# postfix Client host rejected: issue

## nasher

I tried to send a mail from outside to my mailserver.

But when I try this I get this error:

```
554 <unknown[ipofmailserv]]>: Client host rejected: Access denied
```

I tried to search in this forum and I need to add a permit.

I don't know what permit.

Because it's from outside and I don't want to have an open relay.

I saw:

```
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
#   subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
```

So I don't know the problem.

----------

## UberLord

If the mailserver host is bloggs.com then it should accept emails to bloggs.com.

But really, you need to enable SASL on the postfix server and permit SASL authenticated clients. There's a HOW-TO on this in the Docs forum:

https://forums.gentoo.org/viewtopic.php?t=56633

----------

## nasher

I can't auth against SASL.

The admins here don't know anything about Linux.

I'm using Webmin so they can view mailboxes and add users.

Webmin uses /etc/passwd and can't work with SASL; this is why I do this.

My situation is now:

wan > firewall > 192.168.0.252(mailserver) spam filter > .maildir

When a user sends mail:

lan > 192.168.0.254(mailserver) > wan

.252 is an alias on eth0.

----------

## UberLord

You can configure SASL to work with /etc/passwd easily enough - my server does this.

----------

## nasher

Can you post your main.cf and your master.cf?

What I did (I'm not sure because it's a while ago I did this and I'm not at work now):

I changed

```
root@server # vi /etc/sasl2/smtpd.conf
pwcheck_method: sasldb
```

sasldb > passwd

But then, I guess I don't have something right in the main.cf with permissions from outside.

(edit):

Users can email without authentication to Postfix because I have permit network, the solution is not to do this? They need to auth against /etc/passwd when they are sending an email?!

----------

## UberLord

main.cf bits

```
# Enable SASL authentication and refuse anonymous mechanisms
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
# Clients must authenticate or be in $mynetworks; everything else is rejected
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains, reject_unauth_destination
# Offer TLS, and accept AUTH only on TLS-protected connections
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/private/key.pem
smtpd_tls_cert_file = /etc/ssl/private/cert.pem
smtpd_tls_CAfile = /etc/ssl/private/ca.cert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_session_cache_timeout = 3600s
tls_daemon_random_source = dev:/dev/urandom
tls_random_source = dev:/dev/urandom
```

/usr/lib/sasl2/smtpd.conf

```
pwcheck_method: saslauthd
```

Then start up the saslauthd daemon and restart postfix:

```
rc-update add saslauthd default
rc
/etc/init.d/postfix restart
```

Note that my configuration forces SASL clients only unless they are on internal network. So users will need relatively new email clients to send mail.

----------

## UberLord

 *nasher wrote:*

> Users can email without authentication to Postfix because I have permit network, the solution is not to do this? They need to auth against /etc/passwd when they are sending an email?!

They have to auth against something as you don't know any network details from where they may be sending from!

----------

## nasher

Oh man.

I changed the mydomain parameter.

Now I've the following error:

```
554 <asd@asd.orgl>: Recipient address rejected: Access denied
```

----------

## nasher

owye

Problem solved.

There was another -o smtpd_recipient_restrictions= in my master.cf that points to another IP.

I changed it into

```
192.168.0.254:smtp        inet  n       -       n       -       - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=check_relay_domains,permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8,192.168.0.0/24
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
```

And it works now.

----------
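The cause found in the last post was a per-service `-o` override in master.cf replacing the restrictions set in main.cf. As an added example (not code from the thread or from Postfix), this Python script lists such overrides for every smtpd service so they can be audited; the sample master.cf and main.cf values are constructed from the settings posted above, and only the `-o name=value` form is handled.

```python
# Added example: list master.cf "-o" overrides that replace main.cf access controls.
SAMPLE_MASTER_CF = """\
# service          type private unpriv chroot wakeup maxproc command
smtp               inet n       -      n      -      -       smtpd
192.168.0.254:smtp inet n       -      n      -      -       smtpd
    -o content_filter=
    -o smtpd_client_restrictions=
    -o smtpd_recipient_restrictions=check_relay_domains,permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8,192.168.0.0/24
pickup             fifo n       -      n      60     1       pickup
"""  # constructed sample
SAMPLE_MAIN_CF = {  # constructed sample: one main.cf setting from the thread
    "smtpd_client_restrictions": "permit_sasl_authenticated, permit_mynetworks, reject",
}

def logical_lines(text):
    """Drop comments/blank lines; join lines starting with whitespace to the previous one."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def smtpd_overrides(text):
    """Return {"service/type": {param: value}} for each smtpd entry (only -o name=value)."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        args = fields[8:]
        pairs = [b for a, b in zip(args, args[1:]) if a == "-o" and "=" in b]
        services[f"{fields[0]}/{fields[1]}"] = dict(p.split("=", 1) for p in pairs)
    return services

def access_overrides(master_text, main_cf):
    """List (service, param, master.cf value, main.cf value) for access-control overrides."""
    return [(svc, name, value, main_cf.get(name, "(not set in sample main.cf)"))
            for svc, opts in smtpd_overrides(master_text).items()
            for name, value in opts.items()
            if name.endswith("_restrictions") or name == "mynetworks"]

if __name__ == "__main__":
    for svc, name, new, old in access_overrides(SAMPLE_MASTER_CF, SAMPLE_MAIN_CF):
        print(f"{svc}: {name} = {new!r} (main.cf: {old!r})")
```

An empty override such as `-o smtpd_client_restrictions=` still counts: it clears the main.cf value for that one listener.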

