
Re: your mail


Wietse Venema

Feb 11, 2005, 8:18:28 PM
Lydiard:
> Hi
>
> In my logs, I have this.. (who doesn't)..??
>
>
> Feb 8 23:08:00 jonty postfix/smtpd[27708]: connect from ns1.www-goto.com[202.14.69.2]
> Feb 8 23:08:01 jonty postfix/smtpd[27708]: NOQUEUE: reject: RCPT from ns1.www-goto.com[202.14.69.2]: 554 Service unavailable; Client host [202.14.69.2] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?202.14.69.2; from=<edi...@WWW-GOTO.COM> to=<in...@mydomain.net> proto=ESMTP helo=<www--search.com>
> Feb 8 23:08:02 jonty postfix/smtpd[27708]: disconnect from ns1.www-goto.com[202.14.69.2]
>
> I'm upset that it was rejected by the RBL. The mydomain.net is a virtual domain
> (there are no local accounts at all) and there is no valid user account for inf@
> anything (bugger the RFCs, I say). So, why wasn't it 550-ed by the
> reject_unauth_destination? Have I misunderstood the use of this? Should I be

It wasn't rejected by reject_unauth_destination.

It was rejected by the DNSBL at bl.spamcop.net.

Wietse

Lydiard

Feb 12, 2005, 3:44:16 AM
Quoting Wietse Venema <wie...@porcupine.org>:

I know that, and as far as I can see from the config I posted it should have hit
reject_unauth_destination BEFORE it triggered the DNSBL from Spamcop - i.e.
spamcop should never even have been asked. Why didn't
reject_unauth_destination reject it? I don't have in...@mydomain.net in my
MySQL table.

Lyd
Sorry, I forgot to "subject" my original mail..

Magnus Bäck

Feb 12, 2005, 5:42:47 AM
On Saturday, February 12, 2005 at 09:44 CET,
Lydiard <lyd...@spamcop.net> wrote:

> I know that, and as far as I can see from the config I posted it
> should have hit reject_unauth_destination BEFORE it triggered the
> DNSBL from Spamcop - i.e. spamcop should never even have been asked.
> Why didn't reject_unauth_destination reject it? I don't have
> in...@mydomain.net in my MySQL table.

reject_unauth_destination doesn't check for the existence of the
recipient address. reject_unlisted_recipient (check_recipient_maps
in Postfix <2.1) does that.

--
Magnus Bäck
mag...@dsek.lth.se

Lydiard

Feb 12, 2005, 9:52:24 AM
Quoting Magnus Bäck <mag...@dsek.lth.se>:

Thanks. I've added in after the reject_auth_destination and it seems to work -
that is, it doesn't seem to have broken anything. The perplexing thing is that
I often have Recipient Address Rejected notices in my logs (mostly from
misspelled valid accounts) even before I did this. Which still makes me wonder
why the DNSBL blocked that mail and not the user-lookup check.

Lyd

Matt

Feb 12, 2005, 9:58:00 AM
Lydiard wrote:

> > reject_unauth_destination doesn't check for the existence of the
> > recipient address. reject_unlisted_recipient (check_recipient_maps
> > in Postfix <2.1) does that.
>
> Thanks. I've added in after the reject_auth_destination and it seems to
> work - that is, it doesn't seem to have broken anything. The perplexing
> thing is that I often have Recipient Address Rejected notices in my logs
> (mostly from misspelled valid accounts) even before I did this. Which
> still makes me wonder why the DNSBL blocked that mail and not the
> user-lookup check.


Possibly because those previous sender|client addresses weren't in a
blocklist?


Matt

Magnus Bäck

Feb 12, 2005, 10:03:27 AM
On Saturday, February 12, 2005 at 15:52 CET,
Lydiard <lyd...@spamcop.net> wrote:

> Quoting Magnus Bäck <mag...@dsek.lth.se>:
>
> > reject_unauth_destination doesn't check for the existence of the
> > recipient address. reject_unlisted_recipient (check_recipient_maps
> > in Postfix <2.1) does that.
>
> Thanks. I've added in after the reject_auth_destination and it seems
> to work - that is, it doesn't seem to have broken anything. The
> perplexing thing is that I often have Recipient Address Rejected
> notices in my logs (mostly from misspelled valid accounts) even before
> I did this. Which still makes me wonder why the DNSBL blocked that
> mail and not the user-lookup check.

If you don't specify reject_unlisted_recipient/check_recipient_maps,
the restriction will be performed implicitly at the end of the recipient
restrictions (this can be disabled with smtpd_reject_unlisted_recipient
in Postfix 2.1 and later).

--
Magnus Bäck
mag...@dsek.lth.se
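
An added example, not part of any post in this thread: a simplified Python model of the first-match evaluation discussed above, showing why a DNSBL-listed client gets the 554 before the implicit end-of-list recipient lookup is reached. The restriction names are Postfix's; the addresses, tables, function layout and the assumed restriction order are constructed, since the poster's configuration is not shown here.

```python
# Simplified model of smtpd_recipient_restrictions evaluation (added example).
# Restriction names are Postfix's; all data below is constructed.
VIRTUAL_DOMAINS = {"mydomain.example"}       # domains this server accepts mail for
VALID_RECIPIENTS = {"lyd@mydomain.example"}  # stands in for the MySQL recipient table
DNSBL_LISTED = {"192.0.2.25"}                # clients the DNSBL would list

def reject_unauth_destination(client_ip, rcpt):
    # Checks the recipient DOMAIN only, never whether the mailbox exists.
    domain = rcpt.rsplit("@", 1)[1]
    return None if domain in VIRTUAL_DOMAINS else (554, "Relay access denied")

def reject_rbl_client(client_ip, rcpt):
    # Checks the CLIENT address only; the recipient is irrelevant here.
    if client_ip in DNSBL_LISTED:
        return (554, "Client host blocked by DNSBL")
    return None

def reject_unlisted_recipient(client_ip, rcpt):
    # The check that actually looks the recipient up in the table.
    domain = rcpt.rsplit("@", 1)[1]
    if domain in VIRTUAL_DOMAINS and rcpt not in VALID_RECIPIENTS:
        return (550, "Recipient address rejected: User unknown")
    return None

def evaluate(restrictions, client_ip, rcpt, implicit_unlisted_check=True):
    """Return the first verdict; None from a restriction means 'no opinion'."""
    chain = list(restrictions)
    if implicit_unlisted_check:
        # Models smtpd_reject_unlisted_recipient: the check runs after the list.
        chain.append(reject_unlisted_recipient)
    for restriction in chain:
        verdict = restriction(client_ip, rcpt)
        if verdict is not None:
            return verdict
    return (250, "Ok")

# Assumed orderings (the original configuration is not on this page).
ORIGINAL = [reject_unauth_destination, reject_rbl_client]
REORDERED = [reject_unauth_destination, reject_unlisted_recipient, reject_rbl_client]

if __name__ == "__main__":
    unknown = "info@mydomain.example"
    print(evaluate(ORIGINAL, "192.0.2.25", unknown))    # listed client
    print(evaluate(ORIGINAL, "198.51.100.7", unknown))  # unlisted client
    print(evaluate(REORDERED, "192.0.2.25", unknown))   # recipient check first
```

With the explicit reject_unlisted_recipient placed ahead of the DNSBL restriction, unknown recipients are refused locally and no DNSBL query is needed for them.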

Magnus Bäck

Feb 17, 2005, 5:28:10 PM
On Wednesday, February 16, 2005 at 20:02 CET,
Lars Weste <lwe...@gmx.de> wrote:

> i have set up postfix that i can relay mail from my internal server
> through my external mail server to the internet.
> I'm wondering how i can set up postfix to relay mails from trusted users
> with a dynamic address without open postfix as a spam relay?
> Is there a way without authentication, that i say any mail from domain
> @mydomain.com to anywhere is allowed?

Allowing relay access for clients with example.com sender addresses is
not okay. Allowing relay access for clients whose IP address resolves
to a hostname under example.com is okay. Use check_client_access.

> or do i need to set up sasl authentication or sth. similar, authenticating
> all users before they can send? if i do so, can i use sasl or ldap
> authentication for users sending mail from the internet.

It's not a question of SASL or LDAP; you'll be using SASL either way,
but the SASL library can indeed use an LDAP backend.

> i also have an cyrus imap server running, authenticating the users
> against ldap, on the same host. or can i do pop before smtp with
> postfix?

Either way.

> so in short: what is the best way to allow authenticated users from
> the internet to send mail and the internal relay host also to send
> mail?

If you already have authentication setup for Cyrus, it should not be too
difficult to get it working with Postfix too.

--
Magnus Bäck
mag...@dsek.lth.se

Victor Duchovni

Feb 17, 2005, 5:52:24 PM
On Thu, Feb 17, 2005 at 11:27:50PM +0100, Magnus Bäck wrote:

> On Wednesday, February 16, 2005 at 20:02 CET,
> Lars Weste <lwe...@gmx.de> wrote:
>
> > i have set up postfix that i can relay mail from my internal server
> > through my external mail server to the internet.
> > I'm wondering how i can set up postfix to relay mails from trusted users
> > with a dynamic address without open postfix as a spam relay?
> > Is there a way without authentication, that i say any mail from domain
> > @mydomain.com to anywhere is allowed?
>
> Allowing relay access for clients with example.com sender addresses is
> not okay. Allowing relay access for clients whose IP address resolves
> to a hostname under example.com is okay. Use check_client_access.

This has unpleasant failure modes when DNS tempfails, do not whitelist
or grant relay rights based on client domain names. One can globally
enforce reject_unknown_client as a work-around, but this has other
unpleasant consequences.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
