can't send mail via iphone - blocked by zen.spamhaus.org

Question

Level 1

15 points

can't send mail via iphone - blocked by zen.spamhaus.org

can anyone help me figure this one out...

I can send / receive email fine through my server from my desktop machine on a network, but when I try to send email from my iPhone via the 3G network my server blocks me using zen.spamhaus.org

this is the output from a postconf -n

allow untrustedrouting = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug peerlevel = 2
delay warningtime = 6h
disable vrfycommand = yes
enable serveroptions = yes
fast flushdomains = $relay_domains
html_directory = no
inet_interfaces = all
local recipientmaps = proxy:unix:passwd.byname $alias_maps
luser_relay =
mail_owner = postfix
mailbox sizelimit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps rbldomains =
maximal queuelifetime = 5d
message sizelimit = 0
mydestination = $myhostname,localhost.$mydomain,localhost
mydomain = kiwi.newzealand.co.nz
mydomain_fallback = localhost
myhostname = smtp.newzealand.co.nz
mynetworks = 127.0.0.1/32,192.168.1.0/24
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd clientrestrictions = permit saslauthenticated permit_mynetworks reject rblclient zen.spamhaus.org permit
smtpd datarestrictions = permit saslauthenticated, permit_mynetworks, reject unauthpipelining, permit
smtpd delayreject = no
smtpd error_sleeptime = 1s
smtpd hard_errorlimit = 20
smtpd helorequired = yes
smtpd helorestrictions = permit saslauthenticated, permit_mynetworks, check heloaccess hash:/etc/postfix/helo_access, reject non_fqdnhostname, reject invalidhostname, permit
smtpd pw_server_securityoptions = login,plain,cram-md5
smtpd recipientrestrictions = permit saslauthenticated, reject invalidhostname, reject non_fqdnsender, reject non_fqdnrecipient, permit_mynetworks, reject unauthdestination, reject unlistedrecipient, reject rblclient sbl-xbl.spamhaus.org, reject rblclient smtp.dnsbl.sorbs.net, permit
smtpd sasl_authenable = yes
smtpd senderrestrictions = permit saslauthenticated, permit_mynetworks, reject non_fqdnsender, permit
smtpd soft_errorlimit = 10
smtpd tlsCAfile = /etc/certificates/secure.newzealand.co.nz.chcrt
smtpd tls_certfile = /etc/certificates/Default.crt
smtpd tls_keyfile = /etc/certificates/Default.key
smtpd use_pwserver = yes
smtpd usetls = no
unknown local_recipient_rejectcode = 550
virtual aliasdomains = hash:/etc/postfix/virtual_domains
virtual aliasmaps = hash:/etc/postfix/virtual
virtual mailboxdomains = hash:/etc/postfix/virtual domainsdummy
virtual_transport = lmtp:unix:/var/imap/socket/lmtp

Dual G5 Xserve, Mac OS X (10.4.11)

Posted on Oct 22, 2009 9:25 PM

Reply

Answer 1

jaydisc

Level 4

1,464 points

Oct 22, 2009 10:01 PM in response to reganyelcich

The IP address your iphone is trying to send mail from is currently blacklisted. You should turn on "submission" (alternate port of 587) on postfix so when you send via your iPhone to that port, you can have it configured to not check the spamhaus blacklist.

Reply

Answer 2

reganyelcich Author

Level 1

15 points

Oct 23, 2009 6:06 PM in response to jaydisc

hi jaydisc

I'm not exactly sure what needs to be done to turn on submission?

I have enabled 25,587 in my firewall for mail, and in master.cf I have the following line uncommented....

submission inet n - n - - smtpd

Is there anything else I need to do?

Reply

Answer 3

jaydisc

Level 4

1,464 points

Oct 23, 2009 6:57 PM in response to reganyelcich

Uncomment the few lines underneath it as well, so it looks like this:

submission inet n - n - - smtpd
 -o smtpdenforcetls=yes
 -o smtpdsasl_authenable=yes
 -o smtpdclient_restrictions=permit_saslauthenticated,reject

You can optionally leave " -o smtpd enforcetls=yes" commented if you don't want to use SSL but I strongly recommend it.

After doing that, restart postfix and you should be all set. If not, let us see the output of /var/log/mail.log when it fails.

Reply

Answer 4

reganyelcich Author

Level 1

15 points

Oct 23, 2009 10:55 PM in response to jaydisc

hi jaydisc

when the phone tries connecting to the mail server I'm getting this error in the log files...

edit: I'm also now being blocked from sending any mail from my desktop machine as well with an "access denied" message.

Connecting from iPhone...

Oct 24 18:32:58 kiwi postfix/smtpd[25358]: NOQUEUE: reject: CONNECT from unknown[121.90.252.1]: 554 <unknown[121.90.252.1]>: Client host rejected: Access denied; proto=SMTP

Connecting from desktop machine...

Oct 24 18:53:46 kiwi postfix/smtpd[26012]: NOQUEUE: reject: CONNECT from 125-236-237-95.adsl.xtra.co.nz[125.236.237.95]: 554 <125-236-237-95.adsl.xtra.co.nz[125.236.237.95]>: Client host rejected: Access denied; proto=SMTP
Oct 24 18:53:46 kiwi postfix/smtpd[26012]: lost connection after CONNECT from 125-236-237-95.adsl.xtra.co.nz[125.236.237.95]
Oct 24 18:53:46 kiwi postfix/smtpd[26012]: disconnect from 125-236-237-95.adsl.xtra.co.nz[125.236.237.95]

Message was edited by: regan y

Reply

Answer 5

jaydisc

Level 4

1,464 points

Oct 23, 2009 10:53 PM in response to reganyelcich

Have you enabled authentication on the iPhone?

Reply

Answer 6

reganyelcich Author

Level 1

15 points

Oct 23, 2009 10:58 PM in response to jaydisc

yip,

Settings > Mail, Contacts, Calendars > Mail Account > Outgoing Mail Server > Primary Server

Authentication: Password
Server Port: 587

I commented out the SSL setting to make sure it wasn't that but still got the same errors.

Reply

Answer 7

jaydisc

Level 4

1,464 points

Oct 23, 2009 11:25 PM in response to reganyelcich

OK, I think because you're specifying that blacklist in both smtpdclientrestrictions as well as smtpdrecipientrestrictions, we need to add an override for both. In master, with the other submission directives, add:

-o smtpd recipient_restrictions=permit_saslauthenticated,reject

Reply

Answer 8

reganyelcich Author

Level 1

15 points

Oct 24, 2009 12:20 AM in response to jaydisc

hmmmm, nope, still getting the same errors from both phone and desktop.

iphone

Oct 24 20:18:28 kiwi postfix/smtpd[27553]: NOQUEUE: reject: CONNECT from unknown[121.90.193.198]: 554 <unknown[121.90.193.198]>: Client host rejected: Access denied; proto=SMTP

desktop:

Oct 24 20:17:14 kiwi postfix/smtpd[27553]: NOQUEUE: reject: CONNECT from 125-236-237-95.adsl.xtra.co.nz[125.236.237.95]: 554 <125-236-237-95.adsl.xtra.co.nz[125.236.237.95]>: Client host rejected: Access denied; proto=SMTP

Reply

Answer 9

reganyelcich Author

Level 1

15 points

Oct 24, 2009 1:08 AM in response to jaydisc

as soon as I get rid of:

zen.spamhaus.org

and replace it with:

sbl-xbl.spamhaus.org
smtp.dnsbl.sorbs.net

the iphone and desktop machine connect and send ok.

So it appears that the "permit saslauthenticated" option is ignored when I've got "zen.spamhaus.org" set in the junk mail rejection servers.

Reply

Answer 10

jaydisc

Level 4

1,464 points

Oct 24, 2009 2:45 AM in response to reganyelcich

Can you paste back the parts of master.cf you modified?

(And you have restarted Postfix, yes?)

Reply

Answer 11

reganyelcich Author

Level 1

15 points

Oct 24, 2009 4:18 AM in response to jaydisc

yip reloaded postifx and stop/started the mail service.

so if I leave the following settings uncommented, the mail system rejects my attempts to connect. If I disable them, and use zen.spamhause then zen rejects the connection due to mobile ip I'm guessing. So if I comment these out, and change the spam system to those above then sending from the iphone and desktop work fine. I would have though the "permit saslauthenticated" flag would over ride zen.spamhaus checks but for some reason it doesn't seem to be working that way.

submission inet n - n - - smtpd
-o smtpd sasl_authenable=yes
-o smtpd client_restrictions=permit_saslauthenticated,reject
-o smtpd recipient_restrictions=permit_saslauthenticated,reject

Message was edited by: regan y

Reply

Answer 12

jaydisc

Level 4

1,464 points

Oct 24, 2009 2:28 PM in response to reganyelcich

At this point, I'm stumped.

If you just turn on submission or any other smtpd listener, it should default to all of the directives set in main.cf unless/until you override them in master.cf. Based on what you've showed me in master.cf, you have overrode those directives, so maybe it's something we haven't seen. It is possible you accidentally have two submission directives in master.cf?

Perhaps you should turn on peer debugging just to be sure which directive is actually stopping you. In main.cf, add/uncomment:

debug peerlevel = 2
debug peerlist = 121.90.193.198, 125.236.237.95

Then you should get a more detailed report on what's happening. You can add more hostnames, IP to the peer_list if need be.

Reply

Answer 13

reganyelcich Author

Level 1

15 points

Oct 25, 2009 3:39 PM in response to jaydisc

Thanks for your help - I can't find any duplicate submission setting in master.cf so have turned on the additional logging as you suggested - wow - lots more info there - here's what it wrote to the log files below. So this is with the submission settings as per above, and with zen.spamhaus.org set in the relay rejection server field - and trying to send from the iphone.

Oct 26 11:36:31 kiwi postfix/smtpd[9543]: connect from unknown[121.90.155.25]
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: >>> START Client host RESTRICTIONS <<<
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: generic_checks: name=permit_sasl_authenticated
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: generic_checks: name=permit_sasl_authenticated status=0
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: generic_checks: name=permit_mynetworks
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: permit_mynetworks: unknown 121.90.155.25
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: match_hostname: unknown ~? 127.0.0.1/32
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: match_hostaddr: 121.90.155.25 ~? 127.0.0.1/32
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: match_hostname: unknown ~? 192.168.1.0/24
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: match_hostaddr: 121.90.155.25 ~? 192.168.1.0/24
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: match_list_match: unknown: no match
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: match_list_match: 121.90.155.25: no match
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: generic_checks: name=permit_mynetworks status=0
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: generic_checks: name=reject_rbl_client
Oct 26 11:36:31 kiwi postfix/smtpd[9543]: reject_rbl: Client host 121.90.155.25
Oct 26 11:36:32 kiwi postfix/smtpd[9543]: dns_query: 25.155.90.121.zen.spamhaus.org (A): OK
Oct 26 11:36:32 kiwi postfix/smtpd[9543]: dns_get_answer: type A for 25.155.90.121.zen.spamhaus.org
Oct 26 11:36:32 kiwi postfix/smtpd[9535]: NOQUEUE: reject: CONNECT from unknown[200.184.85.42]: 554 Service unavailable; Client host [200.184.85.42] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=200.184.85.42; proto=SMTP
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: dns_query: 25.155.90.121.zen.spamhaus.org (TXT): OK
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: dns_get_answer: type TXT for 25.155.90.121.zen.spamhaus.org
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: ctable_locate: install entry key 25.155.90.121.zen.spamhaus.org
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: mac_parse: $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: rbl_expand_lookup: ${rbl_code}
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: mac_expand_callback: rbl_code = 554
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: mac_expand_callback: Service unavailable; = Service unavailable;
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: rbl_expand_lookup: ${rbl_class}
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: mac_expand_callback: rbl_class = Client host
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: mac_expand_callback: [ = [
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: rbl_expand_lookup: ${rbl_what}
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: mac_expand_callback: rbl_what = 121.90.155.25
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: mac_expand_callback: ] blocked using = ] blocked using
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: rbl_expand_lookup: ${rbl_domain}
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: mac_expand_callback: rbl_domain = zen.spamhaus.org
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: rbl_expand_lookup: ${rbl_reason}
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: mac_parse: ; $rbl_reason
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: mac_expand_callback: ; = ;
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: rbl_expand_lookup: ${rbl_reason}
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: mac_expand_callback: rbl_reason = http://www.spamhaus.org/query/bl?ip=121.90.155.25
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: mac_expand_callback: rbl_reason = http://www.spamhaus.org/query/bl?ip=121.90.155.25
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: NOQUEUE: reject: CONNECT from unknown[121.90.155.25]: 554 Service unavailable; Client host [121.90.155.25] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=121.90.155.25; proto=SMTP
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: generic_checks: name=reject_rbl_client status=2
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: > unknown[121.90.155.25]: 554 Service unavailable; Client host [121.90.155.25] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=121.90.155.25
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: watchdog_pat: 0x309e88
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: < unknown[121.90.155.25]: ???
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: > unknown[121.90.155.25]: 502 Error: command not implemented
Oct 26 11:36:33 kiwi postfix/smtpd[9543]: watchdog_pat: 0x309e88

Message was edited by: regan y

Reply

Answer 14

jaydisc

Level 4

1,464 points

Oct 25, 2009 4:07 PM in response to reganyelcich

According to those logs, you are not authenticating:

Oct 26 11:36:31 kiwi postfix/smtpd9543: generic_checks: name=permit saslauthenticated status=0

When I do the same test on mine, I get :

Oct 26 10:05:49 thepracticeofcode postfix/smtpd[8428]: generic_checks: name=permit saslauthenticated status=1

Please check your settings.

Reply

Answer 15

reganyelcich Author

Level 1

15 points

Oct 25, 2009 4:20 PM in response to jaydisc

hmmm.... very odd.

I'll try it from my desktop first with the settings in Mail...

- pop server name ok
- username ok
- password ok
- outgoing mail server name ok
- use custom port 587
- authentication = password
- username ok
- password ok

is there anything else I need to set to make it authenticate on the Mail client end?

The password must be ok because when I change the mail server settings back again it works fine? :\

Message was edited by: regan y

Reply