need some help with my main.cf (postfix)

Discussion in 'Installation/Configuration' started by Ovidiu, Jan 9, 2012.

  1. Ovidiu

    Ovidiu Active Member

    the server is running the latest Debian OS and ISPCFG3 and has been set up according to the perfect Debian Server how to available here.
    first of all please find my main.cf further down:

    I thought I had it all perfectly configured but I am getting a weird problem now. From my work station everything works with these settings:

    POP3, SSL, port 995 and POP3 no SSL port 110

    When sending, if I use these settings:

    SMTP, port 25, TLS same with SMTp port 25 no SSL

    I get the following error due to the fact that I didn't check the box where it says: "Server requries authentification", seems logical to me so far.

    if I use SMTP, TLS, port 25 and check the box: "server requries authentification" and tell it to use the same settings as for the incoming mail server, everything is working just fine.

    And now comes the problem: one customer in particular cannot use SSL/TLS which I will figure out soon but she is able to send via SMTP port 25 without the checkbox being ticked for "Server requires authentification". I checked the server and I am not an open relay, so how can this be? I remember Outlook express had a checkbox for: "pop before SMTP" but this particular client is using Outlook and I can't find such a setting so how is she sending mail?


    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = h1870666.stratoserver.net
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = h1870666.stratoserver.net, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions =
                permit_sasl_authenticated,
                reject_non_fqdn_sender,
                reject_non_fqdn_recipient,
                reject_unknown_sender_domain,
                reject_unknown_recipient_domain,
                permit_mynetworks,
                check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
                reject_invalid_hostname,
                reject_non_fqdn_hostname,
                reject_unauth_destination,
                reject_rbl_client zen.spamhaus.org,
                check_policy_service inet:127.0.0.1:10023,
                permit
    smtpd_tls_security_level = may
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    virtual_create_maildirsize = yes
    virtual_maildir_extended = yes
    virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
    virtual_mailbox_limit_override = yes
    virtual_maildir_limit_message = "The user you are trying to reach is over quota."
    virtual_overquota_bounce = yes
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_$
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = maildrop
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_auth_only = no
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 4
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    
     
    Last edited: Jan 9, 2012
  2. till

    till Super Moderator

    How did she test that? I guess she send a email to another domain which is on the same server, then the behaviour is OK as smtp authentication is only required when you send email to another server like a gmail.com address.
     
  3. Ovidiu

    Ovidiu Active Member

    I definitely know she sent to the same domain :) - she actually clicked the "Test settigns" button Outlook offers which sends out an email to itself...

    Thanks for opening my eyes to this but does that mean any email from a domain to itself can be used for spamming?

    Apart from this mistery, does my main.cf above look ok to you?
     
  4. pititis

    pititis Member

    You are using old postfix syntax in reject_invalid_hostname (reject_invalid_helo_hostname). Also you need smtpd_helo_required = yes to enforce this restriction.

    Cheers
     

Share This Page