We’re having a situation where inbound emails from a specific company to legitimate recipients are bouncing with “Recipient address rejected: Access denied”:
Aug 23 09:15:27 extranet postfix/smtpd: NOQUEUE: reject: RCPT from sender.com[18.104.22.168]: 554 5.7.1 <email@example.com>: Recipient address rejected: Access denied; from=<firstname.lastname@example.org> to=<email@example.com> proto=ESMTP helo=<mg01d1.sender.com>
postconf -d | grep mail_version
mail_version = 2.7.1
alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases allow_percent_hack = no allow_untrusted_routing = yes append_dot_mydomain = no biff = no bounce_queue_lifetime = 24h broken_sasl_auth_clients = yes config_directory = /etc/postfix content_filter = smtp-amavis:[127.0.0.1]:10024 delay_warning_time = 4h disable_vrfy_command = yes html_directory = /usr/share/doc/postfix/html inet_interfaces = all mailbox_size_limit = 0 maximal_queue_lifetime = 24h mydestination = mail.example.com, extranet.example.com, localhost myhostname = mail.example.com mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 myorigin = /etc/mailname readme_directory = /usr/share/doc/postfix recipient_delimiter = + relay_domains = $mydestination relayhost = smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) smtpd_data_restrictions = reject_unauth_pipelining, permit smtpd_helo_required = yes smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/access, reject_non_fqdn_sender, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_hostname, reject_invalid_hostname, check_helo_access hash:/etc/postfix/helo_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit smtpd_sasl_auth_enable = no smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.2013.chain.pem smtpd_tls_key_file = /etc/ssl/private/example.2013.key smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache smtpd_use_tls = no virtual_alias_domains = example.co.uk, example.co virtual_alias_maps = hash:/etc/postfix/virtual, ldap:/etc/postfix/ldap_virtual_alias_maps.cf, ldap:/etc/postfix/ldap_virtual_groups.cf virtual_mailbox_domains = ldap:/etc/postfix/ldap_virtual_domains.cf virtual_mailbox_maps = ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf virtual_transport = dovecot
Now, we only use smtpd_recipient_restrictions because we’re pretty particular about the order of client, helo, recipient restrictions being applied. But, by my (obviously limited) understanding, the only directive in there that should be generating that error is the
check_recipient_access hash:/etc/postfix/access directive, but that file is only used to block some commonly spammed addresses at one of our virtual alias domains:
firstname.lastname@example.org REJECT Recipient address rejected. This domain name is only an alias. Please email postmaster @ the primary domain or the mail server hostname. email@example.com REJECT Recipient address rejected. This domain name is only an alias. Please email abuse @ the primary domain or the mail server hostname. firstname.lastname@example.org REJECT Recipient address rejected. This domain name is only an alias. Please email support @ the primary domain or the mail server hostname.
/etc/postfix/sender_access is empty (lying in wait) and
helo_access only contains:
extranet.example.com REJECT You are not me www.example.com REJECT You are not me mail.example.com REJECT You are not me
All of the other directives seem to be correctly fulfilled, or I would at least be expecting a different error, like
Helo command rejected,
User unknown in virtual mailbox table,
Service unavailable; Client host [22.214.171.124] blocked using zen.spamhaus.org, etc.
Where should I be looking next to see why I’m getting “Recipient address rejected: Access denied”? Would any of those other directives in smtpd_recipient_restrictions issue that error in the case of failure?
You are receiving mail addressed to a user
@example.com but you haven’t configured Postfix for this domain! In your
example.co are present. Thus Postfix thinks it is not supposed to accept mail for this domain and treats it as a relay situation (which of course is denied).
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.