Can't seem to allow relay from IP


Can't seem to allow relay from IP

bstaggs
Greetings,

I am attempting to allow mail relay from a specific IP address but can't
seem to make it work correctly.  I am running Postfix 2.10.1 and with
"debug_peer_level = 2" and "debug_peer_list = xx.yyy.99.9", I get the
following error:


May  7 14:47:19 fender postfix/submission/smtpd[23487]: NOQUEUE: reject:
RCPT from host01.domain.net[xx.yyy.99.9]: 554 5.7.1
<[hidden email]>: Relay access denied; from=<[hidden email]>
to=<[hidden email]> proto=SMTP helo=<host01.domain.net>
May  7 14:09:32 fender postfix/submission/smtpd[23487]: generic_checks:
name=reject_unauth_destination status=2

...

May  7 14:47:19 fender postfix/smtps/smtpd[23826]: >>> START Client host
RESTRICTIONS <<<
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: generic_checks:
name=permit_mynetworks
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: permit_mynetworks:
host01.domain.net xx.yyy.99.9
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: match_hostname:
host01.domain.net ~? 127.0.0.0/8
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: match_hostaddr:
xx.yyy.99.9 ~? 127.0.0.0/8
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: match_hostname:
host01.domain.net ~? 69.8.3.64/28
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: match_hostaddr:
xx.yyy.99.9 ~? xx.x.3.64/28
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: match_hostname:
host01.staggs.net ~? xx.yyy.99.9
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: match_hostaddr:
xx.yyy.99.9 ~? xx.yyy.99.9
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: match_list_match:
permit_mynetworks: no match
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: generic_checks:
name=permit_mynetworks status=1


I assume "generic_checks: name=permit_mynetworks status=1" means the client
IP is listed in "mynetwork" based on googling similar errors.

I see the same "status=1" on >>> START Sender address RESTRICTIONS <<< and
>>> START Recipient address RESTRICTIONS <<<


Oddly there seems to be a second section of ">>> START Recipient address
RESTRICTIONS <<<"


May  7 14:47:19 fender postfix/smtps/smtpd[23826]: >>> START Recipient
address RESTRICTIONS <<<
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: generic_checks:
name=permit_sasl_authenticated
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: match_list_match:
permit_sasl_authenticated: no match
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: generic_checks:
name=permit_sasl_authenticated status=1
May  7 14:47:19 fender postfix/smtps/smtpd[23826]: >>> END Recipient address
RESTRICTIONS <<<




I have these settings in my main.cf:

mynetworks = 127.0.0.0/8, 69.8.x.xx/28, xx.yyy.99.9

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination

smtpd_client_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_client_access hash:/etc/postfix/access

smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/access

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client cbl.abuseat.org,
        permit

Any advice on how to debug further would be appreciated.

Thank you,

--
bstaggs

--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Can't seem to allow relay from IP

Noel Jones-2
On 5/7/2018 3:01 PM, bstaggs wrote:
> Greetings,
>
> I am attempting to allow mail relay from a specific IP address but can't
> seem to make it work correctly.  I am running Postfix 2.10.1 and with
> "debug_peer_level = 2" and "debug_peer_list = xx.yyy.99.9", I get the
> following error:
>

Turn off debug logging.  It is unlikely to help solve this issue,
and the real problem is likely to be lost in a flood of irrelevant
information.

Your two examples connect to the submission and smtps services
rather than regular port 25 smtp.  It's common for those ports to
have overrides in master.cf to permit only sasl authenticated clients.

If you need more help, see
http://www.postfix.org/DEBUG_README.html
and especially
http://www.postfix.org/DEBUG_README.html#mail



  -- Noel Jones





Re: Can't seem to allow relay from IP

bstaggs
Many thanks!!!  Never thought to look in the master.cf.  Rookie mistake.

--
bstaggs




Re: Can't seem to allow relay from IP

Matus UHLAR - fantomas
In reply to this post by Noel Jones-2
>On 5/7/2018 3:01 PM, bstaggs wrote:
>> I am attempting to allow mail relay from a specific IP address but can't
>> seem to make it work correctly.  I am running Postfix 2.10.1 and with
>> "debug_peer_level = 2" and "debug_peer_list = xx.yyy.99.9", I get the
>> following error:

On 07.05.18 15:15, Noel Jones wrote:
>Turn off debug logging.  It is unlikely to help solve this issue,
>and the real problem is likely to be lost in a flood of irrelevant
>information.
>
>Your two examples connect to the submission and smtps services
>rather than regular port 25 smtp.  It's common for those ports to
>have overrides in master.cf to permit only sasl authenticated clients.

Note that submission and smtps ports should NOT accept mail from a client
that is not authenticated.  They should simply deny mail with a reject
statement, not anything like reject_unauth_destination.

That is why there is
"smtpd_client_restrictions=permit_sasl_authenticated,reject"
by default.

>> May  7 14:47:19 fender postfix/submission/smtpd[23487]: NOQUEUE: reject:
>> RCPT from host01.domain.net[xx.yyy.99.9]: 554 5.7.1
>> <[hidden email]>: Relay access denied; from=<[hidden email]>
>> to=<[hidden email]> proto=SMTP helo=<host01.domain.net>
>> May  7 14:09:32 fender postfix/submission/smtpd[23487]: generic_checks:
>> name=reject_unauth_destination status=2

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.
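
Added example (not written by any poster in this thread): a small Python audit of the master.cf overrides Noel Jones points to and of the "permit_sasl_authenticated,reject" override Matus UHLAR describes, showing which restriction list rejects an unauthenticated client that is listed in mynetworks. The master.cf text is constructed, the main.cf lists are shortened from the original post, and the evaluation is a simplified model that treats every restriction other than the four it names as "no match".

```python
import re
# Constructed sample master.cf (not the poster's real file).
MASTER_CF = """\
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet n - n - - smtpd
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
"""
# main.cf lists from the original post, shortened (access maps and RBLs left out).
BASE = "permit_mynetworks, permit_sasl_authenticated"
MAIN_CF = {"smtpd_client_restrictions": BASE, "smtpd_sender_restrictions": BASE,
           "smtpd_relay_restrictions": BASE + ", reject_unauth_destination",
           "smtpd_recipient_restrictions": BASE + ", permit"}
# Order in which Postfix 2.10+ applies the lists at RCPT TO.
ORDER = ("client", "helo", "sender", "relay", "recipient")

def smtpd_overrides(master_cf):
    """Map each smtpd service name to its '-o name=value' overrides."""
    entries = []
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()   # continuation line
        else:
            entries.append(line.strip())
    return {e.split()[0]: dict(re.findall(r"-o\s+(\w+)=(\S+)", e))
            for e in entries if e.split()[7:8] == ["smtpd"]}

def first_reject(overrides, main_cf=MAIN_CF):
    """First (list, restriction) that rejects an unauthenticated mynetworks
    client relaying to a remote domain, else None. Simplified model: any
    restriction not named below is treated as "no match" (assumption)."""
    for stage in ORDER:
        name = f"smtpd_{stage}_restrictions"
        value = overrides.get(name, main_cf.get(name, ""))  # -o beats main.cf
        for item in re.split(r"[,\s]+", value):
            if item in ("permit", "permit_mynetworks"):
                break                            # this list permits; next list
            if item in ("reject", "reject_unauth_destination"):
                return name, item
    return None

def audit(master_cf=MASTER_CF):
    return {s: first_reject(o) for s, o in smtpd_overrides(master_cf).items()}

if __name__ == "__main__":
    print(audit())
```

On a live system, `postconf -M` prints the master.cf service entries that this script would be fed.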