Postfix - "5.7.1 : Client host rejected" incoming

I've just set up a Gentoo Linode with a Postfix/Courier-IMAP/MySQL/Roundcube schema. Local mail is working perfectly, outgoing mail (from console telnet localhost 25 and from Roundcube) also works. We don't have a DNS A or MX record yet, which may make debugging this tricky.

The problem is that I can't receive any mail. Below is a telnet session from my home pc:

    hazuki@yagokoro-eirin ~ $ telnet 66.228.35.176 25
    Trying 66.228.35.176…
    Connected to 66.228.35.176.
    Escape character is '^]'.
    220 mail.anshell.com ESMTP Postfix (2.7.3)
    ehlo gmail.com
    250-mail.anshell.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    mail from:azumahazuki@gmail.com
    250 2.1.0 Ok
    rcpt to:sales@anshell.com
    554 5.7.1 : Client host rejected: Access denied

Postfix is pretty persnickety, and I'm not sure what's causing this. I'm guessing it's something in `smtpd_*_restrictions`. My main.cf follows below (the helo_access map only contains three ways to reference the local host from OUTSIDE, which NO legit sender would ever use, and rather strongly-worded REJECT messages for them).

    # BEGIN DEFAULT POSTFIX SETTINGS
    # Some parameters for postfix itself to use
    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = //usr/lib/postfix
    data_directory = /var/lib/postfix
    sendmail_path = /usr/sbin/sendmail
    newaliases_path = /usr/bin/newaliases
    mailq_path = /usr/bin/mailq
    setgid_group = postdrop
    mail_owner = postfix
    default_privs = nobody
    myhostname = mail.anshell.com
    mydomain = mail.anshell.com
    debug_peer_level = 2
    debug_peer_list = 127.0.0.1

    # Sending mail
    myorigin = $mydomain

    # Receiving mail
    # By default, set this to localhost. Gentoo's config is "any," and someone in #postfix had "localhost"
    inet_interfaces = all
    # The mydestination param is, near as I can make out, what postfix does with mail coming in for one of its
    # defined mailboxen. I guess if this were an MX relay it would point somewhere else…?
    mydestination = $mydomain

    # Rejecting mail - unknown local users
    # If a message comes in for someone we don't have a mailbox for, bounce it with err 550
    unknown_local_recipient_reject_code = 550

    # Relay control
    # We really, really don't want anyone using this box as a relay, so we're going to trust only
    # the /24 segment of 127.0.0.0 for this. Possibly this can be done without the /24?
    mynetworks = 127.0.0.0/24
    # Blank these out just to be absolutely certain
    relay_domains = all
    relayhost =

    # Aliases
    # Since I'll be using MySQL for this, I won't list the usual /etc/mail/aliases here.

    # Delivery to mailboxen
    # For QMail-style delivery (we're using Courier-IMAP and need these)
    home_mailbox = Maildir/
    # Default MBox-style delivery destination. We won't be using these but define anyway…
    mail_spool_directory = /var/spool/mailbox

    # When a client (or a curious little mousie with telnet) connects, we need to show a banner.
    # According to specifications (RFC), $myhostname needs to be at the start.
    smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
    # END DEFAULT POSTFIX SETTINGS

    # BEGIN SECURITY SETTINGS
    # This is the section I'm a bit nervous about. Here are the settings added in to (hopefully)
    # stop people from using this thing as a spambox. I don't want to see any more .tw addresses
    # in /var/log/maillog!

    # SMTP Daemon Settings
    # Gimme head(er) till I'm dead(er)
    smtpd_helo_required = yes

    # SASL
    smtpd_sasl_auth_enable = yes
    smtpd_sasl2_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain =
    # ^---- leave this empty…or not?
    broken_sasl_auth_clients = yes
    # ^---- Outlook, I'm lookin' at YOU

    # Client
    smtpd_client_restrictions =
        permit_mynetworks,
        reject

    # HELO
    smtpd_helo_restrictions =
        permit_mynetworks,
        check_helo_access hash:/etc/postfix/helo_access,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

    # Recipient
    smtpd_recipient_restrictions =
        reject_unauth_pipelining,
        reject_non_fqdn_recipient,
        reject_invalid_helo_hostname,
        reject_unknown_recipient_domain,
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org

    # Sender
    smtpd_sender_restrictions =
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unauth_destination

    # TLS settings
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/postfix/newkey.pem
    smtpd_tls_cert_file = /etc/postfix/newcert.pem
    smtpd_tls_CAfile = /etc/postfix/cacert.pem
    smtpd_tls_loglevel = 3
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    # END SECURITY SETTINGS

    # BEGIN VIRTUAL/MYSQL MAPPING DIRECTIVES
    # These settings point Postfix at the MySQL database I set up to handle
    # Maildir-style mailboxen and credentials. Mostly they point to map
    # files and tell postfix to parse them as MySQL.
    virtual_mailbox_base = /home/vmail/
    virtual_uid_maps = static:1002
    virtual_minimum_uid = 1000
    virtual_gid_maps = static:1002
    virtual_transport = virtual
    virtual_create_maildirsize = yes
    virtual_mailbox_extended = yes
    virtual_mailbox_limit_override = yes
    virtual_maildir_limit_message = Sorry, this user's mailbox is over quota; please try again soon.
    virtual_overquota_bounce = yes
    # Oddly, the people in #postfix say that the server itself MUST be here despite the default config saying not to…
    # Ahh, Postfix, you magnificent bastard. Is this an "IQ test" like OpenBSD's god-awful installer or what?
    virtual_mailbox_domains = anshell.com
    # Minimum UID is 1000 to prevent privileged system users from having a mailbox made for them.
    # GID is 1002 here because that's the GID of "vmail," our virtual mail non-user. Ditto for
    # the static UID of 1002 below.
    virtual_minimum_uid = 1000
    virtual_gid_maps = static:1002
    virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
    virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
    virtual_uid_maps = static:1002
    virtual_mailbox_base = /
    virtual_mailbox_limit =

    # This is where we define our aliases
    alias_maps = mysql:/etc/postfix/mysql-aliases.cf
    relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
    # Local mail will check the Unix passwd file in addition to the virtuals.
    local_transport = local
    local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
    # END VIRTUAL/MYSQL MAPPING DIRECTIVES

    # /etc/init.d/postfix restart && sacrifice_goat && pray
    readme_directory = no
    sample_directory = /etc/postfix
    html_directory = no
    manpage_directory = /usr/local/man

3 Replies

Your `smtpd_*_restrictions` settings are kind of a mess, but your immediate problem is due to this:

smtpd_client_restrictions =
    permit_mynetworks,
    reject

This (in conjunction with your mynetworks setting) tells postfix to only allow incoming smtp connections from localhost. You need to drop the "reject" line.

You also need `permit_sasl_authenticated` in every `smtpd_*_restrictions` setting, probably right after `permit_mynetworks`.

Edit:

I think it's working! I can telnet in from another location, ehlo spoof as gmail.com, and send a message in!
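To see why the posted lists behave the way the reply describes, here is an added Python model (written for this page, not Postfix code and not from the thread) of how smtpd walks a restriction list: the first PERMIT or REJECT ends the list, anything else falls through as DUNNO, and with smtpd_delay_reject=yes (the default) the client list is evaluated at RCPT TO, which is why the telnet session got as far as `rcpt to`. It uses the page's mynetworks, virtual_mailbox_domains and client/recipient lists; the HELO and sender lists and the DNS-dependent checks are left out, and 203.0.113.7 is a constructed remote client address.

```python
import ipaddress

# Values taken from the posted main.cf
MYNETWORKS = ["127.0.0.0/24"]
LOCAL_DOMAINS = {"anshell.com", "mail.anshell.com"}   # virtual_mailbox_domains + mydestination

CLIENT_ORIGINAL = ["permit_mynetworks", "reject"]     # smtpd_client_restrictions as posted
CLIENT_FIXED = ["permit_mynetworks"]                  # "reject" dropped, as the reply suggests
RECIPIENT = ["reject_unauth_pipelining", "reject_non_fqdn_recipient",
             "reject_invalid_helo_hostname", "reject_unknown_recipient_domain",
             "permit_sasl_authenticated", "permit_mynetworks",
             "reject_unauth_destination", "reject_rbl_client zen.spamhaus.org"]

CLIENT_REJECT = "REJECT 554 5.7.1 Client host rejected: Access denied"
RELAY_REJECT = "REJECT 554 5.7.1 Relay access denied"


def in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in MYNETWORKS)


def evaluate(restrictions, client_ip, rcpt, sasl):
    """Walk one list left to right; the first PERMIT or REJECT ends the list.
    Checks this toy does not model (DNS, RBL, HELO syntax) fall through as DUNNO."""
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(client_ip):
            return "PERMIT"
        if r == "permit_sasl_authenticated" and sasl:
            return "PERMIT"
        if r == "reject_unauth_destination":
            if rcpt.rpartition("@")[2].lower() not in LOCAL_DOMAINS:
                return RELAY_REJECT          # not our domain, not authenticated: no relay
        if r == "reject":
            return CLIENT_REJECT
    return "DUNNO"


def decide(client_list, client_ip, rcpt, sasl=False):
    """Verdict at RCPT TO: client list first, then recipient list. A REJECT in any list
    is final; a PERMIT only ends its own list, and a list ending in DUNNO permits."""
    for lst in (client_list, RECIPIENT):
        verdict = evaluate(lst, client_ip, rcpt, sasl)
        if verdict.startswith("REJECT"):
            return verdict
    return "PERMIT"


if __name__ == "__main__":
    for clist, ip, rcpt in [(CLIENT_ORIGINAL, "203.0.113.7", "sales@anshell.com"),
                            (CLIENT_FIXED, "203.0.113.7", "sales@anshell.com"),
                            (CLIENT_FIXED, "203.0.113.7", "someone@example.org")]:
        print(ip, rcpt, "->", decide(clist, ip, rcpt))
```

The third case shows that dropping `reject` does not turn the box into an open relay: `reject_unauth_destination` in the recipient list still refuses mail for foreign domains from unauthenticated, non-local clients.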

If you follow this guide: https://netboot.xyz/docs/kb/providers/linode iq quiz

The "mynetworks" parameter should include the IP address range of the network from which you are trying to receive mail. You may also want to review the "smtpd_recipient_restrictions" parameter to ensure that it is not overly restrictive and is allowing incoming mail for valid recipients.
