postfix / submission / smtpd_client_restrictions / sleep
After tweaking my postfix configuration, I apparently broke submission on port 587. Every time I connected, I immediately got:
554 5.7.1 <my.host.name[1.2.3.4]>: Client host rejected: Access denied
That’s strange. Postfix is supposed to reject unauthenticated clients only. In master.cf:
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
But if it rejects me at connect time, I don’t have a chance to identify myself.
The cause of the problem turned out to be this:
smtpd_delay_reject = no
To combat spam, I use the sleep restriction in smtpd_client_restrictions. Many bots give up within a short amount of time after connecting — or they write commands without waiting for feedback (pipelining) — so waiting a bit helps a lot. From the postconf(5) documentation:
smtpd_client_restrictions
...
sleep seconds
Pause for the specified number of seconds and proceed with the next restriction in the list, if any. This may stop zombie mail when used as:
/etc/postfix/main.cf:
smtpd_client_restrictions =
sleep 1, reject_unauth_pipelining
smtpd_delay_reject = no
(Some people will call this waiting bad. However, no MTA has trouble with a little wait, and this is FAR better than graylisting which ensures that the recipient has to wait entire hours, instead of just seconds, for their mail.)
The smtpd_delay_reject = no causes the sleep to actually get executed at connect time. Without it, Postfix postpones the client restrictions until RCPT TO, so we’re already half-way through the mail transaction before any sleep occurs.
For submission on port 587, I used the authenticated-clients-only configuration that the documentation suggests:
smtpd_sasl_auth_enable (default: no)
...
To reject all SMTP connections from unauthenticated clients, specify "smtpd_delay_reject = yes" (which is the default) and use:
smtpd_client_restrictions = permit_sasl_authenticated, reject
You’ll notice the conflicting options: the documentation assumes smtpd_delay_reject = yes, but I had set it to no, so permit_sasl_authenticated was evaluated at connect time, before the client could send AUTH.
The fix: replace smtpd_client_restrictions with smtpd_recipient_restrictions in the submission entry. Recipient restrictions are always evaluated at RCPT TO, regardless of smtpd_delay_reject, so the same is-authenticated check is still performed, but only after we’ve had a chance to identify ourselves.
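As an added illustration (my own example, not part of the original post), here is a small Python lint that parses constructed main.cf and master.cf fragments and flags exactly this conflict: a service whose smtpd_client_restrictions contains permit_sasl_authenticated while its effective smtpd_delay_reject is no. The file contents and service names are made up to mirror the setup described above.

```python
# Constructed fragments mirroring the broken setup: sleep at connect time via
# smtpd_delay_reject=no, and submission overriding smtpd_client_restrictions.
MAIN_CF = """\
smtpd_delay_reject = no
smtpd_client_restrictions =
    sleep 1, reject_unauth_pipelining
"""
BROKEN_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
# Same stanza with the fix applied: the SASL check moved to the recipient stage.
FIXED_MASTER_CF = BROKEN_MASTER_CF.replace("smtpd_client_restrictions",
                                           "smtpd_recipient_restrictions")

def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:
            params[key] = (params[key] + " " + raw.strip()).strip()
        elif "=" in raw:
            key, val = (s.strip() for s in raw.split("=", 1))
            params[key] = val
    return params

def parse_master_cf(text):
    """Return {service: {option: value}} built from each entry's -o lines."""
    services, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():          # new service entry
            name = raw.split()[0]
            services[name] = {}
        elif name and raw.strip().startswith("-o "):
            key, val = raw.strip()[3:].split("=", 1)
            services[name][key.strip()] = val.strip()
    return services

def sasl_checked_before_auth(main_cf, master_cf):
    """Services whose client restrictions demand SASL auth while the effective
    smtpd_delay_reject=no makes those restrictions run at connect time."""
    main, bad = parse_main_cf(main_cf), []
    for svc, opts in parse_master_cf(master_cf).items():
        # a per-service -o override wins over the main.cf value (default: yes)
        delay = opts.get("smtpd_delay_reject", main.get("smtpd_delay_reject", "yes"))
        client = opts.get("smtpd_client_restrictions", main.get("smtpd_client_restrictions", ""))
        if delay.lower() == "no" and "permit_sasl_authenticated" in client:
            bad.append(svc)
    return bad
```

Running it against the broken fragments reports the submission service; the fixed master.cf reports nothing.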