Re: Strange Question
- At 04:58 PM 3/1/2007, Trevor Antczak wrote:
>Since I sent this, I've realized that this same issue is also affecting
>another problem. We're affiliated with a university, and many of the staff
>have university e-mail addresses. Most of them forward those university
>addresses to lite3d.com addresses. When a mail is sent from a lite3d.com
>address to a forwarded university address, it bounces. The university
>e-mail admin and I have been trying to figure out why for quite a while.
>Now that I've been working on this new issue, I think I've just figured out
>that it's actually the same problem. As far as the server sees things, mail is
>coming from outside the network (the forward from the university) claiming
>that it's from inside the network (the original sender's e-mail address is
>internal). Now I really need to figure this out.
whitelist the university mail servers.
- OK, this makes sense. A grep of main.cf shows check_sender_access
smtpd_sender_restrictions = check_sender_access ldap:ldapcheckexternal
In both cases it references ldap maps. I need to figure out how to
access those maps and see what they have in them to fix this I guess.
This is an OpenXchange server, so I didn't do a lot of the original
configuration stuff. I'm having to work out what was done automagically
by the installer to fix problems that the GUI isn't built to handle.
Thanks for the help
On Mar 01, 2007 05:55 PM, Noel Jones wrote:
>At 04:09 PM 3/1/2007, Trevor Antczak wrote:
>>I run a mailserver for my company here (lite3d.com). We're a high tech
>>place, and most of our users have laptops and high speed networks at
>>They'd like to be able to do work from home, but the problem is that
>>them (us really) have Cox highspeed internet, which will not allow you
>>hook up to remote mailservers through its network. You have to send
>>your mail through smtp.east.cox.net or it doesn't leave their network
>>suppose one could set up a mailserver that listens on a non-standard
>>and bypass this, but it's probably not worth the effort).
>There is a standard alternate port called the submission port,
>587. Virtually all mail clients support sending mail to the
>submission port, and it's very rare to see this port blocked.
>There's probably a commented-out submission entry in your master.cf
>you can use as a starting point.
>The submission port is usually used along with TLS encryption and
>SASL authentication to prevent abuse and to insure privacy.
>If you enable the submission port with TLS and SASL for both internal
>and external use, your users' laptops will be able to send mail
>wherever they are without needing to select an alternate
>config. You'll also want to use TLS for your POP3/IMAP server so
>your users can read mail securely.
>>Our mailserver is setup to reject mail that appears to be from
>>but is not coming from a lite3d.com server. This is a perfectly normal
>>common setting, and I ordinarily support it, but it's causing problems
>You did this by adding a check_sender_access map to your
>configuration that has an entry similar to
>You can either delete this entry or create a whitelist for the cox
>mail servers just prior to that check. Post your "postconf -n"
>output for detailed instructions.
>But if you enable the submission port you won't need to change this
- Trevor Antczak wrote:
> [snip]
> Our mailserver is setup to reject mail that appears to be from lite3d.com
> but is not coming from a lite3d.com server. This is a perfectly normal and
> common setting, and I ordinarily support it, but it's causing problems right
now you have a reason not to support it. such a check is known to break
mail in some situations, and yours is such a situation. remove the check
and see if you get more spam than usual. if so, see if you can add safe
checks. only if you can't should you consider finding a solution based
on such a check.
> How do I turn it off in postfix? I remember doing this in sendmail
> (actually I remember turning the feature ON, but..) some years ago, but I'm
> fairly new to Postfix. Ideally I'd like it to only accept mail from
> smtp.east.cox.net as if it were local (so I'm only subject to a few hundred
> thousand spoofers instead of the whole Internet), but I don't know how much
> I can customize these settings. In the long run I think I'll go to a VPN to
> resolve this, but in the mean time, my boss wants people to be able to send
> mail from home.
- Trevor Antczak wrote:
> OK, this makes sense. A grep of main.cf shows check_sender_access
> smtpd_sender_restrictions = check_sender_access ldap:ldapcheckexternal
> smtpd_recipient_restrictions =
> check_sender_access ldap:ldap_restrictions,
This is dangerous. if it returns a single OK, then you're an open relay.
better put it under smtpd_sender_restrictions.
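
The open-relay point in the last reply, as an added example that is not part of the original thread: a simplified Python model of how Postfix evaluates restriction lists at RCPT TO, comparing check_sender_access placed under smtpd_recipient_restrictions with the same check under smtpd_sender_restrictions. Assumptions: the map contents and addresses are constructed (the thread never shows what the LDAP maps return), the check is assumed to sit before reject_unauth_destination, and there is no smtpd_relay_restrictions (it did not exist in 2007-era Postfix).

```python
# Simplified model of Postfix smtpd access evaluation at RCPT TO.
# Assumption: pre-2.10 behaviour (no smtpd_relay_restrictions).
# Map contents and addresses are constructed for illustration only.

LOCAL_DOMAINS = {"lite3d.com"}
# Constructed stand-in for an LDAP sender map; one entry answers OK.
SENDER_MAP = {"partner@example.org": "OK", "lite3d.com": "REJECT"}


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def check_sender_access(sender, rcpt):
    # Look up the full address, then the domain; no match means DUNNO.
    return SENDER_MAP.get(sender.lower()) or SENDER_MAP.get(domain(sender), "DUNNO")


def reject_unauth_destination(sender, rcpt):
    # Only recipients in our own domains pass; anything else would be relaying.
    return "DUNNO" if domain(rcpt) in LOCAL_DOMAINS else "REJECT"


def run_list(restrictions, sender, rcpt):
    # First OK or REJECT ends this list; DUNNO moves on to the next restriction.
    for restriction in restrictions:
        result = restriction(sender, rcpt)
        if result in ("OK", "REJECT"):
            return result
    return "DUNNO"


def decide(sender_restrictions, recipient_restrictions, sender, rcpt):
    # An OK only ends the list it occurs in; a REJECT in any list rejects.
    for restrictions in (sender_restrictions, recipient_restrictions):
        if run_list(restrictions, sender, rcpt) == "REJECT":
            return "REJECT"
    return "ACCEPT"


def risky(sender, rcpt):
    # check_sender_access in smtpd_recipient_restrictions, before the relay check:
    # an OK for the (forgeable) sender skips reject_unauth_destination.
    return decide([], [check_sender_access, reject_unauth_destination], sender, rcpt)


def safer(sender, rcpt):
    # Same check moved to smtpd_sender_restrictions: OK ends only that list.
    return decide([check_sender_access], [reject_unauth_destination], sender, rcpt)
```

In both layouts mail arriving from outside with a lite3d.com sender is still rejected, which is the forwarding bounce described earlier in the thread; only the relay behaviour differs.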