Reject client from domains without MX records

  • Pau Peris
    Message 1 of 30 , Mar 22, 2014
      Machine mail.domain.com sends email for domain.com through Postfix 2.11, but today, reviewing the mail.log file, I noticed some WordPress installations on the machines wordpress.domain.com and blog.domain.com sending email through mail.domain.com, where the sender address is user@... and user@.... Obviously they configured WordPress to authenticate and send email via mail.domain.com.

      The issue here is that mail.domain.com is responsible for sending email for domain.com but not for *.domain.com, so the latter are not DKIM signed and obviously are not valid recipient addresses either, as those domains are not able to receive email. So I would like to reject clients using a From domain which is not able to receive email, like *.domain.com.

      I've been looking at the docs http://www.postfix.org/postconf.5.html but I'm unable to find a neat solution. Does anyone know how I can accomplish that?
    • lists@rhsoft.net
      Message 2 of 30 , Mar 22, 2014
        On 22.03.2014 10:29, Pau Peris wrote:
        > The issue here is that mail.domain.com is responsible for sending email for domain.com
        > but not for *.domain.com, so the latter are not DKIM signed and obviously are
        > not valid recipient addresses either, as those domains are not able to receive email. So I would like to reject clients
        > using a From domain which is not able to receive email, like *.domain.com.

        please don't post in HTML, it destroys quoting in a thread and has no benefit

        "domains without MX records" is a bad idea, there is no RFC saying
        that an MX record is mandatory, that is why any MTA falls back to the
        A record of the domain if there is no MX

        and to avoid Stan jumping out and shouting "but in this decade there are no domains
        without MX": they exist and they are used, I learned that after a customer complaint
        because my email verification on the webserver rejected addresses without MX

        not sure how it behaves in the case of non-existing subdomains,
        however, that should be enabled on any public MX and catches spam
        http://www.postfix.org/postconf.5.html#reject_unknown_sender_domain
      • Pau Peris
        Message 3 of 30 , Mar 22, 2014
          Thanks for the explanation but I think I'm not understanding you. I understand MX records are not mandatory, but I'm wondering what I am supposed to do when someone tries to send an email and the From address is not valid but an A or CNAME RR exists? By not valid I mean that replying to the From address will never reach any mailbox.

          My worries are:
          * I'm responsible for sending email for domain.com but not for *.domain.com.
          * I'm only signing and following the rules - like DKIM, SPF, DMARC - for domain.com but haven't done anything special for *.domain.com. And I don't want my server to be responsible for sending unsigned emails, etc.
          * I do not want to send emails if the from address is not reachable.

          Probably the best solution would be to make sure the From address matches the login address?

          I'm already using reject_unknown_sender_domain.

          Thank you so much.



        • Pau Peris
          Message 4 of 30 , Mar 22, 2014
            Just a last note: I would like to make sure that the domains/subdomains used as sender/From addresses have an MX RR accepting email for such domains/subdomains. I mean, if the From address is at host.mydomain.com, while it may be reachable as long as it has an A or CNAME RR, email delivered to host.mydomain.com may not have any MX record accepting emails for such a domain/subdomain.


            --
            Pau Peris Rodriguez
            Chief Executive Officer (CEO)
            Tel: 669650292
            C/Balmes 211, Principal Segunda
            Barcelona 08006
            http://www.webeloping.es

            This email contains confidential information addressed exclusively to the recipient(s) in copy. Its disclosure, copying or distribution to third parties without prior written authorization from Pau Peris Rodriguez is prohibited. If you have received this information in error, please notify the sender immediately at the sender's email address.
          • lists@rhsoft.net
            Message 5 of 30 , Mar 22, 2014
              please avoid top-posting

              On 22.03.2014 12:04, Pau Peris wrote:
              > Thanks for the explanation but I think I'm not understanding you. I understand MX records are not mandatory, but I'm
              > wondering what I am supposed to do when someone tries to send an email and the From address is not valid but an A
              > or CNAME RR exists? By not valid I mean that replying to the From address will never reach any mailbox.
              >
              > My worries are:
              > * I'm responsible for sending email for domain.com but not for *.domain.com.
              > * I'm only signing and following the rules - like DKIM, SPF, DMARC - for domain.com but haven't
              > done anything special for *.domain.com. And I don't want my server to be responsible for
              > sending unsigned emails, etc.

              you did not make clear that you talk about sending mail

              > * I do not want to send emails if the from address is not reachable.
              > Probably the best solution should be to make sure the from address matches the login address?

              yes, you should not allow non-existent senders
              you need some rules before "permit_sasl_authenticated"

              in most cases that should be enough:
              http://www.postfix.org/postconf.5.html#reject_unlisted_sender
              ___________________________________________________

              that is more complex to implement but, if done properly, the perfect solution;
              however, you also need to consider aliases being listed here, which may
              not have a login of their own but are allowed for the user/password combination

              reject_authenticated_sender_login_mismatch
              http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

              reject_authenticated_sender_login_mismatch
              Enforces the reject_sender_login_mismatch restriction for authenticated clients only.
              This feature is available in Postfix version 2.1 and later.
              ___________________________________________________

              that's how it looks in "main.cf", while you need a way of filling "smtpd_sender_login_maps"
              that matches your environment; "reject_non_fqdn_recipient" and "reject_non_fqdn_sender"
              are highly recommended, they reject user mistakes and prevent auto-adding "myhostname"
              if someone sends to "johnny"

              smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-senderaccess.cf

              smtpd_recipient_restrictions =
                  permit_mynetworks
                  reject_non_fqdn_recipient
                  reject_non_fqdn_sender
                  reject_unlisted_sender
                  reject_authenticated_sender_login_mismatch
                  permit_sasl_authenticated

              > I'm already using reject_unknown_sender_domain.
              > Thank you so much.

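rhsoft's message above lists the two ingredients: restrictions that run before permit_sasl_authenticated, and an ownership table (smtpd_sender_login_maps) that also covers aliases which have no login of their own. The block below is an added example written for this page, not code from the thread or from Postfix: a small policy server speaking the check_policy_service request/response protocol from Postfix's SMTPD_POLICY_README, applying the same rule as reject_authenticated_sender_login_mismatch but with an ownership table that can grant a shared alias to several logins or a whole subdomain to one login. The OWNERS table, the addresses under example.com, the reject text and port 10040 are assumptions of the example; the lookup order is this example's, not Postfix's.

```python
"""Postfix policy service enforcing MAIL FROM / SASL-login ownership.

Added example: implements the check_policy_service protocol from Postfix's
SMTPD_POLICY_README ("name=value" lines, blank line, "action=..." reply) and
applies an ownership table that also covers aliases and whole subdomains.
"""
import socketserver

# Constructed ownership table (assumption: a real deployment would load this
# from the same database an smtpd_sender_login_maps query would use).
#   key   : a full sender address, or "@domain" for a domain-wide grant
#   value : the SASL login names allowed to use that sender
OWNERS = {
    "sales@example.com": {"foo@example.com", "bar@example.com"},  # shared alias, no login of its own
    "@newsletter.example.com": {"ws@example.com"},                 # one login owns a whole subdomain
}

DUNNO = "action=DUNNO\n\n"          # no opinion: let the next restriction decide
REJECT = "action=REJECT Sender address rejected: not owned by user {login}\n\n"


def parse_policy_request(raw: str) -> dict:
    """Parse one request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break                        # end of this request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def normalize(addr: str) -> str:
    """Lower-case and strip angle brackets so '<Ws@Example.COM>' matches 'ws@example.com'."""
    return addr.strip().strip("<>").lower()


def sender_owned_by(sender: str, login: str, owners: dict = OWNERS) -> bool:
    """True if LOGIN may use SENDER as MAIL FROM (lookup order is this example's own):
    1. a login always owns its own address
    2. an explicit grant for the full sender address (aliases)
    3. a domain-wide grant for the sender's domain
    """
    sender, login = normalize(sender), normalize(login)
    if sender == login:
        return True
    if login in owners.get(sender, ()):
        return True
    domain = sender.rpartition("@")[2]
    return login in owners.get("@" + domain, ())


def policy_action(attrs: dict, owners: dict = OWNERS) -> str:
    """Decide on one parsed request. Only authenticated clients are checked,
    mirroring reject_authenticated_sender_login_mismatch."""
    if attrs.get("request") != "smtpd_access_policy":
        return DUNNO
    login = attrs.get("sasl_username", "")
    sender = attrs.get("sender", "")
    if not login or not sender:          # unauthenticated client, or null sender <>
        return DUNNO
    if sender_owned_by(sender, login, owners):
        return DUNNO
    return REJECT.format(login=login)


def handle_request(raw: str, owners: dict = OWNERS) -> str:
    """Raw request text in, raw response text out."""
    return policy_action(parse_policy_request(raw), owners)


class PolicyHandler(socketserver.StreamRequestHandler):
    """Postfix may send many requests over one connection; answer each in turn."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:                     # Postfix closed the connection
                    return
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            response = handle_request("\n".join(lines) + "\n\n")
            self.wfile.write(response.encode("utf-8"))
            self.wfile.flush()


def serve(host: str = "127.0.0.1", port: int = 10040) -> None:
    """Listen for Postfix (assumption: main.cf uses check_policy_service inet:127.0.0.1:10040)."""
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

Wire it in with check_policy_service inet:127.0.0.1:10040 placed before permit_sasl_authenticated, in the same position as reject_authenticated_sender_login_mismatch in the main.cf above; Postfix queries the service once per RCPT TO, so keep it cheap. For the case Pau describes (login ws@example.com, MAIL FROM ws@blog.example.com) the table has no grant for blog.example.com and the service answers REJECT; when the ownership rule fits a single table lookup, the native smtpd_sender_login_maps restriction does the same job without a separate daemon.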
            • Wietse Venema
              Message 6 of 30 , Mar 22, 2014
                Pau Peris:
                > Thanks for the explanation but i think i'm not understanding you. I
                > understand MX records are not mandatory but i'm wondering what am i
                > supposed to do when someone tries to send an email and the from address is
                > not valid but an A or CNAME RR exists?

                This is described in RFC 5321 section 5.1.


                Wietse
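rhsoft's message 2 (an MTA falls back to the A record when there is no MX) and Wietse's pointer to RFC 5321 section 5.1 describe one resolution procedure, and it is worth seeing end to end because it explains why a subdomain that is only a CNAME or an A record still counts as a deliverable sender domain. The block below is an added example written for this page, not code from the thread or from Postfix: it implements that procedure over a constructed in-memory zone so it runs offline. The zone contents, the names under example.com, and the reject_unknown_sender_domain function (an approximation of the Postfix restriction, which per postconf(5) rejects a sender domain only when it has no MX and no A record; this example also counts AAAA) are assumptions. It also handles the null MX of RFC 7505, a single "MX 0 ." record declaring that a name accepts no mail; that RFC was published after this thread and is the standard way to say what Pau wants to say about his subdomains.

```python
"""RFC 5321 section 5.1 mail-exchanger resolution, as an added example.

Runs over a constructed in-memory zone instead of live DNS; the zone
contents and the names under example.com are assumptions.
"""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, object]          # (rrtype, rdata)
Zone = Dict[str, List[Record]]

# Constructed zone standing in for DNS answers (assumption).
ZONE: Zone = {
    "example.com":        [("MX", (20, "mx2.example.com")), ("MX", (10, "mail.example.com"))],
    "mail.example.com":   [("A", "192.0.2.25")],
    "mx2.example.com":    [("A", "192.0.2.26")],
    "host.example.com":   [("A", "192.0.2.80")],              # A record only, no MX
    "blog.example.com":   [("CNAME", "host.example.com")],    # alias of an A-only host
    "ipv6.example.com":   [("AAAA", "2001:db8::25")],         # AAAA only
    "nomail.example.com": [("MX", (0, "."))],                  # null MX (RFC 7505)
}

MAX_CNAME_HOPS = 8


def canonical_name(name: str, zone: Zone) -> str:
    """Follow CNAMEs: RFC 5321 5.1 says the target is processed as if it were the initial name."""
    name = name.lower().rstrip(".")
    for _ in range(MAX_CNAME_HOPS):
        targets = [rdata for rrtype, rdata in zone.get(name, []) if rrtype == "CNAME"]
        if not targets:
            return name
        name = targets[0].lower().rstrip(".")
    raise ValueError("CNAME chain too long or looping for %r" % name)


def mail_exchangers(domain: str, zone: Zone) -> Optional[List[Tuple[int, str]]]:
    """Hosts a sending MTA would try for DOMAIN, best preference first.

    Returns None when the name accepts no mail at all: neither MX nor
    address record, or a null MX.
    """
    name = canonical_name(domain, zone)
    rrs = zone.get(name, [])
    mx = sorted(rdata for rrtype, rdata in rrs if rrtype == "MX")
    if mx:
        if mx == [(0, ".")]:             # RFC 7505: "this domain accepts no mail"
            return None
        return mx
    # No MX at all: RFC 5321 5.1 implicit MX, preference 0, pointing at the name itself
    if any(rrtype in ("A", "AAAA") for rrtype, _ in rrs):
        return [(0, name)]
    return None


def reject_unknown_sender_domain(domain: str, zone: Zone) -> bool:
    """Approximation of Postfix's reject_unknown_sender_domain: reject a
    MAIL FROM domain only when it has neither an MX nor an address record."""
    name = canonical_name(domain, zone)
    rrs = zone.get(name, [])
    has_mx = any(rrtype == "MX" for rrtype, _ in rrs)
    has_addr = any(rrtype in ("A", "AAAA") for rrtype, _ in rrs)
    return not (has_mx or has_addr)
```

Run against the constructed zone, blog.example.com (a CNAME to an A-only host) resolves to an implicit MX of preference 0 pointing at host.example.com and passes the unknown-sender-domain check, which is exactly the case the thread is about: DNS cannot tell that no mailbox exists there, so a check on the authenticated login's ownership of the sender address is the tool that can.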
              • Pau Peris
                Message 7 of 30 , Mar 24, 2014
                  Thank you everyone. Your advice has been very useful in resolving this issue.


                • Pau Peris
                  Message 8 of 30 , Mar 24, 2014
                    I'm wondering why you are setting the following policies under recipient restrictions and not under sender restrictions? Maybe it's more efficient?

                     reject_non_fqdn_sender
                     reject_unlisted_sender
                     reject_authenticated_sender_login_mismatch

                    Last, what do you think about reject_unverified_sender? Is it a resource drainer?

                    Thanks a lot!


                  • lists@rhsoft.net
                    Message 9 of 30 , Mar 24, 2014
                      On 24.03.2014 20:54, Pau Peris wrote:
                      > I'm wondering why you are setting the following policies under recipient restrictions
                      > and not under sender restrictions? Maybe it's more efficient?
                      >
                      > reject_non_fqdn_sender
                      > reject_unlisted_sender
                      > reject_authenticated_sender_login_mismatch

                      because with "smtpd_delay_reject", which is the default for
                      good reasons, it does not matter, and the configuration
                      is easier to understand as well as specific overrides
                      being easier to manage

                      > reject_non_fqdn_sender
                      > reject_unlisted_sender
                      > reject_authenticated_sender_login_mismatch
                      >
                      > Last, what do you think about reject_unverified_sender? Is it a resources drainer?

                      it may lead to blacklisting because you always make a sending
                      attempt, and in case of forged senders you do that to servers
                      that never tried to send a message to you
                    • Pau Peris
                      Message 10 of 30 , Mar 24, 2014
                        A hundred thanks!! Really great help, tomorrow I'm going to put it all together and solve the issue.

                        Good night!


                      • Pau Peris
                        Message 11 of 30 , Mar 26, 2014

                          Hello again,

                          I read carefully the explanation given by rhsoft and also went to the postconf
                          doc page - http://www.postfix.org/postconf.5.html - to be able to
                          understand each one of the statements I was setting up. It really looks
                          pretty easy, but I think I'm overlooking something because I'm not able to
                          reject senders based on:
                          * The sender/From address is not the one used to login/authenticate.
                          * The sender/From address does not exist.

                          I'm posting below my current Postfix setup in the hope that someone can help
                          find the error:

                          $ postconf |grep mail_version
                          mail_version = 2.11.0

                          $ postconf -n
                          https://gist.github.com/sibok/df8c8fc0d85785978c85

                          Here's the output shown in /var/log/mail.log

                          I enabled MySQL query logging, so this is what I saw when trying to send from ws@... to pau@..., where example.com is a valid domain, able to receive emails, and blog.example.com is a valid CNAME which is not able to receive emails, so the address ws@... does not exist.
                          https://gist.github.com/sibok/ef6a417d10ddf20bd242


                        • Pau Peris
                          Message 12 of 30 , Mar 27, 2014
                            Hi,

                            I'm really going nuts trying to get this running.

                            The current behavior is:
                            * An authenticated user can log in as user foo@... and then send an email using the From/sender address bar@...
                            * When another server I have, also running Postfix 2.11, which relays emails through the main server, tries to send an email, the local user sending the email must match the From/sender address. If not, the following message appears: "Sender address rejected: not owned by user...". It looks like the desired behavior only works for relaying.

                            Here's what happens when I fake a From address through telnet: https://gist.github.com/sibok/30d7b1085ee6eb26167c



                            I hope someone can give some bits of help.

                            Thanks


                          • Pau Peris
                            Message 13 of 30 , Mar 27, 2014
                              If I try to spoof the email/sender address through Mozilla Thunderbird I get the same error message as the one when relaying: <user@...>: Sender address rejected: not owned by user user2@...; so it looks like the issue only exists when working locally, like through the webmail solution.


                              On Thu, Mar 27, 2014 at 3:37 PM, Pau Peris <pau@...> wrote:
                              Hi,

                              i'm really getting nuts trying to get is running.

                              The current behavior is:
                              * An authenticated user can login as user foo@... and then send an email using from/sender address bar@...
                              * When another server i have, also running a Postfix 2.11, which relays emails on the main server tries to send an email the local user sending the email must match the from/sender address. If not the following message appears "Sender address rejected: not owned by user...". It looks like the desired behavior only works for relaying.

                              Here's what happens when i fake a from address through telnet https://gist.github.com/sibok/30d7b1085ee6eb26167c



                              I hope someone can give some bits of help.

                              Thanks


                              On Wed, Mar 26, 2014 at 9:22 PM, Pau Peris <pau@...> wrote:

                              Hello again,

                              i read carefully the explanation given by rhsoft and also went to postconf
                              doc page -  http://www.postfix.org/postconf.5.html -to be able to
                              understand each one of the statements i was setting up. It really looks
                              pretty easy but i think i'm bypassing something because i'm not able to
                              reject senders based on:
                              * The sender/from address is not the one used to login/authenticate.
                              * The sender/from address does not exist.

                              I'm posting bellow my current Postfix setup in hope someone can help to
                              find the error:

                              $ postconf |grep mail_version
                              mail_version = 2.11.0

                              $ postconf -n
                              https://gist.github.com/sibok/df8c8fc0d85785978c85


                              Here's the output shown at /var/log/mail.log

                              I enabled MySQL SQL Query logs so that's what i seen when trying to send from ws@... to pau@... where example.com is a valid domain, able to receive emails, and blog.example.com is a valid CNAME which is not able to receive emails so the following address ws@... does not exists.
                              https://gist.github.com/sibok/ef6a417d10ddf20bd242


                              On Tue, Mar 25, 2014 at 12:07 AM, Pau Peris <pau@...> wrote:
                              A hundred thanks!! Really great help; tomorrow I'm gonna put it all together and solve the issue.

                              Good night!


                              On Mon, Mar 24, 2014 at 9:06 PM, lists@... <lists@...> wrote:


                              On 24.03.2014 20:54, Pau Peris wrote:
                              > I'm wondering why you are setting the following policies under recipient restrictions
                              > and not under sender restrictions? Maybe it's more efficient?
                              >
                              > reject_non_fqdn_sender
                              > reject_unlisted_sender
                              > reject_authenticated_sender_login_mismatch

                              because with "smtpd_delay_reject", which is the default for
                              good reasons, it does not matter, and the configuration
                              is easier to understand, as well as specific overrides
                              being easier to manage

                              >  reject_non_fqdn_sender
                              >  reject_unlisted_sender
                              >  reject_authenticated_sender_login_mismatch
                              >
                              > Last, what do you think about reject_unverified_sender? Is it a resource drainer?

                              it may lead to blacklisting because you always make a sending
                              attempt, and in the case of forged senders you do that to servers
                              that never tried to send a message to you



                              --
                              Pau Peris Rodriguez
                              Chief Executive Officer (CEO)
                              Tel: 669650292
                              C/Balmes 211, Principal Segunda
                              Barcelona 08006
                              http://www.webeloping.es

                              This e-mail contains confidential information addressed exclusively to its recipient(s) in the present copy. Likewise, its disclosure, copying or distribution to third parties without prior written authorisation from Pau Peris Rodriguez is prohibited. If you have received this information in error, please notify the sender immediately of this circumstance via the sender's e-mail address.
                            • Pau Peris
                              Message 14 of 30 , Mar 27, 2014
                                After doing another try and looking carefully at the mail.log file I realize that after the first attempt to reject the email, it finally gets delivered. https://gist.github.com/sibok/82f84dcc71bfa75deeeb

                                Hope someone can help. Thanks!


                                On Thu, Mar 27, 2014 at 6:52 PM, Pau Peris <pau@...> wrote:
                                If I try to spoof the email/sender address through Mozilla Thunderbird I get the same error message as the one when relaying <user@...>: Sender address rejected: not owned by user user2@...; So it looks like the issue only exists when working locally, like through the webmail solution.


                                On Thu, Mar 27, 2014 at 3:37 PM, Pau Peris <pau@...> wrote:
                                Hi,

                                I'm really going nuts trying to get this running.

                                The current behavior is:
                                * An authenticated user can log in as user foo@... and then send an email using the from/sender address bar@...
                                * When another server I have, also running Postfix 2.11, which relays emails through the main server, tries to send an email, the local user sending the email must match the from/sender address. If not, the following message appears: "Sender address rejected: not owned by user...". It looks like the desired behavior only works for relaying.

                                Here's what happens when I fake a from address through telnet https://gist.github.com/sibok/30d7b1085ee6eb26167c



                              • lists@rhsoft.net
                                Message 15 of 30 , Mar 27, 2014
                                  On 27.03.2014 18:52, Pau Peris wrote:
                                  > If I try to spoof the email/sender address through Mozilla Thunderbird I get the same error message as the one when
                                  > relaying <user@...>: Sender address rejected: not owned by user user2@...;
                                  > So it looks like the issue only exists when working locally, like through the webmail
                                  > solution

                                  because "permit_mynetworks" does what it is supposed to do;
                                  if you don't have "mynetworks" configured, the defaults are applied

                                  [root@srv-rhsoft:~]$ postconf -d mynetworks
                                  mynetworks = 127.0.0.0/8 62.178.103.0/24 192.168.2.0/24 192.168.10.0/24 192.168.196.0/24 10.0.0.0/24
                                • Robert Schetterer
                                  Message 16 of 30 , Mar 27, 2014
                                    On 27.03.2014 18:52, Pau Peris wrote:
                                    > If I try to spoof the email/sender address through Mozilla Thunderbird I get
                                    > the same error message as the one when relaying <user@...>:
                                    > Sender address rejected: not owned by user user2@...;
                                    > So it looks like the issue only exists when working locally, like through
                                    > the webmail solution.


                                    configure your webmail to use SMTP, not the sendmail binary (as is the default in
                                    most webmail)


                                    Best Regards
                                    Kind regards, Robert Schetterer

                                    --
                                    [*] sys4 AG

                                    http://sys4.de, +49 (89) 30 90 46 64
                                    Franziskanerstraße 15, 81669 München

                                    Registered office: Munich, Munich District Court: HRB 199263
                                    Board: Patrick Ben Koetter, Marc Schiffbauer
                                    Chairman of the Supervisory Board: Florian Kirstein
                                  • Pau Peris
                                    Message 17 of 30 , Mar 27, 2014
                                      Hi,

                                      I didn't configure mynetworks because mynetworks_style is set to host. I thought it was the right thing to do to fit my needs, which obviously looks like it is not. Could you please explain to me why it is wrong? I think I'm not fully understanding why permit_mynetworks is wrong there.

                                      Robert, I'm using Roundcube, already configured to connect over SMTP and not via sendmail. Thanks for your tip.

                                      Thanks again,



                                      On Thu, Mar 27, 2014 at 7:32 PM, Robert Schetterer <rs@...> wrote:
                                    • lists@rhsoft.net
                                      Message 18 of 30 , Mar 27, 2014
                                        Can you please stop top-posting and using HTML on lists?
                                        What is bad about HTML? Look at the quote below after converting your message to plain text

                                        On 27.03.2014 19:53, Pau Peris wrote:
                                        > I didn't configure mynetworks because mynetworks_style is set to host. I thought
                                        > it was the right thing to do to fit my needs, which obviously looks like it is not. Could you
                                        > please explain to me why it is wrong?

                                        why should it be right?

                                        if you don't want to skip a restriction because the machine is
                                        in "mynetworks", just don't put "permit_mynetworks" before the
                                        restriction, or don't put the machine in question in "mynetworks"

                                        I know nobody who changed "mynetworks_style", and I know a lot of admins

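The two rules that come up in this thread are easy to lose in a long restriction list: sender checks may sit in smtpd_recipient_restrictions because the default smtpd_delay_reject=yes evaluates every list at RCPT TO, and a permit_mynetworks or permit_sasl_authenticated placed before a reject-type restriction lets the clients it matches skip everything after it. Postfix's warn_if_reject prefix is a third trap of the same kind: it turns the restriction that follows it into a "reject_warning" log line while the message is still accepted. The script below is an added example written for this page; it is not code from the thread, from the poster's configuration or from Postfix itself. It parses main.cf-style `name = value` text (the layout `postconf -n` prints, plus continuation lines) and reports each sender check that a preceding permit neutralises, that a warn_if_reject demotes, or that has no smtpd_sender_login_maps to consult. Both embedded configurations are constructed for the example, and the MySQL map path in them is invented.

```python
"""Added example, not code from this thread or from Postfix: a small linter for the
restriction-ordering mistakes discussed above.  It reads main.cf-style `name = value`
text (also what `postconf -n` prints) and reports every sender check that a preceding
permit_* restriction lets some clients skip, that a warn_if_reject prefix demotes to a
log line, or that has no smtpd_sender_login_maps to consult."""
import re
from typing import Dict, List

# Lists Postfix evaluates for an SMTP client.  With the default smtpd_delay_reject=yes
# all of them are evaluated at RCPT TO, so a sender check may live in any of them.
RESTRICTION_PARAMS = (
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
    "smtpd_relay_restrictions",
)
# Sender checks that should not be skippable by local or authenticated clients.
SENDER_CHECKS = {
    "reject_non_fqdn_sender",
    "reject_unlisted_sender",
    "reject_sender_login_mismatch",
    "reject_authenticated_sender_login_mismatch",
}
# A permit ends evaluation of the list for every client it matches; anything
# listed after it is never reached by those clients.
PERMITS = {"permit", "permit_mynetworks", "permit_sasl_authenticated", "permit_auth_destination"}

# Constructed sample (not the poster's real configuration; the MySQL map path is
# invented).  This is the shape of the misconfiguration the thread diagnoses: the
# permit comes first and the login-mismatch check is only warned about.
WEAK_CONF = """\
mynetworks_style = host
smtpd_recipient_restrictions = permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unlisted_sender,
    warn_if_reject reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Same list with the sender checks ahead of every permit and no warn_if_reject.
FIXED_CONF = """\
smtpd_sender_login_maps = mysql:/etc/postfix/sql/sender-login-maps.cf
smtpd_recipient_restrictions = reject_non_fqdn_sender,
    reject_unlisted_sender,
    reject_authenticated_sender_login_mismatch,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse `name = value` lines; a line that starts with whitespace continues the previous value."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def restriction_tokens(value: str) -> List[str]:
    """Split a restriction list on commas and whitespace, as Postfix does."""
    return [tok for tok in re.split(r"[\s,]+", value) if tok]


def lint(text: str) -> List[str]:
    """Return one finding per neutralised sender check; an empty list means the lists look sound."""
    params = parse_postconf(text)
    findings: List[str] = []
    has_login_maps = bool(params.get("smtpd_sender_login_maps"))
    for param in RESTRICTION_PARAMS:
        if param not in params:
            continue
        permitted_by = None    # first unconditional permit seen in this list
        warn_pending = False   # a warn_if_reject applies to the restriction that follows it
        for tok in restriction_tokens(params[param]):
            if tok == "warn_if_reject":
                warn_pending = True
                continue
            if tok in SENDER_CHECKS:
                if warn_pending:
                    findings.append(f"{param}: warn_if_reject turns {tok} into a log line; the message is still accepted")
                if permitted_by:
                    findings.append(f"{param}: {permitted_by} precedes {tok}; clients matched by {permitted_by} never reach it")
                if tok.endswith("login_mismatch") and not has_login_maps:
                    findings.append(f"{param}: {tok} has no smtpd_sender_login_maps to look up address owners in")
            elif tok in PERMITS and permitted_by is None:
                permitted_by = tok
            warn_pending = False
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        result = lint(conf)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run as a script it prints five findings for the weak list and none for the fixed one; calling lint() on the output of `postconf -n` from a real host checks that host. Only the five smtpd_*_restrictions lists are examined and only the plain permit_* restrictions are treated as bypasses; check_*_access tables and policy services, which can also return a permit, are outside its scope.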
                                      • Pau Peris
                                        Message 19 of 30 , Mar 27, 2014
                                          Hi,

                                          I understand the mistake now. I'm reviewing the whole set of restrictions to fix permit_mynetworks where it is needed.

                                          I'm looking at the Postfix site - http://postfix.org/postconf.5.html - for a way to create exceptions, as I would like some users like root to be able to spoof their from address, but I'm not able to find the right directive. Would you mind pointing me to the right one?

                                          Thank you so much. I really appreciate your help




                                        • lists@rhsoft.net
                                          Message 20 of 30 , Mar 27, 2014
                                            PLEASE LEARN TO USE YOUR MAIL-CLIENT AND HOW TO QUOTE

                                            * do not top post
                                            * do not post HTML
                                            * do not reply only to your own questions while you refer to answers
                                            * if you continue that way of posting i just ignore you

                                            this is a completely unreadable thread by now
                                            and what's below is hardly a response to my last message
                                            __________________________________________________

                                            back to topic:

                                            * why would you like to spoof root?
                                            * mails of cronjobs and such things are using the sendmail binary
                                            * the sendmail binary has *no relevance* to SMTP restrictions because it is not SMTP

                                            On 27.03.2014 20:04, Pau Peris wrote:
                                            > I understand the mistake now. I'm reviewing the whole set of restrictions to fix permit_mynetworks where it is needed.
                                            >
                                            > I'm looking at the Postfix site - http://postfix.org/postconf.5.html - for a way to create exceptions, as I would like
                                            > some users like root to be able to spoof their from address, but I'm not able to find the right directive. Would you
                                            > mind pointing me to the right one?
                                            >
                                            > Thank you so much. I really appreciate your help
                                          • Pau Peris
                                            Message 21 of 30 , Mar 27, 2014

                                              Excuse me, I'll try to follow your rules. The HTML thing was due to the reader; I think it turned web URLs and emails into HTML tags. Apologies.

                                              Regarding the exceptions list, you talk about cron emails using sendmail, but it is using the aliases table specified in main.cf and also uses an email rewriting table specified in main.cf. If possible I would like to create an exception table. The case is I would like aliases to be used only for receiving and forwarding to real email boxes. I do not want to let users log in through aliases. Also I would like some users like root to rewrite their email.

                                              Last, I think master.cf is overriding some restrictions, because when an email first hits smtp it gets rejected if the login mismatches the sender address, then I don't know why it is passed to the amavis content filter when it really should get rejected, and after amavis injects the email again into smtp it gets delivered. It's pretty weird, but I'm not able to find my mistake.

                                              Thanks a lot!!
                                              --

                                              Sent from my Android mobile, excuse the brevity.

                                              On Mar 27, 2014 9:17 PM, "lists@..." <lists@...> wrote:
                                            • Pau Peris
                                              Message 22 of 30 , Mar 28, 2014
                                                Finally,

                                                removing warn_if_rejected did the trick. Oh my, stupid mistake, easy fix!

                                                Thanks a lot rhsoft!!


                                                On Thu, Mar 27, 2014 at 11:48 PM, Pau Peris <pau@...> wrote:
                                                >
                                                > Excuse me, i'll try to follow your rules. The HTML thing was due to the reader, i think it took web URL and emails into HTML tags. Excuses.
                                                >
                                                > Respect the exceptions list, you talk about cron emails using sendmail but it is using aliases table specified in main.cf also uses an email rewriter table specified in main.cf If possible would like to create an exception table. The case is i would like aliases to be only used for receiving and forwarding to real email boxes. I do not want to let users login through aliases. Also i would like some users like root to rewrite its email.
                                                >
                                                > Last, i think master.cf is overwriting some restrictions because when emails first get smtp it gets rejected if login mismatch sender address, then don't know why it is passed to amavis content filter when it really should get rejected and after amavis injects the email again into smtp it gets delivered. It's pretty weird, but i'm not able to find my mistake.
                                                >
                                                > Thanks a lot!!
                                                > --
                                                >
                                                > Sent from my Android mobile, excuse the brevity.
                                                >

                                              • Pau Peris
                                                Message 23 of 30 , Mar 28, 2014
                                                  I think everything was working fine but after update main.cf file i'm seeing the following warning for emails incoming outside the box, postfix/smtpd[15455]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support

                                                  The previous warning is shown when i send an email from GMail to a domain whose email is managed by me.

                                                  Basically what i did is:
                                                  * Remove permit_mynetworks where i think it shouldn't be.
                                                  * Disable smtp auth globally and enable it at submission 587 and smtps 465.
                                                  * Remove the deprecated smtp_use_tls/smtpd_use_tls statements.

                                                  Here i paste my current main.cf and master.cf files. https://gist.github.com/sibok/f6f3fc9dfa074868e10e

                                                  Any help would be extremely appreciated. Thanks in advance!

                                                • lists@rhsoft.net
                                                  Message 24 of 30 , Mar 28, 2014
                                                    On 28.03.2014 20:33, Pau Peris wrote:
                                                    > I think everything was working fine but after update main.cf file i'm seeing the following warning
                                                    > for emails incoming outside the box, postfix/smtpd[15455]: warning: restriction
                                                    > `reject_authenticated_sender_login_mismatch' ignored: no SASL support
                                                    >
                                                    > The previous warning is show when i send an email from GMail to a domain whose email is managed by me.
                                                    >
                                                    > Basically what i did is:
                                                    > * Remove permit_mynetworks where i think it shouldn't be.
                                                    > * Disable smtp auth globally and enable it at submission 587 and smtps 465.
                                                    > * Remove the deprecated smtp_use_tls/smtpd_use_tls statements

                                                    `reject_authenticated_sender_login_mismatch' has a clear context to SASL auth
                                                    just don't list SASL related params in main.cf if "disable smtp auth globally"
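A concrete layout of the split rhsoft describes, added here as an example and not taken from the thread or from either poster's configuration: SASL stays off on port 25, so no authentication-dependent restriction is listed in main.cf, and SASL plus the login/sender check are enabled only on the submission services through master.cf overrides. The Dovecot SASL socket, the map path and the single map entry are assumptions.

```text
# /etc/postfix/main.cf  (added example, not the poster's file)
# Port 25 serves inbound MX traffic only. With SASL disabled here, any
# *_sender_login_mismatch restriction listed in main.cf is ignored and
# logs "restriction ... ignored: no SASL support", which is the warning
# from the thread. So nothing SASL-related is listed in this file.
smtpd_sasl_auth_enable = no

smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    # rejects a MAIL FROM domain that has neither an MX nor an A record
    reject_unknown_sender_domain

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# /etc/postfix/master.cf  (added example)
# SASL, the login map and the login/sender check live only on the
# submission services. Override values carry no spaces (Postfix 2.x).
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sender_login_maps=hash:/etc/postfix/sender_login_maps
  -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sender_login_maps=hash:/etc/postfix/sender_login_maps
  -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# /etc/postfix/sender_login_maps  (added example; assumed path, run "postmap"
# on it after editing). Left column: envelope sender. Right column: the SASL
# login(s) allowed to use that sender. An authenticated login that does not
# own the sender gets "Sender address rejected: not owned by user".
user@domain.com    user@domain.com
```

Because the check is attached to the submission services only, GMail and other MX-to-MX senders on port 25 never see it, which answers the question whether the mismatch rule can affect incoming mail.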
                                                  • Pau Peris
                                                    Message 25 of 30 , Mar 28, 2014

                                                      Could you be more explicit or place an example on how main.cf should look after removing the sasl params and how master.cf should look please?

                                                      Thank u so much!!

                                                      Sent from my Android mobile, excuse the brevity.


                                                    • lists@rhsoft.net
                                                      Message 26 of 30 , Mar 28, 2014
                                                        sorry, you need to read manuals and try some things at your own
                                                        if you can't handle it why do you remove auth globally?
                                                        in general don't change defaults for no good reason

                                                      • Pau Peris
                                                        Message 27 of 30 , Mar 28, 2014

                                                          I don't think that's about reading but about expertise. Which takes time after reading.

                                                          I will reenable sasl globally again while i try to understand it all.

                                                          I'm unsure if login sender mismatch can have any side effect for incoming email once global sasl auth is activated. Could you please explain this?

                                                          Thanks a lot!
                                                          --

                                                          Sent from my Android mobile, excuse the brevity.

                                                        • lists@rhsoft.net
                                                          Message 28 of 30 , Mar 28, 2014
                                                            On 29.03.2014 00:43, Pau Peris wrote:
                                                            > I don't think that's about reading but about expertise. Which takes time after reading

                                                            no, it's a matter of read, try and try again, been there done that

                                                            > I will reenable sasl globally again while i try to understand it all
                                                            > I'm unsure if login sender mismatch can have any side effect for incoming email once global sasl auth is activated

                                                            as said: read the documentation, especially for params you are using

                                                            "reject_authenticated_sender_login_mismatch" contains the word "authenticated"
                                                            http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch

                                                          • Pau Peris
                                                            Message 29 of 30, Mar 28, 2014

                                                              Thanks a lot!
                                                              --
                                                              Sent from my Android mobile, excuse the brevity.

                                                            • Pau Peris
                                                              Message 30 of 30, Mar 28, 2014
                                                                Just in case someone is interested: finally I disabled SASL auth globally and fixed the previous error by adding/modifying the following lines in master.cf

                                                                smtp                  inet  n       -       -       -       -       smtpd
                                                                   -o smtpd_sasl_auth_enable=yes

                                                                As you can see, I forgot to enable SASL on smtp.

                                                                I also added the following restriction next to reject_authenticated_sender_login_mismatch:

                                                                    reject_authenticated_sender_login_mismatch,
                                                                    reject_known_sender_login_mismatch,

                                                                Maybe it helps someone.

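A small checker for the pitfall this thread ran into, added here as an example (it is neither the poster's configuration nor Postfix code): it reads main.cf and master.cf, applies the per-service -o overrides, and reports every login-mismatch restriction that smtpd would log as "ignored: no SASL support" because smtpd_sasl_auth_enable is off for that service. The sample configuration is constructed; the parser handles plain "key = value" and "-o key=value" forms only and does not expand $variable references.

```python
import re
# Restrictions smtpd evaluates only when SASL is active on that service; with SASL
# off it logs "restriction `...' ignored: no SASL support" (the warning in the thread).
SASL_ONLY_RESTRICTIONS = {"reject_sender_login_mismatch", "reject_known_sender_login_mismatch",
    "reject_authenticated_sender_login_mismatch", "reject_unauthenticated_sender_login_mismatch"}
RESTRICTION_PARAMS = ("smtpd_sender_restrictions", "smtpd_recipient_restrictions")

def parse_main_cf(text):
    """main.cf -> {parameter: value}; indented lines continue the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            params[key] = value  # $variable references are kept verbatim, not expanded
    return params

def parse_master_cf(text):
    """master.cf -> [(service, command, {override: value})] from '-o key=value' args."""
    services = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if not line[0].isspace():  # new entry: name type private unpriv chroot wakeup maxproc command
            if len(fields) < 8:
                continue
            services.append((fields[0], fields[7], {}))
            fields = fields[8:]
        elif not services:
            continue  # indented line before any service entry
        for i, tok in enumerate(fields):  # -o overrides, on the entry line or indented below it
            if tok == "-o" and i + 1 < len(fields) and "=" in fields[i + 1]:
                services[-1][2].update([fields[i + 1].split("=", 1)])
    return services

def find_ignored_sasl_restrictions(main_cf_text, master_cf_text):
    """(service, parameter, restriction) for each SASL-only restriction on an smtpd service whose
    effective smtpd_sasl_auth_enable is not yes, i.e. one Postfix would warn about and skip."""
    main, findings = parse_main_cf(main_cf_text), []
    for service, command, overrides in parse_master_cf(master_cf_text):
        effective = lambda p: overrides.get(p, main.get(p, ""))  # -o override beats main.cf
        if command != "smtpd" or effective("smtpd_sasl_auth_enable").lower() == "yes":
            continue
        for param in RESTRICTION_PARAMS:
            for restriction in re.split(r"[,\s]+", effective(param)):
                if restriction in SASL_ONLY_RESTRICTIONS:
                    findings.append((service, param, restriction))
    return findings

# Constructed sample mirroring the thread: SASL off globally, login-mismatch restrictions
# in main.cf, -o re-enables SASL on submission only (the poster's first attempt).
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
    reject_known_sender_login_mismatch, permit
"""
SAMPLE_MASTER_CF = """\
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
"""
```

Running find_ignored_sasl_restrictions(SAMPLE_MAIN_CF, SAMPLE_MASTER_CF) flags both restrictions on the smtp service and nothing on submission; adding the poster's "-o smtpd_sasl_auth_enable=yes" under the smtp entry makes the list empty.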