I'm next configuring a service to provide outbound smarthosting to a local 
server. As with several of my other services, the goal is to use TLS cert 
check/auth only, no SASL.

Sending a test message via the local server, the log at the smarthost shows the 
message rejected with "Recipient address rejected: Access denied":

        Jun 10 08:14:52 remote016 postfix/smarthost/smtpd[20272]: connect from internal.local010.DDDD.com[10.128.1.10]
        Jun 10 08:14:52 remote016 postfix/smarthost/smtpd[20272]: Trusted TLS connection established from internal.local010.DDDD.com[10.128.1.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
        Jun 10 08:14:52 remote016 postfix/smarthost/smtpd[20272]: NOQUEUE: reject: RCPT from internal.local010.DDDD.com[10.128.1.10]: 554 5.7.1 <check-a...@verifier.port25.com>: Recipient address rejected: Access denied; from=<ad...@dddd.com> to=<check-a...@verifier.port25.com> proto=ESMTP helo=<mail.DDDD.com>
        Jun 10 08:14:52 remote016 postfix/smarthost/smtpd[20272]: disconnect from internal.local010.DDDD.com[10.128.1.10] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

The smarthost config:
        ...
        [internal.remote016.DDDD.com]:587  inet  n  -  n  -  -  smtpd
          -o permit_tls_clientcerts=yes
          -o relay_clientcerts=lmdb:/etc/postfix/smarthost_clientcerts
          -o smtpd_client_restrictions=
          -o smtpd_data_restrictions=
          -o smtpd_end_of_data_restrictions=
          -o smtpd_etrn_restrictions=
          -o smtpd_helo_restrictions=
          -o smtpd_recipient_restrictions=
          -o smtpd_relay_restrictions=permit_tls_clientcerts,reject
          -o smtpd_sasl_auth_enable=no
          -o smtpd_sender_restrictions=
          -o smtpd_tls_loglevel=1
          -o smtpd_tls_auth_only=yes
          -o smtpd_tls_security_level=encrypt
          -o smtpd_tls_CAfile=/etc/ssj/mail/DDDD_CA.crt
          -o smtpd_tls_CApath=/etc/ssl/certs
          -o smtpd_tls_cert_file=/etc/ssj/mail/relay-remote.crt
          -o smtpd_tls_ccert_verifydepth=9
          -o smtpd_tls_fingerprint_digest=sha1
          -o smtpd_tls_key_file=/etc/ssj/mail/relay-remote.key
          -o smtpd_tls_mandatory_ciphers=high
          -o smtpd_tls_mandatory_protocols=!TLSv1.1,!TLSv1,!SSLv3,!SSLv2
          -o smtpd_tls_req_ccert=yes
          -o smtpd_tls_wrappermode=no
          -o syslog_name=postfix/smarthost
          -o amavisdfeed:[127.0.0.1]:40001

where, per the documentation,

        permit_tls_clientcerts
                Allow the remote SMTP client request if the client certificate fingerprint or certificate public key fingerprint (Postfix 2.9 and later) is listed in the client certificate table (see relay_clientcerts discussion below).

At the server:

        openssl x509 -pubkey -noout -in /etc/ssh/mail/commercial.crt | openssl pkey -pubin -outform DER | openssl dgst -sha1 -c
                (stdin)= HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH

and on the smarthost, matching:

        CLIENT/smarthost_clientcerts
                HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH:HH commercial.crt

I suspect the "Recipient address rejected: Access denied" is due, again and now 
in this direction, to an incorrect smtpd_relay_restrictions=permit_tls_clientcerts 
config? Perhaps incorrect usage of relay_clientcerts=.
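
The following is an added example, not part of the post above or of Postfix itself. It shows what permit_tls_clientcerts actually compares: Postfix accepts the client for relaying when either the fingerprint of the whole DER certificate or (Postfix 2.9 and later) the fingerprint of the certificate's SubjectPublicKeyInfo, both computed with the digest named by smtpd_tls_fingerprint_digest, is a key in the relay_clientcerts table. The script computes both values from a DER certificate with a minimal DER walker, formats them in the colon-separated hex form the relay_clientcerts examples use, and looks them up in a relay_clientcerts-style text table. The certificate it runs on is a constructed, unsigned, X.509-shaped dummy (an assumption made so the example runs offline); the uppercase normalisation of table keys is this example's own choice, not a statement about how Postfix folds case. Only the Python standard library is used.

```python
"""Added example: reproduce the cert and public-key fingerprints that
Postfix permit_tls_clientcerts matches against relay_clientcerts."""
import hashlib


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nb = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), 2 + nb
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(body: bytes):
    """Split a constructed value into (tag, raw TLV bytes) per child."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = der_read(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert_body, _ = der_read(cert_der)      # Certificate ::= SEQUENCE
    _, tbs_body, _ = der_read(cert_body)      # first child: tbsCertificate
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:       # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def postfix_hex(data: bytes, digest: str = "sha1") -> str:
    """Digest as colon-separated uppercase hex, as in relay_clientcerts."""
    return ":".join(f"{b:02X}" for b in hashlib.new(digest, data).digest())


def cert_fingerprint(cert_der: bytes, digest: str = "sha1") -> str:
    return postfix_hex(cert_der, digest)                 # whole DER cert


def pubkey_fingerprint(cert_der: bytes, digest: str = "sha1") -> str:
    return postfix_hex(extract_spki(cert_der), digest)   # SPKI only


def parse_relay_clientcerts(text: str) -> dict:
    """Parse 'fingerprint value' lines; keys normalised to uppercase here."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            table[key.upper()] = value.strip()
    return table


def would_permit(cert_der: bytes, table: dict, digest: str = "sha1"):
    """Mimic permit_tls_clientcerts: either fingerprint listed -> (fp, value)."""
    for fp in (cert_fingerprint(cert_der, digest), pubkey_fingerprint(cert_der, digest)):
        if fp in table:
            return fp, table[fp]
    return None


def build_sample_cert():
    """Constructed X.509-shaped dummy; not a real or signed certificate."""
    oid_rsa = der_tlv(0x06, bytes.fromhex("2A864886F70D010101"))   # rsaEncryption
    alg = der_tlv(0x30, oid_rsa + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + b"\x01" * 32))
    empty = der_tlv(0x30, b"")   # stands in for issuer, validity, subject
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # version v3
                  + der_tlv(0x02, b"\x01")                    # serialNumber
                  + alg + empty + empty + empty + spki)
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))
    return cert, spki


if __name__ == "__main__":
    cert, _ = build_sample_cert()
    # constructed one-line table, the shape of smarthost_clientcerts above
    table = parse_relay_clientcerts(pubkey_fingerprint(cert) + " commercial.crt\n")
    print("cert   fp:", cert_fingerprint(cert))
    print("pubkey fp:", pubkey_fingerprint(cert))
    print("sha1 lookup  :", would_permit(cert, table))
    print("sha256 lookup:", would_permit(cert, table, "sha256"))
```

To run it against a real client certificate, convert the PEM file with `ssl.PEM_cert_to_DER_cert(open(path).read())` from the standard library and pass the result to `would_permit`. The sha256 lookup at the end deliberately fails: a table filled with sha1 fingerprints can never match once smtpd_tls_fingerprint_digest names a different digest, so the digest used at the command line and the one configured on the smtpd listener must agree, and the fingerprint must be of the certificate the client actually presents during the TLS handshake.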
