Client host rejected: Access denied


Client host rejected: Access denied

Scappatura Rocco
Hello.

My MTA (Debian Lenny with postfix+amavisd-new+spamassassin+clamav) rejected an SMTP connection from Yahoo:

Jun 13 17:04:01 av7 postfix/smtpd[25250]: NOQUEUE: reject: RCPT from sonic317-25.consmr.mail.ir2.yahoo.com[87.248.110.215]: 554 5.7.1 <sonic317-25.consmr.mail.ir2.yahoo.com[87.248.110.215]>: Client host rejected: Access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<sonic317-25.consmr.mail.ir2.yahoo.com>

I can't figure out why. Here is my postfix config:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
append_dot_mydomain = no
biff = no
bounce_size_limit = 1
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 31457280
mydestination = xxx.example.com, localhost.example.com, , localhost
myhostname = xxx.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
proxy_read_maps = proxy:mysql:/etc/postfix/mysql-relay-recipients.cf proxy:mysql:/etc/postfix/mysql-relay-domains.cf proxy:mysql:/etc/postfix/mysql-check-sender-access.cf proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf proxy:mysql:/etc/postfix/mysql-check-client-access.cf proxy:unix:passwd.byname proxy:mysql:/etc/postfix/mysql-virtual-transports.cf
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql-relay-domains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-relay-recipients.cf
relayhost =
smtp_host_lookup = native
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 40
smtpd_client_message_rate_limit = 50
smtpd_client_recipient_rate_limit = 250
smtpd_error_sleep_time = 0s
smtpd_hard_error_limit = 10
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031 permit_sasl_authenticated check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf permit_mynetworks reject_unauth_destination reject_non_fqdn_sender reject_non_fqdn_recipient reject_unlisted_sender reject_unlisted_recipient reject_unknown_sender_domain reject_invalid_hostname reject_rbl_client psbl.surriel.com, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client truncate.gbudb.net, reject_rbl_client zen.spamhaus.org, check_policy_service inet:127.0.0.1:2501
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf check_recipient_access proxy:mysql:/etc/postfix/mysql-check-sender-access.cf check_recipient_access proxy:mysql:/etc/postfix/mysql-check-recipient-access.cf
smtpd_soft_error_limit = 5
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual-transports.cf

As you can see, 'smtpd_client_restrictions' is not used.

Could someone explain the reason for the rejection?

Regards,

RS

Re: Client host rejected: Access denied

Wietse Venema
Scappatura Rocco:
> smtpd_recipient_restrictions =
>  ...
>  check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>  ...

        Wietse

R: Client host rejected: Access denied

Scappatura Rocco
> smtpd_recipient_restrictions =
>  ...
>  check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>  ...

Hello,

indeed I can't figure out why the check above can cause the error:

"Client host rejected: Access denied"

In my mysql 'postfix' database, I have a simple 'access' table with 3 columns: ip, mask, action.

The query to check SMTP relay is:

"select action from access where inet_aton(ip) & inet_aton(mask) = inet_aton('%s') & inet_aton(mask) order by mask DESC limit 0,1;"

Basically, it returns OK, REJECT or no row.

In the specific case of the error that I have described in this post, the query returns no row.

Here is the complete error received by the sender:

<[hidden email]>:
554: 5.7.1 <sonic307-9.consmr.mail.ir2.yahoo.com[87.248.110.34]>: Client host rejected: Access denied

--- Below this line is a copy of the message.

Received: from sonic.gate.mail.ne1.yahoo.com by sonic307.consmr.mail.ir2.yahoo.com with HTTP; Tue, 13 Jun 2017 15:05:44 +0000
Date: Tue, 13 Jun 2017 15:05:43 +0000 (UTC)
From: Simone Ponzalli <[hidden email]>
Reply-To: aaa bbb <[hidden email]>
To: ccc ddd<[hidden email]>
Message-ID: <[hidden email]>
In-Reply-To: <[hidden email]>
References: <[hidden email]> <[hidden email]> <[hidden email]>
Subject: I: xxxxxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_Part_1748156_1137968452.1497366343412"
X-Mailer: WebService/1.1.9778 YahooMailNeo Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Length: 53234

Regards,

RS






Re: R: Client host rejected: Access denied

Wietse Venema
Scappatura Rocco:

> > smtpd_recipient_restrictions =
> >  ...
> >  check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
> >  ...
>
> Hello,
>
> indeed I can't figure out why the check above can cause the error:
>
> "Client host rejected: Access denied"
> ...
> Here is the complete error received by the sender:
>
> <[hidden email]>:
> 554: 5.7.1 <sonic307-9.consmr.mail.ir2.yahoo.com[87.248.110.34]>: Client host rejected: Access denied

You can use the postmap command to simulate the queries that
check_client_access makes:

postmap -q 87.248.110.34 proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q 87.248.110 proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q 87.248 proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q 87 proxy:mysql:/etc/postfix/mysql-check-client-access.cf

And for the domain name queries that check_client_access makes:

postmap -q sonic307-9.consmr.mail.ir2.yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q consmr.mail.ir2.yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q mail.ir2.yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q ir2.yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
postmap -q com proxy:mysql:/etc/postfix/mysql-check-client-access.cf

If any of those queries returns a result, then that is the action
that Postfix will execute.

        Wietse

R: R: Client host rejected: Access denied

Scappatura Rocco


> -----Original message-----
> From: [hidden email] [mailto:owner-postfix-[hidden email]] On behalf of Wietse Venema
> Sent: Wednesday, 14 June 2017 19:38
> To: Postfix users <[hidden email]>
> Subject: Re: R: Client host rejected: Access denied
>
> Scappatura Rocco:
> > > smtpd_recipient_restrictions =
> > >  ...
> > >  check_client_access proxy:mysql:/etc/postfix/mysql-check-client-access.cf
> > >  ...
> >
> > Hello,
> >
> > indeed I can't figure out why the check above can cause the error:
> >
> > "Client host rejected: Access denied"
> > ...
> > Here is the complete error received by the sender:
> >
> > <[hidden email]>:
> > 554: 5.7.1 <sonic307-9.consmr.mail.ir2.yahoo.com[87.248.110.34]>: Client host rejected: Access denied
>
> You can use the postmap command to simulate the queries that
> check_client_access makes:
>
> postmap -q 87.248.110.34 proxy:mysql:/etc/postfix/mysql-check-client-access.cf
> postmap -q 87.248.110 proxy:mysql:/etc/postfix/mysql-check-client-access.cf

postmap -q 87.248.110 proxy:mysql:/etc/postfix/mysql-check-client-access.cf
REJECT

:-)

Indeed I checked that I have an erroneous entry in my DB. In fact:

SELECT *
FROM access
WHERE INET_ATON( ip ) & INET_ATON( mask ) = INET_ATON(  '87.248.110' ) & INET_ATON( mask )
ORDER BY mask DESC
LIMIT 0 , 1

Returns:

+--------------+-----------------+--------+
| ip           | mask            | action |
+--------------+-----------------+--------+
| 77.246.0.112 | 225.225.225.224 | REJECT |
+--------------+-----------------+--------+

And mask 225.225.225.224 is clearly wrong..

:-(

Thanks for your support!

> postmap -q 87.248 proxy:mysql:/etc/postfix/mysql-check-client-access.cf
> postmap -q 87 proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>
> And for the domain name queries that check_client_access makes:
>
> postmap -q sonic307-9.consmr.mail.ir2.yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
> postmap -q consmr.mail.ir2.yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
> postmap -q mail.ir2.yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
> postmap -q ir2.yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
> postmap -q yahoo.com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
> postmap -q com proxy:mysql:/etc/postfix/mysql-check-client-access.cf
>
> If any of those queries returns a result, then that is the action that Postfix will
> execute.
>
> Wietse

RS
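
An added example, not part of any post in this thread: a Python model of the lookup that shows why the full client address returned no row while the partial key 87.248.110 hit the 77.246.0.112 entry, plus a check that flags non-contiguous masks in such a table. It assumes MySQL's short-form INET_ATON parsing ('a.b.c' read as a.b.0.c); the function names and the corrected mask 255.255.255.224 are illustrative assumptions.

```python
# ROWS is the row shown in the thread; FIXED assumes the intended mask was a /27.
ROWS = [("77.246.0.112", "225.225.225.224", "REJECT")]
FIXED = [("77.246.0.112", "255.255.255.224", "REJECT")]

def mysql_inet_aton(text):
    """Model MySQL INET_ATON() for dotted input, short forms included."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    if not all(p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        return None  # MySQL returns NULL for such input
    octets = [int(p) for p in parts]
    # Leading parts fill the high octets; the last part always lands in the low octet,
    # so '87.248.110' becomes 87.248.0.110, not 87.248.110.0.
    padded = octets[:-1] + [0] * (4 - len(octets)) + octets[-1:]
    return int.from_bytes(bytes(padded), "big")

def lookup_keys(client_ip):
    """Keys listed in the reply above: full address, then shorter dotted prefixes."""
    parts = client_ip.split(".")
    return [".".join(parts[:n]) for n in range(4, 0, -1)]

def access_query(rows, key):
    """The thread's SELECT: masked compare, ORDER BY mask DESC, first row's action."""
    k = mysql_inet_aton(key)
    hits = [(mask, action) for ip, mask, action in rows
            if (mysql_inet_aton(ip) & mysql_inet_aton(mask)) == (k & mysql_inet_aton(mask))]
    hits.sort(key=lambda h: h[0], reverse=True)  # mask compared as a string here
    return hits[0][1] if hits else None

def first_decision(rows, client_ip):
    """Return (key, action) for the first key that yields a row, else (None, None)."""
    for key in lookup_keys(client_ip):
        action = access_query(rows, key)
        if action:
            return key, action
    return None, None

def is_contiguous_mask(mask):
    """True only for real netmasks: a run of one bits followed by zero bits."""
    m = mysql_inet_aton(mask)
    if m is None:
        return False
    inv = m ^ 0xFFFFFFFF
    return (inv & (inv + 1)) == 0

if __name__ == "__main__":
    for ip in ("87.248.110.215", "87.248.110.34"):  # the two clients in the thread
        print(ip, first_decision(ROWS, ip), first_decision(FIXED, ip))
    print([(r[1], is_contiguous_mask(r[1])) for r in ROWS + FIXED])
```

With the 225.225.225.224 mask only the three-part key matches, because both 77.246.0.112 and 87.248.0.110 reduce to 65.224.0.96 under it; validating masks on insert, or answering only full-address keys in the query, closes that gap.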
