Maybe I can answer the question myself - it would be nice if anybody
could confirm:

# postconf -d|grep smtpd_relay_restr
...
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination

I guess that I should set:

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination

Am I right?

Thank you in advance

Jan

On 08.07.2018 at 10:04, Jan P. Kessler wrote:
Hi,

I was wondering why the following error is returned as tempfail:

Jul 8 09:49:03 mx3 postfix-cluster/smtpd[3420]: connect from hwsrv-288880.hostwindsdns.com[108.174.196.241]
Jul 8 09:49:03 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT from hwsrv-288880.hostwindsdns.com[108.174.196.241]: 454 4.7.1 <1029mandadi...@gmail.com>: Relay access denied; from=<co...@jpkessler.de> to=<1029mandadi...@gmail.com> proto=ESMTP helo=<hwsrv-288880.hostwindsdns.com>
Jul 8 09:49:03 mx3 postfix-cluster/smtpd[3420]: lost connection after RCPT from hwsrv-288880.hostwindsdns.com[108.174.196.241]
Jul 8 09:49:03 mx3 postfix-cluster/smtpd[3420]: disconnect from hwsrv-288880.hostwindsdns.com[108.174.196.241] ehlo=1 mail=1 rcpt=0/1 commands=2/3
Jul 8 09:49:03 mx3 postfix-cluster/smtpd[3420]: connect from hwsrv-288880.hostwindsdns.com[108.174.196.241]
Jul 8 09:49:04 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT from hwsrv-288880.hostwindsdns.com[108.174.196.241]: 454 4.7.1 <1029mandadi...@gmail.com>: Relay access denied; from=<com...@jpkessler.de> to=<1029mandadi...@gmail.com> proto=ESMTP helo=<hwsrv-288880.hostwindsdns.com>
Jul 8 09:49:05 mx3 postfix-cluster/smtpd[3420]: lost connection after RCPT from hwsrv-288880.hostwindsdns.com[108.174.196.241]
Jul 8 09:49:05 mx3 postfix-cluster/smtpd[3420]: disconnect from hwsrv-288880.hostwindsdns.com[108.174.196.241] ehlo=1 mail=1 rcpt=0/1 commands=2/3

Here's the configuration:

# postconf mail_version
mail_version = 3.1.0

# postconf -n
absenderverifizierung = reject_unverified_sender
address_verify_map = btree:$data_directory/db_address_verify
address_verify_positive_refresh_time = 30d
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
delay_warning_time = 4h
empfaengerverifizierung = reject_unverified_recipient
empty_address_recipient = EMAIL-DIENST
greylistcheck = check_policy_service inet:127.0.0.1:10031
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
inet_interfaces = 10.10.10.3
mail_name = Mailservice
mail_owner = postfix
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
message_size_limit = 41943040
multi_instance_directories = /etc/postfix-cluster
multi_instance_enable = yes
multi_instance_wrapper = ${command_directory}/postmulti -p --
mydestination = localhost
myhostname = box4.jpkessler.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $myhostname
pfwpolicycheck = check_policy_service inet:127.0.0.1:10045
readme_directory = no
recipient_delimiter = +
relay_domains = jpkessler.de, jpkessler.info, notrust.de, postfwd.org,
    jpkit.de, jpkit.net, jpk.mine.nu, mail.jpkessler.de,
    mbox.jpkessler.de, test.jpkessler.de, notrust.de, cint.jpkessler.de,
    lists.jpkessler.de, box3.jpkessler.de, box4.jpkessler.de
relaycheck = permit_mynetworks, check_ccert_access
    cdb:/etc/postfix/tls_ccerts
relayhost =
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_tls_CAfile = /etc/postfix/CERTS/ca.cer
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/postfix/CERTS/fullchain.cer
smtp_tls_key_file = /etc/postfix/CERTS/jpkessler.de.key
smtp_tls_loglevel = 1
smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP Mailservice
smtpd_policy_service_max_idle = 600s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, permit_mynetworks,
    check_client_access cidr:/etc/postfix/allowed_ips, check_ccert_access
    cdb:/etc/postfix/tls_ccerts, reject_non_fqdn_sender,
    reject_unauth_destination, reject_unknown_sender_domain,
    pfwpolicycheck, empfaengerverifizierung, permit
smtpd_restriction_classes = relaycheck, pfwpolicycheck, greylistcheck,
    empfaengerverifizierung, absenderverifizierung
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/CERTS/ca.cer
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/postfix/CERTS/fullchain.cer
smtpd_tls_dh1024_param_file = /etc/postfix/CERTS/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/CERTS/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/postfix/CERTS/jpkessler.de.key
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
transport_maps = cdb:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = Unknown user -- Empfaenger unbekannt
unverified_sender_reject_code = 550

# postconf -Mf
smtp       inet  n       -       n       -       -       smtpd
pickup     fifo  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
    ${user}
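
Added example, not part of the original thread: a small Python parser for smtpd `NOQUEUE: reject` lines in the format quoted above. It counts "Relay access denied" replies per client and separates temporary (4xx) from permanent (5xx) codes, so the effect of `defer_unauth_destination` versus `reject_unauth_destination` can be checked in the log. The sample log lines, host names and addresses are constructed (documentation ranges); the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the smtpd log format quoted in the message.
# Hosts and addresses are documentation values, not taken from the thread.
SAMPLE_LOG = """\
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: connect from probe.example.net[192.0.2.10]
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT from probe.example.net[192.0.2.10]: 454 4.7.1 <user@example.org>: Relay access denied; from=<a@example.com> to=<user@example.org> proto=ESMTP helo=<probe.example.net>
Jul  8 09:49:04 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT from probe.example.net[192.0.2.10]: 454 4.7.1 <user@example.org>: Relay access denied; from=<a@example.com> to=<user@example.org> proto=ESMTP helo=<probe.example.net>
Jul  8 09:50:00 mx3 postfix/smtpd[3421]: NOQUEUE: reject: RCPT from relay.example.com[198.51.100.7]: 554 5.7.1 <user@example.org>: Relay access denied; from=<b@example.com> to=<user@example.org> proto=ESMTP helo=<relay.example.com>
Jul  8 09:51:00 mx3 postfix-cluster/smtpd[3422]: NOQUEUE: reject: RCPT from mail.example.com[203.0.113.5]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: Unknown user; from=<c@example.com> to=<nobody@example.org> proto=ESMTP helo=<mail.example.com>
"""

# Matches both "postfix/smtpd" and multi-instance names such as
# "postfix-cluster/smtpd"; only relay denials are captured.
REJECT_RE = re.compile(
    r"postfix[^/\s]*/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>[45]\d\d) "
    r"(?P<dsn>\d\.\d+\.\d+) <(?P<rcpt>[^>]*)>: Relay access denied;"
)


def relay_denials(log_text):
    """Return {client_ip: {"temporary": n, "permanent": n}} for relay denials."""
    counts = defaultdict(lambda: {"temporary": 0, "permanent": 0})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # other rejects (e.g. unknown user) are ignored
        kind = "temporary" if m.group("code").startswith("4") else "permanent"
        counts[m.group("ip")][kind] += 1
    return dict(counts)


def clients_still_deferred(log_text):
    """Client IPs whose relay attempts received a 4xx reply."""
    return sorted(ip for ip, c in relay_denials(log_text).items() if c["temporary"])


if __name__ == "__main__":
    for ip, c in sorted(relay_denials(SAMPLE_LOG).items()):
        print(ip, c)
    print("4xx relay denials from:", clients_still_deferred(SAMPLE_LOG))
```

A non-empty result from `clients_still_deferred` after a configuration change means some relay attempts are still being answered with a temporary code.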