Hi,

First, thank you for all the work you do/have done on Postfix!

I have been using Postfix for 15+ years to handle mail for a handful
of my domains.  I upgraded my mail server from Debian 8 to 10 a couple
months ago, and was running 3.4.10-0+deb10u1 as of the time I last saw
the issue below.

I noticed a couple days ago that there have been a few instances where
I expected a connection to have failed with 'Relay access denied' but
was instead rejected with 'Client host rejected: cannot find your
hostname', for example:

Aug  4 06:05:13 smtp2 postfix/smtpd[10561]: connect from unknown[185.234.216.226]
Aug  4 06:05:14 smtp2 postfix/smtpd[10561]: 01BF6417EF: client=unknown[185.234.216.226]
Aug  4 06:05:14 smtp2 postfix/smtpd[10561]: 01BF6417EF: reject: RCPT from unknown[185.234.216.226]: 450 4.7.25 Client host rejected: cannot find your hostname, [185.234.216.226]; from=<5rz5q2lvy6n9jfuolhhgg...@5rz5q2lvy6n9jfuolhhggumm.linux.com> to=<c...@yauheng.com> proto=SMTP helo=<5rZ5Q2LVy6N9JFUoLHHGGUMM.linux.com>
Aug  4 06:05:14 smtp2 postfix/smtpd[10561]: disconnect from unknown[185.234.216.226] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

so I am obviously concerned that my relay restriction may not be
properly implemented.

I don't know whether this is a new behavior since upgrading, and even
since upgrading I have seen relay denied:

Jul 24 10:27:39 smtp2 postfix/smtpd[13488]: C25DE417F1: reject: RCPT from ip116.ip-149-56-180.net[149.56.180.116]: 554 5.7.1 <t...@gmail.com>: Relay access denied; from=<t...@sample.com> to=<t...@gmail.com> proto=SMTP helo=<win-avtrfec0scc.domain>

I believe the relevant parts of main.cf are:

compatibility_level = 0
mydomain = <my primary domain>.net
myhostname = smtp2.<my primary domain>.net
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
inet_interfaces = all

virtual_alias_domains = <a few more domains>

smtpd_relay_restrictions =
        permit_mynetworks,
        reject_unauth_destination,

smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
        .....,
        reject_unknown_client_hostname,
        .....


smtpd_relay_restrictions is documented as being checked before
smtpd_recipient_restrictions, and since the mail is being failed in
smtpd_recipient_restrictions, I am assuming smtpd_relay_restrictions
is not failing, and thus either permit_mynetworks is passing, or
reject_unauth_destination is not rejecting.

|       permit_mynetworks
|              Permit  the  request when the client IP address matches any net-
|              work or network address listed in  $mynetworks.

Seems like that should not be passing.

|       reject_unauth_destination
|              Reject the request unless one of the following is true:
|
|       o      Postfix  is  mail forwarder: the resolved RCPT TO domain matches
|              $relay_domains  or  a  subdomain  thereof,   and   contains   no
|              sender-specified routing (user@elsewhere@domain),
|
|       o      Postfix  is  the  final destination: the resolved RCPT TO domain
|              matches  $mydestination,  $inet_interfaces,   $proxy_interfaces,
|              $virtual_alias_domains,  or  $virtual_mailbox_domains,  and con-
|              tains no sender-specified routing (user@elsewhere@domain).
|              The relay_domains_reject_code parameter specifies  the  response
|              code for rejected requests (default: 554).

According to postconf output, these are the relevant defaults:
relay_domains = ${{$compatibility_level} < {2} ? {$mydestination} : {}}
proxy_interfaces =
virtual_mailbox_domains = $virtual_mailbox_maps
virtual_mailbox_maps =

So I don't see either of those conditions passing either.

Any ideas what I've done wrong here?

thank you,
Greg
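
A way to audit reject lines like the ones quoted in the message above, as an added example that is not part of the original post: it sorts each RCPT reject by whether the recipient domain is one the server is final destination for, since the quoted reject_unauth_destination text only rejects recipients outside those domains. The names `LOCAL_DOMAINS`, `classify` and `audit`, the domain list and the sample log lines are all constructed assumptions.

```python
import re

# Assumption: the domains this server is final destination for (mydestination
# plus virtual_alias_domains). Constructed placeholders; exact match only.
LOCAL_DOMAINS = {"example.net", "smtp2.example.net", "example.org"}

REJECT_RE = re.compile(
    r"reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) \d\.\d+\.\d+ "
    r"(?P<text>.*?); from=<[^>]*> to=<(?P<rcpt>[^>]*)>"
)

def classify(line, local_domains=LOCAL_DOMAINS):
    """Return None for non-reject lines, else (client, code, domain, verdict)."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    domain = m["rcpt"].rpartition("@")[2].lower()
    if domain in local_domains:
        # Final-destination recipient: the relay check has nothing to reject,
        # so any reject comes from a later restriction.
        verdict = "local-recipient"
    elif "Relay access denied" in m["text"]:
        verdict = "relay-blocked"
    else:
        # Remote recipient turned away for another reason: either an earlier
        # restriction list answered first or the relay check let it through.
        verdict = "investigate"
    return (m["client"], m["code"], domain, verdict)

# Constructed sample lines (documentation addresses, not taken from the post).
SAMPLE_LOG = [
    "Aug  4 06:05:13 mx postfix/smtpd[100]: connect from unknown[192.0.2.10]",
    "Aug  4 06:05:14 mx postfix/smtpd[100]: A1: reject: RCPT from unknown[192.0.2.10]: "
    "450 4.7.25 Client host rejected: cannot find your hostname, [192.0.2.10]; "
    "from=<a@sender.example> to=<user@Example.org> proto=SMTP helo=<h.example>",
    "Jul 24 10:27:39 mx postfix/smtpd[101]: B2: reject: RCPT from host.example[198.51.100.7]: "
    "554 5.7.1 <t@remote.example>: Relay access denied; "
    "from=<s@sender.example> to=<t@remote.example> proto=SMTP helo=<x.example>",
    "Aug  5 01:00:00 mx postfix/smtpd[102]: C3: reject: RCPT from unknown[203.0.113.5]: "
    "450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.5]; "
    "from=<s@sender.example> to=<v@remote.example> proto=SMTP helo=<y.example>",
]

def audit(lines=SAMPLE_LOG):
    """Classify every reject line, skipping everything else."""
    return [r for r in map(classify, lines) if r is not None]

if __name__ == "__main__":
    for row in audit():
        print(*row, sep="\t")
```

Only rows marked `investigate` point at a remote recipient that got past the relay check or was answered by an earlier restriction list; the domain set must mirror the real `postconf` values for the result to mean anything.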