postfix Relay access denied错误的解决方法
发现服务器不能向外域发邮件,日志中有记录如下:
Jan 18 15:20:26 www postfix/smtpd[23419]: NOQUEUE: reject: RCPT from unknown[124.200.70.112]: 554 5.7.1 < wan695@gmail.com>: Relay access denied; from=< from@from.com> to=< to@to.com> proto=ESMTP helo=
百思不得其解,放狗也没有找到什么有价值的资源,后来我看到一段注释了的配置
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_invalid_hostname,
reject_rbl_client cbl.anti-spam.org.cn
这段配置是当时为了搞另外一个反垃圾系统给注释掉的,后来把这个反垃圾系统给去掉了,但是没有把这段配置反注释,于是我的邮件就出问题了,幸好我习惯还比较好,通常都是注释配置文件,要不然一点头绪都找不到.
Postfix Configuration Parameters如是说
smtpd_recipient_restrictions (default: permit_mynetworks, reject_unauth_destination)
The access restrictions that the Postfix SMTP server applies in the context of the RCPT TO command.
By default, the Postfix SMTP server accepts:
Mail from clients whose IP address matches $mynetworks, or:
Mail to remote destinations that match $relay_domains, except for addresses that contain sender-specified routing (user@elsewhere@domain), or:
Mail to local destinations that match $inet_interfaces or $proxy_interfaces, $mydestination, $virtual_alias_domains, or $virtual_mailbox_domains.
IMPORTANT: If you change this parameter setting, you must specify at least one of the following restrictions. Otherwise Postfix will refuse to receive mail:
reject, defer, defer_if_permit, reject_unauth_destination
Specify a list of restrictions, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. Restrictions are applied in the order as specified; the first restriction that matches wins.
The following restrictions are specific to the recipient address that is received with the RCPT TO command.
check_recipient_access type:table
Search the specified access(5) database for the resolved RCPT TO address, domain, parent domains, or localpart@, and execute the corresponding action.
check_recipient_mx_access type:table
Search the specified access(5) database for the MX hosts for the RCPT TO address, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.
check_recipient_ns_access type:table
Search the specified access(5) database for the DNS servers for the RCPT TO address, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.
permit_auth_destination
Permit the request when one of the following is true:
Postfix is mail forwarder: the resolved RCPT TO address matches $relay_domains or a subdomain thereof, and the address contains no sender-specified routing (user@elsewhere@domain),
Postfix is the final destination: the resolved RCPT TO address matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and the address contains no sender-specified routing (user@elsewhere@domain).
permit_mx_backup
Permit the request when the local mail system is backup MX for the RCPT TO address, or when the address is an authorized destination (see permit_auth_destination for definition).
Safety: permit_mx_backup does not accept addresses that have sender-specified routing information (example: user@elsewhere@domain).
Safety: permit_mx_backup can be vulnerable to mis-use when access is not restricted with permit_mx_backup_networks.
Safety: as of Postfix version 2.3, permit_mx_backup no longer accepts the address when the local mail system is primary MX for the recipient domain. Exception: permit_mx_backup accepts the address when it specifies an authorized destination (see permit_auth_destination for definition).
Limitation: mail may be rejected in case of a temporary DNS lookup problem with Postfix prior to version 2.0.
reject_non_fqdn_recipient
Reject the request when the RCPT TO address is not in fully-qualified domain form, as required by the RFC.
The non_fqdn_reject_code parameter specifies the response code to rejected requests (default: 504).
reject_rhsbl_recipient rbl_domain=d.d.d.d
Reject the request when the RCPT TO domain is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). If no "=d.d.d.d" is specified, reject the request when the RCPT TO domain is listed with any A record under rbl_domain.
The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554); the default_rbl_reply parameter specifies the default server reply; and the rbl_reply_maps parameter specifies tables with server replies indexed by rbl_domain. This feature is available in Postfix version 2.0 and later.
reject_unauth_destination
Reject the request unless one of the following is true:
Postfix is mail forwarder: the resolved RCPT TO address matches $relay_domains or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
Postfix is the final destination: the resolved RCPT TO address matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).
reject_unknown_recipient_domain
Reject the request when Postfix is not final destination for the recipient address, and the RCPT TO address has no DNS A or MX record, or when it has a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.
reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
Reject the request when the RCPT TO address is not listed in the list of valid recipients for its domain class. See the smtpd_reject_unlisted_recipient parameter description for details. This feature is available in Postfix 2.1 and later.
reject_unverified_recipient
Reject the request when mail to the RCPT TO address is known to bounce, or when the recipient address destination is not reachable. Address verification information is managed by the verify(
server; see the ADDRESS_VERIFICATION_README file for details.
The unverified_recipient_reject_code parameter specifies the response when an address is known to bounce (default: 450, change into 550 when you are confident that it is safe to do so). Postfix replies with 450 when an address probe failed due to a temporary problem. This feature is available in Postfix 2.1 and later.
Other restrictions that are valid in this context:
Generic restrictions that can be used in any SMTP command context, described under smtpd_client_restrictions.
SMTP command specific restrictions described under smtpd_client_restrictions, smtpd_helo_restrictions and smtpd_sender_restrictions.
Example:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
发现服务器不能向外域发邮件,日志中有记录如下:
Jan 18 15:20:26 www postfix/smtpd[23419]: NOQUEUE: reject: RCPT from unknown[124.200.70.112]: 554 5.7.1 < wan695@gmail.com>: Relay access denied; from=< from@from.com> to=< to@to.com> proto=ESMTP helo=
百思不得其解,放狗也没有找到什么有价值的资源,后来我看到一段注释了的配置
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_unauth_pipelining,
reject_invalid_hostname,
reject_rbl_client cbl.anti-spam.org.cn
这段配置是当时为了搞另外一个反垃圾系统给注释掉的,后来把这个反垃圾系统给去掉了,但是没有把这段配置反注释,于是我的邮件就出问题了,幸好我习惯还比较好,通常都是注释配置文件,要不然一点头绪都找不到.
Postfix Configuration Parameters如是说
smtpd_recipient_restrictions (default: permit_mynetworks, reject_unauth_destination)
The access restrictions that the Postfix SMTP server applies in the context of the RCPT TO command.
By default, the Postfix SMTP server accepts:
Mail from clients whose IP address matches $mynetworks, or:
Mail to remote destinations that match $relay_domains, except for addresses that contain sender-specified routing (user@elsewhere@domain), or:
Mail to local destinations that match $inet_interfaces or $proxy_interfaces, $mydestination, $virtual_alias_domains, or $virtual_mailbox_domains.
IMPORTANT: If you change this parameter setting, you must specify at least one of the following restrictions. Otherwise Postfix will refuse to receive mail:
reject, defer, defer_if_permit, reject_unauth_destination
Specify a list of restrictions, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. Restrictions are applied in the order as specified; the first restriction that matches wins.
The following restrictions are specific to the recipient address that is received with the RCPT TO command.
check_recipient_access type:table
Search the specified access(5) database for the resolved RCPT TO address, domain, parent domains, or localpart@, and execute the corresponding action.
check_recipient_mx_access type:table
Search the specified access(5) database for the MX hosts for the RCPT TO address, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.
check_recipient_ns_access type:table
Search the specified access(5) database for the DNS servers for the RCPT TO address, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.
permit_auth_destination
Permit the request when one of the following is true:
Postfix is mail forwarder: the resolved RCPT TO address matches $relay_domains or a subdomain thereof, and the address contains no sender-specified routing (user@elsewhere@domain),
Postfix is the final destination: the resolved RCPT TO address matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and the address contains no sender-specified routing (user@elsewhere@domain).
permit_mx_backup
Permit the request when the local mail system is backup MX for the RCPT TO address, or when the address is an authorized destination (see permit_auth_destination for definition).
Safety: permit_mx_backup does not accept addresses that have sender-specified routing information (example: user@elsewhere@domain).
Safety: permit_mx_backup can be vulnerable to mis-use when access is not restricted with permit_mx_backup_networks.
Safety: as of Postfix version 2.3, permit_mx_backup no longer accepts the address when the local mail system is primary MX for the recipient domain. Exception: permit_mx_backup accepts the address when it specifies an authorized destination (see permit_auth_destination for definition).
Limitation: mail may be rejected in case of a temporary DNS lookup problem with Postfix prior to version 2.0.
reject_non_fqdn_recipient
Reject the request when the RCPT TO address is not in fully-qualified domain form, as required by the RFC.
The non_fqdn_reject_code parameter specifies the response code to rejected requests (default: 504).
reject_rhsbl_recipient rbl_domain=d.d.d.d
Reject the request when the RCPT TO domain is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). If no "=d.d.d.d" is specified, reject the request when the RCPT TO domain is listed with any A record under rbl_domain.
The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554); the default_rbl_reply parameter specifies the default server reply; and the rbl_reply_maps parameter specifies tables with server replies indexed by rbl_domain. This feature is available in Postfix version 2.0 and later.
reject_unauth_destination
Reject the request unless one of the following is true:
Postfix is mail forwarder: the resolved RCPT TO address matches $relay_domains or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
Postfix is the final destination: the resolved RCPT TO address matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).
reject_unknown_recipient_domain
Reject the request when Postfix is not final destination for the recipient address, and the RCPT TO address has no DNS A or MX record, or when it has a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
The unknown_address_reject_code parameter specifies the response code for rejected requests (default: 450). The response is always 450 in case of a temporary DNS error.
reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
Reject the request when the RCPT TO address is not listed in the list of valid recipients for its domain class. See the smtpd_reject_unlisted_recipient parameter description for details. This feature is available in Postfix 2.1 and later.
reject_unverified_recipient
Reject the request when mail to the RCPT TO address is known to bounce, or when the recipient address destination is not reachable. Address verification information is managed by the verify(
server; see the ADDRESS_VERIFICATION_README file for details.
The unverified_recipient_reject_code parameter specifies the response when an address is known to bounce (default: 450, change into 550 when you are confident that it is safe to do so). Postfix replies with 450 when an address probe failed due to a temporary problem. This feature is available in Postfix 2.1 and later.
Other restrictions that are valid in this context:
Generic restrictions that can be used in any SMTP command context, described under smtpd_client_restrictions.
SMTP command specific restrictions described under smtpd_client_restrictions, smtpd_helo_restrictions and smtpd_sender_restrictions.
Example:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/94384/viewspace-600328/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/94384/viewspace-600328/
2201
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
