On 23 Feb 2018, at 3:49, Nikolaos Milas wrote:
Hello,
We are using Postfix v3.2.4 and we are facing the following problem:
A client (a data storage system) with an IPv6 address of
[2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport)
email and it's being denied access:
Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT
from unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1
<autosupp...@autosupport.datadomain.com>: Relay access denied;
from=<sysad...@noa.gr> to=<autosupp...@autosupport.datadomain.com>
proto=SMTP helo=<DD2500.astro.private.noa.gr>
All /48 IPv6 address block is included in mynetworks: ...,
[2001:648:2011::]/48, ...
The client does not support TLS or authentication. For such clients we
provide explicit permission:
smtpd_client_restrictions =
...
check_client_access cidr:/etc/postfix/non-tls-clients.cidr
permit_sasl_authenticated
reject
where /etc/postfix/non-tls-clients.cidr:
...
[2001:648:2011:a21:320e:d5ff:fec6:b55] OK
...
Please, be kind to help me understand what is causing this client
rejection and correct my postfix configuration.
postconf -n follows:
[...]
smtpd_client_restrictions = check_client_access
cidr:/etc/postfix/localhost.cidr check_client_access
cidr:/etc/postfix/gwservers.cidr check_client_access
cidr:/etc/postfix/non-tls-clients.cidr permit_sasl_authenticated
reject
[...]
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/protected_destinations permit_sasl_authenticated
reject_unverified_recipient reject_unauth_destination
The restriction lists in Postfix are run in a fixed logical order
(client, helo, sender, relay, recipient, data, end_of_data) and 'OK'
from an early restriction list (smtpd_client_restrictions) *DOES NOT*
prevent 'REJECT' by a later restriction list
(smtpd_recipient_restrictions). OK only terminates a single restriction
list, not the whole set of lists, so in this case the transaction is
exiting the smtpd_client_restrictions list with OK at
"check_client_access cidr:/etc/postfix/non-tls-clients.cidr" but it
still must pass through smtpd_recipient_restrictions, where it is
rejected by "reject_unauth_destination" because you are not the final
destination for the recipient domain nor do you have the recipient
domain in $relay_domains.
See the SMTPD_ACCESS_README file for complete details.
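
An added example, not part of the original thread and not Postfix code: a small Python model of the evaluation rule described in the reply above, covering only the two restriction lists shown in the quoted postconf -n output. The handled domain example.org, the treatment of the elided and unmodelled lookups as DUNNO, and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed from the post: the one table entry it shows (the others are elided).
NON_TLS_CLIENTS = [ipaddress.ip_network("2001:648:2011:a21:320e:d5ff:fec6:b55/128")]
# Assumption: a domain this server is final destination or relay for (placeholder).
HANDLED_DOMAINS = {"example.org"}

def check_client_access(s):
    ip = ipaddress.ip_address(s["client"])
    return "OK" if any(ip in net for net in NON_TLS_CLIENTS) else "DUNNO"

def permit_sasl_authenticated(s):
    return "OK" if s["sasl"] else "DUNNO"

def reject(s):
    return "REJECT"

def reject_unauth_destination(s):
    return "DUNNO" if s["rcpt_domain"] in HANDLED_DOMAINS else "REJECT"

# The two lists from the post, reduced to the restrictions that decide this
# case; the other lookups in them are assumed to return DUNNO.
CLIENT = [check_client_access, permit_sasl_authenticated, reject]
RECIPIENT = [permit_sasl_authenticated, reject_unauth_destination]

def evaluate(session, lists):
    """Run the lists in order: OK ends only the current list, REJECT ends all."""
    trace = []
    for name, restrictions in lists:
        for r in restrictions:
            result = r(session)
            if result == "REJECT":
                return "REJECT", trace + [(name, r.__name__, result)]
            if result == "OK":
                trace.append((name, r.__name__, result))
                break  # leave this list and continue with the next one
    return "ACCEPT", trace

def verdict(session, recipient_list=RECIPIENT):
    return evaluate(session, [("client", CLIENT), ("recipient", recipient_list)])

# The rejected session from the log line in the post (unauthenticated client).
storage = {"client": "2001:648:2011:a21:320e:d5ff:fec6:b55", "sasl": False,
           "rcpt_domain": "autosupport.datadomain.com"}

if __name__ == "__main__":
    print(verdict(storage))
```

In this model, verdict(storage) shows the client list ending with OK and the recipient list still rejecting, and passing a recipient list that repeats check_client_access ahead of reject_unauth_destination shows the same OK ending that list as well.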