| 1 |
On 2010-05-26 3:32 PM, Brandon Vargo wrote: |
| 2 |
> On Wed, 2010-05-26 at 15:40 +0100, Steve wrote: |
| 3 |
>> On a gentoo mailserver, I'm running Postfix 2.6.5 - and, having followed |
| 4 |
>> some howto or other, quite a long time ago, I have this section at the |
| 5 |
>> end of my main.cf: |
| 6 |
|
| 7 |
<snip> |
| 8 |
>> The problem arises elsewhere... where I'm not connected to my local |
| 9 |
>> (W)LAN (i.e. where I'm not in "permit_mynetworks") - where the |
| 10 |
>> phone reports: |
| 11 |
|
| 12 |
Whether or not your client is in mynetwroks is irrelevant, if you are |
| 13 |
sasl_authenticating. |
| 14 |
|
| 15 |
>> The server returned the following error message: |
| 16 |
>> |
| 17 |
>> 554 5.7.1 Service unavailable; Client host 149.254.48.170 blocked using |
| 18 |
>> sbl-xbl.spamhouse.org; http://www.spamhous.org/query/bl?ip=149.254.48.170 |
| 19 |
>> -- |
| 20 |
>> |
| 21 |
>> The block comes as no surprise as 149.254.48.170 isn't exclusively under |
| 22 |
>> my control |
| 23 |
|
| 24 |
Irrelevant... |
| 25 |
|
| 26 |
>> So... the questions: |
| 27 |
>> |
| 28 |
>> * How can I alter the configuration to process email from blocked |
| 29 |
>> locations if and only if the client authenticates? |
| 30 |
>> * How can I verify that SMTP auth has been done (when connecting from my |
| 31 |
>> LAN) - it would be a disaster if I inadvertently created an open relay. |
| 32 |
>> (I don't think I have - but better safe than sorry, etc.) |
| 33 |
>> |
| 34 |
>> Thanks in advance for any replies... |
| 35 |
|
| 36 |
> You want to split your rules between smtpd_recipient_restrictions, |
| 37 |
> smtpd_sender_restrictions, and smtpd_client_restrictions. |
| 38 |
|
| 39 |
Absolutely not necessary. In most cases - as long as the default (yes) |
| 40 |
for smtpd_delay_reject hasn't been changed - it is perfectly fine to |
| 41 |
have all restrictions under smtpd_recipient_restrictions - and in fact |
| 42 |
it is desirable because it is easier to maintain. |
| 43 |
|
| 44 |
The problem is that you are *not* sasl_authenticating - if you were, |
| 45 |
then you would not have hit that restriction. |
| 46 |
|
| 47 |
We need two things - output of postconf -n on your server, and a log |
| 48 |
snippet of a rejected send attempt. |
| 49 |
|
| 50 |
Also, contents of master.cf - are you using port 25, or the submission |
| 51 |
port (587)? You should always use the submission port if you aren't now. |
| 52 |
|
| 53 |
Charles |
Archives