Trying to let a "friendly" mail server in and it ain't working....

Trying to let a "friendly" mail server in and it ain't working....

blue_cowdawg
Here is what I'm seeing in my logs:

Sep 26 11:06:53 berghold postfix/smtpd[826]: connect from
mail.skywaysoftware.com[209.34.233.105]
Sep 26 11:06:53 berghold postfix/smtpd[826]: NOQUEUE: reject: RCPT from
mail.skywaysoftware.com[209.34.233.105]: 450 4.7.1
<testmail.SkywaySoftware.com>: Helo command rejected: Host not found;
from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<testmail.SkywaySoftware.com>
Sep 26 11:06:53 berghold postfix/smtpd[826]: lost connection after RSET
from mail.skywaysoftware.com[209.34.233.105]
Sep 26 11:06:53 berghold postfix/smtpd[826]: disconnect from
mail.skywaysoftware.com[209.34.233.105]

The thing is that skywaysoftware.com is a company that puts out a
community supported tool that I want to be on the forums for.
Unfortunately I can't seem to receive mail for them.

I went ahead and added the following entries into my access file (and
ran postmap on the file afterwards, reloaded postfix, etc.) and the
connections are still being rejected.  What am I missing?


209.34.233.105  OK
mail.skywaysoftware.com OK
skywaysoftware.com      OK
testmail.skywaysoftware.com     OK
[hidden email]      OK



--

Peter L. Berghold     http://www.berghold.net   [hidden email]
Unix Professional     Dog Agility Fan   Crazed Cook
"Those who fail to learn from history are condemned to repeat it."

Re: Trying to let a "friendly" mail server in and it ain't working....

Brian Evans - Postfix List
Peter L. Berghold wrote:

>
> Here is what I'm seeing in my logs:
>
> Sep 26 11:06:53 berghold postfix/smtpd[826]: connect from
> mail.skywaysoftware.com[209.34.233.105]
> Sep 26 11:06:53 berghold postfix/smtpd[826]: NOQUEUE: reject: RCPT from
> mail.skywaysoftware.com[209.34.233.105]: 450 4.7.1
> <testmail.SkywaySoftware.com>: Helo command rejected: Host not found;
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<testmail.SkywaySoftware.com>
> Sep 26 11:06:53 berghold postfix/smtpd[826]: lost connection after RSET
> from mail.skywaysoftware.com[209.34.233.105]
> Sep 26 11:06:53 berghold postfix/smtpd[826]: disconnect from
> mail.skywaysoftware.com[209.34.233.105]
>
> The thing is that skywaysoftware.com is a company that puts out a
> community supported tool that I want to be on the forums for.
> Unfortunately I can't seem to receive mail for them.
>
> I went ahead and added the following entries into my access file (and
> ran postmap on the file afterwards, reloaded postfix, etc.) and the
> connections are still being rejected.  What am I missing?

Without a current 'postconf -n', no one here can tell you.
An access(5) map file is only as good as where it appears on the config.

Brian

>
>
> 209.34.233.105  OK
> mail.skywaysoftware.com OK
> skywaysoftware.com      OK
> testmail.skywaysoftware.com     OK
> [hidden email]      OK
>
>
>

Re: Trying to let a "friendly" mail server in and it ain't working....

Wietse Venema
In reply to this post by blue_cowdawg
Peter L. Berghold:

> Here is what I'm seeing in my logs:
>
> Sep 26 11:06:53 berghold postfix/smtpd[826]: connect from
> mail.skywaysoftware.com[209.34.233.105]
> Sep 26 11:06:53 berghold postfix/smtpd[826]: NOQUEUE: reject: RCPT from
> mail.skywaysoftware.com[209.34.233.105]: 450 4.7.1
> <testmail.SkywaySoftware.com>: Helo command rejected: Host not found;
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<testmail.SkywaySoftware.com>
> Sep 26 11:06:53 berghold postfix/smtpd[826]: lost connection after RSET
> from mail.skywaysoftware.com[209.34.233.105]
> Sep 26 11:06:53 berghold postfix/smtpd[826]: disconnect from
> mail.skywaysoftware.com[209.34.233.105]
>
> The thing is that skywaysoftware.com is a company that puts out a
> community supported tool that I want to be on the forums for.
> Unfortunately I can't seem to receive mail for them.
>
> I went ahead and added the following entries into my access file (and
> ran postmap on the file afterwards, reloaded postfix, etc.) and the
> connections are still being rejected.  What am I missing?

You need to show "postconf -n" command output with the access map
and with the reject_unknown_helo_hostname feature that is blocking
the client.

        Wietse

>
> 209.34.233.105  OK
> mail.skywaysoftware.com OK
> skywaysoftware.com      OK
> testmail.skywaysoftware.com     OK
> [hidden email]      OK
>
>
>
> --
>
> Peter L. Berghold     http://www.berghold.net   [hidden email]
> Unix Professional     Dog Agility Fan   Crazed Cook
> "Those who fail to learn from history are condemned to repeat it."

Re: Trying to let a "friendly" mail server in and it ain't working....

blue_cowdawg
In reply to this post by Brian Evans - Postfix List
Brian Evans - Postfix List wrote:

> Without a current 'postconf -n', no one here can tell you.
>

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
mydestination = $myhostname,www.$mydomain, localhost.$mydomain, localhost
mynetworks = 72.249.39.173/32,72.249.39.174/32,69.141.234.229/32
mynetworks_style = host
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
relay_domains = bayshoredogclub.org, berghold.net,agilitystewards.org,localhost
sample_directory = /usr/share/doc/postfix-2.4.5/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_unknown_hostname
smtpd_milters = unix:/var/run/clamav-milter/clamav-milter
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/access,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_invalid_hostname,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client multihop.dsbl.org,
    permit
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_loglevel = 9
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual




--

Peter L. Berghold     http://www.berghold.net   [hidden email]
Unix Professional     Dog Agility Fan   Crazed Cook
"Those who fail to learn from history are condemned to repeat it."

Re: Trying to let a "friendly" mail server in and it ain't working....

Victor Duchovni
On Fri, Sep 26, 2008 at 11:24:01AM -0400, Peter L. Berghold wrote:

> smtpd_recipient_restrictions = check_sender_access
> hash:/etc/postfix/access,    permit_mynetworks,
> permit_sasl_authenticated,    reject_unauth_destination,
> reject_unauth_pipelining,    reject_non_fqdn_sender,
> reject_non_fqdn_recipient,    reject_unknown_recipient_domain,
> reject_invalid_hostname,    reject_rbl_client blackholes.easynet.nl,
> reject_rbl_client cbl.abuseat.org,    reject_rbl_client bl.spamcop.net,
>    reject_rbl_client sbl.spamhaus.org,    reject_rbl_client
> opm.blitzed.org,    reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client list.dsbl.org,    reject_rbl_client multihop.dsbl.org,
>    permit

FIX THIS IMMEDIATELY. Your access table contains "OK" entries, and is
used for sender lookups before restricting relay access. Your machine is
now an open relay, and will shortly be exploited by a spammer. Getting
yourself removed from blacklists all over the planet is not fun...

        smtpd_recipient_restrictions =
                permit_mynetworks,
                permit_sasl_authenticated,
                reject_unauth_destination,
                ... EVERYTHING else BELOW! ...

Don't confuse "sender" (email address) with "client" (host doing the
delivery).

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Trying to let a "friendly" mail server in and it ain't working....

Brian Evans - Postfix List
In reply to this post by blue_cowdawg
Peter L. Berghold wrote:
> Brian Evans - Postfix List wrote:
>
> > Without a current 'postconf -n', no one here can tell you.
>
[...]
> relay_domains = bayshoredogclub.org,
> berghold.net,agilitystewards.org,localhost

No relay_recipient_maps could make you an (out|back)scatter source.

> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
> reject_unknown_hostname
>

The problem comes from reject_unknown_hostname in this case.  You don't
have a check_helo_access map before it to whitelist the client in question.

> smtpd_recipient_restrictions = check_sender_access
> hash:/etc/postfix/access,    permit_mynetworks,
> permit_sasl_authenticated,    reject_unauth_destination,
> reject_unauth_pipelining,    reject_non_fqdn_sender,
> reject_non_fqdn_recipient,    reject_unknown_recipient_domain,
> reject_invalid_hostname,    reject_rbl_client blackholes.easynet.nl,
> reject_rbl_client cbl.abuseat.org,    reject_rbl_client bl.spamcop.net,
>    reject_rbl_client sbl.spamhaus.org,    reject_rbl_client
> opm.blitzed.org,    reject_rbl_client dnsbl.njabl.org,
> reject_rbl_client list.dsbl.org,    reject_rbl_client multihop.dsbl.org,
>    permit

BTW, since you are using check_sender_access, this only ever matches
ENVELOPE sender, never which machine is doing the sending.
In addition, putting the check BEFORE reject_unauth_destination with an
OK makes you an open relay for any forged domains in that access file.

Also, opm.blitzed.org and *.dsbl.org are dead, remove those checks to
save a little overhead and possible false positives in the future.

Brian
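
Added example, not part of any post in this thread and not Postfix code: a simplified Python model of first-match restriction evaluation, showing why the posted order both rejects the friendly server at HELO and relays for a forged sender, and how the order recommended in the replies (with the client IP whitelisted ahead of reject_unknown_hostname) behaves. The sender and recipient addresses, the 192.0.2.10 client and mail.example.net are constructed, and access lookups are reduced to exact domain and IP matches.

```python
# Simplified model of how Postfix smtpd evaluates restriction lists (not Postfix code).
# A restriction returns OK, REJECT or DUNNO; the first non-DUNNO result decides
# its list, and a REJECT from any list refuses the recipient.
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

# Keys the poster mapped to OK in /etc/postfix/access (hidden address omitted).
ACCESS_OK = {"209.34.233.105", "mail.skywaysoftware.com",
             "skywaysoftware.com", "testmail.skywaysoftware.com"}
RELAY_DOMAINS = {"bayshoredogclub.org", "berghold.net", "agilitystewards.org"}
RESOLVABLE = {"mail.example.net"}  # constructed: HELO names that resolve in DNS

def check_sender_access(s):   # looks only at the envelope sender (domain match here)
    return OK if s["sender"].split("@")[1] in ACCESS_OK else DUNNO

def check_client_access(s):   # looks at the connecting host (IP match here)
    return OK if s["client"] in ACCESS_OK else DUNNO

def reject_unknown_hostname(s):
    return DUNNO if s["helo"].lower() in RESOLVABLE else REJECT

def reject_unauth_destination(s):
    return DUNNO if s["rcpt"].split("@")[1] in RELAY_DOMAINS else REJECT

def evaluate(restrictions, s):
    for restriction in restrictions:
        result = restriction(s)
        if result != DUNNO:
            return result
    return OK  # nothing matched: the list permits

def rcpt_accepted(helo_list, rcpt_list, s):
    return evaluate(helo_list, s) == OK and evaluate(rcpt_list, s) == OK

# Order from the posted postconf -n, and the order the replies recommend.
POSTED = ([reject_unknown_hostname], [check_sender_access, reject_unauth_destination])
FIXED = ([check_client_access, reject_unknown_hostname],
         [reject_unauth_destination, check_sender_access])

# Constructed sessions: the friendly server from the log, and a stranger
# forging a listed sender domain towards a domain this server does not relay for.
FRIENDLY = {"client": "209.34.233.105", "helo": "testmail.SkywaySoftware.com",
            "sender": "forum@skywaysoftware.com", "rcpt": "user@berghold.net"}
FORGED = {"client": "192.0.2.10", "helo": "mail.example.net",
          "sender": "anyone@skywaysoftware.com", "rcpt": "victim@example.org"}

if __name__ == "__main__":
    for name, lists in (("posted", POSTED), ("fixed", FIXED)):
        for label, s in (("friendly", FRIENDLY), ("forged", FORGED)):
            print(name, label, "accepted" if rcpt_accepted(*lists, s) else "rejected")
```

The model leaves out permit_mynetworks, permit_sasl_authenticated and the RBL checks because none of them decides either session.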

Re: Trying to let a "friendly" mail server in and it ain't working....

mouss-2
Brian Evans wrote:

> Peter L. Berghold wrote:
>> Brian Evans - Postfix List wrote:
>>
>>> Without a current 'postconf -n', no one here can tell you.
> [...]
>> relay_domains = bayshoredogclub.org,
>> berghold.net,agilitystewards.org,localhost
>
> No relay_recipient_maps could make you an (out|back)scatter source.
>> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
>> reject_unknown_hostname
>>
>
> The problem comes from reject_unknown_hostname in this case.  You don't
> have a check_helo_access map before it to whitelist the client in question.
>

he'd better whitelist the client IP. but reject_unknown_hostname is
known to cause FPs, or at least delay mail in case of temp failures...

>> smtpd_recipient_restrictions = check_sender_access
>> hash:/etc/postfix/access,    permit_mynetworks,
>> permit_sasl_authenticated,    reject_unauth_destination,
>> reject_unauth_pipelining,    reject_non_fqdn_sender,
>> reject_non_fqdn_recipient,    reject_unknown_recipient_domain,
>> reject_invalid_hostname,    reject_rbl_client blackholes.easynet.nl,
>> reject_rbl_client cbl.abuseat.org,    reject_rbl_client bl.spamcop.net,
>>    reject_rbl_client sbl.spamhaus.org,    reject_rbl_client
>> opm.blitzed.org,    reject_rbl_client dnsbl.njabl.org,
>> reject_rbl_client list.dsbl.org,    reject_rbl_client multihop.dsbl.org,
>>    permit
>
> BTW, since you are using check_sender_access, this only ever matches
> ENVELOPE sender, never which machine is doing the sending.
> In addition, putting the check BEFORE reject_unauth_destination with an
> OK makes you an open relay for any forged domains in that access file.


and reject_unauth_pipelining is useless here. sounds like a
cut-and-paste from a how[not]to ;-p
>
> Also, opm.blitzed.org and *.dsbl.org are dead, remove those checks to
> save a little overhead and possible false positives in the future.

so is blackholes.easynet.nl.
        http://spamlinks.net/filter-dnsbl-dead.htm