* vr <postfix-u...@iotk.net>:
>
> I have a sender from a web hosting company who is not able to send to
> one of my users.  The log entry looks like this:
>
> Nov 16 10:50:57 smtp postfix/smtpd[15063]: NOQUEUE: reject: RCPT from
> ip67-89-97-251.z97-89-67.customer.algx.net[67.89.97.251]: 554 5.7.1
> <ip67-89-97-251.z97-89-67.customer.algx.net[67.89.97.251]>: Client
> host rejected: Access denied;
> from=<prvs=1936c65064=sen...@senderdomain.tld>
> to=<myu...@mydomain.tld> proto=ESMTP helo=<tigsnet.com>

Why are you rejecting the client?

> I have "sen...@senderdomain.tld" in my whitelist (ok_by_email_hash)
> but this sender still rejecting.

Of course! The sender is NOT
sen...@senderdomain.tld

It's
prvs=1936c65064=sen...@senderdomain.tld

Which is something different

> How do things like "prvs=1936c65064=" preceding a recipients email
> address affect this

They make the sender address different from what your check is checking for.

> and how can I successfully permit that sender without re-working the
> postfix configuration drastically?

a) Don't block the client
b) Allow that particular client
c) Change the whitelist to use regexp instead:

/^(prvs=[0-9a-f]+=)?sen...@senderdomain\.tld$/ OK

This allows both
prvs=...=sen...@senderdomain.tld
and
sen...@senderdomain.tld

> smtpd_banner = Ready

You shouldn't do that. The default banner announces ESMTP, yours
should too!

> smtpd_recipient_restrictions =
> permit_mynetworks
> reject_unauth_destination

check_sender_access regexp:/etc/postfix/ok_by_email.regexp

> check_sender_access hash:/etc/postfix/ok_by_email_hash
> check_sender_access hash:/etc/postfix/ok_by_domain_hash
> check_sender_access hash:/etc/postfix/access_hash
> check_client_access hash:/etc/postfix/ok_by_domain_hash
> check_client_access hash:/etc/postfix/access_hash
> warn_if_reject check_client_access hash:/etc/postfix/reject_by_ip_hash
> check_helo_access hash:/etc/postfix/ok_by_domain_hash
> check_helo_access hash:/etc/postfix/access_hash

You're using this for both check_sender_access AND check_helo_access -
this might not be useful

> check_client_access regexp:/etc/postfix/access_regexp
> check_recipient_access hash:/etc/postfix/reject_by_recipient_hash
> reject_unknown_reverse_client_hostname
> reject_unknown_client_hostname
> reject_non_fqdn_helo_hostname
> reject_invalid_helo_hostname
> reject_unknown_sender_domain
> reject_rbl_client dnsbl-1.uceprotect.net
> reject_rbl_client dnsbl-2.uceprotect.net

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
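Added example (not part of the original message, and not Postfix code): a small generator that turns plain whitelist addresses into regexp-table lines of the form suggested in option c), plus a first-match lookup that approximates how such a table is consulted. The address alice@example.org, the function names and the sample senders are constructed; Python's re module stands in for the POSIX regular expressions Postfix uses, with case-insensitive matching as in Postfix's default.

```python
import re

# Optional "prvs=<tag>=" prefix, written exactly as in the regexp from the reply.
BATV_PREFIX = "(prvs=[0-9a-f]+=)?"
# Regular-expression metacharacters that must be escaped to match literally.
_META = set(".[]()*+?{}|^$\\")

def ere_escape(text):
    """Backslash-escape metacharacters so that 'example.org' matches only itself."""
    return "".join("\\" + c if c in _META else c for c in text)

def table_line(address):
    """Build one anchored regexp-table line that permits plain and prvs-tagged forms."""
    # Refuse whitespace and '/', which would break the /pattern/ result syntax.
    if not re.fullmatch(r"[^\s/@]+@[^\s/@]+", address):
        raise ValueError("not a plain user@domain address: %r" % address)
    return "/^" + BATV_PREFIX + ere_escape(address) + "$/ OK"

def build_table(addresses):
    """Return the text of a regexp table, one line per whitelisted address."""
    return "\n".join(table_line(a) for a in addresses) + "\n"

def lookup(table, sender):
    """Approximate a table lookup: result of the first matching line, else None."""
    for line in table.splitlines():
        m = re.fullmatch(r"/(.*)/\s+(\S.*)", line.strip())
        if m and re.search(m.group(1), sender, re.IGNORECASE):
            return m.group(2)
    return None

# Constructed sample data.
WHITELIST = ["alice@example.org"]
TABLE = build_table(WHITELIST)

if __name__ == "__main__":
    print(TABLE, end="")
    for sender in ("alice@example.org",
                   "prvs=1936c65064=alice@example.org",      # tagged form, permitted
                   "alice@exampleXorg",                      # escaped dot prevents this
                   "prvs=1936c65064=alice@example.org.test", # trailing anchor prevents this
                   "mallory+alice@example.org"):             # leading anchor prevents this
        exact = sender in WHITELIST  # what an exact-key hash lookup would find
        print("%-42s hash=%-5s regexp=%s" % (sender, exact, lookup(TABLE, sender)))
```

The real table can be checked the same way with postmap -q "prvs=1936c65064=alice@example.org" regexp:/etc/postfix/ok_by_email.regexp before relying on it.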