On Wed, 21 Oct 2009, johnea wrote:

> However I had trouble for the first time today configuring a client
> for the submission port. Mail from this client is rejected with:
>
> Oct 21 13:11:31 atom postfix/smtpd[8849]: NOQUEUE: reject: RCPT from
> xxxxx[aa.bb.cc.dd]: 504 5.5.2 <johnealaptop>: Helo command rejected:
> need fully-qualified hostname; from=<outl...@telco-op.org>
> to=<m...@johnea.net> proto=ESMTP helo=<johnealaptop>
>
> I was under the impression that the -o options specified for submission
> in the master.cf file superseded the general options specified in main.cf
> (hey, I'm an EE, no one ever taught me how to do this stuff)

It does not supersede all restrictions, only those you explicitly override
with -o.

> FQDN HELO is required in the main.cf but I believed that the delayed
> evaluation would allow the sasl authentication specified for submission.

No, your smtpd_client_restrictions evaluates to OK, but for the same
client, smtpd_helo_restrictions (which are not skipped) evaluate to REJECT,
and the client is correctly turned away.

> This is the helo restrictions section of the main.cf:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> disable_vrfy_command = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
>     permit_mynetworks,
>     reject_non_fqdn_helo_hostname,
>     reject_invalid_helo_hostname,
>     reject_unknown_helo_hostname,
>     permit
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> I will happily supply the whole file if this is not enough.

Generally, the output of 'postconf -n' is preferred in lieu of snippets or
entire main.cf dumps.

> This is the complete master.cf file:

Next time, exclude the comments. :)

> -o smtpd_client_restrictions=permit_sasl_authenticated,reject

OK.

> Should I move the main.cf helo restrictions into recipient restrictions?

You could, but it would still lead to a rejection of that client because
you do not override smtpd_recipient_restrictions in your master.cf.

> Or maybe just specify a blank helo restrictions line for submission in
> the master.cf?

Sure. There are a variety of ways around this. Personally, I specify all
my restrictions in main.cf under smtpd_recipient_restrictions, and then
override *that* in my master.cf for the submission smtpd(8). Whatever you
decide, just make sure to use reject_unauth_destination as early as
possible to avoid becoming an open relay.

-- 
Sahil Tandon <sa...@tandon.net>
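
The evaluation order discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: a simplified Python model of how the per-stage restriction lists combine with `-o` overrides. The recipient list in `MAIN_CF` and the session fields in `LAPTOP` are assumptions; the helo list and the submission override are the ones posted above.

```python
# Simplified model of smtpd restriction lists (added example, not Postfix code).
STAGES = ["smtpd_client_restrictions", "smtpd_helo_restrictions",
          "smtpd_sender_restrictions", "smtpd_recipient_restrictions"]

# Each restriction returns OK, REJECT or DUNNO for a session (subset only).
RULES = {
    "permit": lambda s: "OK",
    "reject": lambda s: "REJECT",
    "permit_mynetworks": lambda s: "OK" if s["in_mynetworks"] else "DUNNO",
    "permit_sasl_authenticated": lambda s: "OK" if s["sasl_auth"] else "DUNNO",
    "reject_non_fqdn_helo_hostname": lambda s: "DUNNO" if "." in s["helo"] else "REJECT",
    "reject_invalid_helo_hostname": lambda s: "DUNNO",  # syntax check not modelled
    "reject_unknown_helo_hostname": lambda s: "DUNNO" if s["helo_resolves"] else "REJECT",
    "reject_unauth_destination": lambda s: "DUNNO" if s["rcpt_local"] else "REJECT",
}

HELO_CHECKS = ["reject_non_fqdn_helo_hostname", "reject_invalid_helo_hostname",
               "reject_unknown_helo_hostname"]
# main.cf: helo list as posted; the recipient list is an assumed value.
MAIN_CF = {
    "smtpd_helo_restrictions": ["permit_mynetworks"] + HELO_CHECKS + ["permit"],
    "smtpd_recipient_restrictions": ["permit_mynetworks", "reject_unauth_destination"],
}
# master.cf submission override as posted.
SUBMISSION = {"smtpd_client_restrictions": ["permit_sasl_authenticated", "reject"]}
# Constructed session for the laptop in the log line.
LAPTOP = {"helo": "johnealaptop", "helo_resolves": False, "sasl_auth": True,
          "in_mynetworks": False, "rcpt_local": True}

def evaluate(main_cf, overrides, session):
    """Return (verdict, stage, rule); -o replaces only the lists it names."""
    cfg = {**main_cf, **overrides}
    for stage in STAGES:
        for rule in cfg.get(stage, []):
            verdict = RULES[rule](session)
            if verdict == "REJECT":
                return ("REJECT", stage, rule)
            if verdict == "OK":
                break  # OK ends this list only; the next list still runs
    return ("OK", None, None)

if __name__ == "__main__":
    # As posted: client list says OK, helo list still rejects.
    print(evaluate(MAIN_CF, SUBMISSION, LAPTOP))
    # With a blank helo list added to the submission overrides.
    print(evaluate(MAIN_CF, {**SUBMISSION, "smtpd_helo_restrictions": []}, LAPTOP))
```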