I can't send email via my own Postfix anymore due to enforced restrictions that I made

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












Until recently my server with Postfix has worked well. Then I enforced some restrictions to a) combat spam b) disable sending emails to me on behalf on my own name -- I have begun receiving emails from my own email address demanding to send bitcoin to someone.



I want to fix both a and b.



And now I can't send email via my own postfix server.



 Client host rejected: cannot find your reverse hostname, [<my ip here>]


Note that I carry my laptot to different places and countries, and connect to WiFi from those. And I want to be able to send email always.



Here's a part of my config of Postfix. For database of the accounts and domains I use Postgresql.



smtpd_helo_required = yes

smtpd_client_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unknown_reverse_client_hostname,

 reject_unknown_client_hostname,
 reject_unauth_pipelining

smtpd_helo_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_invalid_helo_hostname,

### reject_non_fqdn_helo_hostname,
 reject_unauth_pipelining

smtpd_sender_restrictions =
 permit_mynetworks,
 reject_sender_login_mismatch,
 permit_sasl_authenticated,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 reject_unauth_pipelining

smtpd_relay_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,

 reject_unauth_destination


smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 reject_unauth_pipelining

smtpd_data_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_multi_recipient_bounce,
 reject_unauth_pipelining

# deliver mail for virtual users to Dovecot's LMTP socket
virtual_transport = lmtp:unix:private/dovecot-lmtp

# query to find which domains we accept mail for
virtual_mailbox_domains = pgsql:/etc/postfix/virtual_mailbox_domains.cf

# query to find which email addresses we accept mail for
virtual_mailbox_maps = pgsql:/etc/postfix/virtual_mailbox_maps.cf

# query to find a user's email aliases
virtual_alias_maps = pgsql:/etc/postfix/virtual_alias_maps.cf

virtual_alias_domains = 
alias_database = 
alias_maps = 

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all





linux email postfix







share|improve this question









New contributor




nylypej is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 1




    You won't be able to send email from most places with those restriction unless you configure pre-authentication to send emails or create a VPN.
    – Rui F Ribeiro
    5 hours ago










  • @RuiFRibeiro what do you mean by pre-authentication? It's used -- I have to provide my email/password
    – nylypej
    1 hour ago














up vote
1
down vote

favorite












Until recently my server with Postfix has worked well. Then I enforced some restrictions to a) combat spam b) disable sending emails to me on behalf on my own name -- I have begun receiving emails from my own email address demanding to send bitcoin to someone.



I want to fix both a and b.



And now I can't send email via my own postfix server.



 Client host rejected: cannot find your reverse hostname, [<my ip here>]


Note that I carry my laptot to different places and countries, and connect to WiFi from those. And I want to be able to send email always.



Here's a part of my config of Postfix. For database of the accounts and domains I use Postgresql.



smtpd_helo_required = yes

smtpd_client_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unknown_reverse_client_hostname,

 reject_unknown_client_hostname,
 reject_unauth_pipelining

smtpd_helo_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_invalid_helo_hostname,

### reject_non_fqdn_helo_hostname,
 reject_unauth_pipelining

smtpd_sender_restrictions =
 permit_mynetworks,
 reject_sender_login_mismatch,
 permit_sasl_authenticated,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 reject_unauth_pipelining

smtpd_relay_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,

 reject_unauth_destination


smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 reject_unauth_pipelining

smtpd_data_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_multi_recipient_bounce,
 reject_unauth_pipelining

# deliver mail for virtual users to Dovecot's LMTP socket
virtual_transport = lmtp:unix:private/dovecot-lmtp

# query to find which domains we accept mail for
virtual_mailbox_domains = pgsql:/etc/postfix/virtual_mailbox_domains.cf

# query to find which email addresses we accept mail for
virtual_mailbox_maps = pgsql:/etc/postfix/virtual_mailbox_maps.cf

# query to find a user's email aliases
virtual_alias_maps = pgsql:/etc/postfix/virtual_alias_maps.cf

virtual_alias_domains = 
alias_database = 
alias_maps = 

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all





linux email postfix







share|improve this question









New contributor




nylypej is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 1




    You won't be able to send email from most places with those restriction unless you configure pre-authentication to send emails or create a VPN.
    – Rui F Ribeiro
    5 hours ago










  • @RuiFRibeiro what do you mean by pre-authentication? It's used -- I have to provide my email/password
    – nylypej
    1 hour ago












up vote
1
down vote

favorite









up vote
1
down vote

favorite











Until recently my server with Postfix has worked well. Then I enforced some restrictions to a) combat spam b) disable sending emails to me on behalf on my own name -- I have begun receiving emails from my own email address demanding to send bitcoin to someone.



I want to fix both a and b.



And now I can't send email via my own postfix server.



 Client host rejected: cannot find your reverse hostname, [<my ip here>]


Note that I carry my laptot to different places and countries, and connect to WiFi from those. And I want to be able to send email always.



Here's a part of my config of Postfix. For database of the accounts and domains I use Postgresql.



smtpd_helo_required = yes

smtpd_client_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unknown_reverse_client_hostname,

 reject_unknown_client_hostname,
 reject_unauth_pipelining

smtpd_helo_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_invalid_helo_hostname,

### reject_non_fqdn_helo_hostname,
 reject_unauth_pipelining

smtpd_sender_restrictions =
 permit_mynetworks,
 reject_sender_login_mismatch,
 permit_sasl_authenticated,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 reject_unauth_pipelining

smtpd_relay_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,

 reject_unauth_destination


smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 reject_unauth_pipelining

smtpd_data_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_multi_recipient_bounce,
 reject_unauth_pipelining

# deliver mail for virtual users to Dovecot's LMTP socket
virtual_transport = lmtp:unix:private/dovecot-lmtp

# query to find which domains we accept mail for
virtual_mailbox_domains = pgsql:/etc/postfix/virtual_mailbox_domains.cf

# query to find which email addresses we accept mail for
virtual_mailbox_maps = pgsql:/etc/postfix/virtual_mailbox_maps.cf

# query to find a user's email aliases
virtual_alias_maps = pgsql:/etc/postfix/virtual_alias_maps.cf

virtual_alias_domains = 
alias_database = 
alias_maps = 

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all





linux email postfix







share|improve this question









New contributor




nylypej is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











Until recently my server with Postfix has worked well. Then I enforced some restrictions to a) combat spam b) disable sending emails to me on behalf on my own name -- I have begun receiving emails from my own email address demanding to send bitcoin to someone.



I want to fix both a and b.



And now I can't send email via my own postfix server.



 Client host rejected: cannot find your reverse hostname, [<my ip here>]


Note that I carry my laptot to different places and countries, and connect to WiFi from those. And I want to be able to send email always.



Here's a part of my config of Postfix. For database of the accounts and domains I use Postgresql.



smtpd_helo_required = yes

smtpd_client_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unknown_reverse_client_hostname,

 reject_unknown_client_hostname,
 reject_unauth_pipelining

smtpd_helo_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_invalid_helo_hostname,

### reject_non_fqdn_helo_hostname,
 reject_unauth_pipelining

smtpd_sender_restrictions =
 permit_mynetworks,
 reject_sender_login_mismatch,
 permit_sasl_authenticated,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 reject_unauth_pipelining

smtpd_relay_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,

 reject_unauth_destination


smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 reject_unauth_pipelining

smtpd_data_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_multi_recipient_bounce,
 reject_unauth_pipelining

# deliver mail for virtual users to Dovecot's LMTP socket
virtual_transport = lmtp:unix:private/dovecot-lmtp

# query to find which domains we accept mail for
virtual_mailbox_domains = pgsql:/etc/postfix/virtual_mailbox_domains.cf

# query to find which email addresses we accept mail for
virtual_mailbox_maps = pgsql:/etc/postfix/virtual_mailbox_maps.cf

# query to find a user's email aliases
virtual_alias_maps = pgsql:/etc/postfix/virtual_alias_maps.cf

virtual_alias_domains = 
alias_database = 
alias_maps = 

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all





linux email postfix




linux email postfix






share|improve this question









New contributor




nylypej is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




nylypej is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 1 hour ago





















New contributor




nylypej is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 6 hours ago









nylypej

92




92




New contributor




nylypej is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





nylypej is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






nylypej is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







  • 1




    You won't be able to send email from most places with those restriction unless you configure pre-authentication to send emails or create a VPN.
    – Rui F Ribeiro
    5 hours ago










  • @RuiFRibeiro what do you mean by pre-authentication? It's used -- I have to provide my email/password
    – nylypej
    1 hour ago












  • 1




    You won't be able to send email from most places with those restriction unless you configure pre-authentication to send emails or create a VPN.
    – Rui F Ribeiro
    5 hours ago










  • @RuiFRibeiro what do you mean by pre-authentication? It's used -- I have to provide my email/password
    – nylypej
    1 hour ago







1




1




You won't be able to send email from most places with those restriction unless you configure pre-authentication to send emails or create a VPN.
– Rui F Ribeiro
5 hours ago




You won't be able to send email from most places with those restriction unless you configure pre-authentication to send emails or create a VPN.
– Rui F Ribeiro
5 hours ago












@RuiFRibeiro what do you mean by pre-authentication? It's used -- I have to provide my email/password
– nylypej
1 hour ago




@RuiFRibeiro what do you mean by pre-authentication? It's used -- I have to provide my email/password
– nylypej
1 hour ago










2 Answers
2






active

oldest

votes

















up vote
2
down vote













Use different restriction for the submission interface (MSA - mail submission agent) on port 587, for example (excerpt of master.cf):



submission inet n - - - - smtpd
 -o smtpd_enforce_tls=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


It forces STARTTLS and enables sending only after authentication, this is the easiest way. You can also use a VPN or similar as proposed in the comments and whitelist your IP/ranges with this method.



Using different ports for MSA (port 587) and MTA (Mail Transport Agent, ports 25, 465) is recommended as you will need different settings for both of them.



This is a minimal example, extend it to your needs.






share|improve this answer




















  • It forces STARTTLS and enables sending only after authentication, -- I'm required to provide login and password now, how is this not authentication?
    – nylypej
    59 mins ago


















up vote
2
down vote













I've been running my own mail servers for a long time. In my experience, 99% of spam can be rejected via SPF, DKIM checking along with RBL checking.



Here's a portion of my "standard" client restrictions:



smtpd_client_restrictions = permit_mynetworks 
 permit_sasl_authenticated
 check_helo_access hash:/etc/postfix/helo_access
 check_client_access hash:/etc/postfix/client_checks 
 reject_unauth_destination
 check_policy_service unix:private/policy-spf
 reject_rbl_client cbl.abuseat.org
 reject_rbl_client pbl.spamhaus.org
 reject_rbl_client sbl.spamhaus.org
 reject_rbl_client bl.blocklist.de
 reject_unknown_client


It's common for spammers to attempt to spoof a HELO by sending your domain's name or IP address, or localhost. These spoof attempts can be rejected immediately using the check_helo_access option as shown above. The HELO text database consists of a domain name or IP address or IP address range followed by the action and a message to send back.



A fairly simple HELO check follows:



# helo access
# check_helo_access hash:/etc/postfix/helo_access

localhost REJECT Only I am me
127.0.0.1 REJECT Only I am me
example.com REJECT Only I am me
dns.host.ip.addr REJECT Only I am me


"example.com" is your domain, and "dns.host.ip.addr" is your server's DNS listed IP address.



This database example results in something like this from one my actual server logs:



Oct 30 06:32:49 <domain> postfix/smtpd[22915]: NOQUEUE: reject: RCPT from xxx-161-xxx-132.dynamic-ip.xxxx.net[xxx.161.xxx.132]: 554 5.7.1 <xxx.xxx.xxx.xxx>: Helo command rejected: Only I am me; from=<dlh@xxx.xxx.cq.cnt> to=<gogo@xxxx.com.tw> proto=SMTP helo=<xxx.xxx.xxx.xxx>


The potential spammer/spoofer gets the message "Only I am me". It doesn't matter what the message is, but at least the spammer/spoofer knows you know.



And individual client checking goes something like this:



ip.addr.hack.attmpt REJECT
misconfig.server.but.good ACCEPT


And that's about it. I get about 3 spam mails a month, with hundreds of spam rejected.






share|improve this answer






















  • what's example.com REJECT Only I am me? what's dns.host.ip.addr REJECT Only I am me?
    – nylypej
    1 hour ago










  • have you taken into account that I travel with my laptop and connect to wifi and send email from different places and countries?
    – nylypej
    1 hour ago










  • @nylypej ... The laptop to email server connection is handled by Dovecot... not postfix... I can adjust my answer for a fairly complete configuration... however, I highly recommend installing LetsEncrypt and obtaining a DV TLS certificate that covers your mail server's IMAP and or POP3 connection.
    – RubberStamp
    58 mins ago










Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






nylypej is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f479630%2fi-cant-send-email-via-my-own-postfix-anymore-due-to-enforced-restrictions-that%23new-answer', 'question_page');

);

Post as a guest

















2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
2
down vote













Use different restriction for the submission interface (MSA - mail submission agent) on port 587, for example (excerpt of master.cf):



submission inet n - - - - smtpd
 -o smtpd_enforce_tls=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


It forces STARTTLS and enables sending only after authentication, this is the easiest way. You can also use a VPN or similar as proposed in the comments and whitelist your IP/ranges with this method.



Using different ports for MSA (port 587) and MTA (Mail Transport Agent, ports 25, 465) is recommended as you will need different settings for both of them.



This is a minimal example, extend it to your needs.






share|improve this answer




















  • It forces STARTTLS and enables sending only after authentication, -- I'm required to provide login and password now, how is this not authentication?
    – nylypej
    59 mins ago















up vote
2
down vote













Use different restriction for the submission interface (MSA - mail submission agent) on port 587, for example (excerpt of master.cf):



submission inet n - - - - smtpd
 -o smtpd_enforce_tls=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


It forces STARTTLS and enables sending only after authentication, this is the easiest way. You can also use a VPN or similar as proposed in the comments and whitelist your IP/ranges with this method.



Using different ports for MSA (port 587) and MTA (Mail Transport Agent, ports 25, 465) is recommended as you will need different settings for both of them.



This is a minimal example, extend it to your needs.






share|improve this answer




















  • It forces STARTTLS and enables sending only after authentication, -- I'm required to provide login and password now, how is this not authentication?
    – nylypej
    59 mins ago













up vote
2
down vote










up vote
2
down vote









Use different restriction for the submission interface (MSA - mail submission agent) on port 587, for example (excerpt of master.cf):



submission inet n - - - - smtpd
 -o smtpd_enforce_tls=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


It forces STARTTLS and enables sending only after authentication, this is the easiest way. You can also use a VPN or similar as proposed in the comments and whitelist your IP/ranges with this method.



Using different ports for MSA (port 587) and MTA (Mail Transport Agent, ports 25, 465) is recommended as you will need different settings for both of them.



This is a minimal example, extend it to your needs.






share|improve this answer












Use different restriction for the submission interface (MSA - mail submission agent) on port 587, for example (excerpt of master.cf):



submission inet n - - - - smtpd
 -o smtpd_enforce_tls=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject


It forces STARTTLS and enables sending only after authentication, this is the easiest way. You can also use a VPN or similar as proposed in the comments and whitelist your IP/ranges with this method.



Using different ports for MSA (port 587) and MTA (Mail Transport Agent, ports 25, 465) is recommended as you will need different settings for both of them.



This is a minimal example, extend it to your needs.







share|improve this answer












share|improve this answer



share|improve this answer










answered 3 hours ago









sebix

190212




190212











  • It forces STARTTLS and enables sending only after authentication, -- I'm required to provide login and password now, how is this not authentication?
    – nylypej
    59 mins ago

















  • It forces STARTTLS and enables sending only after authentication, -- I'm required to provide login and password now, how is this not authentication?
    – nylypej
    59 mins ago
















It forces STARTTLS and enables sending only after authentication, -- I'm required to provide login and password now, how is this not authentication?
– nylypej
59 mins ago





It forces STARTTLS and enables sending only after authentication, -- I'm required to provide login and password now, how is this not authentication?
– nylypej
59 mins ago













up vote
2
down vote













I've been running my own mail servers for a long time. In my experience, 99% of spam can be rejected via SPF, DKIM checking along with RBL checking.



Here's a portion of my "standard" client restrictions:



smtpd_client_restrictions = permit_mynetworks 
 permit_sasl_authenticated
 check_helo_access hash:/etc/postfix/helo_access
 check_client_access hash:/etc/postfix/client_checks 
 reject_unauth_destination
 check_policy_service unix:private/policy-spf
 reject_rbl_client cbl.abuseat.org
 reject_rbl_client pbl.spamhaus.org
 reject_rbl_client sbl.spamhaus.org
 reject_rbl_client bl.blocklist.de
 reject_unknown_client


It's common for spammers to attempt to spoof a HELO by sending your domain's name or IP address, or localhost. These spoof attempts can be rejected immediately using the check_helo_access option as shown above. The HELO text database consists of a domain name or IP address or IP address range followed by the action and a message to send back.



A fairly simple HELO check follows:



# helo access
# check_helo_access hash:/etc/postfix/helo_access

localhost REJECT Only I am me
127.0.0.1 REJECT Only I am me
example.com REJECT Only I am me
dns.host.ip.addr REJECT Only I am me


"example.com" is your domain, and "dns.host.ip.addr" is your server's DNS listed IP address.



This database example results in something like this from one my actual server logs:



Oct 30 06:32:49 <domain> postfix/smtpd[22915]: NOQUEUE: reject: RCPT from xxx-161-xxx-132.dynamic-ip.xxxx.net[xxx.161.xxx.132]: 554 5.7.1 <xxx.xxx.xxx.xxx>: Helo command rejected: Only I am me; from=<dlh@xxx.xxx.cq.cnt> to=<gogo@xxxx.com.tw> proto=SMTP helo=<xxx.xxx.xxx.xxx>


The potential spammer/spoofer gets the message "Only I am me". It doesn't matter what the message is, but at least the spammer/spoofer knows you know.



And individual client checking goes something like this:



ip.addr.hack.attmpt REJECT
misconfig.server.but.good ACCEPT


And that's about it. I get about 3 spam mails a month, with hundreds of spam rejected.






share|improve this answer






















  • what's example.com REJECT Only I am me? what's dns.host.ip.addr REJECT Only I am me?
    – nylypej
    1 hour ago










  • have you taken into account that I travel with my laptop and connect to wifi and send email from different places and countries?
    – nylypej
    1 hour ago










  • @nylypej ... The laptop to email server connection is handled by Dovecot... not postfix... I can adjust my answer for a fairly complete configuration... however, I highly recommend installing LetsEncrypt and obtaining a DV TLS certificate that covers your mail server's IMAP and or POP3 connection.
    – RubberStamp
    58 mins ago














up vote
2
down vote













I've been running my own mail servers for a long time. In my experience, 99% of spam can be rejected via SPF, DKIM checking along with RBL checking.



Here's a portion of my "standard" client restrictions:



smtpd_client_restrictions = permit_mynetworks 
 permit_sasl_authenticated
 check_helo_access hash:/etc/postfix/helo_access
 check_client_access hash:/etc/postfix/client_checks 
 reject_unauth_destination
 check_policy_service unix:private/policy-spf
 reject_rbl_client cbl.abuseat.org
 reject_rbl_client pbl.spamhaus.org
 reject_rbl_client sbl.spamhaus.org
 reject_rbl_client bl.blocklist.de
 reject_unknown_client


It's common for spammers to attempt to spoof a HELO by sending your domain's name or IP address, or localhost. These spoof attempts can be rejected immediately using the check_helo_access option as shown above. The HELO text database consists of a domain name or IP address or IP address range followed by the action and a message to send back.



A fairly simple HELO check follows:



# helo access
# check_helo_access hash:/etc/postfix/helo_access

localhost REJECT Only I am me
127.0.0.1 REJECT Only I am me
example.com REJECT Only I am me
dns.host.ip.addr REJECT Only I am me


"example.com" is your domain, and "dns.host.ip.addr" is your server's DNS listed IP address.



This database example results in something like this from one my actual server logs:



Oct 30 06:32:49 <domain> postfix/smtpd[22915]: NOQUEUE: reject: RCPT from xxx-161-xxx-132.dynamic-ip.xxxx.net[xxx.161.xxx.132]: 554 5.7.1 <xxx.xxx.xxx.xxx>: Helo command rejected: Only I am me; from=<dlh@xxx.xxx.cq.cnt> to=<gogo@xxxx.com.tw> proto=SMTP helo=<xxx.xxx.xxx.xxx>


The potential spammer/spoofer gets the message "Only I am me". It doesn't matter what the message is, but at least the spammer/spoofer knows you know.



And individual client checking goes something like this:



ip.addr.hack.attmpt REJECT
misconfig.server.but.good ACCEPT


And that's about it. I get about 3 spam mails a month, with hundreds of spam rejected.






share|improve this answer






















  • what's example.com REJECT Only I am me? what's dns.host.ip.addr REJECT Only I am me?
    – nylypej
    1 hour ago










  • have you taken into account that I travel with my laptop and connect to wifi and send email from different places and countries?
    – nylypej
    1 hour ago










  • @nylypej ... The laptop to email server connection is handled by Dovecot... not postfix... I can adjust my answer for a fairly complete configuration... however, I highly recommend installing LetsEncrypt and obtaining a DV TLS certificate that covers your mail server's IMAP and or POP3 connection.
    – RubberStamp
    58 mins ago












up vote
2
down vote










up vote
2
down vote









I've been running my own mail servers for a long time. In my experience, 99% of spam can be rejected via SPF, DKIM checking along with RBL checking.



Here's a portion of my "standard" client restrictions:



smtpd_client_restrictions = permit_mynetworks 
 permit_sasl_authenticated
 check_helo_access hash:/etc/postfix/helo_access
 check_client_access hash:/etc/postfix/client_checks 
 reject_unauth_destination
 check_policy_service unix:private/policy-spf
 reject_rbl_client cbl.abuseat.org
 reject_rbl_client pbl.spamhaus.org
 reject_rbl_client sbl.spamhaus.org
 reject_rbl_client bl.blocklist.de
 reject_unknown_client


It's common for spammers to attempt to spoof a HELO by sending your domain's name or IP address, or localhost. These spoof attempts can be rejected immediately using the check_helo_access option as shown above. The HELO text database consists of a domain name or IP address or IP address range followed by the action and a message to send back.



A fairly simple HELO check follows:



# helo access
# check_helo_access hash:/etc/postfix/helo_access

localhost REJECT Only I am me
127.0.0.1 REJECT Only I am me
example.com REJECT Only I am me
dns.host.ip.addr REJECT Only I am me


"example.com" is your domain, and "dns.host.ip.addr" is your server's DNS listed IP address.



This database example results in something like this from one my actual server logs:



Oct 30 06:32:49 <domain> postfix/smtpd[22915]: NOQUEUE: reject: RCPT from xxx-161-xxx-132.dynamic-ip.xxxx.net[xxx.161.xxx.132]: 554 5.7.1 <xxx.xxx.xxx.xxx>: Helo command rejected: Only I am me; from=<dlh@xxx.xxx.cq.cnt> to=<gogo@xxxx.com.tw> proto=SMTP helo=<xxx.xxx.xxx.xxx>


The potential spammer/spoofer gets the message "Only I am me". It doesn't matter what the message is, but at least the spammer/spoofer knows you know.



And individual client checking goes something like this:



ip.addr.hack.attmpt REJECT
misconfig.server.but.good ACCEPT


And that's about it. I get about 3 spam mails a month, with hundreds of spam rejected.






share|improve this answer














I've been running my own mail servers for a long time. In my experience, 99% of spam can be rejected via SPF, DKIM checking along with RBL checking.



Here's a portion of my "standard" client restrictions:



smtpd_client_restrictions = permit_mynetworks 
 permit_sasl_authenticated
 check_helo_access hash:/etc/postfix/helo_access
 check_client_access hash:/etc/postfix/client_checks 
 reject_unauth_destination
 check_policy_service unix:private/policy-spf
 reject_rbl_client cbl.abuseat.org
 reject_rbl_client pbl.spamhaus.org
 reject_rbl_client sbl.spamhaus.org
 reject_rbl_client bl.blocklist.de
 reject_unknown_client


It's common for spammers to attempt to spoof a HELO by sending your domain's name or IP address, or localhost. These spoof attempts can be rejected immediately using the check_helo_access option as shown above. The HELO text database consists of a domain name or IP address or IP address range followed by the action and a message to send back.



A fairly simple HELO check follows:



# helo access
# check_helo_access hash:/etc/postfix/helo_access

localhost REJECT Only I am me
127.0.0.1 REJECT Only I am me
example.com REJECT Only I am me
dns.host.ip.addr REJECT Only I am me


"example.com" is your domain, and "dns.host.ip.addr" is your server's DNS listed IP address.



This database example results in something like this from one my actual server logs:



Oct 30 06:32:49 <domain> postfix/smtpd[22915]: NOQUEUE: reject: RCPT from xxx-161-xxx-132.dynamic-ip.xxxx.net[xxx.161.xxx.132]: 554 5.7.1 <xxx.xxx.xxx.xxx>: Helo command rejected: Only I am me; from=<dlh@xxx.xxx.cq.cnt> to=<gogo@xxxx.com.tw> proto=SMTP helo=<xxx.xxx.xxx.xxx>


The potential spammer/spoofer gets the message "Only I am me". It doesn't matter what the message is, but at least the spammer/spoofer knows you know.



And individual client checking goes something like this:



ip.addr.hack.attmpt REJECT
misconfig.server.but.good ACCEPT


And that's about it. I get about 3 spam mails a month, with hundreds of spam rejected.







share|improve this answer














share|improve this answer



share|improve this answer








edited 1 hour ago

























answered 5 hours ago









RubberStamp

1,5601417




1,5601417











  • what's example.com REJECT Only I am me? what's dns.host.ip.addr REJECT Only I am me?
    – nylypej
    1 hour ago










  • have you taken into account that I travel with my laptop and connect to wifi and send email from different places and countries?
    – nylypej
    1 hour ago










  • @nylypej ... The laptop to email server connection is handled by Dovecot... not postfix... I can adjust my answer for a fairly complete configuration... however, I highly recommend installing LetsEncrypt and obtaining a DV TLS certificate that covers your mail server's IMAP and or POP3 connection.
    – RubberStamp
    58 mins ago
















  • what's example.com REJECT Only I am me? what's dns.host.ip.addr REJECT Only I am me?
    – nylypej
    1 hour ago










  • have you taken into account that I travel with my laptop and connect to wifi and send email from different places and countries?
    – nylypej
    1 hour ago










  • @nylypej ... The laptop to email server connection is handled by Dovecot... not postfix... I can adjust my answer for a fairly complete configuration... however, I highly recommend installing LetsEncrypt and obtaining a DV TLS certificate that covers your mail server's IMAP and or POP3 connection.
    – RubberStamp
    58 mins ago















what's example.com REJECT Only I am me? what's dns.host.ip.addr REJECT Only I am me?
– nylypej
1 hour ago




what's example.com REJECT Only I am me? what's dns.host.ip.addr REJECT Only I am me?
– nylypej
1 hour ago












have you taken into account that I travel with my laptop and connect to wifi and send email from different places and countries?
– nylypej
1 hour ago




have you taken into account that I travel with my laptop and connect to wifi and send email from different places and countries?
– nylypej
1 hour ago












@nylypej ... The laptop to email server connection is handled by Dovecot... not postfix... I can adjust my answer for a fairly complete configuration... however, I highly recommend installing LetsEncrypt and obtaining a DV TLS certificate that covers your mail server's IMAP and or POP3 connection.
– RubberStamp
58 mins ago




@nylypej ... The laptop to email server connection is handled by Dovecot... not postfix... I can adjust my answer for a fairly complete configuration... however, I highly recommend installing LetsEncrypt and obtaining a DV TLS certificate that covers your mail server's IMAP and or POP3 connection.
– RubberStamp
58 mins ago










nylypej is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















nylypej is a new contributor. Be nice, and check out our Code of Conduct.












nylypej is a new contributor. Be nice, and check out our Code of Conduct.











nylypej is a new contributor. Be nice, and check out our Code of Conduct.













 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f479630%2fi-cant-send-email-via-my-own-postfix-anymore-due-to-enforced-restrictions-that%23new-answer', 'question_page');

);

Post as a guest
































































Comments

Post a Comment

Popular posts from this blog

Long meetings (6-7 hours a day): Being “babysat” by supervisor

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
Read more

Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

Image
Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
Read more

Confectionery

Image
Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
Read more