On 9/8/2009 3:07 AM, Paul Beard wrote:
> I am getting no inbound email after locking down the requirements of
> users to authenticate before sending. I dropped back from current
> (2.7.*) to 2.6.5.
>
> Not having any success getting tcpdump output. The version I have
> differs from the example in the DEBUG instructions.
>
> Complete error messages. Please use cut-and-paste, or use attachments,
> instead of reciting information from memory.
>
> Sep 8 00:45:33 shuttle postfix/smtpd[56335]: lost connection after
> CONNECT from mail-pz0-f204.google.com[209.85.222.204]

Looks like the client disconnected.

Test your TLS implementation with
  openssl s_client -connect IP:port -starttls smtp
If you get a
  250 DSN
or similar message after all the SSL handshake goop, then it
worked.

> maps_rbl_domains = blackholes.mail-abuse.org

maps_rbl_domains parameter is deprecated. See the
reject_rbl_client command instead.

> smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
>   reject_invalid_hostname, permit

You need permit_sasl_authenticated right after permit_mynetworks.

> smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated

This is a no-op, you can remove it.

I don't see an smtpd_recipient_restrictions here. You will
need at least:
smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination

> smtpd_tls_loglevel = 3

Everything you may need should be logged at level 1.

> strict_rfc821_envelopes = yes

This may reject legit mail.

> --master.cf--
> smtp inet n - n - 200 smtpd
>   -o content_filter=filter:
>   -o smtpd_tls_wrappermode=yes

Ouch! Don't do that!
This is likely why the client disconnected; your server was
speaking SSL and the client was speaking normal SMTP. It
looked like garbage to the client.
Wrappermode should only be used on a dedicated port, typically
465 "smtps".

>   -o smtpd_sasl_auth_enable=yes

Since smtpd_sasl_auth_enable is set in main.cf, no reason to
set it here.

-- Noel Jones
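
The wrappermode problem described in the reply above can be checked for mechanically. The following is an added example, not part of the original message or of Postfix: it parses master.cf text and reports inet services that set smtpd_tls_wrappermode=yes on anything other than a dedicated port. The sample configuration, the function names and the set of accepted ports (465 and its "smtps" service name) are assumptions made for the illustration.

```python
import re

# Constructed sample modelled on the master.cf fragment quoted in the message,
# plus one correctly configured dedicated-port service for contrast.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command
smtp      inet  n  -  n  -  200  smtpd
  -o content_filter=filter:
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n  -  n  -  -    smtpd
  -o smtpd_tls_wrappermode=yes
"""

# Assumption: ports where implicit TLS (wrappermode) is expected.
WRAPPER_PORTS = {"465", "smtps"}

def logical_lines(text):
    """Yield master.cf entries with whitespace-led continuation lines joined."""
    entry = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        if raw[0].isspace() and entry is not None:
            entry += " " + raw.strip()    # continuation of the previous entry
        else:
            if entry is not None:
                yield entry
            entry = raw.strip()
    if entry is not None:
        yield entry

def misplaced_wrappermode(text):
    """Return inet services that enable wrappermode on a non-dedicated port."""
    flagged = []
    for entry in logical_lines(text):
        fields = entry.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue
        service = fields[0]
        port = service.rsplit(":", 1)[-1]          # handles "host:port" forms
        opts = dict(re.findall(r"-o\s+(\w+)=(\S+)", entry))
        if opts.get("smtpd_tls_wrappermode") == "yes" and port not in WRAPPER_PORTS:
            flagged.append(service)
    return flagged

if __name__ == "__main__":
    for svc in misplaced_wrappermode(SAMPLE_MASTER_CF):
        print(f"{svc}: smtpd_tls_wrappermode=yes on a port where clients speak plain SMTP")
```
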