Below is a postmaster notification about a relay attempt.  The
notification is from my server running 3.4.7 on debian stable.

 Out: 220 ESMTP Postfix (Debian/GNU)
 In:  HELO win-sa71d6ou2qs.domain
 Out: 250
 In:  MAIL FROM:<>
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<*******>
 Out: 554 5.7.1 <*******>: Relay access denied

(I've obscured the recipient address.)  This notification makes sense
to me.

   # postconf smtpd_relay_restrictions
   smtpd_relay_restrictions = permit_mynetworks,
      permit_sasl_authenticated, reject_unauth_destination

   # postconf smtpd_recipient_restrictions
   smtpd_recipient_restrictions = permit_mynetworks,
      permit_sasl_authenticated, reject_non_fqdn_recipient,
      reject_unknown_recipient_domain, reject_unauth_pipelining,
      reject_unverified_recipient, check_policy_service

The destination domain,, is not mine and is not a relay
domain, so the RCTP TO gets rejected.  So far so good.  (If I've
already misunderstood something, let me know!)

In the log however are things I don't understand.  The log extract is
below, with lines numbered for reference.

Why did my server contact google (lines 7 and 8)?

Is line 8 an "address verification probe"?

Why did reject_unauth_destination (line 11) only take effect after the
probe (line 8, if that's what it is) and after check_policy_service
(line 10)?

Did smtpd_relay_restrictions apply only after

What have I misunderstood or misconfigured?


[Begin log]
 1 Nov 18 01:28:37 rolly postfix/postscreen[26770]: CONNECT from
   []:61693 to []:25

 2 Nov 18 01:28:43 rolly postfix/postscreen[26770]: PASS NEW

 3 Nov 18 01:28:43 rolly postfix/smtpd[26774]: warning: hostname does not resolve to address Name or service not known

 4 Nov 18 01:28:43 rolly postfix/smtpd[26774]: connect from

 5 Nov 18 01:28:44 rolly postfix/cleanup[26776]: 564F4A0054:

 6 Nov 18 01:28:44 rolly postfix/qmgr[5583]: 564F4A0054:
   from=<>, size=266, nrcpt=1 (queue active)

 7 Nov 18 01:28:44 rolly postfix/smtp[26777]: Trusted TLS connection
   established to[2a00:1450:4013:c07::1a]:25:
   TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange
   X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

 8 Nov 18 01:28:44 rolly postfix/smtp[26777]: 564F4A0054:
   delay=0.5, delays=0.01/0.03/0.33/0.13, dsn=2.1.5, status=deliverable
   (250 2.1.5 OK j5si12868810edc.195 - gsmtp)

 9 Nov 18 01:28:44 rolly postfix/qmgr[5583]: 564F4A0054: removed

10 Nov 18 01:28:47 rolly policyd-spf[26779]: prepend
   Authentication-Results:; spf=none (no SPF record) (client-ip=;

11 Nov 18 01:28:47 rolly postfix/smtpd[26774]: NOQUEUE: reject: RCPT from
   unknown[]: 554 5.7.1 <*******>: Relay access
   denied; from=<> to=<*******> proto=SMTP

12 Nov 18 01:28:47 rolly postfix/smtpd[26774]: lost connection after RCPT
   from unknown[]
[End log]


Reply via email to