>Dale Carstensen wrote:
>> I searched on the MARC archive for "access denied" and got 30 hits
>> since 4-30-2009, but none of the subjects looked promising, so here's
>> a question.
>> 
>> A local recipient has registered a complaint that correspondents are
>> getting 554 responses part of the time (not always) when attempting
>> to send mail to this local recipient.  An example message includes:
>> 
>> 554 554 <mail-gx0-f209.google.com[209.85.217.209]>: Client
>> host rejected: Access denied (state 14)
>> 
>> In the interval since the current /var/log/maillog started at
>> Jun 16 11:00:01, there have been 12 'reject.*Access denied'
>> entries.  5 of them involve this local recipient.  1 involves
>> another valid recipient.  6 look like spam to me.
>> 
>> The 6 with valid local recipients should not have had access
>> denied, I think.  Why did they?
>> 
>> There are 13 "reject" messages in the log.  The other one is an
>> outgoing message where qwest.net said the recipient is not valid.
>> There are 15,380 "sent" messages in the log, just to give some
>> perspective.
>> 
>> This postfix is somewhat dated.  I'm working on a whole new
>> up-to-date server, but that project has stalled on getting a
>> conversion to virtual users instead of adding every mail user
>> as a Unix shell account.  The version running is 2.2.8p1 on
>> OpenBSD 3.9 amd64.
>> 
>> postconf -n output (names changed to example.com, IP addr to old/new.ip.range):
>> 
>> command_directory = /usr/local/sbin 
>> config_directory = /etc/postfix
>> content_filter = smtp-amavis:[127.0.0.1]:10024
>> daemon_directory = /usr/local/libexec/postfix
>> debug_peer_level = 2
>> html_directory = /usr/local/share/doc/postfix/html
>> mail_owner = _postfix
>> mailbox_size_limit = 512000000
>> mailq_path = /usr/local/sbin/mailq
>> manpage_directory = /usr/local/man
>> message_size_limit = 102400000
>> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
>> mydomain = example.com
>> myhostname = host.example.com
>> mynetworks = old.ip.range.0/23, 127.0.0.0/8, new.ip.range.192/26, 10.9.64.0/18
>> myorigin = $mydomain
>> newaliases_path = /usr/local/sbin/newaliases
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/local/share/doc/postfix/readme
>> sample_directory = /etc/postfix
>> sendmail_path = /usr/local/sbin/sendmail
>> setgid_group = _postdrop
>> unknown_local_recipient_reject_code = 550
>> 
>> Log entries (local names changed to exam...@example.com, remote to
>> rem...@remote.real-domain..., address of local postfix server to
>> new.ip.range.host), otherwise "grep 'reject.*Access denied'
>> /var/log/maillog":
>> 
>> Jun 16 20:04:47 lacn postfix/smtpd[4529]: NOQUEUE: reject: RCPT from unknown[67.118.51.103]: 554 <unknown[67.118.51.103]>: Client host rejected: Access denied; from=<spam...@tiscali.it> to=<spam...@tiscali.it> proto=ESMTP helo=<Sandy-pnowdsakp>
>> Jun 17 10:45:45 lacn postfix/smtpd[14521]: NOQUEUE: reject: RCPT from mx-out.forthnet.gr[193.92.150.104]: 554 <mx-out.forthnet.gr[193.92.150.104]>: Client host rejected: Access denied; from=<rem...@real-domain.cha.forthnet.gr> to=<examp...@host.example.com> proto=ESMTP helo=<mx-out.forthnet.gr>
>> Jun 17 16:24:09 lacn postfix/smtpd[12055]: NOQUEUE: reject: RCPT from unknown[66.191.14.222]: 554 <unknown[66.191.14.222]>: Client host rejected: Access denied; from=<spam...@tiscali.it> to=<spam...@tiscali.it> proto=ESMTP helo=<SERVER2>
>> Jun 18 09:08:44 lacn postfix/smtpd[26877]: NOQUEUE: reject: RCPT from mx-out.forthnet.gr[193.92.150.104]: 554 <mx-out.forthnet.gr[193.92.150.104]>: Client host rejected: Access denied; from=<rem...@real-domain.cha.forthnet.gr> to=<examp...@host.example.com> proto=ESMTP helo=<mx-out.forthnet.gr>
>> Jun 18 23:53:21 lacn postfix/smtpd[10310]: NOQUEUE: reject: RCPT from 124-11-136-70.dynamic.tfn.net.tw[124.11.136.70]: 554 <124-11-136-70.dynamic.tfn.net.tw[124.11.136.70]>: Client host rejected: Access denied; from=<vi...@gmail.com> to=<vbibi...@gmail.com> proto=SMTP helo=<new.ip.range.host>
>> Jun 19 01:40:44 lacn postfix/smtpd[12721]: NOQUEUE: reject: RCPT from 118-168-111-183.dynamic.hinet.net[118.168.111.183]: 554 <118-168-111-183.dynamic.hinet.net[118.168.111.183]>: Client host rejected: Access denied; from=<z200...@yahoo.com.tw> to=<fj39k...@yahoo.com.tw> proto=SMTP helo=<new.ip.range.host>
>> Jun 19 09:14:53 lacn postfix/smtpd[10930]: NOQUEUE: reject: RCPT from mail-gx0-f209.google.com[209.85.217.209]: 554 <mail-gx0-f209.google.com[209.85.217.209]>: Client host rejected: Access denied; from=<rem...@real-domain.gmail.com> to=<examp...@host.example.com> proto=ESMTP helo=<mail-gx0-f209.google.com>
>> Jun 19 09:14:56 lacn postfix/smtpd[10930]: NOQUEUE: reject: RCPT from mail-gx0-f209.google.com[209.85.217.209]: 554 <mail-gx0-f209.google.com[209.85.217.209]>: Client host rejected: Access denied; from=<rem...@real-domain.gmail.com> to=<examp...@host.example.com> proto=ESMTP helo=<mail-gx0-f209.google.com>
>> Jun 19 10:21:44 lacn postfix/smtpd[5512]: NOQUEUE: reject: RCPT from mx-out.forthnet.gr[193.92.150.104]: 554 <mx-out.forthnet.gr[193.92.150.104]>: Client host rejected: Access denied; from=<rem...@real-domain.cha.forthnet.gr> to=<examp...@host.example.com> proto=ESMTP helo=<mx-out.forthnet.gr>
>> Jun 20 03:32:55 lacn postfix/smtpd[1723]: NOQUEUE: reject: RCPT from snt0-omc1-s4.snt0.hotmail.com[65.55.90.15]: 554 <snt0-omc1-s4.snt0.hotmail.com[65.55.90.15]>: Client host rejected: Access denied; from=<rem...@real-domain.hotmail.com> to=<examp...@host.example.com> proto=ESMTP helo=<snt0-omc1-s4.snt0.hotmail.com>
>> Jun 21 06:10:48 lacn postfix/smtpd[8387]: NOQUEUE: reject: RCPT from mail-gx0-f209.google.com[209.85.217.209]: 554 <mail-gx0-f209.google.com[209.85.217.209]>: Client host rejected: Access denied; from=<rem...@real-domain.gmail.com> to=<examp...@host.example.com> proto=ESMTP helo=<mail-gx0-f209.google.com>
>> Jun 21 07:43:31 lacn postfix/smtpd[12774]: NOQUEUE: reject: RCPT from unknown[119.206.224.135]: 554 <unknown[119.206.224.135]>: Client host rejected: Access denied; from=<kimjint...@hotmail.com> to=<kimjintae...@naver.com> proto=SMTP helo=<new.ip.range.host>
>> 
>> 
>> 
>
>you have a rule that calls "REJECT". but your 'postconf -n' shows no
>restrictions nor header/body checks. a first bet is that the rules are
>in master.cf.

Note that messages from the same sender, taking the same path, do
get accepted, too.  There seem to be 6 of those in the same log
interval from a sender who had 3 rejected.  Do you want more detailed
log entries about those?

These are the master.cf sections that are uncommented and include the
string reject (the word reject is simply preceded by permit_mynetworks
in all 4 relevant cases, plus one smtpd_delay_reject=no line) (at
least I think I know which 4 might be relevant, please let me know if
that's wrong):

smtp      inet  n       -       -       -       -       smtpd -D
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
127.0.0.1:10025 inet n  -       -     -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject 
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
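
Following up on the suggestion in the quoted reply to look in master.cf, here is an added example (not code from either poster or from Postfix): a Python check that collects the `-o` overrides of each master.cf entry and flags non-loopback `inet` listeners whose `smtpd_*_restrictions` list ends in a bare `reject`. The sample text is constructed from the excerpt above, the function names are hypothetical, and the parser assumes override values contain no spaces.

```python
import ipaddress

# Constructed sample, shortened from the master.cf excerpt in the message above.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd -D
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
127.0.0.1:10025 inet n  -       -     -       -  smtpd
    -o content_filter=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
"""

def parse_master_cf(text):
    """Return [(service, type, {param: value})], one tuple per master.cf entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        if raw[0].isspace():              # indented line continues the last entry
            if not entries:
                continue
            args = fields
        elif len(fields) >= 8:            # 7 fixed columns, the command, then its args
            entries.append((fields[0], fields[1], {}))
            args = fields[8:]
        else:
            continue                      # malformed entry line, skip it
        for flag, setting in zip(args, args[1:]):
            if flag == "-o" and "=" in setting:
                name, _, value = setting.partition("=")
                entries[-1][2][name] = value
    return entries

def loopback_only(service):
    """True when the service column is host:port with a loopback host."""
    host = service.rsplit(":", 1)[0].strip("[]") if ":" in service else ""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def find_blanket_rejects(text):
    """List (service, param, value) where a non-loopback smtpd list ends in bare reject."""
    findings = []
    for service, stype, opts in parse_master_cf(text):
        if stype != "inet" or loopback_only(service):
            continue
        for name, value in opts.items():
            rules = value.replace(",", " ").split()
            if name.startswith("smtpd_") and name.endswith("_restrictions") and rules[-1:] == ["reject"]:
                findings.append((service, name, value))
    return findings
```

On a listener flagged this way, a client outside `mynetworks` that reaches the bare `reject` is refused with "Client host rejected: Access denied", the text seen in the log entries above.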

