
294808 Re: how to see my_networks check in peer_debug, level 2 or greater?

  • Len Conrad
    Aug 19, 2013
      >On Fri, Aug 16, 2013 at 04:22:50PM -0500, lconrad@... wrote:
      >> postconf mail_version
      >> mail_version = 2.3.3
      >>
      >>
      >> uname -a
      >> Linux ..... 2.6.18-128.2.1.el5 #1 SMP Wed Jul 8 11:54:47 EDT 2009
      >> x86_64 x86_64 x86_64 GNU/Linux
      >>
      >> got an "access denied" for an IP that is in a /20 postconf confirms
      >> is in mynetworks
      >
      >If by peer_debug in the Subject header, you are referring to the
      >debug_peer_list parameter, that's generally most useful for looking
      >for bugs in Postfix itself. Since you are using a version which was
      >EOL four years ago, there is no point in looking for bugs.
      >
      >Perhaps you'd do better here by describing the problem and goal,
      >showing your "postconf -n" and relevant NON-verbose logs for one mail
      >which wasn't handled as you expected.
      >
      >If your smtpd(8) instance has any -o option overrides, you must show
      >those as well. Pro tip: any smtpd or other daemon definition with -o
      >overrides should also include a " -o syslog_name=postfix/foo" where
      >"foo" is something relevant to what this instance does.
      >
      >"Access denied" means a "reject" restriction or access(5) lookup
      >result was encountered. There are of course 52.001 gazillion reasons
      >which could cause this.
      >
      >Good luck. I suggest you review this before posting again:
      >
      >http://www.postfix.org/DEBUG_README.html#mail

      ok, ok, been doing this postfix stuff for 10+ years, it's simpler than full debug_readme:


      smtpd_recipient_restrictions =
      check_client_access hash:/etc/postfix/mta_clients_black.map,
      check_client_access hash:/etc/postfix/webmail_client.class,
      check_helo_access pcre:/etc/postfix/4tuple_main_unfiltered.pcre,
      reject_unauth_pipelining,
      reject_unknown_sender_domain,
      reject_unknown_recipient_domain,
      permit_mynetworks,
      ...
      permit_sasl_authenticated,
      reject

      the IPs with "Access denied" probably from the final "reject" after "permit_sasl_authenticated" are:

      NOT matching before mynetworks and

      are all in the mynetworks as members of 3 /20s,

      so they should have not been denied access.

      debug shows only match_hostname for "smtpd_client_event_limit_exceptions", but not for peer debugging.

      thanks,
      Len

      ================



      >> the only match_hostname I see is for
      >> smtpd_client_event_limit_exceptions
      >--
      > http://rob0.nodns4.us/ -- system administration and consulting
      > Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
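
Added example, not part of the original message and not Postfix code: a simplified Python model of the first-match evaluation of the restriction list posted above. It shows which restriction decides for a given client, including a client inside mynetworks that is rejected before permit_mynetworks is reached. The networks, table contents and session fields are constructed assumptions, and the elided "..." entries and the lookups whose tables are not shown in the thread are left out.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the thread).
MYNETWORKS = ["10.10.0.0/20", "10.20.16.0/20", "172.16.32.0/20"]
CLIENT_BLACKLIST = {"10.10.3.7": "REJECT"}   # stands in for mta_clients_black.map
UNRESOLVABLE_DOMAINS = {"no-such-domain.invalid"}


def in_mynetworks(ip, networks=MYNETWORKS):
    """True if ip is inside any block; strict=True raises on host bits set in a block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=True) for n in networks)


def decide(s):
    """Walk the restrictions in the posted order and return (restriction, action)
    for the first one that gives a decision. None means "no decision, keep going"."""
    checks = [
        ("check_client_access (black map)",
         lambda: CLIENT_BLACKLIST.get(s["client_ip"])),
        ("reject_unknown_sender_domain",
         lambda: "REJECT" if s["sender_domain"] in UNRESOLVABLE_DOMAINS else None),
        ("reject_unknown_recipient_domain",
         lambda: "REJECT" if s["rcpt_domain"] in UNRESOLVABLE_DOMAINS else None),
        ("permit_mynetworks",
         lambda: "PERMIT" if in_mynetworks(s["client_ip"]) else None),
        ("permit_sasl_authenticated",
         lambda: "PERMIT" if s.get("sasl_user") else None),
        ("reject", lambda: "REJECT"),
    ]
    for name, check in checks:
        action = check()
        if action:
            return name, action


if __name__ == "__main__":
    base = {"sender_domain": "example.com", "rcpt_domain": "example.org"}
    samples = [
        {**base, "client_ip": "10.10.5.1"},    # inside the first /20
        {**base, "client_ip": "10.10.16.1"},   # one address block past that /20
        {**base, "client_ip": "10.10.3.7"},    # inside mynetworks but in the black map
        {**base, "client_ip": "10.20.17.9",
         "sender_domain": "no-such-domain.invalid"},
    ]
    for s in samples:
        print(s["client_ip"], "->", decide(s))
```
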