HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=27)
-   -   need some help with my main.cf (postfix) (http://www.howtoforge.com/forums/showthread.php?t=55685)

Ovidiu 9th January 2012 12:24

need some help with my main.cf (postfix)
 
the server is running the latest Debian OS and ISPCFG3 and has been set up according to the perfect Debian Server how to available here.
first of all please find my main.cf further down:

I thought I had it all perfectly configured but I am getting a weird problem now. From my work station everything works with these settings:

POP3, SSL, port 995 and POP3 no SSL port 110

When sending, if I use these settings:

SMTP, port 25, TLS same with SMTp port 25 no SSL

I get the following error due to the fact that I didn't check the box where it says: "Server requries authentification", seems logical to me so far.

Quote:

--- Error ---
frogalla [0: POP3] ['mail.premaman.co.za' (port: 995)] [SSL: 1]
Send Mail: Error verifying 'To'<br> Server Returned: 5.5.2 &lt;TITAN&gt;: Helo command rejected: need fully-qualified hostname (#504)

if I use SMTP, TLS, port 25 and check the box: "server requries authentification" and tell it to use the same settings as for the incoming mail server, everything is working just fine.

And now comes the problem: one customer in particular cannot use SSL/TLS which I will figure out soon but she is able to send via SMTP port 25 without the checkbox being ticked for "Server requires authentification". I checked the server and I am not an open relay, so how can this be? I remember Outlook express had a checkbox for: "pop before SMTP" but this particular client is using Outlook and I can't find such a setting so how is she sending mail?


Code:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = h1870666.stratoserver.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = h1870666.stratoserver.net, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions =
            permit_sasl_authenticated,
            reject_non_fqdn_sender,
            reject_non_fqdn_recipient,
            reject_unknown_sender_domain,
            reject_unknown_recipient_domain,
            permit_mynetworks,
            check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
            reject_invalid_hostname,
            reject_non_fqdn_hostname,
            reject_unauth_destination,
            reject_rbl_client zen.spamhaus.org,
            check_policy_service inet:127.0.0.1:10023,
            permit
smtpd_tls_security_level = may
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_$
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 4
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


till 9th January 2012 13:09

How did she test that? I guess she send a email to another domain which is on the same server, then the behaviour is OK as smtp authentication is only required when you send email to another server like a gmail.com address.

Ovidiu 9th January 2012 20:07

I definitely know she sent to the same domain :-) - she actually clicked the "Test settigns" button Outlook offers which sends out an email to itself...

Thanks for opening my eyes to this but does that mean any email from a domain to itself can be used for spamming?

Apart from this mistery, does my main.cf above look ok to you?

pititis 9th January 2012 20:48

You are using old postfix syntax in reject_invalid_hostname (reject_invalid_helo_hostname). Also you need smtpd_helo_required = yes to enforce this restriction.

Cheers


All times are GMT +2. The time now is 20:59.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.