1 |
On 2010-05-26 3:32 PM, Brandon Vargo wrote: |
2 |
> On Wed, 2010-05-26 at 15:40 +0100, Steve wrote: |
3 |
>> On a gentoo mailserver, I'm running Postfix 2.6.5 - and, having followed |
4 |
>> some howto or other, quite a long time ago, I have this section at the |
5 |
>> end of my main.cf: |
6 |
|
7 |
<snip> |
8 |
>> The problem arises elsewhere... where I'm not connected to my local |
9 |
>> (W)LAN (i.e. where I'm not in "permit_mynetworks") - where the |
10 |
>> phone reports: |
11 |
|
12 |
Whether or not your client is in mynetwroks is irrelevant, if you are |
13 |
sasl_authenticating. |
14 |
|
15 |
>> The server returned the following error message: |
16 |
>> |
17 |
>> 554 5.7.1 Service unavailable; Client host 149.254.48.170 blocked using |
18 |
>> sbl-xbl.spamhouse.org; http://www.spamhous.org/query/bl?ip=149.254.48.170 |
19 |
>> -- |
20 |
>> |
21 |
>> The block comes as no surprise as 149.254.48.170 isn't exclusively under |
22 |
>> my control |
23 |
|
24 |
Irrelevant... |
25 |
|
26 |
>> So... the questions: |
27 |
>> |
28 |
>> * How can I alter the configuration to process email from blocked |
29 |
>> locations if and only if the client authenticates? |
30 |
>> * How can I verify that SMTP auth has been done (when connecting from my |
31 |
>> LAN) - it would be a disaster if I inadvertently created an open relay. |
32 |
>> (I don't think I have - but better safe than sorry, etc.) |
33 |
>> |
34 |
>> Thanks in advance for any replies... |
35 |
|
36 |
> You want to split your rules between smtpd_recipient_restrictions, |
37 |
> smtpd_sender_restrictions, and smtpd_client_restrictions. |
38 |
|
39 |
Absolutely not necessary. In most cases - as long as the default (yes) |
40 |
for smtpd_delay_reject hasn't been changed - it is perfectly fine to |
41 |
have all restrictions under smtpd_recipient_restrictions - and in fact |
42 |
it is desirable because it is easier to maintain. |
43 |
|
44 |
The problem is that you are *not* sasl_authenticating - if you were, |
45 |
then you would not have hit that restriction. |
46 |
|
47 |
We need two things - output of postconf -n on your server, and a log |
48 |
snippet of a rejected send attempt. |
49 |
|
50 |
Also, contents of master.cf - are you using port 25, or the submission |
51 |
port (587)? You should always use the submission port if you aren't now. |
52 |
|
53 |
Charles |