Reason for blocked access?
in [Postfix]
|
Prev: Simple hack to get $500 to your home.
Next: Any way to archive the same using regexp transport in versions 2.3+
From: Joern Bredereck on 14 Jul 2010 04:06 Hi, how can I tell why the following mail has been rejected: Jul 14 08:48:58 zarafa-xen postfix/smtpd[26113]: NOQUEUE: reject: RCPT from ns.gbc.net[212.97.96.201]: 554 5.7.1 <ns.gbc.net[212.97.96.201]>: Client host rejected: Access denied; from=<joerg.haller(a)flaig-hommel.de> to=<m.bott(a)otec.de> proto=ESMTP helo=<mail.gbc.net> "client host rejected" would require for the host to be in a "check_client_access" table, right? I can't find the IP nor the hostname in the corresponding Hash-Table. Any idea why the mail was blocked anyway? What can I do to troubleshoot such cases in the future? Can I increase the log level for mail rejections like these without turning on the verbose logging mode in general? Thanks in advance! Regards, Joern
From: Ralf Hildebrandt on 14 Jul 2010 04:20 * Joern Bredereck <jb(a)bw-networx.net>: > Hi, > > how can I tell why the following mail has been rejected: > > Jul 14 08:48:58 zarafa-xen postfix/smtpd[26113]: NOQUEUE: reject: RCPT > from ns.gbc.net[212.97.96.201]: 554 5.7.1 <ns.gbc.net[212.97.96.201]>: > Client host rejected: Access denied; from=<joerg.haller(a)flaig-hommel.de> > to=<m.bott(a)otec.de> proto=ESMTP helo=<mail.gbc.net> > > "client host rejected" would require for the host to be in a > "check_client_access" table, right? Hostname or IP or net or domain, yes. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebrandt(a)charite.de | http://www.charite.de
From: Joern Bredereck on 14 Jul 2010 04:30 Disregard my posting... I found the IP in one of the tables.... Sorry for bothering you! Jörn Am 14.07.10 10:06, schrieb Joern Bredereck: > Hi, > > how can I tell why the following mail has been rejected: > > Jul 14 08:48:58 zarafa-xen postfix/smtpd[26113]: NOQUEUE: reject: RCPT > from ns.gbc.net[212.97.96.201]: 554 5.7.1 <ns.gbc.net[212.97.96.201]>: > Client host rejected: Access denied; from=<joerg.haller(a)flaig-hommel.de> > to=<m.bott(a)otec.de> proto=ESMTP helo=<mail.gbc.net> > > "client host rejected" would require for the host to be in a > "check_client_access" table, right? > > I can't find the IP nor the hostname in the corresponding Hash-Table. > > Any idea why the mail was blocked anyway? What can I do to troubleshoot > such cases in the future? Can I increase the log level for mail > rejections like these without turning on the verbose logging mode in > general? > > Thanks in advance! > > Regards, > > Joern > > > > > !DSPAM:4c3d702d235138362916074!
From: Stan Hoeppner on 14 Jul 2010 04:45 Joern Bredereck put forth on 7/14/2010 3:06 AM: > Hi, > > how can I tell why the following mail has been rejected: > > Jul 14 08:48:58 zarafa-xen postfix/smtpd[26113]: NOQUEUE: reject: RCPT > from ns.gbc.net[212.97.96.201]: 554 5.7.1 <ns.gbc.net[212.97.96.201]>: > Client host rejected: Access denied; from=<joerg.haller(a)flaig-hommel.de> > to=<m.bott(a)otec.de> proto=ESMTP helo=<mail.gbc.net> > > "client host rejected" would require for the host to be in a > "check_client_access" table, right? > > I can't find the IP nor the hostname in the corresponding Hash-Table. Do you have more than one access table/type? I have 7 access tables, including hash, CIDR, regexp, and PCRE. I add comments to my regexp and PCRE tables to make matching REJECTs in the mail log to a given filter possible. Without such comments finding the table entry that caused the rejection can be very difficult, if not impossible given time constraints. > Any idea why the mail was blocked anyway? What can I do to troubleshoot > such cases in the future? Can I increase the log level for mail > rejections like these without turning on the verbose logging mode in > general? Add rejection comments to your table entries. The comments will show up in the REJECT entry in the mail log. CIDR table, for example: 212.97.96.0/19 REJECT # GBC Internet Center GmbH Or, if you have this in a hash table: 212.97.96 REJECT # GBC Internet Center GmbH Keep in mind that in a hash table you can use network classes such as 212.97.96 Class C 212.97 Class B 212 Class A If you use such network notation, grepping this hash table for the exact IP address 212.97.96.201 won't show any matches, but Postfix will match the IP and reject the connection. Likewise, you can't grep a CIDR file for an exact IP address either. Again, commenting your access map file entries really helps avoid the problem you're currently having as you simply grep the access tables for the comment shown in the mail log rejection. If you'd have provided "postconf -n" output, per the list welcome instructions, I may have likely answered your question definitively. -- Stan
From: Joern Bredereck on 14 Jul 2010 04:50
Am 14.07.10 10:45, schrieb Stan Hoeppner: > Do you have more than one access table/type? I have 7 access tables, > including hash, CIDR, regexp, and PCRE. I add comments to my regexp and PCRE > tables to make matching REJECTs in the mail log to a given filter possible. > Without such comments finding the table entry that caused the rejection can be > very difficult, if not impossible given time constraints. Thanks for the tip with the comments. I didn't know they would show up in the logs. That's really the best way to tell which table entry matched. Regards, Joern |