I can't send email via my own Postfix anymore due to enforced restrictions that I made

Until recently my server with Postfix has worked well. Then I enforced some restrictions to a) combat spam and b) disable sending emails to me on behalf of my own name -- I have begun receiving emails from my own email address demanding that I send bitcoin to someone.

I want to fix both a and b.

And now I can't send email via my own Postfix server:

 Client host rejected: cannot find your reverse hostname, [<my ip here>]

Note that I carry my laptop to different places and countries, and connect to WiFi from those. And I want to be able to send email always.

Here's a part of my Postfix config. For the database of accounts and domains I use PostgreSQL.



smtpd_helo_required = yes

smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname,
    reject_unauth_pipelining

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    ### reject_non_fqdn_helo_hostname,
    reject_unauth_pipelining

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_pipelining

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining

smtpd_data_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_multi_recipient_bounce,
    reject_unauth_pipelining

# deliver mail for virtual users to Dovecot's LMTP socket
virtual_transport = lmtp:unix:private/dovecot-lmtp

# query to find which domains we accept mail for
virtual_mailbox_domains = pgsql:/etc/postfix/virtual_mailbox_domains.cf

# query to find which email addresses we accept mail for
virtual_mailbox_maps = pgsql:/etc/postfix/virtual_mailbox_maps.cf

# query to find a user's email aliases
virtual_alias_maps = pgsql:/etc/postfix/virtual_alias_maps.cf

virtual_alias_domains =
alias_database =
alias_maps =

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all

linux email postfix






asked 6 hours ago
nylypej




  • You won't be able to send email from most places with those restrictions unless you configure pre-authentication to send emails or create a VPN.
    – Rui F Ribeiro
    5 hours ago

  • @RuiFRibeiro what do you mean by pre-authentication? It's used -- I have to provide my email/password
    – nylypej
    1 hour ago

2 Answers

Use different restrictions for the submission interface (MSA, mail submission agent) on port 587, for example (excerpt of master.cf):

submission inet n - - - - smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

It forces STARTTLS and enables sending only after authentication; this is the easiest way. You can also use a VPN or similar as proposed in the comments and whitelist your IP/ranges with this method.

Using different ports for MSA (port 587) and MTA (Mail Transport Agent, ports 25, 465) is recommended, as you will need different settings for both of them.

This is a minimal example; extend it to your needs.

answered 3 hours ago
sebix
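To make the ordering concrete, here is an added example (my own code, not from the answer or from Postfix) that simulates how Postfix walks a restriction list from left to right: the first permit_* or reject_* that matches decides, everything else falls through to the next entry. It runs the question's smtpd_client_restrictions and the answer's submission override against a constructed laptop with no PTR record, once before and once after AUTH succeeds; the question's list only yields the quoted "cannot find your reverse hostname" error when it is evaluated before the client has authenticated (for example with smtpd_delay_reject = no).

```python
"""Added example (not from the answer, not Postfix code): a simulation of how
Postfix walks a restriction list left to right, run over the question's
smtpd_client_restrictions and the answer's submission-port override.
All client facts below (IP, PTR, SASL state) are constructed samples."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# The question's mynetworks, minus the IPv4-mapped form that ip_network
# does not accept in bracketed notation
MYNETWORKS = [ip_network(n) for n in ("127.0.0.0/8", "::1/128")]

# Only the restrictions that appear in the two lists being compared are modelled.
QUESTION_CLIENT_RESTRICTIONS = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unknown_reverse_client_hostname",
    "reject_unknown_client_hostname",
    "reject_unauth_pipelining",
]
SUBMISSION_CLIENT_RESTRICTIONS = ["permit_sasl_authenticated", "reject"]


@dataclass(frozen=True)
class Client:
    ip: str
    sasl_authenticated: bool         # has AUTH succeeded when the list is evaluated?
    reverse_hostname: Optional[str]  # None: PTR lookup failed
    forward_confirmed: bool          # reverse name resolves back to ip


def evaluate_restriction(name: str, client: Client) -> Optional[str]:
    """Return 'permit', a 'reject: ...' string, or None (DUNNO: try the next one)."""
    if name == "permit_mynetworks":
        return "permit" if any(ip_address(client.ip) in n for n in MYNETWORKS) else None
    if name == "permit_sasl_authenticated":
        return "permit" if client.sasl_authenticated else None
    if name == "reject_unknown_reverse_client_hostname":
        if client.reverse_hostname is None:
            return f"reject: Client host rejected: cannot find your reverse hostname, [{client.ip}]"
        return None
    if name == "reject_unknown_client_hostname":
        if client.reverse_hostname is None or not client.forward_confirmed:
            return f"reject: Client host rejected: cannot find your hostname, [{client.ip}]"
        return None
    if name == "reject_unauth_pipelining":
        return None  # pipelining misuse is not modelled here; treated as DUNNO
    if name == "reject":
        return "reject: Access denied"
    raise ValueError(f"restriction not modelled: {name}")


def evaluate_list(restrictions, client: Client) -> Tuple[Optional[str], str]:
    """First restriction that returns a verdict wins; an exhausted list permits."""
    for name in restrictions:
        verdict = evaluate_restriction(name, client)
        if verdict is not None:
            return name, verdict
    return None, "permit"


def demo() -> dict:
    # Constructed: laptop on hotel Wi-Fi behind carrier NAT, no PTR record
    laptop_after_auth = Client("100.64.10.20", True, None, False)
    laptop_before_auth = replace(laptop_after_auth, sasl_authenticated=False)
    # Constructed: a third-party MTA with a proper PTR and no credentials
    foreign_mta = Client("198.51.100.7", False, "mx.example.net", True)
    return {
        "question_list/laptop before AUTH": evaluate_list(QUESTION_CLIENT_RESTRICTIONS, laptop_before_auth),
        "question_list/laptop after AUTH": evaluate_list(QUESTION_CLIENT_RESTRICTIONS, laptop_after_auth),
        "submission/laptop before AUTH": evaluate_list(SUBMISSION_CLIENT_RESTRICTIONS, laptop_before_auth),
        "submission/laptop after AUTH": evaluate_list(SUBMISSION_CLIENT_RESTRICTIONS, laptop_after_auth),
        "question_list/foreign MTA": evaluate_list(QUESTION_CLIENT_RESTRICTIONS, foreign_mta),
        "submission/foreign MTA": evaluate_list(SUBMISSION_CLIENT_RESTRICTIONS, foreign_mta),
    }


if __name__ == "__main__":
    for case, (rule, verdict) in demo().items():
        print(f"{case:36} -> {verdict} (decided by {rule})")
```

The foreign MTA passes the question's client list only because that list ends without a reject; on a real server the relay decision then falls to smtpd_relay_restrictions, whereas the submission list refuses it outright.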

  • "It forces STARTTLS and enables sending only after authentication" -- I'm required to provide login and password now, how is this not authentication?
    – nylypej
    59 mins ago

I've been running my own mail servers for a long time. In my experience, 99% of spam can be rejected via SPF and DKIM checking along with RBL checking.

Here's a portion of my "standard" client restrictions:

smtpd_client_restrictions = permit_mynetworks
    permit_sasl_authenticated
    check_helo_access hash:/etc/postfix/helo_access
    check_client_access hash:/etc/postfix/client_checks
    reject_unauth_destination
    check_policy_service unix:private/policy-spf
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client pbl.spamhaus.org
    reject_rbl_client sbl.spamhaus.org
    reject_rbl_client bl.blocklist.de
    reject_unknown_client

It's common for spammers to attempt to spoof a HELO by sending your domain's name or IP address, or localhost. These spoof attempts can be rejected immediately using the check_helo_access option as shown above. The HELO text database consists of a domain name, IP address or IP address range, followed by the action and a message to send back.

A fairly simple HELO check follows:

# helo access
# check_helo_access hash:/etc/postfix/helo_access

localhost REJECT Only I am me
127.0.0.1 REJECT Only I am me
example.com REJECT Only I am me
dns.host.ip.addr REJECT Only I am me

"example.com" is your domain, and "dns.host.ip.addr" is your server's DNS-listed IP address.

This database example results in something like this from one of my actual server logs:

Oct 30 06:32:49 <domain> postfix/smtpd[22915]: NOQUEUE: reject: RCPT from xxx-161-xxx-132.dynamic-ip.xxxx.net[xxx.161.xxx.132]: 554 5.7.1 <xxx.xxx.xxx.xxx>: Helo command rejected: Only I am me; from=<dlh@xxx.xxx.cq.cnt> to=<gogo@xxxx.com.tw> proto=SMTP helo=<xxx.xxx.xxx.xxx>

The potential spammer/spoofer gets the message "Only I am me". It doesn't matter what the message is, but at least the spammer/spoofer knows you know.

And individual client checking goes something like this:

# client checks
# check_client_access hash:/etc/postfix/client_checks
# access(5) actions: OK accepts, REJECT refuses ("ACCEPT" is not an access(5) action)
ip.addr.hack.attmpt REJECT
misconfig.server.but.good OK

And that's about it. I get about 3 spam mails a month, with hundreds of spam rejected.

  • What's "example.com REJECT Only I am me"? What's "dns.host.ip.addr REJECT Only I am me"?
    – nylypej
    1 hour ago

  • Have you taken into account that I travel with my laptop, connect to WiFi and send email from different places and countries?
    – nylypej
    1 hour ago

  • @nylypej ... The laptop to email server connection is handled by Dovecot... not Postfix... I can adjust my answer for a fairly complete configuration... however, I highly recommend installing LetsEncrypt and obtaining a DV TLS certificate that covers your mail server's IMAP and/or POP3 connection.
    – RubberStamp
    58 mins ago

edited 1 hour ago
answered 5 hours ago
RubberStamp
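To make the first-match evaluation of the restriction chain and the access(5) lookup order behind check_helo_access concrete, here is an added Python simulation (not the answerer's code and not Postfix itself). It assumes the lookup order Postfix documents for names (full name, then parent domains) and IPv4 addresses (full address, then shorter dotted prefixes); the table is a constructed copy of the answer's helo_access entries with 203.0.113.10 standing in for dns.host.ip.addr, and the sample clients are constructed.

```python
import ipaddress

# Constructed copy of the answer's helo_access table (hash: key -> action).
HELO_ACCESS = {
    "localhost": "REJECT Only I am me",
    "127.0.0.1": "REJECT Only I am me",
    "example.com": "REJECT Only I am me",
    "203.0.113.10": "REJECT Only I am me",   # stand-in for dns.host.ip.addr
}
# Constructed mynetworks; a real config would list the server's own networks.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]


def access_lookup(table, key):
    """Mimic access(5) lookup order: the full key first, then parent domains
    for names, or shorter prefixes for IPv4 (10.1.2.3 -> 10.1.2 -> 10.1 -> 10).
    Bracketed address literals in HELO are not handled by this toy."""
    try:
        ipaddress.IPv4Address(key)
        parts = key.split(".")
        candidates = [".".join(parts[:n]) for n in range(4, 0, -1)]
    except ValueError:
        labels = key.lower().rstrip(".").split(".")
        candidates = [".".join(labels[i:]) for i in range(len(labels))]
    for cand in candidates:
        if cand in table:
            return table[cand]
    return None


def smtpd_client_restrictions(client_ip, sasl_authenticated, helo):
    """First-match walk through the answer's chain, up to check_helo_access.
    The order matters: an authenticated (roaming) client is permitted before
    the HELO table is ever consulted, so spoof checks never hit your own laptop."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):          # permit_mynetworks
        return "PERMIT"
    if sasl_authenticated:                            # permit_sasl_authenticated
        return "PERMIT"
    action = access_lookup(HELO_ACCESS, helo)         # check_helo_access
    if action and action.startswith("REJECT"):
        # Same shape as the log line in the answer: "Helo command rejected: ..."
        return "554 5.7.1 Helo command rejected: " + action[len("REJECT "):]
    return "DUNNO"  # no decision here; later restrictions (RBLs, etc.) decide
```

Because smtpd_access_maps is in Postfix's default parent_domain_matches_subdomains, the example.com entry also catches a HELO of mail.example.com, which the simulation reproduces.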
  • what's example.com REJECT Only I am me? what's dns.host.ip.addr REJECT Only I am me?
    – nylypej
    1 hour ago
  • have you taken into account that I travel with my laptop and connect to wifi and send email from different places and countries?
    – nylypej
    1 hour ago
  • @nylypej ... The laptop to email server connection is handled by Dovecot... not postfix... I can adjust my answer for a fairly complete configuration... however, I highly recommend installing LetsEncrypt and obtaining a DV TLS certificate that covers your mail server's IMAP and or POP3 connection.
    – RubberStamp
    58 mins ago