On 5 May 2016, at 11:57, James B. Byrne wrote:

> On Thu, May 5, 2016 11:34, James B. Byrne wrote:
>> Can anyone clue me in on what configuration issue might be causing
>> this and whose configuration it is, mine or theirs?
>>
>> postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>> smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>> <impo...@lymanworldwide.com>: Sender address rejected: Access denied;
>> from=<impo...@lymanworldwide.com> to=<expo...@harte-lyne.ca>
>> proto=ESMTP helo=<smout-245176.nsmailserv.com>
>
> I discovered this issue in their DNS with respect to SPF:
>
> ;; ANSWER SECTION:
> lymanworldwide.com. 1800 IN TXT "v=spf1 include:netcore.co.in -all"
> lymanworldwide.com. 1800 IN TXT "v=spf1 include:spf.protection.outlook.com -all"

Yes, that's almost certainly the cause of the problem. Having 2 SPF TXT
records is fundamentally broken in addition to being formally incorrect.
There's no defined way to merge records and any of the obvious
mechanisms with those 2 records would be indeterminate because they are
explicitly contradictory and there is no way to prioritize one over the
other. The rejection is "soft" (450 instead of 550) because presumably
your SPF checking is configured to do that when SPF records are formally
improper.

> But it does not appear to me that the connection is getting to the
> point where SPF is considered.

Sure it is. The usual order of SMTP commands is

    (EHLO|HELO) MAIL RCPT (maybe multiple times) DATA QUIT

Your config includes:

    smtpd_recipient_restrictions = reject_non_fqdn_recipient,
        reject_unknown_recipient_domain, permit_mynetworks,
        permit_sasl_authenticated, reject_unauth_destination,
        reject_unauth_pipelining, check_policy_service
        unix:/var/spool/postfix/postgrey/socket, check_policy_service
        unix:private/policyd-spf, permit

Assuming that "policyd-spf" is where you check and enforce SPF, this
config entry means that it is checked for each recipient, i.e. each SMTP
"RCPT" command. The quoted log entry records that smtpd got a command
from 202.162.245.174 that was probably exactly like this:

    RCPT TO:<expo...@harte-lyne.ca>

and replied with something much like:

    450 4.7.1 <impo...@lymanworldwide.com>: Sender address rejected: Access denied

(the reply at least started with '450 4.7.1'; I'm not sure exactly what
smtpd says in the following text part but it really doesn't matter)
Postfix smtpd waits to make that check until RCPT because you told it to
do so explicitly by putting it in smtpd_recipient_restrictions and would
do so in any case (unless you put it in smtpd_data_restrictions, which
would be perverse) because smtpd_delay_reject=yes is a default setting.
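
The record-selection rule behind the "2 SPF TXT records" point above, as an added example that is not part of the original message: RFC 7208 section 4.5 discards TXT records that do not start with exactly "v=spf1" and yields permerror when more than one remains. The function names and the SINGLE_TXT sample are constructed for illustration; LYMAN_TXT is the answer section quoted in the thread.

```python
# Added example (not from the thread): SPF record selection per RFC 7208 section 4.5.

def join_txt(chunks):
    """A TXT record may carry several character-strings; SPF joins them with no separator."""
    return "".join(chunks)

def is_spf(record):
    """True only if the version tag is exactly 'v=spf1', followed by a space or end of record."""
    lowered = record.lower()
    return lowered == "v=spf1" or lowered.startswith("v=spf1 ")

def select_spf(txt_rrset):
    """txt_rrset: list of TXT records, each given as a list of character-strings.
    Returns (result, records) where result is 'none', 'permerror' or 'ok'."""
    candidates = [r for r in map(join_txt, txt_rrset) if is_spf(r)]
    if not candidates:
        return "none", []            # domain publishes no SPF policy
    if len(candidates) > 1:
        return "permerror", candidates  # no defined way to merge or prioritize
    return "ok", candidates

# TXT answers for lymanworldwide.com as quoted in the thread.
LYMAN_TXT = [
    ["v=spf1 include:netcore.co.in -all"],
    ["v=spf1 include:spf.protection.outlook.com -all"],
]

# Constructed sample: one SPF record split into two character-strings, next to
# unrelated TXT data. Assumes both services are meant to send for the domain,
# which the thread does not state.
SINGLE_TXT = [
    ["site-verification=constructed-value"],
    ["v=spf1 include:netcore.co.in ", "include:spf.protection.outlook.com -all"],
    ["v=spf10 -all"],  # not SPF: the version tag must be exactly v=spf1
]

if __name__ == "__main__":
    for name, rrset in (("as published", LYMAN_TXT), ("single record", SINGLE_TXT)):
        result, records = select_spf(rrset)
        print(f"{name}: {result}")
        for record in records:
            print(f"    {record}")
```
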