On Thu, 7 Dec 2017 11:28:52 +0000 Laurie Brown laurie@brownowl.com allegedly wrote:
On 06/12/17 16:57, Chris Green wrote:
On Wed, Dec 06, 2017 at 02:09:53PM +0000, Laurie Brown wrote:
Hi all,
Do we have any postfix experts on here? I have a very strange problem I'm struggling to resolve, and I'd appreciate some help.
Well I use postfix and have configured it for basic receiving and sending of mail. I'm also on the postfix users mailing list so can forward questions there too - they've been very straightforward and helpful to me in the past.
Thanks Chris.
I've been using Postfix for years and know my way around it pretty well, but this has me stumped.
Essentially, a particular client who uses one of my SMTP servers to send email (along with many other clients) is having a fatal problem which manifests itself as follows. The mechanism we use is SMTP-AUTH, with a MySQL backend doing the validation, and it has worked well for a very long time. Except for this client, that is, who keeps getting "Relay access denied" errors at seemingly random times. Fail2ban then locks her out of the system. This started on November 27th, out of the blue and continues.
Said client is using Thunderbird on an iMac.
Having looked at the logs, said client is the only person this happens to, and there's one consistent feature which is seriously puzzling me. Here's a log entry (doctored):
Dec 6 07:56:57 mg3 postfix/smtpd[28482]: NOQUEUE: reject: RCPT from host86-141-***-***.range86-141.btcentralplus.com[86.141.***.***]: 554 5.7.1 ****@gmail.com: Relay access denied; from=<***@****.co.uk> to=****@gmail.com proto=ESMTP helo=<[192.168.1.80]>
Note the IP address in that last "helo"; it's a non-public one. Each and every one of the failures has a seemingly-random non-public IP address in it. The IP remains consistent during each "session" but it changes every time a new connection is made.
There is no pattern in the recipients either.
Any ideas? Any suggestions for debugging this?
Cheers, Laurie.
Laurie
I'm not sure that the RFC1918 address is relevant (but I could be wrong of course).
How are you doing the authentication? Are you using cyrus or dovecot for client authentication? If your "smtpd_helo_restrictions" include "permit_sasl_authenticated" I'd expect you to see successful login by this client before the smtpd exchange. Is the client actually authenticated or do you see any "SASL LOGIN authentication failed" messages anywhere? Is the client always connected as the same user? (By that I mean does she always use the ID for your locally authenticated user or does she sometimes erroneously attempt to connect through you using a gmail account?) You say she is not technical, it may be that she has more than one mail id configured in Thunderbird and has mixed up the connection mechanisms.
As for debugging, perhaps you could ask the client to log off completely then log back in and watch the mail log for the initial authentication. Then ask her to attempt to send mail locally (i.e. to another user on the same server) and then to send mail outside the server (to say a gmail account as you have shown). Is there any difference between the two transactions?
Mick
--------------------------------------------------------------------- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
---------------------------------------------------------------------
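The debugging step Mick suggests (watch the mail log for the authentication, then for the reject) is easier to do reliably if the log is grouped by smtpd session rather than read line by line, because a single smtpd process handles one client connection at a time and its PID is the only thing that ties the "connect from", the SASL lines and the "NOQUEUE: reject" together. The script below is an added example, not part of the original thread or of Postfix itself. It parses standard Postfix syslog lines, starts a new session record on each "connect from", counts "SASL ... authentication failed" warnings, picks up sasl_username from the "client=" line that Postfix logs once a message is accepted, records every "Relay access denied" reject with its HELO argument, and flags whether that HELO was an RFC 1918 or other non-public literal. The sample log is constructed for illustration (hostnames, IPs and addresses are made up); it is not the log from the thread, and the real reject line logs to=<addr> in angle brackets, which Laurie's doctored copy dropped.

```python
"""Group Postfix smtpd log lines into sessions and correlate relay rejects
with SASL authentication for that same connection.

Added example for this thread, not Postfix code.  Assumes the stock syslog
format ("Mon DD HH:MM:SS host postfix/smtpd[PID]: ...") and that sessions are
delimited by "connect from" / "disconnect from" for a given PID.
"""
import ipaddress
import re

# Constructed sample, NOT real logs: two connections from the same client IP.
# Session 1 fails SASL and is then refused relay with a private HELO literal;
# session 2 authenticates as the expected user and is never rejected.
SAMPLE_LOG = """\
Dec  6 07:56:55 mg3 postfix/smtpd[28482]: connect from host86-141-1-2.range86-141.btcentralplus.com[86.141.1.2]
Dec  6 07:56:56 mg3 postfix/smtpd[28482]: warning: host86-141-1-2.range86-141.btcentralplus.com[86.141.1.2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  6 07:56:57 mg3 postfix/smtpd[28482]: NOQUEUE: reject: RCPT from host86-141-1-2.range86-141.btcentralplus.com[86.141.1.2]: 554 5.7.1 <someone@gmail.com>: Relay access denied; from=<user@example.co.uk> to=<someone@gmail.com> proto=ESMTP helo=<[192.168.1.80]>
Dec  6 07:56:58 mg3 postfix/smtpd[28482]: disconnect from host86-141-1-2.range86-141.btcentralplus.com[86.141.1.2]
Dec  6 08:10:01 mg3 postfix/smtpd[28490]: connect from host86-141-1-2.range86-141.btcentralplus.com[86.141.1.2]
Dec  6 08:10:02 mg3 postfix/smtpd[28490]: 3A1B2C3D4E: client=host86-141-1-2.range86-141.btcentralplus.com[86.141.1.2], sasl_method=PLAIN, sasl_username=user@example.co.uk
Dec  6 08:10:03 mg3 postfix/smtpd[28490]: disconnect from host86-141-1-2.range86-141.btcentralplus.com[86.141.1.2]
"""

SMTPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CLIENT_IP_RE = re.compile(r"\[(?P<ip>[^\]]+)\]")
SASL_USER_RE = re.compile(r"sasl_username=(?P<user>\S+)")
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3} \S+) <?(?P<rcpt>[^>:]+)>?: (?P<reason>[^;]+); "
    r"from=<(?P<frm>[^>]*)> to=<(?P<to>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)


def helo_is_private(helo):
    """True when the HELO argument is an IP literal in a non-public range
    (RFC 1918, loopback, link-local, ...).  Hostnames return False."""
    try:
        return ipaddress.ip_address(helo.strip("[]")).is_private
    except ValueError:
        return False


def sessions_from_log(log_text):
    """Return one dict per smtpd connection, in order of 'connect from'."""
    sessions = []
    open_by_pid = {}  # PID -> session currently owned by that smtpd process
    for line in log_text.splitlines():
        m = SMTPD_RE.match(line)
        if not m:
            continue  # not an smtpd line (cleanup, qmgr, other daemons)
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            ip = CLIENT_IP_RE.search(msg)
            sess = {"pid": pid, "client_ip": ip.group("ip") if ip else None,
                    "sasl_username": None, "sasl_failures": 0, "rejects": []}
            open_by_pid[pid] = sess
            sessions.append(sess)
            continue
        sess = open_by_pid.get(pid)
        if sess is None:
            continue  # session started before the log excerpt; ignore
        if "SASL" in msg and "authentication failed" in msg:
            sess["sasl_failures"] += 1
        um = SASL_USER_RE.search(msg)
        if um:
            sess["sasl_username"] = um.group("user")
        rm = REJECT_RE.search(msg)
        if rm:
            sess["rejects"].append({
                "to": rm.group("to"), "reason": rm.group("reason").strip(),
                "helo": rm.group("helo"),
                "helo_private": helo_is_private(rm.group("helo")),
            })
        if msg.startswith("disconnect from "):
            open_by_pid.pop(pid, None)
    return sessions


def unauthenticated_rejects(sessions):
    """Sessions that were refused relay without ever logging a sasl_username:
    with permit_sasl_authenticated in place, these are the ones to look at."""
    return [s for s in sessions if s["rejects"] and s["sasl_username"] is None]


if __name__ == "__main__":
    for s in unauthenticated_rejects(sessions_from_log(SAMPLE_LOG)):
        for r in s["rejects"]:
            print(f"pid={s['pid']} client={s['client_ip']} sasl_failures={s['sasl_failures']} "
                  f"to={r['to']} helo={r['helo']} private_helo={r['helo_private']}")
```

Run it against the real mail.log (python3 script.py < /var/log/mail.log after swapping SAMPLE_LOG for sys.stdin.read()) and compare the affected client's sessions with a known-good one: a reject that sits in a session with sasl_failures greater than zero and no sasl_username points at the credentials or the account selected in Thunderbird, whereas a reject in a session with no SASL activity at all means the client never tried to authenticate on that connection.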