Author Topic: Client host rejected: Access denied  (Read 1477 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Client host rejected: Access denied
« on: April 10, 2023, 09:11:52 PM »
Hi,
Please help me. I get the following error.

Apr 10 23:56:17 server postfix/smtpd[13250]: NOQUEUE: reject: RCPT from unknown[xx.xxx.xxx.xxx]: 554 5.7.1 : Client host rejected: Access denied; from= to= proto=ESMTP helo=
Apr 10 23:56:17 server postfix/smtpd[13250]: disconnect from unknown[xx.xxx.xxx.xxx] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

- I rebuild all mail server, Reject Unknown Hostname was unchecked.
- I added my IP address to the whitelist. /etc/postfix/sender_whitelist xx.xxx.xxx.xxx OK
- After run postmap /etc/postfix/sender_whitelist command and I am still getting this errors.

I changed the /etc/postfix/main.cf setting many times but none of them worked.

Offline
***
Re: Client host rejected: Access denied
« Reply #1 on: April 10, 2023, 09:45:51 PM »
Please post the content of /etc/postfix/main.cf

Offline
*
Re: Client host rejected: Access denied
« Reply #2 on: April 10, 2023, 10:17:13 PM »
I did not change the conf file after rebuild mailserver

Code: [Select]
# postfix config file

# uncomment for debugging if needed
#soft_bounce=yes

# postfix main
mail_owner = postfix
setgid_group = postdrop
delay_warning_time = 4
smtp_address_preference = ipv4

# postfix paths
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man

# network settings
inet_interfaces = all
mydomain = mydomain.com
myhostname = mydomain.com
mynetworks = $config_directory/mynetworks
mydestination = $myhostname, localhost.$mydomain, localhost
relay_domains = proxy:mysql:/etc/postfix/mysql-relay_domains_maps.cf

# mail delivery
recipient_delimiter = +

# mappings
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
transport_maps = hash:/etc/postfix/transport
#local_recipient_maps =

# virtual setup
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_alias_default_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, regexp:/etc/postfix/virtual_regexp
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_pipe_maps.cf
virtual_minimum_uid = 101

#virtual_uid_maps = static:101
#virtual_gid_maps = static:12
#virtual_transport = dovecot

virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_uid_maps.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_gid_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

dovecot_destination_recipient_limit = 1

# debugging
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5

# authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# tls config
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
# Change mail.example.com.* to your host name
smtpd_tls_key_file = /etc/pki/tls/private/hostname.key
smtpd_tls_cert_file = /etc/pki/tls/certs/hostname.bundle

# rules restrictions
smtpd_client_restrictions = reject_unknown_client
# smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_whitelist, check_sender_access hash:/etc/postfix/sender_blacklist
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

smtpd_helo_required = yes
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining

# Other options
# email size limit ~20Meg
message_size_limit = 204800000
mailbox_size_limit = 2048000000

# Limit 500 emails per hour per email address
anvil_rate_time_unit = 3600s
smtpd_client_message_rate_limit = 500

# Vacation Scripts
vacation_destination_recipient_limit = 1
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_vacation.cf
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
« Last Edit: April 10, 2023, 10:19:57 PM by apsuva »

Offline
****
Re: Client host rejected: Access denied
« Reply #3 on: April 11, 2023, 02:16:10 AM »
The vanilla main.cf file leaves a lot to be desired -- much tweaking should be done to it for optimal delivery and UCE controls. But maybe too much to get into now for you if you just want to solve your more basic problem.

Offline
*
Re: Client host rejected: Access denied
« Reply #4 on: April 11, 2023, 08:12:01 AM »
It is default CWP config after rebuild all mail servers. I've read all the forums stackoverflow etc, tried all the suggestions but it didn't work.

Offline
***
Re: Client host rejected: Access denied
« Reply #5 on: April 13, 2023, 02:50:19 PM »
You seem to have a problem with this line:
Code: [Select]
smtpd_client_restrictions = reject_unknown_clientUncomment this.

Here's my resctrictions on my main.cf file:
Code: [Select]
# rules restrictions
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031,
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        check_policy_service unix:private/policyd-spf
        #reject_rhsbl_helo dbl.spamhaus.org,
        #reject_rhsbl_reverse_client dbl.spamhaus.org,
        #reject_rhsbl_sender dbl.spamhaus.org,
        #reject_rbl_client zen.spamhaus.org
# uncomment for realtime black list checks
# ,reject_rbl_client zen.spamhaus.org
# ,reject_rbl_client bl.spamcop.net
# ,reject_rbl_client dnsbl.sorbs.net

Offline
*
Re: Client host rejected: Access denied
« Reply #6 on: April 14, 2023, 08:44:19 AM »
does CWP have in plans some GUI management of postfix options?
regarding spam and similar things?

Offline
****
Re: Client host rejected: Access denied
« Reply #7 on: April 14, 2023, 11:57:08 AM »
That's a question for the devs. On my end, I don't need them as I took their default postfix settings and put in my "usual" restrictions block from other servers I manage and fused the two together. Once it was tuned for CentOS and CWP specifically (10 mins) it was pretty much just set-it-and-forget-it. Spamassassin and the CSF firewall have been a lot more frequently tuned than Postfix, from my observeration over the past few years.