Below is a postmaster notification about a relay attempt. The
notification is from my server running 3.4.7 on debian stable.
Out: 220 mail.acrasis.net ESMTP Postfix (Debian/GNU)
In: HELO win-sa71d6ou2qs.domain
Out: 250 mail.acrasis.net
In: MAIL FROM:<t...@test.com>
Out: 250 2.1.0 Ok
In: RCPT TO:<*******@gmail.com>
Out: 554 5.7.1 <*******@gmail.com>: Relay access denied
(I've obscured the recipient address.) This notification makes sense
to me.
# postconf smtpd_relay_restrictions
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
# postconf smtpd_recipient_restrictions
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_unauth_pipelining,
reject_unverified_recipient, check_policy_service
unix:private/policyd-spf
The destination domain, gmail.com, is not mine and is not a relay
domain, so the RCTP TO gets rejected. So far so good. (If I've
already misunderstood something, let me know!)
In the log however are things I don't understand. The log extract is
below, with lines numbered for reference.
Why did my server contact google (lines 7 and 8)?
Is line 8 an "address verification probe"?
Why did reject_unauth_destination (line 11) only take effect after the
probe (line 8, if that's what it is) and after check_policy_service
(line 10)?
Did smtpd_relay_restrictions apply only after
smtpd_recipient_restrictions?
What have I misunderstood or misconfigured?
Thanks.
[Begin log]
1 Nov 18 01:28:37 rolly postfix/postscreen[26770]: CONNECT from
[162.246.19.201]:61693 to [46.235.227.79]:25
2 Nov 18 01:28:43 rolly postfix/postscreen[26770]: PASS NEW
[162.246.19.201]:61693
3 Nov 18 01:28:43 rolly postfix/smtpd[26774]: warning: hostname
rever.aftermathdevelopment.com does not resolve to address
162.246.19.201: Name or service not known
4 Nov 18 01:28:43 rolly postfix/smtpd[26774]: connect from
unknown[162.246.19.201]
5 Nov 18 01:28:44 rolly postfix/cleanup[26776]: 564F4A0054:
message-id=<20191118012844.564f4a0...@mail.acrasis.net>
6 Nov 18 01:28:44 rolly postfix/qmgr[5583]: 564F4A0054:
from=<double-bou...@acrasis.net>, size=266, nrcpt=1 (queue active)
7 Nov 18 01:28:44 rolly postfix/smtp[26777]: Trusted TLS connection
established to gmail-smtp-in.l.google.com[2a00:1450:4013:c07::1a]:25:
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange
X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
8 Nov 18 01:28:44 rolly postfix/smtp[26777]: 564F4A0054:
to=<*******@gmail.com>,
relay=gmail-smtp-in.l.google.com[2a00:1450:4013:c07::1a]:25,
delay=0.5, delays=0.01/0.03/0.33/0.13, dsn=2.1.5, status=deliverable
(250 2.1.5 OK j5si12868810edc.195 - gsmtp)
9 Nov 18 01:28:44 rolly postfix/qmgr[5583]: 564F4A0054: removed
10 Nov 18 01:28:47 rolly policyd-spf[26779]: prepend
Authentication-Results: mail.acrasis.net; spf=none (no SPF record)
smtp.mailfrom=test.com (client-ip=162.246.19.201;
helo=win-sa71d6ou2qs.domain; envelope-from=t...@test.com;
receiver=<UNKNOWN>)
11 Nov 18 01:28:47 rolly postfix/smtpd[26774]: NOQUEUE: reject: RCPT from
unknown[162.246.19.201]: 554 5.7.1 <*******@gmail.com>: Relay access
denied; from=<t...@test.com> to=<*******@gmail.com> proto=SMTP
helo=<win-sa71d6ou2qs.domain>
12 Nov 18 01:28:47 rolly postfix/smtpd[26774]: lost connection after RCPT
from unknown[162.246.19.201]
[End log]
--
Nick
