On Sun, Sep 10, 2017 at 04:05:02AM -0700, xiedeacc wrote:

> Sep 10 18:40:01 xiedeacc postfix/smtpd[5536]: Anonymous TLS connection
> established from unknown[122.226.185.66]: TLSv1 with cipher
> ECDHE-RSA-AES256-SHA (256/256 bits)

TLS encrypts the channel, but does not typically authenticate the
client; perhaps you're confusing TLS with SASL (a not uncommon
beginner mistake).

    * TLS:  Provides traffic integrity and confidentiality,
            may authenticate the server to the client.

    * SASL: Authenticates the client to the server, may
            also authenticate the server to the client
            (for some SASL "mechanisms").

> from here we can see TLS established, but sending mail will be rejected by postfix

Authorization to send is not typically based on TLS alone.

> postfix/smtpd[5536]: NOQUEUE: reject: RCPT from unknown[122.226.185.66]:
>    554 5.7.1 <unknown[122.226.185.66]>:
>    Client host rejected: Access denied;

This is a "reject" action in "smtpd_client_restrictions" for a
client that *did not* do SASL authentication.  Perhaps this
client wants the SASL "LOGIN" mechanism to be available, but
you're only offering "PLAIN".

>    from=<te...@xiedeacc.com>
>    to=<te...@xiedeacc.com>
>    proto=ESMTP
>    helo=<yangzhenxieNB4>

> smtpd_client_restrictions =
>    check_client_access hash:/etc/postfix/access,

Most likely not this one unless you have a "REJECT" in this table
for the client's IP address.

>    reject_rbl_client anti-spam.org.cn,

This would be logged differently.

>    permit_mynetworks,
>    permit_inet_interfaces,
>    permit_sasl_authenticated,

None of the above passed.

>    reject

So this action took effect, assuming the client connected to
the SMTP service on port 25.


> submission inet n       -       y       -       -       smtpd
>   [...]
>   -o smtpd_client_restrictions=permit_mynetworks,permit_inet_interfaces,permit_sasl_authenticated,reject

Much the same conclusion for the submission port (587).

> smtps     inet  n       -       y       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
>   -0 smtpd_tls_key_file=/etc/ssl/private/xiedeacc.com.nopassword.key

That "-0" (digit 0) is not "-o".  Use a font that clearly distinguishes
them.

>   -o smtpd_client_restrictions=permit_mynetworks,permit_inet_interfaces,permit_sasl_authenticated,reject

And the same client reject observation for port 465.  The client
did not do SASL.

-- 
        Viktor.
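Added example (not part of the thread, and not Postfix's own code): a small Python model of how Postfix walks the smtpd_client_restrictions list quoted above, first PERMIT or REJECT wins, DUNNO moves on to the next entry. It shows why a client that negotiated TLS but never did SASL ends at the final "reject", while the same client with a SASL login stops at permit_sasl_authenticated. The mynetworks, inet_interfaces and access-table contents are constructed assumptions, and DNSBL lookups are not modelled.

```python
import ipaddress

# Constructed client record modelled on the log lines in the thread:
# TLS was negotiated, but no SASL login took place.
TLS_ONLY_CLIENT = {"ip": "122.226.185.66", "tls": True, "sasl_username": None}

# Assumed local settings (not from the thread): default-style mynetworks
# and the addresses Postfix listens on.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
INET_INTERFACES = {"127.0.0.1", "::1"}

# The restriction list exactly as quoted in the question.
RESTRICTIONS = [
    "check_client_access hash:/etc/postfix/access",
    "reject_rbl_client anti-spam.org.cn",
    "permit_mynetworks",
    "permit_inet_interfaces",
    "permit_sasl_authenticated",
    "reject",
]


def evaluate(restrictions, client, mynetworks=MYNETWORKS,
             inet_interfaces=INET_INTERFACES, access_map=None):
    """Return (verdict, restriction) for the first entry that decides.

    Note that client["tls"] is never consulted: TLS alone does not authorize.
    """
    access_map = access_map or {}
    ip = ipaddress.ip_address(client["ip"])
    for r in restrictions:
        if r.startswith("check_client_access"):
            verdict = access_map.get(client["ip"])  # simplified: exact-IP keys only
            if verdict == "REJECT":
                return ("REJECT", r)
            if verdict == "OK":
                return ("PERMIT", r)
        elif r.startswith("reject_rbl_client"):
            pass  # DNSBL lookup not modelled; treated as DUNNO (assumption)
        elif r == "permit_mynetworks":
            if any(ip in net for net in mynetworks):
                return ("PERMIT", r)
        elif r == "permit_inet_interfaces":
            if client["ip"] in inet_interfaces:
                return ("PERMIT", r)
        elif r == "permit_sasl_authenticated":
            if client["sasl_username"]:
                return ("PERMIT", r)
        elif r == "reject":
            return ("REJECT", r)
        else:
            raise ValueError(f"unmodelled restriction: {r}")
    return ("DUNNO", None)  # list exhausted: later restriction stages decide
```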
