and Windows XP using thunderbird, exactly same settings and
both can RX but not send mail.
Windows 7, using thunderbird it RX and Sends.

Same details, ports, it's got the server certificate same on all 3 but
only W7 works.


That's very important information.  That makes this sound very 
much like a client configuration issue, not postfix.


If you still think it's postfix, show your current "postconf 
-n" and master.cf, and show logs demonstrating that the client 
authenticates yet is rejected.


But according to the config you posted earlier, if the client 
does authenticate they will bypass RBL checks.  So you need to 
show proof the client authenticated and was rejected.


Next nail, same client can submit mail using a different 
configuration on the same hardware with the same IP.  Sounds 
as if they are able to authenticate with at least one config.


Without further evidence, this isn't a postfix issue.  Fix the 
client.


  -- Noel Jones


Re: Set submission as to bypass RBLs

2010-04-22 Thread webmaster

Quoting Noel Jones :


On 4/21/2010 10:15 PM, David Cottle wrote:



Sent from my iPhone

On 22/04/2010, at 12:00, Noel Jones  wrote:


On 4/21/2010 6:35 PM, David Cottle wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I am having some issues with my server blocking ISP IP addresses.

I know a recent update to plesk-9.5.1 changed my postfix main.cf and
master.cf (the timestamps changed). I managed to fix main.cf as on
the smtpd_client_restrictions, they put the RBLs first.

Can anyone see what is wrong in the master.cf?

I just want submission on 587 able to bypass RBL checks:


you must have missed the answer yesterday.



#
# Postfix master process configuration file. For details on the format
==


[...]

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


add here:

-o smtpd_helo_restrictions=
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


-- Noel Jones


Hi Noel,

Okay I did miss this! I will add your smtpd_helo_restrictions as above.

What exactly does that do as to not having it?


The suggested config above prevents settings in main.cf from  
interfering with settings on the submission port.





I have to get my client to try sending email again and dig out the logs.

What I can't understand is he has 3 OS on his PC.

Fedora 11 and Windows XP using thunderbird, exactly same settings and
both can RX but not send mail.
Windows 7, using thunderbird it RX and Sends.

Same details, ports, it's got the server certificate same on all 3 but
only W7 works.


That's very important information.  That makes this sound very much  
like a client configuration issue, not postfix.


If you still think it's postfix, show your current "postconf -n" and  
master.cf, and show logs demonstrating that the client authenticates  
yet is rejected.


But according to the config you posted earlier, if the client does  
authenticate they will bypass RBL checks.  So you need to show proof  
the client authenticated and was rejected.


Next nail, same client can submit mail using a different  
configuration on the same hardware with the same IP.  Sounds as if  
they are able to authenticate with at least one config.


Without further evidence, this isn't a postfix issue.  Fix the client.

  -- Noel Jones



Hi Noel,

Sorry, it all got truncated.  Where exactly do I need to add that in
here? (I added an extra line between each entry)


plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser  
argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p  
/var/qmail/mailnames


mailman unix - n n - - pipe flags=R user=mailman:mailman  
argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}


127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user  
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue


127.0.0.1:10026 inet n - - - - smtpd  -o smtpd_client_restrictions=   
-o smtpd_helo_restrictions=  -o smtpd_sender_restrictions=  -o  
smtpd_recipient_restrictions=permit_mynetworks,reject  -o  
smtpd_data_restrictions=  -o  
receive_override_options=no_unknown_recipient_checks


127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user  
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote


plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6  
dbpath=/plesk/passwd.db


smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o  
smtpd_tls_wrappermode=yes


submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o  
smtpd_sasl_auth_enable=yes -o  
smtpd_client_restrictions=permit_sasl_authenticated,reject -o  
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


END



Re: Set submission as to bypass RBLs

2010-04-22 Thread Noel Jones

On 4/22/2010 7:59 AM, webmas...@aus-city.com wrote:

> Sorry its got all truncated. Where exactly do I need to add that in
here? (I added a extra line between each)

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p
/var/qmail/mailnames

mailman unix - n n - - pipe flags=R user=mailman:mailman
argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}

127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue

127.0.0.1:10026 inet n - - - - smtpd -o smtpd_client_restrictions= -o
smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o
smtpd_recipient_restrictions=permit_mynetworks,reject -o
smtpd_data_restrictions= -o
receive_override_options=no_unknown_recipient_checks

127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote

plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
dbpath=/plesk/passwd.db

smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
smtpd_tls_wrappermode=yes

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


Add here (to the submission entry)
  -o smtpd_helo_restrictions=
  -o 
smtpd_recipient_restrictions=permit_sasl_authenticated,reject


You may also want to add these to the "smtps" entry.

But this won't fix the problem of the client not authenticating.

  -- Noel Jones


Re: Set submission as to bypass RBLs

2010-04-22 Thread webmaster

Quoting Noel Jones :


On 4/22/2010 7:59 AM, webmas...@aus-city.com wrote:

Sorry its got all truncated. Where exactly do I need to add that in

here? (I added a extra line between each)

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser
argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p
/var/qmail/mailnames

mailman unix - n n - - pipe flags=R user=mailman:mailman
argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}

127.0.0.1:10025 inet n n n - - spawn user=mhandlers-user
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10027 before-queue

127.0.0.1:10026 inet n - - - - smtpd -o smtpd_client_restrictions= -o
smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o
smtpd_recipient_restrictions=permit_mynetworks,reject -o
smtpd_data_restrictions= -o
receive_override_options=no_unknown_recipient_checks

127.0.0.1:10027 inet n n n - - spawn user=mhandlers-user
argv=/usr/lib/plesk-9.0/postfix-queue 127.0.0.1 10026 before-remote

plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6
dbpath=/plesk/passwd.db

smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o
smtpd_tls_wrappermode=yes

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o
smtpd_sasl_auth_enable=yes -o
smtpd_client_restrictions=permit_sasl_authenticated,reject -o
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025


Add here (to the submission entry)
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

You may also want to add these to the "smtps" entry.

But this won't fix the problem of the client not authenticating.

  -- Noel Jones



Hi Noel,

I made the changes as you suggested.  My submission line in master.cf is now:

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o  
smtpd_sasl_auth_enable=yes -o  
smtpd_client_restrictions=permit_sasl_authenticated,reject -o  
smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:10025  -o  
smtpd_helo_restrictions=  -o  
smtpd_recipient_restrictions=permit_sasl_authenticated,reject