Relay access denied to local IPv6 client


Relay access denied to local IPv6 client

Nikolaos Milas
Hello,

We are using Postfix v3.2.4 and we are facing the following problem:
A client (a data storage system) with an IPv6 address of
[2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport)
email and it's being denied access:

Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT from
unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1
<[hidden email]>: Relay access denied;
from=<[hidden email]> to=<[hidden email]>
proto=SMTP helo=<DD2500.astro.private.noa.gr>

The whole /48 IPv6 address block is included in mynetworks: ...,
[2001:648:2011::]/48, ...

The client does not support TLS or authentication. For such clients we
provide explicit permission:

smtpd_client_restrictions =
   ...
   check_client_access cidr:/etc/postfix/non-tls-clients.cidr
   permit_sasl_authenticated
   reject

where /etc/postfix/non-tls-clients.cidr:

    ...
    [2001:648:2011:a21:320e:d5ff:fec6:b55]   OK
    ...

Please, be kind to help me understand what is causing this client
rejection and correct my postfix configuration.

postconf -n follows:

# postconf -n
alias_database = hash:/etc/postfix/aliases,
hash:/etc/postfix/aliases.d/virtual_aliases
alias_maps = hash:/etc/aliases
allowed_list1 = check_sasl_access
hash:/etc/postfix/allowed_groupmail_users,reject
allowed_list2 = permit_sasl_authenticated,reject
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
controlled_senders = check_sender_access hash:/etc/postfix/blocked_senders
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 25
delay_logging_resolution_limit = 3
deliver_lock_attempts = 40
gwcheck = reject_unverified_recipient, reject_unauth_destination
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_header_rewrite_clients = static:all
mail_name = IC-XC-NI-KA
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 41943040
meta_directory = /etc/postfix
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = noa.gr
myhostname = vmail2.noa.gr
mynetworks = 195.251.204.0/24, 195.251.202.0/23, 194.177.194.0/23,
127.0.0.0/8, 10.201.0.0/16, [2001:648:2011::]/48, 83.212.5.24/29,
[2001:648:2ffc:1115::]/64, 62.217.124.0/29, [2001:648:2ffc:126::]/64,
[::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
parent_domain_matches_subdomains =
postfwdcheck = check_policy_service inet:127.0.0.1:10040
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.2.4/README_FILES
recipient_canonical_maps = hash:/etc/postfix/domainrecipientmap
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix3-3.2.4/samples
sender_canonical_maps = hash:/etc/postfix/domainsendermap
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_security_level = may
smtpd_client_restrictions = check_client_access
cidr:/etc/postfix/localhost.cidr check_client_access
cidr:/etc/postfix/gwservers.cidr check_client_access
cidr:/etc/postfix/non-tls-clients.cidr permit_sasl_authenticated reject
smtpd_delay_reject = yes
smtpd_end_of_data_restrictions = check_client_access
cidr:/etc/postfix/postfwdpolicy.cidr
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/protected_destinations permit_sasl_authenticated
reject_unverified_recipient reject_unauth_destination
smtpd_restriction_classes =
controlled_senders,allowed_list1,allowed_list2, postfwdcheck,gwcheck
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/DigiCertCA.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/star_noa_gr-1243437.crt
smtpd_tls_key_file = /etc/pki/tls/private/star_noa_gr-1243437.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases,
hash:/etc/postfix/aliases.d/virtual_aliases,
proxy:ldap:/etc/postfix/ldap-alias-vacation.cf,
proxy:ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = $mydomain, space.$mydomain, admin.$mydomain,
nestor.$mydomain, gein.$mydomain, meteo.$mydomain, technet.$mydomain,
astro.$mydomain, hesperia-space.eu
virtual_mailbox_limit = 0
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-users.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:500
postconf: warning: /etc/postfix/main.cf: unused parameter:
127.0.0.1:10040_time_limit=3600

Thanks in advance,
Nick


Re: Relay access denied to local IPv6 client

Jörg Backschues
On 23.02.2018 at 09:49, Nikolaos Milas wrote:

> where /etc/postfix/non-tls-clients.cidr:
>
>     ...
>     [2001:648:2011:a21:320e:d5ff:fec6:b55]   OK
>     ...

Please check the CIDR table syntax
<http://www.postfix.org/cidr_table.5.html>:

e.g.

2001:db8::/32           REJECT

--
Regards
Jörg Backschues

Re: Relay access denied to local IPv6 client

Wietse Venema
Nikolaos Milas:

> Hello,
>
> We are using Postfix v3.2.4 and we are facing the following problem:
> A client (a data storage system) with an IPv6 address of
> [2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport)
> email and it's being denied access:
>
> Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT from
> unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1
> <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]>
> proto=SMTP helo=<DD2500.astro.private.noa.gr>
>
> The whole /48 IPv6 address block is included in mynetworks: ...,
> [2001:648:2011::]/48, ...
>
> The client does not support TLS or authentication. For such clients we
> provide explicit permission:
>
> smtpd_client_restrictions =
>    ...
>    check_client_access cidr:/etc/postfix/non-tls-clients.cidr
>    permit_sasl_authenticated
>    reject

Relay access is enforced in smtpd_RELAY_restrictions (or historically,
in smtpd_RECIPIENT_restrictions).

        Wietse

Re: Relay access denied to local IPv6 client

Bill Cole-3
On 23 Feb 2018, at 3:49, Nikolaos Milas wrote:

> Hello,
>
> We are using Postfix v3.2.4 and we are facing the following problem:
> A client (a data storage system) with an IPv6 address of
> [2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport)
> email and it's being denied access:
>
> Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT
> from unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1
> <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]>
> proto=SMTP helo=<DD2500.astro.private.noa.gr>
>
> The whole /48 IPv6 address block is included in mynetworks: ...,
> [2001:648:2011::]/48, ...
>
> The client does not support TLS or authentication. For such clients we
> provide explicit permission:
>
> smtpd_client_restrictions =
>   ...
>   check_client_access cidr:/etc/postfix/non-tls-clients.cidr
>   permit_sasl_authenticated
>   reject
>
> where /etc/postfix/non-tls-clients.cidr:
>
>    ...
>    [2001:648:2011:a21:320e:d5ff:fec6:b55]   OK
>    ...
>
> Please, be kind to help me understand what is causing this client
> rejection and correct my postfix configuration.
>
> postconf -n follows:
[...]
> smtpd_client_restrictions = check_client_access
> cidr:/etc/postfix/localhost.cidr check_client_access
> cidr:/etc/postfix/gwservers.cidr check_client_access
> cidr:/etc/postfix/non-tls-clients.cidr permit_sasl_authenticated
> reject
[...]
> smtpd_recipient_restrictions = check_recipient_access
> hash:/etc/postfix/protected_destinations permit_sasl_authenticated
> reject_unverified_recipient reject_unauth_destination

The restriction lists in Postfix are run in a fixed logical order
(client, helo, sender, relay, recipient, data, end_of_data) and 'OK'
from an early restriction list (smtpd_client_restrictions) *DOES NOT*
prevent 'REJECT' by a later restriction list
(smtpd_recipient_restrictions.) OK only terminates a single restriction
list, not the whole set of lists, so in this case the transaction is
exiting the smtpd_client_restrictions list with OK at
"check_client_access cidr:/etc/postfix/non-tls-clients.cidr" but it
still must pass through smtpd_recipient_restrictions, where it is
rejected by "reject_unauth_destination" because you are not the final
destination for the recipient domain nor do you have the recipient
domain in $relay_domains.

See the SMTPD_ACCESS_README file for complete details.


Re: Relay access denied to local IPv6 client

Nikolaos Milas
On 23/2/2018 9:00 PM, Bill Cole wrote:

> The restriction lists in Postfix are run in a fixed logical order
> (client, helo, sender, relay, recipient, data, end_of_data) and 'OK'
> from an early restriction list (smtpd_client_restrictions) *DOES
> NOT* prevent 'REJECT' by a later restriction list
> (smtpd_recipient_restrictions.) OK only terminates a single
> restriction list, not the whole set of lists, so in this case the
> transaction is exiting the smtpd_client_restrictions list with OK at
> "check_client_access cidr:/etc/postfix/non-tls-clients.cidr" but it
> still must pass through smtpd_recipient_restrictions, where it is
> rejected by "reject_unauth_destination" because you are not the final
> destination for the recipient domain nor do you have the recipient
> domain in $relay_domains.

Thank you all for your feedback and especially Bill for the detailed
explanation.

The solution was as simple as adding permit_mynetworks to
smtpd_recipient_restrictions. Since client connectivity is controlled by
smtpd_client_restrictions, in this scenario there is no reason not to
allow relay access to all of mynetworks.

Best Regards,
Nick
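As an added illustration of Bill's explanation and of the fix Nick applied (example code written for this page, not from the thread or from Postfix itself): a small Python model of how the smtpd restriction lists are evaluated, where OK ends only the current list and REJECT ends the whole evaluation. The client address, parameter names and restriction names come from the thread; the recipient domain vendor.example, the outside client 203.0.113.7 and the set of local domains are constructed, and reject_unverified_recipient plus the other access tables are left out because they need lookups the model does not have.

```python
"""Model of Postfix smtpd_*_restrictions evaluation (added example, not Postfix code)."""
import ipaddress

# Constructed sample data. The client address and the mynetworks entries are
# taken from the thread; the local domain set and the recipient are made up.
MYNETWORKS = ["195.251.204.0/24", "10.201.0.0/16", "2001:648:2011::/48", "::1/128"]
LOCAL_DOMAINS = {"vmail2.noa.gr", "localhost", "noa.gr", "astro.noa.gr"}
RELAY_DOMAINS = set()          # relay_domains = $mydestination adds nothing new
NON_TLS_CLIENTS_CIDR = [("2001:648:2011:a21:320e:d5ff:fec6:b55/128", "OK")]

LOCAL_CLIENT = "2001:648:2011:a21:320e:d5ff:fec6:b55"   # the storage system
OUTSIDE_CLIENT = "203.0.113.7"                          # constructed stranger
EXTERNAL_RCPT = "autosupport@vendor.example"            # constructed recipient


def in_cidr_list(client_ip, entries):
    """Return the action of the first CIDR entry matching client_ip, else None."""
    ip = ipaddress.ip_address(client_ip)
    for net, action in entries:
        # 'in' is False across address families, so mixed v4/v6 lists are fine
        if ip in ipaddress.ip_network(net, strict=False):
            return action
    return None


# Each restriction takes the session and returns OK, REJECT or DUNNO.
def permit_mynetworks(s):
    return "OK" if in_cidr_list(s["client"], [(n, "OK") for n in MYNETWORKS]) else "DUNNO"

def permit_sasl_authenticated(s):
    return "OK" if s["sasl"] else "DUNNO"

def reject(s):
    return "REJECT"

def reject_unauth_destination(s):
    domain = s["rcpt"].rsplit("@", 1)[1]
    return "DUNNO" if domain in LOCAL_DOMAINS | RELAY_DOMAINS else "REJECT"

def check_client_access(table):
    return lambda s: in_cidr_list(s["client"], table) or "DUNNO"


def evaluate(lists, session):
    """Run the restriction lists in Postfix's fixed order.

    OK ends only the current list (the next list still runs); REJECT ends the
    whole evaluation. With smtpd_delay_reject = yes all lists are evaluated
    at RCPT TO, so the recipient is known when the client list runs."""
    for list_name, restrictions in lists:
        for name, fn in restrictions:
            result = fn(session)
            if result == "REJECT":
                return "REJECT", f"{list_name}: {name}"
            if result == "OK":
                break          # permit *this list* only, go on to the next one
    return "OK", "end of lists"


# The thread's smtpd_client_restrictions (localhost/gwservers tables omitted).
CLIENT_LIST = [
    ("check_client_access cidr:non-tls-clients.cidr", check_client_access(NON_TLS_CLIENTS_CIDR)),
    ("permit_sasl_authenticated", permit_sasl_authenticated),
    ("reject", reject),
]
# The thread's smtpd_recipient_restrictions, without the lookups we cannot model.
ORIGINAL_RECIPIENT_LIST = [
    ("permit_sasl_authenticated", permit_sasl_authenticated),
    ("reject_unauth_destination", reject_unauth_destination),
]
# Nick's fix: permit_mynetworks in front of the recipient list.
FIXED_RECIPIENT_LIST = [("permit_mynetworks", permit_mynetworks)] + ORIGINAL_RECIPIENT_LIST


def original_config():
    return [("smtpd_client_restrictions", CLIENT_LIST),
            ("smtpd_recipient_restrictions", ORIGINAL_RECIPIENT_LIST)]

def fixed_config():
    return [("smtpd_client_restrictions", CLIENT_LIST),
            ("smtpd_recipient_restrictions", FIXED_RECIPIENT_LIST)]

def session(client, rcpt=EXTERNAL_RCPT, sasl=False):
    return {"client": client, "rcpt": rcpt, "sasl": sasl}


if __name__ == "__main__":
    print("original, local client  :", evaluate(original_config(), session(LOCAL_CLIENT)))
    print("fixed, local client     :", evaluate(fixed_config(), session(LOCAL_CLIENT)))
    print("fixed, outside client   :", evaluate(fixed_config(), session(OUTSIDE_CLIENT)))
    print("fixed, outside + SASL   :", evaluate(fixed_config(), session(OUTSIDE_CLIENT, sasl=True)))
```

The first case reproduces the log line: the storage system leaves smtpd_client_restrictions with OK and is then rejected by reject_unauth_destination in smtpd_recipient_restrictions because vendor.example is neither in mydestination nor in relay_domains. The third case is the check worth keeping in mind when loosening a recipient list: an address outside mynetworks still hits the client list's final reject, so permit_mynetworks does not turn the host into an open relay. Wietse's pointer to smtpd_relay_restrictions is the same mechanism: that list runs between the sender and recipient lists, and an OK there likewise does not stop a reject_unauth_destination placed in smtpd_recipient_restrictions.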