I am trying to set up email alerts for cron jobs but I am having trouble sending mail from this one host. I have postfix and bsd-mailx installed but I am unable to send mail.
I tried to telnet host.name 25
and manually type the commands but that is not working. The output of the session is this:
root@laptop0:~# telnet mail0.lab.dblitt99.tk 25
Trying 192.168.0.16...
Connected to mail0.lab.dblitt99.tk.
Escape character is '^]'.
220 mail0.lab.dblitt99.tk ESMTP Postfix
HELO laptop0.lab.dblitt99.tk
250 mail0.lab.dblitt99.tk
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
451 4.7.1 <[email protected]>: Recipient address rejected: Intentional policy rejection, please try again later
I do not understand why this is happening because I can send mail with no problems from another host. That telnet session is this:
root@pve ➜ ~ # telnet mail0.lab.dblitt99.tk 25
Trying 192.168.0.16...
Connected to mail0.lab.dblitt99.tk.
Escape character is '^]'.
220 mail0.lab.dblitt99.tk ESMTP Postfix
HELO laptop0.lab.dblitt99.tk
250 mail0.lab.dblitt99.tk
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: why do you do this to me
why
.
250 2.0.0 Ok: queued as 75024A2AFF
I already checked on my mail host and fail2ban has not blocked the IP.
I am pretty sure that there are no firewall rules blocking this:
root@laptop0:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
What are your smtpd_recipient_restrictions? You can probably find that in /etc/postfix/main.cf or
user@host:~$ postconf smtpd_recipient_restrictions
root@mail0 ➜ ~ # postconf smtpd_recipient_restrictions
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unlisted_recipient check_policy_service inet:127.0.0.1:7777 permit_mynetworks permit_sasl_authenticated reject_unauth_destination
So you have check_policy_service inet:127.0.0.1:7777 in the recipient restrictions. If you remove that restriction, you probably will stop the rejection. But you won’t have the policy check anymore. What are your external policy settings?
These are all the restrictions:
# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
# Sender restrictions
smtpd_sender_restrictions =
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre
# Recipient restrictions
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777
# Data restrictions
smtpd_data_restrictions = reject_unauth_pipelining
Yeah, but you have an external policy service process running too that also has restrictions; and it’s the external policy that for some reason doesn’t like laptop0, but does like pve. So what is your external service’s configs?
You can use netstat to find out what process is listening on 7777.
As a side note, you should probably have check_policy_service (if you are going to leave it in) (edit: after) reject_unauth_destination.
Edit: “451 Try again later” sounds like a grey list, possibly pve has an address or is on a subnet that is whitelisted and laptop0 is not?
Ok, I checked port 7777 and it's a Python process running /opt/iredapd/iredapd.py.
File here: https://paste.fedoraproject.org/paste/nxKtC-lCSAS17X2E665Pwg
I am guessing that this is iRedMail doing client verification
So that’s definitely a greylist because 451 is a temporary error; like it says, “please try again later.” And you don’t get the error when PVE is the client because you have probably sent mail from that host before. Once the greylist time lapses, you won’t get the error when laptop0 is the client host. There is almost surely a way to tell iRedMail to whitelist laptop0, but Google can help you with that a lot quicker than I can.
Edit:
Quick google: iRedMail :: Recipient address rejected: Policy Rejection, I don’t know how advisable it is for you to turn off your check.
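Added example (not part of the original thread, and not iRedAPD's code): a minimal greylisting decision over the Postfix policy delegation request format that check_policy_service sends, showing why a client seen for the first time gets a 451 while a known or whitelisted one passes. The delay, the addresses and the class and function names are assumptions made for illustration.

```python
# Generic greylisting model for a Postfix check_policy_service backend.
# Illustrative only; iRedAPD's real logic and storage differ.
GREYLIST_DELAY = 300  # seconds a new triplet must wait (assumed value)

def parse_policy_request(raw):
    """Parse name=value lines; a blank line ends the request."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, whitelist=()):
        self.delay = delay
        self.whitelist = set(whitelist)   # client IPs that skip greylisting
        self.first_seen = {}              # triplet -> time first observed

    def decide(self, raw_request, now):
        """Return the policy reply Postfix expects: 'action=...' plus a blank line."""
        req = parse_policy_request(raw_request)
        client = req.get("client_address", "")
        # Only greylist at RCPT stage; say nothing at END-OF-MESSAGE.
        if req.get("protocol_state") != "RCPT" or client in self.whitelist:
            return "action=DUNNO\n\n"
        triplet = (client, req.get("sender", "").lower(),
                   req.get("recipient", "").lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            # Temporary failure: a real MTA queues the mail and retries later.
            return "action=451 4.7.1 Greylisted, please try again later\n\n"
        return "action=DUNNO\n\n"         # defer to the remaining restrictions

def request(client, state="RCPT", sender="cron@example.com",
            recipient="admin@example.com"):
    """Build a constructed sample request (addresses are placeholders)."""
    return (f"request=smtpd_access_policy\nprotocol_state={state}\n"
            f"client_address={client}\nsender={sender}\n"
            f"recipient={recipient}\n\n")

if __name__ == "__main__":
    gl = Greylist(whitelist={"192.0.2.20"})       # constructed "known" host
    for t in (0, 100, 300):                       # new host retries over time
        print(t, gl.decide(request("192.0.2.10"), now=t).strip())
    print("whitelisted", gl.decide(request("192.0.2.20"), now=0).strip())
```

A manual telnet session never retries, which is why an interactive test against a greylisting server keeps showing the temporary rejection until the delay has elapsed.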
Ok, thanks! I found this https://docs.iredmail.org/manage.iredapd.html and I will probably just disable greylisting outright because I won’t be seeing that kind of traffic/spam.