outlook connect postfix use tls will fail,reject: RCPT from , 554 5.7.1,Client host rejected: Access denied


xiedeacc
Using Outlook to connect to Postfix on Ubuntu 16.04 fails. It seems TLS is
established, and it can connect to IMAP successfully, but sending a test mail
fails. If I use Roundcube without TLS, I can log in to IMAP and SMTP, and send
and receive mail successfully. Here is the log:

Sep 10 18:40:01 xiedeacc postfix/smtpd[5536]: Anonymous TLS connection
established from unknown[122.226.185.66]: TLSv1 with cipher
ECDHE-RSA-AES256-SHA (256/256 bits)

From here we can see TLS is established, but sending mail is rejected by Postfix:

Sep 10 18:40:01 xiedeacc postfix/smtpd[5536]: NOQUEUE: reject: RCPT from
unknown[122.226.185.66]: 554 5.7.1 <unknown[122.226.185.66]>: Client host
rejected: Access denied; from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<yangzhenxieNB4>

Here is main.cf:

smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
reject_invalid_hostname, permit

#smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_unauth_pipelining, check_sender_access
hash:/etc/postfix/sender_access, permit

smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender,
reject_unknown_sender_domain, check_sender_access
hash:/etc/postfix/sender_access, permit

smtpd_client_restrictions = check_client_access hash:/etc/postfix/access,
reject_rbl_client anti-spam.org.cn, permit_mynetworks,
permit_inet_interfaces, permit_sasl_authenticated, reject

smtpd_recipient_restrictions =  check_recipient_access
hash:/etc/postfix/recipient_access, permit_auth_destination,
reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
reject_unauth_destination, check_policy_service
unix:/var/spool/postfix/var/run/postgrey/socket, reject

#smtpd_recipient_restrictions = check_recipient_access
mysql:/etc/postfix/mysql_block_recip.cf

smtpd_data_restrictions = reject_unauth_pipelining

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
permit_auth_destination, reject

Here is master.cf:

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o
smtpd_client_restrictions=permit_mynetworks,permit_inet_interfaces,permit_sasl_authenticated,reject
  -o
smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_hostname,reject_invalid_hostname,permit
  -o
smtpd_sender_restrictions=permit_mynetworks,reject_non_fqdn_sender,reject_unknown_sender_domain,permit
  -o
smtpd_recipient_restrictions=permit_auth_destination,reject_unauth_pipelining,permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_destination,reject
  -o
smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,permit_auth_destination,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  #  -o smptd_tls_auth_only=yes
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
  -o smtpd_tls_cert_file=/etc/ssl/certs/xiedeacc.com.crt
  -0 smtpd_tls_key_file=/etc/ssl/private/xiedeacc.com.nopassword.key
  -o
smtpd_client_restrictions=permit_mynetworks,permit_inet_interfaces,permit_sasl_authenticated,reject
  -o
smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_hostname,reject_invalid_hostname,permit
  #  -o
smtpd_sender_restrictions=permit_mynetworks,reject_non_fqdn_sender,reject_unknown_sender_domain,reject_unauth_pipelining,permit
  -o
smtpd_sender_restrictions=permit_mynetworks,reject_non_fqdn_sender,reject_unknown_sender_domain,permit
  -o
smtpd_recipient_restrictions=permit_auth_destination,reject_unauth_pipelining,permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_destination,reject
  -o
smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,permit_auth_destination,reject
  -o milter_macro_daemon_name=ORIGINATING



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: outlook connect postfix use tls will fail,reject: RCPT from , 554 5.7.1,Client host rejected: Access denied

Matus UHLAR - fantomas
please, use a real MUA to send mail so it does not wrap lines pasted from
configuration and logs.

On 10.09.17 04:05, xiedeacc wrote:
>Sep 10 18:40:01 xiedeacc postfix/smtpd[5536]: NOQUEUE: reject: RCPT from
>unknown[122.226.185.66]: 554 5.7.1 <unknown[122.226.185.66]>: Client host
>rejected: Access denied; from=<[hidden email]> to=<[hidden email]>
>proto=ESMTP helo=<yangzhenxieNB4>

this looks like "deny" permission in some of the rules.

>smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender,
>reject_unknown_sender_domain, check_sender_access
>hash:/etc/postfix/sender_access, permit

>smtpd_client_restrictions = check_client_access hash:/etc/postfix/access,
>reject_rbl_client anti-spam.org.cn, permit_mynetworks,
>permit_inet_interfaces, permit_sasl_authenticated, reject

>smtpd_recipient_restrictions =  check_recipient_access
>hash:/etc/postfix/recipient_access, permit_auth_destination,
>reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,
>reject_non_fqdn_recipient, reject_unknown_recipient_domain,
>reject_unauth_destination, check_policy_service
>unix:/var/spool/postfix/var/run/postgrey/socket, reject

check /etc/postfix/sender_access, /etc/postfix/access and
/etc/postfix/recipient_access if they don't block the mail

>here is master.cf
>
>submission inet n       -       y       -       -       smtpd

it is apparently NOT the master.cf, just part of it. However, since the log
line above says postfix/smtpd, it was NOT sent from submission port, but
apparently via port 25 where restrictions from master.cf don't apply.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.

Re: outlook connect postfix use tls will fail,reject: RCPT from , 554 5.7.1,Client host rejected: Access denied

xiedeacc
it's really a real mua, it's dovecot



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: outlook connect postfix use tls will fail,reject: RCPT from , 554 5.7.1,Client host rejected: Access denied

Benny Pedersen-2
xiedeacc skrev den 2017-09-10 16:44:
> it's really a real mua, it's dovecot

no

> Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

this is a real mua

ironical ?

Re: outlook connect postfix use tls will fail,reject: RCPT from , 554 5.7.1,Client host rejected: Access denied

Wietse Venema
In reply to this post by xiedeacc
xiedeacc:
> Sep 10 18:40:01 ... 554 5.7.1 <unknown[122.226.185.66]>: Client host
> rejected: Access denied

This is blocked by a 'reject' action in smtpd_client_restrictions or
by a 'reject' result in a check_client_access lookup table.

Suggestion: simplify your rules and add things until things break.
Then you know what is broken.

        Wietse

Re: outlook connect postfix use tls will fail,reject: RCPT from , 554 5.7.1,Client host rejected: Access denied

xiedeacc
In reply to this post by Benny Pedersen-2
Maybe I misunderstood what an MUA is. I will try to change the configuration
tomorrow, because in an inet environment my Postfix sends wrong certs for an
unknown reason. This really bothers me: not on localhost, but on inet, and on
inet nginx sends wrong certs too. I cannot find the reason.



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: outlook connect postfix use tls will fail,reject: RCPT from , 554 5.7.1,Client host rejected: Access denied

Viktor Dukhovni
In reply to this post by xiedeacc
On Sun, Sep 10, 2017 at 04:05:02AM -0700, xiedeacc wrote:

> Sep 10 18:40:01 xiedeacc postfix/smtpd[5536]: Anonymous TLS connection
> established from unknown[122.226.185.66]: TLSv1 with cipher
> ECDHE-RSA-AES256-SHA (256/256 bits)

TLS encrypts the channel, but does not typically authenticate the
client, perhaps you're confusing TLS with SASL (a not uncommon
beginner mistake).

    * TLS:  Provides traffic integrity and confidentiality,
            may authenticate the server to the client.

    * SASL: Authenticates the client to the server, may
            also authenticate the server to the client
            (for some SASL "mechanisms").

> From here we can see TLS is established, but sending mail is rejected by Postfix

Authorization to send is not typically based on TLS alone.

> postfix/smtpd[5536]: NOQUEUE: reject: RCPT from unknown[122.226.185.66]:
>    554 5.7.1 <unknown[122.226.185.66]>:
>    Client host rejected: Access denied;

This is a "reject" action in "smtpd_client_restrictions" for a
client that *did not* do SASL authentication.  Perhaps this
client wants the SASL "LOGIN" mechanism to be available, but
you're only offering "PLAIN".

>    from=<[hidden email]>
>    to=<[hidden email]>
>    proto=ESMTP
>    helo=<yangzhenxieNB4>

> smtpd_client_restrictions =
>    check_client_access hash:/etc/postfix/access,

Most likely not this one unless you have a "REJECT" in this table
for the client's IP address.

>    reject_rbl_client anti-spam.org.cn,

This would be logged differently.

>    permit_mynetworks,
>    permit_inet_interfaces,
>    permit_sasl_authenticated,

None of the above passed.

>    reject

So this action took effect, assuming the client connected to
the SMTP service on port 25.


> submission inet n       -       y       -       -       smtpd
>   [...]
>   -o smtpd_client_restrictions=permit_mynetworks,permit_inet_interfaces,permit_sasl_authenticated,reject

Much the same conclusion for the submission port (587).

> smtps     inet  n       -       y       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
>   -0 smtpd_tls_key_file=/etc/ssl/private/xiedeacc.com.nopassword.key

That "-0" (digit 0) is not "-o".  Use a font that clearly distinguishes
them.

>   -o smtpd_client_restrictions=permit_mynetworks,permit_inet_interfaces,permit_sasl_authenticated,reject

And the same client reject observation for port 465.  The client
did not do SASL.

--
        Viktor.
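
Added example (not part of the thread and not Postfix code): a simplified Python model of the first-match walk through smtpd_client_restrictions that Viktor describes above, combined with Matus's observation that the syslog tag shows which master.cf service logged the reject. Only the log line and the restriction order come from the thread; the mynetworks value, the empty access table and the "not RBL-listed" flag are assumptions.

```python
import ipaddress
import re

# Reject line from the original post (unwrapped, address fields omitted).
PAGE_LINE = ("Sep 10 18:40:01 xiedeacc postfix/smtpd[5536]: NOQUEUE: reject: "
             "RCPT from unknown[122.226.185.66]: 554 5.7.1 "
             "<unknown[122.226.185.66]>: Client host rejected: Access denied")
# smtpd_client_restrictions from the poster's main.cf, in order.
MAIN_CF = ["check_client_access", "reject_rbl_client", "permit_mynetworks",
           "permit_inet_interfaces", "permit_sasl_authenticated", "reject"]

def parse_reject(line):
    """Return (service, client_ip); the service is read from the syslog tag."""
    m = re.search(r"postfix/(?:(\w+)/)?smtpd\[\d+\]: NOQUEUE: reject: "
                  r"RCPT from \S*\[([0-9A-Fa-f.:]+)\]", line)
    # No syslog_name component in the tag means the default port 25 service.
    return ((m.group(1) or "smtp"), m.group(2)) if m else None

def evaluate(client, restrictions=MAIN_CF):
    """Simplified first-match walk; returns (action, deciding restriction)."""
    ip = ipaddress.ip_address(client["ip"])
    for name in restrictions:
        if name == "check_client_access":
            verdict = client["access"].get(client["ip"])  # None: no table entry
            if verdict in ("OK", "REJECT"):
                return ("permit" if verdict == "OK" else "reject", name)
        elif name == "reject_rbl_client" and client["rbl_listed"]:
            return ("reject", name)
        elif name == "permit_mynetworks" and any(
                ip in ipaddress.ip_network(net) for net in client["mynetworks"]):
            return ("permit", name)
        elif name == "permit_inet_interfaces" and client["ip"] in client["local_ips"]:
            return ("permit", name)
        elif name == "permit_sasl_authenticated" and client["sasl"]:
            return ("permit", name)
        elif name == "reject":
            return ("reject", name)
    return ("dunno", None)  # list exhausted without a decision

def page_client(sasl, access=None):
    """Constructed client facts; only the IP address is taken from the log."""
    _, ip = parse_reject(PAGE_LINE)
    return {"ip": ip, "sasl": sasl, "access": access or {}, "rbl_listed": False,
            "mynetworks": ["127.0.0.0/8"], "local_ips": ["127.0.0.1"]}

if __name__ == "__main__":
    print(parse_reject(PAGE_LINE))       # which service logged the reject
    print(evaluate(page_client(False)))  # client that skipped SMTP authentication
    print(evaluate(page_client(True)))   # same client after authenticating
```

In this model TLS never appears as an input: whether the session is encrypted does not change the outcome, only the SASL flag does.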

Re: outlook connect postfix use tls will fail,reject: RCPT from , 554 5.7.1,Client host rejected: Access denied

xiedeacc
Not confused, it is just because of Outlook's strange configuration: Outlook
has to be manually set to send authentication to Postfix. When adding the
account to Outlook, in the other configuration, send server, I need to choose
"my sender server (SMTP) need authentication".



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: outlook connect postfix use tls will fail,reject: RCPT from , 554 5.7.1,Client host rejected: Access denied

xiedeacc
In reply to this post by xiedeacc
I have solved this by changing the Outlook configuration, because Outlook has
to be manually set to send authentication to Postfix. When adding the account
to Outlook, in the other configuration, send server, I need to choose
"my sender server (SMTP) need authentication".



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html