Hi,
I have the following set in postfix
smtpd_client_restrictions = permit_inet_interfaces permit_tls_all_clientcerts reject_rbl_client zen.spamhaus.org reject_rhsbl_client dbl.spamhaus.org reject_unknown_client
The permit_tls_all_clientcerts is an attempt to fix the issue but it still happens. I'm trying to send an email from my PC desktop email client. It logins into the virtual server mail using TLS. Sometimes this works and sometimes it comes back with blocked using zen.spamhaus.org. I can understand why the IP might be blocked. It's a dynamic IP assigned by my ISP so I shouldn't be posting from it onto the internet. But of course I want to connect to my mailserver ok.
Form the logs a successful send is:
postfix/smtpd[5633]: connect from xxxx[x.x.x.x]
postfix/smtpd[5633]: 7F9B7C0613: client=xxxx[x.x.x.x], sasl_method=LOGIN, sasl_username=xxxxx
postfix/smtpd[5633]: disconnect from xxxx[x.x.x.x]
and a failed send is
postfix/smtpd[8580]: connect from xxxx[xx.xx.xx.xx]
postfix/smtpd[8580]: NOQUEUE: reject: RCPT from xxxx[xx.xx.xx.xx]: 554 5.7.1 Service unavailable; Client host [x.x.x.x] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=...
postfix/smtpd[8580]: lost connection after RCPT from xxxx[x.x.x.x]
postfix/smtpd[8580]: disconnect from xxxx[x.x.x.x]
Why does this sometimes fail? If I check my PC's IP against spamhaus then I am blacklisted which I'd expect. And the blacklist was there when I had the fail, and there when I checked after sending the email so it's not like I just hit the window when it wasn't blacklisted. It seesm to be that sometimes it checks the blacklist before working out that I've logged in so are a valid user.
Comments
Submitted by andreychek on Thu, 10/23/2014 - 11:01 Comment #1
Howdy -- you may want to make sure you're connecting on a secure port; it's possible it's just rejecting connections to port 25. You'd also want to make sure your client is configured to authenticate, as clients such as Outlook doesn't always authenticate by default.
However, are you by chance using Virtualmin GPL there? If you're using Virtualmin GPL, and you have any followup questions, you'd want to use the Forums for that. We monitor the Forums, along with lots of wonderful folks in the community. Thanks!
Submitted by malc_b on Thu, 10/23/2014 - 12:02 Comment #2
Hi,
You're correct I am on GPL and so I have posted here by mistake. Sorry about that. Can you move this thread?
Anyway, if you can't then I'll repost when I see if what I'm trying works. The odd thing I reckon is that is fails occasionally, not all the time. So I think is it perhaps a timing issue. I've added permit_sasl_authenticated to the smtpd_client_restrictions and removed permit_tls_all_clientcerts. Looking at the successful send it is using sasl so maybe setting that in the list is the way to go rather than it being allowed by another (maybe later) test.
Submitted by andreychek on Thu, 10/23/2014 - 14:53 Comment #3
I wish it were simple to move a post! We've been talking about how to add that functionality, but it doesn't seem to work out of the box on this version of Drupal.
I had wondered if it were failing occasionally due to a different client being used (ie, mobile vs PC). Otherwise, that is indeed unusual, especially if the IP is consistently listed in the RBL.
I do recommend using "permit_sasl_authenticated" in there -- that option is there by default, but if that were removed, that could cause problems.
Submitted by malc_b on Fri, 10/24/2014 - 02:50 Comment #4
Thanks for that info. Some how permit_sasl_authenticated was lost from the settings so this is looking like the problem.
FYI this was all on the same PC with same email client.