Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Sender address rejected: Access denied - Part II

0 views
Skip to first unread message

Wayne Spivak

unread,
Oct 24, 2003, 1:03:55 PM10/24/03
to
It now seems that every person who sends email from their DLS/Cable
provider to my box and uses their earthlink.net account is being bounced
by the above error.

Is there a work-around?

-----Original Message-----
From: owner-pos...@postfix.org
[mailto:owner-pos...@postfix.org] On Behalf Of Wayne Spivak
Sent: Thursday, October 23, 2003 3:52 PM
To: 'John Peach'; 'Postfix users'
Subject: RE: Sender address rejected: Access denied


In answer to your question:

check_sender_access = hash:/etc/postfix/maps/access_usernames,

I don't show earthlink in this file....

Thanks for the help

-----Original Message-----
From: owner-pos...@postfix.org
[mailto:owner-pos...@postfix.org] On Behalf Of John Peach
Sent: Thursday, October 23, 2003 3:45 PM
To: Postfix users
Subject: Re: Sender address rejected: Access denied

what is in your check_sender_access - that will tell you why you're
rejecting it....

Michael Breton

unread,
Oct 24, 2003, 1:09:05 PM10/24/03
to

Please do not top-post....

What is the output of:

postmap -q "sender_ema...@whatever.com"
hash:/etc/postfix/maps/access_usernames

(This should be on one line)

postmap -q "whatever.com" hash:/etc/postfix/maps/access_usernames

(This should be on one line as well)

The check_sender_access ONLY looks at the envelope sender address and
domain. It has nothing to do with what host the mail is sent from.

If either of those postmap commands outputs "REJECT", then dig deeper to
figure out which entry in that file is causing it.

Michael Breton
Commtel

Wayne Spivak

unread,
Oct 24, 2003, 1:16:02 PM10/24/03
to
Thank you.

Responses to both postmap statements were no response.

Wietse Venema

unread,
Oct 24, 2003, 1:21:07 PM10/24/03
to
Wayne Spivak:

> It now seems that every person who sends email from their DLS/Cable
> provider to my box and uses their earthlink.net account is being bounced
> by the above error.
>
> Is there a work-around?
>
> -----Original Message-----
> From: owner-pos...@postfix.org
> [mailto:owner-pos...@postfix.org] On Behalf Of Wayne Spivak
> Sent: Thursday, October 23, 2003 3:52 PM
> To: 'John Peach'; 'Postfix users'
> Subject: RE: Sender address rejected: Access denied
>
>
> In answer to your question:
>
> check_sender_access = hash:/etc/postfix/maps/access_usernames,
>
> I don't show earthlink in this file....

Please post the complete output of:

postconf smtpd_recipient_restrictions smtpd_sender_restrictions

Michael Breton

unread,
Oct 24, 2003, 1:23:04 PM10/24/03
to
> -----Original Message-----
> From: Wayne Spivak [mailto:wsp...@sbanetweb.com]
> Sent: Friday, October 24, 2003 1:16 PM
> To: 'Postfix-Users (E-mail)'
> Subject: RE: Sender address rejected: Access denied - Part II
>
>
> Thank you.
>
> Responses to both postmap statements were no response.
>
> -----Original Message-----
> From: owner-pos...@postfix.org
> [mailto:owner-pos...@postfix.org] On Behalf Of Michael Breton
> Sent: Friday, October 24, 2003 1:09 PM
> To: 'Postfix users'
> Subject: RE: Sender address rejected: Access denied - Part II
>
> Please do not top-post....
>
> What is the output of:
>
> postmap -q "sender_ema...@whatever.com"
> hash:/etc/postfix/maps/access_usernames
>
> (This should be on one line)
>
> postmap -q "whatever.com" hash:/etc/postfix/maps/access_usernames
>
> (This should be on one line as well)
>
> The check_sender_access ONLY looks at the envelope sender address and
> domain. It has nothing to do with what host the mail is sent from.
>
> If either of those postmap commands outputs "REJECT", then
> dig deeper to
> figure out which entry in that file is causing it.

Again.....Please do not top-post. Put your comments below what they are
referring to.

Here is your reject message from a previous message:

Oct 23 15:08:31 gelt postfix/smtpd[44470]: 35D92D4: reject: RCPT from
nycsmtp3out.rdc-nyc.rr.com[24.29.99.224]: 554 <quickcity
@earthlink.net>: Sender address rejected: Access denied;
from=<quic...@earthlink.net> to=<ja...@sendroff.com> proto=ESMTP he
lo=<nycsmtp3out.rdc-nyc.rr.com>

So you actually did:

postmap -q "quic...@earthlink.net" hash:/etc/postfix/maps/access_usernames

postmap -q "earthlink.net" hash:/etc/postfix/maps/access_usernames

Try this one too:

postmap -q "net" hash:/etc/postfix/maps/access_usernames

Michael Breton
Commtel

Wayne Spivak

unread,
Oct 24, 2003, 1:23:36 PM10/24/03
to
postconf smtpd_recipient_restrictions smtpd_sender_restrictions
smtpd_recipient_restrictions = permit_mynetworks,
check_client_access hash:/etc/postfix/pop-before-smtp,
reject_unauth_destination, reject_invalid_hostname,
reject_unauth_pipelining, reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, check_client_access
hash:/etc/postfix/maps/exceptions_client, check_helo_access
hash:/etc/postfix/maps/verify_helo, check_sender_access
hash:/etc/postfix/maps/access_usernames, check_helo_access
hash:/etc/postfix/maps/access, check_sender_access
hash:/etc/postfix/maps/verify_domain, reject_rhsbl_client
blackhole.securitysage.com, reject_rhsbl_sender
blackhole.securitysage.com, reject_rbl_client bl.spamcop.net,
reject_rbl_client relays.ordb.org, reject_rbl_client
sbl.spamhaus.org
smtpd_sender_restrictions =


-----Original Message-----
From: Wietse Venema [mailto:wie...@porcupine.org]
Sent: Friday, October 24, 2003 1:21 PM
To: WSp...@sbanetweb.com
Cc: 'John Peach'; 'Postfix users'
Subject: Re: Sender address rejected: Access denied - Part II


Wayne Spivak:
> It now seems that every person who sends email from their DLS/Cable
> provider to my box and uses their earthlink.net account is being
> bounced by the above error.
>
> Is there a work-around?
>

> -----Original Message-----
> From: owner-pos...@postfix.org
> [mailto:owner-pos...@postfix.org] On Behalf Of Wayne Spivak
> Sent: Thursday, October 23, 2003 3:52 PM

> To: 'John Peach'; 'Postfix users'
> Subject: RE: Sender address rejected: Access denied
>
>

Wayne Spivak

unread,
Oct 24, 2003, 1:26:16 PM10/24/03
to
Yes, I did exactly as you wrote, and the new command also returned no
answer.

Thanks for the help!

-----Original Message-----
From: owner-pos...@postfix.org
[mailto:owner-pos...@postfix.org] On Behalf Of Michael Breton
Sent: Friday, October 24, 2003 1:23 PM
To: 'Postfix-Users (E-mail)'
Subject: RE: Sender address rejected: Access denied - Part II


> -----Original Message-----
> From: Wayne Spivak [mailto:wsp...@sbanetweb.com]
> Sent: Friday, October 24, 2003 1:16 PM
> To: 'Postfix-Users (E-mail)'
> Subject: RE: Sender address rejected: Access denied - Part II
>
>
> Thank you.
>
> Responses to both postmap statements were no response.
>

Michael Breton

unread,
Oct 24, 2003, 1:26:52 PM10/24/03
to
> -----Original Message-----
> From: Wayne Spivak [mailto:wsp...@sbanetweb.com]
> Sent: Friday, October 24, 2003 1:24 PM
> To: 'Wietse Venema'
> Cc: 'John Peach'; 'Postfix users'
> Subject: RE: Sender address rejected: Access denied - Part II
>
> postconf smtpd_recipient_restrictions smtpd_sender_restrictions
> smtpd_recipient_restrictions = permit_mynetworks,
> check_client_access hash:/etc/postfix/pop-before-smtp,
> reject_unauth_destination, reject_invalid_hostname,
> reject_unauth_pipelining, reject_non_fqdn_sender,
> reject_unknown_sender_domain, reject_non_fqdn_recipient,
> reject_unknown_recipient_domain, check_client_access
> hash:/etc/postfix/maps/exceptions_client, check_helo_access
> hash:/etc/postfix/maps/verify_helo, check_sender_access
> hash:/etc/postfix/maps/access_usernames, check_helo_access
> hash:/etc/postfix/maps/access, check_sender_access
> hash:/etc/postfix/maps/verify_domain, reject_rhsbl_client
> blackhole.securitysage.com, reject_rhsbl_sender
> blackhole.securitysage.com, reject_rbl_client bl.spamcop.net,
> reject_rbl_client relays.ordb.org, reject_rbl_client
> sbl.spamhaus.org
> smtpd_sender_restrictions =


So you actually have two check_sender_access files

check_sender_access hash:/etc/postfix/maps/access_usernames

and

check_sender_access hash:/etc/postfix/maps/verify_domain

You should check both of the using "postmap -q" as I showed in a previous
email.

Michael Breton
Commtel

Wayne Spivak

unread,
Oct 24, 2003, 1:30:19 PM10/24/03
to
Success!

On this command:
postmap -q earthlink.net hash:/etc/postfix/maps/verify_domain

I received this response:
verify_domain_client,verify_domain_helo

-----Original Message-----
From: owner-pos...@postfix.org
[mailto:owner-pos...@postfix.org] On Behalf Of Michael Breton

Michael Breton

unread,
Oct 24, 2003, 1:32:34 PM10/24/03
to
> -----Original Message-----
> From: Wayne Spivak [mailto:wsp...@sbanetweb.com]
> Sent: Friday, October 24, 2003 1:30 PM
> To: 'Postfix-Users (E-mail)'
> Subject: RE: Sender address rejected: Access denied - Part II
>
>
> Success!
>
> On this command:
> postmap -q earthlink.net hash:/etc/postfix/maps/verify_domain
>
> I received this response:
> verify_domain_client,verify_domain_helo

Hopefully you know what to do now....

If not, please post output from:

postconf verify_domain_client verify_domain_helo

Michael Breton
Commtel

Wayne Spivak

unread,
Oct 24, 2003, 1:35:48 PM10/24/03
to
Unfortuantely, I don't, so here's the output...

postconf verify_domain_client verify_domain_helo
postconf: warning: verify_domain_client: unknown parameter
postconf: warning: verify_domain_helo: unknown parameter

-----Original Message-----
From: owner-pos...@postfix.org
[mailto:owner-pos...@postfix.org] On Behalf Of Michael Breton

Michael Breton

unread,
Oct 24, 2003, 1:41:14 PM10/24/03
to
> -----Original Message-----
> From: Wayne Spivak [mailto:wsp...@sbanetweb.com]
> Sent: Friday, October 24, 2003 1:36 PM
> To: 'Postfix-Users (E-mail)'
> Subject: RE: Sender address rejected: Access denied - Part II
>
> Unfortuantely, I don't, so here's the output...
>
> postconf verify_domain_client verify_domain_helo
> postconf: warning: verify_domain_client: unknown parameter
> postconf: warning: verify_domain_helo: unknown parameter

Then you should go grab the settings for those parameters from the main.cf
file, and post them here.

Michael Breton
Commtel

Wayne Spivak

unread,
Oct 24, 2003, 1:51:34 PM10/24/03
to
# These restriction classes are based on information available in the
rest of the guides.
smtpd_restriction_classes =
verify_sender,
verify_domain_client,
verify_domain_helo,
verify_domain_sender,
verify_exceptions_recipients

verify_domain_client =
check_client_access hash:/etc/postfix/maps/bad_domains,
check_client_access
regexp:/etc/postfix/maps/text_domain_client_mismatch,
reject

verify_domain_helo =
check_helo_access hash:/etc/postfix/maps/bad_domains,
check_client_access
regexp:/etc/postfix/maps/text_domain_helo_mismatch,
reject


-----Original Message-----
From: owner-pos...@postfix.org
[mailto:owner-pos...@postfix.org] On Behalf Of Michael Breton

Michael Breton

unread,
Oct 24, 2003, 2:25:29 PM10/24/03
to
> -----Original Message-----
> From: Wayne Spivak [mailto:wsp...@sbanetweb.com]
> Sent: Friday, October 24, 2003 1:52 PM
> To: 'Postfix-Users (E-mail)'
> Subject: RE: Sender address rejected: Access denied - Part II
>
>
> # These restriction classes are based on information available in the
> rest of the guides.
> smtpd_restriction_classes =
> verify_sender,
> verify_domain_client,
> verify_domain_helo,
> verify_domain_sender,
> verify_exceptions_recipients
>
>
>
> verify_domain_client =
> check_client_access hash:/etc/postfix/maps/bad_domains,
> check_client_access
> regexp:/etc/postfix/maps/text_domain_client_mismatch,
> reject

What is the contents of /etc/postfix/maps/bad_domains ? If large, does the
client appear in this file?

Here is the reject again:

Oct 23 15:08:31 gelt postfix/smtpd[44470]: 35D92D4: reject: RCPT from
nycsmtp3out.rdc-nyc.rr.com[24.29.99.224]: 554 <quickcity
@earthlink.net>: Sender address rejected: Access denied;
from=<quic...@earthlink.net> to=<ja...@sendroff.com> proto=ESMTP he
lo=<nycsmtp3out.rdc-nyc.rr.com>

Find out by doing:

postmap -q "nycsmtp3out.rdc-nyc.rr.com" hash:/etc/postfix/maps/bad_domains
postmap -q "rdc-nyc.rr.com" hash:/etc/postfix/maps/bad_domains
postmap -q "rr.com" hash:/etc/postfix/maps/bad_domains
postmap -q "com" hash:/etc/postfix/maps/bad_domains
postmap -q "24.29.99.224" hash:/etc/postfix/maps/bad_domains
postmap -q "24.29.99" hash:/etc/postfix/maps/bad_domains
postmap -q "24.29" hash:/etc/postfix/maps/bad_domains
postmap -q "24" hash:/etc/postfix/maps/bad_domains

and

postmap -q "nycsmtp3out.rdc-nyc.rr.com"
regexp:/etc/postfix/maps/text_domain_client_mismatch
postmap -q "rdc-nyc.rr.com"
regexp:/etc/postfix/maps/text_domain_client_mismatch
postmap -q "rr.com" regexp:/etc/postfix/maps/text_domain_client_mismatch
postmap -q "com" regexp:/etc/postfix/maps/text_domain_client_mismatch
postmap -q "24.29.99.224"
regexp:/etc/postfix/maps/text_domain_client_mismatch
postmap -q "24.29.99" regexp:/etc/postfix/maps/text_domain_client_mismatch
postmap -q "24.29" regexp:/etc/postfix/maps/text_domain_client_mismatch
postmap -q "24" regexp:/etc/postfix/maps/text_domain_client_mismatch

If none of these return an OK, then the final REJECT in the
verify_comain_client must be the cause.

What is your purpose in this restriction class? Just copying settings
without knowing what they do is not recommended.

Michael Breton
Commtel

Wayne Spivak

unread,
Oct 24, 2003, 2:36:21 PM10/24/03
to
My reasoning for having these settings is to eliminate as much spam as
possible. I'm hit by a spammer approximately ever 15 seconds...

Thanks for the help again...

Here are the answers...

This entire grouping (starting with: postmap -q
"nycsmtp3out.rdc-nyc.rr.com"
regexp:/etc/postfix/maps/text_domain_client_mismatch) all gave this
error:

554 Client Domain Mismatch

My bad_domains list is:
aol.com OK
att.net OK
earthlink.net OK
excite.com OK
hotmail.com OK
juno.com OK
karamail.com OK
lycos.com OK
mac.com OK
mail.com OK
msn.com OK
netscape.com OK
netscape.net OK
optonline.com OK
optonline.net OK
rocketmail.com OK
untd.com OK
yahoo.ca OK
yahoo.com OK

-----Original Message-----
From: owner-pos...@postfix.org
[mailto:owner-pos...@postfix.org] On Behalf Of Michael Breton

Ralf Hildebrandt

unread,
Oct 25, 2003, 5:21:35 AM10/25/03
to
* Michael Breton <mbr...@commtel.net>:

> So you actually did:
>
> postmap -q "quic...@earthlink.net" hash:/etc/postfix/maps/access_usernames
>
> postmap -q "earthlink.net" hash:/etc/postfix/maps/access_usernames
>
> Try this one too:
>
> postmap -q "net" hash:/etc/postfix/maps/access_usernames

and of course:

postmap -q "quickcity@" hash:/etc/postfix/maps/access_usernames

--
Ralf Hildebrandt Ralf.Hil...@charite.de
my current spamtrap spam...@charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
Gates' Law: Every 18 months, the speed of software halves.

Ralf Hildebrandt

unread,
Oct 25, 2003, 5:22:15 AM10/25/03
to
* Wayne Spivak <wsp...@sbanetweb.com>:

> Unfortuantely, I don't, so here's the output...
>
> postconf verify_domain_client verify_domain_helo
> postconf: warning: verify_domain_client: unknown parameter
> postconf: warning: verify_domain_helo: unknown parameter

That doesn't work, you'll have to show the main.cf lines for that.

--
Ralf Hildebrandt Ralf.Hil...@charite.de
my current spamtrap spam...@charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155

Why you can't find your system administrators:
has worked so much overtime he is now owed 6 months contiguous, paid leave. --Russell Street russ...@ccu1.auckland.ac.nz

0 new messages