Re: Postfix error 450 4.7.1 Sender address rejected: Access denied


Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

James B. Byrne
Can anyone clue me in on what configuration issue might be causing
this and whose configuration it is, mine or theirs?

postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
<[hidden email]>: Sender address rejected: Access denied;
from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<smout-245176.nsmailserv.com>


# postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 30m
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks.regexp
home_mailbox = Maildir/
html_directory = no
ignore_mx_lookup_error = no
inet_interfaces = localhost, inet08.hamilton.harte-lyne.ca
inet_protocols = all
local_transport = smtp
mail_spool_directory = /var/spool/mail
mailman_destination_recipient_limit = 1
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
milter_default_action = accept
milter_protocol = 2
mydestination =
mynetworks = 216.185.71.0/26, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
policyd-spf_time_limit = 3600
queue_minfree = 40960000
rbl_reply_maps = hash:/etc/postfix/rbl_reply
readme_directory = /usr/share/doc/postfix-2.11.1/README_FILES
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
relay_domains = hash:/etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.11.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtp.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED,
IDEA, RC2, RC5
smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtp.key
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_client_restrictions = permit
smtpd_data_restrictions = permit_mynetworks,
reject_multi_recipient_bounce, reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
pcre:/etc/postfix/helo_checks.pcre, reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname, permit
smtpd_milters = inet:127.0.0.1:8891
smtpd_proxy_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_unauth_pipelining, check_policy_service
unix:/var/spool/postfix/postgrey/socket, check_policy_service
unix:private/policyd-spf, permit
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks, check_sender_access
hash:/etc/postfix/sender_access, check_sender_mx_access
hash:/etc/postfix/sender_mx_access, check_sender_ns_access
hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtpd.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtpd.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual,
regexp:/etc/postfix/virtual.regexp

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3





Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

James B. Byrne

On Thu, May 5, 2016 11:34, James B. Byrne wrote:

> Can anyone clue me in on what configuration issue might be causing
> this and whose configuration it is, mine or theirs?
>
> postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
> smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
> <[hidden email]>: Sender address rejected: Access denied;
> from=<[hidden email]> to=<[hidden email]>
> proto=ESMTP helo=<smout-245176.nsmailserv.com>
>
>

I discovered this issue in their DNS with respect to SPF:

;; ANSWER SECTION:
lymanworldwide.com.     1800    IN      TXT     "v=spf1 include:netcore.co.in -all"
lymanworldwide.com.     1800    IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"

But it does not appear to me that the connection is getting to the
point where SPF is considered.


--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

gao
Try using "~all" instead of "-all" in your SPF TXT record.



On 16-05-05 08:57 AM, James B. Byrne wrote:

> On Thu, May 5, 2016 11:34, James B. Byrne wrote:
>> Can anyone clue me in on what configuration issue might be causing
>> this and whose configuration it is, mine or theirs?
>>
>> postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>> smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>> <[hidden email]>: Sender address rejected: Access denied;
>> from=<[hidden email]> to=<[hidden email]>
>> proto=ESMTP helo=<smout-245176.nsmailserv.com>
>>
>>
> I discovered this issue in their DNS with respect to SPF:
>
> ;; ANSWER SECTION:
> lymanworldwide.com.     1800    IN      TXT     "v=spf1
> include:netcore.co.in -all"
> lymanworldwide.com.     1800    IN      TXT     "v=spf1
> include:spf.protection.outlook.com -all"
>
> But it does not appear to me that the connection is getting to the
> point where SPF is considered.
>
>


Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

James B. Byrne

On Thu, May 5, 2016 12:01, Gao wrote:
> Try using "~all" instead of "-all" in your SPF TXT record.
>

We are not the sender.  We are the recipient.  Our SPF record does not
bear on this issue insofar as I can see.  In any case, our SPF TXT RR
already includes ~all, not -all.

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

Christian Kivalo
In reply to this post by James B. Byrne


On 5 May 2016 17:34:36 CEST, "James B. Byrne" <[hidden email]> wrote:

>Can anyone clue me in on what configuration issue might be causing
>this and whose configuration it is, mine or theirs?
>
>postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
><[hidden email]>: Sender address rejected: Access denied;
>from=<[hidden email]> to=<[hidden email]>
>proto=ESMTP helo=<smout-245176.nsmailserv.com>
>
>
># postconf -n
>alias_maps = hash:/etc/aliases
>broken_sasl_auth_clients = yes
>command_directory = /usr/sbin
>config_directory = /etc/postfix
>content_filter = smtp-amavis:[127.0.0.1]:10024
>daemon_directory = /usr/libexec/postfix
>data_directory = /var/lib/postfix
>debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>ddd $daemon_directory/$process_name $process_id & sleep 5
>delay_warning_time = 30m
>disable_vrfy_command = yes
>header_checks = regexp:/etc/postfix/header_checks.regexp
>home_mailbox = Maildir/
>html_directory = no
>ignore_mx_lookup_error = no
>inet_interfaces = localhost, inet08.hamilton.harte-lyne.ca
>inet_protocols = all
>local_transport = smtp
>mail_spool_directory = /var/spool/mail
>mailman_destination_recipient_limit = 1
>mailq_path = /usr/bin/mailq.postfix
>manpage_directory = /usr/share/man
>message_size_limit = 20480000
>milter_default_action = accept
>milter_protocol = 2
>mydestination =
>mynetworks = 216.185.71.0/26, 127.0.0.0/8
>newaliases_path = /usr/bin/newaliases.postfix
>non_smtpd_milters = $smtpd_milters
>policyd-spf_time_limit = 3600
>queue_minfree = 40960000
>rbl_reply_maps = hash:/etc/postfix/rbl_reply
>readme_directory = /usr/share/doc/postfix-2.11.1/README_FILES
>recipient_delimiter = +
>relay_clientcerts = hash:/etc/postfix/relay_clientcerts
>relay_domains = hash:/etc/postfix/relay_domains
>sample_directory = /usr/share/doc/postfix-2.11.1/samples
>sendmail_path = /usr/sbin/sendmail.postfix
>setgid_group = postdrop
>smtp_dns_support_level = dnssec
>smtp_host_lookup = dns
>smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtp.crt
>smtp_tls_ciphers = medium
>smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED,
>IDEA, RC2, RC5
>smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtp.key
>smtp_tls_protocols = !SSLv2, !SSLv3
>smtp_tls_security_level = dane
>smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
>smtp_tls_session_cache_timeout = 3600s
>smtpd_client_restrictions = permit
>smtpd_data_restrictions = permit_mynetworks,
>reject_multi_recipient_bounce, reject_unauth_pipelining, permit
>smtpd_helo_required = yes
>smtpd_helo_restrictions = permit_mynetworks, check_helo_access
>pcre:/etc/postfix/helo_checks.pcre, reject_non_fqdn_helo_hostname,
>reject_unknown_helo_hostname, permit
>smtpd_milters = inet:127.0.0.1:8891
>smtpd_proxy_timeout = 300s
>smtpd_recipient_restrictions = reject_non_fqdn_recipient,
>reject_unknown_recipient_domain, permit_mynetworks,
>permit_sasl_authenticated, reject_unauth_destination,
>reject_unauth_pipelining, check_policy_service
>unix:/var/spool/postfix/postgrey/socket, check_policy_service
>unix:private/policyd-spf, permit
>smtpd_relay_restrictions = permit_mynetworks,
>permit_sasl_authenticated, defer_unauth_destination
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_path = smtpd
>smtpd_sender_restrictions = permit_mynetworks, check_sender_access
>hash:/etc/postfix/sender_access, check_sender_mx_access
>hash:/etc/postfix/sender_mx_access, check_sender_ns_access
>hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
>reject_non_fqdn_sender, reject_unknown_sender_domain, permit

What's in these files?

>smtpd_starttls_timeout = ${stress?10}${stress:120}s
>smtpd_timeout = ${stress?10}${stress:120}s
>smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>smtpd_tls_ask_ccert = yes
>smtpd_tls_auth_only = yes
>smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtpd.crt
>smtpd_tls_ciphers = medium
>smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
>smtpd_tls_fingerprint_digest = sha1
>smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtpd.key
>smtpd_tls_protocols = !SSLv2, !SSLv3
>smtpd_tls_received_header = yes
>smtpd_tls_security_level = may
>smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
>smtpd_tls_session_cache_timeout = 3600s
>soft_bounce = no
>strict_rfc821_envelopes = yes
>tls_random_source = dev:/dev/urandom
>transport_maps = hash:/etc/postfix/transport
>unknown_local_recipient_reject_code = 550
>virtual_alias_maps = hash:/etc/postfix/virtual,
>regexp:/etc/postfix/virtual.regexp


Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

Noel Jones-2
In reply to this post by James B. Byrne
On 5/5/2016 10:34 AM, James B. Byrne wrote:
> Can anyone clue me in on what configuration issue might be causing
> this and whose configuration it is, mine or theirs?
>
> postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
> smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
> <[hidden email]>: Sender address rejected: Access denied;
> from=<[hidden email]> to=<[hidden email]>
> proto=ESMTP helo=<smout-245176.nsmailserv.com>
>


"Sender address rejected: Access denied;" is caused by one of your
check_sender_access maps.


> smtpd_sender_restrictions = permit_mynetworks, check_sender_access
> hash:/etc/postfix/sender_access, check_sender_mx_access
> hash:/etc/postfix/sender_mx_access, check_sender_ns_access
> hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,

One of these.



  -- Noel Jones

Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

James B. Byrne
In reply to this post by Christian Kivalo

On Thu, May 5, 2016 12:11, Christian Kivalo wrote:

>
>
> On 5 May 2016 17:34:36 CEST, "James B. Byrne"
> <[hidden email]> wrote:
>>Can anyone clue me in on what configuration issue might be causing
>>this and whose configuration it is, mine or theirs?
>>
>>postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>>smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>><[hidden email]>: Sender address rejected: Access denied;
>>from=<[hidden email]> to=<[hidden email]>
>>proto=ESMTP helo=<smout-245176.nsmailserv.com>
>>
>>
>># postconf -n
. . .
>>smtpd_sender_restrictions = permit_mynetworks, check_sender_access
>>hash:/etc/postfix/sender_access, check_sender_mx_access
>>hash:/etc/postfix/sender_mx_access, check_sender_ns_access
>>hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
>>reject_non_fqdn_sender, reject_unknown_sender_domain, permit
>
> What's in these files?
>


# cat /etc/postfix/sender_access
. . .
# ACCESS(5)

::1                                                               OK
127.0.0.1                                                         OK
216.185.71.9                                                      OK
216.185.71.10                                                     OK
216.185.71.11                                                     OK
216.185.71.12                                                     OK
216.185.71.13                                                     OK
216.185.71.14                                                     OK
216.185.71.15                                                     OK
216.185.71.16                                                     OK
216.185.71.17                                                     OK
216.185.71.18                                                     OK
216.185.71.19                                                     OK
216.185.71.20                                                     OK
216.185.71.21                                                     OK
216.185.71.22                                                     OK
216.185.71.23                                                     OK
216.185.71.24                                                     OK
216.185.71.25                                                     OK
216.185.71.26                                                     OK
216.185.71.27                                                     OK
216.185.71.28                                                     OK
216.185.71.29                                                     OK

[hidden email]                                       OK
mailman.halisp.net                                                OK

upsdocs.com                                                       OK
.upsdocs.com                                                      OK

verticalresponse.com                                              REJECT


# cat /etc/postfix/sender_mx_access
. . .
# Cannot use OK result in this map, use DUNNO instead.



# cat /etc/postfix/sender_ns_access
. . .
# Cannot use OK result in this map, use DUNNO instead.
#
colocrossings.com               DEFER
name-services.com               DEFER
name-services.net               DEFER
leaseweb.be                     DEFER
leaseweb.ca                     DEFER
leaseweb.ch                     DEFER
leaseweb.com                    DEFER
leaseweb.de                     DEFER
leaseweb.fr                     DEFER
leaseweb.net                    DEFER
leaseweb.nl                     DEFER
leaseweb.org                    DEFER
leaseweb.us                     DEFER


--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

Christian Kivalo


On 5 May 2016 18:30:40 CEST, "James B. Byrne" <[hidden email]> wrote:

>
>On Thu, May 5, 2016 12:11, Christian Kivalo wrote:
>>
>>
>> On 5 May 2016 17:34:36 CEST, "James B. Byrne"
>> <[hidden email]> wrote:
>>>Can anyone clue me in on what configuration issue might be causing
>>>this and whose configuration it is, mine or theirs?
>>>
>>>postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>>>smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>>><[hidden email]>: Sender address rejected: Access denied;
>>>from=<[hidden email]> to=<[hidden email]>
>>>proto=ESMTP helo=<smout-245176.nsmailserv.com>
>>>
>>>
>>># postconf -n
>. . .
>>>smtpd_sender_restrictions = permit_mynetworks, check_sender_access
>>>hash:/etc/postfix/sender_access, check_sender_mx_access
>>>hash:/etc/postfix/sender_mx_access, check_sender_ns_access
>>>hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
>>>reject_non_fqdn_sender, reject_unknown_sender_domain, permit
>>
>> What's in these files?

...

># cat /etc/postfix/sender_ns_access
>. . .
># Cannot use OK result in this map, use DUNNO instead.
>#
>colocrossings.com               DEFER
>name-services.com               DEFER
>name-services.net               DEFER


There it is: lymanworldwide.com uses nameservices provided by name-services.com

valo@karl:~ $ dig ns lymanworldwide.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> ns lymanworldwide.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51294
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lymanworldwide.com.            IN      NS

;; ANSWER SECTION:
lymanworldwide.com.     3600    IN      NS      dns5.name-services.com.
lymanworldwide.com.     3600    IN      NS      dns3.name-services.com.
lymanworldwide.com.     3600    IN      NS      dns4.name-services.com.
lymanworldwide.com.     3600    IN      NS      dns1.name-services.com.
lymanworldwide.com.     3600    IN      NS      dns2.name-services.com.

;; Query time: 179 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 05 18:33:14 CEST 2016
;; MSG SIZE  rcvd: 156


--
 Christian Kivalo

Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

James B. Byrne

On Thu, May 5, 2016 12:37, Christian Kivalo wrote:

>
> There it is: lymanworldwide.com uses nameservices provided by
> name-services.com
>

Thanks, that is it.  I suppose we will just have to explicitly permit
them in. Not that I approve of their choice of registrars (enom).

Thanks for the help.

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

Bill Cole-3
In reply to this post by James B. Byrne
On 5 May 2016, at 11:57, James B. Byrne wrote:

> On Thu, May 5, 2016 11:34, James B. Byrne wrote:
>> Can anyone clue me in on what configuration issue might be causing
>> this and whose configuration it is, mine or theirs?
>>
>> postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>> smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>> <[hidden email]>: Sender address rejected: Access denied;
>> from=<[hidden email]> to=<[hidden email]>
>> proto=ESMTP helo=<smout-245176.nsmailserv.com>
>>
>>
>
> I discovered this issue in their DNS with respect to SPF:
>
> ;; ANSWER SECTION:
> lymanworldwide.com.     1800    IN      TXT     "v=spf1
> include:netcore.co.in -all"
> lymanworldwide.com.     1800    IN      TXT     "v=spf1
> include:spf.protection.outlook.com -all"

Yes, that's almost certainly the cause of the problem. Having 2 SPF TXT
records is fundamentally broken in addition to being formally incorrect.
There's no defined way to merge records and any of the obvious
mechanisms with those 2 records would be indeterminate because they are
explicitly contradictory and there is no way to prioritize one over the
other. The rejection is "soft" (450 instead of 550) because presumably
your SPF checking is configured to do that when SPF records are formally
improper.

> But it does not appear to me that the connection is getting to the
> point where SPF is considered.

Sure it is. The usual order of SMTP commands is

(EHLO|HELO) MAIL RCPT (maybe multiple times) DATA QUIT

Your config includes:

> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
> reject_unknown_recipient_domain, permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination,
> reject_unauth_pipelining, check_policy_service
> unix:/var/spool/postfix/postgrey/socket, check_policy_service
> unix:private/policyd-spf, permit

Assuming that "policyd-spf" is where you check and enforce SPF, this
config entry means that it is checked for each recipient, i.e. each SMTP
"RCPT" command. The quoted log entry records that smtpd got a command
from 202.162.245.174 that was probably exactly like this:

    RCPT TO:<[hidden email]>

and replied with something much like:

    450 4.7.1 <[hidden email]>: Sender address rejected: Access denied

(the reply at least started with '450 4.7.1'; I'm not sure exactly what
smtpd says in the following text part but it really doesn't matter)

Postfix smtpd waits to make that check until RCPT because you told it to
do so explicitly by putting it in smtpd_recipient_restrictions and would
do so in any case (unless you put it in smtpd_data_restrictions, which
would be perverse) because smtpd_delay_reject=yes is a default setting.

Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

Viktor Dukhovni
On Thu, May 05, 2016 at 10:24:49PM -0400, Bill Cole wrote:

> >I discovered this issue in their DNS with respect to SPF:
> >
> >;; ANSWER SECTION:
> >lymanworldwide.com.     1800    IN      TXT     "v=spf1
> >include:netcore.co.in -all"
> >lymanworldwide.com.     1800    IN      TXT     "v=spf1
> >include:spf.protection.outlook.com -all"
>
> Yes, that's almost certainly the cause of the problem.

Except that the logs clearly indicate it isn't.  The rejection is
a sender access(5) check.

--
        Viktor.

Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

Bill Cole-3
In reply to this post by Bill Cole-3
On 5 May 2016, at 22:24, Bill Cole wrote:

[ blah blah blah ]

OR: I was entirely wrong about the broken SPF records being the cause of
that rejection.

Noel & Christian were right in pointing you at the access maps. You
MIGHT also run into the SPF issue after exempting that sender from the
shunning of their DNS provider, depending on how you do it, but that is
dependent on how your policyd-spf responds in the case of bad records.
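
The lookup the thread converged on, as an added example that is not part of the original posts and is not Postfix code: a simplified Python model of how `check_sender_access` and `check_sender_ns_access` search the posted maps, showing why the `name-services.com DEFER` entry produced the 450 and what an explicit `OK` entry changes. The sender address `user@lymanworldwide.com`, the function names, and the reduced map contents are assumptions for illustration; the reply codes assume the Postfix defaults `access_map_defer_code = 450` and `access_map_reject_code = 554`.

```python
# Simplified model of Postfix access(5) lookups for the sender restrictions
# posted in this thread. Illustration only, not Postfix source code.
# Assumes parent_domain_matches_subdomains includes smtpd_access_maps
# (the default), so "name-services.com" also matches "dns1.name-services.com".

# Reduced copies of the maps shown in the thread (constructed subset).
SENDER_ACCESS = {"upsdocs.com": "OK", "verticalresponse.com": "REJECT"}
SENDER_NS_ACCESS = {
    "colocrossings.com": "DEFER",
    "name-services.com": "DEFER",
    "name-services.net": "DEFER",
}
# NS records for lymanworldwide.com, in the order of the dig answer above.
NS_HOSTS = [
    "dns5.name-services.com", "dns3.name-services.com",
    "dns4.name-services.com", "dns1.name-services.com",
    "dns2.name-services.com",
]
# Default reply codes for access map actions (Postfix defaults, see lead-in).
REPLY = {"DEFER": "450 4.7.1", "REJECT": "554 5.7.1"}


def domain_keys(name):
    """Yield the name itself, then each parent domain, most specific first."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def lookup_domain(table, name):
    """Return (matched_key, action) for the first key found, else (None, None)."""
    for key in domain_keys(name):
        if key in table:
            return key, table[key]
    return None, None


def check_sender_access(table, sender):
    """Search order: user@domain, domain and its parents, then user@."""
    sender = sender.lower()
    local, _, domain = sender.rpartition("@")
    if sender in table:
        return sender, table[sender]
    key, action = lookup_domain(table, domain)
    if action:
        return key, action
    key = local + "@"
    return (key, table[key]) if key in table else (None, None)


def check_sender_ns_access(table, ns_hosts):
    """Search the map for each name server of the sender domain."""
    for host in ns_hosts:
        key, action = lookup_domain(table, host)
        if action:
            return key, action
    return None, None


def sender_restrictions(sender, ns_hosts, sender_access, ns_access):
    """Evaluate the map checks in the posted smtpd_sender_restrictions order.

    permit_mynetworks is skipped (the client is external) and
    check_sender_mx_access is skipped (that map is empty in the thread).
    Returns (result, restriction_name, matched_key).
    """
    steps = (
        ("check_sender_access", check_sender_access(sender_access, sender)),
        ("check_sender_ns_access", check_sender_ns_access(ns_access, ns_hosts)),
    )
    for name, (key, action) in steps:
        if action == "OK":          # first decisive match ends this list
            return "permit", name, key
        if action in REPLY:
            return REPLY[action], name, key
    return "permit", "end of list", None


if __name__ == "__main__":
    sender = "user@lymanworldwide.com"  # constructed address
    print(sender_restrictions(sender, NS_HOSTS, SENDER_ACCESS, SENDER_NS_ACCESS))
    allow = dict(SENDER_ACCESS, **{"lymanworldwide.com": "OK"})
    print(sender_restrictions(sender, NS_HOSTS, allow, SENDER_NS_ACCESS))
```

An `OK` in `sender_access` only ends `smtpd_sender_restrictions`; the `smtpd_recipient_restrictions` list, including `policyd-spf`, is still evaluated afterwards.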