On 8/4/2010 6:01 PM, Bill Gee wrote:
Hello everyone -
I have my Postfix server set up to reject mail from servers which are unknown
in DNS. Normally that is a good thing, but every now and then I run across
one that I want to accept mail from.
I have tried several ways to set up the exceptions in Postfix, but so far it is
not working. What rule is causing the rejection? I've tried changing all of
the rules I list below, but no luck.
I may have two problems here. The listings below show two servers that are
being denied. The maillog entries are slightly different. I may have two
different rules to change.
This is Postfix 2.3.3 running on CentOS 5.5.
Here is a sample entry from maillog:
=============
Jul 25 15:54:53 server2 postfix/smtpd[7338]: NOQUEUE: reject: RCPT from
unknown[212.96.160.162]
: 450 4.7.1 Client host rejected: cannot find your hostname, 212.96.160.162];
from=<therion-bo
un...@speleo.sk> to=<b...@campercaver.net> proto=ESMTP
helo=<outsider2.texxar.cz>
This was rejected by reject_unknown_client_hostname
Jul 25 15:54:55 server2 postfix/smtpd[7338]: lost connection after RSET from
unknown[212.96.160.162]
Jul 25 15:54:55 server2 postfix/smtpd[7338]: disconnect from
unknown[212.96.160.162]
Jul 25 16:15:22 server2 postfix/smtpd[7829]: connect from
unknown[67.213.214.192]
Jul 25 16:15:23 server2 postfix/smtpd[7829]: NOQUEUE: reject: RCPT from
unknown[67.213.214.192]: 450 4.7.1<vps.zr2usa.com>: Helo command rejected:
Host not found; from=<nob...@vps.zr2usa.com> to=<b...@campercaver.net>
proto=ESMTP helo=<vps.zr2usa.com>
This was rejected by reject_unknown_helo_hostname
Jul 25 16:15:23 server2 postfix/smtpd[7829]: disconnect from
unknown[67.213.214.192]
============
Here are the relevant entries from main.cf:
==============
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access,
reject_unknown_client_hostname
This access table will whitelist the specified clients from
reject_unknown_client_hostname, but the client can still be
rejected by checks in other smtpd_*_restrictions sections.
smtpd_require_helo = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
check_helo_access hash:/etc/postfix/ok-ipaddresses,
The ok-ipaddresses will check the HELO name the client gives,
which should never be an IP address. This table probably
doesn't really whitelist anything.
reject_invalid_helo_hostname,
reject_unknown_helo_hostname,
reject_non_fqdn_hostname,
permit
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/special-senders,
The special-senders file checks the recipient name. You're an
open relay to any address listed in this file. Fortunately,
IP addresses don't match, and names with leading dots, i.e.
".foo.example.com" won't match unless you've changed the
default value of parent_domain_matches_subdomains.
This table isn't matching anything, which is probably a good
thing.
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
check_recipient_access hash:/etc/postfix/denied-system-mailboxes,
reject_unauth_destination,
permit
====================
Here is the 'access' file:
==================
zr2usa.com OK
vps.zr2usa.com OK
client names are OK. This must be the client hostname and not
necessarily the email domain name.
nob...@vps.zr2usa.com OK
ke...@vps.zr2usa.com OK
email addresses will never match a check_client_access lookup.
67.213.214.192 OK
212.96.160.162 OK
IP addresses are OK
================
Here is the special-senders file:
================
75.144.158.125 OK
IPs are never matched in a check_recipient_access table.
.onsetcomp.com OK
Domains with leading dots are not matched unless you change
parent_domain_matches_subdomains.
65.55.90.161 OK
.snt0.hotmail.com OK
67.213.214.192 OK
212.96.160.162 OK
Nothing matches here.
===============
And finally, the ok-ipaddresses file:
This file is used with check_helo_access. IPs and names with
leading dots will never be matched.
===============
65.55.90.161 OK
.snt0.hotmail.com OK
65.55.90.175 OK
67.213.214.192 OK
212.96.160.162 OK
===============
Thanks - Bill Gee
You should remove your smtpd_client_restrictions and
smtpd_helo_restrictions (and smtpd_sender_restrictions if
you're using it) and put everything under
smtpd_recipient_restrictions arranged like so:
smtpd_recipient_restrictions =
# allow local access
permit_mynetworks
# reject relay attempts
reject_unauth_destination
# client whitelist. Whitelist CLIENTS here. A client
# can be an IP or a domain name without leading dots.
check_client_access hash:/etc/postfix/client_whitelist
# local recipient blacklist
check_recipient_access
hash:/etc/postfix/denied-system-mailboxes
# all anti-spam restrictions go below here
...
-- Noel Jones
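
The matching rules called out in the reply above can be checked mechanically before a table goes live. The following is an added example, not part of the original thread and not Postfix code: the names `MATCHABLE`, `key_kind` and `audit` are hypothetical, the sample tables are constructed, and it assumes the default `parent_domain_matches_subdomains` setting and IPv4 keys only.

```python
import re

# Key kinds each lookup type can match, following the reply above; assumes
# parent_domain_matches_subdomains is left at its default value.
MATCHABLE = {
    "check_client_access": {"ip", "hostname"},
    "check_helo_access": {"hostname"},
    "check_recipient_access": {"email", "hostname"},
}

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")  # full IPv4 address or network prefix

def key_kind(key):
    """Classify an access(5) table key (IPv4 only; IPv6 is not handled)."""
    if "@" in key:
        return "email"
    if IP_RE.match(key):
        return "ip"
    if key.startswith("."):
        return "dot_domain"
    return "hostname"

def audit(restriction, table_text):
    """Return [(lineno, key, kind)] for entries this lookup type never matches."""
    allowed = MATCHABLE[restriction]
    dead = []
    for lineno, line in enumerate(table_text.splitlines(), 1):
        # Skip blanks, comments, and continuation lines (leading whitespace).
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        key = line.split()[0]
        kind = key_kind(key)
        if kind not in allowed:
            dead.append((lineno, key, kind))
    return dead

# Constructed sample tables (documentation addresses, not the poster's data).
SAMPLE_CLIENT = "example.com OK\nmail.example.com OK\nuser@mail.example.com OK\n192.0.2.25 OK\n"
SAMPLE_HELO = "192.0.2.25 OK\n.mail.example.net OK\nmail.example.org OK\n"

if __name__ == "__main__":
    for restriction, table in (("check_client_access", SAMPLE_CLIENT),
                               ("check_helo_access", SAMPLE_HELO),
                               ("check_recipient_access", SAMPLE_HELO)):
        for lineno, key, kind in audit(restriction, table):
            print(f"{restriction}: line {lineno}: '{key}' ({kind}) never matches")
```

An entry flagged here is dead weight rather than a whitelist; the reverse case, an `OK` in a `check_recipient_access` table placed ahead of `reject_unauth_destination`, is the open-relay risk described in the reply and needs a manual look at restriction order.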