Not receiving mail from some legitimate domains

jlftl
I have a server running Postfix (3.1.0-3ubuntu0.3) that has been in
production for a few months and is generally working well.  However I've
been struggling to resolve an issue where some legitimate servers cannot
send inbound mail, where there appears to be an issue with the sending
server's DNS.

Here is an example:

Mar  5 23:25:47 enceladus postfix/postscreen[5155]: CONNECT from
[104.37.111.105]:51876 to [x.x.x.x]:25
Mar  5 23:25:47 enceladus postfix/postscreen[5155]: PASS OLD
[104.37.111.105]:51876
Mar  5 23:25:47 enceladus postfix/smtpd[5159]: warning: hostname
104-37-111-105.static.dbsintl.net does not resolve to address
104.37.111.105: Name or service not known
Mar  5 23:25:47 enceladus postfix/smtpd[5159]: connect from
unknown[104.37.111.105]
Mar  5 23:25:47 enceladus postfix/smtpd[5159]: disconnect from
unknown[104.37.111.105] ehlo=1 mail=0/1 quit=1 commands=2/3

Details on the sending host:

dig 104-37-111-105.static.dbsintl.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> 104-37-111-105.static.dbsintl.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53175
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;104-37-111-105.static.dbsintl.net. IN  A

;; AUTHORITY SECTION:
dbsintl.net.            60      IN      SOA     ns1.ral.hostedsolutions.com.
hostmaster.hostedsolutions.com. 2013061720 10800 3600 604800 604800

;; Query time: 19 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Tue Mar 06 17:54:38 UTC 2018
;; MSG SIZE  rcvd: 136


My smtpd recipient restrictions from main.cf:

smtpd_recipient_restrictions = check_policy_service unix:private/policy-spf,
reject_unknown_recipient_domain, reject_unauth_pipelining,
permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

I previously had included reject_unknown_client_hostname, but removing it
seems to have no effect.  That's about the only seemingly relevant thing
I've found online, and I'm really at a loss as to how to proceed.


Also interesting, when attempting to register for the Postfix forum, I never
received the confirmation e-mail and had to use a backup account.  I have
seen this behavior once or twice before, where the remote server connects
and then disconnects without appearing to do anything, but have no idea
where to begin troubleshooting it:

Mar  6 17:37:13 enceladus postfix/postscreen[12658]: CONNECT from
[162.253.133.81]:53413 to [x.x.x.x]:25
Mar  6 17:37:19 enceladus postfix/postscreen[12658]: PASS NEW
[162.253.133.81]:53413
Mar  6 17:37:19 enceladus postfix/smtpd[12668]: connect from
n5.nabble.com[162.253.133.81]
Mar  6 17:37:19 enceladus postfix/smtpd[12668]: disconnect from
n5.nabble.com[162.253.133.81] ehlo=1 mail=0/1 rcpt=0/1 data=0/1 rset=0/1
quit=1 commands=2/6

Please let me know what additional information is needed to dig deeper into
these issues.  Thank you!



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Not receiving mail from some legitimate domains

John Fawcett
On 06/03/18 19:12, jlftl wrote:
> I have a server running Postfix (3.1.0-3ubuntu0.3) that has been in
> production for a few months and is generally working well.  However I've
> been struggling to resolve an issue where some legitimate servers cannot
> send inbound mail, where there appears to be an issue with the sending
> server's DNS.
Without a correct dns setup these servers will have problems with
sending to other sites too. Are you sure these are legitimate mail servers?

>
> Here is an example:
>
> Mar  5 23:25:47 enceladus postfix/postscreen[5155]: CONNECT from
> [104.37.111.105]:51876 to [x.x.x.x]:25
> Mar  5 23:25:47 enceladus postfix/postscreen[5155]: PASS OLD
> [104.37.111.105]:51876
> Mar  5 23:25:47 enceladus postfix/smtpd[5159]: warning: hostname
> 104-37-111-105.static.dbsintl.net does not resolve to address
> 104.37.111.105: Name or service not known
> Mar  5 23:25:47 enceladus postfix/smtpd[5159]: connect from
> unknown[104.37.111.105]
> Mar  5 23:25:47 enceladus postfix/smtpd[5159]: disconnect from
> unknown[104.37.111.105] ehlo=1 mail=0/1 quit=1 commands=2/3
Looks like the mail command gave an error.

> Details on the sending host:
>
> dig 104-37-111-105.static.dbsintl.net
>
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> 104-37-111-105.static.dbsintl.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53175
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;104-37-111-105.static.dbsintl.net. IN  A
>
> ;; AUTHORITY SECTION:
> dbsintl.net.            60      IN      SOA     ns1.ral.hostedsolutions.com.
> hostmaster.hostedsolutions.com. 2013061720 10800 3600 604800 604800
>
> ;; Query time: 19 msec
> ;; SERVER: 172.31.0.2#53(172.31.0.2)
> ;; WHEN: Tue Mar 06 17:54:38 UTC 2018
> ;; MSG SIZE  rcvd: 136
>
>
> My smtpd recipient restrictions from main.cf:
>
> smtpd_recipient_restrictions = check_policy_service unix:private/policy-spf,
> reject_unknown_recipient_domain, reject_unauth_pipelining,
> permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
>
> I previously had included reject_unknown_client_hostname, but removing it
> seems to have no effect.  That's about the only seemingly relevant thing
> I've found online, and I'm really at a loss as to how to proceed.
Without postconf -n it will be difficult to help, since these snippets
of configuration don't provide the full picture. You probably have other
restrictions set up.

> Also interesting, when attempting to register for the Postfix forum, I never
> received the confirmation e-mail and had to use a backup account.  I have
> seen this behavior once or twice before, where the remote server connects
> and then disconnects without appearing to do anything, but have no idea
> where to begin troubleshooting it:
>
> Mar  6 17:37:13 enceladus postfix/postscreen[12658]: CONNECT from
> [162.253.133.81]:53413 to [x.x.x.x]:25
> Mar  6 17:37:19 enceladus postfix/postscreen[12658]: PASS NEW
> [162.253.133.81]:53413
> Mar  6 17:37:19 enceladus postfix/smtpd[12668]: connect from
> n5.nabble.com[162.253.133.81]
> Mar  6 17:37:19 enceladus postfix/smtpd[12668]: disconnect from
> n5.nabble.com[162.253.133.81] ehlo=1 mail=0/1 rcpt=0/1 data=0/1 rset=0/1
> quit=1 commands=2/6
>
> Please let me know what additional information is needed to dig deeper into
> these issues.  Thank you!
>
>
>
> --
> Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

One thing you could try (particularly if this is a low volume server) is
to look at the notify_classes setting, for example adding policy, so you
can get more info on errors sent back to postmaster and that may help
you solve these cases.

John


Re: Not receiving mail from some legitimate domains

Wietse Venema
John Fawcett:
> > Mar  5 23:25:47 enceladus postfix/smtpd[5159]: connect from
> > unknown[104.37.111.105]
> > Mar  5 23:25:47 enceladus postfix/smtpd[5159]: disconnect from
> > unknown[104.37.111.105] ehlo=1 mail=0/1 quit=1 commands=2/3
> Looks like the mail command gave an error.

Bingo. The client sent a MAIL FROM command with some bad syntax
(Postfix will not log all possible SMTP protocol violations, only
the ones that you can do something about).

        Wietse

Re: Not receiving mail from some legitimate domains

jlftl
Thank you very much for the responses!

This is a small, personal setup with low traffic so I will definitely
explore using notify_classes to try to get more feedback on the failures.

Remote server legitimacy - *.dbsintl.net appears to be a third party hosting
solution for small businesses.  In the example provided before, I can
correlate the timestamps in my mail.log to attempts to generate e-mails from
a particular website to myself (e.g. updating my e-mail address, etc.).

Coupled with the failure to receive mail from nabble, I have to assume the
problem is on my end.

Here's the output from postconf -n (with my server/domain names redacted):

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = /usr/lib/dovecot/deliver -c
/etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
mailbox_size_limit = 0
message_size_limit = 104857600
milter_connect_macros = j {daemon_name} v {if_name} _
milter_default_action = accept
mydestination = localhost, <myserver>.<mydomain>.net,
localhost.<mydomain>.net
myhostname = <myserver>.<mydomain>.net
mynetworks = 127.0.0.0/8 192.168.0.0/24 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org, b.barracudacentral.org,
bl.spamcop.net
postscreen_greet_action = enforce
readme_directory = no
recipient_delimiter = +
relay_destination_concurrency_limit = 1
relayhost =
sender_whitelist = check_client_access
hash:/etc/postfix/check_client_access, reject
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit
smtpd_milters = unix:/opendkim/opendkim.sock, inet:localhost:54321,
unix:/spamass/spamass.sock
smtpd_recipient_restrictions = check_policy_service unix:private/policy-spf,
reject_unknown_recipient_domain, reject_unauth_pipelining,
permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_restriction_classes = sender_whitelist
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
smtpd_sender_restrictions = reject_sender_login_mismatch
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file =
/etc/ssl/private/ssl-chain-mail-<myserver>.<mydomain>.net.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file =
/etc/ssl/private/<myserver>-decrypted-mail-<mydomain>.net.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000




--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Not receiving mail from some legitimate domains

Wietse Venema
jlftl:

> Thank you very much for the responses!
>
> This is a small, personal setup with low traffic so I will definitely
> explore using notify_classes to try to get more feedback on the failures.
>
> Remote server legitimacy - *.dbsintl.net appears to be a third party hosting
> solution for small businesses.  In the example provided before, I can
> correlate the timestamps in my mail.log to attempts to generate e-mails from
> a particular website to myself (e.g. updating my e-mail address, etc.).
>
> Coupled with the failure to receive mail from nabble, I have to assume the
> problem is on my end.
>
> Here's the output from postconf -n (with my server/domain names redacted):

If this is the server that logs

    unknown[104.37.111.105] ehlo=1 mail=0/1 quit=1 commands=2/3

but no logging about rejected commands, then there is no Postfix
setting that would change the result.

To see the client's MAIL FROM command you can turn on verbose logging
with

    postconf debug_peer_list=104.37.111.105

or use tcpdump as described in http://www.postfix.org/DEBUG_README.html.

        Wietse


Re: Not receiving mail from some legitimate domains

jlftl
Wietse Venema wrote

> jlftl:
>> Thank you very much for the responses!
>>
>> This is a small, personal setup with low traffic so I will definitely
>> explore using notify_classes to try to get more feedback on the failures.
>>
>> Remote server legitimacy - *.dbsintl.net appears to be a third party
>> hosting
>> solution for small businesses.  In the example provided before, I can
>> correlate the timestamps in my mail.log to attempts to generate e-mails
>> from
>> a particular website to myself (e.g. updating my e-mail address, etc.).
>>
>> Coupled with the failure to receive mail from nabble, I have to assume
>> the
>> problem is on my end.
>>
>> Here's the output from postconf -n (with my server/domain names
>> redacted):
>
> If this is the server that logs
>
>     unknown[104.37.111.105] ehlo=1 mail=0/1 quit=1 commands=2/3
>
> but no logging about rejected commands, then there is no Postfix
> setting that would change the result.
>
> To see the client's MAIL FROM command you can turn on verbose logging
> with
>
>     postconf debug_peer_list=104.37.111.105
>
> or use tcpdump as described in http://www.postfix.org/DEBUG_README.html.
>
> Wietse

I've finally had time to circle back to this and was able to reproduce the
problem receiving mail from nabble (for the postfix users forum) with
notify_classes enabled.  I don't know if this particular issue is my only
problem, but for the time being it's the only one I've had the opportunity to
reproduce.  Here is the result from the postfix forum registration e-mail
(my server/domain redacted):

Transcript of session follows.

 Out: 220 <myserver>.<mydomain>.net ESMTP
 In:  ehlo hello
 Out: 250-<myserver>.mydomain>.net
 Out: 250-PIPELINING
 Out: 250-SIZE 104857600
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  help
 Out: 502 5.5.2 Error: command not recognized
 In:
 Out: 500 5.5.2 Error: bad syntax

My installation does not appear to recognize the extended smtp "help"
command.  I've attempted to do some research on this but "help" is an
awfully generic string to search for, so other than determining that it is a
valid esmtp command I'm not sure what I need to do to correct it.

Thanks!



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Not receiving mail from some legitimate domains

John Fawcett
On 12/03/18 07:12, jlftl wrote:

> Wietse Venema wrote
>> jlftl:
>>> Thank you very much for the responses!
>>>
>>> This is a small, personal setup with low traffic so I will definitely
>>> explore using notify_classes to try to get more feedback on the failures.
>>>
>>> Remote server legitimacy - *.dbsintl.net appears to be a third party
>>> hosting
>>> solution for small businesses.  In the example provided before, I can
>>> correlate the timestamps in my mail.log to attempts to generate e-mails
>>> from
>>> a particular website to myself (e.g. updating my e-mail address, etc.).
>>>
>>> Coupled with the failure to receive mail from nabble, I have to assume
>>> the
>>> problem is on my end.
>>>
>>> Here's the output from postconf -n (with my server/domain names
>>> redacted):
>> If this is the server that logs
>>
>>     unknown[104.37.111.105] ehlo=1 mail=0/1 quit=1 commands=2/3
>>
>> but no logging about rejected commands, then there is no Postfix
>> setting that would change the result.
>>
>> To see the client's MAIL FROM command you can turn on verbose logging
>> with
>>
>>     postconf debug_peer_list=104.37.111.105
>>
>> or use tcpdump as described in http://www.postfix.org/DEBUG_README.html.
>>
>> Wietse
> I've finally had time to circle back to this and was able to reproduce the
> problem receiving mail from nabble (for the postfix users forum) with
> notify_classes enabled.  I don't know if this particular issue is my only
> problem, but for the time being it's the only one I've had the opportunity to
> reproduce.  Here is the result from the postfix forum registration e-mail
> (my server/domain redacted):
>
> Transcript of session follows.
>
>  Out: 220 <myserver>.<mydomain>.net ESMTP
>  In:  ehlo hello
>  Out: 250-<myserver>.mydomain>.net
>  Out: 250-PIPELINING
>  Out: 250-SIZE 104857600
>  Out: 250-ETRN
>  Out: 250-STARTTLS
>  Out: 250-ENHANCEDSTATUSCODES
>  Out: 250-8BITMIME
>  Out: 250 DSN
>  In:  help
>  Out: 502 5.5.2 Error: command not recognized
>  In:
>  Out: 500 5.5.2 Error: bad syntax
>
> My installation does not appear to recognize the extended smtp "help"
> command.  I've attempted to do some research on this but "help" is an
> awfully generic string to search for, so other than determining that it is a
> valid esmtp command I'm not sure what I need to do to correct it.
>
> Thanks!
>
>
>
> --
> Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Hi

do you have any evidence that this came from Nabble? If not I would not
overly worry about not accepting email from a client that sends the help
command to your server.

Implementation of the help command is not needed for successful email
transmission. It's not part of the minimum set of commands needed for an
smtp server.  Given that the smtp protocol is generally used between two
programs and not by someone typing in the commands, there is very little
use for implementing the help command in the smtp server. It is not
supported by postfix.

John


Re: Not receiving mail from some legitimate domains

jlftl
Hi John,

You are correct, this is my mistake.  I went back through the logs, and this
was NOT nabble.  I attempted to register another account for the forum in
order to generate the e-mail, and this server which issued the help command
had coincidentally connected within a few seconds of nabble's server.  The
error notification unfortunately arrived right when I was expecting it so I
hadn't bothered checking the logs.

I'll need to proceed with postconf debug/tcpdump to gather more information.
Sorry about that!



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Not receiving mail from some legitimate domains

jlftl
Alright, using postconf debug_peer_list appears to have identified the issue:

Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-enceladus.<mydomain>.net
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-PIPELINING
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-SIZE 104857600
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-ETRN
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-STARTTLS
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-ENHANCEDSTATUSCODES
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250-8BITMIME
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 250 DSN
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: watchdog_pat: 0x564edfaa6dc0
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: <
n5.nabble.com[162.253.133.81]: MAIL FROM:<[hidden email]> SIZE=3488
Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
n5.nabble.com[162.253.133.81]: 530 5.7.0 Must issue a STARTTLS command first

I modified the following:

main.cf - smtpd_tls_security_level = encrypt CHANGED TO may
master.cf - -o smtpd_tls_security_level = encrypt CHANGED TO may

Mail from (in this case nabble) is now delivered properly.  I'm hopeful that
this is my root issue...I will need to continue to monitor.

Thank you all very much for your help!



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
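
Added example, not part of any post in this thread: the nabble client that debug_peer_list showed being refused with 530 had earlier logged `mail=0/1` and no `starttls=` counter in its disconnect line, the same shape as the 104.37.111.105 session. This Python sketch scans a mail log for that shape to list clients worth checking; the sample lines are constructed from the excerpts above (wrapped lines re-joined), and the 192.0.2.10 entry is a placeholder.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are modelled on the excerpts in this
# thread, the third is a made-up session that negotiated STARTTLS.
SAMPLE_LOG = """\
Mar  5 23:25:47 enceladus postfix/smtpd[5159]: disconnect from unknown[104.37.111.105] ehlo=1 mail=0/1 quit=1 commands=2/3
Mar  6 17:37:19 enceladus postfix/smtpd[12668]: disconnect from n5.nabble.com[162.253.133.81] ehlo=1 mail=0/1 rcpt=0/1 data=0/1 rset=0/1 quit=1 commands=2/6
Mar  6 18:02:41 enceladus postfix/smtpd[12701]: disconnect from mail.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (\S+)\[([^\]]+)\] (.*)$")
STAT = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")   # cmd=accepted or cmd=accepted/attempted


def parse_stats(stats_text):
    """Map each SMTP command to (accepted, attempted) from a disconnect line."""
    stats = {}
    for name, ok, total in STAT.findall(stats_text):
        stats[name] = (int(ok), int(total) if total else int(ok))
    return stats


def plaintext_mail_refusals(log_text):
    """Count sessions per client where MAIL was refused and STARTTLS never tried."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DISCONNECT.search(line)
        if not m:
            continue
        host, addr, stats = m.group(1), m.group(2), parse_stats(m.group(3))
        mail_ok, mail_tried = stats.get("mail", (0, 0))
        if mail_tried and not mail_ok and "starttls" not in stats:
            hits[(addr, host)] += 1
    return sorted((addr, host, n) for (addr, host), n in hits.items())


if __name__ == "__main__":
    for addr, host, n in plaintext_mail_refusals(SAMPLE_LOG):
        print(f"{addr} ({host}): {n} session(s) with MAIL refused before any STARTTLS")
```

A hit is only a candidate: the counters do not record the reply code, so confirm with debug_peer_list or tcpdump as described earlier in the thread.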

Re: Not receiving mail from some legitimate domains

Matus UHLAR - fantomas
On 14.03.18 07:55, jlftl wrote:

>Alright, using postconf debug_peer_list appears to have identified the issue:
>
>Mar 14 14:03:10 enceladus postfix/smtpd[26760]: <
>n5.nabble.com[162.253.133.81]: MAIL FROM:<[hidden email]> SIZE=3488
>Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
>n5.nabble.com[162.253.133.81]: 530 5.7.0 Must issue a STARTTLS command first
>
>I modified the following:
>
>main.cf - smtpd_tls_security_level = encrypt CHANGED TO may

>master.cf - -o smtpd_tls_security_level = encrypt CHANGED TO may

1. there's no need to configure the same option in master.cf as in the
main.cf; it's required when you want to change them.

2. submission and smtps SHOULD have "-o smtpd_tls_security_level = encrypt",
clients should be required to both authenticate and encrypt.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".

Re: Not receiving mail from some legitimate domains

Viktor Dukhovni


> On Mar 14, 2018, at 11:06 AM, Matus UHLAR - fantomas <[hidden email]> wrote:
>
> 1. there's no need to configure the same option in master.cf as in the
> main.cf; it's required when you want to change them.
>
> 2. submission and smtps SHOULD have "-o smtpd_tls_security_level = encrypt",
> clients should be required to both authenticate and encrypt.

Just should point out that SPACEs around the "=" sign in master.cf option overrides
don't do what you might naively expect.  The correct syntax is:

        -o smtpd_tls_security_level=encrypt

without SPACE characters around "=".

--
        Viktor.
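
Added example, not part of any post in this thread: a small Python lint for the two master.cf points raised above, that `-o` overrides are written `name=value` without spaces and that submission and smtps carry `smtpd_tls_security_level=encrypt`. The sample master.cf is constructed; the brace form `-o { name = value }` it accepts is the one master(5) documents for Postfix 3.0 and later.

```python
import re

# Constructed sample master.cf (not the poster's file). The submission entry
# repeats the spaced override quoted in the thread; smtps uses the brace form.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level = encrypt
  -o smtpd_sasl_auth_enable=yes
# implicit-TLS service
smtps      inet  n  -  y  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o { smtpd_tls_security_level = encrypt }
"""

TOKEN = re.compile(r"\{[^}]*\}|\S+")     # a {...} group counts as one argument
MUST_ENCRYPT = ("submission", "smtps")   # services named in the reply above


def logical_lines(text):
    """Join continuation lines (leading whitespace) onto the entry they extend."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries


def parse_overrides(args):
    """Return ({name: value}, [malformed options]) for the -o options in args."""
    overrides, malformed = {}, []
    i = 0
    while i < len(args):
        if args[i] != "-o" or i + 1 >= len(args):
            i += 1
            continue
        opt = args[i + 1]
        if opt.startswith("{") and opt.endswith("}"):
            opt = opt[1:-1]
        name, eq, value = (part.strip() for part in opt.partition("="))
        if eq and name:
            overrides[name] = value
        else:
            malformed.append(opt.strip())
        i += 2
    return overrides, malformed


def lint(text):
    """Return (service, finding) pairs for a master.cf given as a string."""
    findings = []
    for entry in logical_lines(text):
        tokens = TOKEN.findall(entry)
        if len(tokens) < 8:
            findings.append((tokens[0], "entry has fewer than 8 fields"))
            continue
        service = tokens[0]
        overrides, malformed = parse_overrides(tokens[8:])
        for opt in malformed:
            findings.append((service, f"override '{opt}' is not name=value"))
        if (service in MUST_ENCRYPT
                and overrides.get("smtpd_tls_security_level") != "encrypt"):
            findings.append((service, "smtpd_tls_security_level=encrypt not set"))
    return findings


if __name__ == "__main__":
    for service, finding in lint(SAMPLE_MASTER_CF):
        print(f"{service}: {finding}")
```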


Re: Not receiving mail from some legitimate domains

jlftl
Matus UHLAR - fantomas wrote
> On 14.03.18 07:55, jlftl wrote:
>>Alright, using postconf debug_peer_list appears to have identified the issue:
>>
>>Mar 14 14:03:10 enceladus postfix/smtpd[26760]: <
>>n5.nabble.com[162.253.133.81]: MAIL FROM:<bounces@.nabble> SIZE=3488
>>Mar 14 14:03:10 enceladus postfix/smtpd[26760]: >
>>n5.nabble.com[162.253.133.81]: 530 5.7.0 Must issue a STARTTLS command first
>>
>>I modified the following:
>>
>>main.cf - smtpd_tls_security_level = encrypt CHANGED TO may
>
>>master.cf - -o smtpd_tls_security_level = encrypt CHANGED TO may
>
> 1. there's no need to configure the same option in master.cf as in the
> main.cf; it's required when you want to change them.
>
> 2. submission and smtps SHOULD have "-o smtpd_tls_security_level = encrypt",
> clients should be required to both authenticate and encrypt.
>
> --
> Matus UHLAR - fantomas, uhlar@ ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Christian Science Programming: "Let God Debug It!".

Thank you for the clarification; you are correct, I changed submission back
to "encrypt" and am still able to receive properly.  I should have made one
change at a time.  Thank you!

Viktor, thank you, the spaces around "=" were a typo on my part; in
master.cf the line is properly formatted as   -o
smtpd_tls_security_level=encrypt

Thank you all again.



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html