Miguel Da Silva - Centro de Matemática wrote:
Dear users, I realized today that the local SMTP server is not working as expected.

I found these lines in the log files:

Mar  2 22:42:48 smtp postfix/smtpd[30427]: 1A66913105B: client=r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134.zz.xx], sasl_method=PLAIN, sasl_username=usuario1
Mar  2 22:42:49 mordred postfix/cleanup[30478]: 1A66913105B: message-id=<49ac7fbf.1050...@cmat.edu.uy>

Mar  2 18:41:59 smtp postfix/smtpd[15652]: TLS connection established from r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134.zz.xx]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Mar  2 18:42:02 smtp postfix/smtpd[15652]: NOQUEUE: reject: RCPT from r190-134-zz-xx.dialup.adsl.anteldata.net.uy[190.134.zz.xx]: 450 4.7.1 <dest...@cmat.edu.uy>: Recipient address rejected: Greylisting in action, please come back later.; from=<usuar...@cmat.edu.uy> to=<dest...@cmat.edu.uy> proto=ESMTP helo=<UserPC>

So, the first 2 lines show usuario1 sending mail through this server and everything goes fine. His client is using SASL authentication and that's ok. On the other hand, the last 2 lines show usuario2 cannot use the SMTP server. The mail he is sending is being rejected. But the rejection is due to greylisting (postgrey is being used), not due to lack of authentication. Note both users are sending mails from their homes.

Obviously usuario2 did not authenticate.


Here go some lines from main.cf:

smtpd_recipient_restrictions =
        reject_rbl_client sbl.spamhaus.org
        reject_rbl_client bl.spamcop.net

Do you really want to subject authenticated users to the above checks? Many users' home ISPs will be listed in spamhaus and/or spamcop and won't be able to submit mail. These checks should be moved below reject_unauth_destination, and you should probably use zen.spamhaus.org rather than sbl.

        check_recipient_access hash:/etc/postfix/bloqueados

It's generally unwise to put access tables before reject_unauth_destination. Accidental entries can make you an open relay.
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

        permit_sasl_authenticated
        permit_mynetworks
        reject_unauth_destination
        reject_unknown_recipient_domain
        reject_unverified_recipient
        check_policy_service inet:127.0.0.1:10026

smtpd_sender_restrictions =
        regexp:/etc/postfix/sender.regexp,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain

Suggestions?! My idea is, if you are not part of $mynetworks, then authenticating is the only way to get mail relayed through this server.

Greetings.

  -- Noel Jones
