Forums

mis fmp
mis fmp
Offline
Resolved
0 votes
I have an issue, need email professional suggestion.

There is a email from gov.
The email is "sys-no-reply@findbiz.nat.gov.tw " but our email server reject to recieve it.
the maillog show:
Jan 11 14:54:14 ms postfix/smtpd[3980]: NOQUEUE: reject: RCPT from 163-29-187-197.HINET-IP.hinet.net[163.29.187.197]: 504 5.5.2 <wa11>: Helo command rejected: need fully-qualified hostname; from=<sys-no-reply@findbiz.nat.gov.tw> to=<laplace@XXX.com.tw> proto=ESMTP helo=<wa11>


the postconf is below:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 6h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = mailprefilter
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = $alias_maps $virtual_alias_maps
luser_relay =
mail_owner = postfix
mailbox_size_limit = 102400000
mailbox_transport = mailpostfilter
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
message_strip_characters = \0
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = XXX.com.tw
myhostname = ms.XXX.com.tw
mynetworks = 127.0.0.0/8, [::1]/128, 172.16.0.0/12
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_delimiter = +
relay_domains = $mydestination
relayhost = [msa.hinet.net]:25
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_helo_access hash:/etc/postfix/helo_access, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_unknown_sender_domain, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_hostname, reject_rhsbl_sender dsn.rfc-ignorant.org, permit permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_invalid_hostname, reject_unknown_sender_domain, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client 2.0.0.127.b.barracudacentral.org, permit permit_mynetworks, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_invalid_hostname, reject_unknown_sender_domain, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client 2.0.0.127.b.barracudacentral.org, permit
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
strict_rfc821_envelopes = yes permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, permit
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/imap-aliases.cf, ldap:/etc/postfix/imap-groups.cf


Am i right, if I put the email domain or host into Helo whitelist?
and Please show how to put the email into Helo whitelist for bypassing the email in to our email server?
Also welcome better solution.

Thanks.
Charlie
Friday, January 11 2019, 07:29 AM
Share this post:

Accepted Answer

Friday, January 11 2019, 10:29 AM - #Permalink
Resolved
0 votes
The minimum basic requirements are how postfix was installed before you made your edits.

My main.cf (from postconf -n) is:
[root@server ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 6h
broken_sasl_auth_clients = yes
clearglassnetwork = 172.19.0.0/16
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = mailprefilter
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = $alias_maps $virtual_alias_maps
luser_relay =
mail_owner = postfix
mailbox_size_limit = 102400000
mailbox_transport = mailpostfilter
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
message_strip_characters = \0
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = howitts.co.uk
myhostname = mailserver.howitts.co.uk
mynetworks = 127.0.0.0/8, [::1]/128, 172.17.2.0/23, $clearglassnetwork
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
recipient_delimiter = +
relayhost = [smtp.ntlworld.com]:25
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks, reject_unknown_reverse_client_hostname
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, check_policy_service unix:/var/spool/postfix/postgrey/socket, reject_unauth_pipelining, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, check_sender_access hash:/etc/postfix/access, permit_sasl_authenticated, reject_non_fqdn_sender, reject_invalid_hostname
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/www.howitts.co.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/www.howitts.co.uk/privkey.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/imap-aliases.cf, ldap:/etc/postfix/imap-groups.cf
But I have a bunch of edits myself and I use the greylisting app, domainkeys/dkim, clearglass and Let's Encrypt certificates. Also I have implemented a bit more than in the More anti-spam and e-mail defence measures HowTo.

Note also the use of smtpd_relay_restrictions is not part of the standard ClearOS set up. It uses reject_unauth_destination in smtpd_sender_restrictions.
The reply is currently minimized Show
Responses (4)
  • Accepted Answer

    Friday, January 11 2019, 08:27 AM - #Permalink
    Resolved
    0 votes
    As a new user, your first couple of posts get moderated, so I've deleted your repeat post.

    The best solution is to contact the sysadmin of the sending server and inform him that is server is misconfigured.

    I see that you have changed a lot of you main.cf as it normally does not have any helo restrictions and much more limited sender restrictions and more recipient restrictions. I trust you understand the changes you've done! Most of the sender restrictions you have I would have expected in recipient restrictions.

    Check /etc/postfix/access for the format of the helo whitelist and remember to do a "postconf /etc/postfix/helo_access" each time you edit it.

    Your smtpd_sender_restrictions are a mess as they duplicate (same goes for your helo restrictions) and be very careful where reject_unauth_destination ends up in the list so you don't set up an inadvertent relay. See this Postfix link. You may do better to add some smtpd_relay_restrictions. I use:
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    Like
    1
    The reply is currently minimized Show
  • Accepted Answer

    mis fmp
    mis fmp
    Offline
    Friday, January 11 2019, 09:37 AM - #Permalink
    Resolved
    0 votes
    Dear Nick,
    Thanks to your quickly response.

    I have add smtpd_relay_restrictions.

    I have comment smtpd_helo_restrictions =..., #smtpd_sender_restrictions = ... and smtpd_recipient_restrictions = ... as you suggestion,
    why they added is for blocking spam mail use my email server to send junk email.

    Can you advice the minimum "restrictions" should or must I config in main.cf

    Thank you very much.
    Charlie
    Like
    1
    The reply is currently minimized Show
  • Accepted Answer

    mis fmp
    mis fmp
    Offline
    Monday, January 14 2019, 12:48 AM - #Permalink
    Resolved
    0 votes
    Dear Nick,

    Thank you for help, but the email notice from government still rejected,
    Jan 14 08:38:18 ms postfix/smtpd[3727]: NOQUEUE: reject: RCPT from 163-29-187-197.HINET-IP.hinet.net[163.29.187.197]: 504 5.5.2 <wa11>: Helo command rejected: need fully-qualified hostname; from=<sys-no-reply@findbiz.nat.gov.tw> to=<yyy@XXX.com.tw> proto=ESMTP helo=<wa11>

    my new postconf -n is below
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    bounce_queue_lifetime = 6h
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = mailprefilter
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
    disable_vrfy_command = no
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = no
    inet_interfaces = all
    inet_protocols = ipv4
    local_recipient_maps = $alias_maps $virtual_alias_maps
    luser_relay =
    mail_owner = postfix
    mailbox_size_limit = 102400000
    mailbox_transport = mailpostfilter
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    message_size_limit = 20480000
    message_strip_characters = \0
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mydomain = fmp.com.tw
    myhostname = ms.fmp.com.tw
    mynetworks = 127.0.0.0/8, [::1]/128, 172.16.0.0/12
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
    recipient_delimiter = +
    relay_domains = $mydestination
    relayhost = [msa.hinet.net]:25
    sample_directory = /usr/share/doc/postfix-2.6.6/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtpd_client_restrictions = sleep 5
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, check_policy_service unix:/var/spool/postfix/postgrey/socket, reject_unauth_pipelining, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $mydomain
    smtpd_sasl_security_options = noanonymous
    smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, check_sender_access hash:/etc/postfix/access, permit_sasl_authenticated, reject_non_fqdn_sender, reject_invalid_hostname
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/cert.pem
    smtpd_tls_key_file = /etc/postfix/key.pem
    smtpd_tls_loglevel = 1
    smtpd_use_tls = yes
    strict_rfc821_envelopes = yes
    transport_maps = hash:/etc/postfix/transport
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/imap-aliases.cf, ldap:/etc/postfix/imap-groups.cf



    Please advice Is there anything I and do. because I can not suggest gov. to fix it.

    Regards,
    Charlie
    The reply is currently minimized Show
  • Accepted Answer

    Monday, January 14 2019, 09:57 AM - #Permalink
    Resolved
    0 votes
    Did you restart postfix/SMTP Server after making you changes? I have a feeling it may fail or give warnings.

    Is your "postconf -n" really correct? It looks like a C&P from mine with a few alterations. From you latest file, I see you've built in restrictions on the "access" file. Have you really done anything with it, populated it with anything then run postmap against it? Also have you installed and activated greylisting because you've built that in as well. If you don't know what you are doing with the restrictions, can I suggest you go back to the default, which is something like:
    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    mail_owner = postfix
    myhostname = server.lan
    mydomain = howitts.co.uk
    myorigin = $mydomain
    inet_interfaces = all
    inet_protocols = ipv4
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    unknown_local_recipient_reject_code = 550
    mynetworks = 127.0.0.0/8, [::1]/128, 172.17.2.0/23
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    header_checks = regexp:/etc/postfix/header_checks
    debug_peer_level = 2
    debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail.postfix
    newaliases_path = /usr/bin/newaliases.postfix
    mailq_path = /usr/bin/mailq.postfix
    setgid_group = postdrop
    html_directory = no
    manpage_directory = /usr/share/man
    bounce_queue_lifetime = 6h
    mailbox_size_limit = 102400000
    message_size_limit = 51200000
    luser_relay =
    recipient_delimiter = +
    message_strip_characters = \0
    broken_sasl_auth_clients = yes
    smtpd_sasl_auth_enable = no
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $mydomain
    smtpd_use_tls = yes
    smtpd_tls_cert_file = /etc/postfix/cert.pem
    smtpd_tls_key_file = /etc/postfix/key.pem
    smtpd_tls_loglevel = 1
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:/var/spool/postfix/postgrey/socket
    mailbox_transport = mailpostfilter
    content_filter = mailprefilter
    transport_maps = hash:/etc/postfix/transport
    virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/imap-aliases.cf, ldap:/etc/postfix/imap-groups.cf
    local_recipient_maps = $alias_maps $virtual_alias_maps
    smtpd_tls_auth_only = no


    You can then build on it using More anti-spam and e-mail defence measures.
    The reply is currently minimized Show
Your Reply