On Fri, Oct 18, 2013 at 02:48:55PM -0300, francis picabia wrote:
> OK, with the syslog entry Noel suggested, I can see traffic has arrived on
> submission port. Yet if I grep for the IP connecting, I see no sasl login.
>
> Oct 18 14:39:24 myserver postfix-internal/submission/smtpd[25329]:
> connect from blk-222-132-252.eastlink.ca[24.222.132.252]
> Oct 18 14:39:24 myserver postfix-internal/submission/smtpd[25329]:
> NOQUEUE: reject: RCPT from
> blk-222-132-252.eastlink.ca[24.222.132.252]: 454 4.7.1
> <[email protected]>: Relay access denied;
> from=<[email protected]> to=<[email protected]> proto=ESMTP
> helo=<[192.168.0.5]>
>
> There must be a config to be tightened up somewhere in there.

If you want submission clients that don't authenticate to be
rejected regardless of whether the mail is outbound or not:

main.cf:
    submission_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject

master.cf submission entry:
    submission inet n ... smtpd
        -o smtpd_recipient_restrictions=$submission_recipient_restrictions
        -o smtpd_relay_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_data_restrictions=
        -o smtpd_end_of_data_restrictions=

That will change the log entry you report from "Relay access denied"
to "access denied". Your current reject message is generated by
the default setting of smtpd_relay_restrictions which is the likely
source of the "454" error code. The above will cause the same
transaction to be rejected by the recipient restrictions instead.

http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions (default):

    smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination

vs.

    submission_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject

it really makes no difference. With the default setting you have
an extra safety net. There is no problem to solve here.

--
Viktor.
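
An added example, not part of the original message and not Postfix code: a small Python audit that checks whether a master.cf submission entry follows the pattern in the reply above, i.e. it overrides smtpd_recipient_restrictions with a list that ends in reject and permits only SASL-authenticated clients and mynetworks. The sample files, the master.cf column values and all function names are constructed for illustration, and the parser assumes the plain "-o name=value" form with no spaces inside values.

```python
import re

# Constructed sample files; the master.cf column values are placeholders.
MAIN_CF = """\
submission_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
  -o smtpd_relay_restrictions=
"""
ALLOWED_PERMITS = {"permit_sasl_authenticated", "permit_mynetworks"}

def logical_lines(text):
    """Drop comments and blank lines, then join indented continuation lines."""
    kept = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    return re.sub(r"\n\s+", " ", "\n".join(kept)).split("\n")

def main_params(text):
    pairs = (line.partition("=") for line in logical_lines(text))
    return {name.strip(): value.strip() for name, _, value in pairs}

def service_overrides(master_text, service):
    """Return the -o name=value overrides of an inet service, or None if absent."""
    for line in logical_lines(master_text):
        tok = line.split()
        if tok[:2] == [service, "inet"]:
            return dict(tok[i + 1].split("=", 1) for i, t in enumerate(tok[:-1])
                        if t == "-o" and "=" in tok[i + 1])
    return None

def audit_submission(main_text, master_text):
    """Expand $name references from main.cf and return findings (empty list = OK)."""
    params, over = main_params(main_text), service_overrides(master_text, "submission")
    if not over or "smtpd_recipient_restrictions" not in over:
        return ["submission does not override smtpd_recipient_restrictions"]
    value = re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""),
                   over["smtpd_recipient_restrictions"])
    rules = [r for r in re.split(r"[,\s]+", value) if r]
    findings = []
    if not rules or rules[-1] != "reject":
        findings.append("recipient restrictions do not end in reject")
    findings += [f"unexpected permit rule: {r}" for r in rules
                 if r.startswith("permit") and r not in ALLOWED_PERMITS]
    return findings
```

Calling audit_submission(MAIN_CF, MASTER_CF) on the constructed samples returns an empty list; pass the text of your own main.cf and master.cf to check a live configuration.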