Home / server / Questions / 842986
In Process
Giovanni Tirloni
Asked: 2017-04-07 03:09:26 +0800 CST

Postfix using temporary error code for permanent error

  • 772

Postfix is returning a temporary error code (4xx) instead of a permanent error code (5xx) for "Relay Access Denied", which causes MX's to keep retrying:

Logs:

postfix/smtpd[14279]: connect from unknown[10.244.x.x]
postfix/smtpd[14279]: NOQUEUE: reject: RCPT from unknown[10.244.x.x]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mx.somewhere.com>
postfix/smtpd[14279]: disconnect from unknown[10.244.x.x]

Relevant configuration:

smtpd_recipient_restrictions =
        reject_unauth_destination
        reject_unknown_reverse_client_hostname,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        reject_rbl_client zen.spamhaus.org,
        permit

virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual

I would prefer if Postfix would reply with a 554 error so the remote server stops retrying something that will never work.

postfix

2 Answers

  1. The numeric response code for reject_unauth_destination is defined by the relay_domains_reject_code parameter, but that is by default 554 already. Therefore I suspect that reject_unauth_destination is never triggered on your server. Please check the current configuration value for the (slightly newer) smtpd_relay_restrictions parameter by typing:

    postconf smtpd_relay_restrictions

    These relay restrictions are checked before your recipient restrictions and they default to:

    permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

    This default defer_unauth_destination will send a non-permanent error code. If this is the case, simply change your configuration and put the reject_unauth_destination under the relay restrictions. You can now remove it from the recipient restrictions:

    smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
smtpd_recipient_restrictions =
    reject_unknown_reverse_client_hostname
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_rbl_client zen.spamhaus.org
    permit

    I have also removed reject_invalid_hostname because that is the old name (Postfix < 2.3) of the reject_invalid_helo_hostname value that you already have specified.

    An explanation of all the restriction lists, in which order the restrictions are checked and when they are skipped, can be found here: Postfix SMTP relay and access control

    • 1

  2. Hostname seems doesn't have a based DNS records in the named server which your SMTP can resolve. Due to which SMTP is blocking it per SMTP configuration of Postfix "reject_unknown_reverse_client_hostname".

    So try adding the DNS entry for the host from which you are trying to relay emails from SMTP server.

    Else try removing parameter related to checking FQDN or may need to check domain related things also.

    • 0