Hello,

One of the users got "Error 403 - Forbidden" when trying to reply/send email. This is what is in the mail log. Any idea why this might have happened?

/var/log/mail.log
Feb 15 07:24:18 sun postfix/postscreen[13641]: CONNECT from [196.20.68.185]:27349 to [177.178.22.22]:25
Feb 15 07:24:18 sun postfix/postscreen[13641]: PREGREET 14 after 0.17 from [196.20.68.185]:27349: EHLO ylmf-pc\r\n
Feb 15 07:24:18 sun postfix/postscreen[13641]: HANGUP after 0.41 from [196.20.68.185]:27349 in tests after SMTP handshake

Thanks

Possible HELO restrictions for clients? reject_non_fqdn_helo_hostname = yes in place? Maybe also post your postfix main.cf

http://www.postfix.org/postconf.5.html#reject_invalid_helo_hostname
http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions

If the client were rejected for the helo hostname, or any other reason, you'd have a 'reject: ....' log message. Those are postscreen logs; from http://www.postfix.org/POSTSCREEN_README.html:

Code:
When an SMTP client sends a command before the postscreen_greet_wait time has elapsed, postscreen(8) logs this as:
    PREGREET count after time from [address]:port text...
Translation: the client at [address]:port sent count bytes before its turn to speak. This happened time seconds after the postscreen_greet_wait timer was started. The text is what the client sent (truncated to 100 bytes, and with non-printable characters replaced with C-style escapes such as \r for carriage-return and \n for newline).
The postscreen_greet_action parameter specifies the action that is taken next.

And:

Code:
When an SMTP client hangs up unexpectedly, postscreen(8) logs this as:
    HANGUP after time from [address]:port in test name
Translation: the SMTP client at [address]:port disconnected unexpectedly, time seconds after the start of the test named test name.

So in your logs, 196.20.68.185 connected, sent the EHLO command before it was supposed to, then dropped the connection.

Now "Error 403 - Forbidden" is a webserver error - so your user is replying to an email in webmail (roundcube or squirrelmail) provided by your ispconfig setup? Your webmail shouldn't be hitting postscreen on your mail server; you might simply need to tell it (webmail) to send authenticated on port 587.

But a few other questions if that doesn't do it: what is 196.20.68.185, the IP address of your webmail server? Is your mail service on the same machine as webmail or a different machine? And what webmail program is it? If it's tripping up pregreet stuff in postscreen, it's not speaking SMTP very intelligently; maybe there's a bugfix/way to improve that, too.

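The PREGREET and HANGUP formats quoted in the post above can be checked mechanically. This is an added example, not code from the thread or from Postfix: it parses the three log lines from the first post, groups them per client session, and compares the PREGREET byte count with the logged text. The regular expressions follow the lines as posted (including the colon after the port in PREGREET), and the function names are illustrative.

```python
import re
from collections import defaultdict

# The three postscreen lines from the first post of this thread, as posted.
SAMPLE_LOG = r"""
Feb 15 07:24:18 sun postfix/postscreen[13641]: CONNECT from [196.20.68.185]:27349 to [177.178.22.22]:25
Feb 15 07:24:18 sun postfix/postscreen[13641]: PREGREET 14 after 0.17 from [196.20.68.185]:27349: EHLO ylmf-pc\r\n
Feb 15 07:24:18 sun postfix/postscreen[13641]: HANGUP after 0.41 from [196.20.68.185]:27349 in tests after SMTP handshake
"""

PREFIX = r"postfix/postscreen\[\d+\]: "
CLIENT = r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
PATTERNS = {
    "CONNECT": re.compile(PREFIX + "CONNECT from " + CLIENT + r" to \[(?P<server>[^\]]+)\]:(?P<server_port>\d+)"),
    "PREGREET": re.compile(PREFIX + r"PREGREET (?P<count>\d+) after (?P<time>[\d.]+) from " + CLIENT + r": (?P<text>.*)"),
    "HANGUP": re.compile(PREFIX + r"HANGUP after (?P<time>[\d.]+) from " + CLIENT + r" in (?P<test>.*)"),
}

def parse_postscreen(log_text):
    """Yield (event, fields) for every line matching one of the formats above."""
    for line in log_text.splitlines():
        for event, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                yield event, match.groupdict()
                break

def unescape(text):
    """Undo postscreen's C-style escapes (\\r, \\n, ...) to recover the raw bytes."""
    return text.encode("latin-1").decode("unicode_escape").encode("latin-1")

def summarize(log_text):
    """Group events per client session, keyed by (address, port)."""
    sessions = defaultdict(lambda: {"events": [], "pregreet": None, "count_ok": None, "hangup_in": None})
    for event, f in parse_postscreen(log_text):
        s = sessions[(f["ip"], f["port"])]
        s["events"].append(event)
        if event == "PREGREET":
            s["pregreet"] = unescape(f["text"])
            # The logged text is truncated to 100 bytes, so cap the expected length.
            s["count_ok"] = len(s["pregreet"]) == min(int(f["count"]), 100)
        elif event == "HANGUP":
            s["hangup_in"] = f["test"]
    return dict(sessions)

def early_talkers(log_text):
    """Clients that spoke before the server greeting (a PREGREET was logged)."""
    return sorted({ip for (ip, _), s in summarize(log_text).items() if s["pregreet"] is not None})

if __name__ == "__main__":
    for client, session in summarize(SAMPLE_LOG).items():
        print(client, session)
```
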
Thank you very much, Jesse!

Server IP is 177.178.22.22 (I changed IP number in log for privacy reasons). I have Roundcube installed as webmail. I use one server for the following services:

Web-Server: Online
FTP-Server: Online
SMTP-Server: Online
POP3-Server: Online
IMAP-Server: Online
DNS-Server: Online
mySQL-Server: Online

/etc/postfix/main.cf

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
postscreen_greet_action = enforce
policy-spf_time_limit = 3600s
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
strict_rfc821_envelopes = yes
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = sun.bluesignals.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = sun.bluesignals.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
inet_protocols = all
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unknown_recipient_domain, check_policy_service unix:private/policy-spf, check_policy_service inet:127.0.0.1:10023
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks

smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem

What do you have for SMTP settings in your roundcube config file (e.g. /opt/roundcube/config/config.inc.php if you followed the ispconfig howto to set it up, or /etc/roundcube/main.inc.php if using a debian package)? Try something like:

Code:
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';

That assumes you have submission port configured (check in /etc/postfix/master.cf, or run netstat -an | grep :587).

Submission port 587 is configured.

Code:
netstat -an | grep :587
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp6       0      0 :::587                  :::*                    LISTEN

I don't have any of the SMTP lines you mentioned in my /var/www/webmail/config/config.inc.php

Code:
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';