On Mar 9, 2026, at 01:30, Viktor Dukhovni via Postfix-users <[email protected]> wrote: > > On Sun, Mar 08, 2026 at 11:28:30PM -0700, Doug Hardie via Postfix-users wrote: > >> However, mail from one of my machines on the local network (10.0.1.x) >> is rejected. I enabled trace for 10.0.1.250 and tried to deliver a >> message. It failed and here is an extract of the debug log: >> >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: >>> START Recipient >> address >> RESTRICTIONS <<< >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: generic_checks: >> name=permit >> _mynetworks >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: permit_mynetworks: >> master 1 >> 0.0.1.250 >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: match_hostname: >> mynetworks: >> master ~? 10.0.1.0/24 >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: match_hostaddr: >> mynetworks: >> 10.0.1.250 ~? 10.0.1.0/24 >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: smtpd_acl_permit: >> checking >> smtpd_log_access_permit_actions settings >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: match_list_match: >> permit_my >> networks: no match >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: smtpd_acl_permit: >> smtpd_log >> _access_permit_actions: no match >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: generic_checks: >> name=permit >> _mynetworks status=1 > > The address **passed** the "permit_mynetworks" check (status=1). > This permit action was not explictly logged, because the string > "permit_mynetworks" is not matched by the (default value of) > $smtpd_log_access_permit_actions (that "no match" may have confused > you).
Sure did. I think I understand that now. Usually return code 0 is good and non-zero values indicate problems. It wasn't obvious that 1 is good and above on is a problem. > >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: generic_checks: >> name=permit >> _sasl_authenticated status=0 > > The "permit_sasl_authenticated" test did not pass. The client did not use authentication as it is on my local LAN. > >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: NOQUEUE: reject: RCPT >> from >> master[10.0.1.250]: 554 5.7.1 <[email protected]>: Recipient address rejected: >> Acces >> s denied; from=<[email protected]> to=<[email protected]> >> proto=ESMTP >> helo=<master.sermon-archive.info> > > It seems that's the one that's actually required. I think I am passed that now. > >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: generic_checks: >> name=reject >> status=2 > > And so a final "reject" kicks in... > >> Mar 4 23:49:52 mail postfix-submission/smtpd[9591]: > master[10.0.1.250]: >> 554 5 >> .7.1 <[email protected]>: Recipient address rejected: Access denied > > Look at the "master.cf" entry of the submission service. The client actually uses dma as they are very small machines with little storage. However I am now to the point where there was a difference in behavior between ports 25 and 587. Port 25 delivered mail properly and port 587 gave an Access denied error for the same telnet inputs. After a lot of thought, I checked the submission restrictions and discovered that the submissions restrictions did not include permit_mynetworks. I have no idea how that could have worked for years and just failed after updating to FreeBSD 15 which did not affect either main.cf or master.cf. Anyway I cleaned that up and it appears that things are working again thanks to Vikrtor. -- Doug _______________________________________________ Postfix-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
