Hi all, I am having some trouble with filtering incoming mail. First, I do not understand certain "access denied" actions. Second, I cannot get filtering by sender domain to work correctly.
Relevant configuration snippets: see below.

1. "access denied" actions

In the logs, I see several messages like these:

Nov 13 11:04:43 prokyon postfix/smtpd[30195]: connect from s1.namares.eu[93.189.46.48]
Nov 13 11:04:44 prokyon postfix/smtpd[30195]: NOQUEUE: reject: RCPT from s1.namares.eu[93.189.46.48]: 554 5.7.1 <rob....@microscopium.de>: Recipient address rejected: Access denied; from=<u...@namares.eu> to=<rob....@microscopium.de> proto=ESMTP helo=<mail.namares.eu>
Nov 13 11:04:44 prokyon postfix/smtpd[30195]: disconnect from s1.namares.eu[93.189.46.48] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6

Postfix immediately says "access denied". I see these lines for a small number of domains, and only these three lines, nothing else. There's no reason logged, as there is if other filtering options trigger (e.g. "Helo command rejected: need fully-qualified hostname"). So, what is going on here? None of the affected domains is listed in any access restrictions file/db. At least one important domain (a big business social network, popular in Germany) is affected and this is a problem for us.

2. Filtering by sender domain not working

I am trying to reject emails coming in from certain domains (e.g. .sxxt.de, see below), but I can't get it to work. I've put the domains into sender_access and recipient_access files, ran postmap, but emails still go through. I already tried to put sender_access and recipient_access into smtpd_sender_restrictions and smtpd_recipient_restrictions in different combinations/order, but no luck. I never see "550" in the logs. Why?

Thanks for help.
Robert

Access restrictions:

root@prokyon:/etc/postfix# cat sender_access
newslet...@info.sxxt.de 550 Blacklisted
info.sxxt.de 550 Blacklisted
i...@e.sxxt.de 550 Blacklisted
e.sxxt.de 550 Blacklisted

root@prokyon:/etc/postfix# cat sender_access
newslet...@info.sxxt.de 550 Blacklisted

root@prokyon:/etc/postfix# cat client_access
debian.org OK

root@prokyon:/etc/postfix# cat helo_access
maxx.maxx.shmoo.com OK

Smtp configuration:

master.cf (snippet):

smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=no
    -o { smtpd_client_restrictions =
        check_client_access hash:/etc/postfix/client_access,
        reject_unknown_client_hostname,
        reject_unauth_pipelining,
        permit }
    -o { smtpd_helo_restrictions =
        check_helo_access hash:/etc/postfix/helo_access,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname,
        reject_unauth_pipelining,
        permit }
    -o { smtpd_sender_restrictions =
        reject_unknown_sender_domain,
        reject_non_fqdn_sender,
        permit }
    -o { smtpd_relay_restrictions =
        reject_unauth_destination,
        reject_unauth_pipelining,
        permit }
    -o { smtpd_recipient_restrictions =
        reject_unauth_destination,
        reject_unauth_pipelining,
        check_sender_access hash:/etc/postfix/sender_access,
        check_recipient_access hash:/etc/postfix/recipient_access,
        check_policy_service unix:/var/run/postgrey/postgrey.sock,
        check_policy_service unix:private/policy-spf,
        permit }
    -o { milter_macro_daemon_name = ORIGINATING }
    -o { smtpd_milters =
        unix:/var/run/opendkim/opendkim.sock,
        unix:/var/run/opendmarc/opendmarc.sock,
        unix:/var/run/clamav/clamav-milter.ctl,
        unix:/var/run/spamass/spamass.sock }

-- 
Robert Senger
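
One way to enumerate the bare "Access denied" rejects described in point 1, grouped by sender domain, so the affected domains and client IPs can be checked against the access tables and policy services. This is an added example, not part of the original post; the log lines are constructed in the format quoted above with placeholder hosts and addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the post;
# hosts, IPs and addresses are placeholders, not values from the post.
SAMPLE_LOG = """\
Nov 13 11:04:43 mx postfix/smtpd[30195]: connect from mail.example.net[192.0.2.10]
Nov 13 11:04:44 mx postfix/smtpd[30195]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 554 5.7.1 <bob@example.org>: Recipient address rejected: Access denied; from=<news@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.net>
Nov 13 11:05:02 mx postfix/smtpd[30201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<a@example.com> to=<bob@example.org> proto=ESMTP helo=<localhost>
Nov 13 11:06:10 mx postfix/smtpd[30210]: NOQUEUE: reject: RCPT from mx2.example.net[192.0.2.11]: 554 5.7.1 <bob@example.org>: Recipient address rejected: Access denied; from=<info@sub.example.net> to=<bob@example.org> proto=ESMTP helo=<mx2.example.net>
"""

# Fields of a Postfix smtpd "NOQUEUE: reject" line. The reason is matched
# non-greedily up to "; from=<" so reasons containing ';' stay intact.
REJECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"<(?P<subject>[^>]*)>: (?P<what>.+?) rejected: (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)


def parse_rejects(log_text):
    """Return one dict of fields per smtpd 'NOQUEUE: reject' line."""
    matches = map(REJECT_RE.search, log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def generic_denials(rejects):
    """Group rejects whose only logged reason is 'Access denied' by sender domain."""
    by_domain = defaultdict(list)
    for r in rejects:
        if r["reason"].strip() == "Access denied":
            # Null sender (from=<>) has no domain; report it as "<>".
            domain = r["sender"].rpartition("@")[2].lower() or "<>"
            by_domain[domain].append((r["ip"], r["helo"], r["rcpt"]))
    return dict(by_domain)


if __name__ == "__main__":
    for domain, hits in sorted(generic_denials(parse_rejects(SAMPLE_LOG)).items()):
        print(domain, hits)
```
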