I can't send email via my own Postfix anymore due to enforced restrictions that I made
Until recently my server with Postfix has worked well. Then I enforced some restrictions to a) combat spam and b) disable sending emails to me on behalf of my own name -- I have begun receiving emails from my own email address demanding that I send bitcoin to someone.
I want to fix both a and b.
And now I can't send email via my own Postfix server:
```
Client host rejected: cannot find your reverse hostname, [<my ip here>]
```
Note that I carry my laptop to different places and countries and connect to WiFi from those. And I want to be able to send email always.
Here's a part of my Postfix config. For the database of accounts and domains I use PostgreSQL.
```
smtpd_helo_required = yes
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname,
    reject_unauth_pipelining
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
### reject_non_fqdn_helo_hostname,
    reject_unauth_pipelining
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining
smtpd_data_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_multi_recipient_bounce,
    reject_unauth_pipelining

# deliver mail for virtual users to Dovecot's LMTP socket
virtual_transport = lmtp:unix:private/dovecot-lmtp
# query to find which domains we accept mail for
virtual_mailbox_domains = pgsql:/etc/postfix/virtual_mailbox_domains.cf
# query to find which email addresses we accept mail for
virtual_mailbox_maps = pgsql:/etc/postfix/virtual_mailbox_maps.cf
# query to find a user's email aliases
virtual_alias_maps = pgsql:/etc/postfix/virtual_alias_maps.cf
virtual_alias_domains =
alias_database =
alias_maps =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all
```
Tags: linux, email, postfix
asked 6 hours ago by nylypej, edited 1 hour ago
Rui F Ribeiro (5 hours ago): You won't be able to send email from most places with those restrictions unless you configure pre-authentication to send emails or create a VPN.
nylypej (1 hour ago): @RuiFRibeiro what do you mean by pre-authentication? It's used -- I have to provide my email/password
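To make the rejection in the question concrete, here is an added Python model of how Postfix walks one smtpd restriction list in order and stops at the first entry that permits or rejects. It is not code from the question or from Postfix: the restriction names are Postfix's own, the rejection texts are modelled on Postfix's, but the DNS answers, the `mynetworks` list, the `smtpd_sender_login_maps` contents and the names `Session`, `evaluate` and `scenarios` are this example's constructed assumptions. It reproduces the roaming-laptop case (a WiFi address with no PTR record, and no SASL login before the check is reached) and the question's point (b): with `reject_sender_login_mismatch` placed before `permit_sasl_authenticated`, an unauthenticated client that claims the owner's own address is rejected while the authenticated owner passes.

```python
"""Toy evaluator for a Postfix smtpd restriction list (added example).
DNS data and the sender-login map are constructed inline so it runs offline."""
import ipaddress
from dataclasses import dataclass

# Constructed DNS: a well-run MX with forward-confirmed reverse DNS, a host
# whose PTR does not resolve back to it, and a laptop on hotel WiFi
# (192.0.2.55) that has no PTR record at all.
PTR = {"203.0.113.10": "mx.example.org", "198.51.100.7": "claims.example.net"}
A = {"mx.example.org": ["203.0.113.10"], "claims.example.net": ["198.51.100.99"]}

MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]

# Constructed smtpd_sender_login_maps: which SASL logins own which senders.
SENDER_LOGIN_MAPS = {"me@example.com": {"me@example.com"}}


@dataclass
class Session:
    client_ip: str
    sasl_username: str = ""   # empty: the client did not authenticate
    sender: str = ""          # MAIL FROM address

    @property
    def sasl_authenticated(self):
        return bool(self.sasl_username)


def in_mynetworks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def reverse_name(ip):
    return PTR.get(ip)


def fcrdns_ok(ip):
    """Forward-confirmed reverse DNS: a PTR exists and resolves back to ip."""
    name = PTR.get(ip)
    return name is not None and ip in A.get(name, [])


def evaluate(restrictions, s):
    """(verdict, reason) from the first restriction that decides. An exhausted
    list yields DUNNO: this list neither permits nor rejects, and Postfix goes
    on to the next restriction list. A PERMIT likewise only ends this list."""
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(s.client_ip):
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and s.sasl_authenticated:
            return "PERMIT", r
        if r == "reject_unknown_reverse_client_hostname" and reverse_name(s.client_ip) is None:
            return "REJECT", f"cannot find your reverse hostname, [{s.client_ip}]"
        if r == "reject_unknown_client_hostname" and not fcrdns_ok(s.client_ip):
            return "REJECT", f"cannot find your hostname, [{s.client_ip}]"
        if r == "reject_sender_login_mismatch":
            owners = SENDER_LOGIN_MAPS.get(s.sender.lower(), set())
            if s.sasl_authenticated and s.sasl_username not in owners:
                return "REJECT", f"Sender address rejected: not owned by user {s.sasl_username}"
            if not s.sasl_authenticated and owners:
                return "REJECT", "Sender address rejected: not logged in"
        if r == "reject":
            return "REJECT", "Access denied"
    return "DUNNO", "end of list"


# The two lists from the question that matter for points (a) and (b).
CLIENT_RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                       "reject_unknown_reverse_client_hostname",
                       "reject_unknown_client_hostname"]
SENDER_RESTRICTIONS = ["permit_mynetworks", "reject_sender_login_mismatch",
                       "permit_sasl_authenticated"]


def scenarios():
    return {
        "laptop, no AUTH": evaluate(CLIENT_RESTRICTIONS, Session("192.0.2.55")),
        "laptop, AUTH": evaluate(CLIENT_RESTRICTIONS, Session("192.0.2.55", "me@example.com")),
        "PTR without forward match": evaluate(CLIENT_RESTRICTIONS, Session("198.51.100.7")),
        "proper MX": evaluate(CLIENT_RESTRICTIONS, Session("203.0.113.10")),
        "spoofed self, no AUTH": evaluate(SENDER_RESTRICTIONS,
                                          Session("203.0.113.10", sender="me@example.com")),
        "own address, AUTH": evaluate(SENDER_RESTRICTIONS,
                                      Session("192.0.2.55", "me@example.com", "me@example.com")),
    }


if __name__ == "__main__":
    for name, (verdict, why) in scenarios().items():
        print(f"{name:28} {verdict:6} {why}")
```

The first scenario is exactly the question's error text; the second shows that the same laptop is permitted as soon as `permit_sasl_authenticated` matches before the DNS checks are reached, which is the distinction the comment about "pre-authentication" is making.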
2 Answers
Use different restrictions for the submission interface (MSA, mail submission agent) on port 587, for example (excerpt of master.cf):
```
submission inet n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```
It forces STARTTLS and enables sending only after authentication; this is the easiest way. You can also use a VPN or similar, as proposed in the comments, and whitelist your IP/ranges with this method.
Using different ports for the MSA (port 587) and the MTA (Mail Transport Agent, ports 25, 465) is recommended, as you will need different settings for each of them.
This is a minimal example; extend it to your needs.
answered 3 hours ago by sebix
nylypej (59 mins ago):
> It forces STARTTLS and enables sending only after authentication,
-- I'm required to provide login and password now, how is this not authentication?
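A way to check a master.cf excerpt like the one in this answer before reloading Postfix, as an added Python example that is not the answer's or Postfix's code: it parses service entries, treats lines that start with whitespace as continuations the way master.cf does, and flags a submission service that does not require SASL and TLS or whose client and recipient restriction lists do not end in `reject`. The service and option names are Postfix's; `parse_master_cf`, `lint_submission`, `check` and the lint rules themselves are this example's own assumptions about a sane submission service. The lint accepts either `smtpd_enforce_tls = yes` (the pre-2.3 parameter used above) or `smtpd_tls_security_level = encrypt`, the setting current Postfix documents in its place. The flush-left variant shows why the indentation matters when copying the excerpt: an unindented `-o` line is not a continuation line, so it no longer belongs to the submission service.

```python
"""Parse a master.cf excerpt and lint its submission service (added example)."""

SUBMISSION_OK = """\
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

# The same excerpt with the leading whitespace of the -o lines lost, as it
# appears when copied from a rendered page without its indentation.
SUBMISSION_FLUSH_LEFT = SUBMISSION_OK.replace("\n  -o ", "\n-o ")


def parse_master_cf(text):
    """Return {'name/type': {'command': [...], 'overrides': {key: value}}}.
    master.cf rule: a line that starts with whitespace continues the previous
    service entry; everything else starts a new entry of at least 8 fields."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                          # continuation line
            if current is None:
                raise ValueError("continuation line before any service")
            opt = raw.strip()
            if opt.startswith("-o "):
                key, _, val = opt[3:].partition("=")
                services[current]["overrides"][key] = val
            else:
                services[current]["command"].append(opt)
            continue
        fields = raw.split()
        if fields[0] == "-o":
            raise ValueError("'-o' line is not indented, so it starts a new "
                             f"service entry instead of an override: {raw!r}")
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        current = f"{fields[0]}/{fields[1]}"
        services[current] = {"command": fields[7:], "overrides": {}}
    return services


def lint_submission(services):
    """Findings for the submission service; an empty list means it looks sane."""
    svc = services.get("submission/inet")
    if svc is None:
        return ["no submission/inet service defined"]
    o, findings = svc["overrides"], []
    if o.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SASL auth is not enabled on submission")
    if o.get("smtpd_enforce_tls") != "yes" and o.get("smtpd_tls_security_level") != "encrypt":
        findings.append("TLS is not mandatory on submission")
    for lst in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        items = [x.strip() for x in o.get(lst, "").split(",") if x.strip()]
        if "permit_sasl_authenticated" not in items:
            findings.append(f"{lst} never permits authenticated clients")
        if not items or items[-1] != "reject":
            findings.append(f"{lst} does not end in 'reject'")
    return findings


def check(text):
    """Parse and lint; a parse error is itself reported as a finding."""
    try:
        return lint_submission(parse_master_cf(text))
    except ValueError as e:
        return [f"parse error: {e}"]


if __name__ == "__main__":
    print("indented:  ", check(SUBMISSION_OK) or "ok")
    print("flush-left:", check(SUBMISSION_FLUSH_LEFT))
```

On a live system the same questions can be put to Postfix itself with `postconf -M submission/inet` and `postconf -P` (both real postconf options), which print the service entry and its `-o` overrides as Postfix actually parsed them.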
I've been running my own mail servers for a long time. In my experience, 99% of spam can be rejected via SPF and DKIM checking along with RBL checking.
Here's a portion of my "standard" client restrictions:
```
smtpd_client_restrictions = permit_mynetworks
    permit_sasl_authenticated
    check_helo_access hash:/etc/postfix/helo_access
    check_client_access hash:/etc/postfix/client_checks
    reject_unauth_destination
    check_policy_service unix:private/policy-spf
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client pbl.spamhaus.org
    reject_rbl_client sbl.spamhaus.org
    reject_rbl_client bl.blocklist.de
    reject_unknown_client
```
It's common for spammers to attempt to spoof a HELO by sending your domain's name or IP address, or localhost. These spoof attempts can be rejected immediately using the check_helo_access option as shown above. The HELO text database consists of a domain name, IP address or IP address range followed by the action and a message to send back.
A fairly simple HELO check follows:
```
# helo access
# check_helo_access hash:/etc/postfix/helo_access
localhost         REJECT Only I am me
127.0.0.1         REJECT Only I am me
example.com       REJECT Only I am me
dns.host.ip.addr  REJECT Only I am me
```
"example.com" is your domain, and "dns.host.ip.addr" is your server's DNS-listed IP address.
This database example results in something like this from one of my actual server logs:
```
Oct 30 06:32:49 <domain> postfix/smtpd[22915]: NOQUEUE: reject: RCPT from xxx-161-xxx-132.dynamic-ip.xxxx.net[xxx.161.xxx.132]: 554 5.7.1 <xxx.xxx.xxx.xxx>: Helo command rejected: Only I am me; from=<dlh@xxx.xxx.cq.cnt> to=<gogo@xxxx.com.tw> proto=SMTP helo=<xxx.xxx.xxx.xxx>
```
The potential spammer/spoofer gets the message "Only I am me". It doesn't matter what the message is, but at least the spammer/spoofer knows you know.
And individual client checking goes something like this:
```
ip.addr.hack.attmpt        REJECT
misconfig.server.but.good  ACCEPT
```
And that's about it. I get about 3 spam mails a month, with hundreds of spam rejected.
answered 5 hours ago by RubberStamp, edited 1 hour ago
nylypej (1 hour ago): what's `example.com REJECT Only I am me`? what's `dns.host.ip.addr REJECT Only I am me`?
nylypej (1 hour ago): have you taken into account that I travel with my laptop and connect to wifi and send email from different places and countries?
RubberStamp (58 mins ago): @nylypej ... The laptop to email server connection is handled by Dovecot... not postfix... I can adjust my answer for a fairly complete configuration... however, I highly recommend installing LetsEncrypt and obtaining a DV TLS certificate that covers your mail server's IMAP and/or POP3 connection.
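Reading the reject lines back out of the mail log is the quickest way to see which restriction is doing the rejecting and which clients it hits, both for tuning a setup like the one in this answer and for finding out why one's own laptop is being refused. Here is an added Python example, not from the answer, that parses `NOQUEUE: reject:` lines of the shape shown above into fields and counts rejections per normalized reason. The log lines are constructed (documentation addresses, constructed timestamps and status codes; the reason texts are the HELO rejection quoted in this answer, the reverse-hostname rejection from the question, and a Postfix sender-login rejection); `REJECT_RE`, `parse_rejects`, `summarize` and `clients_for` are this example's own names.

```python
"""Summarise Postfix smtpd NOQUEUE rejections from a log excerpt (added example)."""
import re
from collections import Counter

# Constructed sample log: three kinds of rejection plus one non-reject line.
LOG = """\
Oct 30 06:32:49 mail postfix/smtpd[22915]: NOQUEUE: reject: RCPT from host-161-132.dynamic-ip.example.net[198.51.100.132]: 554 5.7.1 <203.0.113.10>: Helo command rejected: Only I am me; from=<dlh@example.org> to=<gogo@example.com> proto=SMTP helo=<203.0.113.10>
Oct 30 06:40:02 mail postfix/smtpd[22920]: NOQUEUE: reject: RCPT from unknown[192.0.2.55]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [192.0.2.55]; from=<me@example.com> to=<friend@example.net> proto=ESMTP helo=<laptop>
Oct 30 06:41:17 mail postfix/smtpd[22920]: NOQUEUE: reject: RCPT from unknown[192.0.2.55]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [192.0.2.55]; from=<me@example.com> to=<friend@example.net> proto=ESMTP helo=<laptop>
Oct 30 06:45:31 mail postfix/smtpd[22931]: NOQUEUE: reject: RCPT from unknown[198.51.100.200]: 554 5.7.1 <me@example.com>: Sender address rejected: not logged in; from=<me@example.com> to=<me@example.com> proto=ESMTP helo=<example.com>
Oct 30 06:46:00 mail postfix/smtpd[22931]: connect from unknown[198.51.100.200]
"""

# One smtpd reject line: process, SMTP stage, client name and address, SMTP
# reply code and enhanced status, free-text reason, then the envelope fields.
REJECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<esc>\d\.\d\.\d+) "
    r"(?P<reason>.*?); from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)


def normalize_reason(reason):
    """Drop the per-message '<addr>: ' prefix and the trailing ', [ip]' so
    identical policy decisions group together regardless of the client."""
    reason = re.sub(r"^<[^>]*>: ", "", reason)
    reason = re.sub(r", \[[^\]]+\]$", "", reason)
    return reason


def parse_rejects(text):
    """Return one dict per reject line; connects, disconnects and accepted
    mail do not match the pattern and are skipped."""
    records = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["reason"] = normalize_reason(rec["reason"])
        records.append(rec)
    return records


def summarize(records):
    """Rejections per normalized reason."""
    return Counter(r["reason"] for r in records)


def clients_for(records, reason):
    """Client addresses that were refused for the given reason."""
    return {r["ip"] for r in records if r["reason"] == reason}


if __name__ == "__main__":
    recs = parse_rejects(LOG)
    for reason, n in summarize(recs).most_common():
        print(f"{n:3}  {reason}  clients={sorted(clients_for(recs, reason))}")
```

Grouping by normalized reason separates the two questions on this page: repeated "cannot find your reverse hostname" entries from a single changing address are one's own roaming client hitting a DNS-based client restriction, while "Helo command rejected" and "Sender address rejected" entries from foreign addresses are the spam and self-spoofing the restrictions were added for.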