On 23 Feb 2018, at 3:49, Nikolaos Milas wrote:

Hello,

We are using Postfix v3.2.4 and we are facing the following problem: A client (a data storage system) with an IPv6 address of [2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport) email and it's being denied access:

Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT from unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1 <autosupp...@autosupport.datadomain.com>: Relay access denied; from=<sysad...@noa.gr> to=<autosupp...@autosupport.datadomain.com> proto=SMTP helo=<DD2500.astro.private.noa.gr>

All /48 IPv6 address block is included in mynetworks: ..., [2001:648:2011::]/48, ...

The client does not support TLS or authentication. For such clients we provide explicit permission:

smtpd_client_restrictions =
  ...
  check_client_access cidr:/etc/postfix/non-tls-clients.cidr
  permit_sasl_authenticated
  reject

where /etc/postfix/non-tls-clients.cidr:

   ...
   [2001:648:2011:a21:320e:d5ff:fec6:b55]   OK
   ...

Please, be kind to help me understand what is causing this client rejection and correct my postfix configuration.

postconf -n follows:
[...]
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/localhost.cidr check_client_access cidr:/etc/postfix/gwservers.cidr check_client_access cidr:/etc/postfix/non-tls-clients.cidr permit_sasl_authenticated reject
[...]
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/protected_destinations permit_sasl_authenticated reject_unverified_recipient reject_unauth_destination

The restriction lists in Postfix are run in a fixed logical order (client, helo, sender, relay, recipient, data, end_of_data) and 'OK' from an early restriction list (smtpd_client_restrictions) *DOES NOT* prevent 'REJECT' by a later restriction list (smtpd_recipient_restrictions.) OK only terminates a single restriction list, not the whole set of lists, so in this case the transaction is exiting the smtpd_client_restrictions list with OK at "check_client_access cidr:/etc/postfix/non-tls-clients.cidr" but it still must pass through smtpd_recipient_restrictions, where it is rejected by "reject_unauth_destination" because you are not the final destination for the recipient domain nor do you have the recipient domain in $relay_domains.

See the SMTPD_ACCESS_README file for complete details.
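
A simplified model of the evaluation order described in the reply above, added here as an example; it is not Postfix code and not from either poster. It models only the restrictions that decide this transaction (the other table lookups and reject_unverified_recipient are left out), LOCAL_DOMAINS is an assumed placeholder for the domains the server accepts mail for, and the WHAT_IF variant is a hypothetical ordering used to show the rule, not a setting quoted from the thread.

```python
import ipaddress

# Constructed inputs modelled on the thread; LOCAL_DOMAINS is an assumed placeholder.
NON_TLS_CLIENTS = [ipaddress.ip_network("2001:648:2011:a21:320e:d5ff:fec6:b55/128")]
LOCAL_DOMAINS = {"local.example"}

def check_client_access(ctx):
    # A cidr table hit returns OK; a miss returns DUNNO (keep evaluating this list).
    hit = any(ctx["client"] in net for net in NON_TLS_CLIENTS)
    return "OK" if hit else "DUNNO"

def permit_sasl_authenticated(ctx):
    return "OK" if ctx["sasl_authenticated"] else "DUNNO"

def reject(ctx):
    return "REJECT"

def reject_unauth_destination(ctx):
    return "DUNNO" if ctx["rcpt_domain"] in LOCAL_DOMAINS else "REJECT"

def run_list(restrictions, ctx):
    """The first non-DUNNO result ends this one list only."""
    for restriction in restrictions:
        result = restriction(ctx)
        if result != "DUNNO":
            return result, restriction.__name__
    return "DUNNO", None

def evaluate(lists, ctx):
    """Run every list in order; only REJECT stops the whole transaction."""
    trace = []
    for name, restrictions in lists:
        result, decided_by = run_list(restrictions, ctx)
        trace.append((name, result, decided_by))
        if result == "REJECT":
            return "REJECT", trace
    return "PERMIT", trace

CLIENT_LIST = [check_client_access, permit_sasl_authenticated, reject]
RECIPIENT_LIST = [permit_sasl_authenticated, reject_unauth_destination]
AS_POSTED = [("smtpd_client_restrictions", CLIENT_LIST),
             ("smtpd_recipient_restrictions", RECIPIENT_LIST)]
# Hypothetical what-if: the same table lookup placed ahead of reject_unauth_destination.
WHAT_IF = [("smtpd_client_restrictions", CLIENT_LIST),
           ("smtpd_recipient_restrictions", [check_client_access] + RECIPIENT_LIST)]
CTX = {"client": ipaddress.ip_address("2001:648:2011:a21:320e:d5ff:fec6:b55"),
       "sasl_authenticated": False, "rcpt_domain": "autosupport.datadomain.com"}

if __name__ == "__main__":
    for label, lists in (("as posted", AS_POSTED), ("what-if", WHAT_IF)):
        print(label, *evaluate(lists, CTX), sep="\n  ")
```

The "as posted" trace shows OK from the client list followed by REJECT from reject_unauth_destination, matching the logged "Relay access denied".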
