2

I have Postfix 2.9.6 running on Ubuntu with the following configuration https://gist.github.com/anonymous/400fb4afa05e18c6da2b and I'm suffering the following issue, where a valid client tries to send an email to itself. Most of my clients do not have a valid FQDN as hostname, but as I understand it that's not a problem because of permit_sasl_authenticated. I don't know why the following process ends up like this:

Out: 220 mail.isp.es ESMTP Postfix
 In:  EHLO NoFQDN-Host
 Out: 250-mail.isp.es
 Out: 250-PIPELINING
 Out: 250-SIZE 10240000
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: <user2@domain.com>
 Out: 250 2.1.0 Ok
 In:  RCPT TO: <user2@domain.com>
 Out: 450 4.7.1 : Helo command rejected: Host not found

Session aborted, reason: lost connection

For other details, see the local mail logfile

The following are my restrictions:

smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, warn_if_reject reject_unknown_helo_hostname, permit
smtpd_restriction_classes =
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit

Does anyone know why that client is not able to send an email while others do?

peris
  • Looks like your client did not authenticate? – Dusan Bajic Feb 14 '14 at 08:17
  • Hi, according to the Postfix restrictions, to get that forward he must have been authenticated previously. I'm also assuming he's connecting to a secure port which needs authentication – peris Feb 14 '14 at 08:28
  • If the block above is from your debug log then the client did not authenticate. – mschuett Feb 14 '14 at 09:52
  • Yes, I see he didn't authenticate; that may explain why it then gets the EHLO reject, because he is not authenticated. Thx! – peris Feb 14 '14 at 13:48

2 Answers

3

The important configuration part
https://gist.github.com/anonymous/7168b1810d6f7bbea7e7

smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unknown_helo_hostname, permit_sasl_authenticated, permit

Suggested Fix
In smtpd_recipient_restrictions put reject_unknown_helo_hostname after permit_sasl_authenticated.

AnFi
  • Hi, thanks a lot for your answer. The gist configuration was outdated; the current configuration is the one highlighted in the post, which is already as you suggest. That's why I don't understand how it can be possible to reject due to invalid hostname while the client is supposed to be authenticated. Any clue? Maybe the issue is not in smtpd_recipient_restrictions? Thanks! – peris Feb 14 '14 at 10:27
  • Could you provide sample SMTP session with HELO based reject in reply to "rcpt to" **after** SMTP AUTH? The sample you provided is without SMTP AUTH. – AnFi Feb 14 '14 at 10:33
  • "That's why I don't understand how it can be possible to reject due to invalid hostname while the client is supposed to be authenticated. Any clue?" show maillog – ALex_hha Feb 14 '14 at 11:11
  • Hi, that's the genuine log file https://gist.github.com/anonymous/9d95164f5cd2d7862e10 – peris Feb 14 '14 at 13:43
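
The ordering rule behind the suggested fix, as a small simulation (an added example, not code from the answer or from Postfix): a restriction list is walked left to right and the first restriction that returns PERMIT or REJECT decides. The `Session` fields, `evaluate()` and the treatment of every unmodelled restriction as a pass-through are assumptions of this sketch.

```python
import re
from dataclasses import dataclass

@dataclass
class Session:
    sasl_authenticated: bool
    in_mynetworks: bool = False
    helo_resolves: bool = False  # HELO name has an A or MX record (false for NoFQDN-Host)
    rcpt_is_local: bool = True   # assumption: this server is the final destination

# Simplified checks: each answers PERMIT, REJECT or DUNNO (no opinion, keep going).
CHECKS = {
    "permit": lambda s: "PERMIT",
    "permit_mynetworks": lambda s: "PERMIT" if s.in_mynetworks else "DUNNO",
    "permit_sasl_authenticated": lambda s: "PERMIT" if s.sasl_authenticated else "DUNNO",
    "reject_unknown_helo_hostname": lambda s: "DUNNO" if s.helo_resolves else "REJECT",
    "reject_unauth_destination": lambda s: "DUNNO" if s.rcpt_is_local else "REJECT",
}

def evaluate(restrictions, session):
    """Return (verdict, deciding restriction, warn_if_reject hits) for one list."""
    warnings, warn_only = [], False
    for name in re.split(r"[,\s]+", restrictions.strip()):
        if name == "warn_if_reject":      # modifier: applies to the next restriction
            warn_only = True
            continue
        # Restrictions not modelled above are assumed to pass for this session.
        result = CHECKS.get(name, lambda s: "DUNNO")(session)
        if result == "REJECT" and warn_only:
            warnings.append(name)         # logged only, evaluation continues
        elif result != "DUNNO":
            return result, name, warnings
        warn_only = False
    return "PERMIT", "(end of list)", warnings

# The list quoted in the answer, then the same list with the suggested fix applied.
AS_QUOTED = ("reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, "
             "reject_unknown_recipient_domain, reject_unauth_destination, "
             "reject_unknown_helo_hostname, permit_sasl_authenticated, permit")
REORDERED = ("reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, "
             "reject_unknown_recipient_domain, reject_unauth_destination, "
             "permit_sasl_authenticated, reject_unknown_helo_hostname, permit")

if __name__ == "__main__":
    for label, rules in (("as quoted", AS_QUOTED), ("reordered", REORDERED)):
        for auth in (False, True):
            verdict, by, _ = evaluate(rules, Session(sasl_authenticated=auth))
            print(f"{label:9} auth={auth!s:5} -> {verdict} by {by}")
```

With the reordered list, only the session that completed SMTP AUTH skips the HELO lookup; a client that never authenticates is still rejected, which matches the session shown in the question.
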
0

Your client probably just needs to alter the configuration of his email client. You haven't mentioned if you've enabled the submission and/or smtps ports, however, if you're just offering port 25, they may just need to configure their outgoing connection to use STARTTLS.

NickW