# ISPConfig3 + Postfix = 554 5.7.1 (access denied)



## Umatech (22. Juli 2013)

Hallo !!

Nachdem ich böse Widrigkeiten aus dem Weg geräumt habe, kommt nun das nächste Problem: Mails rein und raus sind kein Problem. Mit Outlook über Port 25 geht das auch ohne Probleme. Wenn ich versuche über 587 zu senden, dann kommt die Meldung: "Antwort des Servers: 554 5.7.1" und im log steht folgendes:


```
Jul 22 10:05:48 chicago012 postfix/smtpd[9268]: connect from 91-65-51-195-dynip.superkabel.de[91.65.51.195]
Jul 22 10:05:48 chicago012 postfix/smtpd[9268]: NOQUEUE: reject: CONNECT from 91-65-51-195-dynip.superkabel.de[91.65.51.195]: 554 5.7.1 <91-65-51-195-dynip.superkabel.de[91.65.51.195]>: Client host rejected: Access denied; proto=SMTP
Jul 22 10:05:48 chicago012 postfix/smtpd[9268]: lost connection after CONNECT from 91-65-51-195-dynip.superkabel.de[91.65.51.195]
Jul 22 10:05:48 chicago012 postfix/smtpd[9268]: disconnect from 91-65-51-195-dynip.superkabel.de[91.65.51.195]
```
Habe schon mit etlichen Einstellungen umher probiert, aber nichts ändert sich ... ich werde weiterhin rejected :-(

main.cf

```
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = chicago012.server4you.de
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = chicago012.server4you.de, localhost, localhost.localdomain, $mydomain
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains = 
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
inet_protocols = all
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf reject_unauth_destination permit_inet_interfaces
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
smtpd_delay_reject = no
```
Kann mir hier evtl. noch jemand einen Tip geben, warum ich auf 587 rejected werde und eben nur da ???


----------



## nowayback (22. Juli 2013)

hi,

hast du in der master.cf die # vor submission entfernt und postfix neugestartet?

Grüße
nwb


----------



## Umatech (22. Juli 2013)

ja.. beides 

master.cf:


```
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
    -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix    -    n    n    -    2    pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

dovecot   unix  -       n       n       -       -       pipe
  flags=DROhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
```


----------



## nowayback (22. Juli 2013)

was sagt denn

```
netstat -tap | grep submission
```


----------



## Umatech (22. Juli 2013)

das sieht recht normal aus !?


```
tcp        0      0 *:submission            *:*                     LISTEN      11442/master
tcp6       0      0 [::]:submission         [::]:*                  LISTEN      11442/master
```


----------



## nowayback (22. Juli 2013)

ja das sieht normal aus.

änder mal die zeile submission inet n       -       -       -       -       smtpd in der master.cf in


```
submission inet n       -       -       -       -       smtpd -v
```
danach ein /etc/init.d/postfix reload

dann versuche die verbindung über submission. danach schau mal in die logfiles.

nicht vergessen, nach der lösung -v wieder zu entfernen sonst haste schnell riesen logfiles


----------



## Umatech (22. Juli 2013)

danke für die tipps... die kiste versucht da immer irgendwas zu matchen ...


```
Jul 22 13:50:03 chicago012 postfix/smtpd[21959]: match_list_match: 91-65-51-195-dynip.superkabel.de: no match 
Jul 22 13:50:03 chicago012 postfix/smtpd[21959]: match_list_match: 91-65-51-195-dynip.superkabel.de: no match 
Jul 22 13:50:03 chicago012 postfix/smtpd[21959]: match_hostname: 91-65-51-195-dynip.superkabel.de ~? 127.0.0.0/8 
Jul 22 13:50:03 chicago012 postfix/smtpd[21959]: match_hostname: 91-65-51-195-dynip.superkabel.de ~? [::1]/128 
Jul 22 13:50:03 chicago012 postfix/smtpd[21959]: match_list_match: 91-65-51-195-dynip.superkabel.de: no match 
Jul 22 13:50:03 chicago012 postfix/smtpd[21959]: NOQUEUE: reject: CONNECT from 91-65-51-195-dynip.superkabel.de[91.65.51.195]: 554 5.7.1 <91-65-51-195-dynip.superkabel.de[91.65.51.195]>: Client host rejected: Access denied; proto=SMTP 
Jul 22 13:50:03 chicago012 postfix/smtpd[21959]: > 91-65-51-195-dynip.superkabel.de[91.65.51.195]: 554 5.7.1 <91-65-51-195-dynip.superkabel.de[91.65.51.195]>: Client host rejected: Access denied 
Jul 22 13:50:03 chicago012 postfix/smtpd[21959]: match_hostname: 91-65-51-195-dynip.superkabel.de ~? 127.0.0.0/8 
Jul 22 13:50:03 chicago012 postfix/smtpd[21959]: match_hostname: 91-65-51-195-dynip.superkabel.de ~? [::1]/128 
Jul 22 13:50:03 chicago012 postfix/smtpd[21959]: match_list_match: 91-65-51-195-dynip.superkabel.de: no match 
Jul 22 13:50:03 chicago012 postfix/smtpd[21959]: lost connection after CONNECT from 91-65-51-195-dynip.superkabel.de[91.65.51.195] 
Jul 22 13:50:03 chicago012 postfix/smtpd[21959]: disconnect from 91-65-51-195-dynip.superkabel.de[91.65.51.195]
```


----------



## nowayback (22. Juli 2013)

main.cf


```
smtpd_delay_reject = no
```
ändern in


```
smtpd_delay_reject = yes
```



> smtpd_delay_reject (default: yes)
> Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait until the ETRN command before evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.
> 
> This feature is turned on by default because some clients apparently mis-behave when the Postfix SMTP server rejects commands before RCPT TO.
> ...


Quelle: Postfix Configuration Parameters



hast du noch mehr selbst geändert?

Beispiel:

```
mydestination = chicago012.server4you.de, localhost, localhost.localdomain, [B][U]$mydomain[/U][/B]
```
ich hab $mydomain per default z.b. da nicht drinstehen


----------



## Umatech (23. Juli 2013)

Ich habe da endlos umhergeschraubt und musste feststellen, dass es wieder nicht ging. Da werde ich wohl vergessen haben, das eine oder andere zurückzustellen. Das entfernen von *$mydomain* brachte gar nichts, aber smtpd_delay_reject war dann DER(!) Bringer und alles funktionierte dann perfekt. Somit bist Du für gestern der Held des Tages  Danke nochmal für den Tip!!


----------



## nowayback (23. Juli 2013)

> Das entfernen von $mydomain brachte gar nichts


richtig... das hatte nichts mit deinem problem zutun, aber hätte dich in ein anderes führen können. deswegen fragte ich 

trotzdem schön das es nun läuft.

grüße
nwb


----------

