I installed and integrated policyd v2 (cluebringer) into my Postfix installation. I use it for rate-limiting SASL-authenticated email senders (quota module) and greylisting unauthenticated incoming mail.
The problem is that I have to put the policy server in front of the smtpd_recipient_restrictions, like this:
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unlisted_recipient
With this configuration the greylisting tracking of cluebringer gets filled with triples for recipients that do not have a corresponding virtual mailbox entry. The mails for these recipients could be rejected before the policy server checks greylisting and/or other things via cluebringer.
Moving reject_unauth_destination to the top will also reject SASL-authenticated users. Putting permit_sasl_authenticated at the top, then reject_unauth_destination, and check_policy_service inet:127.0.0.1:10031 in third position would resolve the greylisting problem, but then it is not possible to set a quota and/or accounting limit for SASL-authenticated users in cluebringer.
Is there a way to optimize this configuration?
Thanks
You could run a separate greylisting policy server for incoming emails on port 25 and reject invalid emails plus greylisting, and run the cluebringer policy server for incoming emails on submission port 587, assuming your users use port 587 to submit emails and not port 25.
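One way to lay that split out in Postfix, as an added example rather than the answerer's own configuration: port 25 rejects unknown and non-local recipients before consulting a greylisting-only policy daemon (for example postgrey; the port 10032 is an assumption), while the submission service on 587 hands every SASL user to cluebringer on 10031 so quota and accounting still apply. The named parameter submission_recipient_restrictions is an assumed name, used because master.cf -o values cannot contain whitespace.

```ini
# main.cf (added example): port 25 handles inbound transport only.
# Unknown or non-local recipients are rejected before the policy lookup,
# so the greylisting database only ever sees deliverable triples.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:10032

# Restriction list for the submission service, referenced from master.cf
# below (assumed parameter name; a named parameter sidesteps the rule that
# master.cf -o values may not contain whitespace).
# cluebringer on 10031 sees every submission, so quota/accounting covers
# SASL users; clients that never authenticate fall through to reject.
submission_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10031,
    permit_sasl_authenticated,
    reject

# master.cf: submission on port 587 with mandatory TLS and SASL,
# overriding the port-25 defaults from main.cf.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
```

reject_unlisted_recipient only helps if local_recipient_maps / virtual_mailbox_maps list every deliverable mailbox, which the question implies is already the case.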
Related
I want to send an email to a mailbox on Gmail's servers. But I cannot understand why Google wants to authenticate me, the sender.
I want to act as the sending mail server. So, using OpenSSL, I open a TCP connection to smtp.gmail.com. OpenSSL takes care of the TLS handshake, and I am ready to send SMTP protocol messages.
openssl s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000005)
.. Lots of TLS or SSL details ...
---
250 SMTPUTF8
I send the HELO message:
HELO smtp.gmail.com
250-smtp.gmail.com at your service
And I try to send a message:
MAIL FROM: <me@nowhere.com>
530-5.7.0 Authentication Required. Learn more at ...
But Gmail's servers respond that I need to be authenticated.
I would understand authenticating with the mail server if I were reading from a mailbox, but I don't get why I need to authenticate to send a message to a mailbox.
I can't find much documentation on the internet regarding this either.
Is there some kind of mechanism where every owner of a mailserver on the planet needs to create a google account just to send emails to a gmail mailbox?
How do the mail servers at Microsoft Outlook send messages to Gmail servers?
What am I missing here?
Modern SMTP splits message submission into a separate transaction, distinct from message transport. You are generally required to authenticate with your local MTA (Gmail's if you are sending from Gmail, Outlook if that's where you are sending from, etc) to submit a message, and then the transport network of SMTP proper takes it from there.
There used to be a time when you were able to submit a message to a remote MTA by something called direct injection, but spammers abused this (along with pretty much every other feature of email) to the point where this model was no longer sustainable.
The modern message submission protocol runs on port 587, and generally requires authentication, and thus can obviously only accept submissions from local users for whom the server has identity and authentication information.
The transport protocol, by contrast, runs on the original port number, 25, which is more or less universally firewalled now for residential IP addresses. (Inside an organization, you might still be able to connect to a local mail server on port 25 and perhaps even submit messages without authenticating.)
In addition, regular mail servers on the modern Internet need to maintain a positive reputation. This helps keep the bad apples somewhat isolated, but raises the bar for newcomers and minor independent operators. See e.g. SenderBase for one such reputation system, though the big operators typically have their own proprietary ones which are not available to outsiders.
I have just installed VestaCP on a fresh CentOS VPS.
I have set up email for one domain. All mail sent to that domain bounces with the error 550 smtp auth requried
I have commented out the following line from exim.conf:
deny message = smtp auth requried
I have turned off anti-spam.
I still get the bounce with this message.
Specifically, if I send an email from a Gmail account, Google responds:
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain foobar.tld by mail.foobar.tld. [x.x.x.x].
The error that the other server returned was:
550 smtp auth requried
Any experience with this? I have seen the problem on a number of threads but have not found a solution.
I partially solved the problem. It only occurred when sending mail to the smtp server from a domain that was hosted on the same server for web but not for email. When I sent email from a domain that had nothing to do with any domains hosted on the same server as the exim instance, then it got through. I still can't send email from the domain that was causing the problem and I would like to, but I can work around it.
So, to be clear, in case anyone reads this:
domain1 web is hosted on server1
domain1 email is hosted on google's servers
domain2 is hosted on server1 for web and email
exim is running on server1
When I send email from Thunderbird via Google's server from email@domain1 to email@domain2, the exim instance asks Google's SMTP server for authentication, even though the mail is being delivered to a mailbox in its list of domains it can deliver to on the same physical server where it is running.
I suspect that it is suspicious of the from address, which it shouldn't be, since the MX records indicate that it does not host mail for that domain.
Why don’t SMTP servers just require all senders to be authenticated before accepting mail?
There are several cases where users of SMTP servers don't have an account with the service provider that they could use for authentication.
For instance an ISP or a mobile phone operator could allow you to use their SMTP server when using their services even if you are receiving the email from a different provider. In this case the user would be authenticated based on their IP address -- if the user connects from an IP within the ISP IP block, access is allowed.
Also, SMTP servers which function as an MX for a domain (i.e. SMTP servers which handle incoming mail for a domain) need to allow incoming mail to users at that domain, without authentication.
I run a mail server on my web server, it has SMTP authentication enabled and I added my server's IP address to the whitelist, so no password is required to send out emails if they come from within the server. I did this to allow my web applications to use the SMTP service.
My question is can a spammer spoof a packet with my own IP address and bypass the SMTP authentication?
Emails sent from my email server often end up in the recipient's spam folder and I'm trying to figure out why. I send no more than 200 emails per month.
It isn't possible to spoof your address unless the attacker is between you and your server (which is very unlikely; he would have to be an ISP or be able to observe and control your internet traffic). This is because after an attacker sends a connection request to your server, the server sends a packet to you that the attacker needs to have to be able to establish a connection: http://en.wikipedia.org/wiki/TCP_handshake#Connection_establishment
Try to look at the headers of a mail that gets into the spam folder and look for something that says that your server's IP is blacklisted or something like that.
I have a problem sending emails. I checked the email sending error logs, and I found this:
RCPT RCPT TO:
503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server.
And this:
Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.msn.com/Anti-spam/. Violations will result in use of equipment located in California and other states.
And the following, which I don't understand:
DATA DATA 354+Start+mail+input;+end+with+.
RCPT RCPT TO: 250 Requested mail action okay, completed
and some others...
This SMTP server requires authentication. Depending on your provider, you either need to specify username/password or, if your host uses POP-before-SMTP auth, you need to check your email first and that action adds you to an authenticated list for some time so you can send replies.
This error means you need to authenticate against your SMTP server before sending out emails.