My email server worked fine till now but for unknown reasons, possibly after setting up a forced TLS connection, I am no longer able to receive emails; I did test it during the TLS configuration though, and I'm pretty sure it was working at the time. Sending still works, so does connecting and using Roundcube.
I have tried cleaning up both my master.cf and main.cf but to no avail, and I cannot understand what is happening.
What's bugging me the most is that the restriction list Postfix seems to use is the one for the relay and not the one for the recipient, and I cannot fathom why it would not use the recipient's.
Postfix version: 2.11.3
The log file (debug enabled):
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: generic_checks: name=reject_unknown_sender_domain status=0
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: >>> END Sender address RESTRICTIONS <<<
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: >>> START Recipient address RESTRICTIONS <<<
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: generic_checks: name=permit_mynetworks
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: permit_mynetworks: mail-il1-f172.google.com 209.85.166.172
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: match_hostname: mail-il1-f172.google.com ~? 127.0.0.0/8
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: match_hostaddr: 209.85.166.172 ~? 127.0.0.0/8
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: match_hostname: mail-il1-f172.google.com ~? [::ffff:127.0.0.0]/104
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: match_hostaddr: 209.85.166.172 ~? [::ffff:127.0.0.0]/104
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: match_hostname: mail-il1-f172.google.com ~? [::1]/128
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: match_hostaddr: 209.85.166.172 ~? [::1]/128
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: match_hostname: mail-il1-f172.google.com ~? 88.191.5.85/32
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: match_hostaddr: 209.85.166.172 ~? 88.191.5.85/32
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: match_list_match: mail-il1-f172.google.com: no match
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: match_list_match: 209.85.166.172: no match
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: generic_checks: name=permit_mynetworks status=0
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: generic_checks: name=reject_unauth_destination
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: reject_unauth_destination: me@myaddress.com
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: permit_auth_destination: me@myaddress.com
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: ctable_locate: move existing entry key me@myaddress.com
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: generic_checks: name=reject_unauth_destination status=0
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: generic_checks: name=permit_sasl_authenticated
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: generic_checks: name=permit_sasl_authenticated status=0
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: generic_checks: name=reject
## ERROR HERE ## Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: NOQUEUE: reject: RCPT from mail-il1-f172.google.com[209.85.166.172]: 554 5.7.1 <me@myaddress.com>: Recipient address rejected: Access denied; from=<me@gmail.com> to=<me@myaddress.com> proto=ESMTP helo=<mail-il1-f172.google.com>
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: generic_checks: name=reject status=2
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: >>> END Recipient address RESTRICTIONS <<<
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: report recipient to all milters (flags=0x1)
Nov 13 00:08:01 sd-123 postfix/smtpd[6005]: > mail-il1-f172.google.com[209.85.166.172]: 554 5.7.1 <me@myaddress.com>: Recipient address rejected: Access denied
Here's the output of postconf -nf:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
debug_peer_list = 209.85.166.0/24
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 1280000000
milter_connect_macros = i j {daemon_name} v {if_name} _
milter_default_action = accept
milter_protocol = 6
mydestination = myaddress.com mail.myaddress.com, sd-123.hoster.com,
localhost.hoster.com, localhost
myhostname = myaddress.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 some.ip.addr/32
myorigin = /etc/mailname
non_smtpd_milters = unix:/opendkim/opendkim.sock,unix:/opendmarc/opendmarc.sock
policyd-spf_time_limit = 3600
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
smtp_tls_CAfile = /etc/letsencrypt/live/myaddress.com/fullchain.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_milters =
unix:/spamass/spamass.sock,unix:/opendkim/opendkim.sock,unix:/opendmarc/opendmarc.sock
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
check_policy_service unix:private/policyd-spf, reject_unauth_pipelining,
reject_invalid_hostname, reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net,
reject_unauth_destination, permit
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination,
permit_sasl_authenticated, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
permit_tls_clientcerts, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/letsencrypt/live/myaddress.com/fullchain.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/myaddress.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/myaddress.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
virtual_alias_maps =
mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
Output of postconf -Mf:
smtp inet n - - - - smtpd
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf
-o smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,permit_tls_clientcerts,reject_non_fqdn_sender,reject_unknown_sender_domain
-o smtpd_sasl_local_domain=$myhostname
pickup unix n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn
argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq.
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
${user} ${extension}
mailman unix - n n - - pipe flags=FR
user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
${user}
policyd-spf unix - n n - 0 spawn user=policyd-spf
argv=/usr/bin/policyd-spf
Relevant submission conf from master.cf:
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf
#-o smtpd_sender_restrictions=reject_sender_login_mismatch -- ORIGINAL // new value was extracted from main.cf
-o smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,permit_tls_clientcerts,reject_non_fqdn_sender,reject_unknown_sender_domain
-o smtpd_sasl_local_domain=$myhostname
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject ;; original value, but main.cf should be better
Relevant conf from main.cf:
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination, permit_sasl_authenticated, reject
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
check_policy_service unix:private/policyd-spf,
reject_unauth_pipelining,
reject_invalid_hostname,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client dnsbl.sorbs.net,
reject_unauth_destination,
permit
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = encrypt
smtp_tls_security_level = may
smtpd_sasl_security_options = noanonymous
EDIT: Removed -o smtpd_client_restrictions=permit_sasl_authenticated,reject from master.cf, added output of postconf -Mf.
Best Answer
A friend of mine found the issue. Postfix evaluates all restriction lists, including the relay one, for received emails. Since my configuration had a "reject" at the end of smtpd_relay_restrictions, the smtpd_recipient_restrictions list was never evaluated. Changing the reject to defer_unauth_destination did the trick.
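To make the mechanism in this answer concrete, here is a small Python model of the restriction-list walk visible in the debug log (an added example, not Postfix code or the answerer's); it also shows, one step beyond the page, why Postfix's default relay list puts permit_sasl_authenticated before defer_unauth_destination. It assumes the Postfix 2.10+ ordering (smtpd_relay_restrictions before smtpd_recipient_restrictions), the status values seen in the log (0 no decision, 2 reject), and leaves out check_policy_service, reject_rbl_client and the syntax checks, which return no decision for the logged message.

```python
# Added example, not Postfix source: a simplified model of how smtpd walks its
# restriction lists, using the status values from the page's debug log
# (generic_checks ... status=0 = no decision, status=2 = reject).
DUNNO, OK, REJECT = 0, 1, 2

class Client:
    """What the modelled restrictions need to know about one RCPT TO command."""
    def __init__(self, sasl_authenticated, in_mynetworks, recipient_is_local):
        self.sasl_authenticated = sasl_authenticated  # SASL login succeeded?
        self.in_mynetworks = in_mynetworks            # client IP in $mynetworks?
        self.recipient_is_local = recipient_is_local  # domain in mydestination etc.?

# Each restriction returns DUNNO (keep going), OK (permit, stop) or REJECT (stop).
def permit_mynetworks(c):         return OK if c.in_mynetworks else DUNNO
def permit_sasl_authenticated(c): return OK if c.sasl_authenticated else DUNNO
def reject_unauth_destination(c): return DUNNO if c.recipient_is_local else REJECT  # 5xx
def defer_unauth_destination(c):  return DUNNO if c.recipient_is_local else REJECT  # 4xx
def reject(c):                    return REJECT
def permit(c):                    return OK

def evaluate(lists, client):
    """Walk the lists in order; the first restriction that returns a decision
    wins.  If every list ends without a decision the RCPT TO is accepted."""
    for list_name, restrictions in lists:
        for check in restrictions:
            status = check(client)
            if status != DUNNO:
                return status, list_name, check.__name__
    return OK, None, "end of lists"

# The page's lists reduced to the restrictions that decide this case.
RECIPIENT = ("smtpd_recipient_restrictions",
             [permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit])
RELAY_AS_POSTED = ("smtpd_relay_restrictions",
                   [permit_mynetworks, reject_unauth_destination, permit_sasl_authenticated, reject])
RELAY_AS_FIXED = ("smtpd_relay_restrictions",
                  [permit_mynetworks, reject_unauth_destination, permit_sasl_authenticated,
                   defer_unauth_destination])

def decide(relay_list, client):
    """Postfix 2.10+ order: smtpd_relay_restrictions, then smtpd_recipient_restrictions."""
    return evaluate([relay_list, RECIPIENT], client)

if __name__ == "__main__":
    # Constructed case matching the log: Google's MX, unauthenticated, local recipient.
    gmail_to_me = Client(sasl_authenticated=False, in_mynetworks=False, recipient_is_local=True)
    print(decide(RELAY_AS_POSTED, gmail_to_me))  # (2, 'smtpd_relay_restrictions', 'reject')
    print(decide(RELAY_AS_FIXED, gmail_to_me))   # (1, 'smtpd_recipient_restrictions', 'permit')
```

With the posted list the walk stops at the trailing reject before the recipient list is ever consulted, exactly as the log shows; with reject_unauth_destination placed before permit_sasl_authenticated, an authenticated client outside mynetworks still cannot relay to an outside domain, which the default order (permit_sasl_authenticated first) avoids.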