DevHeads.net

Making relay_access_denied permanent?

Hi,

I was wondering why the following error is returned as tempfail:

Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: connect from
hwsrv-288880.hostwindsdns.com[108.174.196.241]
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT
from hwsrv-288880.hostwindsdns.com[108.174.196.241]: 454 4.7.1
< ... at gmail dot com>: Relay access denied;
from=< ... at jpkessler dot de> to=< ... at gmail dot com> proto=ESMTP
helo=<hwsrv-288880.hostwindsdns.com>
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: lost connection after
RCPT from hwsrv-288880.hostwindsdns.com[108.174.196.241]
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: disconnect from
hwsrv-288880.hostwindsdns.com[108.174.196.241] ehlo=1 mail=1 rcpt=0/1
commands=2/3
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: connect from
hwsrv-288880.hostwindsdns.com[108.174.196.241]
Jul  8 09:49:04 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT
from hwsrv-288880.hostwindsdns.com[108.174.196.241]: 454 4.7.1
< ... at gmail dot com>: Relay access denied;
from=< ... at jpkessler dot de> to=< ... at gmail dot com> proto=ESMTP
helo=<hwsrv-288880.hostwindsdns.com>
Jul  8 09:49:05 mx3 postfix-cluster/smtpd[3420]: lost connection after
RCPT from hwsrv-288880.hostwindsdns.com[108.174.196.241]
Jul  8 09:49:05 mx3 postfix-cluster/smtpd[3420]: disconnect from
hwsrv-288880.hostwindsdns.com[108.174.196.241] ehlo=1 mail=1 rcpt=0/1
commands=2/3

Here's the configuration:

# postconf mail_version
mail_version = 3.1.0

# postconf -n
absenderverifizierung = reject_unverified_sender
address_verify_map = btree:$data_directory/db_address_verify
address_verify_positive_refresh_time = 30d
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
delay_warning_time = 4h
empfaengerverifizierung = reject_unverified_recipient
empty_address_recipient = EMAIL-DIENST
greylistcheck = check_policy_service inet:127.0.0.1:10031
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = 10.10.10.3
mail_name = Mailservice
mail_owner = postfix
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
message_size_limit = 41943040
multi_instance_directories = /etc/postfix-cluster
multi_instance_enable = yes
multi_instance_wrapper = ${command_directory}/postmulti -p --
mydestination = localhost
myhostname = box4.jpkessler.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $myhostname
pfwpolicycheck = check_policy_service inet:127.0.0.1:10045
readme_directory = no
recipient_delimiter = +
relay_domains = jpkessler.de, jpkessler.info, notrust.de, postfwd.org, jpkit.de, jpkit.net, jpk.mine.nu, mail.jpkessler.de, mbox.jpkessler.de, test.jpkessler.de, notrust.de, cint.jpkessler.de, lists.jpkessler.de, box3.jpkessler.de, box4.jpkessler.de
relaycheck = permit_mynetworks, check_ccert_access cdb:/etc/postfix/tls_ccerts
relayhost =
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_tls_CAfile = /etc/postfix/CERTS/ca.cer
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/postfix/CERTS/fullchain.cer
smtp_tls_key_file = /etc/postfix/CERTS/jpkessler.de.key
smtp_tls_loglevel = 1
smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP Mailservice
smtpd_policy_service_max_idle = 600s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, check_client_access cidr:/etc/postfix/allowed_ips, check_ccert_access cdb:/etc/postfix/tls_ccerts, reject_non_fqdn_sender, reject_unauth_destination, reject_unknown_sender_domain, pfwpolicycheck, empfaengerverifizierung, permit
smtpd_restriction_classes = relaycheck, pfwpolicycheck, greylistcheck, empfaengerverifizierung, absenderverifizierung
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/CERTS/ca.cer
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/postfix/CERTS/fullchain.cer
smtpd_tls_dh1024_param_file = /etc/postfix/CERTS/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/CERTS/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/postfix/CERTS/jpkessler.de.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
transport_maps = cdb:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = Unknown user -- Empfaenger unbekannt
unverified_sender_reject_code = 550

# postconf -Mf
smtp       inet  n       -       n       -       - smtpd
pickup     fifo  n       -       y       60      1 pickup
cleanup    unix  n       -       y       -       0 cleanup
qmgr       fifo  n       -       n       300     1 qmgr
tlsmgr     unix  -       -       y       1000?   1 tlsmgr
rewrite    unix  -       -       y       -       - trivial-rewrite
bounce     unix  -       -       y       -       0 bounce
defer      unix  -       -       y       -       0 bounce
trace      unix  -       -       y       -       0 bounce
verify     unix  -       -       y       -       1 verify
flush      unix  n       -       y       1000?   0 flush
proxymap   unix  -       -       n       -       - proxymap
proxywrite unix  -       -       n       -       1 proxymap
smtp       unix  -       -       n       -       - smtp
relay      unix  -       -       n       -       - smtp
showq      unix  n       -       y       -       - showq
error      unix  -       -       y       -       - error
retry      unix  -       -       y       -       - error
discard    unix  -       -       y       -       - discard
local      unix  -       n       n       -       - local
virtual    unix  -       n       n       -       - virtual
lmtp       unix  -       -       y       -       - lmtp
anvil      unix  -       -       y       -       1 anvil
scache     unix  -       -       y       -       1 scache
maildrop   unix  -       n       n       -       - pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       - pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       - pipe flags=F user=ftn
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       - pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2 pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}
mailman    unix  -       n       n       -       - pipe flags=FR
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
    ${user}

Comments

Re: Making relay_access_denied permanent?

By Jan P. Kessler at 07/08/2018 - 04:10

Maybe I can answer the question myself - it would be nice if anybody
could confirm:

# postconf -d|grep smtpd_relay_restr
...
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
defer_unauth_destination

I guess that I should set:

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination

Am I right?

Thank you in advance
  Jan

On 08.07.2018 at 10:04, Jan P. Kessler wrote:

Re: Making relay_access_denied permanent?

By Wietse Venema at 07/08/2018 - 07:44

Jan P. Kessler:
Yes, if you agree with the setting.

smtpd_relay_restrictions was introduced late in the life of Postfix,
and making this a hard reject by default would be too disruptive.

Wietse

Re: Making relay_access_denied permanent?

By Jan P. Kessler at 07/08/2018 - 04:28

Confirmed by my own test - sorry for noise on this list:

Jul  8 10:23:14 mx3 postfix-cluster/smtpd[3564]: NOQUEUE: reject: RCPT
from ipservice-047-071-140-188.pools.arcor-ip.net[47.71.140.188]: 554
5.7.1 < ... at ruv dot de>: Relay access denied; from=< ... at ruv dot de>
to=< ... at ruv dot de> proto=ESMTP helo=<ruv.de>

I have to admit that it's an old configuration (from a postfix 2.x
setup). I think it's time to review it.

Case closed - thank you for postfix!

Regards, jpk
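A check for the behaviour discussed in this thread, added here as an example and not code from the thread or from Postfix: it classifies "Relay access denied" smtpd rejects by their enhanced status code (4.7.1 tempfail versus 5.7.1 permanent) and tells whether a main.cf, as printed by postconf -n, leaves smtpd_relay_restrictions at the defer_unauth_destination default that produced the 454. The sample log lines are constructed; the client hostnames are taken from the thread and the mailbox addresses are placeholders.

```python
import re

# Default as shown by "postconf -d" in the thread (Postfix 3.1.0).
DEFAULT_RELAY_RESTRICTIONS = (
    "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"
)

# Matches the smtpd NOQUEUE reject lines from the thread; the enhanced
# status code (4.7.1 vs 5.7.1) tells temporary from permanent rejects.
REJECT_RE = re.compile(
    r"/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<enhanced>\d\.\d\.\d) <[^>]*>: (?P<reason>[^;]+);"
)

# Constructed sample log modelled on the thread (addresses are placeholders).
SAMPLE_LOG = """\
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT from hwsrv-288880.hostwindsdns.com[108.174.196.241]: 454 4.7.1 <user@example.com>: Relay access denied; from=<sender@example.net> to=<user@example.com> proto=ESMTP helo=<hwsrv-288880.hostwindsdns.com>
Jul  8 10:23:14 mx3 postfix-cluster/smtpd[3564]: NOQUEUE: reject: RCPT from ipservice-047-071-140-188.pools.arcor-ip.net[47.71.140.188]: 554 5.7.1 <user@example.org>: Relay access denied; from=<sender@example.org> to=<user@example.org> proto=ESMTP helo=<example.org>
Jul  8 10:30:00 mx3 postfix-cluster/smtpd[3570]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <nobody@example.com>: Unknown user -- Empfaenger unbekannt; from=<a@example.net> to=<nobody@example.com> proto=ESMTP helo=<mail.example.net>
"""

def count_relay_rejects(log_text):
    """Count 'Relay access denied' rejects as (tempfail, permanent)."""
    tempfail = permanent = 0
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m.group("reason") != "Relay access denied":
            continue  # other rejects (unknown user etc.) are not relay rejects
        if m.group("enhanced").startswith("4."):
            tempfail += 1   # 454 4.7.1: client will keep retrying
        else:
            permanent += 1  # 554 5.7.1: client gives up
    return tempfail, permanent

def effective_relay_restrictions(postconf_n_text):
    """Value of smtpd_relay_restrictions in 'postconf -n' output, or the
    built-in default when the parameter is absent (as in the thread)."""
    for line in postconf_n_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "smtpd_relay_restrictions":
            return " ".join(value.split())
    return DEFAULT_RELAY_RESTRICTIONS

def relays_are_deferred_not_rejected(postconf_n_text):
    """True when unauthorized relay attempts get a 4xx tempfail (the default)."""
    value = effective_relay_restrictions(postconf_n_text)
    return "defer_unauth_destination" in value.replace(",", " ").split()
```

Feed it the output of `postconf -n` (for the cluster instance, `postmulti -i postfix-cluster -x postconf -n`) and the smtpd log of the same instance; an all-4xx count together with a True result is the situation the thread describes.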