Hey there,

So one of my clients (person) has added their mail account to the Gmail client, and they've had no problems with it until recently. They suddenly started getting this error message:

Code:
<[email protected]> host hostname.mydomain.tld[xxx.xxx.xxx.xxx] said: 554 5.7.1 Service unavailable; Client host [xxx.xxx.xxx.xxx] blocked using zen.spamhaus.org (in reply to RCPT TO command)

My server isn't listed on that blacklist, and messages send fine when using another mail client (Thunderbird, webmail). Any ideas as to what could be causing this?
You are using a blacklist in one of your smtpd restrictions in which the client IP is listed, so it is blocked. To work around that you will need to change the restriction to allow the client based on some characteristic before the RBL check. It's possible to put 'permit_sasl_authenticated' ahead of that so authenticated clients bypass RBLs, or use something like this example which is set up by ISPConfig (I assume you don't use ISPConfig since you posted in the non-ISPConfig forum topics):

Code:
# postconf smtpd_client_restrictions
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, reject_rbl_client zen.spamhaus.org, permit_sasl_authenticated, reject_unauth_pipelining, reject_unknown_client_hostname, permit

That shows the RBL in use ahead of permit_sasl_authenticated, which is effective for port 25 (mail from external servers); clients sending mail use ports 465 or 587, which both override that (in master.cf) to simply:

Code:
smtpd_client_restrictions=permit_sasl_authenticated,reject

So the RBL isn't used at all for clients sending mail, they simply have to authenticate.
I do use ISPConfig, I just assumed the problem wasn't specifically related to ISPConfig, so I asked here since I didn't know quite where else to post it. Would I still need to add your suggested configurations to my master.cf if I'm using ISPConfig? Thing is, these bounce backs only started happening recently. I haven't run any updates in the time between getting no bounce backs and getting them, the last update being in March or so. And I edited my original post to differentiate between real client and mail client.
You have the default setup, with the RBL used here:

Code:
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining , permit

and smtpd_client_restrictions is overwritten for both submission and smtps services:

Code:
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Which means your client is in fact not using those services, but the default smtpd_client_restrictions (i.e. port 25). I'll additionally note that your current setting has permit_sasl_authenticated ahead of the RBL, so your client is not only using the wrong port, but they are not authenticating to your server, either.
That's weird, because when I switch ports on any client to port 25, then I'm unable to send, but when I switch to 465 or 587, then I'm able to send. Can I change the port to both 465 and 587, or does it have to be one? And will moving permit_sasl_authenticated after the RBL resolve authenticating to my server?
They are both set up on your server, the client will use one or the other; sometimes when setting up a connection a client might test multiple ones to find what works, but then it settles on one set of ports/settings to use, and doesn't change afterwards (it doesn't mean a client couldn't do that in theory, but in practice I've not seen that behavior). No, that would make the RBL apply to authenticated clients as well (which is what I showed above, and I think is what you'll end up with if you reconfigure your server); as you have it, if the client authenticates on port 25, the RBL will not be checked. You said this happens for someone using a Gmail client? I don't know how that works exactly, but can you check/specify the ports there?
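To make the ordering discussion in the two replies above concrete, here is a small added simulation (not code from the thread or from Postfix/ISPConfig) of how Postfix walks an smtpd_client_restrictions list: the first restriction that yields a verdict wins, and ports 465/587 use the shorter override from master.cf. The RBL-listed IP, the mynetworks entry and the verdict strings are constructed sample data; the check_client_access and permit_inet_interfaces lookups are not modelled.

```python
"""Simulate Postfix smtpd_client_restrictions evaluation order (added example)."""
from dataclasses import dataclass

RBL_LISTED = {"203.0.113.10"}   # constructed: pretend this IP is on zen.spamhaus.org
MYNETWORKS = {"127.0.0.1"}      # constructed: trusted local network

@dataclass
class Client:
    ip: str
    port: int
    sasl_authenticated: bool

# Default port-25 list from the thread: SASL permit sits BEFORE the RBL check.
DEFAULT_PORT25 = ["permit_mynetworks", "permit_sasl_authenticated",
                  "reject_rbl_client", "reject_unauth_pipelining", "permit"]
# Alternative ordering from the first reply: RBL check BEFORE the SASL permit.
RBL_FIRST = ["permit_mynetworks", "reject_rbl_client",
             "permit_sasl_authenticated", "reject_unauth_pipelining", "permit"]
# master.cf override for submission (587) and smtps (465).
SUBMISSION = ["permit_sasl_authenticated", "reject"]

def evaluate(restrictions, client):
    """Walk the list in order; a restriction with no opinion falls through (DUNNO)."""
    for r in restrictions:
        if r == "permit_mynetworks" and client.ip in MYNETWORKS:
            return "OK"
        if r == "permit_sasl_authenticated" and client.sasl_authenticated:
            return "OK"
        if r == "reject_rbl_client" and client.ip in RBL_LISTED:
            return (f"554 5.7.1 Service unavailable; Client host [{client.ip}] "
                    "blocked using zen.spamhaus.org")
        if r == "permit":
            return "OK"
        if r == "reject":
            return "554 5.7.1 Access denied"
    return "DUNNO"   # end of list without a verdict (Postfix would then permit)

def verdict(client, port25_list=DEFAULT_PORT25):
    """Pick the restriction list by port, as master.cf does, then evaluate it."""
    rules = SUBMISSION if client.port in (465, 587) else port25_list
    return evaluate(rules, client)

if __name__ == "__main__":
    listed = "203.0.113.10"
    for c in (Client(listed, 25, False), Client(listed, 25, True),
              Client(listed, 465, False), Client(listed, 465, True)):
        print(c.port, c.sasl_authenticated, "->", verdict(c))
    print("port 25, authenticated, RBL first ->",
          verdict(Client(listed, 25, True), RBL_FIRST))
```

Running it shows the thread's symptom: an unauthenticated client on the listed IP gets the 554 bounce on port 25, the same client is accepted on 465 only if it authenticates, and swapping the RBL ahead of permit_sasl_authenticated makes port 25 reject even authenticated clients.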
Yes, the ports can be specified through the gmail client, and have been set to 465. Is the fact that my clients aren't authenticating to my server a critical issue? And if so, what can I do to resolve it?