On Tue, Jan 11, 2022 at 10:41:55PM -0500, Bill Cole wrote:
> On 2022-01-11 at 19:58:09 UTC-0500 (Tue, 11 Jan 2022 19:58:09 -0500)
> Ruben Safir <ru...@mrbrklyn.com>
> is rumored to have said:
> 
> >>
> >>I hope that makes some sense. But I still don't
> >>understand your statement that "It is hitting on port
> >>587" I'm not sure what you mean by "It".
> >
> >
> >It means that thunderbird, outside the network, is reaching across the
> >internet and tickling port 587 on postfix and it doesn't care... it
> >still throws up a block like it was accessing port 25.  Spamhaus claims
> >it should allow this, but it doesn't.  It is blocked.  Postfix triggers a
> >request to spamhaus and it returns a RBL block.
> 
> So you need to fix your Postfix's port 587 service. Override
> whatever smtpd_*_restrictions list you have using whichever Spamhaus
> list your client IP is on with a list suited to initial submission.
> 
> That's a vague answer because your problem remains vague. You've
> described your setup in natural human language, which is ill-suited
> to describe Postfix configuration.
> 


Ah -- you may have nailed it.

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
regexp:/etc/postfix/helo.regexp, permit
smtpd_sender_restrictions = hash:/etc/postfix/access,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
check_client_access hash:/etc/postfix/helo_client_exceptions
check_sender_access    hash:/etc/postfix/sender_checks,
reject_invalid_hostname,
# Can cause issues with Auth SMTP, so be wary!
reject_non_fqdn_hostname,
#################################
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_unauth_destination,
permit_mynetworks, reject_unauth_destination,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net
reject_rbl_client cbl.abuseat.org,
 permit

smtpd_data_restrictions = reject_unauth_pipelining, permit

How does this affect port 587 specifically?


> As the docs say regarding getting help here you should include
> command output from:
> 
> "postconf -n"
> 
> "postconf -Mf" (Postfix 2.9 or later).

alias_maps = hash:/etc/aliases, hash:/usr/lib/mailman/data/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = [domain redacted].com, [domain redacted].com
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = [[domains redacted]]
mydomain = [domain redacted].com
myhostname = [domain redacted].com
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_clientcerts =
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = no
smtp_sasl_password_maps =
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/tls/smtpd.pem
smtp_tls_cert_file = /etc/postfix/tls/smtpd.pem
smtp_tls_key_file = /etc/postfix/tls/smtpd.pem
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, 
regexp:/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = check_client_access 
hash:/etc/postfix/helo_client_exceptions check_sender_access 
hash:/etc/postfix/sender_checks, reject_invalid_hostname, 
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, 
reject_unknown_sender_domain, reject_unknown_recipient_domain, 
permit_mynetworks, reject_unauth_destination, permit_mynetworks, 
reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_hostname, 
reject_non_fqdn_sender, reject_non_fqdn_recipient, 
reject_unknown_sender_domain, reject_unknown_recipient_domain, 
reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net 
reject_rbl_client cbl.abuseat.org, permit
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = hash:/etc/postfix/access, 
reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
> 
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire

-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com 

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive 
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com 

Being so tracked is for FARM ANIMALS and extermination camps, 
but incompatible with living as a free human being. -RI Safir 2013
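
Added example, not part of the original message or of Postfix itself: a small Python check that merges main.cf settings (`postconf -n`) with the `-o` overrides of one master.cf service (`postconf -Mf`) and lists the `reject_rbl_client` zones that service still consults, which is how a main.cf DNSBL check ends up applying to port 587. The function names and the sample configuration are constructed for illustration; `$name` references and the `-o { name = value }` form are not expanded.

```python
import re

RESTRICTION_LISTS = [f"smtpd_{stage}_restrictions" for stage in
                     ("client", "helo", "sender", "relay", "recipient", "data")]

def parse_main(text):
    """Parse `postconf -n` style 'name = value'; indented lines continue a value."""
    params, name = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, _, value = (s.strip() for s in line.partition("="))
            params[name] = value
    return params

def parse_overrides(text, service):
    """Collect '-o name=value' overrides of one smtpd service (`postconf -Mf` layout)."""
    overrides, active = {}, False
    for line in text.splitlines():
        if line and not line[0].isspace():      # a new service entry starts in column 0
            fields = line.split()
            active = fields[0] == service and fields[-1] == "smtpd"
            continue
        m = re.match(r"\s+-o\s+(\w+)\s*=\s*(.*)", line)
        if active and m:
            overrides[m.group(1)] = m.group(2).strip()
    return overrides

def rbl_lookups(main_text, master_text, service):
    """Return {restriction list: [DNSBL zones]} still in effect for the service."""
    effective = {**parse_main(main_text), **parse_overrides(master_text, service)}
    hits = {}
    for name in RESTRICTION_LISTS:
        zones = re.findall(r"reject_rbl_client\s+([^\s,]+)", effective.get(name, ""))
        if zones:
            hits[name] = zones
    return hits

# Constructed sample input, not taken from the thread.
MAIN_CF = """smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
"""
INHERITS = "smtp inet n - n - - smtpd\nsubmission inet n - n - - smtpd\n"
CLIENT_ONLY = (INHERITS + "    -o smtpd_sasl_auth_enable=yes\n"
               "    -o smtpd_client_restrictions=permit_sasl_authenticated,reject\n")
OVERRIDDEN = CLIENT_ONLY + "    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject\n"
for label, master in (("inherits", INHERITS), ("client only", CLIENT_ONLY), ("overridden", OVERRIDDEN)):
    print(label, rbl_lookups(MAIN_CF, master, "submission"))
```

An override of `smtpd_client_restrictions` alone leaves the inherited recipient list, and its DNSBL lookups, in place for the submission service.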
