Postfix rejecting mail from authenticated clients
After much experimentation it turned out I had to add permit_sasl_authenticated to smtpd_client_restrictions (not to be confused with smtpd_recipient_restrictions).
This has fixed it.
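Why the fix in the answer above works, as an added example that is not part of the original post and is not Postfix code: a simplified model of restriction-list evaluation, where a permit only ends its own list while a reject in any list is final. The CLIENT_BEFORE value is an assumption, since the page never shows the original smtpd_client_restrictions; the session dictionary and function names are also constructed for illustration.

```python
# Simplified model (not Postfix code) of how smtpd walks its restriction lists.
# With the default smtpd_delay_reject = yes every list is evaluated at RCPT TO,
# which is why a client-stage reject is logged as "reject: RCPT".

# Copied from the main.cf shown in the question.
RECIPIENT = ["reject_unknown_sender_domain", "reject_unknown_recipient_domain",
             "reject_unauth_pipelining", "permit_mynetworks",
             "permit_sasl_authenticated", "reject_unauth_destination"]
# ASSUMPTION: the original smtpd_client_restrictions is not on the page;
# this value is a stand-in that ends in a blanket reject.
CLIENT_BEFORE = ["permit_mynetworks", "reject"]
CLIENT_AFTER = ["permit_mynetworks", "permit_sasl_authenticated", "reject"]

# Constructed session: authenticated phone outside $mynetworks, relaying out.
PHONE = {"in_mynetworks": False, "sasl_authenticated": True,
         "rcpt_is_local": False}

CHECKS = {
    "permit_mynetworks": lambda s: "permit" if s["in_mynetworks"] else None,
    "permit_sasl_authenticated":
        lambda s: "permit" if s["sasl_authenticated"] else None,
    "reject_unauth_destination":
        lambda s: None if s["rcpt_is_local"] else "reject",
    "reject": lambda s: "reject",
}

def evaluate(lists, session):
    """Return (action, stage, restriction) for one RCPT TO command."""
    for stage, restrictions in lists:
        for name in restrictions:
            # Restrictions not modelled here (DNS, pipelining) make no decision.
            verdict = CHECKS.get(name, lambda s: None)(session)
            if verdict == "reject":
                return ("reject", stage, name)  # a reject anywhere is final
            if verdict == "permit":
                break  # a permit only ends the current list
    return ("permit", None, None)

def decide(client_restrictions, session):
    """Evaluate the client list first, then the recipient list."""
    return evaluate([("client", client_restrictions),
                     ("recipient", RECIPIENT)], session)

if __name__ == "__main__":
    for label, client in (("before", CLIENT_BEFORE), ("after", CLIENT_AFTER)):
        print(label, decide(client, PHONE))
```

In this model the permit_sasl_authenticated entry in smtpd_recipient_restrictions is never reached for the "before" case, because the client list has already rejected the session.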
NPE
Updated on September 18, 2022
Comments
-
NPE almost 2 years
I am trying to configure Postfix so that it would accept mail from authenticated clients outside $mynetworks.

When I try to send a test email from my iPhone, which is configured to use port 25, SSL and password authentication, the mail gets rejected by Postfix. I get the following in /var/log/mail.info:

Oct 25 17:41:35 mailhost postfix/smtpd[6136]: warning: 212.183.x.x: hostname host212-183-x-x.uk.access.vodafone.net verification failed: Name or service not known
Oct 25 17:41:35 mailhost postfix/smtpd[6136]: connect from unknown[212.183.x.x]
Oct 25 17:41:39 mailhost postfix/smtpd[6136]: NOQUEUE: reject: RCPT from unknown[212.183.x.x]: 554 5.7.1 : Client host rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[10.25.x.x]>
Oct 25 17:41:39 mailhost postfix/smtpd[6136]: disconnect from unknown[212.183.x.x]

Here are all my main.cf settings that have to do with SASL/TLS:

smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom

How do I establish that the session is indeed authenticated?
How do I go about troubleshooting this further?
-
NPE over 12 years
@ChristopherEvans: It did. What wasn't configured correctly was smtpd_CLIENT_restrictions (caps used for emphasis).
-
mailq over 12 years
Definitively not! You will not allow the Vodafone domain(s) to be allowed for relaying. Never ever. Always use SASL but don't trust servers based on names.