no valid recipient


no valid recipient

Gary Aitken
I'm trying to allow client connections from only two places:
   a known ip
   a specific domain served at gmail
And delivery only to local recipients.

Relevant parts of main.cf:

mynetworks = 127.0.0.0/8 10.138.0.10/32 [::ffff:127.0.0.0]/104 [::1]/128
   postfix-server-domain.com otherdomain.com
smtpd_client_restrictions =
   permit_mynetworks,
   hash:/etc/postfix/ok_to_receive_from
#  reject
smtpd_sender_restrictions =
   hash:/etc/postfix/ok_to_receive_from,
   permit_mynetworks,
   reject
smtpd_recipient_restrictions =
   permit_mynetworks,
   reject

Questions:
   1. In the log, mynetworks_core shows only IP addrs, and does not include
      the domain names I listed with it.
      Is mynetworks restricted to IP addrs?

   2. I see the following in the log:

< mail-pf1-f170.google.com[209.85.210.170]: DATA
> mail-pf1-f170.google.com[209.85.210.170]:
   554 5.5.1 Error: no valid recipients

   Why doesn't permit_mynetworks result in a valid recipient,
   given that it's addressed to <[hidden email]> ?

   3. Mail from <mydomain.com> at gmail comes in via the gmail relays.
      Is there a way to allow only those relays, given they can change?
   
Thanks,

Gary

Re: no valid recipient

Wietse Venema
Gary Aitken:
> < mail-pf1-f170.google.com[209.85.210.170]: DATA
> > mail-pf1-f170.google.com[209.85.210.170]:
>    554 5.5.1 Error: no valid recipients

That is incomplete. There is also an RCPT TO command, plus a response
from Postfix that says why the recipient is rejected.

>    Why doesn't permit_mynetworks result in a valid recipient,
>    given that it's addressed to <[hidden email]> ?

The answer to the question was logged as part of the RCPT TO response.

        Wietse

Re: no valid recipient

Gary Aitken
On 2/17/21 2:17 PM, Wietse Venema wrote:
> Gary Aitken:
>> < mail-pf1-f170.google.com[209.85.210.170]: DATA
>>> mail-pf1-f170.google.com[209.85.210.170]:
>>     554 5.5.1 Error: no valid recipients
>
> That is incomplete. There is also an RCPT TO command, plus a response
> from Postfix that says why the recipient is rejected.

Thanks, here's what I see:

3096  RCPT TO
3146  >>> START Client host RESTRICTIONS <<<
3176  >>> END Client host RESTRICTIONS <<<
3177  >>> START Helo command RESTRICTIONS <<<
3184  >>> END Helo command RESTRICTIONS <<<
3185  >>> START Sender address RESTRICTIONS <<<
3230  generic_checks: name=check_sender_access status=1
3231  >>> END Sender address RESTRICTIONS <<<
3232  >>> START Recipient address RESTRICTIONS <<<
       generic_checks: name=permit_mynetworks
...
       match_hostname: mynetworks: mail-pf1-f182.google.com ~?
             postfix-server-domain.com
       match_hostaddr: mynetworks: 209.85.210.182 ~?
             postfix-server-domain.com
       match_hostname: mynetworks: mail-pf1-f182.google.com ~?
             other-domain.com
       match_hostaddr: mynetworks: 209.85.210.182 ~?
             other-domain.com
       match_list_match: mail-pf1-f182.google.com: no match
       match_list_match: 209.85.210.182: no match
       generic_checks: name=permit_mynetworks status=0
       generic_checks: name=reject
       NOQUEUE: reject: RCPT from mail-pf1-f182.google.com[209.85.210.182]:
         554 5.7.1 <[hidden email]>:
             Recipient address rejected:
         Access denied; from=<[hidden email]>
             to=<[hidden email]>
         proto=ESMTP helo=<mail-pf1-f182.google.com>
         generic_checks: name=reject status=2
3253  >>> END Recipient address RESTRICTIONS <<<
       > mail-pf1-f182.google.com[209.85.210.182]: 554 5.7.1
         <[hidden email]>:
         Recipient address rejected: Access denied
       < mail-pf1-f182.google.com[209.85.210.182]: DATA
       > mail-pf1-f182.google.com[209.85.210.182]:
         554 5.5.1 Error: no valid recipients

Why is it comparing the client domain / ip and not the domain portion of
the recipient address?  I thought by saying
   smtpd_recipient_restrictions=permit_mynetworks
I was saying allow any recipient in one of $mynetworks?

Thanks,

Gary

Re: no valid recipient

Bill Cole-3
On 17 Feb 2021, at 18:17, Gary Aitken wrote:

> Why is it comparing the client domain / ip and not the domain portion
> of the recipient address?

Read the description of permit_mynetworks available via 'man 5
postconf'. The $mynetworks parameter is a set of IP addresses.

> I thought by saying
>   smtpd_recipient_restrictions=permit_mynetworks
> I was saying allow any recipient in one of $mynetworks?

Nope. smtpd_recipient_restrictions lists the restrictions that are
applied at the time of each RCPT command. Technically, all of the
logically prior smtpd_*_restrictions lists are also evaluated at that
time in Postfix unless you unset smtpd_delay_reject, but they are
evaluated in logical order. The individual restriction directives in the
smtpd_*_restrictions lists each apply to particular attributes of the
SMTP transaction, regardless of which list they are in. Again, see 'man
5 postconf' for full details.

Beyond that, networks are networks, domains are domains. It isn't
meaningful to say that a recipient is in a network. Recipients are in
domains.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
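
Added example (not part of the original posts, and not Postfix code): a small check that splits the mynetworks value from the question into address entries and entries that are not addresses, then tests a client IP against the address entries only. The function names are hypothetical, and the matching is a simplified model that ignores table lookups, file names and "!" exclusions.

```python
import ipaddress

# mynetworks value from the question, joined onto one line
MYNETWORKS = ("127.0.0.0/8 10.138.0.10/32 [::ffff:127.0.0.0]/104 [::1]/128 "
              "postfix-server-domain.com otherdomain.com")


def parse_entry(entry):
    """Return an ip_network for an address or CIDR entry, else None."""
    # Postfix writes IPv6 as [addr]/len; the ipaddress module wants addr/len.
    text = entry.replace("[", "").replace("]", "")
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def lint_mynetworks(value):
    """Split a mynetworks value into (networks, entries that are not addresses)."""
    networks, not_addresses = [], []
    for entry in value.replace(",", " ").split():
        net = parse_entry(entry)
        if net is not None:
            networks.append(net)
        else:
            not_addresses.append(entry)
    return networks, not_addresses


def client_in_mynetworks(client_ip, networks):
    """Simplified model (assumption): test the client address only.

    The recipient address is never an input to this check.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    nets, bad = lint_mynetworks(MYNETWORKS)
    print("not addresses:", bad)
    for ip in ("209.85.210.182", "10.138.0.10"):
        print(ip, "in mynetworks:", client_in_mynetworks(ip, nets))
```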

Re: no valid recipient

Wietse Venema
In reply to this post by Gary Aitken
Gary Aitken:

> On 2/17/21 2:17 PM, Wietse Venema wrote:
> > Gary Aitken:
> >> < mail-pf1-f170.google.com[209.85.210.170]: DATA
> >>> mail-pf1-f170.google.com[209.85.210.170]:
> >>     554 5.5.1 Error: no valid recipients
> >
> > That is incomplete. There is also an RCPT TO command, plus a response
> > from Postfix that says why the recipient is rejected.
>
> Thanks, here's what I see:
>
> 3096  RCPT TO

This is the line that I was looking for.

        NOQUEUE: reject: RCPT from mail-pf1-f182.google.com[209.85.210.182]:
          554 5.7.1 <[hidden email]>: Recipient
          address rejected: Access denied; from=<[hidden email]>
          to=<[hidden email]> proto=ESMTP
          helo=<mail-pf1-f182.google.com>

Here is the rule that does it:

    smtpd_recipient_restrictions =
      permit_mynetworks,
      reject

According to debug logging:
    generic_checks: name=permit_mynetworks status=0
    generic_checks: name=reject

permit_mynetworks returns no match, therefore the recipient is rejected.

Documentation:

http://www.postfix.org/postconf.5.html#permit_mynetworks

       permit_mynetworks
              Permit the request when THE CLIENT IP ADDRESS matches
              any  network or network address listed in  $mynetworks.

http://www.postfix.org/postconf.5.html#mynetworks

mynetworks (default: see postconf -d output)
        ...
       Specify a list of network addresses or network/netmask
       patterns,  separated  by commas and/or whitespace. Continue
       long lines by starting the next line with whitespace.
        ...

Note the "CLIENT IP ADDRESS". You have domain names in mynetworks.

        Wietse
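
Added example (not part of the original posts): a short parser that walks smtpd debug-log lines of the kind shown in this thread and reports which restriction, in which stage, produced the reject. The sample lines are constructed with placeholder host and addresses, the function name is hypothetical, and the status readings (0 no match, 1 permit, 2 reject) are taken from how the log in this thread behaves. Each log record is assumed to be on a single line, unlike the wrapped excerpt above.

```python
import re

# Constructed debug-log lines modelled on the excerpt in this thread
SAMPLE_LOG = """\
>>> START Sender address RESTRICTIONS <<<
generic_checks: name=check_sender_access status=1
>>> END Sender address RESTRICTIONS <<<
>>> START Recipient address RESTRICTIONS <<<
generic_checks: name=permit_mynetworks
match_list_match: 203.0.113.25: no match
generic_checks: name=permit_mynetworks status=0
generic_checks: name=reject
NOQUEUE: reject: RCPT from mail.example.net[203.0.113.25]: 554 5.7.1 <user@example.org>: Recipient address rejected: Access denied
generic_checks: name=reject status=2
>>> END Recipient address RESTRICTIONS <<<
"""

STAGE = re.compile(r">>> (START|END) (.+?) RESTRICTIONS <<<")
CHECK = re.compile(r"generic_checks: name=(\S+) status=(\d)")
REJECT = re.compile(r"NOQUEUE: reject: (\w+) from (\S+): (\d{3} \S+) (.*)")
VERDICT = {0: "no match", 1: "permit", 2: "reject"}


def explain_reject(log_text):
    """Return the per-restriction trail, the reject record and the deciding rule."""
    stage, trail, reject = None, [], None
    for line in log_text.splitlines():
        m = STAGE.search(line)
        if m:
            # Track which restriction list is currently being evaluated.
            stage = m.group(2) if m.group(1) == "START" else None
            continue
        m = CHECK.search(line)
        if m:
            verdict = VERDICT.get(int(m.group(2)), "?")
            trail.append((stage, m.group(1), verdict))
            continue
        m = REJECT.search(line)
        if m:
            reject = {"command": m.group(1), "client": m.group(2),
                      "reply": m.group(3), "stage": stage}
    deciding = next((t for t in trail if t[2] == "reject"), None)
    return {"trail": trail, "reject": reject, "deciding": deciding}


if __name__ == "__main__":
    for step in explain_reject(SAMPLE_LOG)["trail"]:
        print(step)
```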