SMTP/Postfix/mail command not working (Debian 9)

I am trying to set up email alerts for cron jobs but I am having trouble sending mail from this one host. I have postfix and bsd-mailx installed but I am unable to send mail.

I tried to telnet host.name 25 and manually type the commands but that is not working. The output of the session is this:

root@laptop0:~# telnet mail0.lab.dblitt99.tk 25
Trying 192.168.0.16...
Connected to mail0.lab.dblitt99.tk.
Escape character is '^]'.
220 mail0.lab.dblitt99.tk ESMTP Postfix
HELO laptop0.lab.dblitt99.tk
250 mail0.lab.dblitt99.tk
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
451 4.7.1 <[email protected]>: Recipient address rejected: Intentional policy rejection, please try again later

I do not understand why this is happening because I can send mail with no problems from another host. That telnet session is this:

root@pve ➜ ~ # telnet mail0.lab.dblitt99.tk 25
Trying 192.168.0.16...
Connected to mail0.lab.dblitt99.tk.
Escape character is '^]'.
220 mail0.lab.dblitt99.tk ESMTP Postfix
HELO laptop0.lab.dblitt99.tk
250 mail0.lab.dblitt99.tk
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: why do you do this to me
why
.
250 2.0.0 Ok: queued as 75024A2AFF

I already checked on my mail host and fail2ban has not blocked the IP.

I am pretty sure that there are no firewall rules blocking this:

root@laptop0:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

What are your smtpd_recipient_restrictions? You can probably find that in /etc/postfix/main.cf or

user@host:~$ postconf smtpd_recipient_restrictions
root@mail0 ➜ ~ # postconf smtpd_recipient_restrictions
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unlisted_recipient check_policy_service inet:127.0.0.1:7777 permit_mynetworks permit_sasl_authenticated reject_unauth_destination

So you have check_policy_service inet:127.0.0.1:7777 in the recipient restrictions. If you remove that restriction, you probably will stop the rejection. But you won’t have the policy check anymore. What are your external policy settings?

These are all the restrictions:

# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

# Sender restrictions
smtpd_sender_restrictions =
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre

# Recipient restrictions
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777

# Data restrictions
smtpd_data_restrictions = reject_unauth_pipelining

Yeah, but you have an external policy service process running too that also has restrictions; and it’s the external policy that for some reason doesn’t like laptop0, but does like pve. So what are your external service’s configs?

You can use netstat to find out what process is listening on 7777.

As a side note, you should probably have check_policy_service (if you are going to leave it in) (edit: after) reject_unauth_destination.

Edit: “451 Try again later” sounds like a grey list; possibly pve has an address or is on a subnet that is whitelisted and laptop0 is not?

Ok, I checked port 7777 and it’s a Python process running /opt/iredapd/iredapd.py.

File here: https://paste.fedoraproject.org/paste/nxKtC-lCSAS17X2E665Pwg

I am guessing that this is iRedMail doing client verification

So that’s definitely a greylist, because 451 is a temporary error; like it says, “please try again later.” And you don’t get the error when PVE is the client because you have probably sent mail from that host before. Once the greylist time lapses, you won’t get the error when laptop0 is the client host. There is almost surely a way to tell iRedMail to whitelist laptop0, but Google can help you with that a lot quicker than I can.

Edit:

Quick Google: iRedMail :: Recipient address rejected: Policy Rejection. I don’t know how advisable it is for you to turn off your check.
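
A generic model of the greylisting behaviour discussed in this thread, written against the name=value request format Postfix sends to a check_policy_service listener. This is an added example, not part of any post and not iRedAPD's code; the delay, the addresses and the whitelist entry are constructed assumptions.

```python
# Added illustration: generic greylisting behind Postfix policy delegation.
# Not iRedAPD's code; the delay, addresses and whitelist are constructed values.
import ipaddress

GREYLIST_DELAY = 900  # assumed: seconds a new triplet must wait before it passes
DEFER = "action=451 4.7.1 Intentional policy rejection, please try again later"
PASS = "action=DUNNO"  # no opinion: Postfix moves on to the next restriction


def parse_request(raw):
    """Parse the name=value lines Postfix sends; an empty line ends the request."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class Greylist:
    def __init__(self, whitelist=()):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.first_seen = {}  # (client, sender, recipient) -> time of first attempt

    def decide(self, raw, now):
        """Return the action line for one policy request received at time `now`."""
        a = parse_request(raw)
        # The same service is also called at END-OF-MESSAGE; greylist only at RCPT.
        if a.get("protocol_state") != "RCPT":
            return PASS
        client = ipaddress.ip_address(a["client_address"])
        if any(client in net for net in self.whitelist):
            return PASS
        triplet = (a["client_address"], a["sender"].lower(), a["recipient"].lower())
        first = self.first_seen.setdefault(triplet, now)
        # A 4xx reply is temporary: a real MTA queues the message and retries later.
        return PASS if now - first >= GREYLIST_DELAY else DEFER


def request(client, sender, recipient, state="RCPT"):
    """Build a constructed policy request in the format Postfix uses."""
    return (f"request=smtpd_access_policy\nprotocol_state={state}\n"
            f"client_address={client}\nsender={sender}\nrecipient={recipient}\n\n")
```

A one-shot telnet test never retries, so a host that is new to the greylist always sees the 451, while a mail client that queues and retries is accepted once the delay has passed.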

Ok, thanks! I found this https://docs.iredmail.org/manage.iredapd.html and I will probably just disable greylisting outright because I won’t be seeing that kind of traffic/spam.