Invalid response code: 503 5.7.0 Error: access denied

George Forman Wed, 17 Nov 2010 09:25:16 -0800

All,

We are experiencing a problem where Postfix (Using 2.6.2) continuously returns 
a 503 5.7.0 Error: access denied response.


The scenario is as follows (see log snipet below for sequence details):
   The client MTA attempts to send a message. On the DOT command, Postfix 
returns: '451 4.3.0 Error: queue file write error'
   The client MTA sends a RSET command. Postfix responds with '503 5.7.0 Error: 
access denied'
   The client MTA ignores the RSET response (based on RFC2821).
   The client MTA sends MAIL FROM command. Postfix responds with '503 5.7.0 
Error: access denied'
   The client MTA bounces the message.
   The client MTA repeats sequence (RSET, MAIL FROM and bounces the message) 
until Postfix hard error limit has been exceeded (ours is set to 75).
   Postfix closes the connnection.
   

My analysis has shown the Postfix's milter interface fails when waiting for a 
response.
I am still actively investigating specifically the vstream event that triggers 
CLEANUP_STAT_WRITE to be returned. 

My QUICK FIX was to modify the 503 to a 521 error code in smtpd.c (smtpd_proto 
function).
This prevented the problem from continuing.

I am looking for suggestions on a longer term solution.
I have made a change in smtpd_proto function:

            /* XXX We use the real client for connect access control. */
            if (state->access_denied && cmdp->action != quit_cmd) {
                smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s",
                                 state->namaddr);        RFC 2821 Sec 3.1 */
                state->error_count++;
                continue;
            }
 
New code:
            /* XXX We use the real client for connect access control. */
            if (state->access_denied &&
               (! (cmdp->action == quit_cmd || cmdp->action == rset_cmd))) {
                smtpd_chat_reply(state, "%s", state->access_denied);
                state->error_count++;
                continue;
            }


The only side effect (I have found) is the following case where access to the 
host response is 
changed on any commands.  

New code: On connect this is returned:
554 5.7.1 <remote.mta.client[xxx.xx.xxx.xxx]>: Client host rejected: Access 
denied
New code: Any commands would return:

554 5.7.1 <remote.mta.client[xxx.xx.xxx.xxx]>: Client host rejected: Access 
denied


Old code: On connect this is returned:

554 5.7.1 <remote.mta.client[xxx.xx.xxx.xxx]>: Client host rejected: Access 
denied
Old code: Any commands would return:
503 5.7.0 Error: access denied for remote.mta.clent[xxx.xx.xxx.xxx]


I don't know if my solution breaks RFC2821 Sec 3.1.
Any help is greatly appreciated.

George


Log snipet:

Nov 11 14:03:24 mtain-dc12 postfix/smtpd[26639]: rec_put: type N len 0 data  
Nov 11 14:03:24 mtain-dc12 postfix/smtpd[26639]: rec_put: type N len 45 data 
------=_Ne
Nov 11 14:03:24 mtain-dc12 postfix/smtpd[26639]: rec_put: type N len 0 data  
Nov 11 14:03:24 mtain-dc12 postfix/smtpd[26639]: rec_put: type X len 0 data
Nov 11 14:03:24 mtain-dc12 postfix/smtpd[26639]: rec_put: type E len 0 data
Nov 11 14:03:24 mtain-dc12 postfix/smtpd[26639]: vstream_fflush_some: fd 24 
flush 1079
==> added debugging log messages
Nov 11 14:03:24 mtain-mb02 postfix/smtpd-log[26639]: vstream_buf_get_ready: 
read_fn flags indicate VSTREAM_FLAG_TIMEOUT
Nov 11 14:03:24 mtain-mb02 postfix/smtpd-log[26639]: attr_scan0: EOF Check
Nov 11 14:03:24 mtain-mb02 postfix/smtpd-log[26639]: mail_stream_finish_ipc: 
attr_scan failed != 2 - CLEANUP_STAT_WRITE
===> end of added debugging log messages
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: > 
remote.mta.clent[xx.xx.xx.xx]: 451 4.3.0 Error: queue file write error
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: abort all milters
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: milter8_abort: abort milter 
inet:localhost:12345
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: watchdog_pat: 0xf3a8a40
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: vstream_fflush_some: fd 20 
flush 41
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: vstream_buf_get_ready: fd 20 
got 6
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: < 
remote.mta.clent[xx.xx.xx.xx]: RSET
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: > 
remote.mta.clent[xx.xx.xx.xx]: 503 5.7.0 Error: access denied for 
remote.mta.clent[xx.xx.xx.xx]
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: watchdog_pat: 0xf3a8a40
Nov 11 14:03:29 mtain-dc12 postfix/smtpd[26639]: vstream_fflush_some: fd 20 
flush 88
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: vstream_buf_get_ready: fd 20 
got 84
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: < 
remote.mta.clent[xx.xx.xx.xx]: MAIL FROM:<some...@example.com>
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: > 
remote.mta.clent[xx.xx.xx.xx]: 503 5.7.0 Error: access denied for 
remote.mta.clent[xx.xx.xx.xx]
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: watchdog_pat: 0xf3a8a40
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: vstream_fflush_some: fd 20 
flush 88
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: vstream_buf_get_ready: fd 20 
got 6
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: < 
remote.mta.clent[xx.xx.xx.xx]: RSET
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: > 
remote.mta.clent[xx.xx.xx.xx]: 503 5.7.0 Error: access denied for 
remote.mta.clent[xx.xx.xx.xx]
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: watchdog_pat: 0xf3a8a40
Nov 11 14:03:57 mtain-dc12 postfix/smtpd[26639]: vstream_fflush_some: fd 20 
flush 88
Nov 11 14:04:09 mtain-dc12 postfix/smtpd[26639]: vstream_buf_get_ready: fd 20 
got 33
Nov 11 14:04:09 mtain-dc12 postfix/smtpd[26639]: < 
remote.mta.client[xx.xx.xx.xx]: MAIL FROM:<anotheraut...@example.com>
Nov 11 14:04:09 mtain-dc12 postfix/smtpd[26639]: > 
remote.mta.client[xx.xx.xx.xx]: 503 5.7.0 Error: access denied for 
remote.mta.client[xx.xx.xx.xx]
Nov 11 14:04:09 mtain-dc12 postfix/smtpd[26639]: watchdog_pat: 0xf3a8a40
Nov 11 14:04:09 mtain-dc12 postfix/smtpd[26639]: vstream_fflush_some: fd 20 
flush 88
Nov 11 14:04:09 mtain-dc12 postfix/smtpd[26639]: vstream_buf_get_ready: fd 20 
got 6
Nov 11 14:04:09 mtain-dc12 postfix/smtpd[26639]: < 
remote.mta.client[xx.xx.xx.xx]: RSET
Nov 11 14:04:09 mtain-dc12 postfix/smtpd[26639]: > 
remote.mta.client[xx.xx.xx.xx]: 503 5.7.0 Error: access denied for 
remote.mta.client[xx.xx.xx.xx]
Nov 11 14:04:09 mtain-dc12 postfix/smtpd[26639]: watchdog_pat: 0xf3a8a40
Nov 11 14:04:09 mtain-dc12 postfix/smtpd[26639]: vstream_fflush_some: fd 20 
flush 88
Nov 11 14:04:31 mtain-dc12 postfix/smtpd[26639]: vstream_buf_get_ready: fd 20 
got 36
Nov 11 14:04:31 mtain-dc12 postfix/smtpd[26639]: < 
remote.mta.client[xx.xx.xx.xx]: MAIL FROM:<adifferenaut...@example.om>
Nov 11 14:04:31 mtain-dc12 postfix/smtpd[26639]: > 
remote.mta.client[xx.xx.xx.xx]: 503 5.7.0 Error: access denied for 
remote.mta.client[xx.xx.xx.xx]

Invalid response code: 503 5.7.0 Error: access denied

Reply via email to