Access denied when trying to send from localhost

Nikolaos Milas
Hello,

On our mail server (running Postfix 3.2.4) I am also using fetchmail to
read mail from some pop server and deliver it to local users. Yet, mail
fails to get delivered:

...
Dec  1 01:34:39 vmail2 fetchmail[11447]: POP3> RETR 1
Dec  1 01:34:39 vmail2 fetchmail[11447]: POP3< +OK message 1 (546434
octets):
Dec  1 01:34:39 vmail2 postfix/smtpd[14506]: connect from localhost[::1]
Dec  1 01:34:39 vmail2 fetchmail[11447]: reading message
150@195.251.204.117:1 of 1 (546434 octets)Trying to connect to
::1/25...connected.
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 220 vmail2.noa.gr ESMTP
IC-XC-NI-KA
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP> EHLO vmail2.noa.gr
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250-vmail2.noa.gr
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250-PIPELINING
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250-SIZE 41943040
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250-VRFY
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250-ETRN
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250-STARTTLS
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250-ENHANCEDSTATUSCODES
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250-8BITMIME
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250 DSN
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP> MAIL
FROM:<non-mail-user@S8400EAA> SIZE=546434
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250 2.1.0 Ok
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP> RCPT TO:<[hidden email]>
Dec  1 01:34:39 vmail2 postfix/trivial-rewrite[14509]: using
backwards-compatible default setting append_dot_mydomain=yes to rewrite
"S8400EAA" to "S8400EAA.noa.gr"
Dec  1 01:34:39 vmail2 postfix/smtpd[14506]: NOQUEUE: reject: RCPT from
localhost[::1]: 554 5.7.1 <localhost[::1]>: Client host rejected: Access
denied; from=<non-mail-user@S8400EAA> to=<[hidden email]> proto=ESMTP
helo=<vmail2.noa.gr>
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 554 5.7.1
<localhost[::1]>: Client host rejected: Access denied
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP error: 554 5.7.1
<localhost[::1]>: Client host rejected: Access denied
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP listener doesn't like
recipient address `[hidden email]'
Dec  1 01:34:39 vmail2 postfix/smtpd[14510]: connect from localhost[::1]
Dec  1 01:34:39 vmail2 fetchmail[11447]: Trying to connect to
::1/25...connected.
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 220 vmail2.noa.gr ESMTP
IC-XC-NI-KA
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP> HELO vmail2.noa.gr
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250 vmail2.noa.gr
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP> MAIL FROM:<>
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250 2.1.0 Ok
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP> RCPT
TO:<non-mail-user@S8400EAA>
Dec  1 01:34:39 vmail2 postfix/smtpd[14510]: NOQUEUE: reject: RCPT from
localhost[::1]: 554 5.7.1 <localhost[::1]>: Client host rejected: Access
denied; from=<> to=<non-mail-user@S8400EAA> proto=SMTP helo=<vmail2.noa.gr>
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 554 5.7.1
<localhost[::1]>: Client host rejected: Access denied
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP> QUIT
Dec  1 01:34:39 vmail2 postfix/smtpd[14510]: disconnect from
localhost[::1] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 221 2.0.0 Bye
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP> RCPT TO:<[hidden email]>
Dec  1 01:34:39 vmail2 postfix/smtpd[14506]: NOQUEUE: reject: RCPT from
localhost[::1]: 554 5.7.1 <localhost[::1]>: Client host rejected: Access
denied; from=<non-mail-user@S8400EAA> to=<[hidden email]> proto=ESMTP
helo=<vmail2.noa.gr>
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 554 5.7.1
<localhost[::1]>: Client host rejected: Access denied
Dec  1 01:34:39 vmail2 fetchmail[11447]: can't even send to
[hidden email]!
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP> RSET
Dec  1 01:34:39 vmail2 fetchmail[11447]: SMTP< 250 2.0.0 Ok
Dec  1 01:34:39 vmail2 fetchmail[11447]: not flushed

Since I have:

smtpd_recipient_restrictions =
   check_client_access hash:/etc/postfix/localhost
   check_recipient_access hash:/etc/postfix/protected_destinations
   permit_sasl_authenticated
   reject_unverified_recipient
   reject_unauth_destination

and /etc/postfix/localhost:

    194.177.195.166          OK
    127.0.0.1                OK
    [::1]                    OK
    [2001:648:2011:15::166]  OK

...I wouldn't expect that smtp from localhost would be denied.

What am I doing wrong?

# postconf -n
alias_database = hash:/etc/postfix/aliases,
hash:/etc/postfix/aliases.d/virtual_aliases
alias_maps = hash:/etc/aliases
allowed_gein = check_client_access
cidr:/etc/postfix/gein_admin_ips.cidr,reject
allowed_iaasars = check_client_access
cidr:/etc/postfix/iaasars_admin_ips.cidr,reject
allowed_list1 = check_sasl_access
hash:/etc/postfix/allowed_groupmail_users,reject
allowed_list2 = permit_sasl_authenticated,reject
allowed_meteo = check_client_access
cidr:/etc/postfix/meteo_admin_ips.cidr,reject
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
controlled_senders = check_sender_access hash:/etc/postfix/blocked_senders
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 25
delay_logging_resolution_limit = 3
deliver_lock_attempts = 40
gwcheck = reject_unverified_recipient, reject_unauth_destination
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_header_rewrite_clients = static:all
mail_name = IC-XC-NI-KA
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 41943040
meta_directory = /etc/postfix
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = noa.gr
myhostname = vmail2.noa.gr
mynetworks = 195.251.204.0/24, 195.251.202.0/23, 194.177.194.0/23,
127.0.0.0/8, 10.201.0.0/16, [2001:648:2011::]/48, 83.212.5.24/29,
[2001:648:2ffc:1115::]/64, 62.217.124.0/29, [2001:648:2ffc:126::]/64
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
parent_domain_matches_subdomains =
postfwdcheck = check_policy_service inet:127.0.0.1:10040
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.2.4/README_FILES
recipient_canonical_maps = hash:/etc/postfix/domainrecipientmap
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix3-3.2.4/samples
sender_canonical_maps = hash:/etc/postfix/domainsendermap
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_security_level = may
smtpd_client_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject
smtpd_delay_reject = yes
smtpd_end_of_data_restrictions = check_client_access
cidr:/etc/postfix/postfwdpolicy.cidr
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = check_client_access
hash:/etc/postfix/localhost check_recipient_access
hash:/etc/postfix/protected_destinations permit_sasl_authenticated
reject_unverified_recipient reject_unauth_destination
smtpd_restriction_classes =
controlled_senders,allowed_list1,allowed_list2,
allowed_iaasars,allowed_meteo,allowed_gein,postfwdcheck,gwcheck
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/DigiCertCA.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/star_noa_gr-1243437.crt
smtpd_tls_key_file = /etc/pki/tls/private/star_noa_gr-1243437.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases,
hash:/etc/postfix/aliases.d/virtual_aliases,
proxy:ldap:/etc/postfix/ldap-alias-vacation.cf,
proxy:ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = $mydomain, space.$mydomain, admin.$mydomain,
nestor.$mydomain, gein.$mydomain, meteo.$mydomain, technet.$mydomain,
astro.$mydomain, hesperia-space.eu
virtual_mailbox_limit = 0
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-users.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:500
postconf: warning: /etc/postfix/main.cf: unused parameter:
127.0.0.1:10040_time_limit=3600

Thanks,
Nick

Re: Access denied when trying to send from localhost

Benny Pedersen-2
Nikolaos Milas wrote on 2017-12-01 00:50:

> smtpd_recipient_restrictions =
>   check_client_access hash:/etc/postfix/localhost

> What am I doing wrong?

change hash to cidr

or add permit_mynetworks instead of check_client_access

Re: Access denied when trying to send from localhost

Viktor Dukhovni
In reply to this post by Nikolaos Milas


> On Nov 30, 2017, at 6:50 PM, Nikolaos Milas <[hidden email]> wrote:
>
> smtpd_recipient_restrictions =
>   check_client_access hash:/etc/postfix/localhost
>   check_recipient_access hash:/etc/postfix/protected_destinations
>   permit_sasl_authenticated
>   reject_unverified_recipient
>   reject_unauth_destination
>
> and /etc/postfix/localhost:
>
>   194.177.195.166          OK
>   127.0.0.1                OK
>   [::1]                    OK
>   [2001:648:2011:15::166]  OK
>
> ...I wouldn't expect that smtp from localhost would be denied.
>
> What am I doing wrong?

http://www.postfix.org/access.5.html

  net:work:addr:ess
  net:work:addr
  net:work
  net         Matches  the  specified IPv6 host address or subnetwork. An IPv6
              host address is a sequence of three to eight  hexadecimal  octet
              pairs separated by ":".

              Subnetworks  are  matched  by  repeatedly  truncating  the  last
              ":octetpair" from the remote IPv6 host address  string  until  a
              match  is found in the access table, or until further truncation
              is not possible.

              NOTE 1: the truncation and comparison are done with  the  string
              representation  of  the IPv6 host address. Thus, not all the ":"
              subnetworks will be tried.

              NOTE 2: The access map lookup key must be in canonical form:  do
              not specify unnecessary null characters, and do not enclose net-
              work address information with "[]" characters.

              NOTE 3: use the cidr lookup table type to  specify  network/net-
              mask patterns. See cidr_table(5) for details.

              IPv6 support is available in Postfix 2.2 and later.

--
        Viktor.
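
As an added illustration of the access(5) rules quoted above (example code written for this page, not Postfix's implementation and not code from anyone in this thread): a small Python model of the lookup keys that check_client_access tries against a hash: table, next to an address-arithmetic cidr: lookup. The two tables are constructed copies of the localhost table posted in this thread in its hash: form (bracketed IPv6 keys) and its cidr: form. The truncation loop follows the man page text; stopping once the truncated string is empty is an assumption of the model. It shows why a "[::1]" key can never match a client connecting from ::1, independent of which restriction list produced the rejection in the log.

```python
import ipaddress

# Constructed copies of the two localhost tables posted in this thread.
# hash: keys are compared as strings; cidr: entries are network patterns.
HASH_TABLE = {
    "194.177.195.166": "OK",
    "127.0.0.1": "OK",
    "[::1]": "OK",                    # bracketed, as in the original hash table
    "[2001:648:2011:15::166]": "OK",
}
CIDR_TABLE = [
    ("194.177.195.166", "OK"),
    ("127.0.0.1", "OK"),
    ("::1", "OK"),
    ("2001:648:2011:15::166", "OK"),
]


def hash_lookup_keys(client_addr):
    """Keys that check_client_access tries against a hash: table for a client
    address, following access(5): the address string as-is (no brackets), then
    the string with the last ".octet" (IPv4) or ":octetpair" (IPv6) cut off,
    repeated. Stopping when nothing is left is an assumption of this model."""
    sep = ":" if ":" in client_addr else "."
    keys = [client_addr]
    parts = client_addr.split(sep)
    while len(parts) > 1:
        parts.pop()
        shorter = sep.join(parts)
        if not shorter:
            break
        keys.append(shorter)
    return keys


def hash_lookup(table, client_addr):
    """First key found in the table wins; returns (key, action) or (None, None)."""
    for key in hash_lookup_keys(client_addr):
        if key in table:
            return key, table[key]
    return None, None


def cidr_lookup(table, client_addr):
    """cidr: tables match by address arithmetic, first match wins; a bare
    address is a /32 or /128 network (cidr_table(5))."""
    addr = ipaddress.ip_address(client_addr)
    for pattern, action in table:
        net = ipaddress.ip_network(pattern, strict=False)
        if net.version == addr.version and addr in net:
            return pattern, action
    return None, None


if __name__ == "__main__":
    for client in ("127.0.0.1", "::1", "2001:648:2011:15::166"):
        print(client, "keys tried:", hash_lookup_keys(client))
        print("  hash:", hash_lookup(HASH_TABLE, client))
        print("  cidr:", cidr_lookup(CIDR_TABLE, client))
```

Note the string nature of the IPv6 truncation (NOTE 1 above): for the client 2001:648:2011:15::166 the keys tried are the literal prefixes "2001:648:2011:15:", "2001:648:2011:15", "2001:648:2011" and so on, so a key "2001:648:2011:15" in a hash: table matches that host while a key "[2001:648:2011:15::166]" never does. Network masks belong in a cidr: table.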


Re: Access denied when trying to send from localhost

Rodrigo Cunha
back up, ok.
Change this line, append "127.0.0.1/8"
Change This:

mynetworks = 195.251.204.0/24, 195.251.202.0/23, 194.177.194.0/23, 127.0.0.0/8, 10.201.0.0/16, [2001:648:2011::]/48, 83.212.5.24/29, [2001:648:2ffc:1115::]/64, 62.217.124.0/29, [2001:648:2ffc:126::]/64

change that for this

mynetworks = 127.0.0.1/8, 195.251.204.0/24, 195.251.202.0/23, 194.177.194.0/23, 127.0.0.0/8, 10.201.0.0/16, [2001:648:2011::]/48, 83.212.5.24/29, [2001:648:2ffc:1115::]/64, 62.217.124.0/29, [2001:648:2ffc:126::]/64

--
Regards,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil


Re: Access denied when trying to send from localhost

Nikolaos Milas
In reply to this post by Benny Pedersen-2
On 1/12/2017 1:58 a.m., Benny Pedersen wrote:

> change hash to cidr

I have already tried cidr with no luck:

smtpd_recipient_restrictions =
   check_client_access cidr:/etc/postfix/localhost.cidr
   check_recipient_access hash:/etc/postfix/protected_destinations
   permit_sasl_authenticated
   reject_unverified_recipient
   reject_unauth_destination

# cat /etc/postfix/localhost.cidr
194.177.195.166          OK
127.0.0.1                OK
::1                      OK
2001:648:2011:15::166    OK

(I also tried to enclose IPv6 addresses in square brackets, which did
not change things.)

> or add permit_mynetworks instead of check_client_access

I don't want to permit_mynetworks, because I want to force clients to
sasl-authenticate (with the exception of localhost).

Any ideas?

Nick

Re: Access denied when trying to send from localhost

Nikolaos Milas
In reply to this post by Rodrigo Cunha
On 1/12/2017 4:09 a.m., Rodrigo Cunha wrote:

> Change This:
>
> mynetworks = 195.251.204.0/24 <http://195.251.204.0/24>,
> 195.251.202.0/23 <http://195.251.202.0/23>, 194.177.194.0/23
> <http://194.177.194.0/23>, 127.0.0.0/8 <http://127.0.0.0/8>,
> 10.201.0.0/16 <http://10.201.0.0/16>, [2001:648:2011::]/48,
> 83.212.5.24/29 <http://83.212.5.24/29>, [2001:648:2ffc:1115::]/64,
> 62.217.124.0/29 <http://62.217.124.0/29>, [2001:648:2ffc:126::]/64
>
> change that for this
>
> mynetworks = 127.0.0.1/8 <http://127.0.0.1/8>, 195.251.204.0/24
> <http://195.251.204.0/24>, 195.251.202.0/23 <http://195.251.202.0/23>,
> 194.177.194.0/23 <http://194.177.194.0/23>, 127.0.0.0/8
> <http://127.0.0.0/8>, 10.201.0.0/16 <http://10.201.0.0/16>,
> [2001:648:2011::]/48, 83.212.5.24/29 <http://83.212.5.24/29>,
> [2001:648:2ffc:1115::]/64, 62.217.124.0/29 <http://62.217.124.0/29>,
> [2001:648:2ffc:126::]/64

Thank you Rodrigo,

As you can see, 127.0.0.0/8 is already included.

However, I tried adding [::1]/128 (which I noticed was missing) and this
time it worked!

It seems that even though I have explicitly permitted ::1 in
localhost.cidr ( check_client_access in smtpd_recipient_restrictions ),
I MUST ALSO include it in mynetworks, although I don't use
permit_mynetworks!

Obviously, this is due to the implicit (default) setting of:

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
defer_unauth_destination

Things are working OK now, thanks everyone!!

Cheers,
Nick
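
An added example, written for this page and not code from the thread or from Postfix, that models why adding [::1]/128 to mynetworks changed the outcome. With smtpd_delay_reject = yes, smtpd evaluates the client, helo, sender, relay and recipient restriction lists in that order when RCPT TO arrives, and "Client host rejected: Access denied" is the text the generic reject produces when it fires in smtpd_client_restrictions, which in this configuration reads permit_mynetworks, permit_sasl_authenticated, reject. The mynetworks list, the restriction lists, the accepted domains and the localhost.cidr table are taken from the postconf output and messages above. Constructed for the example are the recipient addresses, the outside client 203.0.113.5, and a third configuration that grants the localhost table in the client list so that mynetworks (which also grants relaying through the default smtpd_relay_restrictions) does not have to grow, in the spirit of Matus' advice not to put clients that should authenticate into $mynetworks. reject_unverified_recipient, check_recipient_access, the milter and SMTP status codes other than the one in the log are not modelled.

```python
import ipaddress

# Settings copied from the postconf -n output earlier in this thread.
MYNETWORKS = [
    "195.251.204.0/24", "195.251.202.0/23", "194.177.194.0/23", "127.0.0.0/8",
    "10.201.0.0/16", "[2001:648:2011::]/48", "83.212.5.24/29",
    "[2001:648:2ffc:1115::]/64", "62.217.124.0/29", "[2001:648:2ffc:126::]/64",
]
# Domains the server accepts mail for (mydestination and virtual_mailbox_domains).
AUTHORIZED_DOMAINS = {
    "vmail2.noa.gr", "localhost", "localhost.noa.gr", "noa.gr", "space.noa.gr",
    "admin.noa.gr", "nestor.noa.gr", "gein.noa.gr", "meteo.noa.gr",
    "technet.noa.gr", "astro.noa.gr", "hesperia-space.eu",
}
# cidr:/etc/postfix/localhost.cidr as posted (every entry is "OK").
LOCALHOST_TABLE = ["194.177.195.166", "127.0.0.1", "::1", "2001:648:2011:15::166"]

# Evaluation order of the lists; with smtpd_delay_reject = yes all of them
# run at RCPT TO, which is why the reject is logged on the RCPT command.
STAGES = ["smtpd_client_restrictions", "smtpd_helo_restrictions",
          "smtpd_sender_restrictions", "smtpd_relay_restrictions",
          "smtpd_recipient_restrictions"]
# Postfix's built-in default for smtpd_relay_restrictions (not set in this main.cf).
DEFAULT_RELAY = ["permit_mynetworks", "permit_sasl_authenticated",
                 "defer_unauth_destination"]

ORIGINAL = {
    "mynetworks": MYNETWORKS,
    "smtpd_client_restrictions": ["permit_mynetworks", "permit_sasl_authenticated", "reject"],
    "smtpd_relay_restrictions": DEFAULT_RELAY,
    # check_recipient_access and reject_unverified_recipient are left out of the model.
    "smtpd_recipient_restrictions": ["check_client_access localhost",
                                     "permit_sasl_authenticated", "reject_unauth_destination"],
}
# What Nick did: add the IPv6 loopback to mynetworks.
NICKS_FIX = dict(ORIGINAL, mynetworks=MYNETWORKS + ["[::1]/128"])
# Constructed alternative: permit the localhost table in the client list instead,
# so mynetworks does not have to grow.
MINIMAL_FIX = dict(ORIGINAL, smtpd_client_restrictions=[
    "permit_mynetworks", "permit_sasl_authenticated",
    "check_client_access localhost", "reject"])


def in_networks(addr, patterns):
    """True if addr falls in any pattern; brackets around IPv6 are stripped."""
    ip = ipaddress.ip_address(addr)
    for p in patterns:
        net = ipaddress.ip_network(p.replace("[", "").replace("]", ""), strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def evaluate(restriction, stage, ctx):
    """Return "OK" (permit, stop this list), "DUNNO" (try the next restriction)
    or the reject text smtpd logs for that restriction."""
    if restriction == "permit_mynetworks":
        return "OK" if in_networks(ctx["client"], ctx["mynetworks"]) else "DUNNO"
    if restriction == "permit_sasl_authenticated":
        return "OK" if ctx["sasl"] else "DUNNO"
    if restriction == "check_client_access localhost":
        return "OK" if in_networks(ctx["client"], LOCALHOST_TABLE) else "DUNNO"
    if restriction in ("reject_unauth_destination", "defer_unauth_destination"):
        domain = ctx["rcpt"].rsplit("@", 1)[-1].lower()
        return "DUNNO" if domain in AUTHORIZED_DOMAINS else "Relay access denied"
    if restriction == "reject":
        # The generic reject names the list it fires in through its reply class.
        label = {"smtpd_client_restrictions": "Client host rejected",
                 "smtpd_recipient_restrictions": "Recipient address rejected"}
        return f"554 5.7.1 {label.get(stage, 'Request rejected')}: Access denied"
    raise ValueError(f"restriction not modelled: {restriction}")


def rcpt_decision(config, client, sasl, rcpt):
    """Decide one RCPT TO. "OK" ends only the current list; a reject ends all."""
    ctx = {"client": client, "sasl": sasl, "rcpt": rcpt,
           "mynetworks": config["mynetworks"]}
    for stage in STAGES:
        for restriction in config.get(stage, []):
            result = evaluate(restriction, stage, ctx)
            if result == "OK":
                break
            if result != "DUNNO":
                return ("reject", stage, result)
    return ("accept", None, None)


if __name__ == "__main__":
    rcpt = "user@noa.gr"  # constructed; the real recipient is hidden in the archive
    for name, cfg in (("original", ORIGINAL), ("[::1]/128 in mynetworks", NICKS_FIX),
                      ("localhost table in client list", MINIMAL_FIX)):
        for client in ("::1", "127.0.0.1", "203.0.113.5"):
            print(f"{name:32} client={client:12}", rcpt_decision(cfg, client, False, rcpt))
```

Run as-is, the original configuration rejects the unauthenticated client ::1 in the client list with exactly the message from the log, while the same delivery over 127.0.0.1 is accepted because 127.0.0.0/8 is in mynetworks and ::1 is not. Both fixes accept ::1 for a local recipient; the difference shows on a recipient outside the accepted domains, which the mynetworks variant relays and the client-list variant refuses with "Relay access denied" at the relay stage.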

Re: Access denied when trying to send from localhost

Matus UHLAR - fantomas
In reply to this post by Nikolaos Milas
> On 1/12/2017 1:58 a.m., Benny Pedersen wrote:
>> or add permit_mynetworks instead of check_client_access

On 01.12.17 09:25, Nikolaos Milas wrote:
> I don't want to permit_mynetworks, because I want to force clients to
> sasl-authenticate (with the exception of localhost).

don't include those clients in $mynetworks then.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.

Re: Access denied when trying to send from localhost

Benny Pedersen-2
Matus UHLAR - fantomas wrote on 2017-12-01 20:40:
>> On 1/12/2017 1:58 a.m., Benny Pedersen wrote:
>>> or add permit_mynetworks instead of check_client_access
>
> On 01.12.17 09:25, Nikolaos Milas wrote:
>> I don't want to permit_mynetworks, because I want to force clients to
>> sasl-authenticate (with the exception of localhost).
> don't include those clients in $mynetworks then.

more important, don't use permit_mynetworks on ports 465 and 587,

but only in the global main.cf

remember -o in master.cf where it is needed