Getting 'Relay access denied' from one LAN host but not from another - why?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Getting 'Relay access denied' from one LAN host but not from another - why?

Chris Green-11
I have Postfix 3.4.13 running on my xubuntu 20.04 system.

It's configured to send outgoing E-Mail to my hosting provider's smart
host and to deliver incoming E-Mail to local users (basically just me).
This has been working for several years.

Also configured a while ago and working OK are some local E-Mail
senders such as a backup system on the LAN which send any backup error
messages to me.  I have just tested this by sending a test error
message and this works OK, see this bit of mail.log:-

    Nov 11 10:10:39 esprimo postfix/smtpd[2245946]: connect from pibackup.zbmc.eu[192.168.1.108]
    Nov 11 10:10:39 esprimo postfix/smtpd[2245946]: D36AC2C059A: client=pibackup.zbmc.eu[192.168.1.108]
    Nov 11 10:10:39 esprimo postfix/cleanup[2245950]: D36AC2C059A: message-id=<> Nov 11 10:10:39 esprimo postfix/qmgr[1320]: D36AC2C059A: from=<root@pibackup>, size=433, nrcpt=1 (queue active)
    Nov 11 10:10:39 esprimo postfix/smtpd[2245946]: disconnect from pibackup.zbmc.eu[192.168.1.108] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
    Nov 11 10:10:39 esprimo postfix/local[2245951]: D36AC2C059A: to=<chris@esprimo>, relay=local, delay=0.08, delays=0.01/0.01/0/0.06, dsn=2.0.0, status=sent (delivered to command: /home/chris/.mutt/bin/filter.py)
    Nov 11 10:10:39 esprimo postfix/qmgr[1320]: D36AC2C059A: removed

However E-Mail sent from another system on the LAN (a Draytek 2820n
router) is being rejected with "Relay access denied" and I don't
understand why.  Here is the mail.log output:-

    Nov  9 09:41:09 esprimo postfix/smtpd[1894400]: connect from 2820n.zbmc.eu[192.168.1.20]
    Nov  9 09:41:09 esprimo postfix/smtpd[1894400]: NOQUEUE: reject: RCPT from 2820n.zbmc.eu[192.168.1.20]: 454 4.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<isbd.co.uk>
    Nov  9 09:41:09 esprimo postfix/smtpd[1894400]: disconnect from 2820n.zbmc.eu[192.168.1.20] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
    Nov  9 10:09:54 esprimo postfix/smtpd[1897924]: connect from 2820n.zbmc.eu[192.168.1.20]
    Nov  9 10:09:54 esprimo postfix/smtpd[1897924]: NOQUEUE: reject: RCPT from 2820n.zbmc.eu[192.168.1.20]: 454 4.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<isbd.co.uk>
    Nov  9 10:09:54 esprimo postfix/smtpd[1897924]: disconnect from 2820n.zbmc.eu[192.168.1.20] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

I can't understand why one message is delivered while the other is
rejected.

Here's my main.cf:-

    # See /usr/share/postfix/main.cf.dist for a commented, more complete
    version


    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = no

    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package
    for
    # information on enabling SSL in the smtp client.

    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
    myhostname = esprimo.zbmc.eu
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = zbmc.eu
    mydestination = zbmc.eu esprimo.zbmc.eu, esprimo, chris.zbmc.eu
    relayhost = [mail.gandi.net]:465
    # relayhost = [mail.gridhost.co.uk]:465
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = ipv4
    smtp_sasl_auth_enable = yes
    smtp_tls_wrappermode = yes
    smtp_tls_security_level = encrypt
    smtp_sasl_tls_security_options = noanonymous
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    message_size_limit = 120480000
    compatibility_level = 2


Shouldn't that permit_mynetworks allow E-Mail from 2820n.zbmc.eu[192.168.1.20]
as it does allow it from pibackup.zbmc.eu[192.168.1.108]?  Can anyone
suggest what might be wrong?

--
Chris Green
Reply | Threaded
Open this post in threaded view
|

Re: Getting 'Relay access denied' from one LAN host but not from another - why?

Matus UHLAR - fantomas
On 11.11.20 10:30, Chris Green wrote:
>Subject: Getting 'Relay access denied' from one LAN host but not from
> another - why?

>I have Postfix 3.4.13 running on my xubuntu 20.04 system.
>
>It's configured to send outgoing E-Mail to my hosting provider's smart
>host and to deliver incoming E-Mail to local users (basically just me).
>This has been working for several years.
>
>Also configured a while ago and working OK are some local E-Mail
>senders such as a backup system on the LAN which send any backup error
>messages to me.  I have just tested this by sending a test error
>message and this works OK, see this bit of mail.log:-
>
>    Nov 11 10:10:39 esprimo postfix/smtpd[2245946]: connect from pibackup.zbmc.eu[192.168.1.108]
>    Nov 11 10:10:39 esprimo postfix/smtpd[2245946]: D36AC2C059A: client=pibackup.zbmc.eu[192.168.1.108]
>    Nov 11 10:10:39 esprimo postfix/cleanup[2245950]: D36AC2C059A: message-id=<> Nov 11 10:10:39 esprimo postfix/qmgr[1320]: D36AC2C059A: from=<root@pibackup>, size=433, nrcpt=1 (queue active)
>    Nov 11 10:10:39 esprimo postfix/smtpd[2245946]: disconnect from pibackup.zbmc.eu[192.168.1.108] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
>    Nov 11 10:10:39 esprimo postfix/local[2245951]: D36AC2C059A: to=<chris@esprimo>, relay=local, delay=0.08, delays=0.01/0.01/0/0.06, dsn=2.0.0, status=sent (delivered to command: /home/chris/.mutt/bin/filter.py)
>    Nov 11 10:10:39 esprimo postfix/qmgr[1320]: D36AC2C059A: removed

this message is not relayed, but delivered locally.

>However E-Mail sent from another system on the LAN (a Draytek 2820n
>router) is being rejected with "Relay access denied" and I don't
>understand why.  Here is the mail.log output:-
>
>    Nov  9 09:41:09 esprimo postfix/smtpd[1894400]: connect from 2820n.zbmc.eu[192.168.1.20]
>    Nov  9 09:41:09 esprimo postfix/smtpd[1894400]: NOQUEUE: reject: RCPT from 2820n.zbmc.eu[192.168.1.20]: 454 4.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<isbd.co.uk>
>    Nov  9 09:41:09 esprimo postfix/smtpd[1894400]: disconnect from 2820n.zbmc.eu[192.168.1.20] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
>    Nov  9 10:09:54 esprimo postfix/smtpd[1897924]: connect from 2820n.zbmc.eu[192.168.1.20]
>    Nov  9 10:09:54 esprimo postfix/smtpd[1897924]: NOQUEUE: reject: RCPT from 2820n.zbmc.eu[192.168.1.20]: 454 4.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<isbd.co.uk>
>    Nov  9 10:09:54 esprimo postfix/smtpd[1897924]: disconnect from 2820n.zbmc.eu[192.168.1.20] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
>
>I can't understand why one message is delivered while the other is
>rejected.

this message is not to be delivered locally, but to relayed.



>    # See /usr/share/postfix/main.cf.dist for a commented, more complete
>    version
>
>
>    # Debian specific:  Specifying a file name will cause the first
>    # line of that file to be used as the name.  The Debian default
>    # is /etc/mailname.
>    #myorigin = /etc/mailname
>
>    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
>    biff = no
>
>    # appending .domain is the MUA's job.
>    append_dot_mydomain = no
>
>    # Uncomment the next line to generate "delayed mail" warnings
>    #delay_warning_time = 4h
>
>    readme_directory = no
>
>    # TLS parameters
>    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
>    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
>    smtpd_use_tls=yes
>    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
>    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package
>    for
>    # information on enabling SSL in the smtp client.
>
>    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>    defer_unauth_destination
>    myhostname = esprimo.zbmc.eu
>    alias_maps = hash:/etc/aliases
>    alias_database = hash:/etc/aliases
>    myorigin = zbmc.eu
>    mydestination = zbmc.eu esprimo.zbmc.eu, esprimo, chris.zbmc.eu
>    relayhost = [mail.gandi.net]:465
>    # relayhost = [mail.gridhost.co.uk]:465
>    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
>    mailbox_size_limit = 0
>    recipient_delimiter = +
>    inet_interfaces = all
>    inet_protocols = ipv4
>    smtp_sasl_auth_enable = yes
>    smtp_tls_wrappermode = yes
>    smtp_tls_security_level = encrypt
>    smtp_sasl_tls_security_options = noanonymous
>    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>    message_size_limit = 120480000
>    compatibility_level = 2
>
>
>Shouldn't that permit_mynetworks allow E-Mail from 2820n.zbmc.eu[192.168.1.20]
>as it does allow it from pibackup.zbmc.eu[192.168.1.108]?  Can anyone
>suggest what might be wrong?

only if 192.168.1.20 was in your mynetworks list, and it is not.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.
Reply | Threaded
Open this post in threaded view
|

Re: Getting 'Relay access denied' from one LAN host but not from another - why?

Chris Green-11
On Wed, Nov 11, 2020 at 11:43:48AM +0100, Matus UHLAR - fantomas wrote:
[snip]
>
> this message is not relayed, but delivered locally.
>
[snip]
>
> this message is not to be delivered locally, but to relayed.
>

Of course, thanks Matus, one was to chris@esprimo whereas the rejected
one was to [hidden email].

>
>
[snip]
> >
> >
> > Shouldn't that permit_mynetworks allow E-Mail from 2820n.zbmc.eu[192.168.1.20]
> > as it does allow it from pibackup.zbmc.eu[192.168.1.108]?  Can anyone
> > suggest what might be wrong?
>
> only if 192.168.1.20 was in your mynetworks list, and it is not.
>
Correct!  I should have looked at main.cf a bit harder.


Anyway, thanks for all the answers Matus, as you can see I'm am more
of a Postfix 'user' than anything else.  :-)   (At least I managed to
provide all the information needed!)

--
Chris Green