Re: ignoring client restrictions for smtps
- On Sep 28, 2008, at 2:39 PM, Wietse Venema wrote:
> Dan Langille:This works. Nice solution. Thank you. :)
>> Today I discovered that my mail server is rejecting smtps connections
>> based upon RBL.
>> Sep 28 17:44:40 nyi postfix/smtpd: NOQUEUE: reject: CONNECT
>> from pool-151-197-20-211.phil.east.verizon.net[220.127.116.11]: 554
>> 5.7.1 Service unavailable; Client host [18.104.22.168] blocked using
>> dnsbl.njabl.org; 1045929907; proto=SMTP
>> I'd rather not restrict smtps connection. Either they authenticate
>> they do not. That is enough for me.
> Assuming that other sanity checks still apply for smtps clients...
>> My smtps service is defined through this (slightly altered) master.cf
>> 10.11.12.13:smtps inet n - n - - smtpd
>> -o smtpd_sasl_auth_enable=yes
>> -o smtpd_sasl_type=dovecot
>> -o smtpd_sasl_path=private/auth
>> -o smtpd_tls_security_level=encrypt
>> -o smtpd_tls_wrappermode=yes
>> -o smtpd_tls_cert_file=/usr/local/etc/postfix-config/CERTS/
>> -o smtpd_tls_key_file=/usr/local/etc/postfix-config/CERTS/
>> In main.cf, I find these references to njabl.org. I would prefer to
>> keep these smtp restrictions in place.
>> maps_rbl_domains = dnsbl.njabl.org
>> smtpd_client_restrictions = sleep 1, reject_unauth_pipelining, hash:/
>> reject_rbl_client dnsbl.njabl.org,
> Add to main.cf:
> smtps_client_restrictions = sleep 1, reject_unauth_pipelining
> i.e. all but the ``reject_rbl_client dnsbl.njabl.org''.
> In master.cf, add to the smtps entry:
> -o smtpd_client_restrictions=$smtps_client_restrictions
> Ditto for smtpd_helo_restrictions and smtpd_sender_restrictions
> or anything that references dnsbl.njabl.org.
> This workaround is needed because there can't be spaces in master.cf
> -o options. You can use commas instead of spaces, but that just
> makes things uglier.