Re: looks like smtpd_recipient_restrictions check_client_access is being ignored ?

Mon, 23 Jun 2014 05:10:26 -0700 

Per Jessen:
> I have just built 2.11.1 from source, but otherwise retained 
> my old config. 
> 
> For outgoing mail via port 587, I have the following:
> 
> smtpd_recipient_restrictions=permit_mynetworks,
>         reject_non_fqdn_recipient,
>         reject_unknown_recipient_domain,
>         permit_sasl_authenticated,
>         check_client_access hash:/etc/postfix-in/pop-before-smtp
>         reject_unauth_destination
> 
> Judging by a trace, it looks like "check_client_access" is being
> ignored?
> 
> smtpd[20213]: >>> START Recipient address RESTRICTIONS <<<
> smtpd[20213]: generic_checks: name=permit_mynetworks
> smtpd[20213]: permit_mynetworks: kzinti.enidan.ch 88.198.24.135
> smtpd[20213]: match_hostname: kzinti.enidan.ch ~? 192.168.2.0/24
> smtpd[20213]: match_hostaddr: 88.198.24.135 ~? 192.168.2.0/24
> smtpd[20213]: match_hostname: kzinti.enidan.ch ~? 127.0.0.0/8
> smtpd[20213]: match_hostaddr: 88.198.24.135 ~? 127.0.0.0/8
> smtpd[20213]: match_hostname: kzinti.enidan.ch ~? 10.42.8.253
> smtpd[20213]: match_hostaddr: 88.198.24.135 ~? 10.42.8.253
> smtpd[20213]: match_hostname: kzinti.enidan.ch ~? 10.42.8.249
> smtpd[20213]: match_hostaddr: 88.198.24.135 ~? 10.42.8.249
> smtpd[20213]: match_hostname: kzinti.enidan.ch ~? 192.168.3.0/24
> smtpd[20213]: match_hostaddr: 88.198.24.135 ~? 192.168.3.0/24
> smtpd[20213]: match_list_match: kzinti.enidan.ch: no match
> smtpd[20213]: match_list_match: 88.198.24.135: no match
> smtpd[20213]: generic_checks: name=permit_mynetworks status=0
> smtpd[20213]: generic_checks: name=permit_sasl_authenticated

Note that this has no reject_unknown_recipient_domain. That's
because Postfix is not evalating smtpd_recipient_restrictions!

With Postfox 2.11, relay access control is enforced with
smtpd_relay_restrictions.

Either set smtpd_relay_restrictions instead of smtpd_recipient_restrictions,
or sent "smtpd_relay_restrictions=" i.e. empty.

        Wietse

> smtpd[20213]: generic_checks: name=permit_sasl_authenticated status=0
> smtpd[20213]: generic_checks: name=defer_unauth_destination
> smtpd[20213]: reject_unauth_destination: supp...@example.com
> smtpd[20213]: permit_auth_destination: supp...@example.com
> smtpd[20213]: ctable_locate: leave existing entry key
> supp...@example.com
> smtpd[20213]: NOQUEUE: reject: RCPT from
> kzinti.enidan.ch[88.198.24.135]: 454 4.7.1 <supp...@example.com>: Relay
> access denied; from=<p...@jessen.ch> to=<supp...@example.com>
> proto=ESMTP helo=<klop99>
> smtpd[20213]: generic_checks: name=defer_unauth_destination status=2
> smtpd[20213]: >>> END Recipient address RESTRICTIONS <<<
> 
> 
> Should there not be a trace entry after "permit_sasl_authenticated
> status=0" that checks my pop-before-smtp table?
> What am I over looking?
> 
> 
> -- 
> Per Jessen, Z?rich (24.9?C)
> http://www.dns24.ch/ - your free DNS host, made in Switzerland.
> 
>

Reply via email to