| 1 |
On Wed, 2010-05-26 at 15:40 +0100, Steve wrote: |
| 2 |
> On a gentoo mailserver, I'm running Postfix 2.6.5 - and, having followed |
| 3 |
> some howto or other, quite a long time ago, I have this section at the |
| 4 |
> end of my main.cf: |
| 5 |
> |
| 6 |
> -- |
| 7 |
> smtpd_recipient_restrictions = |
| 8 |
> permit_mynetworks, |
| 9 |
> permit_sasl_authenticated, |
| 10 |
> reject_unauth_destination, |
| 11 |
> reject_non_fqdn_sender, |
| 12 |
> reject_rbl_client sbl-xbl.spamhaus.org, |
| 13 |
> reject_rbl_client list.dsbl.org, |
| 14 |
> reject_rbl_client bl.spamcop.net, |
| 15 |
> reject_unknown_sender_domain, |
| 16 |
> reject_rhsbl_sender bogusmx.rfc-ignorant.org |
| 17 |
> -- |
| 18 |
> |
| 19 |
> While it might not be optimal, it worked extremely well for a long |
| 20 |
> time. The block lists were a godsend as I receive(d) quite a lot of |
| 21 |
> spam which had threatened to bog down spamassassin. For ages, I just |
| 22 |
> used my ISP's SMTP server to send, and only received on my own. |
| 23 |
> |
| 24 |
> I've bought a smart phone (an HTC HD2 on Windows Mobile 6.5) and need to |
| 25 |
> use it to access my email on this server - both via mobile and Wi-Fi |
| 26 |
> connectivity. The IMAP(s) side works OK for my inbox (after a few |
| 27 |
> dovecot tweaks) - and, after a setting up SASL, I can now send email |
| 28 |
> from my phone via my own SMTP server, which gateways this to my ISP... |
| 29 |
> all secured by a complex password. So far, so good - and I can send |
| 30 |
> email from home over Wi-Fi from my phone. The problem arises |
| 31 |
> elsewhere... where I'm not connected to my local (W)LAN (i.e. where I'm |
| 32 |
> not in "permit_mynetworks") - where the phone reports: |
| 33 |
> |
| 34 |
> -- |
| 35 |
> The server returned the following error message: |
| 36 |
> |
| 37 |
> 554 5.7.1 Service unavailable; Client host 149.254.48.170 blocked using |
| 38 |
> sbl-xbl.spamhouse.org; http://www.spamhous.org/query/bl?ip=149.254.48.170 |
| 39 |
> -- |
| 40 |
> |
| 41 |
> The block comes as no surprise as 149.254.48.170 isn't exclusively under |
| 42 |
> my control - and, likely, is a vector for lots of spam - now mobile data |
| 43 |
> services are cheap and difficult to trace. What I didn't expect is for |
| 44 |
> my connection to be rejected even though I had the right username and |
| 45 |
> password. |
| 46 |
> |
| 47 |
> So... the questions: |
| 48 |
> |
| 49 |
> * How can I alter the configuration to process email from blocked |
| 50 |
> locations if and only if the client authenticates? |
| 51 |
> * How can I verify that SMTP auth has been done (when connecting from my |
| 52 |
> LAN) - it would be a disaster if I inadvertently created an open relay. |
| 53 |
> (I don't think I have - but better safe than sorry, etc.) |
| 54 |
> |
| 55 |
> Thanks in advance for any replies... |
| 56 |
> |
| 57 |
> |
| 58 |
|
| 59 |
You want to split your rules between smtpd_recipient_restrictions, |
| 60 |
smtpd_sender_restrictions, and smtpd_client_restrictions. The first will |
| 61 |
apply rules to the recipient address, controlling the destinations to |
| 62 |
which the mail server will send mail. The second will apply rules to the |
| 63 |
sender address. The third will restrict who is allowed to connect to |
| 64 |
your mail server in the first place. By default, |
| 65 |
smtpd_recipient_restrictions permits mynetworks and rejects unauthorized |
| 66 |
recipients, smtp_sender_restrictions permits everything, and |
| 67 |
smtpd_client_restrictions allows all connections. In all, the first |
| 68 |
restriction that matches is applied. |
| 69 |
|
| 70 |
What you want it something closer to this: |
| 71 |
|
| 72 |
smtpd_client_restrictions = |
| 73 |
permit_mynetworks, |
| 74 |
permit_sasl_authenticated, |
| 75 |
reject_rbl_client sbl-xbl.spamhaus.org, |
| 76 |
reject_rbl_client list.dsbl.org, |
| 77 |
reject_rbl_client bl.spamcop.net, |
| 78 |
reject_rhsbl_sender bogusmx.rfc-ignorant.org |
| 79 |
|
| 80 |
smtpd_recipient_restrictions = |
| 81 |
permit_mynetworks, |
| 82 |
permit_sasl_authenticated, |
| 83 |
reject_unauth_destination |
| 84 |
|
| 85 |
smtpd_sender_restrictons = |
| 86 |
permit_mynetworks, |
| 87 |
permit_sasl_authenticated, |
| 88 |
reject_non_fqdn_sender, |
| 89 |
reject_unknown_sender_domain |
| 90 |
|
| 91 |
Note that I have not tested this exact configuration, but I have |
| 92 |
something similar on my mail server. This configuration will allow all |
| 93 |
mail from your local network and any authenticated client. If neither of |
| 94 |
these conditions are met, the remote client is blocked if they are on |
| 95 |
one of the DNS block lists, the sender address is not known, or the mail |
| 96 |
is addressed to an unauthorized destination. If the client is on the |
| 97 |
local network or authenticated, none of the other rules will apply. You |
| 98 |
can of course test the rules by using one of the many mail relay testing |
| 99 |
websites or simply connecting from outside your network with and without |
| 100 |
using authentication. |
| 101 |
|
| 102 |
For more information on these rules, look at the postfix documentation, |
| 103 |
which is quite comprehensive: |
| 104 |
* http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions |
| 105 |
* http://www.postfix.org/postconf.5.html#smtpd_client_restrictions |
| 106 |
* http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions |
| 107 |
|
| 108 |
You might also want to take a look at smtpd_helo_restrictions and |
| 109 |
smtpd_data_restrictions for further tuning. Also, note that spamhaus |
| 110 |
recommends zen.spamhaus.org instead of sbl-xbl.spamhaus.org. The former |
| 111 |
is more comprehensive while the latter is geared only toward exploits. |
| 112 |
Do not include both, as zen includes sbl-xbl. |
| 113 |
|
| 114 |
For more in-depth information, you probably want to ask the |
| 115 |
postfix-users mailing list, as your issue relates to Postfix more than |
| 116 |
Gentoo. |
| 117 |
|
| 118 |
I hope the above helps. |
| 119 |
|
| 120 |
Regards, |
| 121 |
|
| 122 |
Brandon Vargo |
Archives