On Jan 6, 2014, at 1:17 PM, Eric Cunningham <e...@whoi.edu> wrote:

> Hi, I've encountered a problem with Windows-based devices, such as Windows
> Phones, being unable to send mail through postfix. The problem and
> resolution are described at
> http://answers.microsoft.com/en-us/winphone/forum/wp8-wpemail/smtp-authentication-for-outgoing-emails-via-a/2132a705-e1d0-401d-9883-f22f7ed2cb6a
>
> However, if I add LOGIN to mech_list in /etc/postfix/sasl/smtpd.conf to
> address that problem, our SMTP server becomes an open relay. Does anyone
> have any idea what might be causing this and what the fix is to allow Windows
> devices to send mail while not opening a mail relay?
I see a couple of things,

> mynetworks = 128.128.0.0/16, 127.0.0.0/8, 199.92.168.150, 172.16.8.0/24

All of these networks will be free to send, as stated in your config:

> smtpd_sender_restrictions = permit_sasl_authenticated,
>     permit_mynetworks

> smtpd_tls_security_level = may

Optional encryption; I would set that to encrypt. Also looking for these lines, which I don't see:

smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1

Adding LOGIN as an auth mech wouldn't make your system an open relay. Your system was open already.

-j

> /etc/postfix/sasl/smtpd.conf:
>
> pwcheck_method: saslauthd
> mech_list: PLAIN
> log_level: 0
>
> postconf -n
>
> address_verify_poll_count = ${stress?1}${stress:3}
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases, ldap:ldap
> anvil_rate_time_unit = 60s
> append_dot_mydomain = yes
> body_checks = pcre:/etc/postfix/access/body_access
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib/postfix
> default_process_limit = 250
> default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what]
>     blocked using $rbl_domain${rbl_reason?; $rbl_reason}. Contact
>     <postmas...@whoi.edu> if this is in error.
> header_checks = pcre:/etc/postfix/access/header_access
> html_directory = /usr/share/doc/postfix/html
> mailbox_size_limit = 0
> message_size_limit = 104857600
> mime_header_checks = pcre:/etc/postfix/access/mime_header_checks
> mydestination = $myhostname, $mydomain, postal2.$mydomain, outbox.$mydomain,
>     mail.$mydomain, localhost.$mydomain, localhost.localdomain, localhost,
>     beachcomberscompanion.org, whoi.net, cinar.org, bco-dmo.org,
>     bcodmo.org, oceanopportunities.org
> myhostname = postal2.whoi.edu
> mynetworks = 128.128.0.0/16, 127.0.0.0/8, 199.92.168.150, 172.16.8.0/24
> myorigin = $mydomain
> parent_domain_matches_subdomains =
> permit_mx_backup_networks = $mynetworks
> rbl_reply_maps = hash:/etc/postfix/access/dnsbl_replies
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> relay_domains = hash:/etc/postfix/mx_host_relays, oceanus.whoi.edu,
>     atlantis.whoi.edu knorr.whoi.edu, tioga.whoi.edu, bosun.whoi.edu,
>     striker.whoi.edu, striker2.whoi.edu, sssg1.whoi.edu, wbc.whoi.edu
> relayhost =
> relocated_maps = hash:/etc/postfix/relocated
> setgid_group = postdrop
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_client_connection_rate_limit = 60
> smtpd_client_message_rate_limit = 250
> smtpd_client_new_tls_session_rate_limit = 60
> smtpd_client_recipient_rate_limit = 300
> smtpd_client_restrictions = check_client_access
>     hash:/etc/postfix/access/connect_client_access
> smtpd_delay_reject = yes
> smtpd_error_sleep_time = 5s
> smtpd_etrn_restrictions = permit_mynetworks, reject
> smtpd_hard_error_limit = ${stress?1}${stress:20}
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, check_helo_access
>     pcre:/etc/postfix/access/final_helo_access
> smtpd_junk_command_limit = ${stress?1}${stress:100}
> smtpd_recipient_restrictions = reject_unauth_pipelining,
>     reject_non_fqdn_recipient, check_sender_access
>     pcre:/etc/postfix/access/final_sender_access,
>     reject_unknown_recipient_domain, permit_sasl_authenticated,
>     permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain,
>     check_recipient_access pcre:/etc/postfix/access/final_recipient_access,
>     check_client_access hash:/etc/postfix/access/final_client_access,
>     check_helo_access pcre:/etc/postfix/access/suspect_helo,
>     reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client autospam.whoi.edu, reject_rhsbl_sender dsn.rfc-ignorant.org,
>     reject_rbl_client dnsbl.ahbl.org, reject_rbl_client http.dnsbl.sorbs.net,
>     reject_rbl_client socks.dnsbl.sorbs.net, reject_rbl_client misc.dnsbl.sorbs.net,
>     reject_rbl_client web.dnsbl.sorbs.net, reject_rbl_client dul.dnsbl.sorbs.net,
>     reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org,
>     reject_rbl_client dyna.spamrats.com, reject_rbl_client noptr.spamrats.com,
>     reject_rbl_client virbl.dnsbl.bit.nl, reject_rbl_client ix.dnsbl.manitu.net,
>     reject_rbl_client backscatter.spameatingmonkey.net,
>     reject_rbl_client bl.spameatingmonkey.net,
>     reject_rhsbl_sender fresh.spameatingmonkey.net,
>     reject_rhsbl_client fresh.spameatingmonkey.net,
>     reject_rhsbl_sender uribl.spameatingmonkey.net,
>     reject_rhsbl_client uribl.spameatingmonkey.net,
>     reject_rhsbl_sender urired.spameatingmonkey.net,
>     reject_rhsbl_client urired.spameatingmonkey.net,
>     check_sender_access hash:/etc/postfix/access/check_backscatterer,
>     check_policy_service inet:127.0.0.1:10023, permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_sasl_authenticated,
>     permit_mynetworks
> smtpd_soft_error_limit = 10
> smtpd_starttls_timeout = ${stress?10}${stress:300}s
> smtpd_timeout = ${stress?10}${stress:300}s
> smtpd_tls_CAfile = /etc/postfix/tls/whoi-inCommon-interim.cer
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix/tls/whoi-inCommon-certificate.cer
> smtpd_tls_key_file = /etc/postfix/tls/whoi-inCommon-private.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_domains = $virtual_alias_maps
> virtual_alias_maps = hash:/etc/postfix/virtual, ldap:vldap
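What changing mech_list from PLAIN to PLAIN LOGIN actually alters is the framing of the AUTH exchange, not who may relay. The following is an added example, not code from the thread, from Postfix or from Cyrus SASL: a stand-in for smtpd plus saslauthd that accepts whichever mechanisms are in its mech_list, driven by a client that speaks either PLAIN (RFC 4616, one NUL-separated blob) or LOGIN (no RFC; two base64 "Username:" / "Password:" prompts, which is all some clients offer). The credentials eric / hunter2 are constructed, and the reply strings are illustrative rather than Postfix's exact wording. The last function shows why the posted smtpd_tls_auth_only = yes matters: both mechanisms only base64-encode the password, so without TLS anyone on the path reads it.

```python
"""SMTP AUTH PLAIN and AUTH LOGIN as the server side sees them.

Added example for this thread; not Postfix or Cyrus SASL code. The server
stands in for smtpd plus saslauthd, and the credentials are constructed.
"""
import base64

# LOGIN has no RFC; clients that speak it expect these two base64 prompts.
USERNAME_PROMPT = base64.b64encode(b"Username:").decode()  # VXNlcm5hbWU6
PASSWORD_PROMPT = base64.b64encode(b"Password:").decode()  # UGFzc3dvcmQ6

CREDENTIALS = {"eric": "hunter2"}  # constructed; saslauthd would check these


def verify(user, password):
    return CREDENTIALS.get(user) == password


def client_auth_lines(mech, user, password, authzid=""):
    """Lines a client sends for the mechanism it speaks.

    PLAIN: one base64 blob of authzid NUL authcid NUL password, sent as an
    initial response on the AUTH line (RFC 4616 / RFC 4954).
    LOGIN: AUTH LOGIN, then base64 username, then base64 password.
    """
    if mech == "PLAIN":
        blob = f"{authzid}\0{user}\0{password}".encode()
        return ["AUTH PLAIN " + base64.b64encode(blob).decode()]
    if mech == "LOGIN":
        return ["AUTH LOGIN",
                base64.b64encode(user.encode()).decode(),
                base64.b64encode(password.encode()).decode()]
    raise ValueError(f"unsupported mechanism {mech!r}")


def server_authenticate(client_lines, mech_list):
    """Drive the server side; return (final reply, transcript of both sides).

    mech_list plays the role of mech_list: in smtpd.conf. A mechanism the
    server does not offer fails before any credential is looked at.
    """
    transcript = []
    lines = iter(client_lines)
    first = next(lines, "")
    parts = first.split(" ", 2)
    transcript.append(("C", first))
    if len(parts) < 2 or parts[0].upper() != "AUTH":
        reply = "501 5.5.4 Syntax: AUTH mechanism"
        transcript.append(("S", reply))
        return reply, transcript
    mech = parts[1].upper()
    if mech not in mech_list:
        reply = "535 5.7.8 Error: authentication failed: mechanism not offered"
        transcript.append(("S", reply))
        return reply, transcript
    try:
        if mech == "PLAIN":
            if len(parts) == 3:
                blob = parts[2]
            else:                          # no initial response: empty challenge
                transcript.append(("S", "334 "))
                blob = next(lines)
                transcript.append(("C", blob))
            fields = base64.b64decode(blob, validate=True).split(b"\0")
            if len(fields) != 3:
                raise ValueError("PLAIN needs authzid, authcid, password")
            user, password = fields[1].decode(), fields[2].decode()
        elif mech == "LOGIN":
            transcript.append(("S", "334 " + USERNAME_PROMPT))
            u = next(lines)
            transcript.append(("C", u))
            transcript.append(("S", "334 " + PASSWORD_PROMPT))
            p = next(lines)
            transcript.append(("C", p))
            user = base64.b64decode(u, validate=True).decode()
            password = base64.b64decode(p, validate=True).decode()
        else:
            raise ValueError("mechanism offered but not implemented here")
    except (ValueError, StopIteration) as exc:   # binascii.Error is a ValueError
        reply = f"501 5.5.2 Cannot decode response: {exc}"
        transcript.append(("S", reply))
        return reply, transcript
    reply = ("235 2.7.0 Authentication successful" if verify(user, password)
             else "535 5.7.8 Error: authentication failed")
    transcript.append(("S", reply))
    return reply, transcript


def password_on_wire(client_lines):
    """What a passive observer of an unencrypted session recovers from either
    mechanism: base64 is encoding, not encryption."""
    last = client_lines[-1].split(" ")[-1]
    return base64.b64decode(last).split(b"\0")[-1].decode()


if __name__ == "__main__":
    for mech in ("PLAIN", "LOGIN"):
        for offered in (["PLAIN"], ["PLAIN", "LOGIN"]):
            reply, transcript = server_authenticate(
                client_auth_lines(mech, "eric", "hunter2"), offered)
            print(f"{mech} against mech_list {offered}:")
            for side, line in transcript:
                print(f"  {side}: {line}")
```

Run it and the LOGIN client fails against mech_list PLAIN and succeeds once LOGIN is offered, with the same saslauthd lookup behind both. Nothing in that exchange touches relaying; that decision is made by smtpd_recipient_restrictions, which is what permit_sasl_authenticated there consults.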
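The relaying decision lives in the quoted smtpd_recipient_restrictions, evaluated top to bottom until some restriction says permit or reject. As an added example (not from the thread and not Postfix code), here is a small evaluator that walks that list for a given client, so the "who is free to send" question can be answered from the config rather than guessed. It understands only the restrictions that settle relaying (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit, reject, and check_*_access with a caller-supplied lookup result); DNSBLs and the policy service are treated as DUNNO, and hash:/pcre:/ldap: tables are skipped because they cannot be consulted offline. The input is a trimmed copy of the posted postconf -n output; mydomain is not in that output and is added at its Postfix default (myhostname minus its first label), and parent_domain_matches_subdomains stays empty as posted, so relay_domains entries match exactly rather than with subdomains.

```python
"""Walk smtpd_recipient_restrictions the way smtpd does, for one client.

Added example for this thread; not Postfix code. Restrictions it does not
know are DUNNO: they neither permit nor reject.
"""
import ipaddress
import re

# Constructed from the postconf -n output in the thread, trimmed to what the
# evaluator reads. mydomain is Postfix's default (myhostname minus its first
# label); it was not in the posted output.
POSTCONF_N = """\
mydestination = $myhostname, $mydomain, mail.$mydomain, localhost, whoi.net
mydomain = whoi.edu
myhostname = postal2.whoi.edu
mynetworks = 128.128.0.0/16, 127.0.0.0/8, 199.92.168.150, 172.16.8.0/24
parent_domain_matches_subdomains =
relay_domains = hash:/etc/postfix/mx_host_relays, oceanus.whoi.edu, atlantis.whoi.edu
smtpd_recipient_restrictions = reject_unauth_pipelining,
    reject_non_fqdn_recipient, check_sender_access
    pcre:/etc/postfix/access/final_sender_access,
    reject_unknown_recipient_domain, permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023, permit
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/etc/postfix/virtual, ldap:vldap
"""


def parse_postconf(text):
    """postconf -n prints 'name = value'; continuation lines are indented."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and name is not None:
            params[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params


def expand(params, value, depth=0):
    """Expand $name / ${name}; the depth bound guards against reference loops."""
    if depth > 10:
        return ""
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params, params.get(m.group(1), ""), depth + 1), value)


def tokens(params, name):
    return [t for t in re.split(r"[,\s]+", expand(params, params.get(name, ""))) if t]


def is_table(token):
    """'type:name' lookup tables (hash:, pcre:, ldap:) are not readable offline."""
    return re.match(r"^[a-z0-9]+:", token) is not None


def in_mynetworks(params, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False)
               for e in tokens(params, "mynetworks") if not is_table(e))


def authorized_destination(params, domain):
    """Domains reject_unauth_destination lets through: local, virtual, relay."""
    domain = domain.lower().rstrip(".")
    for name in ("mydestination", "virtual_alias_domains", "virtual_mailbox_domains"):
        if domain in [t.lower() for t in tokens(params, name) if not is_table(t)]:
            return True
    # relay_domains matches subdomains only for ".domain" entries, or when
    # parent_domain_matches_subdomains names relay_domains (empty in the thread).
    implicit = "relay_domains" in tokens(params, "parent_domain_matches_subdomains")
    for e in tokens(params, "relay_domains"):
        if is_table(e):
            continue
        sub, e = implicit or e.startswith("."), e.lower().lstrip(".")
        if domain == e or (sub and domain.endswith("." + e)):
            return True
    return False


def evaluate(params, client_ip, sasl_authenticated, recipient, table_results=None):
    """(decision, deciding restriction) for one RCPT TO. table_results maps a
    check_*_access table token to the action its lookup returns (OK/REJECT);
    unlisted tables are DUNNO, as they cannot be consulted offline."""
    table_results = table_results or {}
    domain = recipient.rpartition("@")[2]
    toks = tokens(params, "smtpd_recipient_restrictions")
    i = 0
    while i < len(toks):
        r, i = toks[i], i + 1
        if r.startswith("check_") and r.endswith("_access") and i < len(toks) and is_table(toks[i]):
            table, i = toks[i], i + 1
            action = table_results.get(table)
            if action in ("OK", "REJECT"):
                return ("PERMIT" if action == "OK" else "REJECT"), f"{r} {table}"
        elif r == "permit_mynetworks" and in_mynetworks(params, client_ip):
            return "PERMIT", r
        elif r == "permit_sasl_authenticated" and sasl_authenticated:
            return "PERMIT", r
        elif r == "reject_unauth_destination" and not authorized_destination(params, domain):
            return "REJECT", r
        elif r in ("permit", "reject"):
            return r.upper(), r
    return "PERMIT", "end of list"


def relays_for_anyone(params, table_results=None):
    """Open-relay probe: an unknown, unauthenticated client (TEST-NET-3
    address) sending to a domain this server is not responsible for."""
    decision, _ = evaluate(params, "203.0.113.7", False, "victim@example.net", table_results)
    return decision == "PERMIT"


def trusted_address_count(params):
    """How many source addresses relay on mynetworks membership alone."""
    return sum(ipaddress.ip_network(e, strict=False).num_addresses
               for e in tokens(params, "mynetworks") if not is_table(e))
```

With every table returning DUNNO, an outside client sending to example.net is stopped by reject_unauth_destination, while anything inside 128.128.0.0/16, 172.16.8.0/24 or the single /32 relays on address alone, which is the "free to send" point above. The caveat the evaluator makes visible is ordering: in the posted list check_sender_access pcre:/etc/postfix/access/final_sender_access runs before reject_unauth_destination, and an OK action from that table permits the recipient for whoever matches the sender pattern (relays_for_anyone returns True when that lookup is simulated as OK). When a server relays unexpectedly, an access table or policy service listed ahead of reject_unauth_destination is the first place to look, ahead of the SASL mechanism list.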