4

Sending an email from my local network works fine, also through Thunderbird or remotely with Roundcube, which is installed locally. But now I am in Asia and am trying to send an email with Thunderbird. The following error is in the log:

postfix/submission/smtpd[4588]: NOQUEUE: reject: RCPT from unknown[110.170.163.146]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [110.170.163.146]; from=<<me>@<mydomain.com>> to=<<me>@<mydomain.co>> proto=ESMTP helo=<[10.10.3.55]>

dig +short -t A mail.<mydomain.com> gives: xxx.xxx.xxx.xxx, the IP of my server.

dig +short -x 110.170.163.146 gives: 110-170-163-146.static.asianet.co.th. Here you can see that I am now in Thailand.

In Thunderbird I have:

Server Name: mail.<mydomain.com>
Port: 587
Connection security: STARTTLS
Authentication method: Normal password
Username: <me>@<mydomain.com>

All smtpd lines in master.cf:

submission     inet     n    -    y    -    -    smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=inet:10.89.0.10:12345

All smtpd rules in main.cf:

smtpd_tls_cert_file = /etc/letsencrypt/live/mail.<mydomain.com>/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.<mydomain.com>/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:dovecot:12345
reject_unauth_destination, check_policy_service unix:private/spfcheck check_sender_access /etc/postfix/sender_access check_recipient_access /etc/postfix/recipient_access
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/spfcheck
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_client_restrictions = permit_mynetworks, reject_unknown_reverse_client_hostname

As far as I can tell, the error message is "reverse hostname" related. I am outside my normal hostname. But Thunderbird should log in and still send the email.

Does anyone have any idea how to solve this issue?

anx
  • 10,888

1 Answer

6

What is happening is that your submission service is inheriting the main.cf options. Those deviations from the Postfix defaults may not be unreasonable for server-to-server mail exchange. But for clients connecting from just about anywhere (not through fixed uplinks or VPN), a resolvable reverse name cannot be expected.

It also is unnecessary to demand both reverse name and sasl. The name submitted during authentication serves as a much more useful identifier anyway (unique, locally administered, verified).

Suggested fix: Override the relevant option for the authentication-only port(s) in your master.cf, as is already done with the restriction set demanding authentication:

submission     inet     n    -    y    -    -    smtpd
  -o ...
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=
  -o ...
  -o ...

After making changes, reload configuration (depending on distribution, something like systemctl reload postfix) and check logs produced during startup.

anx
  • 10,888
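The inheritance described in the answer can be checked offline. The following is an added example, not code from the question, the answer or the Postfix project: it merges main.cf with each service's `-o` overrides and lists authentication-only services that still carry a client hostname check. The sample config is constructed from the question's settings, the function names are hypothetical, and the parser is simplified (it does not handle the `-o { name = value }` form).

```python
# Constructed sample, reduced from the configuration quoted in the question.
MAIN_CF = """\
smtpd_client_restrictions = permit_mynetworks, reject_unknown_reverse_client_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""
MASTER_CF = """\
smtp           inet     n    -    y    -    -    smtpd
submission     inet     n    -    y    -    -    smtpd
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""
FIX = "  -o smtpd_client_restrictions=\n"  # the override suggested in the answer
HOSTNAME_CHECKS = {"reject_unknown_reverse_client_hostname", "reject_unknown_client_hostname"}


def logical_lines(text):
    """Drop comments and blanks; join indented continuation lines to their parent."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out


def effective(main_cf, master_cf):
    """Return {"service/type": merged parameters}; -o overrides win over main.cf."""
    main = {k.strip(): v.strip() for k, v in (ln.split("=", 1) for ln in logical_lines(main_cf) if "=" in ln)}
    result = {}
    for fields in map(str.split, logical_lines(master_cf)):
        args = fields[8:]  # fields 0-7: service type private unpriv chroot wakeup maxproc command
        pairs = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-o" and "=" in args[i + 1]]
        result[f"{fields[0]}/{fields[1]}"] = {**main, **dict(p.split("=", 1) for p in pairs)}
    return result


def auth_only_with_hostname_check(main_cf, master_cf):
    """Services that admit only SASL-authenticated clients at RCPT yet still apply
    a client hostname check inherited from main.cf."""
    flagged = []
    for name, params in effective(main_cf, master_cf).items():
        rcpt = params.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
        client = params.get("smtpd_client_restrictions", "").replace(",", " ").split()
        if "permit_sasl_authenticated" in rcpt and rcpt[-1:] == ["reject"] and HOSTNAME_CHECKS & set(client):
            flagged.append(name)
    return flagged
```

Calling `auth_only_with_hostname_check(MAIN_CF, MASTER_CF)` flags `submission/inet`; with `MASTER_CF + FIX` nothing is flagged, while the port 25 service keeps its reverse-hostname check.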