Making relay_access_denied permanent?

Making relay_access_denied permanent?

Jan P. Kessler
Hi,

I was wondering why the following error is returned as tempfail:

Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: connect from hwsrv-288880.hostwindsdns.com[108.174.196.241]
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT from hwsrv-288880.hostwindsdns.com[108.174.196.241]: 454 4.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<hwsrv-288880.hostwindsdns.com>
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: lost connection after RCPT from hwsrv-288880.hostwindsdns.com[108.174.196.241]
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: disconnect from hwsrv-288880.hostwindsdns.com[108.174.196.241] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: connect from hwsrv-288880.hostwindsdns.com[108.174.196.241]
Jul  8 09:49:04 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT from hwsrv-288880.hostwindsdns.com[108.174.196.241]: 454 4.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<hwsrv-288880.hostwindsdns.com>
Jul  8 09:49:05 mx3 postfix-cluster/smtpd[3420]: lost connection after RCPT from hwsrv-288880.hostwindsdns.com[108.174.196.241]
Jul  8 09:49:05 mx3 postfix-cluster/smtpd[3420]: disconnect from hwsrv-288880.hostwindsdns.com[108.174.196.241] ehlo=1 mail=1 rcpt=0/1 commands=2/3

Here's the configuration:

# postconf mail_version
mail_version = 3.1.0

# postconf -n
absenderverifizierung = reject_unverified_sender
address_verify_map = btree:$data_directory/db_address_verify
address_verify_positive_refresh_time = 30d
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
delay_warning_time = 4h
empfaengerverifizierung = reject_unverified_recipient
empty_address_recipient = EMAIL-DIENST
greylistcheck = check_policy_service inet:127.0.0.1:10031
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = 10.10.10.3
mail_name = Mailservice
mail_owner = postfix
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
message_size_limit = 41943040
multi_instance_directories = /etc/postfix-cluster
multi_instance_enable = yes
multi_instance_wrapper = ${command_directory}/postmulti -p --
mydestination = localhost
myhostname = box4.jpkessler.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $myhostname
pfwpolicycheck = check_policy_service inet:127.0.0.1:10045
readme_directory = no
recipient_delimiter = +
relay_domains = jpkessler.de, jpkessler.info, notrust.de, postfwd.org, jpkit.de, jpkit.net, jpk.mine.nu, mail.jpkessler.de, mbox.jpkessler.de, test.jpkessler.de, notrust.de, cint.jpkessler.de, lists.jpkessler.de, box3.jpkessler.de, box4.jpkessler.de
relaycheck = permit_mynetworks, check_ccert_access cdb:/etc/postfix/tls_ccerts
relayhost =
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_tls_CAfile = /etc/postfix/CERTS/ca.cer
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/postfix/CERTS/fullchain.cer
smtp_tls_key_file = /etc/postfix/CERTS/jpkessler.de.key
smtp_tls_loglevel = 1
smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP Mailservice
smtpd_policy_service_max_idle = 600s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, check_client_access cidr:/etc/postfix/allowed_ips, check_ccert_access cdb:/etc/postfix/tls_ccerts, reject_non_fqdn_sender, reject_unauth_destination, reject_unknown_sender_domain, pfwpolicycheck, empfaengerverifizierung, permit
smtpd_restriction_classes = relaycheck, pfwpolicycheck, greylistcheck, empfaengerverifizierung, absenderverifizierung
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/CERTS/ca.cer
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/postfix/CERTS/fullchain.cer
smtpd_tls_dh1024_param_file = /etc/postfix/CERTS/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/CERTS/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/postfix/CERTS/jpkessler.de.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
transport_maps = cdb:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = Unknown user -- Empfaenger unbekannt
unverified_sender_reject_code = 550

# postconf -Mf
smtp       inet  n       -       n       -       - smtpd
pickup     fifo  n       -       y       60      1 pickup
cleanup    unix  n       -       y       -       0 cleanup
qmgr       fifo  n       -       n       300     1 qmgr
tlsmgr     unix  -       -       y       1000?   1 tlsmgr
rewrite    unix  -       -       y       -       - trivial-rewrite
bounce     unix  -       -       y       -       0 bounce
defer      unix  -       -       y       -       0 bounce
trace      unix  -       -       y       -       0 bounce
verify     unix  -       -       y       -       1 verify
flush      unix  n       -       y       1000?   0 flush
proxymap   unix  -       -       n       -       - proxymap
proxywrite unix  -       -       n       -       1 proxymap
smtp       unix  -       -       n       -       - smtp
relay      unix  -       -       n       -       - smtp
showq      unix  n       -       y       -       - showq
error      unix  -       -       y       -       - error
retry      unix  -       -       y       -       - error
discard    unix  -       -       y       -       - discard
local      unix  -       n       n       -       - local
virtual    unix  -       n       n       -       - virtual
lmtp       unix  -       -       y       -       - lmtp
anvil      unix  -       -       y       -       1 anvil
scache     unix  -       -       y       -       1 scache
maildrop   unix  -       n       n       -       - pipe flags=DRhu
     user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       - pipe flags=Fqhu
     user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       - pipe flags=F user=ftn
     argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       - pipe flags=Fq.
     user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2 pipe flags=R
     user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
     ${user} ${extension}
mailman    unix  -       n       n       -       - pipe flags=FR
     user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
     ${user}

Re: Making relay_access_denied permanent?

Jan P. Kessler
Maybe I can answer the question myself - it would be nice if anybody
could confirm:

# postconf -d|grep smtpd_relay_restr
...
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

I guess that I should set:

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Am I right?

Thank you in advance
   Jan



On 08.07.2018 at 10:04, Jan P. Kessler wrote:

Re: Making relay_access_denied permanent?

Jan P. Kessler
Confirmed by my own test - sorry for the noise on this list:

Jul  8 10:23:14 mx3 postfix-cluster/smtpd[3564]: NOQUEUE: reject: RCPT from ipservice-047-071-140-188.pools.arcor-ip.net[47.71.140.188]: 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<ruv.de>

I have to admit that it's an old configuration (from a Postfix 2.x
setup). I think it's time to review it.

Case closed - thank you for Postfix!

Regards, jpk

Re: Making relay_access_denied permanent?

Wietse Venema
Jan P. Kessler:

> Maybe I can answer the question myself - it would be nice if anybody
> could confirm:
>
> # postconf -d|grep smtpd_relay_restr
> ...
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
> defer_unauth_destination
>
> I guess that I should set:
>
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
> reject_unauth_destination
>
> Am I right?

Yes, if you agree with the setting.

smtpd_relay_restrictions was introduced late in the life of Postfix,
and making this a hard reject by default would be too disruptive.

        Wietse
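The thread above resolves to one fact: `smtpd_relay_restrictions` is evaluated before `smtpd_recipient_restrictions`, and when it is left unset the Postfix 3.x default supplies `defer_unauth_destination`, so the `reject_unauth_destination` later in the recipient list is never reached and the stranger gets 454 instead of 554. The script below is an added example, not code posted in the thread or shipped with Postfix. It parses `postconf -n` output, fills in that built-in default when the parameter is absent (the value Jan found with `postconf -d`), reports which `*_unauth_destination` check an unauthorized RCPT hits first and with what reply code, and pulls the code out of `NOQUEUE: reject` log lines so the two can be compared. The config excerpts and log lines embedded in it are constructed from the posts, with placeholder addresses where the archive shows `[hidden email]`. The 554 default of `relay_domains_reject_code` and the rule that the defer variant answers with the 4xx twin of that code (554 becomes 454, as in the first post's log) are Postfix behaviour; treating a wrapped line that is not `name = value` as a continuation of the previous value is this script's own assumption about mail-client wrapping.

```python
# Added audit for the thread above (not code from the posts or from Postfix).
import re

# Built-in Postfix 3.x defaults, as `postconf -d` prints them.
DEFAULTS = {
    "smtpd_relay_restrictions": "permit_mynetworks, permit_sasl_authenticated, "
                                "defer_unauth_destination",
    "smtpd_recipient_restrictions": "",
    "relay_domains_reject_code": "554",
}
PARAM_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_postconf(text):
    """Parse `postconf -n` output into {name: value}; a line that is not
    `name = value` is assumed to be mail-client wrapping of the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
        elif current is not None:
            params[current] += " " + line
    return params


def restriction_tokens(value):
    """Split a restriction list; we only look for bare restriction names."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def unauth_destination_outcome(params):
    """Find the first *_unauth_destination check in Postfix evaluation order.
    smtpd_relay_restrictions runs before smtpd_recipient_restrictions, so a
    defaulted defer_unauth_destination in the relay list fires before any
    reject_unauth_destination in the recipient list is reached. Earlier access
    maps or policy services may still permit/reject a client first; this reports
    only what the destination check itself would answer."""
    perm = params.get("relay_domains_reject_code", DEFAULTS["relay_domains_reject_code"])
    for param in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        for token in restriction_tokens(params.get(param, DEFAULTS[param])):
            if token == "reject_unauth_destination":
                return {"parameter": param, "restriction": token,
                        "code": perm, "temporary": False}
            if token == "defer_unauth_destination":
                # defer_* answers with the 4xx twin of the reject code (554 -> 454)
                return {"parameter": param, "restriction": token,
                        "code": "4" + perm[1:], "temporary": True}
    return None  # no destination check anywhere: open-relay misconfiguration


REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) "
    r"(?P<esc>\d\.\d+\.\d+) <[^>]*>: (?P<reason>[^;]+);"
)


def classify_reject(line):
    """Extract client, reply code and reason from an smtpd NOQUEUE reject line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    return {"client": m["client"], "code": m["code"], "enhanced": m["esc"],
            "reason": m["reason"].strip(), "temporary": m["code"].startswith("4")}


# Constructed excerpts of the thread's `postconf -n` and logs; addresses are
# placeholders for the archive's "[hidden email]".
THREAD_CONFIG = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
relay_domains = jpkessler.de, jpkessler.info, notrust.de, postfwd.org,
jpkit.de, jpkit.net
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain, permit_mynetworks, check_client_access
cidr:/etc/postfix/allowed_ips, reject_unauth_destination, permit
"""
FIXED_CONFIG = THREAD_CONFIG + """\
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
"""
LOG_BEFORE = ("Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT "
              "from hwsrv-288880.hostwindsdns.com[108.174.196.241]: 454 4.7.1 "
              "<user@example.net>: Relay access denied; from=<sender@example.org> "
              "to=<user@example.net> proto=ESMTP helo=<hwsrv-288880.hostwindsdns.com>")
LOG_AFTER = ("Jul  8 10:23:14 mx3 postfix-cluster/smtpd[3564]: NOQUEUE: reject: RCPT "
             "from ipservice-047-071-140-188.pools.arcor-ip.net[47.71.140.188]: 554 "
             "5.7.1 <user@example.net>: Relay access denied; from=<sender@example.org> "
             "to=<user@example.net> proto=ESMTP helo=<ruv.de>")

if __name__ == "__main__":
    for label, cfg, log in (("as posted", THREAD_CONFIG, LOG_BEFORE),
                            ("with fix", FIXED_CONFIG, LOG_AFTER)):
        out, seen = unauth_destination_outcome(parse_postconf(cfg)), classify_reject(log)
        print(f"{label}: {out['restriction']} in {out['parameter']} -> {out['code']} "
              f"({'tempfail' if out['temporary'] else 'permanent'}); "
              f"log: {seen['code']} {seen['enhanced']} from {seen['client']}")
```

Run directly, it prints the two outcomes side by side: the posted configuration yields `defer_unauth_destination` from the defaulted `smtpd_relay_restrictions` and a 454, the fixed one yields `reject_unauth_destination` and a 554, matching the log lines in the first and third posts. To audit a live server, pass `subprocess.check_output(["postconf", "-n"], text=True)` to `parse_postconf` instead of the embedded text. The check is deliberately narrow: it says which reply the destination check itself produces, not whether an access map or policy service earlier in the list would have permitted or rejected the client first.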