Sending messages from gmail client blocked.

Discussion in 'Server Operation' started by anark10n, Jun 10, 2021.

Tags:
  1. anark10n

    anark10n Member

    Hey there
    So one of my clients(person) has added their mail account to the Gmail client, and they've had no problems with it until recently. They suddenly started to get this error message recently
    Code:
    <[email protected]> host hostname.mydomain.tld[xxx.xxx.xxx.xxx] said: 554
    5.7.1 Service unavailable; Client host [xxx.xxx.xxx.xxx] blocked using
    zen.spamhaus.org (in reply to RCPT TO command)
    My server isn't listed on that blacklist, and messages send fine when using another mail client (thunderbird, webmail). Any ideas as to what could be causing this?
     
    Last edited: Jun 11, 2021
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You are using a blacklist in one of your smtpd restrictions in which the client ip is listed, so it is blocked. To work around that you will need to change the restriction to allow the client based on some characteristic before the rbl check. It's possible to put 'permit_sasl_authenticated' ahead of that so authenticated clients bypass rbls, or use something like this example which is setup by ISPConfig (I assume you don't use ISPConfig since you posted in the non-ISPConfig forum topics):
    Code:
    # postconf smtpd_client_restrictions
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated, reject_unauth_pipelining, reject_unknown_client_hostname, permit
    
    That shows the rbl in use ahead of permit_sasl_authenticated, which is effective for port 25 (mail from external servers); clients sending mail use ports 465 or 587, which both override that (in master.cf) to simply:
    Code:
    smtpd_client_restrictions=permit_sasl_authenticated,reject
    
    So the rbl isn't used for at all for clients sending mail, they simply have to authenticate.
     
  3. anark10n

    anark10n Member

    I do use ispconfig, I just assumed the problem wasn't specifically related to ispconfig, so I asked here since i didn't know quite where else to post it to. Would i still need to add your suggested configurations to my master.cf if I'm using ispconfig?
    Thing is, these bounce backs only started happening recently. I haven't ran any updates in the time between getting no bounce backs and getting them, the last update being in March or so. And i edited my original post to differentiate between real client and mail client.
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Clients should send mail on port 465 or 587; there is no rbl in use there.
     
  5. anark10n

    anark10n Member

    Yep, that is the port they are sending on, i haven't changed them from the defaults.
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    What is your main.cf and master.cf?
     
  7. anark10n

    anark10n Member

    See attached.
     

    Attached Files:

  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You have the default setup, with the rbl used here:
    Code:
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining , permit
    and smtpd_client_restrictions is overwritten for both submission and smtps services:
    Code:
    submission inet n       -       y       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_auth_only=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    
    smtps     inet  n       -       y       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    
    Which means your client is in fact not using those services, but the default smtpd_client_restrictions (ie. port 25). I'll additionally note that your current setting has permit_sasl_authentication ahead of the rbl, so your client is not only using the wrong port, but they are not authenticating to your server, either.
     
  9. anark10n

    anark10n Member

    That's weird, because when I switch ports on any client to port 25, then I'm an unable to send, but when I switch to 465 or 587, then I'm able to send. Can I change the port to both 465 and 587, or does it have to be one? And will moving permit_sasl_authentication after rbl resolve authenticating to my server?
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    They are both setup on your server, the client will use one or the other; sometimes when setting up a connection a client might test multiple ones to find what works, but then it settles on one set of ports/settings to use, and doesn't change afterwards (it doesn't mean a client couldn't do that in theory, but in practice I've not seen that behavior).
    No, that would make the rbl apply to authenticated clients as well (which is what I showed above, and I think is what you'll end up with if you reconfigure your server); as you have it, if the client authenticates on port 25, the rbl will not be checked.

    You said this happens for someone using a gmail client? I don't know how that works exactly, but can you check/specify the ports there?
     
  11. anark10n

    anark10n Member

    Yes, the ports can be specified through the gmail client, and have been set to 465.
    Is the fact that my clients aren't authenticating to my server a critical issue? And if so, what can I do to resolve it?
     

Share This Page