Hi! After I changed the main.cf yesterday according to the recommendations of Spamhaus, https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html# no more emails can be sent from mobile devices.

From Thunderbird the message is:

"Senden der Nachricht ist fehlgeschlagen Fehler beim Senden der Nachricht. Der Mail-Server antwortete: Client host 91.114.18X.XXX blocked using ZEN - see https://www.spamhaus.org/query/ip/91.114.1XX.XXX for details. Bitte überprüfen Sie die E-Mail Adresse des Empfängers "[email protected]" und wiederholen Sie den Vorgang."

My main.cf (part of)

Code:
smtpd_recipient_restrictions =
    reject_rbl_client XXXXX3uvo3vcbrc5gd2kz4.zen.dq.spamhaus.net=127.0.0.[2..11],
    reject_rhsbl_sender XXXXX3uvo3vcbrc5gd2kz4.dbl.dq.spamhaus.net=127.0.1.[2..99],
    reject_rhsbl_helo XXXXX3uvo3vcbrc5gd2kz4.dbl.dq.spamhaus.net=127.0.1.[2..99],
    reject_rhsbl_reverse_client XXXXX3uvo3vcbrc5gd2kz4.dbl.dq.spamhaus.net=127.0.1.[2..99],
    reject_rhsbl_sender XXXXX3uvo3vcbrc5gd2kz4.zrd.dq.spamhaus.net=127.0.2.[2..24],
    reject_rhsbl_helo XXXXX3uvo3vcbrc5gd2kz4.zrd.dq.spamhaus.net=127.0.2.[2..24],
    reject_rhsbl_reverse_client XXXXX3uvo3vcbrc5gd2kz4.zrd.dq.spamhaus.net=127.0.2.[2..24],
    permit_mynetworks,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf,
    check_policy_service unix:private/quota-status
rbl_reply_maps = hash:/etc/postfix/dnsbl-reply-map

mail.log

Code:
Mar 28 05:40:55 tesoro postfix/smtpd[2651]: connect from 089144216235.atnat0025.highway.a1.net[89.144.216.235]
Mar 28 05:40:56 tesoro postfix/smtpd[2651]: NOQUEUE: filter: RCPT from 089144216235.atnat0025.highway.a1.net[89.144.216.235]: <office@XXX>: Sender address triggers FILTER lmtp:[127.0.0.1]:10026; from=<office@XXXat> to=<[email protected]> proto=ESMTP helo=<[192.168.36.47]>
Mar 28 05:40:56 tesoro postfix/smtpd[2651]: NOQUEUE: reject: RCPT from 089144216235.atnat0025.highway.a1.net[89.144.216.235]: 554 5.7.1 Client host 89.144.216.235 blocked using ZEN - see https://www.spamhaus.org/query/ip/91.114.1XX.XXX for details; from=<office@XXX> to=<[email protected]> proto=ESMTP helo=<[192.168.36.47]>
Mar 28 05:41:01 tesoro postfix/smtpd[2651]: lost connection after RCPT from 089144216235.atnat0025.highway.a1.net[89.144.216.235]
Mar 28 05:41:01 tesoro postfix/smtpd[2651]: disconnect from 089144216235.atnat0025.highway.a1.net[89.144.216.235] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6

After I researched, the references point to a missing/incorrect login to the server. But I can exclude Open Relay (mxtoolbox).

If I remove the line

Code:
reject_rbl_client XXXXX3uvo3vcbrc5gd2kz4.zen.dq.spamhaus.net=127.0.0.[2..11],

sending is possible. But this is not the goal.

How do I configure the main.cf/smtpd_recipient_restrictions correctly so that I can send emails from mobile devices?

Thanks for your help!

Add the Spamhaus blacklist via ISPConfig instead.

- Undo the current changes
- In the panel, go to System -> Server Config -> server1.example.com -> Mail
- Add the blacklists you want to add at the option "Real-time Blackhole List"

Note this works for that one entry because it uses reject_rbl_client, which is the same restriction list as ISPConfig will add; all the other lists use different restriction lists and will not utilize the spamhaus lists correctly.

The reason this change worked for you is because ISPConfig adds the "reject_rbl_client ..." after some other smtpd_recipient_list restrictions (permit_mynetworks, permit_sasl_authenticated, etc.) which allow the client to send - what you should do is keep the restriction lists they provided, but reorder your restrictions so authenticated clients aren't blocked, etc.

You might also want to ensure your users send on port 465 or 587 and configure the smtpd_recipient_restrictions there (in master.cf) for them to be able to send, and then leave the default smtpd_recipient_restrictions (in main.cf) much more restrictive (port 25 is for server to server mail, not for authenticated clients).
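
The ordering problem described in the reply above, as an added example that is not part of the original thread: a Python check that flags DNSBL rejects evaluated ahead of permit_mynetworks / permit_sasl_authenticated and prints one possible reordering. It assumes a comma-separated list as in the question; DQSKEY, the sample list and the function names are placeholders made up for this example.

```python
# Restrictions that reject when a DNS blocklist lookup returns a hit.
DNSBL_REJECTS = {"reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender",
                 "reject_rhsbl_helo", "reject_rhsbl_reverse_client"}
# Restrictions that let trusted networks and authenticated users through.
PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}


def parse(value):
    """Split a comma-separated restriction list into [name, arg, ...] entries."""
    return [entry.split() for entry in value.split(",") if entry.strip()]


def _last_permit(entries):
    """Index of the last permit_* entry, or -1 if the list has none."""
    return max((i for i, e in enumerate(entries) if e[0] in PERMITS), default=-1)


def blocked_before_permit(entries):
    """DNSBL rejects that run before a permit_* entry, so they also hit
    authenticated clients on dynamic or carrier-NAT addresses."""
    head = entries[:_last_permit(entries) + 1]
    return [" ".join(e) for e in head if e[0] in DNSBL_REJECTS]


def reorder(entries):
    """Move those DNSBL rejects to directly after the last permit_* entry."""
    cut = _last_permit(entries) + 1
    head, tail = entries[:cut], entries[cut:]
    kept = [e for e in head if e[0] not in DNSBL_REJECTS]
    moved = [e for e in head if e[0] in DNSBL_REJECTS]
    return kept + moved + tail


# Constructed sample modelled on the list in the question (shortened).
SAMPLE = """
    reject_rbl_client DQSKEY.zen.dq.spamhaus.net=127.0.0.[2..11],
    reject_rhsbl_sender DQSKEY.dbl.dq.spamhaus.net=127.0.1.[2..99],
    permit_mynetworks,
    reject_unlisted_recipient,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/quota-status
"""

if __name__ == "__main__":
    entries = parse(SAMPLE)
    print("evaluated before a permit_*:", blocked_before_permit(entries))
    print("smtpd_recipient_restrictions =")
    print(",\n".join("    " + " ".join(e) for e in reorder(entries)))
```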