Bug#781785: marked as done (erroneous logging in Postfix: relay restrictions logged as recipient restrictions)

Debian Bug Tracking System Sun, 01 Dec 2024 02:45:19 -0800

Your message dated Sun, 1 Dec 2024 13:42:39 +0300
with message-id <[email protected]>
and subject line Re: Bug#781785: erroneous logging in Postfix: relay 
restrictions logged as recipient restrictions
has caused the Debian Bug report #781785,
regarding erroneous logging in Postfix: relay restrictions logged as recipient 
restrictions
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
781785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781785
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: postfix
Version: 2.11.1.2z

At log level 5, postfix reports relay restrictions as recipient restrictions. 
This makes it difficult to track down configuration issues.

For example:

* given this stanza in master.cf:

465    inet  n       -       n       -       -       smtpd
        -o content_filter=scan:[127.0.0.1]:10030
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=
        -o smtpd_data_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o syslog_name=postfix/smtps
        -o milter_macro_daemon_name=ORIGINATING

* and given debug level set to 5 for the peer from which test emails are 
originating (in main.cf):

debug_peer_list = testing.example.com
debug_peer_level = 5

* then, upon receiving a message on port 465 from testing.example.com, the 
following appears in the log:

Apr  1 18:41:58 myserver postfix/smtps/smtpd[20737]: >>> START Recipient 
address RESTRICTIONS <<<
Apr  1 18:41:58 myserver postfix/smtps/smtpd[20737]: generic_checks: 
name=permit_sasl_authenticated
Apr  1 18:41:58 myserver postfix/smtps/smtpd[20737]: generic_checks: 
name=permit_sasl_authenticated status=0
Apr  1 18:41:58 myserver postfix/smtps/smtpd[20737]: generic_checks: name=reject
Apr  1 18:41:58 myserver postfix/smtps/smtpd[20737]: NOQUEUE: reject: RCPT from 
testing.example.com [192.0.2.1]: 554 5.7.1 <[email protected]>: 
Recipient address rejected: Access denied; from=<[email protected]> 
to=<[email protected]> proto=ESMTP helo=<testing.example.com>
Apr  1 18:41:58 myserver postfix/smtps/smtpd[20737]: generic_checks: 
name=reject status=2
Apr  1 18:41:58 myserver postfix/smtps/smtpd[20737]: >>> END Recipient address 
RESTRICTIONS <<<


Although the log reports “Recipient address RESTRICTIONS,” modifying the 
smtpd_relay_restrictions in master.cf demonstrates that in fact the relay 
restrictions are being logged.


For example, when smtp_relay_restrictions is changed to:

        -o 
smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination

then, upon receiving a message on port 465 from testing.example.com, the 
following appears in the log:

Apr  3 00:17:56 myserver postfix/smtps/smtpd[1182]: >>> START Recipient address 
RESTRICTIONS <<<
Apr  3 00:17:56 myserver postfix/smtps/smtpd[1182]: generic_checks: 
name=permit_sasl_authenticated
Apr  3 00:17:56 myserver postfix/smtps/smtpd[1182]: generic_checks: 
name=permit_sasl_authenticated status=0
Apr  3 00:17:56 myserver postfix/smtps/smtpd[1182]: generic_checks: 
name=reject_unauth_destination
Apr  3 00:17:56 myserver postfix/smtps/smtpd[1182]: reject_unauth_destination: 
[email protected]
Apr  3 00:17:56 myserver postfix/smtps/smtpd[1182]: permit_auth_destination: 
[email protected]
Apr  3 00:17:56 myserver postfix/smtps/smtpd[1182]: ctable_locate: leave 
existing entry key [email protected]
Apr  3 00:17:56 myserver postfix/smtps/smtpd[1182]: generic_checks: 
name=reject_unauth_destination status=0
Apr  3 00:17:56 myserver postfix/smtps/smtpd[1182]: >>> END Recipient address 
RESTRICTIONS <<<


Clearly, relay restrictions are being logged as recipient restrictions.


To correct this issue, I suggest that relay restrictions to be logged between 
delimiters looking something like:

Apr  3 00:17:56 myserver postfix/smtps/smtpd[1182]: >>> START Relay RESTRICTIONS
[log messages here]
Apr  3 00:17:56 myserver postfix/smtps/smtpd[1182]: >>> END Relay RESTRICTIONS


I am using Linux version 3.13.0-43-generic (buildd@tipua) (gcc version 4.8.2 
(Ubuntu 4.8.2-19ubuntu1) ) #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014

--- End Message ---

--- Begin Message ---

On Thu, 2 Apr 2015 18:43:21 -0600 Kerry Kurian <[email protected]> wrote:

Package: postfix
Version: 2.11.1.2z

At log level 5, postfix reports relay restrictions as recipient restrictions. 
This makes it difficult to track down configuration issues.

..

        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

Apr  1 18:41:58 myserver postfix/smtps/smtpd[20737]: NOQUEUE: reject: RCPT from testing.example.com 
[192.0.2.1]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; 
from=<[email protected]> to=<[email protected]> proto=ESMTP 
helo=<testing.example.com>



The logging isn't coming from the name of the restriction list,
but from the actual restriction being applied.

In this case, you've a 'reject' restriction applied to the
recipient address, and this is exactly what postfix logs.

Closing this bug report.

/mjt

--- End Message ---

Bug#781785: marked as done (erroneous logging in Postfix: relay restrictions logged as recipient restrictions)

Reply via email to