
Re: Strange Question

  • Noel Jones
    Message 1 of 8 , Mar 1 3:02 PM
      At 04:58 PM 3/1/2007, Trevor Antczak wrote:
      >Since I sent this, I've realized that this same issue is also affecting
      >another problem. We're affiliated with a university, and many of the staff
      >have university e-mail addresses. Most of them forward those university
      >addresses to lite3d.com addresses. When a mail is sent from a lite3d.com
      >address to a forwarded university address, it bounces. The university
      >e-mail admin and I have been trying to figure out why for quite a while.
      >Now that I've been working on this new issue, I think I've just figured out
      >that it's actually the same problem. As far as the server sees things, mail is
      >coming from outside the network (the forward from the university) claiming
      >that it's from inside the network (the original sender's e-mail address is
      >internal). Now I really need to figure this out.

      whitelist the university mail servers.

      --
      Noel Jones
    • Trevor Antczak
      Message 2 of 8 , Mar 1 4:38 PM
        OK, this makes sense.  A grep of main.cf shows check_sender_access
        twice:

        smtpd_sender_restrictions = check_sender_access ldap:ldapcheckexternal

        smtpd_recipient_restrictions =
          check_sender_access ldap:ldap_restrictions,
          permit_sasl_authenticated,
          permit_mynetworks,
          reject_unauth_destination

        In both cases it references ldap maps.  I need to figure out how to
        access those maps and see what they have in them to fix this I guess. 
        This is an OpenXchange server, so I didn't do a lot of the original
        configuration stuff.  I'm having to work out what was done automagically
        by the installer to fix problems that the GUI isn't built to handle. 
        Thanks for the help

        Trevor
        On Mar 01, 2007 05:55 PM, Noel Jones wrote:

        >At 04:09 PM 3/1/2007, Trevor Antczak wrote:
        >>I run a mailserver for my company here (lite3d.com). We're a high tech
        >>type place, and most of our users have laptops and high speed networks
        >>at home. They'd like to be able to do work from home, but the problem
        >>is that most of them (us really) have Cox highspeed internet, which
        >>will not allow you to hook up to remote mailservers through its
        >>network. You have to send all of your mail through smtp.east.cox.net
        >>or it doesn't leave their network (I suppose one could set up a
        >>mailserver that listens on a non-standard port and bypass this, but
        >>it's probably not worth the effort).
        >
        >There is a standard alternate port called the submission port,
        >587. Virtually all mail clients support sending mail to the
        >submission port, and it's very rare to see this port blocked.
        >
        >There's probably a commented-out submission entry in your master.cf
        >you can use as a starting point.
        >
        >The submission port is usually used along with TLS encryption and
        >SASL authentication to prevent abuse and to insure privacy.
        >
        >If you enable the submission port with TLS and SASL for both internal
        >and external use, your users' laptops will be able to send mail
        >wherever they are without needing to select an alternate
        >config. You'll also want to use TLS for your POP3/IMAP server so
        >your users can read mail securely.
        >
        >>Our mailserver is setup to reject mail that appears to be from
        >>lite3d.com but is not coming from a lite3d.com server. This is a
        >>perfectly normal and common setting, and I ordinarily support it, but
        >>it's causing problems right
        >
        >You did this by adding a check_sender_access map to your
        >configuration that has an entry similar to
        >lite3d.com REJECT
        >You can either delete this entry or create a whitelist for the cox
        >mail servers just prior to that check. Post your "postconf -n"
        >output for detailed instructions.
        >But if you enable the submission port you won't need to change this
        >policy.
        >
        >
        >--
        >Noel Jones
        >
      • mouss
        Message 3 of 8 , Mar 2 2:39 PM
          Trevor Antczak wrote:
          > [snip]
          >
          > Our mailserver is setup to reject mail that appears to be from lite3d.com
          > but is not coming from a lite3d.com server. This is a perfectly normal and
          > common setting, and I ordinarily support it, but it's causing problems right
          > now.

          now you have a reason not to support it. such a check is known to break
          mail in some situations, and yours is such a situation. remove the check
          and see if you get more spam than usual. if so, see if you can add safe
          checks. only if you can't should you consider finding a solution based
          on such a check.

          > How do I turn it off in postfix? I remember doing this in sendmail
          > (actually I remember turning the feature ON, but..) some years ago, but I'm
          > fairly new to Postfix. Ideally I'd like it to only accept mail from
          > smtp.east.cox.net as if it were local (so I'm only subject to a few hundred
          > thousand spoofers instead of the whole Internet), but I don't know how much
          > I can customize these settings. In the long run I think I'll go to a VPN to
          > resolve this, but in the mean time, my boss wants people to be able to send
          > mail from home.
          >
        • mouss
          Message 4 of 8 , Mar 2 2:40 PM
            Trevor Antczak wrote:
            > OK, this makes sense. A grep of main.cf shows check_sender_access
            > twice:
            >
            > smtpd_sender_restrictions = check_sender_access ldap:ldapcheckexternal
            >
            > smtpd_recipient_restrictions =
            > check_sender_access ldap:ldap_restrictions,
            >

            This is dangerous. if it returns a single OK, then you're an open relay.
            better put it under smtpd_sender_restrictions.
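
The relay risk raised in the last message, as an added example that is not part of the thread: a simplified Python model of how Postfix walks restriction lists (the first OK or REJECT ends a list), comparing the posted placement of check_sender_access with the suggested one. The map entry, addresses and helper names are constructed for illustration, and the second sender map from the posted config is left out.

```python
# Simplified model of Postfix restriction lists: entries are tried in order and
# the first OK or REJECT ends that list. Map contents and addresses are constructed.
LOCAL_DOMAINS = {"lite3d.com"}           # domains this server is final destination for
SENDER_MAP = {"partner.example": "OK"}   # hypothetical entry in the ldap: sender map

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def check_sender_access(msg):
    # Keyed on the envelope sender, which any client can set to anything.
    return SENDER_MAP.get(domain(msg["sender"]), "DUNNO")

def permit_sasl_authenticated(msg):
    return "OK" if msg["sasl"] else "DUNNO"

def permit_mynetworks(msg):
    return "OK" if msg["in_mynetworks"] else "DUNNO"

def reject_unauth_destination(msg):
    return "DUNNO" if domain(msg["rcpt"]) in LOCAL_DOMAINS else "REJECT"

def evaluate(restrictions, msg):
    for restriction in restrictions:
        result = restriction(msg)
        if result != "DUNNO":
            return result
    return "OK"  # no decision by the end of the list: permit

def accepted(sender_list, rcpt_list, msg):
    # An OK only ends its own list; a REJECT in either list refuses the recipient.
    return all(evaluate(lst, msg) == "OK" for lst in (sender_list, rcpt_list))

RELAY_CHECKS = [permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination]
AS_POSTED = ([], [check_sender_access] + RELAY_CHECKS)   # map ahead of the relay checks
MOVED = ([check_sender_access], RELAY_CHECKS)            # map under sender restrictions

# Constructed test messages from an unauthenticated client outside mynetworks.
RELAY = {"sender": "a@partner.example", "rcpt": "b@elsewhere.example",
         "sasl": False, "in_mynetworks": False}
INBOUND = dict(RELAY, rcpt="user@lite3d.com")

if __name__ == "__main__":
    for name, (s, r) in (("as posted", AS_POSTED), ("moved", MOVED)):
        print(name, "relay accepted:", accepted(s, r, RELAY),
              "| inbound accepted:", accepted(s, r, INBOUND))
```

With the map under smtpd_sender_restrictions, its OK no longer short-circuits reject_unauth_destination, so mail for non-local recipients is still refused while inbound mail is unaffected.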