aquamail helo option


aquamail helo option

David Mehler
Hello,

Is anyone using Android's Aquamail to send mail through postfix? If
so, how do you have it configured?

My postfix is rejecting mail from Aquamail because its HELO is:

<[192.168.1.1]>, basically its internal IP.

I do not want to remove my restrictions; can I get around this with a map?

Thanks.
Dave.

Re: aquamail helo option

/dev/rob0
On Sun, Apr 22, 2018 at 07:24:42PM -0400, David Mehler wrote:
> Is anyone using Android's Aquamail to send mail through postfix?
> If so, how do you have it configured?
>
> My postfix is rejecting mail from Aquamail because its HELO is:
>
> <[192.168.1.1]>, basically its internal IP.

What restriction do you have that is blocking this?  Include
"postconf -nf ; postconf -Mf" and the entire non-verbose logs showing
the rejection.  Perhaps you have a check_helo_access lookup; you
should also show us what is in that lookup.

While you can, and I do, block such HELOs on port 25, you must not
apply such a restriction to submitting clients.  A HELO like that is
perfectly valid per RFC.

So perhaps the actual problem is that you're submitting on port 25,
and your fix is to require users to submit on submission[s], ports
587 or 465, and don't accept submitted mail on 25.  Your reply as
detailed above will show this.

> I do not want to remove my restrictions; can I get around this with
> a map?

That would be a bad idea, and anyway, a question we couldn't answer
without knowing how you blocked it.  The various Postfix HELO
restrictions, such as:
+ reject_invalid_helo_hostname
+ reject_non_fqdn_helo_hostname
+ reject_unknown_helo_hostname
will NOT block that HELO string.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
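To make rob0's point concrete, here is an added Python model of the two HELO checks that can be evaluated offline. It is an approximation written for this page, not Postfix's own valid_hostname() or smtpd_check code, and reject_unknown_helo_hostname is left out because it needs DNS. It shows that an address literal such as [192.168.1.107] passes both reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname, so neither can be what produced the rejection; and whatever these return, such checks belong in the port-25 policy, never in the submission service.

```python
import ipaddress
import re

# A label: letters, digits, '-' and '_' (Postfix tolerates '_'), not starting or
# ending with '-', at most 63 characters. An approximation of valid_hostname().
_LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def is_address_literal(helo: str) -> bool:
    """True for a well-formed RFC 5321 address literal: [192.0.2.1] or [IPv6:2001:db8::1]."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    inner = helo[1:-1]
    try:
        if inner.lower().startswith("ipv6:"):
            ipaddress.IPv6Address(inner[5:])
        else:
            ipaddress.IPv4Address(inner)
    except ValueError:
        return False
    return True


def is_valid_hostname(helo: str) -> bool:
    """Syntax-only check: non-empty, <= 255 chars, every dot-separated label well-formed
    (an empty label, e.g. from a trailing dot, fails)."""
    if not helo or len(helo) > 255:
        return False
    return all(_LABEL.match(label) for label in helo.split("."))


def helo_verdicts(helo: str) -> dict:
    """Which of the two offline-checkable HELO restrictions would reject this HELO.

    Mirrors the documented behaviour: reject_invalid_helo_hostname fires on a
    malformed name or literal; reject_non_fqdn_helo_hostname additionally
    requires a hostname to contain a dot, but accepts any valid address literal.
    reject_unknown_helo_hostname needs DNS and is not modelled here.
    """
    if helo.startswith("["):
        bad = not is_address_literal(helo)
        return {"reject_invalid_helo_hostname": bad,
                "reject_non_fqdn_helo_hostname": bad}
    bad = not is_valid_hostname(helo)
    return {"reject_invalid_helo_hostname": bad,
            "reject_non_fqdn_helo_hostname": bad or "." not in helo}


if __name__ == "__main__":
    for sample in ("[192.168.1.107]", "mail.example.com", "android-1234",
                   "-bad.example.com", "[999.1.1.1]", "[IPv6:2001:db8::1]"):
        print(f"{sample:22} {helo_verdicts(sample)}")
```

The bare device name "android-1234" is the kind of HELO that reject_non_fqdn_helo_hostname does block, which is why that restriction is acceptable on port 25 but wrong for a submission service where phones and laptops are the expected clients.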

Re: aquamail helo option

David Mehler
Hello,

Thanks for your reply. My postconf -nf and postconf -Mf are below as
is the relevant log portions. I'm suspecting that my various smtpd*
restrictions are wrong.

If you need any other files let me know.

Thanks.
Dave.

#postconf -nf
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
bounce_template_file = /usr/local/etc/postfix/bounce.cf
broken_sasl_auth_clients = no
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = pcre:/usr/local/etc/postfix/header_checks,
    regexp:/usr/local/etc/postfix/phish419.regexp
html_directory = /usr/local/share/doc/postfix
in_flow_delay = 1s
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
inet_protocols = ipv4
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}"
milter_protocol = 6
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
minimal_backoff_time = 5m
mydestination = localhost
mydomain = domain.com
myhostname = mail.domain.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks,
    cidr:/usr/local/etc/postfix/postscreen_access.cidr,
    cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_reply_map =
    pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
    bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com
    bl.mailspike.net swl.spamhaus.org*-4
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = drop
queue_directory = /var/spool/postfix
queue_run_delay = 5m
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
show_user_unknown_table_name = no
smtp_helo_timeout = 60s
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_ciphers = high
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
    aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3, !TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks check_client_access
    hash:/usr/local/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
smtpd_milters = unix:/var/run/rspamd/milter.sock,inet:127.0.0.1:8472
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination check_helo_access
    hash:/usr/local/etc/postfix/helo_access, ,check_helo_access
    pcre:/usr/local/etc/postfix/helo_checks ,check_sender_mx_access
    cidr:/usr/local/etc/postfix/bogus_mx check_sender_access
    hash:/usr/local/etc/postfix/safe_addresses check_sender_access
    hash:/usr/local/etc/postfix/auto-whtlst check_client_access
    cidr:/usr/local/etc/postfix/spamfarms check_client_access
    cidr:/usr/local/etc/postfix/sinokorea.cidr check_recipient_access
    mysql:/usr/local/etc/postfix/db/recipient-access.cf permit_dnswl_client
    list.dnswl.org=127.0.[2..14].[1..3] check_reverse_client_hostname_access
    pcre:/usr/local/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname reject_non_fqdn_sender
    reject_invalid_helo_hostname reject_unlisted_recipient reject_rhsbl_client
    dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org reject_rhsbl_helo
    dbl.spamhaus.org check_policy_service unix:private/spf-policy
    check_policy_service unix:private/dovecot-quota check_policy_service
    unix:private/p0f-policy
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 3
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/local/etc/ssl/acme/domain.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
    EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_key_file = /usr/local/etc/ssl/acme/private/domain.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtputf8_enable = yes
soft_bounce = no
spf-policy_time_limit = 3600s
strict_rfc821_envelopes = yes
swap_bangpath = no
tls_high_cipherlist =
    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
tls_preempt_cipherlist = yes
tls_ssl_options = no_ticket, no_compression
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/db/aliases.cf
virtual_gid_maps = static:999
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/db/domains.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/db/accounts.cf
virtual_minimum_uid = 999
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:999

#postconf -Mf
smtp       inet  n       -       n       -       1       postscreen
    -o smtpd_sasl_auth_enable=no
smtpd      pass  -       -       n       -       -       smtpd
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
    -o smtpd_sender_login_maps=mysql:/usr/local/etc/postfix/db/sender-login-maps.cf
    -o tls_preempt_cipherlist=yes
    -o cleanup_service_name=submission-header-cleanup
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
submission-header-cleanup unix n - n     -       0       cleanup
    -o header_checks=regexp:/usr/local/etc/postfix/submission_header_cleanup
spf-policy unix  -       n       n       -       0       spawn user=vmail
    argv=/usr/local/bin/perl /usr/local/libexec/postfix-policyd-spf-perl
dfilt      unix  -       n       n       -       -       pipe flags=Rq
    user=filter argv=/usr/local/etc/postfix/disclaimer -f ${sender} -r
    ${recipient}
scan       unix  -       -       n       -       16      smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10026 inet n   -       n       -       16      smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
p0f-policy unix  -       n       n       -       -       spawn user=p0f
    argv=/usr/local/bin/perl /usr/local/etc/postfix/p0f-policy.pl

#cat postfix.log
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: connect from
Connecting-Host-and-IP
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: Anonymous
TLS connection established from Connecting-Host-and-IP: TLSv1.2 with
cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: NOQUEUE:
reject: RCPT from Connecting-Host-and-IP: 554 5.7.1 <[hidden email]>:
Relay access denied; from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<[192.168.1.107]>
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: disconnect
from Connecting-Host-and-IP ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1
rset=1 quit=1 commands=7/8



Re: aquamail helo option

Viktor Dukhovni


> On Apr 22, 2018, at 11:29 PM, David Mehler <[hidden email]> wrote:
>
> Thanks for your reply. My postconf -nf and postconf -Mf are below as
> is the relevant log portions. I'm suspecting that my various smtpd*
> restrictions are wrong.

Start with the default upstream master.cf file template for submission:

  https://github.com/vdukhovni/postfix/blob/master/postfix/conf/master.cf#L17

AVOID complex restrict definitions in master.cf, use the indirect approach
($mua_client_restrictions, ...) from the stock master.cf file, with the
actual definitions in main.cf.

Only the shortest/simplest overrides that will never change should be
explicitly defined in master.cf.  For example, and likely the
setting you're missing:

   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

--
        Viktor.
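A lint for exactly the gap Viktor describes, written as an added example for this page (it is neither Postfix code nor anything posted in the thread). It parses postconf -nf / postconf -Mf style output, computes the effective smtpd_relay_restrictions for the submission service (master.cf -o override first, then main.cf, then the built-in default), and reports when SASL-authenticated clients are not permitted before the relay check rejects. The sample input is trimmed from the output posted earlier in the thread to the parameters this check needs; MASTER_CF_FIXED appends the one override Viktor names.

```python
import re

# Sample input, trimmed from the "postconf -nf" / "postconf -Mf" output posted
# earlier in the thread to the parameters this check looks at.
MAIN_CF = """\
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination check_helo_access
    hash:/usr/local/etc/postfix/helo_access
smtpd_relay_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
"""

MASTER_CF = """\
smtp       inet  n       -       n       -       1       postscreen
    -o smtpd_sasl_auth_enable=no
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
"""

# The single override Viktor points at, appended to the submission service.
MASTER_CF_FIXED = MASTER_CF + "    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject\n"

# Built-in defaults (Postfix >= 2.10) for the parameters that matter here.
DEFAULTS = {
    "smtpd_relay_restrictions": "permit_mynetworks permit_sasl_authenticated defer_unauth_destination",
    "smtpd_sasl_auth_enable": "no",
}


def parse_main_cf(text):
    """'name = value' lines; an indented line continues the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        else:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params


def parse_master_cf(text):
    """service name -> {parameter: value} for that service's '-o' overrides."""
    services, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            m = re.match(r"\s*-o\s+([^=]+)=(.*)", line)
            if m and name:
                services[name][m.group(1).strip()] = m.group(2).strip()
        else:
            name = line.split()[0]
            services[name] = {}
    return services


def effective(param, service, main, master):
    """master.cf -o override wins, then main.cf, then the built-in default."""
    return master.get(service, {}).get(param, main.get(param, DEFAULTS.get(param, "")))


def restriction_list(value):
    """Postfix accepts whitespace and/or commas as separators."""
    return [tok for tok in re.split(r"[\s,]+", value) if tok]


def check_submission(main_text, master_text, service="submission"):
    """Findings that make SASL-authenticated submission end in 'Relay access denied'."""
    main, master = parse_main_cf(main_text), parse_master_cf(master_text)
    if service not in master:
        return [f"{service}: no such service in master.cf"]
    findings = []
    if effective("smtpd_sasl_auth_enable", service, main, master) != "yes":
        findings.append(f"{service}: smtpd_sasl_auth_enable is not yes")
    relay = restriction_list(effective("smtpd_relay_restrictions", service, main, master))
    # smtpd_relay_restrictions is evaluated before smtpd_recipient_restrictions, so
    # the authenticated client must be permitted here; otherwise reject_unauth_destination
    # (or a bare reject) answers "Relay access denied" whatever the recipient rules say.
    # An empty list disables the relay stage and leaves the decision to recipient rules.
    terminal = [i for i, r in enumerate(relay)
                if r in ("reject_unauth_destination", "defer_unauth_destination", "reject", "defer")]
    permit_at = relay.index("permit_sasl_authenticated") if "permit_sasl_authenticated" in relay else None
    if relay and (permit_at is None or (terminal and permit_at > terminal[0])):
        findings.append(f"{service}: smtpd_relay_restrictions does not permit SASL clients "
                        f"before rejecting unauthorized relay: {' '.join(relay)}")
    return findings


if __name__ == "__main__":
    print("as posted:", check_submission(MAIN_CF, MASTER_CF))
    print("with fix: ", check_submission(MAIN_CF, MASTER_CF_FIXED))
```

Run against the posted configuration it reports the main.cf smtpd_relay_restrictions list (which has no permit_sasl_authenticated) as the effective relay policy for submission; with the override appended it reports nothing.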


Re: aquamail helo option

David Mehler
Hello Viktor,

Thank you for your reply. I do see the differences between the
master.cf you reference and the one I've got. One thing do you have an
upstream reference for main.cf in GitHub? I'm looking for the mua*
definitions, my system does not have them.

Thanks.
Dave.



Re: aquamail helo option

Viktor Dukhovni


> On Apr 23, 2018, at 12:10 AM, David Mehler <[hidden email]> wrote:
>
> Thank you for your reply. I do see the differences between the
> master.cf you reference and the one I've got. One thing do you have an
> upstream reference for main.cf in GitHub? I'm looking for the mua*
> definitions, my system does not have them.

The default working configuration has empty values for the various
$mua_mumble parameters.  Most sites don't need them, but if you do
need additional controls, you set them to fit your needs.  The stock
main.cf file does not define these parameters:

  https://github.com/vdukhovni/postfix/blob/master/postfix/conf/main.cf

--
        Viktor.


Re: aquamail helo option

David Mehler
Hi,

Thanks. So I can drop in master.cf upstream without inputting mua*
parameters in my main.cf?

I've got a few options in my master.cf file submission service that
are not in the upstream file, are they still relevant in 3.3?

smtp       inet  n       -       n       -       1       postscreen
    -o smtpd_sasl_auth_enable=no

dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy

and in submission:
    -o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous

    -o tls_preempt_cipherlist=yes


Thanks.
Dave.



Re: aquamail helo option

Viktor Dukhovni


> On Apr 23, 2018, at 12:29 AM, David Mehler <[hidden email]> wrote:
>
> Thanks. So I can drop in master.cf upstream without inputting mua*
> parameters in my main.cf?

Generally not the whole file, but you can use the stock file as a
starting template from which to borrow appropriate service definitions
or specific override settings.

> I've got a few options in my master.cf file submission service that
> are not in the upstream file, are they still relevant in 3.3?
>
> smtp       inet  n       -       n       -       1       postscreen
>    -o smtpd_sasl_auth_enable=no

That setting is the default, and if you don't set it to "yes" in main.cf,
the override is not needed, but could be a harmless "safety net".

> dnsblog    unix  -       -       n       -       0       dnsblog
> tlsproxy   unix  -       -       n       -       0       tlsproxy

These are needed for postscreen support.  You uncomment them in
the stock file as needed.

> and in submission:
>    -o smtpd_tls_dh1024_param_file=/etc/ssl/dhparam.pem

See http://www.postfix.org/FORWARD_SECRECY_README.html#quick-start
Don't get hung up on the literal file name; what matters is the content,
thus ideally a 2048-bit (Sophie Germain) prime group.

>    -o smtpd_sasl_type=dovecot
>    -o smtpd_sasl_path=private/auth

Whatever SASL backend works for you.

>    -o smtpd_sasl_security_options=noanonymous
>    -o tls_preempt_cipherlist=yes

These are fine.

--
        Viktor.


Re: aquamail helo option

David Mehler
Hello Viktor,

Thank you again for your reply.

I had to remove the mua* options in submission from the upstream
master.cf that I loaded, otherwise it loaded fine. I'm not using them.

I think I have it, the pfs that is. Can I get a postconf -nf and a
postconf -Mf sanitized of your configuration? I'd like to compare it
with mine.

Thanks.
Dave.



Re: aquamail helo option

Viktor Dukhovni


> On Apr 23, 2018, at 12:55 AM, David Mehler <[hidden email]> wrote:
>
> Thank you again for your reply.
>
> I had to remove the mua* options in submission from the upstream
> master.cf that I loaded, otherwise it loaded fine. I'm not using them.

That's surprising.  They should work just fine, with any custom
non-empty settings for the parameters added to main.cf.

> I think I have it, the pfs that is. Can I get a postconf -nf and a
> postconf -Mf sanitized of your configuration? I'd like to compare it
> with mine.

That's unlikely to be useful.  Our needs are unlikely to coincide.
If your configuration is not doing what you want, explain what you
want, post the configuration you're testing and any relevant logs.

--
        Viktor.


Re: aquamail helo option

Matus UHLAR - fantomas
In reply to this post by David Mehler
>> On Sun, Apr 22, 2018 at 07:24:42PM -0400, David Mehler wrote:
>>> Is anyone using Android's Aquamail to send mail through postfix?
>>> If so, how do you have it configured?
>>>
>>> My postfix is rejecting mail from Aquamail because its HELO is:
>>>
>>> <[192.168.1.1]>, basically its internal IP.

how do you know it's because of HELO?

On 22.04.18 23:29, David Mehler wrote:

>#cat postfix.log
>Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: connect from
>Connecting-Host-and-IP
>Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: Anonymous
>TLS connection established from Connecting-Host-and-IP: TLSv1.2 with
>cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: NOQUEUE:
>reject: RCPT from Connecting-Host-and-IP: 554 5.7.1 <[hidden email]>:
>Relay access denied; from=<[hidden email]> to=<[hidden email]>
>proto=ESMTP helo=<[192.168.1.107]>

this does not look like HELO rejection.
Did you set up smtp authentication? did it work?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
     One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them

Re: aquamail helo option

David Mehler
Hi,

I don't have any mua* options set in main.cf.

As for HELO, I'm going to post my restrictions and their corresponding
files; it's going to be a few hours, but I'm sure it's HELO.

Thanks.
Dave.



Re: aquamail helo option

Matus UHLAR - fantomas
On 23.04.18 09:25, David Mehler wrote:
>I don't have any mua* options set in main.cf.

that is not what I have asked.

>As for helo I'm going to post my restrictions and their corresponding
>files going to be a few hours, but I'm sure it's helo.

you did post your restrictions and I have found nothing related there.

Let's better start from scratch:

can you answer my question (did you enable authentication?)
because the below looks like recipient rejection, which should be allowed if
you are authenticated or in $mynetworks:

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
    check_helo_access hash:/usr/local/etc/postfix/helo_access
    check_helo_access pcre:/usr/local/etc/postfix/helo_checks
    check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx
    check_sender_access hash:/usr/local/etc/postfix/safe_addresses
    check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
    check_client_access cidr:/usr/local/etc/postfix/spamfarms
    check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
    check_recipient_access mysql:/usr/local/etc/postfix/db/recipient-access.cf
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname reject_non_fqdn_sender
    reject_invalid_helo_hostname reject_unlisted_recipient
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service unix:private/spf-policy
    check_policy_service unix:private/dovecot-quota
    check_policy_service unix:private/p0f-policy



--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.

Re: aquamail helo option

Wietse Venema
In reply to this post by Matus UHLAR - fantomas
Matus UHLAR - fantomas:
> >Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: NOQUEUE:
> >reject: RCPT from Connecting-Host-and-IP: 554 5.7.1 <[hidden email]>:
> >Relay access denied; from=<[hidden email]> to=<[hidden email]>
> >proto=ESMTP helo=<[192.168.1.107]>
>
> this does not look like HELO rejection.

I agree, and I wrote Postfix.

If Postfix had rejected HELO then it would say:

    reject: ... 554 5.7.1 <[192.168.1.107]>: Helo command rejected

Instead it says:

    reject: ... 554 5.7.1 <[hidden email]>: Relay access denied

Meaning the client was blocked with reject_unauth_destination,
presumably because the client did not authenticate with SASL.

        Wietse
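Wietse's distinction is easy to automate, and the disconnect summary that Postfix logs at the end of each session tells you one more thing. The following is an added example for this page, not Postfix code and not anything from the thread: it pairs each NOQUEUE reject with its session's disconnect counters (matched by smtpd pid), classifies the reject text, and reads the counters the way Postfix writes them, as "cmd=ok/total" only when the two differ, so "auth=1" in the posted log is one AUTH command that succeeded. Read that way, the posted session was authenticated and still got "Relay access denied", which is the case a missing permit_sasl_authenticated in the effective smtpd_relay_restrictions produces. THREAD_LOG is the posted excerpt re-joined onto one line per entry (with the thread's redactions left in place); HELO_REJECT_LOG is constructed for contrast, with an invented client address and session.

```python
import re

# The four submission log lines posted in the thread, re-joined onto one line
# each (the mail client had wrapped them); host and addresses were redacted there.
THREAD_LOG = """\
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: connect from Connecting-Host-and-IP
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: Anonymous TLS connection established from Connecting-Host-and-IP: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: NOQUEUE: reject: RCPT from Connecting-Host-and-IP: 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<[192.168.1.107]>
Apr 22 13:40:13 hostname postfix/submission/smtpd[34144]: disconnect from Connecting-Host-and-IP ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=7/8
"""

# Constructed for contrast (not from the thread): the shape of a port-25 session
# where reject_non_fqdn_helo_hostname fires. Client address and pid are invented.
HELO_REJECT_LOG = """\
Apr 22 13:41:02 hostname postfix/smtpd[34150]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 504 5.5.2 <android-1234>: Helo command rejected: need fully-qualified hostname; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<android-1234>
Apr 22 13:41:02 hostname postfix/smtpd[34150]: disconnect from unknown[203.0.113.5] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
"""

REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<client>\S+): (?P<code>\d{3}) "
    r"(?P<dsn>\d\.\d\.\d) <(?P<subject>[^>]*)>: (?P<reason>[^;]+);.*helo=<(?P<helo>[^>]*)>")
PID_RE = re.compile(r"\[(\d+)\]: ")
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_disconnect(line):
    """Counters from a disconnect summary as {cmd: (succeeded, issued)}.
    Postfix writes 'cmd=ok/total' only when they differ, so 'auth=1' is 1 of 1."""
    summary = line.split(" disconnect from ", 1)[1].split(" ", 1)[1]
    return {cmd: (int(ok), int(total or ok)) for cmd, ok, total in COUNTER_RE.findall(summary)}


def triage(log):
    """Pair every NOQUEUE reject with its session's disconnect counters and classify it."""
    rejects, disconnects = [], {}
    for line in log.splitlines():
        pid = PID_RE.search(line)
        pid = pid.group(1) if pid else None
        m = REJECT_RE.search(line)
        if m:
            rejects.append((pid, m.groupdict()))
        elif " disconnect from " in line:
            disconnects[pid] = parse_disconnect(line)

    results = []
    for pid, r in rejects:
        counters = disconnects.get(pid, {})
        authed = counters.get("auth", (0, 0))[0] > 0
        if r["reason"].startswith("Helo command rejected"):
            verdict = "helo-restriction"   # a HELO restriction or check_helo_access fired
        elif r["reason"] == "Relay access denied":
            # reject_unauth_destination: the relay stage never permitted this client
            verdict = "relay-denied-after-auth" if authed else "relay-denied-unauthenticated"
        else:
            verdict = "other"
        results.append({"pid": pid, "client": r["client"], "helo": r["helo"],
                        "reason": r["reason"], "authenticated": authed, "verdict": verdict})
    return results


if __name__ == "__main__":
    for entry in triage(THREAD_LOG) + triage(HELO_REJECT_LOG):
        print(entry)
```

The "commands=7/8" counter in the posted line is consistent with this reading: eight commands were issued (two EHLO, STARTTLS, AUTH, MAIL, RCPT, RSET, QUIT) and only the RCPT failed.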