Trying to let a "friendly" mail server in and it ain't working....

  • Peter L. Berghold
    Message 1 of 7 , Sep 26, 2008

      Here is what I'm seeing in my logs:

      Sep 26 11:06:53 berghold postfix/smtpd[826]: connect from
      mail.skywaysoftware.com[209.34.233.105]
      Sep 26 11:06:53 berghold postfix/smtpd[826]: NOQUEUE: reject: RCPT from
      mail.skywaysoftware.com[209.34.233.105]: 450 4.7.1
      <testmail.SkywaySoftware.com>: Helo command rejected: Host not found;
      from=<Support@...> to=<peter@...> proto=ESMTP
      helo=<testmail.SkywaySoftware.com>
      Sep 26 11:06:53 berghold postfix/smtpd[826]: lost connection after RSET
      from mail.skywaysoftware.com[209.34.233.105]
      Sep 26 11:06:53 berghold postfix/smtpd[826]: disconnect from
      mail.skywaysoftware.com[209.34.233.105]

      The thing is that skywaysoftware.com is a company that puts out a
      community supported tool that I want to be on the forums for.
      Unfortunately I can't seem to receive mail for them.

      I went ahead and added the following entries into my access file (and
      ran postmap on the file afterwards, reloaded postfix, etc.) and the
      connections are still being rejected. What am I missing?


      209.34.233.105 OK
      mail.skywaysoftware.com OK
      skywaysoftware.com OK
      testmail.skywaysoftware.com OK
      support@... OK



      --

      Peter L. Berghold http://www.berghold.net peter@...
      Unix Professional Dog Agility Fan Crazed Cook
      "Those who fail to learn from history are condemned to repeat it."

    • Brian Evans - Postfix List
      Message 2 of 7 , Sep 26, 2008
        Peter L. Berghold wrote:
        >
        > Here is what I'm seeing in my logs:
        >
        > Sep 26 11:06:53 berghold postfix/smtpd[826]: connect from
        > mail.skywaysoftware.com[209.34.233.105]
        > Sep 26 11:06:53 berghold postfix/smtpd[826]: NOQUEUE: reject: RCPT from
        > mail.skywaysoftware.com[209.34.233.105]: 450 4.7.1
        > <testmail.SkywaySoftware.com>: Helo command rejected: Host not found;
        > from=<Support@...> to=<peter@...> proto=ESMTP
        > helo=<testmail.SkywaySoftware.com>
        > Sep 26 11:06:53 berghold postfix/smtpd[826]: lost connection after RSET
        > from mail.skywaysoftware.com[209.34.233.105]
        > Sep 26 11:06:53 berghold postfix/smtpd[826]: disconnect from
        > mail.skywaysoftware.com[209.34.233.105]
        >
        > The thing is that skywaysoftware.com is a company that puts out a
        > community supported tool that I want to be on the forums for.
        > Unfortunately I can't seem to receive mail for them.
        >
        > I went ahead and added the following entries into my access file (and
        > ran postmap on the file afterwards, reloaded postfix, etc.) and the
        > connections are still being rejected. What am I missing?

        Without a current 'postconf -n', no one here can tell you.
        An access(5) map file is only as good as where it appears on the config.

        Brian

        >
        >
        > 209.34.233.105 OK
        > mail.skywaysoftware.com OK
        > skywaysoftware.com OK
        > testmail.skywaysoftware.com OK
        > support@... OK
        >
        >
        >
      • Wietse Venema
        Message 3 of 7 , Sep 26, 2008
          Peter L. Berghold:
          > Here is what I'm seeing in my logs:
          >
          > Sep 26 11:06:53 berghold postfix/smtpd[826]: connect from
          > mail.skywaysoftware.com[209.34.233.105]
          > Sep 26 11:06:53 berghold postfix/smtpd[826]: NOQUEUE: reject: RCPT from
          > mail.skywaysoftware.com[209.34.233.105]: 450 4.7.1
          > <testmail.SkywaySoftware.com>: Helo command rejected: Host not found;
          > from=<Support@...> to=<peter@...> proto=ESMTP
          > helo=<testmail.SkywaySoftware.com>
          > Sep 26 11:06:53 berghold postfix/smtpd[826]: lost connection after RSET
          > from mail.skywaysoftware.com[209.34.233.105]
          > Sep 26 11:06:53 berghold postfix/smtpd[826]: disconnect from
          > mail.skywaysoftware.com[209.34.233.105]
          >
          > The thing is that skywaysoftware.com is a company that puts out a
          > community supported tool that I want to be on the forums for.
          > Unfortunately I can't seem to receive mail for them.
          >
          > I went ahead and added the following entries into my access file (and
          > ran postmap on the file afterwards, reloaded postfix, etc.) and the
          > connections are still being rejected. What am I missing?

          You need to show "postconf -n" command output with the access map
          and with the reject_unknown_helo_hostname feature that is blocking
          the client.

          Wietse

          >
          > 209.34.233.105 OK
          > mail.skywaysoftware.com OK
          > skywaysoftware.com OK
          > testmail.skywaysoftware.com OK
          > support@... OK
          >
          >
          >
          > --
          >
          > Peter L. Berghold http://www.berghold.net peter@...
          > Unix Professional Dog Agility Fan Crazed Cook
          > "Those who fail to learn from history are condemned to repeat it."
          -- End of PGP signed section.
        • Peter L. Berghold
          Message 4 of 7 , Sep 26, 2008

            Brian Evans - Postfix List wrote:

            > Without a current 'postconf -n', no one here can tell you.
            >

            alias_database = hash:/etc/aliases
            alias_maps = hash:/etc/aliases
            broken_sasl_auth_clients = yes
            command_directory = /usr/sbin
            config_directory = /etc/postfix
            daemon_directory = /usr/libexec/postfix
            debug_peer_level = 2
            disable_vrfy_command = yes
            html_directory = no
            inet_interfaces = all
            mail_owner = postfix
            mailq_path = /usr/bin/mailq.postfix
            manpage_directory = /usr/share/man
            milter_default_action = accept
            mydestination = $myhostname,www.$mydomain, localhost.$mydomain, localhost
            mynetworks = 72.249.39.173/32,72.249.39.174/32,69.141.234.229/32
            mynetworks_style = host
            newaliases_path = /usr/bin/newaliases.postfix
            queue_directory = /var/spool/postfix
            readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
            relay_domains = bayshoredogclub.org,
            berghold.net,agilitystewards.org,localhost
            sample_directory = /usr/share/doc/postfix-2.4.5/samples
            sendmail_path = /usr/sbin/sendmail.postfix
            setgid_group = postdrop
            smtpd_banner = $myhostname ESMTP $mail_name
            smtpd_helo_required = yes
            smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
            reject_unknown_hostname
            smtpd_milters = unix:/var/run/clamav-milter/clamav-milter
            smtpd_recipient_restrictions = check_sender_access
            hash:/etc/postfix/access, permit_mynetworks,
            permit_sasl_authenticated, reject_unauth_destination,
            reject_unauth_pipelining, reject_non_fqdn_sender,
            reject_non_fqdn_recipient, reject_unknown_recipient_domain,
            reject_invalid_hostname, reject_rbl_client blackholes.easynet.nl,
            reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net,
            reject_rbl_client sbl.spamhaus.org, reject_rbl_client
            opm.blitzed.org, reject_rbl_client dnsbl.njabl.org,
            reject_rbl_client list.dsbl.org, reject_rbl_client multihop.dsbl.org,
            permit
            smtpd_tls_CAfile = /etc/postfix/cacert.pem
            smtpd_tls_cert_file = /etc/postfix/newcert.pem
            smtpd_tls_key_file = /etc/postfix/newkey.pem
            smtpd_tls_loglevel = 9
            smtpd_tls_received_header = yes
            smtpd_tls_session_cache_timeout = 3600s
            smtpd_use_tls = yes
            tls_random_source = dev:/dev/urandom
            transport_maps = hash:/etc/postfix/transport
            unknown_local_recipient_reject_code = 550
            virtual_alias_maps = hash:/etc/postfix/virtual




            --

            Peter L. Berghold http://www.berghold.net peter@...
            Unix Professional Dog Agility Fan Crazed Cook
            "Those who fail to learn from history are condemned to repeat it."
          • Victor Duchovni
            Message 5 of 7 , Sep 26, 2008
              On Fri, Sep 26, 2008 at 11:24:01AM -0400, Peter L. Berghold wrote:

              > smtpd_recipient_restrictions = check_sender_access
              > hash:/etc/postfix/access, permit_mynetworks,
              > permit_sasl_authenticated, reject_unauth_destination,
              > reject_unauth_pipelining, reject_non_fqdn_sender,
              > reject_non_fqdn_recipient, reject_unknown_recipient_domain,
              > reject_invalid_hostname, reject_rbl_client blackholes.easynet.nl,
              > reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net,
              > reject_rbl_client sbl.spamhaus.org, reject_rbl_client
              > opm.blitzed.org, reject_rbl_client dnsbl.njabl.org,
              > reject_rbl_client list.dsbl.org, reject_rbl_client multihop.dsbl.org,
              > permit

              FIX THIS IMMEDIATELY. Your access table contains "OK" entries, and is
              used for sender lookups before restricting relay access. Your machine is
              now an open relay, and will shortly be exploited by a spammer. Getting
              yourself removed from blacklists all over the planet is not fun...

              smtpd_recipient_restrictions =
                  permit_mynetworks,
                  permit_sasl_authenticated,
                  reject_unauth_destination,
                  ... EVERYTHING else BELOW! ...

              Don't confuse "sender" (email address) with "client" (host doing the
              delivery).

              --
              Viktor.

              Disclaimer: off-list followups get on-list replies or get ignored.
              Please do not ignore the "Reply-To" header.

              To unsubscribe from the postfix-users list, visit
              http://www.postfix.org/lists.html or click the link below:
              <mailto:majordomo@...?body=unsubscribe%20postfix-users>

              If my response solves your problem, the best way to thank me is to not
              send an "it worked, thanks" follow-up. If you must respond, please put
              "It worked, thanks" in the "Subject" so I can delete these quickly.
            • Brian Evans
              Message 6 of 7 , Sep 26, 2008
                Peter L. Berghold wrote:
                > Brian Evans - Postfix List wrote:
                >
                > > Without a current 'postconf -n', no one here can tell you.
                >
                [...]
                > relay_domains = bayshoredogclub.org,
                > berghold.net,agilitystewards.org,localhost

                No relay_recipient_maps could make you an (out|back)scatter source.
                > smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
                > reject_unknown_hostname
                >

                The problem comes from reject_unknown_hostname in this case. You don't
                have a check_helo_access map before it to whitelist the client in question.

                > smtpd_recipient_restrictions = check_sender_access
                > hash:/etc/postfix/access, permit_mynetworks,
                > permit_sasl_authenticated, reject_unauth_destination,
                > reject_unauth_pipelining, reject_non_fqdn_sender,
                > reject_non_fqdn_recipient, reject_unknown_recipient_domain,
                > reject_invalid_hostname, reject_rbl_client blackholes.easynet.nl,
                > reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net,
                > reject_rbl_client sbl.spamhaus.org, reject_rbl_client
                > opm.blitzed.org, reject_rbl_client dnsbl.njabl.org,
                > reject_rbl_client list.dsbl.org, reject_rbl_client multihop.dsbl.org,
                > permit

                BTW, since you are using check_sender_access, this only ever matches
                ENVELOPE sender, never which machine is doing the sending.
                In addition, putting the check BEFORE reject_unauth_destination with an
                OK makes you an open relay for any forged domains in that access file.

                Also, opm.blitzed.org and *.dsbl.org are dead, remove those checks to
                save a little overhead and possible false positives in the future.

                Brian
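
An added example, not written by anyone in this thread: a small audit of `postconf -n` output for the two ordering problems raised above, namely a sender-keyed access lookup placed before reject_unauth_destination, and reject_unknown_hostname in smtpd_helo_restrictions with no allow-list lookup ahead of it. The function names, the constructed sample, and the choice to also treat check_helo_access as client-controlled are assumptions of this example.

```python
import re

# Constructed sample in `postconf -n` layout, trimmed from the settings quoted
# in this thread (continuation lines start with whitespace).
SAMPLE = """\
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
    reject_unknown_hostname
smtpd_recipient_restrictions = check_sender_access
    hash:/etc/postfix/access, permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    reject_rbl_client cbl.abuseat.org, permit
"""

# Restrictions that take one argument (a lookup table or a DNSBL zone).
TAKES_ARG = re.compile(r"^(check_\w+_access|reject_rbl_client)$")
# Lookups keyed on data the remote client chooses freely (assumption of this
# example: envelope sender and HELO name; the thread only names the sender).
FORGEABLE = {"check_sender_access", "check_helo_access"}
HELO_REJECTS = {"reject_unknown_hostname", "reject_unknown_helo_hostname"}
HELO_ALLOW = {"check_client_access", "check_helo_access"}


def parse_postconf(text):
    """Return {parameter: value}, joining whitespace-led continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params


def restrictions(value):
    """Split a restriction list into (name, argument-or-None) pairs."""
    words, out = re.split(r"[,\s]+", value.strip()), []
    it = iter(w for w in words if w)
    for word in it:
        out.append((word, next(it, None) if TAKES_ARG.match(word) else None))
    return out


def audit(text):
    """Return findings for the two ordering problems raised in the thread."""
    params, findings = parse_postconf(text), []
    rcpt = [n for n, _ in restrictions(params.get("smtpd_recipient_restrictions", ""))]
    cut = rcpt.index("reject_unauth_destination") if "reject_unauth_destination" in rcpt else len(rcpt)
    findings += [f"open-relay risk: {n} precedes reject_unauth_destination"
                 for n in rcpt[:cut] if n in FORGEABLE]
    helo = [n for n, _ in restrictions(params.get("smtpd_helo_restrictions", ""))]
    for i, name in enumerate(helo):
        if name in HELO_REJECTS and not HELO_ALLOW & set(helo[:i]):
            findings.append(f"no allow-list lookup before {name} in smtpd_helo_restrictions")
    return findings
```

Run against the sample, `audit(SAMPLE)` reports both problems; moving check_sender_access below reject_unauth_destination and placing a client or HELO access lookup ahead of reject_unknown_hostname clears them.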
              • mouss
                Message 7 of 7 , Sep 28, 2008
                  Brian Evans wrote:
                  > Peter L. Berghold wrote:
                  >> Brian Evans - Postfix List wrote:
                  >>
                  >>> Without a current 'postconf -n', no one here can tell you.
                  > [...]
                  >> relay_domains = bayshoredogclub.org,
                  >> berghold.net,agilitystewards.org,localhost
                  >
                  > No relay_recipient_maps could make you an (out|back)scatter source.
                  >> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
                  >> reject_unknown_hostname
                  >>
                  >
                  > The problem comes from reject_unknown_hostname in this case. You don't
                  > have a check_helo_access map before it to whitelist the client in question.
                  >

                  he'd better whitelist the client IP. but reject_unknown_hostname is
                  known to cause FPs, or at least delay mail in case of temp failures...

                  >> smtpd_recipient_restrictions = check_sender_access
                  >> hash:/etc/postfix/access, permit_mynetworks,
                  >> permit_sasl_authenticated, reject_unauth_destination,
                  >> reject_unauth_pipelining, reject_non_fqdn_sender,
                  >> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
                  >> reject_invalid_hostname, reject_rbl_client blackholes.easynet.nl,
                  >> reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net,
                  >> reject_rbl_client sbl.spamhaus.org, reject_rbl_client
                  >> opm.blitzed.org, reject_rbl_client dnsbl.njabl.org,
                  >> reject_rbl_client list.dsbl.org, reject_rbl_client multihop.dsbl.org,
                  >> permit
                  >
                  > BTW, since you are using check_sender_access, this only ever matches
                  > ENVELOPE sender, never which machine is doing the sending.
                  > In addition, putting the check BEFORE reject_unauth_destination with an
                  > OK makes you an open relay for any forged domains in that access file.


                  and reject_unauth_pipelining is useless here. sounds like a
                  cut-and-paste from a how[not]to ;-p
                  >
                  > Also, opm.blitzed.org and *.dsbl.org are dead, remove those checks to
                  > save a little overhead and possible false positives in the future.

                  so is blackholes.easynet.nl.
                  http://spamlinks.net/filter-dnsbl-dead.htm