the server is running the latest Debian OS and ISPCFG3 and has been set up according to the perfect Debian Server how to available here. first of all please find my main.cf further down: I thought I had it all perfectly configured but I am getting a weird problem now. From my work station everything works with these settings: POP3, SSL, port 995 and POP3 no SSL port 110 When sending, if I use these settings: SMTP, port 25, TLS same with SMTp port 25 no SSL I get the following error due to the fact that I didn't check the box where it says: "Server requries authentification", seems logical to me so far. if I use SMTP, TLS, port 25 and check the box: "server requries authentification" and tell it to use the same settings as for the incoming mail server, everything is working just fine. And now comes the problem: one customer in particular cannot use SSL/TLS which I will figure out soon but she is able to send via SMTP port 25 without the checkbox being ticked for "Server requires authentification". I checked the server and I am not an open relay, so how can this be? I remember Outlook express had a checkbox for: "pop before SMTP" but this particular client is using Outlook and I can't find such a setting so how is she sending mail? Code: # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = /usr/share/doc/postfix # TLS parameters smtpd_tls_cert_file = /etc/postfix/smtpd.cert smtpd_tls_key_file = /etc/postfix/smtpd.key smtpd_use_tls = yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. myhostname = h1870666.stratoserver.net alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = h1870666.stratoserver.net, localhost, localhost.localdomain relayhost = mynetworks = 127.0.0.0/8 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all html_directory = /usr/share/doc/postfix/html virtual_alias_domains = virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_mailbox_base = /var/vmail virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_recipient_restrictions = permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023, permit smtpd_tls_security_level = may transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf virtual_create_maildirsize = yes virtual_maildir_extended = yes virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf virtual_mailbox_limit_override = yes virtual_maildir_limit_message = "The user you are trying to reach is over quota." virtual_overquota_bounce = yes proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_$ smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 virtual_transport = maildrop header_checks = regexp:/etc/postfix/header_checks mime_header_checks = regexp:/etc/postfix/mime_header_checks nested_header_checks = regexp:/etc/postfix/nested_header_checks body_checks = regexp:/etc/postfix/body_checks content_filter = amavis:[127.0.0.1]:10024 receive_override_options = no_address_mappings message_size_limit = 0 inet_protocols = all smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous smtpd_tls_auth_only = no smtp_tls_note_starttls_offer = yes smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem smtpd_tls_loglevel = 4 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom
How did she test that? I guess she send a email to another domain which is on the same server, then the behaviour is OK as smtp authentication is only required when you send email to another server like a gmail.com address.
I definitely know she sent to the same domain - she actually clicked the "Test settigns" button Outlook offers which sends out an email to itself... Thanks for opening my eyes to this but does that mean any email from a domain to itself can be used for spamming? Apart from this mistery, does my main.cf above look ok to you?
You are using old postfix syntax in reject_invalid_hostname (reject_invalid_helo_hostname). Also you need smtpd_helo_required = yes to enforce this restriction. Cheers
