Hi all,
Do we have any postfix experts on here? I have a very strange problem I'm struggling to resolve, and I'd appreciate some help.
Cheers, Laurie.
On Wed, Dec 06, 2017 at 02:09:53PM +0000, Laurie Brown wrote:
Hi all,
Do we have any postfix experts on here? I have a very strange problem I'm struggling to resolve, and I'd appreciate some help.
Well I use postfix and have configured it for basic receiving and sending of mail. I'm also on the postfix users mailing list so can forward questions there too - they've been very straightforward and helpful to me in the past.
On 06/12/17 16:57, Chris Green wrote:
On Wed, Dec 06, 2017 at 02:09:53PM +0000, Laurie Brown wrote:
Hi all,
Do we have any postfix experts on here? I have a very strange problem I'm struggling to resolve, and I'd appreciate some help.
Well I use postfix and have configured it for basic receiving and sending of mail. I'm also on the postfix users mailing list so can forward questions there too - they've been very straightforward and helpful to me in the past.
Thanks Chris.
I've been using Postfix for years and know my way around it pretty well, but this has me stumped.
Essentially, a particular client who uses one of my SMTP servers to send email (along with many other clients) is having a fatal problem which manifests itself as follows. The mechanism we use is SMTP-AUTH, with a MySQL backend doing the validation, and it has worked well for a very long time. Except for this client, that is, who keeps getting "Relay access denied" errors at seemingly random times. Fail2ban then locks her out of the system. This started on November 27th, out of the blue and continues.
Said client is using Thunderbird on an iMac.
Having looked at the logs, said client is the only person this happens to, and there's one consistent feature which is seriously puzzling me. Here's a log entry (doctored):
Dec 6 07:56:57 mg3 postfix/smtpd[28482]: NOQUEUE: reject: RCPT from host86-141-***-***.range86-141.btcentralplus.com[86.141.***.***]: 554 5.7.1 ****@gmail.com: Relay access denied; from=<***@****.co.uk> to=****@gmail.com proto=ESMTP helo=<[192.168.1.80]>
Note the IP address in that last "helo"; it's a non-public one. Each and every one of the failures has a seemingly-random non-public IP address in it. The IP remains consistent during each "session" but it changes every time a new connection is made.
There is no pattern in the recipients either.
Any ideas? Any suggestions for debugging this?
Cheers, Laurie.
On Thu, Dec 07, 2017 at 11:28:52AM +0000, Laurie Brown wrote:
Having looked at the logs, said client is the only person this happens to, and there's one consistent feature which is seriously puzzling me. Here's a log entry (doctored):
Dec 6 07:56:57 mg3 postfix/smtpd[28482]: NOQUEUE: reject: RCPT from host86-141-***-***.range86-141.btcentralplus.com[86.141.***.***]: 554 5.7.1 ****@gmail.com: Relay access denied; from=<***@****.co.uk> to=****@gmail.com proto=ESMTP helo=<[192.168.1.80]>
Note the IP address in that last "helo"; it's a non-public one. Each and every one of the failures has a seemingly-random non-public IP address in it. The IP remains consistent during each "session" but it changes every time a new connection is made.
How odd! How is that client connecting to your system? I.e. is it via their ADSL then in to yours, or is your postfix server 'out there' somewhere and thus not behind a NAT router? Does the non-local IP make any sense at either their end or your end?
Should we take this off list?
On 07/12/17 11:59, Chris Green wrote:
[SNIP]
How odd! How is that client connecting to your system? I.e. is it via their ADSL then in to yours, or is your postfix server 'out there' somewhere and thus not behind a NAT router? Does the non-local IP make any sense at either their end or your end?
It's a straight connection via their ADSL to a server "out there" and not behind any kind of NAT that I know of, and the IP address is random and does not match that of her desktop. It only affects this one client.
Should we take this off list?
Maybe, but not yet, I think.
Cheers, Laurie.
On Thu, Dec 07, 2017 at 12:14:13PM +0000, Laurie Brown wrote:
On 07/12/17 11:59, Chris Green wrote:
[SNIP]
How odd! How is that client connecting to your system? I.e. is it via their ADSL then in to yours, or is your postfix server 'out there' somewhere and thus not behind a NAT router? Does the non-local IP make any sense at either their end or your end?
It's a straight connection via their ADSL to a server "out there" and not behind any kind of NAT that I know of, and the IP address is random and does not match that of her desktop. It only affects this one client.
My first suspicion would fall on her ADSL connection/router then, i.e. the router's NAT is throwing a wobbly of some sort and putting a private IP address out.
Is there any chance you can get her to use a different router?
Should we take this off list?
Maybe, but not yet, I think.
OK
On 07/12/17 12:26, Chris Green wrote:
On Thu, Dec 07, 2017 at 12:14:13PM +0000, Laurie Brown wrote:
On 07/12/17 11:59, Chris Green wrote:
[SNIP]
How odd! How is that client connecting to your system? I.e. is it via their ADSL then in to yours, or is your postfix server 'out there' somewhere and thus not behind a NAT router? Does the non-local IP make any sense at either their end or your end?
It's a straight connection via their ADSL to a server "out there" and not behind any kind of NAT that I know of, and the IP address is random and does not match that of her desktop. It only affects this one client.
My first suspicion would fall on her ADSL connection/router then, i.e. the router's NAT is throwing a wobbly of some sort and putting a private IP address out.
Is there any chance you can get her to use a different router?
I thought of that as well, but I doubt it. All through the logs, the NAT from her end is working fine, it seems.
She is the least technically literate person I've ever dealt with, so there is no chance of any sense whatsoever coming from that direction!
Cheers, Laurie.
On Thu, 7 Dec 2017 11:28:52 +0000 Laurie Brown laurie@brownowl.com allegedly wrote:
On 06/12/17 16:57, Chris Green wrote:
On Wed, Dec 06, 2017 at 02:09:53PM +0000, Laurie Brown wrote:
Hi all,
Do we have any postfix experts on here? I have a very strange problem I'm struggling to resolve, and I'd appreciate some help.
Well I use postfix and have configured it for basic receiving and sending of mail. I'm also on the postfix users mailing list so can forward questions there too - they've been very straightforward and helpful to me in the past.
Thanks Chris.
I've been using Postfix for years and know my way around it pretty well, but this has me stumped.
Essentially, a particular client who uses one of my SMTP servers to send email (along with many other clients) is having a fatal problem which manifests itself as follows. The mechanism we use is SMTP-AUTH, with a MySQL backend doing the validation, and it has worked well for a very long time. Except for this client, that is, who keeps getting "Relay access denied" errors at seemingly random times. Fail2ban then locks her out of the system. This started on November 27th, out of the blue and continues.
Said client is using Thunderbird on an iMac.
Having looked at the logs, said client is the only person this happens to, and there's one consistent feature which is seriously puzzling me. Here's a log entry (doctored):
Dec 6 07:56:57 mg3 postfix/smtpd[28482]: NOQUEUE: reject: RCPT from host86-141-***-***.range86-141.btcentralplus.com[86.141.***.***]: 554 5.7.1 ****@gmail.com: Relay access denied; from=<***@****.co.uk> to=****@gmail.com proto=ESMTP helo=<[192.168.1.80]>
Note the IP address in that last "helo"; it's a non-public one. Each and every one of the failures has a seemingly-random non-public IP address in it. The IP remains consistent during each "session" but it changes every time a new connection is made.
There is no pattern in the recipients either.
Any ideas? Any suggestions for debugging this?
Cheers, Laurie.
Laurie
I'm not sure that the RFC1918 address is relevant (but I could be wrong of course).
How are you doing the authentication? Are you using cyrus or dovecot for client authentication? If your "smtpd_helo_restrictions" include "permit_sasl_authenticated" I'd expect you to see successful login by this client before the smtpd exchange. Is the client actually authenticated or do you see any "SASL LOGIN authentication failed" messages anywhere? Is the client always connected as the same user? (By that I mean does she always use the ID for your locally authenticated user or does she sometimes erroneously attempt to connect through you using a gmail account?) You say she is not technical, it may be that she has more than one mail id configured in Thunderbird and has mixed up the connection mechanisms.
As for debugging, perhaps you could ask the client to log off completely then log back in and watch the mail log for the initial authentication. Then ask her to attempt to send mail locally (i.e. to another user on the same server) and then to send mail outside the server (to say a gmail account as you have shown). Is there any difference between the two transactions?
Mick
---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
http://baldric.net
---------------------------------------------------------------------
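The log check suggested in the last message can be scripted. The following is an added example, not part of any post in the thread: it groups Postfix smtpd log lines into sessions and records, for each one, whether a SASL login was logged, how many "Relay access denied" rejects occurred, and whether the HELO was a private address literal. The sample log lines, hostnames and addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample log (documentation-range addresses); not taken from the thread.
SAMPLE_LOG = """\
Dec  6 07:50:01 mx postfix/smtpd[101]: connect from client.example[203.0.113.7]
Dec  6 07:50:02 mx postfix/smtpd[101]: 4F1A22C0: client=client.example[203.0.113.7], sasl_method=PLAIN, sasl_username=user@example.org
Dec  6 07:50:03 mx postfix/smtpd[101]: disconnect from client.example[203.0.113.7]
Dec  6 07:56:56 mx postfix/smtpd[102]: connect from client.example[203.0.113.7]
Dec  6 07:56:57 mx postfix/smtpd[102]: NOQUEUE: reject: RCPT from client.example[203.0.113.7]: 554 5.7.1 <rcpt@example.net>: Relay access denied; from=<user@example.org> to=<rcpt@example.net> proto=ESMTP helo=<[192.168.1.80]>
Dec  6 07:56:58 mx postfix/smtpd[102]: disconnect from client.example[203.0.113.7]
Dec  6 08:10:00 mx postfix/smtpd[101]: connect from client.example[203.0.113.7]
Dec  6 08:10:01 mx postfix/smtpd[101]: warning: client.example[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Dec  6 08:10:02 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from client.example[203.0.113.7]: 554 5.7.1 <rcpt@example.net>: Relay access denied; from=<user@example.org> to=<rcpt@example.net> proto=ESMTP helo=<[10.0.0.5]>
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
HELO = re.compile(r"helo=<\[?([^\]>]+)\]?>")

def private_helo(helo):
    try:
        return ipaddress.ip_address(helo).is_private
    except ValueError:
        return False  # HELO was a hostname, not an address literal

def classify_sessions(log_text):
    current, sessions = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            # smtpd PIDs are reused, so every connect opens a new session for that PID.
            # "no_sasl_logged" only means no SASL success or failure line was seen.
            current[pid] = {"client": msg[13:], "auth": "no_sasl_logged", "rejects": 0, "private_helo": False}
            sessions.append(current[pid])
        s = current.get(pid)
        if s is None:
            continue
        if "sasl_username=" in msg:
            s["auth"] = "authenticated"
        elif "SASL" in msg and "authentication failed" in msg:
            s["auth"] = "auth_failed"
        elif "Relay access denied" in msg:
            s["rejects"] += 1
            h = HELO.search(msg)
            s["private_helo"] = bool(h and private_helo(h.group(1)))
    return sessions
```

Sessions that show rejects together with `auth_failed` or `no_sasl_logged` are the ones to compare against the same client's `authenticated` sessions.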