1

Topic: Recipient address rejected: Access denied;

==== Required information ====
- iRedMail version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
======== Required information ====
- iRedMail version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
======== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version:  Debain 64bit
- Related log if you're reporting an issue: mail.log
====

I am trying to use http://www.port25.com/support/authentic … ification/ to test DKIM and SPF

When I send them an email according to the mail.log the email is sent correctly but when they try to reply I get the following:

Oct 21 17:24:05 mxs postfix/smtpd[3789]: connect from verifier.port25.com[2002:60f4:db13::1]
Oct 21 17:24:06 mxs postfix/smtpd[3789]: NOQUEUE: reject: RCPT from verifier.port25.com[2002:60f4:db13::1]: 450 4.7.1 <admin@yts.re>: Recipient address rejected: Access denied; from=<auth-results@verifier.port25.com> to=<admin@yts.re> proto=ESMTP helo=<verifier.port25.com>
Oct 21 17:24:06 mxs postfix/smtpd[3789]: disconnect from verifier.port25.com[2002:60f4:db13::1]

When I send to any gmail or hotmail the email is sent fine fromt he iRedMail server and also happy to be received. Seem so far I can only replicate it on check-auth@verifier.port25.com email test

my postfix conf is:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = yts.re
myhostname = mxs.yts.re
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = mxs.yts.re
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 0
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = permit_mynetworks, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, permit_mynetworks, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl_certificate/yts.re/chained.crt
smtpd_tls_key_file = /etc/ssl_certificate/yts.re/private.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: Recipient address rejected: Access denied;

Do you have a IPv6 address?

3

Re: Recipient address rejected: Access denied;

ZhangHuangbin wrote:

Do you have a IPv6 address?

Yes, I have dual stack (native IPv6) and I have gone through and configured postfix and dovecot

Thank you for pointing me in the correct direction, Yes you are correct anythign IPv6 incoming seems to be getting in the error


Recipient address rejected: Access denied;

Any advice of how we might be able to overcome this?

4

Re: Recipient address rejected: Access denied;

Please try to remove all 'check_policy_service inet:127.0.0.1:xxxx' in Postfix /etc/postfix/main.cf (backup this file before modifying it), restart Postfix service and try again.

5

Re: Recipient address rejected: Access denied;

Thank you so much for pointing me in the correct direction.

It turns out it was in fact cluebringer, so I upgraded it to version 2.1 which adds the IPv6 support.

it was screaming in logs: ERROR: Protocol data validation error, required parameter 'client_address' was not found or invalid format

Things are working great now with receiving IPv6 emails.

Thank you again!

6

Re: Recipient address rejected: Access denied;

Could you help verify whether iRedAPD (check_policy_service inet:127.0.0.1:7777) works with IPv6 or not?

7

Re: Recipient address rejected: Access denied;

2014-10-21 21:54:57 INFO [2002:60f4:db13::1] auth-results@verifier.port25.com -> adnin@my-domain.com, DUNNO

Seems to be fine in that regards in the log file, is there any other specific way to check if its functioning correctly?

8

Re: Recipient address rejected: Access denied;

Thanks for your help. Could you please turn on debug mode in iRedAPD and try again? Paste detailed debug log here so that i can know whether it works or not.

Reference: How to turn on debug mode in iRedAPD.
http://www.iredmail.org/docs/turn.on.de … edapd.html

9

Re: Recipient address rejected: Access denied;

ZhangHuangbin wrote:

Thanks for your help. Could you please turn on debug mode in iRedAPD and try again? Paste detailed debug log here so that i can know whether it works or not.

Reference: How to turn on debug mode in iRedAPD.
http://www.iredmail.org/docs/turn.on.de … edapd.html

Here is the log receiving IPv6 email


2014-10-22 14:01:54 DEBUG Connect from 127.0.0.1, port 40954.
2014-10-22 14:01:54 DEBUG smtp session: request=smtpd_access_policy
2014-10-22 14:01:54 DEBUG smtp session: protocol_state=RCPT
2014-10-22 14:01:54 DEBUG smtp session: protocol_name=ESMTP
2014-10-22 14:01:54 DEBUG smtp session: client_address=2607:f8b0:400e:c02::22f
2014-10-22 14:01:54 DEBUG smtp session: client_name=mail-pd0-x22f.google.com
2014-10-22 14:01:54 DEBUG smtp session: reverse_client_name=mail-pd0-x22f.google.com
2014-10-22 14:01:54 DEBUG smtp session: helo_name=mail-pd0-x22f.google.com
2014-10-22 14:01:54 DEBUG smtp session: sender=me@gmail.com
2014-10-22 14:01:54 DEBUG smtp session: recipient=track@domain.com
2014-10-22 14:01:54 DEBUG smtp session: recipient_count=0
2014-10-22 14:01:54 DEBUG smtp session: queue_id=
2014-10-22 14:01:54 DEBUG smtp session: instance=3c36.5447ff22.81dc5.0
2014-10-22 14:01:54 DEBUG smtp session: size=1479
2014-10-22 14:01:54 DEBUG smtp session: etrn_domain=
2014-10-22 14:01:54 DEBUG smtp session: stress=
2014-10-22 14:01:54 DEBUG smtp session: sasl_method=
2014-10-22 14:01:54 DEBUG smtp session: sasl_username=
2014-10-22 14:01:54 DEBUG smtp session: sasl_sender=
2014-10-22 14:01:54 DEBUG smtp session: ccert_subject=
2014-10-22 14:01:54 DEBUG smtp session: ccert_issuer=
2014-10-22 14:01:54 DEBUG smtp session: ccert_fingerprint=
2014-10-22 14:01:54 DEBUG smtp session: ccert_pubkey_fingerprint=
2014-10-22 14:01:54 DEBUG smtp session: encryption_protocol=TLSv1
2014-10-22 14:01:54 DEBUG smtp session: encryption_cipher=ECDHE-RSA-RC4-SHA
2014-10-22 14:01:54 DEBUG smtp session: encryption_keysize=128
2014-10-22 14:01:54 DEBUG --> Apply plugin: sql_alias_access_policy
2014-10-22 14:01:54 DEBUG SQL: SELECT accesspolicy, goto, moderators
            FROM alias
            WHERE
                address='track@domain.com'
                AND address <> goto
                AND domain='domain.com'
                AND active=1
            LIMIT 1

2014-10-22 14:01:54 DEBUG SQL Record: None
2014-10-22 14:01:54 DEBUG <-- Result: DUNNO (Not mail alias)
2014-10-22 14:01:54 DEBUG --> Apply plugin: sql_user_restrictions
2014-10-22 14:01:54 DEBUG SQL to get restriction rules of sender (me@gmail.com):
        SELECT
            allowedrecipients, rejectedrecipients,
            allowedsenders, rejectedsenders
        FROM mailbox
        WHERE username='me@gmail.com'
        LIMIT 1

2014-10-22 14:01:54 DEBUG Returned SQL Record: None
2014-10-22 14:01:54 DEBUG SQL to get restriction rules of recipient (track@domain.com):
            SELECT
                allowedrecipients, rejectedrecipients,
                allowedsenders, rejectedsenders
            FROM mailbox
            WHERE username='track@domain.com'
            LIMIT 1

2014-10-22 14:01:54 DEBUG Returned SQL Record: (None, None, None, None)
2014-10-22 14:01:54 DEBUG No restrictions of recipient.
2014-10-22 14:01:54 DEBUG <-- Result: DUNNO
2014-10-22 14:01:54 INFO [2607:f8b0:400e:c02::22f] me@gmail.com -> track@domain.com, DUNNO
2014-10-22 14:01:54 DEBUG Connection closed
2014-10-22 14:01:54 DEBUG Closed SQL connection.

10

Re: Recipient address rejected: Access denied;

OK, great. thanks for your help.