Re: Using Sasl authentication and RBL
Noel,

Thanks again so much for all the great advice. I have since worked in your changes (I have omitted the relay_recipients_maps for now, as I have to devise a scheme to synchronize my alias table between various domains). Here is my current postconf -n, any other pointers would be great. I will update the article I wrote next week to reflect these changes once I'm sure it all works as expected.

Thanks again everybody else that helped too!

biff = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.6.5/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 2048
mydomain = example.com
myhostname = foo.example.com
mynetworks = 127.0.0.0/8
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.5/readme
recipient_delimiter = +
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
#relay_recipient_maps = pgsql:/etc/postfix/pgsql/pgsql-relay-recipient_maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP NO UCE
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
virtual_mailbox_limit_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
virtual_maildir_extended = yes
virtual_maildir_limit_message = Sorry, the recipients mailbox is currently full. Please try again later.
virtual_overquota_bounce = no
virtual_trash_count = no
virtual_trash_name = .Trash
virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf

Noel Jones wrote:
> On 4/23/2010 6:10 AM, oliver wrote:
>> On Thu, 22 Apr 2010 19:06:59 -0500, Noel Jones <njo...@megan.vbhcs.org> wrote:
>>> On 4/22/2010 6:17 PM, Oliver Schinagl wrote:
>>>> Here's what I have in my postconf now:
>>>> mydomain = example.com
>>>> myhostname = foo.example.com
>>>> mynetworks_style = host
>>>
>>> OK, you're not defining mynetworks, permit_mynetworks should only allow your host's IPs. That's fine.
>>
>> I simply assumed, it's probably best to allow no one but localhost to mail unauthorized.
>
> If that's your intention, it's probably better to explicitly state:
> mynetworks = 127.0.0.1
> Most people also list their local network here, but that's not a requirement.
>
>>>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
>>>
>>> Using relay_domains without relay_recipient_maps is strongly discouraged. Your queue will get clogged with undeliverable mail and eventually you'll be blacklisted as a backscatter source.
>>
>> I went looking up relay_recipient_maps and from what I gather, all the users that are in my user table on the other end would have to be here as well? This basically means my database backend would/could be identical/synchronized then with just the backupmx flag on the domain reversed?
>
> Yes, the recipient list needs to be shared. But really, the idea of third-party backup MX is long dead. Better to not offer the service to others nor use it yourself. Without very close cooperation between you and the other party, one of you is going to be a backscatter source.
>
>> I can understand this working in my specific setup, where I admin both servers, but what if I would be a backupmx for a domain where I do not know the users from? E.g. my friend runs his own mailserver, and he likes me to be his backupmx; I'm perfectly fine with that, but I'd rather not have to
Re: Using Sasl authentication and RBL
On 4/24/2010 4:28 AM, Oliver Schinagl wrote:
> Noel,
>
> Thanks again so much for all the great advice. I have since worked in your changes (I have omitted the relay_recipients_maps for now, as I have to devise a scheme to synchronize my alias table between various domains). Here is my current postconf -n, any other pointers would be great. I will update the article I wrote next week to reflect these changes once I'm sure it all works as expected.
>
> Thanks again everybody else that helped too!

> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net

cbl is included in zen, so you should remove it.

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net

Other than that, no glaring errors.

  -- Noel Jones
Re: Using Sasl authentication and RBL
On Thu, 22 Apr 2010 19:06:59 -0500, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 4/22/2010 6:17 PM, Oliver Schinagl wrote:
>> Well what I'm after is the following: Postfix should be nice and locked, no relaying or anything like that; backup_max's should be allowed to relay of course, and users who have logged in properly via, say thunderbird (using sasl_auth). Also I would like to use public RBL's to lower the load on my spamfilter etc so they shouldn't even come in.
>>
>> Here's what I have in my postconf now:
>> mydomain = example.com
>> myhostname = foo.example.com
>> mynetworks_style = host
>
> OK, you're not defining mynetworks, permit_mynetworks should only allow your host's IPs. That's fine.

I simply assumed, it's probably best to allow no one but localhost to mail unauthorized.

>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
>
> Using relay_domains without relay_recipient_maps is strongly discouraged. Your queue will get clogged with undeliverable mail and eventually you'll be blacklisted as a backscatter source.

I went looking up relay_recipient_maps and from what I gather, all the users that are in my user table on the other end would have to be here as well? This basically means my database backend would/could be identical/synchronized then with just the backupmx flag on the domain reversed?

I can understand this working in my specific setup, where I admin both servers, but what if I would be a backupmx for a domain where I do not know the users from? E.g. my friend runs his own mailserver, and he likes me to be his backupmx; I'm perfectly fine with that, but I'd rather not have to keep his userbase in sync with my userbase, or did I completely misunderstand? I saw specifying @domain is bad, what about a catchall? *...@backupmxdomain.com or are those identical in that sense? Or am I completely missing the point on this one.

Also, re-reading it again, postfix will look up the string, but doesn't use the result, e.g. something like select * from backupmxtable where domain=%u; would result in a positive hit and all mailboxes from that domain, but that would also make me become a source of backscatter mail (what is that anyway)? I would assume that my postfix server would accept the mail, then forward it to the other host and deliver it there.

>> smtpd_banner = $myhostname NO UCE ESMTP
>
> That must be
> smtpd_banner = $myhostname ESMTP comments...

I assume the order matters here? I figured the NO UCE bit would be totally useless and totally ignored anyway, but hey, it would be there for all to see.

>> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
>
> permit_mx_backup is evil and disabling your RBL lookups.

Ah! Now we're onto something. But why? Is it filling in more than my backup mx domains here? I assume setting up relay_domains (properly) as above allows mail from my backups to arrive normally without consulting smtpd_client_restrictions?

> Don't use permit_mx_backup. If you run a backup MX for other domains, list those domains in relay_domains and the recipients in relay_recipient_maps.

I will change this.

>> smtpd_delay_reject = yes
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = reject_invalid_hostname
>
> This should be
> smtpd_helo_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_invalid_helo_hostname
> It's not nice to reject authorized clients just because their mail client happens to bork the HELO name.

I understand, I can agree with this one absolutely.

>> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
>
> Remove permit_mx_backup, it's disabling all your other checks.

As above, I don't understand how here either :)

>> smtpd_sasl_authenticated_header = no
>
> I like this set to yes, but that's just me.

I read that it 'broadcasts' the sasl username to anybody receiving/reading the mailheader and was therefore bad. I can see how this would be useful the first few weeks to potentially debug, as if the username is not listed, the user was not authorized.

>> smtpd_sasl_security_options = noanonymous
>
> Caution, this setting allows plain text passwords to be sent unencrypted. Safer (but harder for testing and maybe less compatible):
> smtpd_sasl_security_options = noplaintext, noanonymous
> smtpd_sasl_tls_security_options = noanonymous

Would base64 encoded usernames/passwords count? I'm not sure what roundcube does in that regard, then again, it doesn't matter as it is running locally anyway; and it has an option to properly login when sending messages remotely I believe.

>> and my master.cf:
>> smtp inet n - n - 4 smtpd
>>   -o content_filter=amavis:[127.0.0.1]:10024
>>   -o receive_override_options=no_address_mappings
Re: Using Sasl authentication and RBL
On 4/23/2010 6:10 AM, oliver wrote:
> On Thu, 22 Apr 2010 19:06:59 -0500, Noel Jones <njo...@megan.vbhcs.org> wrote:
>> On 4/22/2010 6:17 PM, Oliver Schinagl wrote:
>>> Here's what I have in my postconf now:
>>> mydomain = example.com
>>> myhostname = foo.example.com
>>> mynetworks_style = host
>>
>> OK, you're not defining mynetworks, permit_mynetworks should only allow your host's IPs. That's fine.
>
> I simply assumed, it's probably best to allow no one but localhost to mail unauthorized.

If that's your intention, it's probably better to explicitly state:
mynetworks = 127.0.0.1
Most people also list their local network here, but that's not a requirement.

>>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
>>
>> Using relay_domains without relay_recipient_maps is strongly discouraged. Your queue will get clogged with undeliverable mail and eventually you'll be blacklisted as a backscatter source.
>
> I went looking up relay_recipient_maps and from what I gather, all the users that are in my user table on the other end would have to be here as well? This basically means my database backend would/could be identical/synchronized then with just the backupmx flag on the domain reversed?

Yes, the recipient list needs to be shared. But really, the idea of third-party backup MX is long dead. Better to not offer the service to others nor use it yourself. Without very close cooperation between you and the other party, one of you is going to be a backscatter source.

> I can understand this working in my specific setup, where I admin both servers, but what if I would be a backupmx for a domain where I do not know the users from? E.g. my friend runs his own mailserver, and he likes me to be his backupmx; I'm perfectly fine with that, but I'd rather not have to keep his userbase in sync with my userbase, or did I completely misunderstand? I saw specifying @domain is bad, what about a catchall? *...@backupmxdomain.com or are those identical in that sense? Or am I completely missing the point on this one.

If you accept mail for some other system, and then they refuse it, it makes you a backscatter source.
http://en.wikipedia.org/wiki/Backscatter_%28e-mail%29
http://www.postfix.org/BACKSCATTER_README.html#wtf
This is about when you're a victim of backscatter, but you really don't want to be the source -- you will get blacklisted.

If the remote system will never reject or bounce back mail you send them, I suppose you don't need a recipient list. But there is at least some evidence that systems that accept catch-all addresses are spam magnets.

If the receiving system rejects unknown recipients during SMTP, you can let postfix build a list of known recipients for you.
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
but this doesn't help if the remote system rejects or bounces back mail it thinks is spam.

> Also, re-reading it again, postfix will look up the string, but doesn't use the result, e.g. something like select * from backupmxtable where domain=%u; would result in a positive hit and all mailboxes from that domain, but that would also make me become a source of backscatter mail (what is that anyway)? I would assume that my postfix server would accept the mail, then forward it to the other host and deliver it there.

The problems start when the other host either rejects mail, or bounces it back to you. You must not allow that as a normal occurrence. An occasional bounce is probably unavoidable, but you should do whatever you can to avoid them.

>>> smtpd_banner = $myhostname NO UCE ESMTP
>>
>> That must be
>> smtpd_banner = $myhostname ESMTP comments...
>
> I assume the order matters here? I figured the NO UCE bit would be totally useless and totally ignored anyway, but hey, it would be there for all to see.

ESMTP must be the second field, you can put whatever else after that. I suppose the notice might do some good if you decide to sue a spammer someday.

>>> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
>>
>> permit_mx_backup is evil and disabling your RBL lookups.
>
> Ah! Now we're onto something. But why? Is it filling in more than my backup mx domains here? I assume setting up relay_domains (properly) as above allows mail from my backups to arrive normally without consulting smtpd_client_restrictions?

permit_mx_backup also implies permit_auth_destination. No checks make sense after that other than reject -- the only mail that will still be processed at this point is unauth relay attempts.
http://www.postfix.org/postconf.5.html#permit_mx_backup

But really, the idea of a third-party backup MX is long dead, killed by spammers. Better to not offer the service to others nor use it yourself.

>>> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service
Re: Using Sasl authentication and RBL
On 04/22/10 04:49, Noel Jones wrote:
> On 4/21/2010 9:03 PM, Oliver Schinagl wrote:
>> On 04/22/10 03:55, Noel Jones wrote:
>>> On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>>>> Heh, I suppose it wasn't as straightforward as that; I'll look more into it after some sleep, I enabled it with the following:
>>>>
>>>> submission inet n - n - - smtpd
>>>> #  -o smtpd_tls_security_level=encrypt
>>>>   -o smtpd_sasl_auth_enable=yes
>>>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>> #  -o milter_macro_daemon_name=ORIGINATING
>>>>
>>>> (even tried uncommenting both, which shouldn't matter imho?)
>>>>
>>>> But got denied errors, telnet didn't tell me much, thunderbird told me slightly more:
>>>> An error occurred sending mail: The mail server sent an incorrect greeting: 5.7.1yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]: Client host rejected: Access denied.
>>>>
>>>> It won't even ask me for my sasl password, nothing. A mystery for the next day.
>>>
>>> Please show your current postconf -n and the error message from the postfix logs. Showing error messages from the client or from telnet are not particularly useful.
>>>
>>>   -- Noel Jones
>>
>> My current postconf -n is exactly as above in the mail; I hadn't changed anything, I only pasted the relevant part from master.conf that I changed.
>
> I don't see a postconf -n in this mail. I asked for a new copy to make sure of its current contents, and because I deleted your previous messages and don't feel like rummaging around in the trash.

I'm sorry, I didn't realize. Here it is :)

postconf -n
biff = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.6.5/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 2048
mydomain = example.com
myhostname = foo.example.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.5/readme
recipient_delimiter = +
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
virtual_mailbox_limit_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
virtual_maildir_extended = yes
virtual_maildir_limit_message = Sorry, the recipients mailbox is currently full. Please try again later.
virtual_overquota_bounce = no
virtual_trash_count = no
virtual_trash_name = .Trash
virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf

Apr 21 21:39:19 example postfix/smtpd[21360]: connect from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy] : 554 5.7.1yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]: Client host rejected: Access denied; proto=SMTP
Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]

> The client was rejected during the CONNECT stage. This implies you are using smtpd_delay_reject = no. Don't do that, the client doesn't get a chance to authenticate.

Hmm, you are absolutely right here, I was using that. I don't understand however, because I do have 'permit_sasl_auth' before the rbl stuff. It does fix the submission delivery port issue. So thanks on that :) Tested and confirmed!

But I don't think this will fix my initial issue,
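The points Noel raises in this thread (permit_mx_backup short-circuiting the RBL lookups behind it, smtpd_delay_reject = no rejecting at CONNECT before the client can AUTH, relay_domains without relay_recipient_maps, the redundant cbl lookup, the HELO ordering and the missing noplaintext) can be checked mechanically. The linter below is an added example, not code from Postfix or from anyone in the thread; its two embedded dumps are constructed from the settings quoted here, and the restriction-list tokenizer is a simplification that only knows the keyword prefixes listed in it.

```python
"""Lint a postconf -n dump (or main.cf) for the pitfalls raised in this thread.
Hypothetical helper, not part of Postfix; the sample dumps below are constructed."""
import re

# Constructed from the settings Noel objected to, as posted before the changes.
BEFORE = """\
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    permit_mx_backup, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
smtpd_delay_reject = no
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    permit_mx_backup, check_policy_service inet:127.0.0.1:2525,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""

# Constructed: the same parameters with all of the thread's advice applied.
AFTER = """\
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
relay_recipient_maps = pgsql:/etc/postfix/pgsql/pgsql-relay-recipient_maps.cf
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_tls_security_options = noanonymous
"""

RESTRICTION_PARAMS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                      "smtpd_recipient_restrictions")
# A token starting with one of these begins a new restriction; any other token is an
# argument of the previous one (an RBL zone, a policy server socket, ...).
KEYWORD_PREFIXES = ("permit", "reject", "defer", "check_", "warn_if_reject", "sleep")


def parse_postconf(text: str) -> dict[str, str]:
    """Parse 'name = value' lines; a line starting with whitespace continues the last value."""
    params: dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
        elif "=" in raw:
            current, value = (s.strip() for s in raw.split("=", 1))
            params[current] = value
    return params


def restriction_list(value: str) -> list[str]:
    """Split a restriction list into entries, keeping each keyword's argument with it."""
    entries: list[str] = []
    for tok in re.split(r"[,\s]+", value.strip()):
        if tok and entries and not tok.startswith(KEYWORD_PREFIXES):
            entries[-1] += " " + tok
        elif tok:
            entries.append(tok)
    return entries


def lint(params: dict[str, str]) -> list[str]:
    """Return one finding per problem; an empty list means no check fired."""
    findings: list[str] = []
    lists = {p: restriction_list(params.get(p, "")) for p in RESTRICTION_PARAMS}
    for param, entries in lists.items():
        # permit_mx_backup implies permit_auth_destination: for an accepted destination
        # nothing after it is evaluated, so the RBL lookups behind it are dead.
        if "permit_mx_backup" in entries:
            skipped = entries[entries.index("permit_mx_backup") + 1:]
            findings.append(f"{param}: permit_mx_backup skips {', '.join(skipped)}; "
                            "use relay_domains + relay_recipient_maps instead")
        # cbl.abuseat.org is a component of zen.spamhaus.org; the extra lookup is wasted.
        zones = [e.split()[1] for e in entries if e.startswith("reject_rbl_client ")]
        if "zen.spamhaus.org" in zones and "cbl.abuseat.org" in zones:
            findings.append(f"{param}: cbl.abuseat.org is already included in zen.spamhaus.org")
    # With smtpd_delay_reject = no, client restrictions run at CONNECT, before AUTH.
    if params.get("smtpd_delay_reject", "yes") == "no" and \
            "permit_sasl_authenticated" in lists["smtpd_client_restrictions"]:
        findings.append("smtpd_delay_reject = no: client restrictions are evaluated at "
                        "CONNECT, so permit_sasl_authenticated cannot match there")
    # Relaying for a domain without knowing its recipients makes you a backscatter source.
    if params.get("relay_domains") and not params.get("relay_recipient_maps"):
        findings.append("relay_domains set without relay_recipient_maps: backscatter risk")
    # A reject_* before permit_sasl_authenticated at HELO time hits authenticated users.
    helo = lists["smtpd_helo_restrictions"]
    first_reject = next((i for i, e in enumerate(helo) if e.startswith("reject")), None)
    if first_reject is not None and "permit_sasl_authenticated" not in helo[:first_reject]:
        findings.append("smtpd_helo_restrictions: rejects authenticated clients on a bad HELO")
    # Without noplaintext, PLAIN/LOGIN are offered on unencrypted sessions as well.
    if params.get("smtpd_sasl_auth_enable") == "yes" and \
            "noplaintext" not in params.get("smtpd_sasl_security_options", ""):
        findings.append("smtpd_sasl_security_options lacks noplaintext: "
                        "passwords may be sent unencrypted")
    return findings
```

lint(parse_postconf(BEFORE)) reports seven findings, one per point raised in the thread, while the AFTER dump lints clean; feed it the output of a real postconf -n to check your own server.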
Re: Using Sasl authentication and RBL
On 4/22/2010 7:02 AM, Oliver Schinagl wrote:
> But I don't think this will fix my initial issue, with clients being rejected on the RBL Auth issue does it? I think I did read that smtpd_delay_reject was good.

Then it's a different issue. Show postconf -n and logs of the unwanted behavior. If you're using the submission port, also show contents of master.cf.

> On top of that, I do have it set to no on my own server, where I can send with sasl auth just fine :S I'm still puzzled. I won't be able to verify all this though until tomorrow, when I'm at a pbl'ed adsl line again.

Obviously, settings are different on the other server.

  -- Noel Jones
Re: Using Sasl authentication and RBL
On 4/22/2010 12:10 AM, David Cottle wrote:
> I tried running testsaslauthd -u usermailname -p matchingpass -s smtp
> I get connect () : No such file or directory

You need to debug your sasl installation.

  -- Noel Jones
Re: Using Sasl authentication and RBL
Quoting Noel Jones <njo...@megan.vbhcs.org>:
> On 4/22/2010 12:10 AM, David Cottle wrote:
>> I tried running testsaslauthd -u usermailname -p matchingpass -s smtp
>> I get connect () : No such file or directory
>
> You need to debug your sasl installation.
>
>   -- Noel Jones

Hi Noel,

Any idea where to start as this is probably why it's failing?

Thanks
Re: Using Sasl authentication and RBL
On 4/22/2010 8:00 AM, webmas...@aus-city.com wrote:
> Quoting Noel Jones <njo...@megan.vbhcs.org>:
>> On 4/22/2010 12:10 AM, David Cottle wrote:
>>> I tried running testsaslauthd -u usermailname -p matchingpass -s smtp
>>> I get connect () : No such file or directory
>>
>> You need to debug your sasl installation.
>>
>>   -- Noel Jones
>
> Hi Noel,
>
> Any idea where to start as this is probably why it's failing?
>
> Thanks

Start here:
http://www.postfix.org/SASL_README.html

It's possible that only your test is failing, and your sasl is actually working. If your sasl is really borked, there should be other errors logged by postfix. Check the postfix logs. If some people are able to authenticate, then it's probably just your test that's broken.

I use dovecot for sasl, so I can't provide further help in debugging cyrus auth problems. Someone else will jump in if you post proper evidence.

  -- Noel Jones
Re: Using Sasl authentication and RBL
On Wed, Apr 21, 2010 at 09:49:49PM -0500, Noel Jones wrote:
> submission is commented out in the default postfix config because a relatively small subset of folks using postfix need it, and it's not nice to open ports not needed.

I would say that the subset is (or will soon be) a majority of sites, given the widespread blocking of port 25 for end users. However, as a default, it would not make sense to enable submission, because it relies on external software to provide SASL AUTH. Postfix is designed to work stand-alone, out of the box.

In another part of this thread, the OP mentioned having read that smtpd_delay_reject = no was a good idea. Much thought has gone into Postfix default settings. Sometimes these defaults need to be changed for a site, but the best thing to do is to consult the documentation and find what the reasoning was for the default setting.

The default smtpd_delay_reject=yes makes good sense in most cases. Inexperienced people often think that getting rid of them at CONNECT is going to save bandwidth, but there is no evidence to support this. It's just as likely that poorly-coded spam clients are going to connect again and keep trying. Penny wise, pound foolish.
-- 
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: Using Sasl authentication and RBL
On 04/22/10 19:21, /dev/rob0 wrote:
> On Wed, Apr 21, 2010 at 09:49:49PM -0500, Noel Jones wrote:
>> submission is commented out in the default postfix config because a relatively small subset of folks using postfix need it, and it's not nice to open ports not needed.
>
> I would say that the subset is (or will soon be) a majority of sites, given the widespread blocking of port 25 for end users. However, as a default, it would not make sense to enable submission, because it relies on external software to provide SASL AUTH. Postfix is designed to work stand-alone, out of the box.
>
> In another part of this thread, the OP mentioned having read that smtpd_delay_reject = no was a good idea. Much thought has gone into Postfix default settings. Sometimes these defaults need to be changed for a site, but the best thing to do is to consult the documentation and find what the reasoning was for the default setting.
>
> The default smtpd_delay_reject=yes makes good sense in most cases. Inexperienced people often think that getting rid of them at CONNECT is going to save bandwidth, but there is no evidence to support this. It's just as likely that poorly-coded spam clients are going to connect again and keep trying. Penny wise, pound foolish.

I haven't tried whether my sasl auth on default port works now, but I have noticed a huge increase in spam getting passed; I haven't looked if I can do RBL in amavis (I should?) But postfix isn't rejecting any RBL anymore with the SMTP relay yes?

I'm sorry for not knowing all I should know, I'm no postfix expert :) and I thought I understood it, but not well enough it seems. I suppose I could override smtpd_delay on port 587 via master.cf and have it set to 'no' in my postfix.conf, and just live with the idea that port 25 is kinda off limits for regular 'users' from now on? It sits wrong with me in a sense, but I'm sure I just don't get postfix's main.cf enough :(

oliver
Re: Using Sasl authentication and RBL
On 04/23/10 00:45, Noel Jones wrote:
> On 4/22/2010 5:16 PM, Oliver Schinagl wrote:
>> On 04/22/10 19:21, /dev/rob0 wrote:
>>> On Wed, Apr 21, 2010 at 09:49:49PM -0500, Noel Jones wrote:
>>>> submission is commented out in the default postfix config because a relatively small subset of folks using postfix need it, and it's not nice to open ports not needed.
>>>
>>> I would say that the subset is (or will soon be) a majority of sites, given the widespread blocking of port 25 for end users. However, as a default, it would not make sense to enable submission, because it relies on external software to provide SASL AUTH. Postfix is designed to work stand-alone, out of the box.
>>>
>>> In another part of this thread, the OP mentioned having read that smtpd_delay_reject = no was a good idea. Much thought has gone into Postfix default settings. Sometimes these defaults need to be changed for a site, but the best thing to do is to consult the documentation and find what the reasoning was for the default setting.
>>>
>>> The default smtpd_delay_reject=yes makes good sense in most cases. Inexperienced people often think that getting rid of them at CONNECT is going to save bandwidth, but there is no evidence to support this. It's just as likely that poorly-coded spam clients are going to connect again and keep trying. Penny wise, pound foolish.
>>
>> I haven't tried whether my sasl auth on default port works now, but I have noticed a huge increase in spam getting passed; I haven't looked if I can do RBL in amavis (I should?) But postfix isn't rejecting any RBL anymore with the SMTP relay yes?
>
> Unrelated. The setting of smtpd_delay_reject will have no effect on RBL lookups. If your RBLs aren't working anymore, you should double check the other things you changed.
>
> You should leave smtpd_delay_reject at its default setting of yes unless you have a full understanding of why you might or might not want to change it.
>
> Indeed, all the postfix default settings are carefully chosen and shouldn't be changed without careful research or advice from a reliable source[1].
>
> [1] Advice you receive on this list can be considered peer-reviewed and reliable. Advice found on the postfix.org web site can be considered authoritative and accurate. Advice found on some google-suggested web site may or may not have been peer-reviewed, and may or may not be accurate or current; use with caution.
>
> If you need help, you know the drill -- postconf -n and logs showing the problem.

Well what I'm after is the following: Postfix should be nice and locked, no relaying or anything like that; backup_max's should be allowed to relay of course, and users who have logged in properly via, say thunderbird (using sasl_auth). Also I would like to use public RBL's to lower the load on my spamfilter etc so they shouldn't even come in.

Here's what I have in my postconf now:

biff = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.6.5/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 2048
mydomain = example.com
myhostname = foo.example.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.5/readme
recipient_delimiter = +
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
virtual_mailbox_limit_maps =
Re: Using Sasl authentication and RBL
Quoting Noel Jones <njo...@megan.vbhcs.org>:
> On 4/22/2010 8:00 AM, webmas...@aus-city.com wrote:
>> Quoting Noel Jones <njo...@megan.vbhcs.org>:
>>> On 4/22/2010 12:10 AM, David Cottle wrote:
>>>> I tried running testsaslauthd -u usermailname -p matchingpass -s smtp
>>>> I get connect () : No such file or directory
>>>
>>> You need to debug your sasl installation.
>>>
>>>   -- Noel Jones
>>
>> Hi Noel,
>>
>> Any idea where to start as this is probably why it's failing?
>>
>> Thanks
>
> Start here:
> http://www.postfix.org/SASL_README.html
>
> It's possible that only your test is failing, and your sasl is actually working. If your sasl is really borked, there should be other errors logged by postfix. Check the postfix logs. If some people are able to authenticate, then it's probably just your test that's broken.
>
> I use dovecot for sasl, so I can't provide further help in debugging cyrus auth problems. Someone else will jump in if you post proper evidence.
>
>   -- Noel Jones

Hi Noel,

Seems it's plesk and not logging everything in the logs. It uses its own logging for mail, I could not find my successful login (below). The saslauthd is not running, but plesk must use another process to do this, but it is running:

But it is running and verifies (I did this on a remote server)

telnet xxx 587
Trying xxx...
Connected to xxx.
Escape character is '^]'.
220 xxx ESMTP Postfix
ehlo xxx.
250-xxx
250-PIPELINING
250-SIZE 2048
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: xxx
250 2.1.0 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.

I will have to check out my client as it's only local to him alone. Also as I did say he runs multiple OS on the same machine and one works perfectly.

Lastly digging in my logs, I found this:

Apr 23 04:23:28 server postfix/smtpd[24755]: connect from unknown[xx.xx.xx.xx]
Apr 23 04:23:28 server postfix/smtpd[25116]: warning: 127.0.0.1: address not listed for hostname localhost
Apr 23 04:23:28 server postfix/smtpd[25116]: connect from unknown[127.0.0.1]

Any idea why? It's listed in the /etc/hosts file:

::1 localhost localhost.localdomain localhost6.localdomain6 localhost6
127.0.0.1 xx.xx.xx.xx xx.xx.xx server localhost.localdomain localhost

Thanks again!
Re: Using Sasl authentication and RBL
On 4/22/2010 6:19 PM, webmas...@aus-city.com wrote:
> Seems it's plesk and it's not logging everything in the logs. It uses its own logging for mail; I could not find my successful login (below). The saslauthd is not running, but plesk must use another process to do this, and it is running.

Logs are important for solving problems and tracing what happened to mail. If you can't find logs, ask on a plesk support forum. Without proper logging, it's far more difficult to diagnose problems and offer correct solutions.

> But it is running and verifies (I did this on a remote server):
>
> telnet xxx 587
> Trying xxx...
> Connected to xxx.
> Escape character is '^]'.
> 220 xxx ESMTP Postfix
> ehlo xxx.
> 250-xxx
> 250-PIPELINING
> 250-SIZE 2048
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> mail from: xxx
> 250 2.1.0 Ok
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.

This shows that postfix is listening and offering AUTH on port 587, but not much else. It would be more interesting to try to authenticate as described in SASL_README (warning: don't post base64 encoded username/password to the list; they are trivially decoded.)

> I will have to check out my client, as it's only local to him alone. Also, as I did say, he runs multiple OSes on the same machine and one works perfectly.
>
> Lastly, digging in my logs, I found this:
>
> Apr 23 04:23:28 server postfix/smtpd[24755]: connect from unknown[xx.xx.xx.xx]
> Apr 23 04:23:28 server postfix/smtpd[25116]: warning: 127.0.0.1: address not listed for hostname localhost
> Apr 23 04:23:28 server postfix/smtpd[25116]: connect from unknown[127.0.0.1]
>
> Any idea why? It's listed in the /etc/hosts file:
>
> ::1 localhost localhost.localdomain localhost6.localdomain6 localhost6
> 127.0.0.1 xx.xx.xx.xx xx.xx.xx server localhost.localdomain localhost

Maybe check your /etc/nsswitch.conf? This has no relation to any other problems you may be having.

-- Noel Jones
Re: Using Sasl authentication and RBL
Quoting Noel Jones njo...@megan.vbhcs.org: On 4/22/2010 6:19 PM, webmas...@aus-city.com wrote: Seems its plesk and not logging everything in the logs. It uses its own logging for mail, I could not find my successful login (below). The saslauthd is not running, but plesk must start use another process to do this, but its is running: Logs are important for solving problems and tracing what happened to mail. If you can't find logs, ask on a plesk support forum. Without proper logging, it's far more difficult to diagnose problems and offer correct solutions. But it is running and verifies (I did this on a remote server) telnet xxx 587 Trying xxx... Connected to xxx. Escape character is '^]'. 220 xxx ESMTP Postfix ehlo xxx. 250-xxx 250-PIPELINING 250-SIZE 2048 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN mail from: xxx 250 2.1.0 Ok quit 221 2.0.0 Bye Connection closed by foreign host. This shows that postfix is listening and offering AUTH on port 587, but not much else. It would be more interesting to try to authenticate as described in SASL_README (warning: don't post base64 encoded username/password to the list; they are trivially decoded.) I will have to check out my client as its only local to him alone. Also as I did say he runs multiple OS on the same machine and one works perfectly. Lastly digging in my logs, I found this: Apr 23 04:23:28 server postfix/smtpd[24755]: connect from unknown[xx.xx.xx.xx] Apr 23 04:23:28 server postfix/smtpd[25116]: warning: 127.0.0.1: address not listed for hostname localhost Apr 23 04:23:28 server postfix/smtpd[25116]: connect from unknown[127.0.0.1] Any idea why? Its listed in the /etc/hosts file: ::1 localhost localhost.localdomain localhost6.localdomain6 localhost6 127.0.0.1 xx.xx.xx.xx xx.xx.xx server localhost.localdomain localhost Maybe check your /etc/nsswitch.conf? This has no relation to any other problems you may be having. 
> -- Noel Jones

Hi Noel,

I do see some auth stuff in the logs, I put a snip:

Apr 21 05:05:30 server pop3d: IMAP connect from @ [203.206.129.129]INFO: LOGIN, user...@xx.com, ip=[xx.xx.xx.xx]
Apr 21 05:05:31 server postfix/smtpd[21639]: connect from unknown[xx.xx.xx.xx]
Apr 21 05:05:31 server postfix/smtpd[21760]: warning: 127.0.0.1: address not listed for hostname localhost
Apr 21 05:05:31 server postfix/smtpd[21760]: connect from unknown[127.0.0.1]
Apr 21 05:05:31 server postfix/smtpd[21639]: NOQUEUE: client=unknown[xx.xx.xx.xx], sasl_method=PLAIN, sasl_username...@xx.com
Apr 21 05:05:31 server postfix/smtpd[21760]: AE1E923EAC: client=unknown[xx.xx.xx.xx]

I will do that test later and report. Here is my nsswitch.conf:

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#
# To use db, put the db in front of files for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files
shadow:     files
group:      files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus
Re: Using Sasl authentication and RBL
On 4/22/2010 6:17 PM, Oliver Schinagl wrote:
> Well, what I'm after is the following: Postfix should be nice and locked, no relaying or anything like that; backup MXs should be allowed to relay of course, and users who have logged in properly via, say, thunderbird (using sasl_auth). Also I would like to use public RBLs to lower the load on my spamfilter etc, so they shouldn't even come in.
>
> Here's what I have in my postconf now:
>
> mydomain = example.com
> myhostname = foo.example.com
> mynetworks_style = host

OK, you're not defining mynetworks, permit_mynetworks should only allow your host's IPs. That's fine.

> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf

Using relay_domains without relay_recipient_maps is strongly discouraged. Your queue will get clogged with undeliverable mail and eventually you'll be blacklisted as a backscatter source.

> smtpd_banner = $myhostname NO UCE ESMTP

That must be
smtpd_banner = $myhostname ESMTP comments...

> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net

permit_mx_backup is evil and disabling your RBL lookups. Don't use permit_mx_backup. If you run a backup MX for other domains, list those domains in relay_domains and the recipients in relay_recipient_maps.

> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_hostname

This should be
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_helo_hostname

It's not nice to reject authorized clients just because their mail client happens to bork the HELO name.

> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination

Remove permit_mx_backup, it's disabling all your other checks.

> smtpd_sasl_authenticated_header = no

I like this set to yes, but that's just me.

> smtpd_sasl_security_options = noanonymous

Caution, this setting allows plain text passwords to be sent unencrypted. Safer (but harder for testing and maybe less compatible):
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_tls_security_options = noanonymous

> and my master.cf:
>
> smtp inet n - n - 4 smtpd
>   -o content_filter=amavis:[127.0.0.1]:10024
>   -o receive_override_options=no_address_mappings
> submission inet n - n - - smtpd
> #  -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_helo_restrictions=
>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

You might want to add here
  -o smtpd_sender_restrictions=
to prevent main.cf parameters from interfering.

Otherwise, looks reasonable. Remove your permit_mx_backup and everything should be dandy.

-- Noel Jones
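Noel's two objections to permit_mx_backup both follow from how Postfix evaluates a restriction list: left to right, and the first restriction that answers PERMIT or REJECT decides, so anything that permits early silences every check after it. The script below is an added example, not Postfix code and not from any poster, that models that first-match rule for the client restrictions in this thread, with a constructed RBL table, a constructed list of backup-MX domains and constructed clients in place of real DNS. It contrasts the original list with Noel's fix, and it also shows the other setting that puts an RBL hit at CONNECT time: with smtpd_delay_reject = no, as in Oliver's first postconf -n, smtpd_client_restrictions run as soon as the client connects, before it can EHLO, STARTTLS or AUTH, so permit_sasl_authenticated has nothing to match and an authenticating user on a PBL-listed ADSL address is rejected before it ever sends AUTH, which is what the "NOQUEUE: reject: CONNECT from ..." log line looks like.

```python
"""Toy model of Postfix smtpd restriction-list evaluation.

Added example for this thread; it is not Postfix code and not from any
poster.  Postfix walks a restriction list left to right and the first
restriction that answers PERMIT or REJECT decides; a restriction that
answers DUNNO hands over to the next one.  The RBL table, the backup-MX
domain list and the client records are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for DNSBL answers (real Postfix does a DNS lookup).
RBL_LISTED = {"zen.spamhaus.org": {"203.0.113.45"}}

# Constructed: domains that list this host as a (backup) MX.
BACKUP_MX_DOMAINS = {"example.org"}

# mynetworks_style = host with no mynetworks set: only the host's own addresses.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]


@dataclass
class Client:
    ip: str
    sasl_username: Optional[str] = None  # set only after a successful AUTH
    recipient: Optional[str] = None      # known only once RCPT TO arrives


Restriction = Callable[[Client], str]


def permit_mynetworks(c: Client) -> str:
    addr = ipaddress.ip_address(c.ip)
    return "PERMIT" if any(addr in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(c: Client) -> str:
    return "PERMIT" if c.sasl_username else "DUNNO"


def permit_mx_backup(c: Client) -> str:
    # Permits any client, listed or not, as long as the recipient domain
    # names this host as an MX.  That is why it short-circuits the RBLs.
    if c.recipient and c.recipient.rsplit("@", 1)[1] in BACKUP_MX_DOMAINS:
        return "PERMIT"
    return "DUNNO"


def reject_rbl_client(zone: str) -> Restriction:
    def check(c: Client) -> str:
        return "REJECT" if c.ip in RBL_LISTED.get(zone, set()) else "DUNNO"
    check.__name__ = f"reject_rbl_client {zone}"
    return check


def evaluate(restrictions: List[Restriction], c: Client) -> Tuple[str, Optional[str]]:
    """First PERMIT/REJECT wins; returns (verdict, deciding restriction)."""
    for r in restrictions:
        verdict = r(c)
        if verdict != "DUNNO":
            return verdict, r.__name__
    return "DUNNO", None  # end of list: Postfix moves on to the next list


def evaluate_client_restrictions(restrictions: List[Restriction], c: Client,
                                 delay_reject: bool) -> Tuple[str, Optional[str]]:
    """Apply smtpd_client_restrictions at the stage Postfix would.

    With smtpd_delay_reject = no they run right after CONNECT, before the
    client has had any chance to EHLO, STARTTLS or AUTH, so neither the
    SASL user nor the recipient exists yet.  With delay_reject = yes they
    run at RCPT TO, when both are known.
    """
    stage = c if delay_reject else Client(ip=c.ip)
    return evaluate(restrictions, stage)


# The thread's original client restrictions and the list Noel recommended.
ORIGINAL = [permit_mynetworks, permit_sasl_authenticated, permit_mx_backup,
            reject_rbl_client("zen.spamhaus.org")]
FIXED = [permit_mynetworks, permit_sasl_authenticated,
         reject_rbl_client("zen.spamhaus.org")]


if __name__ == "__main__":
    listed_unauth = Client("203.0.113.45", recipient="bob@example.org")
    listed_auth = Client("203.0.113.45", "alice@example.com", "bob@example.net")
    for name, lst in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "listed, no AUTH, backup-MX recipient, delay_reject=yes:",
              evaluate_client_restrictions(lst, listed_unauth, True))
        print(name, "listed, AUTH ok, delay_reject=yes:",
              evaluate_client_restrictions(lst, listed_auth, True))
        print(name, "listed, AUTH ok, delay_reject=no: ",
              evaluate_client_restrictions(lst, listed_auth, False))
```

Read the two knobs separately: removing permit_mx_backup is what lets the RBL reject a listed spammer aimed at a backup-MX domain, while smtpd_delay_reject = yes is what lets permit_sasl_authenticated see the AUTH before the RBL is consulted. The model ignores smtpd_recipient_restrictions and reject_unauth_destination; it only shows the ordering effect Noel describes.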
Re: Using Sasl authentication and RBL
Sent from my iPhone

On 23/04/2010, at 10:10, Noel Jones njo...@megan.vbhcs.org wrote:
> On 4/22/2010 6:54 PM, webmas...@aus-city.com wrote:
>> I do see some auth stuff in the logs, I put a snip:
>>
>> Apr 21 05:05:31 server postfix/smtpd[21639]: connect from unknown[xx.xx.xx.xx]
>> Apr 21 05:05:31 server postfix/smtpd[21639]: NOQUEUE: client=unknown[xx.xx.xx.xx], sasl_method=PLAIN, sasl_username...@xx.com
>
> This confirms your AUTH is working. No need for further testing. If anyone can't send mail, they didn't AUTH.
>
> -- Noel Jones

Hi Noel,

Thanks, I really thought that was the case. I will check out my friend's PC on the weekend and try to find out what is going on. As his Windows 7 + Thunderbird works and his Fedora 11 and Windows XP don't for sending, something's weird. Also his W7 is a new install. I vaguely recall having him delete his XP Thunderbird profile and redo it.

Thanks again for your help; at least I got the master.cf better tweaked.
Using Sasl authentication and RBL
Hello all,

I've been trying to figure out why a new server I set up using postfix doesn't allow me to relay messages after I authenticate (using cyrus-sasl). It appears that I can authenticate just fine, but when I try to send a message, I get an RBL error. I obviously want my ADSL IP not to be whitelisted from the sending end (as it's dhcp and just a regular adsl ip), but I would have expected that after authentication the RBL would be bypassed?

I thought I pretty much set it up the same way as my older server, which accepts my mail just fine! Guess I was wrong, and I can't find the differences. As I've set up my server, I tried to document it as well as possible over at the gentoo-wiki: http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server

The entire postfix server seems to be running excellently as far as I can tell, except for not being able to send from remote 'internet' IPs that are on the PBL.

Find below my postconf -n (having replaced the real hostname with foo.example)

=== postconf -n
biff = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 1
disable_vrfy_command = yes
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.6.5/html
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 2048
mydomain = example.com
myhostname = foo.example.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.5/readme
recipient_delimiter = +
relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
virtual_mailbox_limit_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
virtual_maildir_extended = yes
virtual_maildir_limit_message = Sorry, the recipients mailbox is currently full. Please try again later.
virtual_overquota_bounce = no
virtual_trash_count = no
virtual_trash_name = .Trash
virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf
Re: Using Sasl authentication and RBL
Oliver Schinagl wrote:
> Hello all,
>
> I've been trying to figure out why a new server I set up using postfix doesn't allow me to relay messages after I authenticate (using cyrus-sasl). It appears that I can authenticate just fine, but when I try to send a message, I get an RBL error. I obviously want my ADSL IP not to be whitelisted from the sending end (as it's dhcp and just a regular adsl ip), but I would have expected that after authentication the RBL would be bypassed?

Show logs that prove your claims:
1- user was authenticated
2- relay was denied

For (1), you should find a line like this:

Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888: client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN, sasl_username=mo...@ml.netoyen.net

> I thought I pretty much set it up the same way as my older server, which accepts my mail just fine! Guess I was wrong, and I can't find the differences. As I've set up my server, I tried to document it as well as possible over at the gentoo-wiki: http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>
> The entire postfix server seems to be running excellently as far as I can tell, except for not being able to send from remote 'internet' IPs that are on the PBL.
>
> Find below my postconf -n (having replaced the real hostname with foo.example)
>
> === postconf -n
> biff = no
> broken_sasl_auth_clients = no
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib64/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 1
> disable_vrfy_command = yes
> home_mailbox = .maildir/
> html_directory = /usr/share/doc/postfix-2.6.5/html
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> message_size_limit = 2048
> mydomain = example.com
> myhostname = foo.example.com
> mynetworks_style = host
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.5/readme
> recipient_delimiter = +
> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtpd_banner = $myhostname NO UCE ESMTP
> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
> smtpd_delay_reject = no
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_hostname
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = no
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
> smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
> smtpd_tls_loglevel = 0
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> soft_bounce = no
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
> virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
> virtual_mailbox_base = /var/vmail
> virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-domains.cf
> virtual_mailbox_limit_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-limit-maps.cf
> virtual_mailbox_limit_override = yes
> virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-mailbox-maps.cf
> virtual_maildir_extended = yes
> virtual_maildir_limit_message = Sorry, the recipients mailbox is currently full. Please try again later.
> virtual_overquota_bounce = no
> virtual_trash_count = no
> virtual_trash_name = .Trash
> virtual_uid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-uid-maps.cf
Re: Using Sasl authentication and RBL
On 04/21/10 23:47, mouss wrote:
> Oliver Schinagl wrote:
>> Hello all,
>>
>> I've been trying to figure out why a new server I set up using postfix doesn't allow me to relay messages after I authenticate (using cyrus-sasl). It appears that I can authenticate just fine, but when I try to send a message, I get an RBL error. I obviously want my ADSL IP not to be whitelisted from the sending end (as it's dhcp and just a regular adsl ip), but I would have expected that after authentication the RBL would be bypassed?
>
> Show logs that prove your claims:
> 1- user was authenticated
> 2- relay was denied
>
> For (1), you should find a line like this:
>
> Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888: client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN, sasl_username=mo...@ml.netoyen.net

Sorry for forgetting. I can post 2; I'm having trouble finding 1, because I think that's what's going wrong ;)

Apr 19 14:30:36 example postfix/smtpd[26549]: connect from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP
Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]

What does work, however, is if I telnet from my own host (which isn't in the PBL, so it makes testing really hard for me (unless I could fake my domain temporarily to be on the PBL?)) and AUTH LOGIN and send a message: it does work, so sasl_auth must be working, right?

Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63: client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN, sasl_username=theuser

Either thunderbird isn't trying to auth at all (even though I told it to) or it gets RBLed before it could even try to auth, which is what I'm thinking. My test box (a different server, basically), which is normally on the PBL, is down for maintenance atm (broken NIC :S), so all I've got is users complaining they're unable to send mail on the new server, and I can't figure out what I have done wrong.

>> I thought I pretty much set it up the same way as my older server, which accepts my mail just fine! Guess I was wrong, and I can't find the differences. As I've set up my server, I tried to document it as well as possible over at the gentoo-wiki: http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>>
>> The entire postfix server seems to be running excellently as far as I can tell, except for not being able to send from remote 'internet' IPs that are on the PBL.
>>
>> Find below my postconf -n (having replaced the real hostname with foo.example)
>>
>> === postconf -n
>> biff = no
>> broken_sasl_auth_clients = no
>> command_directory = /usr/sbin
>> config_directory = /etc/postfix
>> daemon_directory = /usr/lib64/postfix
>> data_directory = /var/lib/postfix
>> debug_peer_level = 1
>> disable_vrfy_command = yes
>> home_mailbox = .maildir/
>> html_directory = /usr/share/doc/postfix-2.6.5/html
>> mail_owner = postfix
>> mailq_path = /usr/bin/mailq
>> manpage_directory = /usr/share/man
>> message_size_limit = 2048
>> mydomain = example.com
>> myhostname = foo.example.com
>> mynetworks_style = host
>> newaliases_path = /usr/bin/newaliases
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/share/doc/postfix-2.6.5/readme
>> recipient_delimiter = +
>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
>> sendmail_path = /usr/sbin/sendmail
>> setgid_group = postdrop
>> smtpd_banner = $myhostname NO UCE ESMTP
>> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
>> smtpd_delay_reject = no
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = reject_invalid_hostname
>> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_authenticated_header = no
>> smtpd_sasl_local_domain =
>> smtpd_sasl_security_options = noanonymous
>> smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
>> smtpd_tls_auth_only = no
>> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
>> smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
>> smtpd_tls_loglevel = 0
>> smtpd_tls_received_header = yes
>> smtpd_tls_session_cache_timeout = 3600s
>> smtpd_use_tls = yes
>> soft_bounce = no
>> tls_random_source = dev:/dev/urandom
>> unknown_local_recipient_reject_code = 550
>> virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf
>> virtual_gid_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-gid-maps.cf
>> virtual_mailbox_base = /var/vmail
>> virtual_mailbox_domains =
Re: Using Sasl authentication and RBL
On 04/21/2010 07:19 PM, Oliver Schinagl wrote: On 04/21/10 23:47, mouss wrote: Oliver Schinagl a écrit : Hello all, I've been trying to figure out why a new server I setup using postfix doesn't allow me to relay messages after I authenticate (using cyrus-sasl). It appears then I can authenticate just fine, but when I try to send a message, I get a RBL error. I obviously want my ADSL IP not to be whitelisted from the sending end (as it's dhcp and just a regular adsl ip) but I would have expected that after authentication the RBL would be bypassed? Show logs that prove your claims: 1- user was authenticated 2- relay was denied for (1), you should find a line like this: Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888: client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN, sasl_username=mo...@ml.netoyen.net Sorry for forgetting, I can post 2; I'm having troubles finding 1, because I think that's whats going wrong ;) Apr 19 14:30:36 example postfix/smtpd[26549]: connect from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx] Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx] Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx] What does work however, is if i telnet from my own host (which isn't in the pbl so it makes testing for me really hard (unless I could fake my domain temporarly to be on the pbl?) and AUTH LOGIN and send a message it does work, so sasl_auth must be working right? 
Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63: client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN, sasl_username=theuser Either thunderbird isn't trying to auth at all (even though I told it to) or it gets RBLed before it could even try to auth, which is what I'm thinking. My test box, (diff server basically) which is on the pbl normally, is down for maintanance atm (broken nic :S) so all I got is users complaining unable to send mail on the new server, and I can't figure out what I have done wrong. I thought I pretty much set it up the same way as my older server, which accepts my mail just fine! Guess I was wrong, and I can't find the differences. As I've setup my server, I tried to document it as well as possible over at the gentoo-wiki; http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server The entire postfix server seems to be running excellently as far as I can tell, except for not being able to send from remote 'internet' IP's that are on the PBL. Find below my postconf -n (having replaced the real hostname with foo.example) === postconf -n biff = no broken_sasl_auth_clients = no command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/lib64/postfix data_directory = /var/lib/postfix debug_peer_level = 1 disable_vrfy_command = yes home_mailbox = .maildir/ html_directory = /usr/share/doc/postfix-2.6.5/html mail_owner = postfix mailq_path = /usr/bin/mailq manpage_directory = /usr/share/man message_size_limit = 2048 mydomain = example.com myhostname = foo.example.com mynetworks_style = host newaliases_path = /usr/bin/newaliases queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.6.5/readme recipient_delimiter = + relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf sendmail_path = /usr/sbin/sendmail setgid_group = postdrop smtpd_banner = $myhostname NO UCE ESMTP smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, 
reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net smtpd_delay_reject = no smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_hostname smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = no smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem smtpd_tls_auth_only = no smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem smtpd_tls_loglevel = 0 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes soft_bounce = no tls_random_source = dev:/dev/urandom unknown_local_recipient_reject_code = 550 virtual_alias_maps = pgsql:/etc/postfix/pgsql/pgsql-virtual-alias-maps.cf virtual_gid_maps =
Re: Using Sasl authentication and RBL
On 04/22/10 02:10, Matt Hayes wrote: On 04/21/2010 07:19 PM, Oliver Schinagl wrote: On 04/21/10 23:47, mouss wrote: Oliver Schinagl a écrit : Hello all, I've been trying to figure out why a new server I setup using postfix doesn't allow me to relay messages after I authenticate (using cyrus-sasl). It appears then I can authenticate just fine, but when I try to send a message, I get a RBL error. I obviously want my ADSL IP not to be whitelisted from the sending end (as it's dhcp and just a regular adsl ip) but I would have expected that after authentication the RBL would be bypassed? Show logs that prove your claims: 1- user was authenticated 2- relay was denied for (1), you should find a line like this: Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888: client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN, sasl_username=mo...@ml.netoyen.net Sorry for forgetting, I can post 2; I'm having troubles finding 1, because I think that's whats going wrong ;) Apr 19 14:30:36 example postfix/smtpd[26549]: connect from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx] Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx] Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx] What does work however, is if i telnet from my own host (which isn't in the pbl so it makes testing for me really hard (unless I could fake my domain temporarly to be on the pbl?) and AUTH LOGIN and send a message it does work, so sasl_auth must be working right? 
Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63: client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN, sasl_username=theuser Either thunderbird isn't trying to auth at all (even though I told it to) or it gets RBLed before it could even try to auth, which is what I'm thinking. My test box, (diff server basically) which is on the pbl normally, is down for maintanance atm (broken nic :S) so all I got is users complaining unable to send mail on the new server, and I can't figure out what I have done wrong. I thought I pretty much set it up the same way as my older server, which accepts my mail just fine! Guess I was wrong, and I can't find the differences. As I've setup my server, I tried to document it as well as possible over at the gentoo-wiki; http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server The entire postfix server seems to be running excellently as far as I can tell, except for not being able to send from remote 'internet' IP's that are on the PBL. Find below my postconf -n (having replaced the real hostname with foo.example) === postconf -n biff = no broken_sasl_auth_clients = no command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/lib64/postfix data_directory = /var/lib/postfix debug_peer_level = 1 disable_vrfy_command = yes home_mailbox = .maildir/ html_directory = /usr/share/doc/postfix-2.6.5/html mail_owner = postfix mailq_path = /usr/bin/mailq manpage_directory = /usr/share/man message_size_limit = 2048 mydomain = example.com myhostname = foo.example.com mynetworks_style = host newaliases_path = /usr/bin/newaliases queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.6.5/readme recipient_delimiter = + relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf sendmail_path = /usr/sbin/sendmail setgid_group = postdrop smtpd_banner = $myhostname NO UCE ESMTP smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, 
reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net smtpd_delay_reject = no smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_hostname smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = no smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem smtpd_tls_auth_only = no smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem smtpd_tls_loglevel = 0 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes soft_bounce = no tls_random_source = dev:/dev/urandom unknown_local_recipient_reject_code = 550 virtual_alias_maps =
Re: Using Sasl authentication and RBL
On 04/22/10 02:42, Matt Hayes wrote:
> On 04/21/2010 08:33 PM, Oliver Schinagl wrote:
>> On 04/22/10 02:10, Matt Hayes wrote:
>>> On 04/21/2010 07:19 PM, Oliver Schinagl wrote:
>>>> On 04/21/10 23:47, mouss wrote:
>>>>> Oliver Schinagl wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> I've been trying to figure out why a new server I set up using postfix doesn't allow me to relay messages after I authenticate (using cyrus-sasl). It appears that I can authenticate just fine, but when I try to send a message, I get an RBL error. I obviously want my ADSL IP not to be whitelisted from the sending end (as it's DHCP and just a regular ADSL IP), but I would have expected that after authentication the RBL would be bypassed?
>>>>>
>>>>> Show logs that prove your claims:
>>>>> 1- user was authenticated
>>>>> 2- relay was denied
>>>>>
>>>>> for (1), you should find a line like this:
>>>>>
>>>>> Apr 21 00:11:06 imlil postfix/smtpd[41827]: 454E8E54888: client=ouzoud.netoyen.net[82.239.111.75], sasl_method=PLAIN, sasl_username=mo...@ml.netoyen.net
>>>>
>>>> Sorry for forgetting, I can post 2; I'm having trouble finding 1, because I think that's what's going wrong ;)
>>>>
>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: connect from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]: 554 5.7.1 Service unavailable; Client host [xx.xxx.xx.xx] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=xx.xxx.xx.xx; proto=SMTP
>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: too many errors after CONNECT from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>>> Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from xx-xxx-xx-xx.ip.someisp.nl[xx.xxx.xx.xx]
>>>>
>>>> What does work, however, is if I telnet from my own host (which isn't in the PBL, so it makes testing really hard for me (unless I could fake my domain temporarily to be on the PBL?)) and AUTH LOGIN and send a message; it does work, so sasl_auth must be working, right?
>>>>
>>>> Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63: client=yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy], sasl_method=LOGIN, sasl_username=theuser
>>>>
>>>> Either thunderbird isn't trying to auth at all (even though I told it to) or it gets RBLed before it could even try to auth, which is what I'm thinking. My test box (diff server basically), which is on the PBL normally, is down for maintenance atm (broken NIC :S), so all I've got is users complaining they are unable to send mail on the new server, and I can't figure out what I have done wrong. I thought I pretty much set it up the same way as my older server, which accepts my mail just fine! Guess I was wrong, and I can't find the differences.
>>>>
>>>> As I've set up my server, I tried to document it as well as possible over at the gentoo-wiki: http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server
>>>>
>>>> The entire postfix server seems to be running excellently as far as I can tell, except for not being able to send from remote 'internet' IPs that are on the PBL.
>>>>
>>>> Find below my postconf -n (having replaced the real hostname with foo.example)
>>>>
>>>> === postconf -n
>>>> biff = no
>>>> broken_sasl_auth_clients = no
>>>> command_directory = /usr/sbin
>>>> config_directory = /etc/postfix
>>>> daemon_directory = /usr/lib64/postfix
>>>> data_directory = /var/lib/postfix
>>>> debug_peer_level = 1
>>>> disable_vrfy_command = yes
>>>> home_mailbox = .maildir/
>>>> html_directory = /usr/share/doc/postfix-2.6.5/html
>>>> mail_owner = postfix
>>>> mailq_path = /usr/bin/mailq
>>>> manpage_directory = /usr/share/man
>>>> message_size_limit = 2048
>>>> mydomain = example.com
>>>> myhostname = foo.example.com
>>>> mynetworks_style = host
>>>> newaliases_path = /usr/bin/newaliases
>>>> queue_directory = /var/spool/postfix
>>>> readme_directory = /usr/share/doc/postfix-2.6.5/readme
>>>> recipient_delimiter = +
>>>> relay_domains = pgsql:/etc/postfix/pgsql/pgsql-relay-domains-maps.cf
>>>> sendmail_path = /usr/sbin/sendmail
>>>> setgid_group = postdrop
>>>> smtpd_banner = $myhostname NO UCE ESMTP
>>>> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net
>>>> smtpd_delay_reject = no
>>>> smtpd_helo_required = yes
>>>> smtpd_helo_restrictions = reject_invalid_hostname
>>>> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_mx_backup, check_policy_service inet:127.0.0.1:2525, reject_unauth_destination
>>>> smtpd_sasl_auth_enable = yes
>>>> smtpd_sasl_authenticated_header = no
>>>> smtpd_sasl_local_domain =
>>>> smtpd_sasl_security_options = noanonymous
>>>> smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
>>>> smtpd_tls_auth_only = no
>>>> smtpd_tls_cert_file = /etc/postfix/ssl/smtp.example.com_server.pem
>>>> smtpd_tls_key_file = /etc/postfix/ssl/smtp.example.com_privatekey.pem
>>>> smtpd_tls_loglevel = 0
>>>> smtpd_tls_received_header = yes
>>>> smtpd_tls_session_cache_timeout = 3600s
Re: Using Sasl authentication and RBL
On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
> Heh, I suppose it wasn't as straightforward as that; I'll look more into it after some sleep. I enabled it with the following:
>
> submission inet n       -       n       -       -       smtpd
> #  -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
>
> (even tried uncommenting both, which shouldn't matter imo?)
>
> But got denied errors. telnet didn't tell me much; thunderbird told me slightly more:
>
> An error occurred sending mail: The mail server sent an incorrect greeting: 5.7.1yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]: Client host rejected: Access denied.
>
> It won't even ask me for my sasl password, nothing. A mystery for the next day.

Please show your current postconf -n and the error message from the postfix logs. Showing error messages from the client or from telnet is not particularly useful.

-- 
Noel Jones
Re: Using Sasl authentication and RBL
On 04/22/10 03:55, Noel Jones wrote:
> On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>> Heh, I suppose it wasn't as straightforward as that; I'll look more into it after some sleep. I enabled it with the following:
>>
>> submission inet n       -       n       -       -       smtpd
>> #  -o smtpd_tls_security_level=encrypt
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> #  -o milter_macro_daemon_name=ORIGINATING
>>
>> (even tried uncommenting both, which shouldn't matter imo?)
>>
>> But got denied errors. telnet didn't tell me much; thunderbird told me slightly more:
>>
>> An error occurred sending mail: The mail server sent an incorrect greeting: 5.7.1yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]: Client host rejected: Access denied.
>>
>> It won't even ask me for my sasl password, nothing. A mystery for the next day.
>
> Please show your current postconf -n and the error message from the postfix logs. Showing error messages from the client or from telnet is not particularly useful.
>
> -- 
> Noel Jones

My current postconf -n is exactly as above in the mail; I hadn't changed anything, I only pasted the relevant part from master.conf that I changed.

Apr 21 21:39:19 example postfix/smtpd[21360]: connect from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy] : 554 5.7.1 yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]: Client host rejected: Access denied; proto=SMTP
Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]

is the corresponding postfix error; basically what thunderbird reported :)

Looking at the message you sent David Cottle, I think he's doing what Matt suggested I should do? Use submission to bypass RBL stuff; I'd gladly add those 2 options as well, but why would they not be in the default config? You'd think that the default submission bit was exactly that: allow users to bypass everything and submit messages directly.

I'm too tired to think atm, so I'll check it all out again tomorrow :) Sleep well :)
Re: Using Sasl authentication and RBL
On 4/21/2010 9:03 PM, Oliver Schinagl wrote:
> On 04/22/10 03:55, Noel Jones wrote:
>> On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>>> Heh, I suppose it wasn't as straightforward as that; I'll look more into it after some sleep. I enabled it with the following:
>>>
>>> submission inet n       -       n       -       -       smtpd
>>> #  -o smtpd_tls_security_level=encrypt
>>>   -o smtpd_sasl_auth_enable=yes
>>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>> #  -o milter_macro_daemon_name=ORIGINATING
>>>
>>> (even tried uncommenting both, which shouldn't matter imo?)
>>>
>>> But got denied errors. telnet didn't tell me much; thunderbird told me slightly more:
>>>
>>> An error occurred sending mail: The mail server sent an incorrect greeting: 5.7.1yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]: Client host rejected: Access denied.
>>>
>>> It won't even ask me for my sasl password, nothing. A mystery for the next day.
>>
>> Please show your current postconf -n and the error message from the postfix logs. Showing error messages from the client or from telnet is not particularly useful.
>>
>> -- 
>> Noel Jones
>
> My current postconf -n is exactly as above in the mail; I hadn't changed anything, I only pasted the relevant part from master.conf that I changed.

I don't see a postconf -n in this mail. I asked for a new copy to make sure of its current contents, and because I deleted your previous messages and don't feel like rummaging around in the trash.

> Apr 21 21:39:19 example postfix/smtpd[21360]: connect from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
> Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy] : 554 5.7.1 yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]: Client host rejected: Access denied; proto=SMTP
> Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]

The client was rejected during the CONNECT stage. This implies you are using smtpd_delay_reject = no. Don't do that; the client doesn't get a chance to authenticate.

> is the corresponding postfix error; basically what thunderbird reported :)

The postfix log is far more useful; it tells us your problem is (at least) that you need to unset smtpd_delay_reject. There may be other problems exposed once you fix this one.

> Looking at the message you sent David Cottle, I think he's doing what Matt suggested I should do? Use submission to bypass RBL stuff; I'd gladly add those 2 options as well, but why would they not be in the default config? You'd think that the default submission bit was exactly that: allow users to bypass everything and submit messages directly.
>
> I'm too tired to think atm, so I'll check it all out again tomorrow :) Sleep well :)

There is no evidence David's client ever authenticates. Not quite the same problem. Your client doesn't authenticate either, but that's because you don't give them the chance.

Using the submission port is an accepted solution to the common problems[1] of how to allow mobile users to send mail to your server. The main advantage is it allows you to specify a different policy[2] for authenticated users.

You can add -o smtpd_delay_reject=yes to the submission entry in master.cf to ensure that changes to that parameter in main.cf won't affect the submission service. But a better solution is just don't mess with that setting; leave it at the default yes.

submission is commented out in the default postfix config because a relatively small subset of folks using postfix need it, and it's not nice to open ports not needed.

[1] IP listed in RBL. ISP or hotspot blocks port 25 access.
[2] accept mail from authenticated clients no matter how screwed up their mailer or their IP

-- 
Noel Jones
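As an added example (not code from the thread or from Postfix), a small Python check that captures Noel's diagnosis: it parses a postconf -n dump for smtpd_delay_reject = no combined with reject_* rules in the restriction lists smtpd evaluates before AUTH (smtpd_client_restrictions at CONNECT, and, going one step beyond the thread, smtpd_helo_restrictions at HELO), and it tags smtpd reject log lines with their SMTP stage so CONNECT-stage rejects, which fire before any AUTH is possible, stand out. The postconf excerpt and log lines are constructed samples modelled on those in the thread, with placeholder hosts and addresses.

```python
"""Added example (not from the thread): catch the smtpd_delay_reject = no trap Noel
describes. With delay_reject off, smtpd applies smtpd_client_restrictions at CONNECT
and smtpd_helo_restrictions at HELO, both before the client can AUTH, so
permit_sasl_authenticated never matches there and the reject_* rules reject
authenticated users as well."""
import re

# Constructed sample modelled on the thread's postconf -n output (not the real dump).
POSTCONF_BAD = """\
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_delay_reject = no
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
"""

# Constructed sample log lines modelled on the thread; hosts and addresses are placeholders.
LOG_LINES = [
    "Apr 19 14:30:36 example postfix/smtpd[26549]: connect from host.someisp.example[192.0.2.10]",
    "Apr 19 14:30:36 example postfix/smtpd[26549]: NOQUEUE: reject: CONNECT from host.someisp.example[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; proto=SMTP",
    "Apr 19 14:30:36 example postfix/smtpd[26549]: disconnect from host.someisp.example[192.0.2.10]",
    "Apr 21 19:17:42 example postfix/smtpd[27551]: 3A47410E63: client=ftth.myisp.example[198.51.100.7], sasl_method=LOGIN, sasl_username=theuser",
    # A later RCPT in that authenticated session, refused by the policy service.
    "Apr 21 19:17:43 example postfix/smtpd[27551]: 3A47410E63: reject: RCPT from ftth.myisp.example[198.51.100.7]: 554 5.7.1 <bob@example.net>: Recipient address rejected: Access denied; from=<theuser@example.com> to=<bob@example.net> proto=ESMTP helo=<laptop>",
]


def parse_postconf(text):
    """Parse 'name = value' lines (postconf -n output) into a dict."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, _, value = line.partition("=")
            conf[name.strip()] = value.strip()
    return conf


def check_delay_reject(conf):
    """One finding per restriction list that can reject before AUTH is possible.
    smtpd_delay_reject defaults to yes, so only an explicit 'no' is flagged."""
    findings = []
    if conf.get("smtpd_delay_reject", "yes").lower() != "no":
        return findings
    for param in ("smtpd_client_restrictions", "smtpd_helo_restrictions"):
        rules = [r.strip() for r in conf.get(param, "").split(",") if r.strip()]
        if any(r.startswith("reject") for r in rules):
            note = " (permit_sasl_authenticated is listed but cannot match yet)" if "permit_sasl_authenticated" in rules else ""
            findings.append(
                f"{param} is evaluated before AUTH because smtpd_delay_reject = no{note}; "
                "fix: smtpd_delay_reject = yes in main.cf, or -o smtpd_delay_reject=yes "
                "on the submission service in master.cf")
    return findings


# A session that authenticated: '<queue id>: client=host[ip], sasl_method=..., sasl_username=...'
AUTH_RE = re.compile(r"postfix/smtpd\[(\d+)\]: \w+: client=(\S+), sasl_method=\w+, sasl_username=\S+")
# A reject: logged as NOQUEUE before a queue file exists, with the queue id afterwards.
REJECT_RE = re.compile(r"postfix/smtpd\[(\d+)\]: \w+: reject: (\w+) from (\S+):")


def classify_rejects(lines):
    """Tag each smtpd reject with its SMTP stage and whether that session had
    authenticated. A CONNECT-stage reject fired before the client could even send
    EHLO, let alone AUTH: the symptom in the thread. Sessions are keyed by
    (smtpd pid, client), since one smtpd process serves one client at a time."""
    authenticated = set()
    results = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            authenticated.add((m.group(1), m.group(2)))
            continue
        m = REJECT_RE.search(line)
        if m:
            pid, stage, client = m.groups()
            results.append({"stage": stage, "client": client,
                            "before_auth_possible": stage == "CONNECT",
                            "authenticated": (pid, client) in authenticated})
    return results
```

Running check_delay_reject on the sample yields two findings (client and helo lists); setting smtpd_delay_reject back to yes clears both, and classify_rejects reports the CONNECT reject as pre-auth and the later RCPT reject as belonging to an authenticated session.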
Re: Using Sasl authentication and RBL
Sent from my iPhone

On 22/04/2010, at 12:49, Noel Jones njo...@megan.vbhcs.org wrote:

> On 4/21/2010 9:03 PM, Oliver Schinagl wrote:
>> On 04/22/10 03:55, Noel Jones wrote:
>>> On 4/21/2010 8:39 PM, Oliver Schinagl wrote:
>>>> Heh, I suppose it wasn't as straightforward as that; I'll look more into it after some sleep. I enabled it with the following:
>>>>
>>>> submission inet n       -       n       -       -       smtpd
>>>> #  -o smtpd_tls_security_level=encrypt
>>>>   -o smtpd_sasl_auth_enable=yes
>>>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>> #  -o milter_macro_daemon_name=ORIGINATING
>>>>
>>>> (even tried uncommenting both, which shouldn't matter imo?)
>>>>
>>>> But got denied errors. telnet didn't tell me much; thunderbird told me slightly more:
>>>>
>>>> An error occurred sending mail: The mail server sent an incorrect greeting: 5.7.1yyy-yy-ftth.myisp.nl[yyy.yyy.yy.yyy]: Client host rejected: Access denied.
>>>>
>>>> It won't even ask me for my sasl password, nothing. A mystery for the next day.
>>>
>>> Please show your current postconf -n and the error message from the postfix logs. Showing error messages from the client or from telnet is not particularly useful.
>>>
>>> -- 
>>> Noel Jones
>>
>> My current postconf -n is exactly as above in the mail; I hadn't changed anything, I only pasted the relevant part from master.conf that I changed.
>
> I don't see a postconf -n in this mail. I asked for a new copy to make sure of its current contents, and because I deleted your previous messages and don't feel like rummaging around in the trash.
>
>> Apr 21 21:39:19 example postfix/smtpd[21360]: connect from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
>> Apr 21 21:39:19 example postfix/smtpd[21360]: NOQUEUE: reject: CONNECT from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy] : 554 5.7.1 yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]: Client host rejected: Access denied; proto=SMTP
>> Apr 21 21:39:24 example postfix/smtpd[21360]: disconnect from yyy-yyy-ftth.myisp.nl[yyy.yyy.yyy.yyy]
>
> The client was rejected during the CONNECT stage. This implies you are using smtpd_delay_reject = no. Don't do that; the client doesn't get a chance to authenticate.
>
>> is the corresponding postfix error; basically what thunderbird reported :)
>
> The postfix log is far more useful; it tells us your problem is (at least) that you need to unset smtpd_delay_reject. There may be other problems exposed once you fix this one.
>
>> Looking at the message you sent David Cottle, I think he's doing what Matt suggested I should do? Use submission to bypass RBL stuff; I'd gladly add those 2 options as well, but why would they not be in the default config? You'd think that the default submission bit was exactly that: allow users to bypass everything and submit messages directly.
>>
>> I'm too tired to think atm, so I'll check it all out again tomorrow :) Sleep well :)
>
> There is no evidence David's client ever authenticates. Not quite the same problem. Your client doesn't authenticate either, but that's because you don't give them the chance.
>
> Using the submission port is an accepted solution to the common problems[1] of how to allow mobile users to send mail to your server. The main advantage is it allows you to specify a different policy[2] for authenticated users.
>
> You can add -o smtpd_delay_reject=yes to the submission entry in master.cf to ensure that changes to that parameter in main.cf won't affect the submission service. But a better solution is just don't mess with that setting; leave it at the default yes.
>
> submission is commented out in the default postfix config because a relatively small subset of folks using postfix need it, and it's not nice to open ports not needed.
>
> [1] IP listed in RBL. ISP or hotspot blocks port 25 access.
> [2] accept mail from authenticated clients no matter how screwed up their mailer or their IP
>
> -- 
> Noel Jones

Hi Noel,

I tried running

testsaslauthd -u usermailname -p matchingpass -s smtp

I get connect () : No such file or directory