postfix / submission / smtpd_client_restrictions / sleep

postfix / submission / smtpd_client_restrictions / sleep

  • Written by
    Walter Doekes
  • Published on

After tweaking my postfix configuration, I apparently broke submission on port 587. Every time I connected, I immediately got:

554 5.7.1 <[]>: Client host rejected: Access denied

That’s strange. Postfix is supposed to reject unauthenticated clients only in

submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

But if it rejects me at connect time, I don’t have a chance to identify myself.

The cause of the problem turned out to be this: smtpd_delay_reject = no

To combat spam, I use the sleep parameter. Many bots give up within a short amount of time after connecting — or they write commands without waiting for feedback (pipelining) — so waiting a bit helps a lot.

       sleep seconds
              Pause for the specified number of seconds and proceed with the next restriction in the list, if any. This may stop zombie mail when used as:
                  smtpd_client_restrictions =
                      sleep 1, reject_unauth_pipelining
                  smtpd_delay_reject = no

(Some people will call this waiting bad. However, no MTA has trouble with a little wait, and this is FAR better than graylisting which ensures that the recipient has to wait entire hours, instead of just seconds, for their mail.)

The smtpd_delay_reject = no causes the sleep to actually get executed at connect time. If we skip this, we’re already half-way through the mail-sending before any sleep occurs.

For submission/587, I used the default authenticated clients only config:

smtpd_sasl_auth_enable (default: no)
       To reject all SMTP connections from unauthenticated clients, specify "smtpd_delay_reject = yes" (which is the default) and use:

           smtpd_client_restrictions = permit_sasl_authenticated, reject

You’ll notice the conflicting options.

The fix: replace smtpd_client_restrictions with smtpd_recipient_restrictions. Now the same is authenticated check is performed, but first after we’ve had a chance to identify ourselves.

Back to overview Newer post: setuid / seteuid / uid / euid Older post: new ipython / old django