Hello, I'm trying to get a new mail server going. It's running in a FreeBSD 12.0 jail with Postfix 3.4.5 and Dovecot 2.3.6. The machine's IP is 172.16.21.3. I'm on the host, telnetting to the server on port 25, and after RCPT I'm getting:
Jun 17 13:47:49 mail postfix/smtpd[29888]: NOQUEUE: reject: RCPT from mail.example.local[172.16.21.3]: 554 5.7.1 <u...@gmail.com>: Relay access denied; from=<u...@example.com> to=<u...@gmail.com> proto=ESMTP helo=<example.com>
I believe I've got a configuration issue with my *restrictions, i'd appreciate any suggestions. I've got a full postconf -n later. All of my users are virtual in a mysql database, the db communication is working fine and returning the appropriate results. Thanks. Dave.
main.cf (snipet):
# Excerpt of main.cf as posted: listener address, Dovecot SASL, the smtpd_*
# restriction lists, TLS settings for smtpd (inbound) and smtp (outbound),
# and three mua_* restriction lists.
inet_interfaces = 172.16.21.3
mydestination = 172.16.21.3
mynetworks = $config_directory/mynetworks
# Dovecot sasl authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = no
# NOTE(review): only "noanonymous" is set for non-TLS sessions, so plaintext
# mechanisms are not excluded there, and smtpd_tls_auth_only is "no" further
# down. That does not match the intent stated in the next comment. If
# plaintext AUTH is meant to require TLS, add "noplaintext" here or set
# smtpd_tls_auth_only = yes - confirm which is intended.
smtpd_sasl_security_options = noanonymous
# but plaintext auth is fine when using TLS
smtpd_sasl_tls_security_options = noanonymous
# Restrictions for all sending foreign servers ("SMTP clients")
smtpd_client_restrictions =
    permit_sasl_authenticated
    reject_unknown_reverse_client_hostname
    check_client_access cidr:/usr/local/etc/postfix/spamfarms
    check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
    check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
# helo restrictions
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    check_helo_access hash:/usr/local/etc/postfix/helo_access,
# sender restrictions
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    ,check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx
    check_sender_access hash:/usr/local/etc/postfix/safe_addresses
    check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
# NOTE(review): this list contains no permit_mynetworks, so a client that has
# not authenticated is refused for recipients in domains this server does not
# handle. The logged "554 5.7.1 ... Relay access denied" for a gmail.com
# recipient is consistent with reject_unauth_destination firing here;
# presumably the telnet session did not AUTH - confirm. Refusing that relay is
# the safe behaviour; widen it only for clients that are actually trusted.
smtpd_relay_restrictions =
    permit_sasl_authenticated
    reject_unauth_destination
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unauth_pipelining
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    reject_unlisted_recipient
# TLS parameters
smtp_use_tls = yes
smtpd_use_tls = yes
# "no" means AUTH is also offered on sessions that have not negotiated TLS.
smtpd_tls_auth_only = no
smtpd_tls_eccert_file = /usr/local/etc/ssl/acme.sh/example.com/fullchain.crt
smtpd_tls_eckey_file = /usr/local/etc/ssl/acme.sh/example.com/private/server-ec256.key
smtpd_tls_CAfile = /usr/local/etc/ssl/acme.sh/example.com/cacert.crt
smtpd_tls_eecdh_grade = ultra
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
# "may" is opportunistic TLS: inbound clients are offered STARTTLS but are
# not required to use it.
smtpd_tls_security_level = may
smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/dh.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes
tls_preempt_cipherlist = yes
tls_high_cipherlist = ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_ciphers = high
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Same parameter and value as two lines above (it appears a third time below).
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols=!SSLv2,!SSLv3, !TLSv1
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3, !TLSv1
smtp_tls_mandatory_ciphers = medium
# NOTE(review): "EDH-RSA-DES-CDC3-SHA" and "KRB5-DE5" differ from the
# "EDH-RSA-DES-CBC3-SHA" and "KRB5-DES" entries in
# smtpd_tls_mandatory_exclude_ciphers above. They look like typos; if so,
# these two entries would not match the ciphers they were meant to
# exclude - verify against the live config.
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_ciphers = high
# NOTE(review): smtpd_tls_cert_file and smtpd_tls_key_file are not set in this
# snippet (only the eccert/eckey variants are); check in the full postconf -n
# output what these two references expand to.
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# NOTE(review): the mua_* names below are user-defined; presumably they are
# referenced from a submission service entry in master.cf, which is not
# shown - confirm. Each list ends in an explicit "reject", so anything that is
# neither in mynetworks nor SASL-authenticated is refused.
mua_relay_restrictions =
    reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject