Client host rejected: Access denied

I’ve had this problem before, but the usual fixes won’t work.
I made a copy of a working virtualmin box (virtualized).
However, on the new webserver no mail is received:

I’ve changed the hostname in this output to ‘host’ and obfuscated IPs etc.

[root@host ~]# tail -f /var/log/maillog
Dec 28 15:35:20 li postfix/smtpd[8258]: NOQUEUE: reject: RCPT from host2[1.2.3.4]: 554 5.7.1 : Client host rejected: Access denied; from= to= proto=ESMTP helo=
Dec 28 15:35:20 li postfix/smtpd[8258]: disconnect from host2[1.2.3.4]

I already tried changing my hostname in /etc/hosts and have added the ‘-r’ option in /etc/sysconfig/saslauthd.

My config:

[root@host ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = host
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = SMTP na. Only authorized access permitted.
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
smtpd_recipient_limit = 50
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_rhsbl_client blackhole.securitysage.com, reject_rhsbl_sender blackhole.securitysage.com, reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org, reject_rbl_client sbl.spamhaus.org, reject_unknown_reverse_client_hostname, permit
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

I guess we’d need some more information. What exactly did you try when the error occurred? Anything in the auth log?

I’ve tried sending a mail to the test@testdomain user on this system from myemailaddress.
It bounced (undelivered mail returned to sender) with a 554 5.7.1 error.

What do you mean with the ‘auth’ log?

Howdy,

The auth.log file is an awesomely helpful logfile on Ubuntu/Debian… CentOS, which it looks like you’re using, doesn’t use that though :slight_smile:

However, I suspect the issue is something in this line in your Postfix config:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_rhsbl_client blackhole.securitysage.com, reject_rhsbl_sender blackhole.securitysage.com, reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org, reject_rbl_client sbl.spamhaus.org, reject_unknown_reverse_client_hostname, permit

If you change that back to the default (temporarily, at least), are you then able to send an email?

The default line looks like this:

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

After changing that, restart Postfix:

/etc/init.d/postfix restart

Tried, no change.
And as I noted, the main.cf is a copy from a working virtualmin server…
I’m using @ in usernames (and changed the virtualmin settings accordingly), but on the other server it works without problems.

According to http://nixcraft.com/centos-rhel-fedora/13804-enable-auth-log-authenication-logs.html the auth log is /var/log/secure under CentOS. I’ve checked this log, but no errors are reported.

Any other suggestions?

Hi,

What did you do just before this issue presented itself?

-Peter

I’ve imported the virtual machine into another hypervisor :slight_smile:
Then I added a new domain and tried importing a backup. In both cases mail would not be delivered.

I finally found it.
In master.cf this line was present:

-o smtpd_client_restrictions=permit_sasl_authenticated,reject

Changed it to

-o smtpd_client_restrictions=permit_sasl_authenticated,permit

I think it had something to do with the other server on which I used smtpd authentication. Don’t know why it works on the other server though.
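
Added example, not part of the thread: a `-o` override in master.cf takes precedence over main.cf for that one service, which is why editing smtpd_recipient_restrictions in main.cf changed nothing here. The Python sketch below lists every smtpd restriction override in a master.cf that ends in `reject`, so a line like the one quoted above is found per service. The sample master.cf is constructed, and attaching the override to the `smtp` service is an assumption; the thread does not say which service carried it.

```python
import re

# Constructed sample master.cf (not the poster's file). Attaching the override
# to "smtp" is an assumption; on "submission" such a line is the usual setup.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet n       -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    fifo  n       -       n       60      1       pickup
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def overrides(text):
    """Return {(service, type): {param: value}} built from each -o override."""
    result = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) >= 8:  # 7 fixed columns, then the command and its args
            args = " ".join(fields[8:])
            result[(fields[0], fields[1])] = dict(
                re.findall(r"-o\s+(\w+)=(\S+)", args))
    return result

def blocks_unauthenticated(text):
    """List (service, param, value) where an smtpd restriction override ends in
    'reject', so any client not permitted earlier is refused on that service."""
    hits = []
    for (svc, _type), opts in overrides(text).items():
        for param, value in opts.items():
            is_restriction = re.fullmatch(r"smtpd_\w+_restrictions", param)
            if is_restriction and value.split(",")[-1] == "reject":
                hits.append((svc, param, value))
    return hits

if __name__ == "__main__":
    for svc, param, value in blocks_unauthenticated(SAMPLE_MASTER_CF):
        note = "refuses inbound MX mail" if svc in ("smtp", "25") else "auth-only"
        print(f"{svc}: {param}={value}  [{note}]")
```

A hit on the `smtp` (port 25) service means unauthenticated mail from other servers is refused there with "Client host rejected: Access denied"; the same override on `submission` only enforces authentication for mail clients.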