On Thu, Aug 18, 2022 at 03:10:57PM -0400, post...@ptld.com wrote:

> I am trying to understand what the connecting client is doing in this
> situation on submission port 587. I replaced my domain with
> example.com.
Why do you believe that the logs below are for port 587?

> Aug 18 14:15:27 mx postfix/smtpd[26495]: warning: hostname
> dsl-201-121-80-137-dyn.prod-infinitum.com.mx does not resolve to address
> 201.121.80.137: Name or service not known
> Aug 18 14:15:27 mx postfix/smtpd[26495]: connect from unknown[201.121.80.137]
> Aug 18 14:15:27 mx postfix/smtpd[26495]: NOQUEUE: reject: RCPT from
> unknown[201.121.80.137]: 554 5.7.1 <r99...@gmail.com>: Recipient address
> rejected: Access denied; from=<test...@example.com> to=<r99...@gmail.com>
> proto=ESMTP helo=<TDA1017C2>
> Aug 18 14:15:27 mx postfix/smtpd[26495]: lost connection after RCPT from
> unknown[201.121.80.137]
> Aug 18 14:15:27 mx postfix/smtpd[26495]: disconnect from
> unknown[201.121.80.137] ehlo=1 mail=1 rcpt=0/1 commands=2/3

This client did not establish a TLS connection, and did not try to
authenticate.

> Normally when someone is trying to guess submission logins I would see
> something like: warning: unknown[62.233.50.137]: SASL PLAIN
> authentication failed: Connection lost to authentication server
>
> What is the client doing in the first log to get "Recipient address rejected:
> Access denied;"
>
> The submission restrictions are:
>
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_security_options=noanonymous
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
>   -o smtpd_recipient_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject

For port 587 submission, you should have configured at least:

    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt

With these, any attempt to start a mail transaction (MAIL FROM:) will be
rejected if not inside TLS, and the syslog_name will clearly differentiate
between connections to ports 587 and 25.
The stock master.cf file from Wietse includes (commented out):

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  # Instead of specifying complex smtpd_<xxx>_restrictions here,
    #  # specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
    #  # here, and specify mua_<xxx>_restrictions in main.cf (where
    #  # "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
    #  -o smtpd_client_restrictions=
    #  -o smtpd_helo_restrictions=
    #  -o smtpd_sender_restrictions=
    #  -o smtpd_relay_restrictions=
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    # Choose one: enable submissions for loopback clients only, or for any
    # client.
    #127.0.0.1:submissions inet n  -       n       -       -       smtpd
    #submissions inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submissions
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  # Instead of specifying complex smtpd_<xxx>_restrictions here,
    #  # specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
    #  # here, and specify mua_<xxx>_restrictions in main.cf (where
    #  # "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
    #  -o smtpd_client_restrictions=
    #  -o smtpd_helo_restrictions=
    #  -o smtpd_sender_restrictions=
    #  -o smtpd_relay_restrictions=
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

--
    Viktor.
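As an added illustration that is not part of this thread, the following Python reduces Postfix smtpd log lines into per-session records (TLS established? SASL login? the ehlo/mail/rcpt counters from the "disconnect" line) and flags sessions that reached MAIL FROM with neither TLS nor authentication, which is exactly what the quoted client did. The second session in the sample, the hostname client.example.net, the IP 192.0.2.10, the queue ID and the user name are constructed for the example.

```python
import re

# Constructed sample log: the first session is the one quoted in the thread
# (client 201.121.80.137); the second is a hypothetical, well-behaved submission
# client (192.0.2.10) logged under syslog_name=postfix/submission as recommended.
SAMPLE_LOG = """\
Aug 18 14:15:27 mx postfix/smtpd[26495]: connect from unknown[201.121.80.137]
Aug 18 14:15:27 mx postfix/smtpd[26495]: NOQUEUE: reject: RCPT from unknown[201.121.80.137]: 554 5.7.1 <r99...@gmail.com>: Recipient address rejected: Access denied; from=<test...@example.com> to=<r99...@gmail.com> proto=ESMTP helo=<TDA1017C2>
Aug 18 14:15:27 mx postfix/smtpd[26495]: lost connection after RCPT from unknown[201.121.80.137]
Aug 18 14:15:27 mx postfix/smtpd[26495]: disconnect from unknown[201.121.80.137] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Aug 18 14:20:01 mx postfix/submission/smtpd[26510]: connect from client.example.net[192.0.2.10]
Aug 18 14:20:01 mx postfix/submission/smtpd[26510]: Anonymous TLS connection established from client.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Aug 18 14:20:02 mx postfix/submission/smtpd[26510]: 4ABCDE12345: client=client.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@example.com
Aug 18 14:20:02 mx postfix/submission/smtpd[26510]: disconnect from client.example.net[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>postfix(?:/\w+)?/smtpd)"
                     r"\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"^(?:dis)?connect from (?P<client>\S+?\[[^\]]+\])")
COUNTER_RE = re.compile(r"\b(\w+)=(\d+)(?:/(\d+))?")   # name=accepted[/total]

def parse_sessions(log_text: str) -> list:
    """Rebuild one record per smtpd session (keyed by smtpd pid) from log lines."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            open_sessions[pid] = {"service": m.group("prog"), "tls": False, "sasl_username": None,
                                  "client": CLIENT_RE.match(msg).group("client"), "commands": {}}
        elif pid in open_sessions:
            sess = open_sessions[pid]
            if "TLS connection established from" in msg:
                sess["tls"] = True
            elif "sasl_username=" in msg:
                sess["sasl_username"] = msg.split("sasl_username=", 1)[1].split(",")[0].strip()
            elif msg.startswith("disconnect from "):
                tail = msg.split("]", 1)[1]   # counters follow the client[ip] token
                for name, accepted, total in COUNTER_RE.findall(tail):
                    sess["commands"][name] = (int(accepted), int(total or accepted))
                finished.append(open_sessions.pop(pid))
    return finished

def flag_unauthenticated_mail(sessions: list) -> list:
    """Sessions that issued MAIL FROM without TLS and without a SASL login; with
    smtpd_tls_security_level=encrypt on submission, no client can get this far."""
    return [s for s in sessions if s["commands"].get("mail", (0, 0))[1] >= 1
            and not s["tls"] and s["sasl_username"] is None]
```

Once syslog_name=postfix/submission is set, the "service" field separates port 587 sessions from port 25 ones, so the flag can be restricted to the submission service alone.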