What am I missing? DNSBL on submission port?

What am I missing? DNSBL on submission port?

Andrew Sullivan
Hi,

I _know_ I am overlooking something, and I need a clue-bat.  

I use postscreen on the SMTP (25) port and smtpd on the submission
port; the latter requires authentication via dovecot.  This usually
works except every now and then when sending mail, almost always from
hotel networks (where I spend a lot of time), I get one of these:

Oct 31 23:31:56 mx4 postfix/smtpd[2575]: connect from unknown[66.171.166.114]
Oct 31 23:31:56 mx4 postfix/smtpd[2575]: Anonymous TLS connection established from unknown[66.171.166.114]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 31 23:31:56 mx4 postfix/smtpd[2575]: NOQUEUE: reject: RCPT from unknown[66.171.166.114]: 554 5.7.1 Service unavailable; Client host [66.171.166.114] blocked using sbl.spamhaus.org; https://www.spamhaus.org/sbl/query/SBLCSS; from=<[hidden email]> to=<REDACTED> proto=ESMTP helo=<anvilwalrusden.com>
Oct 31 23:31:56 mx4 postfix/smtpd[2575]: lost connection after RCPT from unknown[66.171.166.114]
Oct 31 23:31:56 mx4 postfix/smtpd[2575]: disconnect from unknown[66.171.166.114] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6

It seems to me that I have somehow managed to put the DNSBL filters on
my submission port, which seems (1) obviously wrong and (2)
mystifying.  So I'm wondering whether anyone has a hint on what I
should start looking at so that I can fix this.  It's clear to me that
I didn't know what I was doing when I set this up or this wouldn't
have happened; but I'm really, really sure that I am unable to read
all the parts of the documentation now (like this week) to understand
what I did wrong without a clue about where to start digging.  Hence
the plea.

This isn't totally urgent, because my solution is more or less always
to hook up to my phone, which pretty reliably doesn't have this
problem.  But it annoys me that I've messed it up.

Thanks for your help,

A

--
Andrew Sullivan
[hidden email]

Re: What am I missing? DNSBL on submission port?

Bill Cole-3
On 31 Oct 2019, at 19:52, Andrew Sullivan wrote:

> Hi,
>
> I _know_ I am overlooking something, and I need a clue-bat.
>
> I use postscreen on the SMTP (25) port and smtpd on the submission
> port; the latter requires authentication via dovecot.  This usually
> works except every now and then when sending mail, almost always from
> hotel networks (where I spend a lot of time), I get one of these:
>
> Oct 31 23:31:56 mx4 postfix/smtpd[2575]: connect from
> unknown[66.171.166.114]
> Oct 31 23:31:56 mx4 postfix/smtpd[2575]: Anonymous TLS connection
> established from unknown[66.171.166.114]: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Oct 31 23:31:56 mx4 postfix/smtpd[2575]: NOQUEUE: reject: RCPT from
> unknown[66.171.166.114]: 554 5.7.1 Service unavailable; Client host
> [66.171.166.114] blocked using sbl.spamhaus.org;
> https://www.spamhaus.org/sbl/query/SBLCSS; 
> from=<[hidden email]> to=<REDACTED> proto=ESMTP
> helo=<anvilwalrusden.com>
> Oct 31 23:31:56 mx4 postfix/smtpd[2575]: lost connection after RCPT
> from unknown[66.171.166.114]
> Oct 31 23:31:56 mx4 postfix/smtpd[2575]: disconnect from
> unknown[66.171.166.114] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1
> commands=5/6

Are you SURE that's not port 25?

The "postfix/smtpd" label will be used by the smtpd process that
postscreen hands off to, so it is helpful to assign a unique syslog_name
in master.cf to the smtpd that is run on the submission port.

>
> It seems to me that I have somehow managed to put the DNSBL filters on
> my submission port, which seems (1) obviously wrong and (2)
> mystifying.  So I'm wondering whether anyone has a hint on what I
> should start looking at so that I can fix this.  It's clear to me that
> I didn't know what I was doing when I set this up or this wouldn't
> have happened; but I'm really, really sure that I am unable to read
> all the parts of the documentation now (like this week) to understand
> what I did wrong without a clue about where to start digging.  Hence
> the plea.


Your master.cf should override whichever smtpd_whatever_restrictions
list applies your DNSBL restrictions. For example, I put my DNSBL
restrictions (and almost everything else) in
smtpd_recipient_restrictions, so my master.cf has this entry:

submission inet  n       -       n       -       -       smtpd
     -o syslog_name=postfix/submit
     -o smtpd_tls_security_level=encrypt
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
     -o milter_macro_daemon_name=ORIGINATING


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
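
Added example, not part of the original thread: a log check that pairs each DNSBL reject with the `auth=` counter on the same session's disconnect line and reports the syslog label it was logged under. The log lines are constructed on the pattern of the ones quoted above (documentation addresses, made-up PIDs), and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log format quoted in this thread.
SAMPLE_LOG = """\
Oct 31 23:31:56 mx4 postfix/smtpd[2575]: connect from unknown[192.0.2.10]
Oct 31 23:31:56 mx4 postfix/smtpd[2575]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using sbl.spamhaus.org; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<laptop.example.org>
Oct 31 23:31:56 mx4 postfix/smtpd[2575]: disconnect from unknown[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6
Oct 31 23:40:02 mx4 postfix/smtpd[2601]: connect from unknown[198.51.100.7]
Oct 31 23:40:02 mx4 postfix/smtpd[2601]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using sbl.spamhaus.org; from=<x@example.com> to=<b@example.net> proto=ESMTP helo=<spam.example.com>
Oct 31 23:40:03 mx4 postfix/smtpd[2601]: disconnect from unknown[198.51.100.7] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Oct 31 23:45:10 mx4 postfix/submit/smtpd[2650]: connect from unknown[192.0.2.10]
Oct 31 23:45:11 mx4 postfix/submit/smtpd[2650]: disconnect from unknown[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ "
                  r"(?P<tag>postfix/\S*smtpd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REJECT = re.compile(r"NOQUEUE: reject: .*?\[(?P<ip>[^\]]+)\]: "
                    r".*? blocked using (?P<zone>[^;]+);")
AUTH = re.compile(r"\bauth=(\d+)")  # first number is the count of successful AUTHs

def authenticated_dnsbl_rejects(log_text):
    """Return sessions that authenticated successfully and were still DNSBL-rejected."""
    sessions = defaultdict(dict)   # keyed by (syslog tag, pid)
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, msg = (m["tag"], m["pid"]), m["msg"]
        if msg.startswith("connect from"):
            sessions[key] = {}                     # PID reuse starts a new session
        elif (r := REJECT.match(msg)):
            sessions[key].update(ip=r["ip"], zone=r["zone"])
        elif msg.startswith("disconnect from"):
            s = sessions.pop(key, {})
            a = AUTH.search(msg)
            if "zone" in s and a and int(a[1]) > 0:
                findings.append({"service": key[0], "client": s["ip"], "zone": s["zone"]})
    return findings

if __name__ == "__main__":
    for f in authenticated_dnsbl_rejects(SAMPLE_LOG):
        print(f)
```

A finding whose `service` is the generic `postfix/smtpd` cannot be attributed to a port from the log alone, which is what a distinct `syslog_name` on the submission entry resolves.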

Re: What am I missing? DNSBL on submission port?

Andrew Sullivan
On Thu, Oct 31, 2019 at 07:52:11PM -0400, Andrew Sullivan wrote:
> Hi,
>
> I _know_ I am overlooking something, and I need a clue-bat.  

Thanks to the list for the help.  I tracked this down to a mistake in
main.cf with a too-restrictive smtpd_client_restrictions (I seem to
have commented out the line that had permit_sasl_authenticated, which
I think was a leftover elision from testing where I was trying to
force the condition).

Thanks for the clues.  Intermittent failures are hard to debug.

Best regards,

A

--
Andrew Sullivan
[hidden email]

Re: What am I missing? DNSBL on submission port?

Matus UHLAR - fantomas
>On Thu, Oct 31, 2019 at 07:52:11PM -0400, Andrew Sullivan wrote:
>> I _know_ I am overlooking something, and I need a clue-bat.

On 17.11.19 22:03, Andrew Sullivan wrote:
>Thanks to the list for the help.  I tracked this down to a mistake in
>main.cf with a too-restrictive smtpd_client_restrictions (I seem to
>have commented out the line that had permit_sasl_authenticated, which
>I think was a leftover elision from testing where I was trying to
>force the condition).

main.cf options should be overridden in master.cf, and thus a too-restrictive
smtpd_client_restrictions should not affect the submission port.

>Thanks for the clues.  Intermittent failures are hard to debug.

The question was whether you are sure it was the submission port.  smtpd on
the submission port should log as "postfix/submit/smtpd" due to proper options
in master.cf:

     -o syslog_name=postfix/submit
     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

You can also add

     -o smtpd_client_restrictions=

or move rejection from smtpd_client_restrictions to e.g.
smtpd_recipient_restrictions to avoid the problem you've had.

This would also add the possibility to whitelist certain recipients, e.g.
postmaster, so they could receive mail from blacklisted sites.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.
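
Added example, not part of the original thread: a small audit that computes, for each smtpd entry in master.cf, which restriction list would apply a DNSBL check to an already authenticated client. It relies on two Postfix behaviours: a `-o` override replaces only the parameter it names, and a permit in one restriction list ends only that list. The main.cf and master.cf contents are constructed to match the configuration described in the thread, the function names are hypothetical, and only the plain `-o name=value` form is parsed.

```python
import re

# Restriction lists in the order smtpd evaluates them at RCPT TO.
ORDER = ["smtpd_client_restrictions", "smtpd_helo_restrictions",
         "smtpd_sender_restrictions", "smtpd_relay_restrictions",
         "smtpd_recipient_restrictions"]

# Constructed main.cf state for the reported root cause: the DNSBL check is
# active, the permit_sasl_authenticated line in front of it is commented out.
MAIN_CF = {"smtpd_client_restrictions": "reject_rbl_client sbl.spamhaus.org"}

# Constructed master.cf: postscreen on 25, submission with recipient override only.
MASTER_CF = """\
smtp       inet  n  -  n  -  1  postscreen
smtpd      pass  -  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
     -o syslog_name=postfix/submit
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

def smtpd_services(master_text):
    """Yield (service, overrides) per smtpd entry, folding continuation lines."""
    logical = []
    for line in master_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    for entry in logical:
        f = entry.split()
        if len(f) >= 8 and f[7] == "smtpd":
            opts = [f[i + 1] for i in range(8, len(f) - 1) if f[i] == "-o"]
            yield f[0], dict(o.split("=", 1) for o in opts if "=" in o)

def dnsbl_list_hit(main_cf, overrides):
    """First list whose DNSBL check an authenticated client reaches, else None."""
    for name in ORDER:
        for token in re.split(r"[,\s]+", overrides.get(name, main_cf.get(name, ""))):
            if token == "permit_sasl_authenticated":
                break  # a permit only ends this list; later lists still run
            if token in ("reject_rbl_client", "reject_rhsbl_client"):
                return name
    return None

def audit(main_cf, master_text):
    return {svc: dnsbl_list_hit(main_cf, ov) for svc, ov in smtpd_services(master_text)}
```

With the sample above, `audit(MAIN_CF, MASTER_CF)` reports `smtpd_client_restrictions` for the submission service; appending `-o smtpd_client_restrictions=` to that entry, or restoring `permit_sasl_authenticated` ahead of the DNSBL check in main.cf, clears it.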