On Mon, 13 Jan 2020 at 18:44, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> On Mon, Jan 13, 2020 at 06:25:27PM +0100, Simon B wrote:
>
> > > >> >Since upgrading to 2.11 yesterday (yes, I am on a path to move up
> > > >> >through debian versions), all mail coming in on
> > > >> >postfix/submission/smtpd is being rejected by the domain check in that
> > > >> >file, even though the user is sasl authenticated.
>
> Note, Postfix 2.11 (actually 2.10 IIRC) adds "smtpd_relay_restrictions",
> which you don't override in the submission service definition:

Cause and effect in one simple sentence - thanks Viktor!

> > submission inet n - n - - smtpd
> >   -o syslog_name=postfix/submission
> >   -o smtpd_delay_reject=yes
> > #  -o receive_override_options=no_address_mappings
> >   -o always_add_missing_headers=yes
> >   -o content_filter=dksign:[127.0.0.1]:10028
> >   -o smtpd_enforce_tls=yes
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_tls_security_level=encrypt
> >   -o smtpd_tls_auth_only=yes
> >   -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
>
> But you also don't override, "smtpd_helo_restrictions", ...

Thanks for the additional hint.

> The boilerplate commented submission service in recent upstream Postfix
> master.cf files reads:
>
> #submission inet n - n - - smtpd
> #  -o syslog_name=postfix/submission
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_tls_auth_only=yes
> #  -o smtpd_reject_unlisted_recipient=no
> #  -o smtpd_client_restrictions=$mua_client_restrictions
> #  -o smtpd_helo_restrictions=$mua_helo_restrictions
> #  -o smtpd_sender_restrictions=$mua_sender_restrictions
> #  -o smtpd_recipient_restrictions=
> #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
>
> Yours should look substantially similar (sans comments):

Now looks like this...

submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_delay_reject=yes
  -o always_add_missing_headers=yes
  -o content_filter=dksign:[127.0.0.1]:10028
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_plaintext_session,reject
  -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_helo_hostname
  -o smtpd_sender_restrictions=reject_non_fqdn_sender
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Which seems to have solved the problem - or at least just kicked it
down the road.

Now there's a slightly different format of the error when receiving
mail from the amavis filter...

Jan 15 11:39:31 mail postfix/smtpd[31588]: connect from localhost[127.0.0.1]
Jan 15 11:39:31 mail postfix/smtpd[31588]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <amavisd.example.net>: Helo command rejected: Host not found; from=<si...@example.net> to=<simo...@example.com> proto=ESMTP helo=<amavisd.example.net>
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) smtp resp to RCPT (pip) (<simo...@example.com>): 554 5.7.1 <amavisd.example.net>: Helo command rejected: Host not found
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) Negative SMTP resp. to DATA: 554 5.5.1 Error: no valid recipients
Jan 15 11:39:31 mail postfix/smtpd[31588]: disconnect from localhost[127.0.0.1]
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) (!)kTBsiMtC7PPJ FWD from <si...@example.net> -> <simo...@example.com>, BODY=7BIT 554 5.7.1 from MTA(smtp:[127.0.0.1]:10025): 554 5.7.1 <amavisd.example.net>: Helo command rejected: Host not found
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) Blocked MTA-BLOCKED {RejectedInbound}, [127.0.0.1] [217.110.53.130] <si...@example.net> -> <simo...@example.com>, Message-ID: <20200115113913.horde.vu0wmb4khzfc85v7hddg...@webmail.example.net>, mail_id: kTBsiMtC7PPJ, Hits: -5.2, size: 1093, 5595 ms
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) TIMING-SA total 5466 ms - parse: 1.86 (0.0%), extract_message_metadata: 3.8 (0.1%), get_uri_detail_list: 0.31 (0.0%), tests_pri_-1000: 4.5 (0.1%), tests_pri_-950: 1.14 (0.0%), tests_pri_-900: 0.91 (0.0%), tests_pri_-400: 77 (1.4%), check_bayes: 76 (1.4%), b_tie_ro: 1.69 (0.0%), b_tokenize: 3.1 (0.1%), b_tok_get_all: 3.9 (0.1%), b_comp_prob: 1.50 (0.0%), b_tok_touch_all: 63 (1.2%), b_finish: 0.65 (0.0%), tests_pri_0: 5223 (95.6%), check_spf: 0.23 (0.0%), check_dkim_adsp: 3.3 (0.1%), check_dcc: 138 (2.5%), check_razor2: 5005 (91.6%), check_pyzor: 40 (0.7%), tests_pri_500: 3.1 (0.1%), learn: 141 (2.6%), b_learn: 140 (2.6%), b_tie_rw: 1.85 (0.0%), b_count_change: 99 (1.8%), get_report: 0.59 (0.0%)
Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) size: 1093, TIMING [total 5599 ms] - SMTP greeting: 2.0 (0%)0, SMTP EHLO: 0.8 (0%)0, SMTP pre-MAIL: 0.2 (0%)0, SMTP pre-DATA-flush: 2.8 (0%)0, SMTP DATA: 36 (1%)1, check_init: 0.5 (0%)1, digest_hdr: 1.2 (0%)1, digest_body_dkim: 0.2 (0%)1, collect_info: 3.8 (0%)1, mime_decode: 8 (0%)1, get-file-type1: 17 (0%)1, parts_decode: 0.3 (0%)1, check_header: 0.9 (0%)1, AV-scan-1: 3.5 (0%)1, spam-wb-list: 1.8 (0%)1, SA msg read: 0.6 (0%)1, SA parse: 2.9 (0%)1, SA check: 5461 (98%)99, decide_mail_destiny: 7 (0%)99, notif-quar: 0.4 (0%)99, fwd-connect: 30 (1%)100, fwd-mail-pip: 5 (0%)100, fwd-rcpt-pip: 0.3 (0%)100, fwd-data-chkpnt: 0.1 (0%)100, fwd-end-chkpnt: 1.0 (0%)100, prepare-dsn: 1.7 (0%)100, report: 1.3 (0%)100, main_log_entry: 4.6 (0%)100, update_snmp: 2.0 (0%)100, SMTP pre-response: 0.3 (0%)100, SMTP response: 0.2 (0%)100, unlink-1-files: 0.2 (0%)100, rundown: 0.6 (0%)100
Jan 15 11:39:31 mail postfix/smtp[31583]: 47yQMw5NBrz7L5SW: to=<simo...@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=12, delays=6.1/0.01/0/5.6, dsn=5.7.1, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 5.7.1 id=02303-14 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 554 5.7.1 <amavisd.example.net>: Helo command rejected: Host not found (in reply to end of DATA command))

Despite the fact that I changed those receiver settings in master.cf to:

#The amavis receiver
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=permit_mynetworks,reject_plaintext_session
  -o smtpd_helo_restrictions=permit_mynetworks
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_bind_address=127.0.0.1

At the moment nothing is going through amavis in either direction, so
that's a problem...

Cheers.

Simon
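
Added example, not part of the original message or of Postfix: a small check that lists which smtpd restriction lists each master.cf service leaves un-overridden and therefore inherits from main.cf, the effect Viktor describes for smtpd_relay_restrictions. The function names are hypothetical, the sample is constructed from the two service definitions quoted above, and only the plain "-o name=value" form is handled.

```python
RESTRICTION_LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                     "smtpd_sender_restrictions", "smtpd_relay_restrictions",
                     "smtpd_recipient_restrictions")

# Constructed sample: the original submission entry and the amavis receiver
# from this message, trimmed to the restriction-related options.
SAMPLE_MASTER_CF = """\
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
# The amavis receiver
127.0.0.1:10025 inet n - - - - smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject_plaintext_session
  -o smtpd_helo_restrictions=permit_mynetworks
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

def parse_services(text):
    """Return {service_name: {param: value}} for every smtpd service."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                            # blank line or comment
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # continuation of previous entry
        else:
            logical.append(line.strip())
    services = {}
    for entry in logical:
        fields = entry.split()
        # service type private unpriv chroot wakeup maxproc command [args]
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        args = fields[8:]
        services[fields[0]] = dict(a.split("=", 1) for f, a in zip(args, args[1:])
                                   if f == "-o" and "=" in a)
    return services

def inherited_lists(text):
    """Map each smtpd service to the restriction lists it leaves to main.cf."""
    return {svc: [p for p in RESTRICTION_LISTS if p not in opts]
            for svc, opts in parse_services(text).items()}

if __name__ == "__main__":
    for svc, missing in inherited_lists(SAMPLE_MASTER_CF).items():
        print(svc, "inherits from main.cf:", ", ".join(missing) or "none")
```

An empty override such as "-o smtpd_sender_restrictions=" counts as overridden; for any list reported as inherited, `postconf -n` shows the main.cf value that applies to the service.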