Joern Bredereck put forth on 7/14/2010 3:06 AM: > Hi, > > how can I tell why the following mail has been rejected: > > Jul 14 08:48:58 zarafa-xen postfix/smtpd[26113]: NOQUEUE: reject: RCPT > from ns.gbc.net[212.97.96.201]: 554 5.7.1 <ns.gbc.net[212.97.96.201]>: > Client host rejected: Access denied; from=<joerg.hal...@flaig-hommel.de> > to=<m.b...@otec.de> proto=ESMTP helo=<mail.gbc.net> > > "client host rejected" would require for the host to be in a > "check_client_access" table, right? > > I can't find the IP nor the hostname in the corresponding Hash-Table.
Do you have more than one access table/type? I have 7 access tables, including hash, CIDR, regexp, and PCRE. I add comments to my regexp and PCRE tables to make matching REJECTs in the mail log to a given filter possible. Without such comments finding the table entry that caused the rejection can be very difficult, if not impossible given time constraints. > Any idea why the mail was blocked anyway? What can I do to troubleshoot > such cases in the future? Can I increase the log level for mail > rejections like these without turning on the verbose logging mode in > general? Add rejection comments to your table entries. The comments will show up in the REJECT entry in the mail log. CIDR table, for example: 212.97.96.0/19 REJECT # GBC Internet Center GmbH Or, if you have this in a hash table: 212.97.96 REJECT # GBC Internet Center GmbH Keep in mind that in a hash table you can use network classes such as 212.97.96 Class C 212.97 Class B 212 Class A If you use such network notation, grepping this hash table for the exact IP address 212.97.96.201 won't show any matches, but Postfix will match the IP and reject the connection. Likewise, you can't grep a CIDR file for an exact IP address either. Again, commenting your access map file entries really helps avoid the problem you're currently having as you simply grep the access tables for the comment shown in the mail log rejection. If you'd have provided "postconf -n" output, per the list welcome instructions, I may have likely answered your question definitively. -- Stan
