Dale Carstensen wrote:
Dale Carstensen wrote:
I searched on the MARC archive for "access denied" and got 30 hits
since 4-30-2009, but none of the subjects looked promising, so here's
a question.

A local recipient has registered a complaint that correspondents are
getting 554 responses part of the time (not always) when attempting
to send mail to this local recipient.  An example message includes:

554 554 <mail-gx0-f209.google.com[209.85.217.209]>: Client
host rejected: Access denied (state 14)

In the interval since the current /var/log/maillog started at
Jun 16 11:00:01, there have been 12 'reject.*Access denied'
entries.  5 of them involve this local recipient.  1 involves
another valid recipient.  6 look like spam to me.

The 6 with valid local recipients should not have had access
denied, I think.  Why did they?

There are 13 "reject" messages in the log.  The other one is an
outgoing message where qwest.net said the recipient is not valid.
There are 15,380 "sent" messages in the log, just to give some
perspective.

This postfix is somewhat dated.  I'm working on a whole new
up-to-date server, but that project has stalled on getting a
conversion to virtual users instead of adding every mail user
as a Unix shell account.  The version running is 2.2.8p1 on
OpenBSD 3.9 amd64.

postconf -n output (names changed to example.com, IP addr to old/new.ip.range):
command_directory = /usr/local/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
html_directory = /usr/local/share/doc/postfix/html
mail_owner = _postfix
mailbox_size_limit = 512000000
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
message_size_limit = 102400000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = example.com
myhostname = host.example.com
mynetworks = old.ip.range.0/23, 127.0.0.0/8, new.ip.range.192/26, 10.9.64.0/18
myorigin = $mydomain
newaliases_path = /usr/local/sbin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
unknown_local_recipient_reject_code = 550

Log entries (local names changed to exam...@example.com, remote to
rem...@remote.real-domain..., address of local postfix server to
new.ip.range.host), otherwise "grep 'reject.*Access denied'
/var/log/maillog":

Jun 16 20:04:47 lacn postfix/smtpd[4529]: NOQUEUE: reject: RCPT from unknown[67.118.51.103]: 554 <unknown[67.118.51.103]>: Client host rejected: Access denied; from=<spam...@tiscali.it> to=<spam...@tiscali.it> proto=ESMTP helo=<Sandy-pnowdsakp>
Jun 17 10:45:45 lacn postfix/smtpd[14521]: NOQUEUE: reject: RCPT from mx-out.forthnet.gr[193.92.150.104]: 554 <mx-out.forthnet.gr[193.92.150.104]>: Client host rejected: Access denied; from=<rem...@real-domain.cha.forthnet.gr> to=<examp...@host.example.com> proto=ESMTP helo=<mx-out.forthnet.gr>
Jun 17 16:24:09 lacn postfix/smtpd[12055]: NOQUEUE: reject: RCPT from unknown[66.191.14.222]: 554 <unknown[66.191.14.222]>: Client host rejected: Access denied; from=<spam...@tiscali.it> to=<spam...@tiscali.it> proto=ESMTP helo=<SERVER2>
Jun 18 09:08:44 lacn postfix/smtpd[26877]: NOQUEUE: reject: RCPT from mx-out.forthnet.gr[193.92.150.104]: 554 <mx-out.forthnet.gr[193.92.150.104]>: Client host rejected: Access denied; from=<rem...@real-domain.cha.forthnet.gr> to=<examp...@host.example.com> proto=ESMTP helo=<mx-out.forthnet.gr>
Jun 18 23:53:21 lacn postfix/smtpd[10310]: NOQUEUE: reject: RCPT from 124-11-136-70.dynamic.tfn.net.tw[124.11.136.70]: 554 <124-11-136-70.dynamic.tfn.net.tw[124.11.136.70]>: Client host rejected: Access denied; from=<vi...@gmail.com> to=<vbibi...@gmail.com> proto=SMTP helo=<new.ip.range.host>
Jun 19 01:40:44 lacn postfix/smtpd[12721]: NOQUEUE: reject: RCPT from 118-168-111-183.dynamic.hinet.net[118.168.111.183]: 554 <118-168-111-183.dynamic.hinet.net[118.168.111.183]>: Client host rejected: Access denied; from=<z200...@yahoo.com.tw> to=<fj39k...@yahoo.com.tw> proto=SMTP helo=<new.ip.range.host>
Jun 19 09:14:53 lacn postfix/smtpd[10930]: NOQUEUE: reject: RCPT from mail-gx0-f209.google.com[209.85.217.209]: 554 <mail-gx0-f209.google.com[209.85.217.209]>: Client host rejected: Access denied; from=<rem...@real-domain.gmail.com> to=<examp...@host.example.com> proto=ESMTP helo=<mail-gx0-f209.google.com>
Jun 19 09:14:56 lacn postfix/smtpd[10930]: NOQUEUE: reject: RCPT from mail-gx0-f209.google.com[209.85.217.209]: 554 <mail-gx0-f209.google.com[209.85.217.209]>: Client host rejected: Access denied; from=<rem...@real-domain.gmail.com> to=<examp...@host.example.com> proto=ESMTP helo=<mail-gx0-f209.google.com>
Jun 19 10:21:44 lacn postfix/smtpd[5512]: NOQUEUE: reject: RCPT from mx-out.forthnet.gr[193.92.150.104]: 554 <mx-out.forthnet.gr[193.92.150.104]>: Client host rejected: Access denied; from=<rem...@real-domain.cha.forthnet.gr> to=<examp...@host.example.com> proto=ESMTP helo=<mx-out.forthnet.gr>
Jun 20 03:32:55 lacn postfix/smtpd[1723]: NOQUEUE: reject: RCPT from snt0-omc1-s4.snt0.hotmail.com[65.55.90.15]: 554 <snt0-omc1-s4.snt0.hotmail.com[65.55.90.15]>: Client host rejected: Access denied; from=<rem...@real-domain.hotmail.com> to=<examp...@host.example.com> proto=ESMTP helo=<snt0-omc1-s4.snt0.hotmail.com>
Jun 21 06:10:48 lacn postfix/smtpd[8387]: NOQUEUE: reject: RCPT from mail-gx0-f209.google.com[209.85.217.209]: 554 <mail-gx0-f209.google.com[209.85.217.209]>: Client host rejected: Access denied; from=<rem...@real-domain.gmail.com> to=<examp...@host.example.com> proto=ESMTP helo=<mail-gx0-f209.google.com>
Jun 21 07:43:31 lacn postfix/smtpd[12774]: NOQUEUE: reject: RCPT from unknown[119.206.224.135]: 554 <unknown[119.206.224.135]>: Client host rejected: Access denied; from=<kimjint...@hotmail.com> to=<kimjintae...@naver.com> proto=SMTP helo=<new.ip.range.host>



You have a rule that calls "REJECT", but your 'postconf -n' shows no
restrictions nor header/body checks. A first bet is that the rules are
in master.cf.

Note that messages from the same sender, taking the same path, do
get accepted, too.  There seem to be 6 of those in the same log
interval from a sender who had 3 rejected.  Do you want more detailed
log entries about those?

These are the master.cf sections that are uncommented and include the
string reject (the word reject is simply preceded by permit_mynetworks
in all 4 relevant cases, plus one smtpd_delay_reject=no line) (at
least I think I know which 4 might be relevant, please let me know if
that's wrong):

smtp      inet  n       -       -       -       -       smtpd -D
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject

The above appears to be your "default" smtpd entry. It says any client not listed in $mynetworks will be rejected with an "Access denied" message.

This is not appropriate for an internet-facing mail service; you won't receive any mail from outside your network.

Remove both the smtpd_client_restrictions and smtpd_recipient_restrictions entries from this entry.

The "-D" enables debug output. While this probably won't break anything, it is not necessary and adds lots of unneeded and potentially confusing log entries. Remove it.

127.0.0.1:10025 inet n  -       -     -       -  smtpd
...

This is the entry that handles mail re-entering postfix after amavisd-new has processed it. It's not causing any problems. The only minor change I suggest is to remove the "strict_rfc821_envelopes" option (or set it explicitly "no") - you don't want to reject anything that amavisd sends back into postfix. The "smtpd_delay_reject" entry should also be left at the default "yes", but that doesn't really make any difference here since you shouldn't be rejecting anything anyway.

  -- Noel Jones
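
The diagnosis above hinges on `-o` overrides in master.cf that `postconf -n` never shows. As an added example (not part of the original thread and not Postfix code), this Python audit joins master.cf continuation lines and flags public `inet` smtpd listeners whose restriction overrides end in a bare `reject`; the sample file and the options on the 10025 listener are constructed assumptions.

```python
import re

# Constructed sample modelled on the entries quoted in the thread; the
# override on the 10025 re-injection listener is an illustrative assumption.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd -D
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
127.0.0.1:10025 inet n  -       -       -       -       smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

LOOPBACK = ("127.", "localhost:", "[::1]:")

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) to their entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def audit(text):
    """Return (service, finding) pairs for non-loopback inet smtpd listeners."""
    findings = []
    for entry in logical_lines(text):
        fields = entry.split()
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        service, args = fields[0], fields[8:]
        if service.startswith(LOOPBACK):
            continue  # internal re-injection listener: a closed policy is expected
        if "-D" in args or "-v" in args:
            findings.append((service, "-D/-v flag on smtpd command line"))
        for flag, opt in zip(args, args[1:]):
            name, _, value = opt.partition("=")
            last = re.split(r"[,\s]+", value.strip(", "))[-1]
            if flag == "-o" and name.endswith("_restrictions") and last == "reject":
                findings.append((service, f"{name} ends in bare 'reject'"))
    return findings

if __name__ == "__main__":
    for service, finding in audit(SAMPLE_MASTER_CF):
        print(f"{service}: {finding}")
```
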
