Re: SASL Authenticated user blocked for non fqdn helo

Noel Jones, Apr 1, 2009 (Message 1 of 7)
      Russell Horn wrote:
      > Hi,
      >
      > I've a user who had their mail rejected for not presenting a FQDN as
      > part of the SMTP HELO, yet they were sasl authenticated.
      >
      > The log says:
      >
      > Apr 1 01:06:31 paddington postfix/smtpd[3215]: NOQUEUE: reject: RCPT
      > from xxx.blueyonder.co.uk[92.xxx.xxx.xxx]:
      > 504 <titan>: Helo command rejected: need fully-qualified hostname;
      > from=<bob@...> to=<russell@...> proto=ESMTP helo=<titan>

      [press the "plain text" button when posting from gmail]

      Do you have evidence the user really authenticated?

      more notes below...

      > And main.cf has
      >
      > smtpd_recipient_restrictions = permit_mynetworks,
      > permit_sasl_authenticated, check_client_access hash:/etc/postfix/access,
      > reject_unauth_destination hash:/etc/postfix/block,
      > reject_non_fqdn_hostname, reject_non_fqdn_sender,
      > reject_non_fqdn_recipient, reject_invalid_hostname,
      > reject_unknown_sender_domain, check_relay_domains
      >
      > I thought if permit_sasl_authenticated came first, then that would take
      > precedence over the reject_non_fqdn, is that not the case, or is
      > something else wrong? postconf -n is below.

      Restrictions are evaluated in the order listed. Either the
      client didn't authenticate or you have
      reject_non_fqdn_hostname elsewhere in your config.

      Do you have a "submission" or "smtps" service with different
      settings defined in master.cf?

      Best guess at this point is the client didn't authenticate.


      > --- postconf -n ---
      >
      > access_map_reject_code = 550

      Better to remove this to leave at its default.

      > default_destination_concurrency_limit = 20

      This is the default. Better to remove default values.

      > default_process_limit = 20

      This is quite low, the current default is 100. OK for a very
      low volume and/or low memory site.

      > disable_dns_lookups = no

      Again, better to remove default values.

      > invalid_hostname_reject_code = 501

      another default.

      > local_recipient_maps =

      Very bad if you have local users. You will accept and bounce
      undeliverable mail, making you a backscatter source.
      Besides clogging your queue with undeliverable bounces, if you
      annoy enough innocent bystanders you'll get blacklisted.

      > mail_name = Postfix ESMTP $myhostname

      Very odd. Best to remove this.

      > maps_rbl_domains = blackholes.mail-abuse.org, sbl.spamhaus.org,
      > bl.spamcop.net, blackholes.easynet.nl

      maps_rbl_domains is deprecated; you should remove the above
      and use explicit reject_rbl_client statements instead.

      mail-abuse.org is a pay service (with questionable
      effectiveness). Remove it unless you have a subscription.

      sbl.spamhaus.org is OK, but zen.spamhaus.org is far more
      effective. Note spamhaus' usage policy has changed, they are
      no longer free for "high-volume" sites and will block queries
      if you exceed their limits.

      > maps_rbl_reject_code = 550

      Best left at the default.

      > mynetworks = 87.117.xxx.xxx

      It's not required, but generally a good idea to include
      127.0.0.1 in mynetworks.

      > reject_code = 550
      > relay_domains_reject_code = 550

      both these are best left at defaults.

      > smtpd_client_restrictions = hash:/etc/postfix/access, reject_maps_rbl

      Much better to use
      check_client_access hash:/etc/postfix/access
      rather than depending on the undocumented implied
      check_{SECTION}_access.

      It's best to prefix these with
      permit_mynetworks, permit_sasl_authenticated
      so you don't reject your own users if their home connection
      happens to be on an RBL.

      Even better, move these checks to smtpd_recipient_restrictions.

      > smtpd_delay_reject = no

      Generally unwise. This prevents excluding authenticated
      clients from smtpd_client_restrictions or
      smtpd_helo_restrictions because the client hasn't
      authenticated yet. Also reduces the usefulness of logged
      rejections since the sender and intended recipient can't be
      logged.

      But OK if your authenticated users are connecting to
      "submission" or "smtps" with alternate settings.

      > smtpd_recipient_restrictions = permit_mynetworks,
      > permit_sasl_authenticated, check_client_access hash:/etc/postfix/access,

      I see you've duplicated your client access map here.
      Remove one of them.

      > reject_unauth_destination hash:/etc/postfix/block,

      another bare map name. Far better to use
      check_recipient_access hash:/etc/postfix/block

      > reject_non_fqdn_hostname, reject_non_fqdn_sender,
      > reject_non_fqdn_recipient, reject_invalid_hostname,
      > reject_unknown_sender_domain, check_relay_domains

      check_relay_domains is deprecated and should not be used.
      Since you already have reject_unauth_destination above, just
      remove this.

      This is a fine place to move your RBL restrictions
      reject_rbl_client zen.spamhaus.org
      reject_rbl_client bl.spamcop.net

      > unknown_address_reject_code = 450
      > unknown_client_reject_code = 450
      > unknown_hostname_reject_code = 450
      > unknown_local_recipient_reject_code = 450

      Better to change all these to 550 unless you are having
      trouble with rejecting mail you want - and are watching the
      logs for it.


      -- Noel Jones
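The two points in the reply above that trip people up are that a restriction list is walked strictly left to right, and that with smtpd_delay_reject=no the client and HELO lists run before the client has even had the chance to send AUTH. The following is an added example written for this thread, not Postfix source and not the poster's configuration: a deliberately simplified model of Postfix's restriction walk covering only the restrictions discussed here, with approximations (reject_non_fqdn_hostname is reduced to "the name contains no dot"). The access maps and DNSBL data are constructed dicts standing in for hash:/etc/postfix/access, hash:/etc/postfix/block and zen.spamhaus.org; the client IP, domains and the "titan" session are constructed to mirror the quoted log line.

```python
"""Simplified model of how Postfix smtpd walks a restriction list.

Added example for this thread, not Postfix code. Only the restrictions the
thread discusses are modelled, and the access maps / DNSBL are constructed
dicts, not real lookups.
"""
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass
class Session:
    client_ip: str
    helo: str
    sender: str
    recipient: str
    sasl_username: Optional[str] = None  # None means the client never sent AUTH
    mynetworks: tuple = ("127.0.0.1",)
    relay_domains: tuple = ("example.com",)  # assumed local/relay domain
    client_access: dict = field(default_factory=dict)     # stand-in for hash:/etc/postfix/access
    recipient_access: dict = field(default_factory=dict)  # stand-in for hash:/etc/postfix/block
    dnsbl: dict = field(default_factory=dict)             # {zone: set of listed client IPs}


def is_fqdn(name: str) -> bool:
    """Approximation of Postfix's FQDN test: 'mail.example.com' yes, 'titan' no."""
    return "." in name


def evaluate(restrictions, s: Session):
    """Walk the list left to right. The first entry that says permit or reject
    ends the walk; entries with no opinion (Postfix's DUNNO) are skipped."""
    rcpt_domain = s.recipient.rpartition("@")[2]
    for item in restrictions:
        name, _, arg = item.partition(" ")
        if name == "permit_mynetworks":
            if s.client_ip in s.mynetworks:
                return "permit", name
        elif name == "permit_sasl_authenticated":
            if s.sasl_username is not None:
                return "permit", f"{name} ({s.sasl_username})"
        elif name == "check_client_access":
            action = s.client_access.get(s.client_ip)
            if action == "OK":
                return "permit", item
            if action == "REJECT":
                return "reject", f"554 <{s.client_ip}>: Client host rejected: Access denied"
        elif name == "check_recipient_access":
            action = s.recipient_access.get(s.recipient)
            if action == "OK":
                return "permit", item
            if action == "REJECT":
                return "reject", f"554 <{s.recipient}>: Recipient address rejected: Access denied"
        elif name == "reject_unauth_destination":
            if rcpt_domain not in s.relay_domains:
                return "reject", f"554 <{s.recipient}>: Relay access denied"
        elif name == "reject_non_fqdn_hostname":
            if not is_fqdn(s.helo):
                return "reject", f"504 <{s.helo}>: Helo command rejected: need fully-qualified hostname"
        elif name == "reject_non_fqdn_sender":
            if not is_fqdn(s.sender.rpartition("@")[2]):
                return "reject", f"504 <{s.sender}>: Sender address rejected: need fully-qualified address"
        elif name == "reject_rbl_client":
            if s.client_ip in s.dnsbl.get(arg, set()):
                return "reject", f"554 Service unavailable; Client host [{s.client_ip}] blocked using {arg}"
        else:
            raise ValueError(f"restriction not modelled here: {name}")
    return "permit", "end of list"  # Postfix's implicit action at the end of a list


def smtp_transaction(config, s: Session, delay_reject: bool = True):
    """Apply each list at the stage Postfix uses. With smtpd_delay_reject=yes
    (the default) every list runs at RCPT TO, after AUTH. With
    smtpd_delay_reject=no, the client list runs at connect and the HELO list at
    HELO, both before the client can send AUTH, so they never see a SASL login."""
    stages = (("smtpd_client_restrictions", "CONNECT"),
              ("smtpd_helo_restrictions", "HELO"),
              ("smtpd_recipient_restrictions", "RCPT"))
    for key, stage in stages:
        rules = config.get(key, [])
        if not rules:
            continue
        before_auth = not delay_reject and stage != "RCPT"
        view = replace(s, sasl_username=None) if before_auth else s
        verdict, reason = evaluate(rules, view)
        if verdict == "reject":
            return "reject", f"{stage}: {reason}"
    return "permit", "queued"


# The thread's smtpd_recipient_restrictions after the cleanup suggested above:
# one client access map, explicit check_*_access for the bare map names,
# check_relay_domains dropped, RBL checks moved here as reject_rbl_client.
CLEANED = {
    "smtpd_recipient_restrictions": [
        "permit_mynetworks",
        "permit_sasl_authenticated",
        "check_client_access hash:/etc/postfix/access",
        "reject_unauth_destination",
        "check_recipient_access hash:/etc/postfix/block",
        "reject_non_fqdn_hostname",
        "reject_non_fqdn_sender",
        "reject_rbl_client zen.spamhaus.org",
    ],
}

# The same HELO check placed in smtpd_helo_restrictions, to show what
# smtpd_delay_reject=no does to a permit_sasl_authenticated put there.
HELO_STAGE = {
    "smtpd_helo_restrictions": ["permit_sasl_authenticated", "reject_non_fqdn_hostname"],
    "smtpd_recipient_restrictions": ["permit_sasl_authenticated", "reject_unauth_destination"],
}

# Constructed session modelled on the quoted log line: HELO "titan" from a home
# connection whose IP is (by construction) listed in the DNSBL data.
TITAN = Session(client_ip="192.0.2.10", helo="titan", sender="bob@example.net",
                recipient="russell@example.com",
                dnsbl={"zen.spamhaus.org": {"192.0.2.10"}})

if __name__ == "__main__":
    for label, cfg, sess, delay in (
        ("authenticated, delay_reject=yes", CLEANED, replace(TITAN, sasl_username="bob"), True),
        ("not authenticated", CLEANED, TITAN, True),
        ("authenticated, HELO list, delay_reject=no", HELO_STAGE, replace(TITAN, sasl_username="bob"), False),
    ):
        print(f"{label}: {smtp_transaction(cfg, sess, delay)}")
```

Run as a script, the three scenarios show the diagnosis in the reply: with the cleaned recipient list, an authenticated "titan" is permitted by permit_sasl_authenticated before reject_non_fqdn_hostname is ever consulted, while the same session without a SASL login produces exactly the 504 from the log. Moving the same pair into smtpd_helo_restrictions under smtpd_delay_reject=no rejects even the authenticated client, because the HELO list runs before AUTH. The model also shows why the reply puts permit_sasl_authenticated ahead of the RBL checks: a listed home IP is only blocked when the client is not one of your own users.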