[ALUG] Strange postfix problem

mick mbm at rlogin.net
Thu Dec 7 14:12:52 GMT 2017

On Thu, 7 Dec 2017 11:28:52 +0000
Laurie Brown <laurie at brownowl.com> allegedly wrote:

> On 06/12/17 16:57, Chris Green wrote:
> > On Wed, Dec 06, 2017 at 02:09:53PM +0000, Laurie Brown wrote:  
> >> Hi all,
> >>
> >> Do we have any postfix experts on here? I have a very strange
> >> problem I'm struggling to resolve, and I'd appreciate some help.
> >>  
> > Well I use postfix and have configured it for basic receiving and
> > sending of mail.  I'm also on the postfix users mailing list so can
> > forward questions there too - they've been very straightforward and
> > helpful to me in the past.  
> Thanks Chris.
> I've been using Postfix for years and know my way around it pretty
> well, but this has me stumped.
> Essentially, a particular client who uses one of my SMTP servers to
> send email (along with many other clients) is having a fatal problem
> which manifests itself as follows. The mechanism we use is SMTP-AUTH,
> with a MySQL backend doing the validation, and it has worked well for
> a very long time. Except for this client, that is, who keeps getting
> "Relay access denied" errors at seemingly random times. Fail2ban then
> locks her out of the system. This started on November 27th, out of
> the blue and continues.
> Said client is using Thunderbird on an iMac.
> Having looked at the logs, said client is the only person this happens
> to, and there's one consistent feature which is seriously puzzling me.
> Here's a log entry (doctored):
> Dec  6 07:56:57 mg3 postfix/smtpd[28482]: NOQUEUE: reject: RCPT from
> host86-141-***-***.range86-141.btcentralplus.com[86.141.***.***]: 554
> 5.7.1 <****@gmail.com>: Relay access denied; from=<***@****.co.uk>
> to=<****@gmail.com> proto=ESMTP helo=<[]>
> Note the IP address in that last "helo"; it's a non-public one. Each
> and every one of the failures has a seemingly-random non-public IP
> address in it. The IP remains consistent during each "session" but it
> changes every time a new connection is made.
> There is no pattern in the recipients either.
> Any ideas? Any suggestions for debugging this?
> Cheers, Laurie.


I'm not sure that the RFC1918 address is relevant (but I could be wrong
of course). 

How are you doing the authentication? Are you using cyrus or dovecot
for client authentication? If your "smtpd_helo_restrictions" include
"permit_sasl_authenticated" I'd expect you to see successful login by
this client before the smtpd exchange. Is the client actually
authenticated or do you see any "SASL LOGIN authentication failed"
messages anywhere? Is the client always connected as the same user? (By
that I mean does she always use the ID for your locally authenticated
user or does she sometimes erroneously attempt to connect through you
using a gmail account?) You say she is not technical, it may be that
she has more than one mail id configured in Thunderbird and has mixed
up the connection mechanisms.

As for debugging, perhaps you could ask the client to log off
completely then log back in and watch the mail log for the initial
authentication. Then ask her to attempt to send mail locally (i.e. to
another user on the same server) and then to send mail outside the
server (to say a gmail account as you have shown). Is there any
difference between the two transactions?


 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312


