
Client can't access through submission protocol

  • Pierre-Gilles RAYNAUD
    Message 1 of 3 , Nov 12 11:30 PM
      Hi Everyone,

      The submission port is setup like this
        submission inet n       -       n       -       -       smtpd
          -o smtpd_tls_security_level=encrypt
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_sasl_security_options=noanonymous
          -o smtpd_sender_restrictions=reject_unknown_sender_domain,reject_non_fqdn_sender
          -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject
          -o milter_macro_daemon_name=ORIGINATING

      and when the client application is outside the mynetwork definition,
      i.e.: domaingprs.tld (see below)
      we get this error,

         Nov 11 14:16:31 serv001 postfix/smtpd[30545]: connect from wn1nat29.domaingprs.tld[xxx.yyy.zzz.29]
         Nov 11 14:16:42 serv001 postfix/smtpd[30545]: NOQUEUE: reject: RCPT from wn1nat29.domaingprs.tld[xxx.yyy.zzz..29]: 454 4.7.1 <wn1nat29.domaingprs.tld[xxx.yyy.zzz.29]>: Client host rejected: Access denied; from=<user@...> to=<someone@...> proto=ESMTP helo=<[10.224.148.220]>
         Nov 11 14:16:48 serv001 postfix/smtpd[30545]: disconnect from wn1nat29.domaingprs.tld[xxx.yyy.zzz.29]

      but when the client application is inside our network definition, the
      mail is correctly sent.

      We have tried to add a
         check_sender_access hash:/etc/postfix/client-access
      clause with
        /etc/postfix/client-access
        domaingprs.tld OK
      at
        smtpd_client_restrictions
      but the syntax
          -o smtpd_client_restrictions=permit_mynetworks,check_client_access hash:/etc/postfix/client-access,permit_sasl_authenticated,reject_non_fqdn_recipient,reject
      is incorrect

      Postfix Version: 2.7.1-1+squeeze1

      How to solve this issue?
      Thank you for your attention.

      Faithfully
      --
      PGR
    • Noel Jones
      Message 2 of 3 , Nov 13 7:08 AM
        On 11/13/2012 1:30 AM, Pierre-Gilles RAYNAUD wrote:
        > Hi Everyone,
        >
        > The submission port is setup like this
        > submission inet n - n - - smtpd
        > -o smtpd_tls_security_level=encrypt
        > -o smtpd_sasl_auth_enable=yes
        > -o smtpd_sasl_security_options=noanonymous
        > -o
        > smtpd_sender_restrictions=reject_unknown_sender_domain,reject_non_fqdn_sender

        OK so far.

        > -o
        > smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject
        > -o milter_macro_daemon_name=ORIGINATING

        This isn't the cause of your rejections, but the
        reject_non_fqdn_recipient above is useless. If mail is in
        mynetworks or authenticated, it will pass anyway. Otherwise it is
        rejected anyway. If you want to enforce non fqdn recipient, move it
        to the front of the list.


        >
        > and when the client application is outside the mynetwork definition,
        > i.e.: domaingprs.tld (see below)
        > we get this error,
        >
        > Nov 11 14:16:31 serv001 postfix/smtpd[30545]: connect from
        > wn1nat29.domaingprs.tld[xxx.yyy.zzz.29]
        > Nov 11 14:16:42 serv001 postfix/smtpd[30545]: NOQUEUE: reject: RCPT
        > from wn1nat29.domaingprs.tld[xxx.yyy.zzz..29]: 454 4.7.1
        > <wn1nat29.domaingprs.tld[xxx.yyy.zzz.29]>: Client host rejected: Access
        > denied; from=<user@...> to=<someone@...> proto=ESMTP
        > helo=<[10.224.148.220]>
        > Nov 11 14:16:48 serv001 postfix/smtpd[30545]: disconnect from
        > wn1nat29.domaingprs.tld[xxx.yyy.zzz.29]
        >
        > but when the client application is inside our network definition, the
        > mail is correctly sent.

        Your settings in main.cf are interfering with your submission port.
        Add to your submission entry:
        -o smtpd_helo_restrictions=
        -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

        You might want to add permit_mynetworks to the above also, but
        that's not usually used on the submission port.


        -- Noel Jones
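
A small checker for the points raised in this reply, as an added example that is not part of the original thread and is not Postfix code. It flags restriction lists the submission entry leaves to main.cf, `reject_*` checks that sit directly before a final `reject`, and `-o` values broken by whitespace (as in the `check_client_access hash:...` attempt in the first message). The names `lint_entry`, `STAGES` and `POSTED` are hypothetical.

```python
# Restriction lists that smtpd consults for each RCPT TO. A list that the
# master.cf entry does not override with -o is inherited from main.cf.
STAGES = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
          "smtpd_sender_restrictions", "smtpd_recipient_restrictions")

def lint_entry(entry):
    """Return a list of (kind, detail) findings for one master.cf service entry."""
    tokens = entry.split()[8:]  # skip the eight service fields before the options
    overrides, findings = {}, []
    i = 0
    while i < len(tokens):
        if tokens[i] == "-o" and i + 1 < len(tokens) and "=" in tokens[i + 1]:
            name, _, value = tokens[i + 1].partition("=")
            overrides[name] = value
            i += 2
        else:
            # master.cf is split on whitespace, so a space inside a -o value
            # leaves the remainder behind as a separate argument.
            findings.append(("stray-token", tokens[i]))
            i += 1
    for stage in STAGES:
        if stage not in overrides:
            findings.append(("inherited-from-main.cf", stage))
            continue
        items = [x for x in overrides[stage].split(",") if x]
        # Heuristic from the reply above: a reject_* check sitting directly in
        # front of a final unconditional "reject" cannot change the outcome.
        if items and items[-1] == "reject":
            for item in reversed(items[:-1]):
                if not item.startswith("reject_"):
                    break
                findings.append(("redundant-before-reject", f"{stage}: {item}"))
    return findings

# Constructed sample: the submission entry from the first message, unwrapped.
POSTED = """submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sender_restrictions=reject_unknown_sender_domain,reject_non_fqdn_sender
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

if __name__ == "__main__":
    for kind, detail in lint_entry(POSTED):
        print(f"{kind}: {detail}")
```
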
      • Pierre-Gilles RAYNAUD
        Message 3 of 3 , Nov 17 9:34 AM
          On 13/11/12 19:08, Noel Jones wrote:
          > On 11/13/2012 1:30 AM, Pierre-Gilles RAYNAUD wrote:
          >> Hi Everyone,
          >>
          >> The submission port is setup like this
          >> submission inet n - n - - smtpd
          >> -o smtpd_tls_security_level=encrypt
          >> -o smtpd_sasl_auth_enable=yes
          >> -o smtpd_sasl_security_options=noanonymous
          >> -o
          >> smtpd_sender_restrictions=reject_unknown_sender_domain,reject_non_fqdn_sender
          > OK so far.
          >
          >> -o
          >> smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,reject
          >> -o milter_macro_daemon_name=ORIGINATING
          > This isn't the cause of your rejections, but the
          > reject_non_fqdn_recipient above is useless. If mail is in
          > mynetworks or authenticated, it will pass anyway. Otherwise it is
          > rejected anyway. If you want to enforce non fqdn recipient, move it
          > to the front of the list.
          >
          Thank you for the advice.
          I have updated accordingly.
          I used an example as model.
          >> and when the client application is outside the mynetwork definition,
          >> i.e.: domaingprs.tld (see below)
          >> we get this error,
          >>
          >> Nov 11 14:16:31 serv001 postfix/smtpd[30545]: connect from
          >> wn1nat29.domaingprs.tld[xxx.yyy.zzz.29]
          >> Nov 11 14:16:42 serv001 postfix/smtpd[30545]: NOQUEUE: reject: RCPT
          >> from wn1nat29.domaingprs.tld[xxx.yyy.zzz..29]: 454 4.7.1
          >> <wn1nat29.domaingprs.tld[xxx.yyy.zzz.29]>: Client host rejected: Access
          >> denied; from=<user@...> to=<someone@...> proto=ESMTP
          >> helo=<[10.224.148.220]>
          >> Nov 11 14:16:48 serv001 postfix/smtpd[30545]: disconnect from
          >> wn1nat29.domaingprs.tld[xxx.yyy.zzz.29]
          >>
          >> but when the client application is inside our network definition, the
          >> mail is correctly sent.
          > Your settings in main.cf are interfering with your submission port.
          > Add to your submission entry:
          > -o smtpd_helo_restrictions=
          > -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
          >
          > You might want to add permit_mynetworks to the above also, but
          > that's not usually used on the submission port.
          >
          >
          > -- Noel Jones
          I did.
          But the issue was elsewhere .... and solved
          Thank you for your time and advice.

          PGR