
I'm trying to use Zend Mail SMTP to send email from my PHP app with login authentication, and it gives me this constant error that I don't know how to deal with. I looked into the 36 questions here on serverfault.com, changing parameters as they explain, without success.

The data:

  • My Postfix version is 2.6.6
  • I'm on CentOS 6.5
  • I'm trying to use Postfix and Dovecot with Dovecot SASL
  • My users are virtual users
  • I'm able to send mail via telnet on port 25 and 587
  • 5000 is my Postfix user
  • The IPs where I'm testing my app (if it helps) are listed on bl.spamcannibal.org, b.barracudacentral.org, pbl.spamhaus.org and zen.spamhaus.org
  • My server IP is not listed

Telnet to 587 looks like this:

Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.mydomain.com ESMTP Postfix
ehlo localhost
250-mail.mydomain.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Testing my SSL with:

openssl s_client -starttls smtp -crlf -connect mail.mydomain.com:25

gives me this answer; last lines (I assume it is OK):

Verify return code: 18 (self signed certificate)
---
250 DSN

If you need anything more, just ask.

I need to know, if you know, where this error comes from, at least.

Jan 13 13:44:16 domainname postfix/smtpd[22902]: NOQUEUE: reject: RCPT from mydomain.com[XX:XX:MY:IP]: 554 5.7.1 <mipersonalemail@hotmail.com>: Recipient address rejected: Access denied; from=<no-replay@mydomain.com> to=<mipersonalemail@hotmail.com> proto=ESMTP helo=<domainname>

My non-default Postfix config (postconf -n) gives me this: /postfix/main.cf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.1 xx:xx:xx:xx 127.0.0.0/8
myorigin = $mydomain
queue_directory = /var/spool/postfix
relay_domains = mysql:/etc/postfix/mysql_relay_domains.cf
relayhost = $mydomain
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtpd_client_restrictions = sleep 1,reject_unauth_pipelining,permit_sasl_authenticated
smtpd_delay_reject = yes
smtpd_error_sleep_time = 30
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks permit_tls_clientcerts reject_unauth_pipelining reject_non_fqdn_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unauth_destination reject_invalid_hostname reject_rbl_client bl.spamcop.net reject_rbl_client b.barracudacentral.org reject_rbl_client sbl-xbl.spamhaus.org reject_rbl_client pbl.spamhaus.org reject_rbl_client zen.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = 
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 10
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /path/to/my/domain.crt
smtpd_tls_key_file = /path/to/my/domain.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_source = dev:/dev/urandom

And my master.cf looks like this:

smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,permit
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Any suggestion would be good help.

MikZuit
  • The error comes from `smtpd_recipient_restrictions` on the `submission` service in *master.cf*. You only permit a client who authenticated via SASL. Did you set that properly? – masegaloeh Jan 13 '15 at 14:34
  • Also, you should only need to use `permit_sasl_authenticated` once in the `smtpd_XXX_restrictions` as it won't be setting up multiple sasl connections for each test, and if any of the steps rejects it, it will end up rejected in totality. – NickW Jan 13 '15 at 14:38
  • @masegaloeh I set that according to this wiki http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL, except for the "permit" at the end of smtpd_client_restrictions in submission, which was just something I changed for testing purposes; if I replace that permit with a reject as in the wiki page, it now gives me a "Client host rejected: Access denied". – MikZuit Jan 13 '15 at 16:31
  • @NickW you mean in the main.cf and master.cf? Could you be more specific? – MikZuit Jan 13 '15 at 16:32
  • Basically, all of the `smtpd_` series restrictions are in series, each testing a certain set of criteria. When you walk through those lists, there are three possible answers to the check: `YES`, `NO`, `DUNNO`. Both `YES` and `NO` are short circuits (though NO means end all checks), meaning skip the rest of the checks for that line. `permit_sasl_authenticated,deny` on one of those lines would ensure that only SASL authenticated clients got to the next checks. P.S. some, like `permit_mynetworks`, are a `YES DUNNO` pair: it matches, or moves on to the next. – NickW Jan 13 '15 at 16:41
  • It's not wrong the way you're doing it, it just makes things harder to read, and to understand where the connection is stopped. BTW, masegaloeh is right: permit_sasl_authenticated means they are authenticating via SASL, not just making an SSL/TLS connection. – NickW Jan 13 '15 at 16:44
  • @NickW I think I got you now, reading http://www.postfix.org/master.5.html; I'll tell you something in a moment. – MikZuit Jan 13 '15 at 17:14

1 Answer


In this line:

-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

You are rejecting unauthenticated messages on the submission port. You need to change the test to authenticate (AUTH command), or replace reject with reject_unauth_destination.

Reinaldo Gil
  • Sorry for not coming here before, I was busy. This is actually what I did, and everything looks fine since then. Thanks anyway; I'm going to accept this answer because it is what I already have done. – MikZuit Jan 15 '15 at 21:15
  • This comment saved my development environment, thank you – MiPnamic Nov 23 '15 at 16:37
  • Even after this long a period, this answer still holds true (because there are too many bad blogs out there, such as https://www.ait.com/tech-corner/11480-how-to-setup-postfix-and-dovecotnbspon-a-vpsnbsp ) – John Greene Dec 30 '19 at 22:55
  • I was searching to solve this problem for more than two days, with no luck, not finding why mails were not being delivered to mailboxes! Thanks to telnet and your flawless answer to its error message! – Mojtaba Rezaeian Jan 08 '20 at 06:55