
SASL Authenticated user blocked for non fqdn helo

  • Russell Horn
    Message 1 of 7 , Mar 31, 2009
      Hi,

      I've a user who had their mail rejected for not presenting a FQDN as part of the SMTP HELO, yet they were sasl authenticated.

      The log says:

      Apr  1 01:06:31 paddington postfix/smtpd[3215]: NOQUEUE: reject: RCPT from xxx.blueyonder.co.uk[92.xxx.xxx.xxx]: 504 <titan>: Helo command rejected: need fully-qualified hostname; from=<bob@...> to=<russell@...> proto=ESMTP helo=<titan>

      And main.cf has

      smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/access, reject_unauth_destination hash:/etc/postfix/block, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, reject_unknown_sender_domain, check_relay_domains

      I thought if permit_sasl_authenticated came first, then that would take precedence over the reject_non_fqdn, is that not the case, or is something else wrong? postconf -n is below.

      Thanks for any suggestions,

      Russell.

      --- postconf -n ---

      access_map_reject_code = 550
      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
      body_checks = pcre:/etc/postfix/virus
      bounce_size_limit = 1000
      broken_sasl_auth_clients = yes
      canonical_maps = hash:/etc/postfix/canonical
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/lib/postfix
      debug_peer_level = 3
      default_destination_concurrency_limit = 20
      default_process_limit = 20
      defer_transports =
      disable_dns_lookups = no
      disable_vrfy_command = yes
      header_checks = pcre:/etc/postfix/headerchecks
      html_directory = /usr/share/doc/packages/postfix/html
      invalid_hostname_reject_code = 501
      lmtp_sasl_security_options = noanonymous
      local_destination_concurrency_limit = 3
      local_recipient_maps =
      mail_name = Postfix ESMTP $myhostname
      mail_spool_directory = /var/mail
      mailbox_transport = lmtp:unix:/var/spool/postfix/socket/lmtp
      mailq_path = /usr/bin/mailq
      manpage_directory = /usr/share/man
      maps_rbl_domains = blackholes.mail-abuse.org, sbl.spamhaus.org, bl.spamcop.net, blackholes.easynet.nl
      maps_rbl_reject_code = 550
      masquerade_exceptions = root
      message_size_limit = 35000000
      mime_header_checks = pcre:/etc/postfix/virus
      mydestination = example.com
      mynetworks = 87.117.xxx.xxx
      myorigin = example.com
      newaliases_path = /usr/bin/newaliases
      owner_request_special = no
      readme_directory = /usr/share/doc/packages/postfix/README_FILES
      recipient_delimiter = +
      reject_code = 550
      relay_domains_reject_code = 550
      relocated_maps = hash:/etc/postfix/relocated
      sample_directory = /usr/share/doc/packages/postfix/samples
      sendmail_path = /usr/sbin/sendmail
      setgid_group = maildrop
      smtp_sasl_security_options =
      smtp_tls_CAfile = /etc/postfix/certs/ssl.ca
      smtp_tls_cert_file = /etc/postfix/certs/ssl.cert
      smtp_tls_key_file = /etc/postfix/certs/ssl.key
      smtp_tls_loglevel = 1
      smtp_tls_note_starttls_offer = yes
      smtp_tls_session_cache_database = sdbm:/etc/postfix/cache/smtp_scache
      smtp_tls_session_cache_timeout = 3600s
      smtp_use_tls = yes
      smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl
      smtpd_delay_reject = no
      smtpd_helo_required = yes
      smtpd_recipient_limit = 300
      smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/access, reject_unauth_destination hash:/etc/postfix/block, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, reject_unknown_sender_domain, check_relay_domains
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain = foo
      smtpd_sasl_security_options = noanonymous
      smtpd_sender_restrictions = check_sender_access, hash:/etc/postfix/spammers
      smtpd_tls_CAfile = /etc/postfix/certs/ssl.ca
      smtpd_tls_ask_ccert = yes
      smtpd_tls_cert_file = /etc/postfix/certs/ssl.cert
      smtpd_tls_key_file = /etc/postfix/certs/ssl.key
      smtpd_tls_loglevel = 1
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_database = sdbm:/etc/postfix/cache/smtpd_scache
      smtpd_tls_session_cache_timeout = 3600s
      smtpd_use_tls = yes
      strict_rfc821_envelopes = yes
      tls_random_source = dev:/dev/urandom
      transport_maps = hash:/etc/postfix/transport
      unknown_address_reject_code = 450
      unknown_client_reject_code = 450
      unknown_hostname_reject_code = 450
      unknown_local_recipient_reject_code = 450


    • Matt Hayes
      Message 2 of 7 , Mar 31, 2009
        Russell Horn wrote:
        > Hi,
        >
        > I've a user who had their mail rejected for not presenting a FQDN as
        > part of the SMTP HELO, yet they were sasl authenticated.
        >
        > The log says:
        >
        > Apr 1 01:06:31 paddington postfix/smtpd[3215]: NOQUEUE: reject: RCPT
        > from xxx.blueyonder.co.uk <http://xxx.blueyonder.co.uk>[92.xxx.xxx.xxx]:
        > 504 <titan>: Helo command rejected: need fully-qualified hostname;
        > from=<bob@... <mailto:bob@...>> to=<russell@...
        > <mailto:russell@...>> proto=ESMTP helo=<titan>
        >
        > And main.cf <http://main.cf> has
        >
        **snip**
        Russell,

        Can you provide us your "submission" lines from your master.cf?

        -Matt
      • Matt Hayes
        Message 3 of 7 , Mar 31, 2009
          Russell Horn wrote:
          > Sorry, I missed a line:
          >
          > submission inet n - n - - smtpd
          > -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
          >
          > Russell.
          >
          >

          Keep in mind that any smtpd_*_restrictions you have in main.cf have to
          be zeroed out in the submission line or where ever you have your clients
          authing too.

          This is mine:

          submission inet n - n - - smtpd
          -o smtpd_tls_security_level=may
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_delay_reject=yes
          -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
          -o smtpd_data_restrictions=


          I have to explicitly set smtpd_recipient_restrictions to what I want and
          "zero out" smtpd_data_restrictions as I have those defined in main.cf

          -matt
        • Sahil Tandon
          Message 4 of 7 , Mar 31, 2009
            On Tue, 31 Mar 2009, Russell Horn wrote:

            > I've a user who had their mail rejected for not presenting a FQDN as part of
            > the SMTP HELO, yet they were sasl authenticated.
            >
            > The log says:
            >
            > Apr 1 01:06:31 paddington postfix/smtpd[3215]: NOQUEUE: reject: RCPT from
            > xxx.blueyonder.co.uk[92.xxx.xxx.xxx]: 504 <titan>: Helo command rejected:
            > need fully-qualified hostname; from=<bob@...> to=<
            > russell@...> proto=ESMTP helo=<titan>

            Can you show logging that confirms this client authenticated? For example,
            what is the output of:

            % grep 3215 /var/log/maillog | grep sasl_method

            > I thought if permit_sasl_authenticated came first, then that would take
            > precedence over the reject_non_fqdn, is that not the case, or is something
            > else wrong?

            smtpd_recipient_restrictions are applied in the order they are specified.

            > access_map_reject_code = 550

            What's wrong with 554?

            > alias_database = hash:/etc/aliases
            > alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
            > body_checks = pcre:/etc/postfix/virus
            > bounce_size_limit = 1000
            > broken_sasl_auth_clients = yes
            > canonical_maps = hash:/etc/postfix/canonical
            > command_directory = /usr/sbin
            > config_directory = /etc/postfix
            > daemon_directory = /usr/lib/postfix
            > debug_peer_level = 3
            > default_destination_concurrency_limit = 20
            > default_process_limit = 20
            > defer_transports =
            > disable_dns_lookups = no
            > disable_vrfy_command = yes
            > header_checks = pcre:/etc/postfix/headerchecks
            > html_directory = /usr/share/doc/packages/postfix/html
            > invalid_hostname_reject_code = 501
            > lmtp_sasl_security_options = noanonymous
            > local_destination_concurrency_limit = 3
            > local_recipient_maps =
            > mail_name = Postfix ESMTP $myhostname

            Your $smtpd_banner must look ridiculous.

            > mail_spool_directory = /var/mail
            > mailbox_transport = lmtp:unix:/var/spool/postfix/socket/lmtp
            > mailq_path = /usr/bin/mailq
            > manpage_directory = /usr/share/man
            > maps_rbl_domains = blackholes.mail-abuse.org, sbl.spamhaus.org,
            > bl.spamcop.net, blackholes.easynet.nl

            Obsolete; consider using reject_rbl_client instead.

            > maps_rbl_reject_code = 550

            Why did you change this from 554?

            > masquerade_exceptions = root
            > message_size_limit = 35000000
            > mime_header_checks = pcre:/etc/postfix/virus
            > mydestination = example.com
            > mynetworks = 87.117.xxx.xxx
            > myorigin = example.com
            > newaliases_path = /usr/bin/newaliases
            > owner_request_special = no
            > readme_directory = /usr/share/doc/packages/postfix/README_FILES
            > recipient_delimiter = +
            > reject_code = 550

            Why? Just curious.

            > relay_domains_reject_code = 550
            > relocated_maps = hash:/etc/postfix/relocated
            > sample_directory = /usr/share/doc/packages/postfix/samples
            > sendmail_path = /usr/sbin/sendmail
            > setgid_group = maildrop
            > smtp_sasl_security_options =
            > smtp_tls_CAfile = /etc/postfix/certs/ssl.ca
            > smtp_tls_cert_file = /etc/postfix/certs/ssl.cert
            > smtp_tls_key_file = /etc/postfix/certs/ssl.key
            > smtp_tls_loglevel = 1
            > smtp_tls_note_starttls_offer = yes
            > smtp_tls_session_cache_database = sdbm:/etc/postfix/cache/smtp_scache
            > smtp_tls_session_cache_timeout = 3600s
            > smtp_use_tls = yes
            > smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl

            This is odd. You have type:table without specifying a restriction that
            queries that type:table; see postconf(5).

            > smtpd_delay_reject = no
            > smtpd_helo_required = yes
            > smtpd_recipient_limit = 300
            > smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
            > check_client_access hash:/etc/postfix/access, reject_unauth_destination
            > hash:/etc/postfix/block, reject_non_fqdn_hostname, reject_non_fqdn_sender,
            > reject_non_fqdn_recipient, reject_invalid_hostname,
            > reject_unknown_sender_domain, check_relay_domains
            > smtpd_sasl_auth_enable = yes
            > smtpd_sasl_local_domain = foo
            > smtpd_sasl_security_options = noanonymous
            > smtpd_sender_restrictions = check_sender_access, hash:/etc/postfix/spammers

            Extraneous comma.

            --
            Sahil Tandon <sahil@...>
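Sahil's grep ties the reject to the smtpd process that logged it and then looks for a SASL line from that process. As an added example, not code from any poster in this thread, here is a Python version of the same check over constructed log lines (hostnames, addresses and PIDs are made up): it splits the smtpd lines into connect-to-disconnect sessions and lists the rejects whose session shows no successful AUTH. The reject line itself carries no SASL fields, so the evidence has to come from another line of the same session, such as the `client=... sasl_method=... sasl_username=...` line of a queued message or a `SASL ... authentication failed` warning.

```python
import re

# Constructed sample maillog lines (not from the original thread). The smtpd
# PID plus the connect/disconnect pair is what ties a NOQUEUE reject to the
# rest of its SMTP session.
SAMPLE_LOG = """\
Apr  1 01:06:20 paddington postfix/smtpd[3215]: connect from client.example.net[192.0.2.10]
Apr  1 01:06:31 paddington postfix/smtpd[3215]: NOQUEUE: reject: RCPT from client.example.net[192.0.2.10]: 504 <titan>: Helo command rejected: need fully-qualified hostname; from=<bob@example.com> to=<russell@example.com> proto=ESMTP helo=<titan>
Apr  1 01:06:32 paddington postfix/smtpd[3215]: disconnect from client.example.net[192.0.2.10]
Apr  1 01:07:02 paddington postfix/smtpd[3301]: connect from laptop.example.net[198.51.100.7]
Apr  1 01:07:05 paddington postfix/smtpd[3301]: 5A1C2B3F: client=laptop.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Apr  1 01:07:06 paddington postfix/smtpd[3301]: disconnect from laptop.example.net[198.51.100.7]
Apr  1 01:08:10 paddington postfix/smtpd[3402]: connect from roaming.example.org[203.0.113.5]
Apr  1 01:08:12 paddington postfix/smtpd[3402]: warning: roaming.example.org[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Apr  1 01:08:13 paddington postfix/smtpd[3402]: NOQUEUE: reject: RCPT from roaming.example.org[203.0.113.5]: 504 <laptop>: Helo command rejected: need fully-qualified hostname; from=<carol@example.com> to=<russell@example.com> proto=ESMTP helo=<laptop>
Apr  1 01:08:14 paddington postfix/smtpd[3402]: disconnect from roaming.example.org[203.0.113.5]
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")


def parse_sessions(log_text):
    """Split smtpd log lines into sessions, one per connect..disconnect.

    An smtpd process serves many sessions in turn, so the PID alone is not a
    session key; a new "connect from" line for a PID starts a new record.
    """
    sessions, open_by_pid = [], {}
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        if msg.startswith("connect from "):
            sess = {"pid": pid, "client": msg[len("connect from "):].strip(),
                    "rejects": [], "sasl_username": None, "auth_failed": False}
            sessions.append(sess)
            open_by_pid[pid] = sess
            continue
        sess = open_by_pid.get(pid)
        if sess is None:
            continue  # the session's connect line is outside this excerpt
        if msg.startswith("disconnect from "):
            del open_by_pid[pid]
        elif "NOQUEUE: reject:" in msg:
            helo = re.search(r"helo=<([^>]*)>", msg)
            sess["rejects"].append(helo.group(1) if helo else None)
        elif "sasl_method=" in msg:
            user = re.search(r"sasl_username=([^,\s]+)", msg)
            sess["sasl_username"] = user.group(1) if user else "<unknown>"
        elif "authentication failed" in msg:
            sess["auth_failed"] = True
    return sessions


def unauthenticated_rejects(log_text):
    """Rejects whose session shows no successful SASL login.

    Returns (pid, client, helo, auth_failed) tuples; in these sessions
    permit_sasl_authenticated could never have matched.
    """
    return [(s["pid"], s["client"], s["rejects"][0], s["auth_failed"])
            for s in parse_sessions(log_text)
            if s["rejects"] and s["sasl_username"] is None]


if __name__ == "__main__":
    for pid, client, helo, failed in unauthenticated_rejects(SAMPLE_LOG):
        why = "AUTH failed" if failed else "no AUTH seen"
        print(f"smtpd[{pid}] {client} helo=<{helo}>: rejected, {why}")
```

On the constructed input the two rejecting sessions (3215 and 3402) are reported and the session that queued mail as `alice@example.com` is not; 3402 is additionally flagged because a failed AUTH was logged before the reject, which is the "client didn't authenticate" explanation the thread converges on.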
          • Brian Evans - Postfix List
            Message 5 of 7 , Apr 1, 2009
              Matt Hayes wrote:
              > Russell Horn wrote:
              >
              >> Sorry, I missed a line:
              >>
              >> submission inet n - n - - smtpd
              >> -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
              >>
              >> Russell.
              >>
              >>
              >>
              >
              > Keep in mind that any smtpd_*_restrictions you have in main.cf have to
              > be zeroed out in the submission line or where ever you have your clients
              > authing too.
              >
              >

              This is your preference. It is not required to do so.
              OP has not presented enough information to know what is going on.

              > This is mine:
              >
              > submission inet n - n - - smtpd
              > -o smtpd_tls_security_level=may
              > -o smtpd_sasl_auth_enable=yes
              > -o smtpd_delay_reject=yes
              > -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
              > -o smtpd_data_restrictions=
              >
              >
              > I have to explicitly set smtpd_recipient_restrictions to what I want and
              > "zero out" smtpd_data_restrictions as I have those defined in main.cf
              >
              >
              Have to? No. Good idea? Yes.

              Brian
            • Victor Duchovni
              Message 6 of 7 , Apr 1, 2009
                On Wed, Apr 01, 2009 at 09:02:18AM -0400, Brian Evans - Postfix List wrote:

                > > Keep in mind that any smtpd_*_restrictions you have in main.cf have to
                > > be zeroed out in the submission line or where ever you have your clients
                > > authing too.
                > >
                > >
                >
                > This is your preference. It is not required to do so.

                No, it is pretty much a requirement for staying sane. The settings for
                a given service should be defined in exactly one place, I recommend:

                submission inet n - n - - smtpd
                ...
                -o smtpd_tls_security_level=$submission_tls_security_level
                -o smtpd_sasl_auth_enable=$submission_sasl_auth_enable
                -o smtpd_client_restrictions=$submission_client_restrictions
                -o smtpd_helo_restrictions=$submission_helo_restrictions
                -o smtpd_sender_restrictions=$submission_sender_restrictions
                -o smtpd_recipient_restrictions=$submission_recipient_restrictions
                -o smtpd_data_restrictions=$submission_data_restrictions
                -o smtpd_end_of_data_restrictions=$submission_end_of_data_restrictions

                with the values of the above defined in main.cf.

                --
                Viktor.

                Disclaimer: off-list followups get on-list replies or get ignored.
                Please do not ignore the "Reply-To" header.

                To unsubscribe from the postfix-users list, visit
                http://www.postfix.org/lists.html or click the link below:
                <mailto:majordomo@...?body=unsubscribe%20postfix-users>

                If my response solves your problem, the best way to thank me is to not
                send an "it worked, thanks" follow-up. If you must respond, please put
                "It worked, thanks" in the "Subject" so I can delete these quickly.
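Matt's "zero out" advice and Viktor's one-place-per-service layout both come down to one question: which `smtpd_*_restrictions` (and `smtpd_delay_reject`) does the submission service inherit from main.cf because master.cf never overrides them? As an added example, not code from the thread and not part of Postfix, here is a small Python checker run over constructed main.cf and master.cf excerpts; the parameter names are real Postfix parameters, the file contents are made up, and only the whitespace-free `-o name=value` form is parsed.

```python
import re

# Constructed excerpts (not the thread's files). MAIN_CF keeps restriction
# lists in main.cf; MASTER_CF_SPARSE is a submission entry that overrides only
# two parameters, MASTER_CF_FULL the "every gating parameter defined for the
# service" style, with a $name indirection into main.cf.
MAIN_CF = """\
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access,
    reject_rbl_client zen.spamhaus.org
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/spammers
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_non_fqdn_hostname
submission_recipient_restrictions = permit_sasl_authenticated, reject
"""

MASTER_CF_SPARSE = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
"""

MASTER_CF_FULL = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=yes
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
  -o smtpd_data_restrictions=
  -o smtpd_end_of_data_restrictions=
"""

# Parameters that gate mail on an smtpd service; whatever is set here in
# main.cf is inherited by every smtpd service that does not override it.
GATING_PARAMS = (
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
    "smtpd_data_restrictions", "smtpd_end_of_data_restrictions",
    "smtpd_delay_reject",
)


def parse_main_cf(text):
    """name -> value; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def parse_master_cf(text):
    """service name -> {parameter: value} collected from its -o overrides.

    A line starting with whitespace continues the previous service entry
    (master(5) syntax). Values containing spaces are not handled; put them in
    main.cf and reference them as $name, as recommended in the thread.
    """
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if current is None:
                continue
            tokens = line.split()
        else:
            fields = line.split()
            current = fields[0]
            services[current] = {}
            tokens = fields[8:]          # anything after the 8 service columns
        for opt, arg in zip(tokens, tokens[1:]):
            if opt == "-o":
                name, _, value = arg.partition("=")
                services[current][name] = value
    return services


def inherited_from_main_cf(main_cf, master_cf, service="submission"):
    """Gating parameters the service silently inherits from main.cf."""
    params = parse_main_cf(main_cf)
    overrides = parse_master_cf(master_cf).get(service, {})
    return [p for p in GATING_PARAMS if params.get(p) and p not in overrides]


def effective_value(main_cf, master_cf, service, name):
    """What the service actually runs with: the -o override if there is one,
    else the main.cf value, with $name references expanded from main.cf."""
    params = parse_main_cf(main_cf)
    value = parse_master_cf(master_cf).get(service, {}).get(name, params.get(name, ""))
    for _ in range(10):                  # bounded expansion of nested $names
        expanded = re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)
        if expanded == value:
            break
        value = expanded
    return value


if __name__ == "__main__":
    print("sparse submission inherits:", inherited_from_main_cf(MAIN_CF, MASTER_CF_SPARSE))
    print("full submission inherits:  ", inherited_from_main_cf(MAIN_CF, MASTER_CF_FULL))
```

With the sparse entry the submission service inherits the client, sender and recipient lists and `smtpd_delay_reject = no` from main.cf, so an authenticated user is still subject to whatever those lists do; with the full entry nothing is inherited and the effective recipient list is exactly `permit_sasl_authenticated, reject`.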
              • Noel Jones
                Message 7 of 7 , Apr 1, 2009
                  Russell Horn wrote:
                  > Hi,
                  >
                  > I've a user who had their mail rejected for not presenting a FQDN as
                  > part of the SMTP HELO, yet they were sasl authenticated.
                  >
                  > The log says:
                  >
                  > Apr 1 01:06:31 paddington postfix/smtpd[3215]: NOQUEUE: reject: RCPT
                  > from xxx.blueyonder.co.uk <http://xxx.blueyonder.co.uk>[92.xxx.xxx.xxx]:
                  > 504 <titan>: Helo command rejected: need fully-qualified hostname;
                  > from=<bob@... <mailto:bob@...>> to=<russell@...
                  > <mailto:russell@...>> proto=ESMTP helo=<titan>

                  [press the "plain text" button when posting from gmail]

                  Do you have evidence the user really authenticated?

                  more notes below...

                  > And main.cf <http://main.cf> has
                  >
                  > smtpd_recipient_restrictions = permit_mynetworks,
                  > permit_sasl_authenticated, check_client_access hash:/etc/postfix/access,
                  > reject_unauth_destination hash:/etc/postfix/block,
                  > reject_non_fqdn_hostname, reject_non_fqdn_sender,
                  > reject_non_fqdn_recipient, reject_invalid_hostname,
                  > reject_unknown_sender_domain, check_relay_domains
                  >
                  > I thought if permit_sasl_authenticated came first, then that would take
                  > precedence over the reject_non_fqdn, is that not the case, or is
                  > something else wrong? postconf -n is below.

                  Restrictions are evaluated in the order listed. Either the
                  client didn't authenticate or you have
                  reject_non_fqdn_hostname elsewhere in your config.

                  Do you have a "submission" or "smtps" service with different
                  settings defined in master.cf?

                  Best guess at this point is the client didn't authenticate.


                  > --- postconf -n ---
                  >
                  > access_map_reject_code = 550

                  Better to remove this to leave at its default.

                  > default_destination_concurrency_limit = 20

                  This is the default. Better to remove default values.

                  > default_process_limit = 20

                  This is quite low, the current default is 100. OK for a very
                  low volume and/or low memory site.

                  > disable_dns_lookups = no

                  Again, better to remove default values.

                  > invalid_hostname_reject_code = 501

                  another default.

                  > local_recipient_maps =

                  Very bad if you have local users. You will accept and bounce
                  undeliverable mail, making you a backscatter source.
                  Besides clogging your queue with undeliverable bounces, if you
                  annoy enough innocent bystanders you'll get blacklisted.

                  > mail_name = Postfix ESMTP $myhostname

                  Very odd. Best to remove this.

                  > maps_rbl_domains = blackholes.mail-abuse.org
                  > <http://blackholes.mail-abuse.org>, sbl.spamhaus.org
                  > <http://sbl.spamhaus.org>, bl.spamcop.net <http://bl.spamcop.net>,
                  > blackholes.easynet.nl <http://blackholes.easynet.nl>

                  maps_rbl_domains is deprecated; you should remove the above
                  and use explicit reject_rbl_client statements instead.

                  mail-abuse.org is a pay service (with questionable
                  effectiveness). Remove it unless you have a subscription.

                  sbl.spamhaus.org is OK, but zen.spamhaus.org is far more
                  effective. Note spamhaus' usage policy has changed, they are
                  no longer free for "high-volume" sites and will block queries
                  if you exceed their limits.

                  > maps_rbl_reject_code = 550

                  Best left at the default.

                  > mynetworks = 87.117.xxx.xxx

                  It's not required, but generally a good idea to include
                  127.0.0.1 in mynetworks.

                  > reject_code = 550
                  > relay_domains_reject_code = 550

                  both these are best left at defaults.

                  > smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl

                  Much better to use
                  check_client_access hash:/etc/postfix/access
                  rather than depending on the undocumented implied
                  check_{SECTION}_access.

                  It's best to prefix these with
                  permit_mynetworks, permit_sasl_authenticated
                  so you don't reject your own users if their home connection
                  happens to be on an RBL.

                  Even better, move these checks to smtpd_recipient_restrictions.

                  > smtpd_delay_reject = no

                  Generally unwise. This prevents excluding authenticated
                  clients from smtpd_client_restrictions or
                  smtpd_helo_restrictions because the client hasn't
                  authenticated yet. Also reduces the usefulness of logged
                  rejections since the sender and intended recipient can't be
                  logged.

                  But OK if your authenticated users are connecting to
                  "submission" or "smtps" with alternate settings.

                  > smtpd_recipient_restrictions = permit_mynetworks,
                  > permit_sasl_authenticated, check_client_access hash:/etc/postfix/access,

                  I see you've duplicated your client access map here.
                  Remove one of them.

                  > reject_unauth_destination hash:/etc/postfix/block,

                  another bare map name. Far better to use
                  check_recipient_access hash:/etc/postfix/block

                  > reject_non_fqdn_hostname, reject_non_fqdn_sender,
                  > reject_non_fqdn_recipient, reject_invalid_hostname,
                  > reject_unknown_sender_domain, check_relay_domains

                  check_relay_domains is deprecated and should not be used.
                  Since you already have reject_unauth_destination above, just
                  remove this.

                  This is a fine place to move your RBL restrictions
                  reject_rbl_client zen.spamhaus.org
                  reject_rbl_client bl.spamcop.net

                  > unknown_address_reject_code = 450
                  > unknown_client_reject_code = 450
                  > unknown_hostname_reject_code = 450
                  > unknown_local_recipient_reject_code = 450

                  Better to change all these to 550 unless you are having
                  trouble with rejecting mail you want - and are watching the
                  logs for it.


                  -- Noel Jones
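Two of Noel's points, that restrictions are evaluated in the order listed and that `smtpd_delay_reject = no` runs the client/helo lists before AUTH can have happened, can be shown with a small model. As an added example, not Postfix code and not from any poster, the Python below models a handful of the restrictions named in the thread (anything else raises rather than silently passing) and walks the poster's recipient list for an authenticated and an unauthenticated client with `helo=<titan>`; the session values are constructed.

```python
import re
from dataclasses import dataclass, replace


@dataclass
class Session:
    """What smtpd knows about a client when a restriction list is evaluated."""
    helo: str
    in_mynetworks: bool = False
    sasl_authenticated: bool = False
    recipient_is_ours: bool = True      # recipient domain in mydestination/relay_domains


def is_fqdn(name):
    """Simplified need-fully-qualified-hostname test: two or more non-empty
    labels of hostname characters separated by dots."""
    labels = name.split(".")
    return len(labels) >= 2 and all(re.fullmatch(r"[A-Za-z0-9-]+", l) for l in labels)


def evaluate(restrictions, session):
    """Walk the list in order. The first PERMIT or REJECT decides; a
    restriction that does not apply is DUNNO and falls through; running off
    the end of the list is an implicit permit. Unknown names raise so that a
    typo cannot silently turn into "permit"."""
    for r in restrictions:
        if r == "permit_mynetworks":
            if session.in_mynetworks:
                return ("PERMIT", r)
        elif r == "permit_sasl_authenticated":
            if session.sasl_authenticated:
                return ("PERMIT", r)
        elif r in ("reject_non_fqdn_hostname", "reject_non_fqdn_helo_hostname"):
            if not is_fqdn(session.helo):
                return ("REJECT", r)
        elif r == "reject_unauth_destination":
            if not session.recipient_is_ours:
                return ("REJECT", r)
        elif r == "reject":
            return ("REJECT", r)
        else:
            raise ValueError(f"restriction not modelled here: {r}")
    return ("PERMIT", "end of list")


def evaluate_helo_list(restrictions, session, delay_reject):
    """smtpd_helo_restrictions under the two smtpd_delay_reject settings.

    With delay_reject=no the list runs when HELO/EHLO arrives, before AUTH
    is possible, so permit_sasl_authenticated can never match there. With
    delay_reject=yes evaluation is postponed to RCPT TO, when the SASL
    result is known."""
    seen = session if delay_reject else replace(session, sasl_authenticated=False)
    return evaluate(restrictions, seen)


# Lists modelled on the thread (a subset of the poster's, in his order).
MAIN_RECIPIENT = ["permit_mynetworks", "permit_sasl_authenticated",
                  "reject_unauth_destination", "reject_non_fqdn_hostname"]
HELO_WITH_AUTH_EXEMPTION = ["permit_sasl_authenticated", "reject_non_fqdn_helo_hostname"]
SUBMISSION_RECIPIENT = ["permit_sasl_authenticated", "reject"]


if __name__ == "__main__":
    bare = Session(helo="titan")
    authed = replace(bare, sasl_authenticated=True)
    print(evaluate(MAIN_RECIPIENT, authed))     # permitted by permit_sasl_authenticated
    print(evaluate(MAIN_RECIPIENT, bare))       # rejected by reject_non_fqdn_hostname
    print(evaluate_helo_list(HELO_WITH_AUTH_EXEMPTION, authed, delay_reject=False))
    print(evaluate_helo_list(HELO_WITH_AUTH_EXEMPTION, authed, delay_reject=True))
```

The model reproduces the thread's reasoning: with the poster's recipient list an authenticated client is permitted before `reject_non_fqdn_hostname` is ever reached, so a 504 at RCPT means either no successful AUTH or the same check living in a list that is evaluated earlier; and a `permit_sasl_authenticated` exemption in `smtpd_helo_restrictions` only works once `smtpd_delay_reject = yes` moves the evaluation to RCPT.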