On 8/29/2016 11:34 AM, Scott W. Sander wrote:
> Here is the exact error message that is received by the mail client:

We prefer postfix log messages rather than messages from a mail client that may have been altered.

> -------
>
> Server error: '554 5.7.1 <client47.domain.com[10.10.10.47]:51423>: Client host rejected: Access denied'
>
> -------
>
> I know that this error is caused by the smtpd_client_restrictions parameter and not smtpd_relay_restrictions. Is there a way I can whitelist clients that authenticated to dovecot via IMAP in postfix as well as other application servers that are currently whitelisted by IP address? I thought the permit_sasl_authenticated entry in smtpd_client_restrictions would have solved the issue, but it doesn't seem to. The config line in question:
> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject

The client must either be listed in mynetworks, or must SASL AUTH to postfix. It does not consult dovecot to see who might be logged in via IMAP.

The easy solution is to require your clients to use SASL when sending mail.

If that isn't possible, then your restriction is too strict. Maybe you can use a check_client_access map with listed exceptions rather than a flat reject.

-- Noel Jones

> Here is postconf -n:
>
> -------
>
> user@appserver4:~$ postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> debug_peer_level = 1
> debug_peer_list = domain.com
> inet_interfaces = all
> inet_protocols = all
> lmtp_tls_security_level = none
> mailbox_size_limit = 0
> mydestination = appserver4.subdomain.domain.com, localhost.domain.com, localhost, mail.domain.test
> myhostname = mail.domain.test
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.253.254.225 10.254.254.225 10.254.254.226 10.254.254.171 10.254.254.172
> myorigin = /etc/mailname
> readme_directory = no
> recipient_delimiter = +
> relay_domains = domain.com
> relayhost = [exchangefe01.subdomain.domain.com]
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_sasl_type = cyrus
> smtp_tls_ciphers = medium
> smtp_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
> smtp_tls_mandatory_ciphers = medium
> smtp_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
> smtp_tls_note_starttls_offer = yes
> smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1
> smtp_tls_security_level = encrypt
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_use_tls = yes
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_client_connection_rate_limit = 1000
> smtpd_client_message_rate_limit = 1000
> smtpd_client_new_tls_session_rate_limit = 1000
> smtpd_client_port_logging = yes
> smtpd_client_recipient_rate_limit = 3000
> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
> smtpd_recipient_limit = 3000
> smtpd_reject_unlisted_sender = no
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unverified_recipient, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/certs/apps4_combined.pem
> smtpd_tls_ciphers = medium
> smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
> smtpd_tls_key_file = /etc/ssl/private/apps4_key.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_ciphers = medium
> smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
> smtpd_tls_received_header = yes
> smtpd_tls_req_ccert = no
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> strict_rfc821_envelopes = yes
> virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains
> virtual_transport = lmtp:unix:private/dovecot-lmtp
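One way to apply the check_client_access suggestion above, as an added example that is not from the thread: the map path /etc/postfix/client_access is assumed, and the client hostname and address are the ones from the quoted error message.

```conf
# main.cf excerpt (added example, not from the thread; the map path is assumed).
# Order matters: trusted networks and SASL-authenticated clients are permitted
# first, then the explicit exception list is consulted, and anything unmatched
# still hits the final reject, so the default stays deny.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/client_access,
    reject

# /etc/postfix/client_access (rebuild with "postmap /etc/postfix/client_access"
# after every edit, then "postfix reload").
# Lookup keys are tried as client hostname, its parent domains, the full IPv4
# address, then dotted prefixes (10.10.10.47, 10.10.10, 10.10, 10).
# hash: tables do not understand CIDR notation; use a cidr: table for that.
# One entry per application server, with the reason on the line above it,
# keeps the exception list reviewable.
# client47.domain.com, application server that cannot SASL AUTH (from the error)
10.10.10.47     OK
# Other hosts in the same /24 are already denied by the final reject; an
# explicit entry records that intent and attaches a clearer rejection text.
10.10.10        REJECT Client host not in the application-server allow list
```

Relaying is still governed separately by smtpd_relay_restrictions (reject_unauth_destination in the posted config), so an OK entry here lets the host talk to smtpd but does not let it relay to arbitrary destinations. Note also smtpd_tls_auth_only = yes in the posted config: a client that does not use STARTTLS is never offered AUTH, so permit_sasl_authenticated cannot match it.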