Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
On 5 May 2016, at 22:24, Bill Cole wrote:

[ blah blah blah ]

OR: I was entirely wrong about the broken SPF records being the cause of that rejection. Noel & Christian were right in pointing you at the access maps.

You MIGHT also run into the SPF issue after exempting that sender from the shunning of their DNS provider, depending on how you do it, but that is dependent on how your policyd-spf responds in the case of bad records.
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
On Thu, May 05, 2016 at 10:24:49PM -0400, Bill Cole wrote:

> >I discovered this issue in their DNS with respect to SPF:
> >
> >;; ANSWER SECTION:
> >lymanworldwide.com. 1800 IN TXT "v=spf1 include:netcore.co.in -all"
> >lymanworldwide.com. 1800 IN TXT "v=spf1 include:spf.protection.outlook.com -all"
>
> Yes, that's almost certainly the cause of the problem.

Except that the logs clearly indicate it isn't. The rejection is a sender access(5) check.

--
Viktor.
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
On 5 May 2016, at 11:57, James B. Byrne wrote:

> On Thu, May 5, 2016 11:34, James B. Byrne wrote:
>> Can anyone clue me in on what configuration issue might be causing
>> this and whose configuration it is, mine or theirs?
>>
>> postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>> smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>> : Sender address rejected: Access denied;
>> from= to=
>> proto=ESMTP helo=
>
> I discovered this issue in their DNS with respect to SPF:
>
> ;; ANSWER SECTION:
> lymanworldwide.com. 1800 IN TXT "v=spf1 include:netcore.co.in -all"
> lymanworldwide.com. 1800 IN TXT "v=spf1 include:spf.protection.outlook.com -all"

Yes, that's almost certainly the cause of the problem. Having 2 SPF TXT records is fundamentally broken in addition to being formally incorrect. There's no defined way to merge records and any of the obvious mechanisms with those 2 records would be indeterminate because they are explicitly contradictory and there is no way to prioritize one over the other. The rejection is "soft" (450 instead of 550) because presumably your SPF checking is configured to do that when SPF records are formally improper.

> But it does not appear to me that the connection is getting to the
> point where SPF is considered.

Sure it is. The usual order of SMTP commands is

    (EHLO|HELO)
    MAIL
    RCPT (maybe multiple times)
    DATA
    QUIT

Your config includes:

    smtpd_recipient_restrictions = reject_non_fqdn_recipient,
        reject_unknown_recipient_domain, permit_mynetworks,
        permit_sasl_authenticated, reject_unauth_destination,
        reject_unauth_pipelining, check_policy_service
        unix:/var/spool/postfix/postgrey/socket, check_policy_service
        unix:private/policyd-spf, permit

Assuming that "policyd-spf" is where you check and enforce SPF, this config entry means that it is checked for each recipient, i.e. each SMTP "RCPT" command.

The quoted log entry records that smtpd got a command from 202.162.245.174 that was probably exactly like this:

    RCPT TO:

and replied with something much like:

    450 4.7.1 : Sender address rejected: Access denied

(the reply at least started with '450 4.7.1'; I'm not sure exactly what smtpd says in the following text part but it really doesn't matter)

Postfix smtpd waits to make that check until RCPT because you told it to do so explicitly by putting it in smtpd_recipient_restrictions and would do so in any case (unless you put it in smtpd_data_restrictions, which would be perverse) because smtpd_delay_reject=yes is a default setting.
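
The remark above that two SPF TXT records are formally incorrect, as an added example that is not part of the original thread: the record-selection step of RFC 7208 section 4.5 applied to the two TXT records quoted in the message. The function names are illustrative, and the records are supplied inline instead of being fetched from DNS.

```python
# Added example: SPF record selection per RFC 7208 section 4.5.

# The two TXT records quoted in the thread. Each record is a list of DNS
# character-strings, which are concatenated without separators (RFC 7208, 3.3).
LYMAN_TXT = [
    ["v=spf1 include:netcore.co.in -all"],
    ["v=spf1 include:spf.protection.outlook.com -all"],
]


def spf_candidates(txt_rrset):
    """Keep only records whose version section is exactly "v=spf1".

    The version section ends at the first space or at the end of the record,
    so "v=spf10 ..." is not an SPF record.
    """
    found = []
    for strings in txt_rrset:
        text = "".join(strings)
        version = text.split(" ", 1)[0]
        if version.lower() == "v=spf1":
            found.append(text)
    return found


def select_spf_record(txt_rrset):
    """Return (result, record): none, permerror, or the single selected record."""
    found = spf_candidates(txt_rrset)
    if not found:
        return "none", None
    if len(found) > 1:
        # More than one SPF record: the RFC defines no merge, only permerror.
        return "permerror", None
    return "selected", found[0]


def unshared_terms(txt_rrset):
    """Terms present in some, but not all, SPF records of the set."""
    term_sets = [set(rec.split()[1:]) for rec in spf_candidates(txt_rrset)]
    if not term_sets:
        return set()
    return set.union(*term_sets) - set.intersection(*term_sets)


if __name__ == "__main__":
    print(select_spf_record(LYMAN_TXT))
    print(sorted(unshared_terms(LYMAN_TXT)))
```

What a receiver does with a permerror result is local policy, which is why the outcome depends on how policyd-spf is configured.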
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
On Thu, May 5, 2016 12:37, Christian Kivalo wrote:
>
> There it is: lymanworldwide.com uses nameservices provided by
> name-services.com
>

Thanks, that is it. I suppose we will just have to explicitly permit them in. Not that I approve of their choice of registrars (enom).

Thanks for the help.

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne            mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited      http://www.harte-lyne.ca
9 Brockley Drive          vox: +1 905 561 1241
Hamilton, Ontario         fax: +1 905 561 0757
Canada L8E 3C3
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
On 5 May 2016 at 18:30:40 CEST, "James B. Byrne" wrote:
>
>On Thu, May 5, 2016 12:11, Christian Kivalo wrote:
>>
>>
>> On 5 May 2016 at 17:34:36 CEST, "James B. Byrne" wrote:
>>>Can anyone clue me in on what configuration issue might be causing
>>>this and whose configuration it is, mine or theirs?
>>>
>>>postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>>>smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>>>: Sender address rejected: Access denied;
>>>from= to=
>>>proto=ESMTP helo=
>>>
>>>
>>># postconf -n
>. . .
>>>smtpd_sender_restrictions = permit_mynetworks, check_sender_access
>>>hash:/etc/postfix/sender_access, check_sender_mx_access
>>>hash:/etc/postfix/sender_mx_access, check_sender_ns_access
>>>hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
>>>reject_non_fqdn_sender, reject_unknown_sender_domain, permit
>>
>> What's in these files?

...

># cat /etc/postfix/sender_ns_access
>. . .
># Cannot use OK result in this map, use DUNNO instead.
>#
>colocrossings.com DEFER
>name-services.com DEFER
>name-services.net DEFER

There it is: lymanworldwide.com uses nameservices provided by name-services.com

valo@karl:~ $ dig ns lymanworldwide.com

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> ns lymanworldwide.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51294
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;lymanworldwide.com. IN NS

;; ANSWER SECTION:
lymanworldwide.com. 3600 IN NS dns5.name-services.com.
lymanworldwide.com. 3600 IN NS dns3.name-services.com.
lymanworldwide.com. 3600 IN NS dns4.name-services.com.
lymanworldwide.com. 3600 IN NS dns1.name-services.com.
lymanworldwide.com. 3600 IN NS dns2.name-services.com.

;; Query time: 179 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 05 18:33:14 CEST 2016
;; MSG SIZE rcvd: 156

--
Christian Kivalo
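
The match found above, as an added example that is not part of the original thread: it walks the hostname and parent-domain lookup keys that access(5) documents for each name server and reports which check_sender_ns_access entry fires. The function names are illustrative; the map excerpt and NS names are copied from the thread; the lookup of name-server IP addresses that Postfix also performs is left out so the example runs offline, and access(5) continuation lines are not handled.

```python
# Added example: which sender_ns_access entry matches a sender domain's NS set.

# Excerpt of /etc/postfix/sender_ns_access as posted in the thread.
SENDER_NS_ACCESS = """\
# Cannot use OK result in this map, use DUNNO instead.
#
colocrossings.com DEFER
name-services.com DEFER
name-services.net DEFER
"""

# NS names for lymanworldwide.com, from the dig output in the thread.
LYMAN_NS = [
    "dns5.name-services.com.", "dns3.name-services.com.",
    "dns4.name-services.com.", "dns1.name-services.com.",
    "dns2.name-services.com.",
]


def parse_access_map(text):
    """Parse access(5) source text into {lowercased key: action}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table


def lookup_keys(hostname, parent_matches_subdomains=True):
    """Yield the hostname, then each parent domain, most specific first.

    parent_matches_subdomains mirrors smtpd_access_maps being listed in
    parent_domain_matches_subdomains (the Postfix default). When it is not
    listed, only ".domain.tld" patterns match subdomains.
    """
    labels = hostname.rstrip(".").lower().split(".")
    yield ".".join(labels)
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        yield parent if parent_matches_subdomains else "." + parent


def explain_ns_reject(ns_hosts, access_text, parent_matches_subdomains=True):
    """Return the first (ns, key, action) hit, or None when nothing matches."""
    table = parse_access_map(access_text)
    for ns in ns_hosts:
        for key in lookup_keys(ns, parent_matches_subdomains):
            action = table.get(key)
            if action is None:
                continue
            if action.upper() == "DUNNO":
                break  # DUNNO stops further pattern lookups for this name
            return {"ns": ns.rstrip("."), "key": key, "action": action}
    return None


if __name__ == "__main__":
    print(explain_ns_reject(LYMAN_NS, SENDER_NS_ACCESS))
```

On a live system the same question can be asked of the real map with `postmap -q name-services.com hash:/etc/postfix/sender_ns_access`.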
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
On Thu, May 5, 2016 12:11, Christian Kivalo wrote:
>
>
> On 5 May 2016 at 17:34:36 CEST, "James B. Byrne" wrote:
>>Can anyone clue me in on what configuration issue might be causing
>>this and whose configuration it is, mine or theirs?
>>
>>postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>>smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>>: Sender address rejected: Access denied;
>>from= to=
>>proto=ESMTP helo=
>>
>>
>># postconf -n
. . .
>>smtpd_sender_restrictions = permit_mynetworks, check_sender_access
>>hash:/etc/postfix/sender_access, check_sender_mx_access
>>hash:/etc/postfix/sender_mx_access, check_sender_ns_access
>>hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
>>reject_non_fqdn_sender, reject_unknown_sender_domain, permit
>
> What's in these files?
>

# cat /etc/postfix/sender_access
. . .
# ACCESS(5)
::1 OK
127.0.0.1 OK
216.185.71.9 OK
216.185.71.10 OK
216.185.71.11 OK
216.185.71.12 OK
216.185.71.13 OK
216.185.71.14 OK
216.185.71.15 OK
216.185.71.16 OK
216.185.71.17 OK
216.185.71.18 OK
216.185.71.19 OK
216.185.71.20 OK
216.185.71.21 OK
216.185.71.22 OK
216.185.71.23 OK
216.185.71.24 OK
216.185.71.25 OK
216.185.71.26 OK
216.185.71.27 OK
216.185.71.28 OK
216.185.71.29 OK
forex.cont...@harte-lyne.ca OK
mailman.halisp.net OK
upsdocs.com OK
.upsdocs.com OK
verticalresponse.com REJECT

# cat /etc/postfix/sender_mx_access
. . .
# Cannot use OK result in this map, use DUNNO instead.

# cat /etc/postfix/sender_ns_access
. . .
# Cannot use OK result in this map, use DUNNO instead.
#
colocrossings.com DEFER
name-services.com DEFER
name-services.net DEFER
leaseweb.be DEFER
leaseweb.ca DEFER
leaseweb.ch DEFER
leaseweb.com DEFER
leaseweb.de DEFER
leaseweb.fr DEFER
leaseweb.net DEFER
leaseweb.nl DEFER
leaseweb.org DEFER
leaseweb.us DEFER

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne            mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited      http://www.harte-lyne.ca
9 Brockley Drive          vox: +1 905 561 1241
Hamilton, Ontario         fax: +1 905 561 0757
Canada L8E 3C3
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
On 5/5/2016 10:34 AM, James B. Byrne wrote:
> Can anyone clue me in on what configuration issue might be causing
> this and whose configuration it is, mine or theirs?
>
> postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
> smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
> : Sender address rejected: Access denied;
> from= to=
> proto=ESMTP helo=
>

"Sender address rejected: Access denied;" is caused by one of your check_sender_access maps.

> smtpd_sender_restrictions = permit_mynetworks, check_sender_access
> hash:/etc/postfix/sender_access, check_sender_mx_access
> hash:/etc/postfix/sender_mx_access, check_sender_ns_access
> hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,

One of these.

-- Noel Jones
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
On 5 May 2016 at 17:34:36 CEST, "James B. Byrne" wrote:
>Can anyone clue me in on what configuration issue might be causing
>this and whose configuration it is, mine or theirs?
>
>postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>: Sender address rejected: Access denied;
>from= to=
>proto=ESMTP helo=
>
>
># postconf -n
>alias_maps = hash:/etc/aliases
>broken_sasl_auth_clients = yes
>command_directory = /usr/sbin
>config_directory = /etc/postfix
>content_filter = smtp-amavis:[127.0.0.1]:10024
>daemon_directory = /usr/libexec/postfix
>data_directory = /var/lib/postfix
>debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>ddd $daemon_directory/$process_name $process_id & sleep 5
>delay_warning_time = 30m
>disable_vrfy_command = yes
>header_checks = regexp:/etc/postfix/header_checks.regexp
>home_mailbox = Maildir/
>html_directory = no
>ignore_mx_lookup_error = no
>inet_interfaces = localhost, inet08.hamilton.harte-lyne.ca
>inet_protocols = all
>local_transport = smtp
>mail_spool_directory = /var/spool/mail
>mailman_destination_recipient_limit = 1
>mailq_path = /usr/bin/mailq.postfix
>manpage_directory = /usr/share/man
>message_size_limit = 2048
>milter_default_action = accept
>milter_protocol = 2
>mydestination =
>mynetworks = 216.185.71.0/26, 127.0.0.0/8
>newaliases_path = /usr/bin/newaliases.postfix
>non_smtpd_milters = $smtpd_milters
>policyd-spf_time_limit = 3600
>queue_minfree = 4096
>rbl_reply_maps = hash:/etc/postfix/rbl_reply
>readme_directory = /usr/share/doc/postfix-2.11.1/README_FILES
>recipient_delimiter = +
>relay_clientcerts = hash:/etc/postfix/relay_clientcerts
>relay_domains = hash:/etc/postfix/relay_domains
>sample_directory = /usr/share/doc/postfix-2.11.1/samples
>sendmail_path = /usr/sbin/sendmail.postfix
>setgid_group = postdrop
>smtp_dns_support_level = dnssec
>smtp_host_lookup = dns
>smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtp.crt
>smtp_tls_ciphers = medium
>smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED,
>IDEA, RC2, RC5
>smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtp.key
>smtp_tls_protocols = !SSLv2, !SSLv3
>smtp_tls_security_level = dane
>smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
>smtp_tls_session_cache_timeout = 3600s
>smtpd_client_restrictions = permit
>smtpd_data_restrictions = permit_mynetworks,
>reject_multi_recipient_bounce, reject_unauth_pipelining, permit
>smtpd_helo_required = yes
>smtpd_helo_restrictions = permit_mynetworks, check_helo_access
>pcre:/etc/postfix/helo_checks.pcre, reject_non_fqdn_helo_hostname,
>reject_unknown_helo_hostname, permit
>smtpd_milters = inet:127.0.0.1:8891
>smtpd_proxy_timeout = 300s
>smtpd_recipient_restrictions = reject_non_fqdn_recipient,
>reject_unknown_recipient_domain, permit_mynetworks,
>permit_sasl_authenticated, reject_unauth_destination,
>reject_unauth_pipelining, check_policy_service
>unix:/var/spool/postfix/postgrey/socket, check_policy_service
>unix:private/policyd-spf, permit
>smtpd_relay_restrictions = permit_mynetworks,
>permit_sasl_authenticated, defer_unauth_destination
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_path = smtpd
>smtpd_sender_restrictions = permit_mynetworks, check_sender_access
>hash:/etc/postfix/sender_access, check_sender_mx_access
>hash:/etc/postfix/sender_mx_access, check_sender_ns_access
>hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
>reject_non_fqdn_sender, reject_unknown_sender_domain, permit

What's in these files?

>smtpd_starttls_timeout = ${stress?10}${stress:120}s
>smtpd_timeout = ${stress?10}${stress:120}s
>smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>smtpd_tls_ask_ccert = yes
>smtpd_tls_auth_only = yes
>smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtpd.crt
>smtpd_tls_ciphers = medium
>smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
>smtpd_tls_fingerprint_digest = sha1
>smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtpd.key
>smtpd_tls_protocols = !SSLv2, !SSLv3
>smtpd_tls_received_header = yes
>smtpd_tls_security_level = may
>smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
>smtpd_tls_session_cache_timeout = 3600s
>soft_bounce = no
>strict_rfc821_envelopes = yes
>tls_random_source = dev:/dev/urandom
>transport_maps = hash:/etc/postfix/transport
>unknown_local_recipient_reject_code = 550
>virtual_alias_maps = hash:/etc/postfix/virtual,
>regexp:/etc/postfix/virtual.regexp
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
Try using "~all" instead of "-all" in your SPF TXT record.

On 16-05-05 08:57 AM, James B. Byrne wrote:

> On Thu, May 5, 2016 11:34, James B. Byrne wrote:
>> Can anyone clue me in on what configuration issue might be causing
>> this and whose configuration it is, mine or theirs?
>>
>> postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
>> smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
>> : Sender address rejected: Access denied;
>> from= to=
>> proto=ESMTP helo=
>
> I discovered this issue in their DNS with respect to SPF:
>
> ;; ANSWER SECTION:
> lymanworldwide.com. 1800 IN TXT "v=spf1 include:netcore.co.in -all"
> lymanworldwide.com. 1800 IN TXT "v=spf1 include:spf.protection.outlook.com -all"
>
> But it does not appear to me that the connection is getting to the
> point where SPF is considered.
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
On Thu, May 5, 2016 12:01, Gao wrote:
> try use "~all" instead of "-all" in your SPF txt record.
>

We are not the sender. We are the recipient. Our SPF record does not bear on this issue insofar as I can see. In any case, our SPF TXT RR already includes ~all, not -all.

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne            mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited      http://www.harte-lyne.ca
9 Brockley Drive          vox: +1 905 561 1241
Hamilton, Ontario         fax: +1 905 561 0757
Canada L8E 3C3
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
On Thu, May 5, 2016 11:34, James B. Byrne wrote:
> Can anyone clue me in on what configuration issue might be causing
> this and whose configuration it is, mine or theirs?
>
> postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
> smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
> : Sender address rejected: Access denied;
> from= to=
> proto=ESMTP helo=
>
>

I discovered this issue in their DNS with respect to SPF:

;; ANSWER SECTION:
lymanworldwide.com. 1800 IN TXT "v=spf1 include:netcore.co.in -all"
lymanworldwide.com. 1800 IN TXT "v=spf1 include:spf.protection.outlook.com -all"

But it does not appear to me that the connection is getting to the point where SPF is considered.

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne            mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited      http://www.harte-lyne.ca
9 Brockley Drive          vox: +1 905 561 1241
Hamilton, Ontario         fax: +1 905 561 0757
Canada L8E 3C3
Re: Postfix error 450 4.7.1 Sender address rejected: Access denied
Can anyone clue me in on what configuration issue might be causing this and whose configuration it is, mine or theirs?

postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
: Sender address rejected: Access denied;
from= to=
proto=ESMTP helo=


# postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 30m
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks.regexp
home_mailbox = Maildir/
html_directory = no
ignore_mx_lookup_error = no
inet_interfaces = localhost, inet08.hamilton.harte-lyne.ca
inet_protocols = all
local_transport = smtp
mail_spool_directory = /var/spool/mail
mailman_destination_recipient_limit = 1
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 2048
milter_default_action = accept
milter_protocol = 2
mydestination =
mynetworks = 216.185.71.0/26, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
policyd-spf_time_limit = 3600
queue_minfree = 4096
rbl_reply_maps = hash:/etc/postfix/rbl_reply
readme_directory = /usr/share/doc/postfix-2.11.1/README_FILES
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
relay_domains = hash:/etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.11.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtp.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED,
    IDEA, RC2, RC5
smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtp.key
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_client_restrictions = permit
smtpd_data_restrictions = permit_mynetworks,
    reject_multi_recipient_bounce, reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
    pcre:/etc/postfix/helo_checks.pcre, reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname, permit
smtpd_milters = inet:127.0.0.1:8891
smtpd_proxy_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    reject_unauth_pipelining, check_policy_service
    unix:/var/spool/postfix/postgrey/socket, check_policy_service
    unix:private/policyd-spf, permit
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks, check_sender_access
    hash:/etc/postfix/sender_access, check_sender_mx_access
    hash:/etc/postfix/sender_mx_access, check_sender_ns_access
    hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
    reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtpd.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtpd.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual,
    regexp:/etc/postfix/virtual.regexp

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne            mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited      http://www.harte-lyne.ca
9 Brockley Drive          vox: +1 905 561 1241
Hamilton, Ontario         fax: +1 905 561 0757
Canada L8E 3C3