
Re: ignoring client restrictions for smtps

  • Dan Langille
    Message 1 of 4 , Sep 28, 2008
      On Sep 28, 2008, at 2:39 PM, Wietse Venema wrote:

      > Dan Langille:
      >> Today I discovered that my mail server is rejecting smtps connections
      >> based upon RBL.
      >>
      >> Example:
      >>
      >> Sep 28 17:44:40 nyi postfix/smtpd[20073]: NOQUEUE: reject: CONNECT
      >> from pool-151-197-20-211.phil.east.verizon.net[151.197.20.211]: 554
      >> 5.7.1 Service unavailable; Client host [151.197.20.211] blocked using
      >> dnsbl.njabl.org; 1045929907; proto=SMTP
      >>
      >> I'd rather not restrict smtps connections. Either they authenticate or
      >> they do not. That is enough for me.
      >
      > Assuming that other sanity checks still apply for smtps clients...
      >
      >> My smtps service is defined through this (slightly altered) master.cf
      >> entry:
      >>
      >> 10.11.12.13:smtps inet n - n - - smtpd
      >>   -o smtpd_sasl_auth_enable=yes
      >>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
      >>   -o smtpd_sasl_type=dovecot
      >>   -o smtpd_sasl_path=private/auth
      >>   -o smtpd_tls_security_level=encrypt
      >>   -o smtpd_tls_wrappermode=yes
      >>   -o smtpd_tls_cert_file=/usr/local/etc/postfix-config/CERTS/nyi.example.org.cert
      >>   -o smtpd_tls_key_file=/usr/local/etc/postfix-config/CERTS/nyi.example.org.nopassword.key
      >>
      >> In main.cf, I find these references to njabl.org. I would prefer to
      >> keep these smtp restrictions in place.
      >
      >> maps_rbl_domains = dnsbl.njabl.org
      >>
      >> smtpd_client_restrictions = sleep 1, reject_unauth_pipelining,
      >>   hash:/usr/local/etc/postfix-config/main/access,
      >>   reject_rbl_client dnsbl.njabl.org,
      >>   permit_mynetworks
      >
      > Add to main.cf:
      >
      > smtps_client_restrictions = sleep 1, reject_unauth_pipelining
      >   hash:/usr/local/etc/postfix-config/main/access
      >
      > i.e. all but the ``reject_rbl_client dnsbl.njabl.org''.
      >
      > In master.cf, add to the smtps entry:
      >
      > -o smtpd_client_restrictions=$smtps_client_restrictions
      >
      > Ditto for smtpd_helo_restrictions and smtpd_sender_restrictions
      > or anything that references dnsbl.njabl.org.
      >
      > This workaround is needed because there can't be spaces in master.cf
      > -o options. You can use commas instead of spaces, but that just
      > makes things uglier.


      This works. Nice solution. Thank you. :)

      --
      Dan Langille
      http://langille.org/
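
The "ditto for smtpd_helo_restrictions and smtpd_sender_restrictions" step in the quoted advice is easy to miss, so here is an added example (not part of the thread and not Postfix code) that reports which restriction lists still reference a DNSBL for one master.cf service. The function names, the sample files and the `smtpd_sender_restrictions` line are constructed for illustration, and only one level of `$name` expansion is handled.

```python
import re

# Constructed sample configs modelled on the thread (not the poster's real files).
MAIN_CF = """\
smtpd_client_restrictions = sleep 1, reject_unauth_pipelining,
    hash:/usr/local/etc/postfix-config/main/access,
    reject_rbl_client dnsbl.njabl.org,
    permit_mynetworks
smtps_client_restrictions = sleep 1, reject_unauth_pipelining,
    hash:/usr/local/etc/postfix-config/main/access
smtpd_sender_restrictions = reject_rbl_client dnsbl.njabl.org
"""
MASTER_CF = """\
10.11.12.13:smtps inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$smtps_client_restrictions
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def main_params(text):
    return {k.strip(): v.strip() for k, v in
            (l.split("=", 1) for l in logical_lines(text) if "=" in l)}

def service_overrides(text, service):
    """-o name=value overrides of the entry whose first field ends in `service`."""
    for line in logical_lines(text):
        fields = line.split()
        if fields[0].split(":")[-1] == service:
            return dict(o.split("=", 1) for f, o in zip(fields, fields[1:]) if f == "-o")
    return {}

def dnsbl_leftovers(main_cf, master_cf, service, dnsbl):
    """smtpd_*_restrictions lists that still reference `dnsbl` for `service`."""
    params = main_params(main_cf)
    effective = {**params, **service_overrides(master_cf, service)}
    expand = lambda v: re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), v)
    return sorted(n for n, v in effective.items()
                  if re.fullmatch(r"smtpd_\w+_restrictions", n) and dnsbl in expand(v))
```

With the sample files, the client list is clean because of the override, while the constructed sender list is still reported and would need its own `smtps_` variant.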