
Re: SASL Authenticated user blocked for non fqdn helo

  • Brian Evans - Postfix List
    Message 1 of 7 , Apr 1, 2009
      Matt Hayes wrote:
      > Russell Horn wrote:
      >
      >> Sorry, I missed a line:
      >>
      >> submission inet n - n - - smtpd
      >> -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
      >>
      >> Russell.
      >>
      >>
      >>
      >
      > Keep in mind that any smtpd_*_restrictions you have in main.cf have to
      > be zeroed out in the submission line or wherever you have your clients
      > authing to.
      >
      >

      This is your preference. It is not required to do so.
      OP has not presented enough information to know what is going on.

      > This is mine:
      >
      > submission inet n - n - - smtpd
      > -o smtpd_tls_security_level=may
      > -o smtpd_sasl_auth_enable=yes
      > -o smtpd_delay_reject=yes
      > -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      > -o smtpd_data_restrictions=
      >
      >
      > I have to explicitly set smtpd_recipient_restrictions to what I want and
      > "zero out" smtpd_data_restrictions as I have those defined in main.cf
      >
      >
      Have to? No. Good idea? Yes.

      Brian
    • Victor Duchovni
      Message 2 of 7 , Apr 1, 2009
        On Wed, Apr 01, 2009 at 09:02:18AM -0400, Brian Evans - Postfix List wrote:

        > > Keep in mind that any smtpd_*_restrictions you have in main.cf have to
        > > be zeroed out in the submission line or wherever you have your clients
        > > authing to.
        > >
        > >
        >
        > This is your preference. It is not required to do so.

        No, it is pretty much a requirement for staying sane. The settings for
        a given service should be defined in exactly one place, I recommend:

        submission inet n - n - - smtpd
        ...
        -o smtpd_tls_security_level=$submission_tls_security_level
        -o smtpd_sasl_auth_enable=$submission_sasl_auth_enable
        -o smtpd_client_restrictions=$submission_client_restrictions
        -o smtpd_helo_restrictions=$submission_helo_restrictions
        -o smtpd_sender_restrictions=$submission_sender_restrictions
        -o smtpd_recipient_restrictions=$submission_recipient_restrictions
        -o smtpd_data_restrictions=$submission_data_restrictions
        -o smtpd_end_of_data_restrictions=$submission_end_of_data_restrictions

        with the values of the above defined in main.cf.

        --
        Viktor.

        Disclaimer: off-list followups get on-list replies or get ignored.
        Please do not ignore the "Reply-To" header.

        To unsubscribe from the postfix-users list, visit
        http://www.postfix.org/lists.html or click the link below:
        <mailto:majordomo@...?body=unsubscribe%20postfix-users>

        If my response solves your problem, the best way to thank me is to not
        send an "it worked, thanks" follow-up. If you must respond, please put
        "It worked, thanks" in the "Subject" so I can delete these quickly.
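        The main.cf half of the layout Viktor describes, added here as an example rather than taken from the thread; the values are assumptions for a submission port that serves only SASL-authenticated clients over TLS, and the master.cf entry above consumes them through the $submission_* references.

        ```ini
        # Added example, not from the thread. These names are referenced from the
        # submission entry in master.cf, so each setting lives in exactly one place.
        submission_tls_security_level = encrypt
        submission_sasl_auth_enable = yes
        # Assumed policy: only authenticated clients may use the port at all.
        submission_client_restrictions = permit_sasl_authenticated, reject
        submission_helo_restrictions = permit_sasl_authenticated, reject
        submission_sender_restrictions = permit_sasl_authenticated, reject
        submission_recipient_restrictions = permit_sasl_authenticated, reject
        # Empty: inbound-only checks such as reject_unauth_pipelining stay on port 25.
        submission_data_restrictions =
        submission_end_of_data_restrictions =
        ```

        Because smtpd_delay_reject keeps its default of yes here, every list is evaluated at RCPT TO, after the client has had the chance to AUTH.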
      • Noel Jones
        Message 3 of 7 , Apr 1, 2009
          Russell Horn wrote:
          > Hi,
          >
          > I've a user who had their mail rejected for not presenting a FQDN as
          > part of the SMTP HELO, yet they were sasl authenticated.
          >
          > The log says:
          >
          > Apr 1 01:06:31 paddington postfix/smtpd[3215]: NOQUEUE: reject: RCPT
          > from xxx.blueyonder.co.uk[92.xxx.xxx.xxx]:
          > 504 <titan>: Helo command rejected: need fully-qualified hostname;
          > from=<bob@...> to=<russell@...> proto=ESMTP helo=<titan>

          [press the "plain text" button when posting from gmail]

          Do you have evidence the user really authenticated?

          more notes below...

          > And main.cf has
          >
          > smtpd_recipient_restrictions = permit_mynetworks,
          > permit_sasl_authenticated, check_client_access hash:/etc/postfix/access,
          > reject_unauth_destination hash:/etc/postfix/block,
          > reject_non_fqdn_hostname, reject_non_fqdn_sender,
          > reject_non_fqdn_recipient, reject_invalid_hostname,
          > reject_unknown_sender_domain, check_relay_domains
          >
          > I thought if permit_sasl_authenticated came first, then that would take
          > precedence over the reject_non_fqdn, is that not the case, or is
          > something else wrong? postconf -n is below.

          Restrictions are evaluated in the order listed. Either the
          client didn't authenticate or you have
          reject_non_fqdn_hostname elsewhere in your config.

          Do you have a "submission" or "smtps" service with different
          settings defined in master.cf?

          Best guess at this point is the client didn't authenticate.


          > --- postconf -n ---
          >
          > access_map_reject_code = 550

          Better to remove this to leave at its default.

          > default_destination_concurrency_limit = 20

          This is the default. Better to remove default values.

          > default_process_limit = 20

          This is quite low, the current default is 100. OK for a very
          low volume and/or low memory site.

          > disable_dns_lookups = no

          Again, better to remove default values.

          > invalid_hostname_reject_code = 501

          another default.

          > local_recipient_maps =

          Very bad if you have local users. You will accept and bounce
          undeliverable mail, making you a backscatter source.
          Besides clogging your queue with undeliverable bounces, if you
          annoy enough innocent bystanders you'll get blacklisted.

          > mail_name = Postfix ESMTP $myhostname

          Very odd. Best to remove this.

          > maps_rbl_domains = blackholes.mail-abuse.org, sbl.spamhaus.org,
          > bl.spamcop.net, blackholes.easynet.nl

          maps_rbl_domains is deprecated; you should remove the above
          and use explicit reject_rbl_client statements instead.

          mail-abuse.org is a pay service (with questionable
          effectiveness). Remove it unless you have a subscription.

          sbl.spamhaus.org is OK, but zen.spamhaus.org is far more
          effective. Note spamhaus' usage policy has changed, they are
          no longer free for "high-volume" sites and will block queries
          if you exceed their limits.

          > maps_rbl_reject_code = 550

          Best left at the default.

          > mynetworks = 87.117.xxx.xxx

          It's not required, but generally a good idea to include
          127.0.0.1 in mynetworks.

          > reject_code = 550
          > relay_domains_reject_code = 550

          both these are best left at defaults.

          > smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl

          Much better to use
          check_client_access hash:/etc/postfix/access
          rather than depending on the undocumented implied
          check_{SECTION}_access.

          It's best to prefix these with
          permit_mynetworks, permit_sasl_authenticated
          so you don't reject your own users if their home connection
          happens to be on an RBL.

          Even better, move these checks to smtpd_recipient_restrictions.

          > smtpd_delay_reject = no

          Generally unwise. This prevents excluding authenticated
          clients from smtpd_client_restrictions or
          smtpd_helo_restrictions because the client hasn't
          authenticated yet. Also reduces the usefulness of logged
          rejections since the sender and intended recipient can't be
          logged.

          But OK if your authenticated users are connecting to
          "submission" or "smtps" with alternate settings.

          > smtpd_recipient_restrictions = permit_mynetworks,
          > permit_sasl_authenticated, check_client_access hash:/etc/postfix/access,

          I see you've duplicated your client access map here.
          Remove one of them.

          > reject_unauth_destination hash:/etc/postfix/block,

          another bare map name. Far better to use
          check_recipient_access hash:/etc/postfix/block

          > reject_non_fqdn_hostname, reject_non_fqdn_sender,
          > reject_non_fqdn_recipient, reject_invalid_hostname,
          > reject_unknown_sender_domain, check_relay_domains

          check_relay_domains is deprecated and should not be used.
          Since you already have reject_unauth_destination above, just
          remove this.

          This is a fine place to move your RBL restrictions
          reject_rbl_client zen.spamhaus.org
          reject_rbl_client bl.spamcop.net

          > unknown_address_reject_code = 450
          > unknown_client_reject_code = 450
          > unknown_hostname_reject_code = 450
          > unknown_local_recipient_reject_code = 450

          Better to change all these to 550 unless you are having
          trouble with rejecting mail you want - and are watching the
          logs for it.


          -- Noel Jones
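          A small model of the ordering rule Noel states above ("restrictions are evaluated in the order listed"), added here as an example and not part of the thread: it walks a list in order, stops at the first verdict, and also shows why smtpd_delay_reject = no keeps permit_sasl_authenticated from ever matching in a HELO-stage list. The restriction names are Postfix's own; the client dicts, the reduced restriction lists and the FQDN regex are constructed for the example.

          ```python
          import re
          # Hostname test behind reject_non_fqdn_hostname: must contain a dot.
          _FQDN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

          def evaluate(restrictions, client):
              """Walk a restriction list in order; return (verdict, deciding entry).

              `client` is a constructed dict with keys helo, sasl_authenticated,
              in_mynetworks and unauth_destination. Entries with no opinion are
              skipped, as in Postfix, so an exhausted list ends in DUNNO (accept).
              """
              for r in restrictions:
                  if r == "permit_mynetworks" and client["in_mynetworks"]:
                      return "PERMIT", r
                  if r == "permit_sasl_authenticated" and client["sasl_authenticated"]:
                      return "PERMIT", r
                  if r == "reject_unauth_destination" and client["unauth_destination"]:
                      return "REJECT 554 Relay access denied", r
                  if r == "reject_non_fqdn_hostname" and not _FQDN.match(client["helo"]):
                      return "REJECT 504 need fully-qualified hostname", r
                  if r == "reject":
                      return "REJECT 554 Access denied", r
              return "DUNNO", None

          def at_stage(stage, restrictions, client, delay_reject=True):
              """Evaluate as Postfix would at SMTP stage "helo" or "rcpt".

              With smtpd_delay_reject = no, smtpd_helo_restrictions run as soon as
              HELO/EHLO arrives, before the client can send AUTH, so
              permit_sasl_authenticated cannot match there. With delay_reject = yes
              every list is evaluated at RCPT TO, after any authentication.
              """
              c = dict(client)
              if stage == "helo" and not delay_reject:
                  c["sasl_authenticated"] = False
              return evaluate(restrictions, c)

          # The OP's smtpd_recipient_restrictions, reduced to the entries modelled.
          OP_RECIPIENT = ["permit_mynetworks", "permit_sasl_authenticated",
                          "reject_unauth_destination", "reject_non_fqdn_hostname"]
          HELO_LIST = ["permit_sasl_authenticated", "reject_non_fqdn_hostname"]

          # Constructed clients: both send helo=<titan>; only one has authenticated.
          AUTHED = dict(helo="titan", sasl_authenticated=True,
                        in_mynetworks=False, unauth_destination=False)
          UNAUTHED = dict(AUTHED, sasl_authenticated=False)

          if __name__ == "__main__":
              print(evaluate(OP_RECIPIENT, AUTHED), evaluate(OP_RECIPIENT, UNAUTHED))
          ```

          Running it shows the authenticated client being permitted before reject_non_fqdn_hostname is reached, while the unauthenticated one gets exactly the 504 from the OP's log; the at_stage() call with delay_reject=False reproduces Noel's warning that a HELO-stage list cannot exempt a user who has not authenticated yet.
          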