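Subject: 454 4.7.1 Relay access denied

Is the "required information" no longer needed when posting a question? It did not appear. Are questions to be posted at forum.iredmail.org from now on?
I filled it in manually anyway.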
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Pro-LDAP-3.0
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

The following messages appear in maillog:
mydomain.com does not have the accounts shown below.

 
Nov 21 05:43:46 mail postfix/smtpd[31872]: NOQUEUE: reject: RCPT from hwsrv-201014.hostwindsdns.com[23.254.203.80]: 454 4.7.1 <1029mandaditos@gmail.com>: Relay access denied; from=<cocacola@mydomain.com> to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201014.hostwindsdns.com>
Nov 21 05:44:02 mail postfix/smtpd[31555]: NOQUEUE: reject: RCPT from hwsrv-201014.hostwindsdns.com[23.254.203.80]: 454 4.7.1 <1029mandaditos@gmail.com>: Relay access denied; from=<action@mydomain.com> to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201014.hostwindsdns.com>

On the other server:

Nov 21 05:07:13 mx postfix/smtpd[4678]: NOQUEUE: reject: RCPT from hwsrv-201014.hostwindsdns.com[23.254.203.80]: 454 4.7.1 <1029mandaditos@gmail.com>: Relay access denied; from=<environnement@hinet.net> to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201014.hostwindsdns.com>
Nov 21 05:07:15 mx postfix/smtpd[4678]: NOQUEUE: reject: RCPT from hwsrv-201014.hostwindsdns.com[23.254.203.80]: 454 4.7.1 <1029mandaditos@gmail.com>: Relay access denied; from=<base@hinet.net> to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201014.hostwindsdns.com>

I added the following to fail2ban/filter.d/postfix.iredmail.conf:
reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1 (.*): Relay access denied.*$

reject: RCPT from (.*)\[<HOST>\]: 454 4.7.1
Using:
fail2ban-regex -v /var/log/maillog /etc/fail2ban/filter.d/postfix.iredmail.conf> test.log
Checking test.log shows that it blocks effectively.
Moderator, which of the two above is better? (Currently there is 450 4.7.1 but no 454 4.7.1.)

I tried adding the following to postfix main.cf:
smtpd_client_connection_count_limit = 8

smtpd_client_connection_rate_limit = 12
#anvil_rate_time_unit = 60s                     #default
It seems to have no effect?

Nov 21 05:07:42 mx postfix/smtpd[4714]: warning: Connection rate limit exceeded: 81 from hwsrv-201014.hostwindsdns.com[23.254.203.80] for service smtpd
Nov 21 05:07:42 mx postfix/smtpd[4714]: disconnect from hwsrv-201014.hostwindsdns.com[23.254.203.80]
Nov 21 05:09:04 mx postfix/anvil[4450]: statistics: max connection rate 81/60s for (smtpd:23.254.203.80) at Nov 21 05:07:42
Nov 21 05:09:04 mx postfix/anvil[4450]: statistics: max connection count 2 for (smtpd:23.254.203.80) at Nov 21 04:59:04

I set smtpd_client_connection_rate_limit = 12, yet 81 still appears?

In iRedMail or iRedAdmin-Pro, besides blocking with fail2ban, where else can something be configured for 454 4.7.1 Relay access denied?

Re: 454 4.7.1 Relay access denied

Just use the latest one from iRedMail:
https://bitbucket.org/zhb/iredmail/src/ … dmail.conf

It has been in use for several weeks in an iRedMail load-balanced cluster deployed in production, without a single false block.

Re: 454 4.7.1 Relay access denied

maillog:

Dec 26 06:20:52 mail postfix/smtpd[19316]: NOQUEUE: reject: RCPT from unknown[194.136.193.154]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [194.136.193.154]; from=<announce-bounces@mariadb.org> to=<test@mydomain.com> proto=ESMTP helo=<hasky.askmonty.org>

This 450 4.7.1 Client host rejected: cannot find your reverse hostname

is not caught when using the following:

failregex = \[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed
            lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[<HOST>\]
            reject: RCPT from .*\[<HOST>\]: .*: Relay access denied
            reject: RCPT from .*\[<HOST>\]: .*: Sender address rejected: Domain not found
            reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: Host not found
            reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: need fully-qualified hostname
            reject: RCPT from .*\[<HOST>\]: 554 5.7.1
            reject: RCPT from .*\[<HOST>\]:\d+: 550 5.5.1 Protocol error
            warning: Illegal address syntax from (.*)\[<HOST>\] in RCPT command
            from \[<HOST>\]:.*: EHLO ylmf-pc 

Questions for the moderator:

1). Should the IP in the message above be blocked? Or whitelisted?

My analysis follows.
Regarding the sender announce-bounces@mariadb.org:

#host -t mx mariadb.org
mariadb.org mail is handled by 1 mail.askmonty.org.

#host mail.askmonty.org
mail.askmonty.org has address 173.203.201.185
mail.askmonty.org mail is handled by 1 mail.askmonty.org.

# host hasky.askmonty.org
hasky.askmonty.org has address 194.136.193.154
hasky.askmonty.org mail is handled by 1 hasky.askmonty.org.

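The HELO is hasky.askmonty.org, which differs from mail.askmonty.org, the MX returned for mariadb.org; the two IPs are not the same.

Should 194.136.193.154 hasky.askmonty.org be blocked?
If the mail comes from 173.203.201.185, should it be whitelisted?

2). If it really should be blocked, fail2ban cannot block it.
As the domain administrator, I receive many e-mails like this:
Subject:
"Postfix SMTP server: errors from unknown[194.136.193.154]"

Message body: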

Transcript of session follows.

 Out: 220 mail.mydomain.com ESMTP Postfix
 In:  EHLO hasky.askmonty.org
 Out: 250-mail.mydomain.com
 Out: 250-PIPELINING
 Out: 250-SIZE 104857600
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  STARTTLS
 Out: 220 2.0.0 Ready to start TLS
 In:  EHLO hasky.askmonty.org
 Out: 250-mail.mydomain.com
 Out: 250-PIPELINING
 Out: 250-SIZE 104857600
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM:<announce-bounces@mariadb.org> SIZE=5863 BODY=7BIT
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<test@mydomain.com> ORCPT=rfc822;test@mydomain.com
 Out: 451 4.3.5 Server configuration error
 In:  DATA
 Out: 554 5.5.1 Error: no valid recipients
 In:  RSET
 Out: 250 2.0.0 Ok
 In:  QUIT
 Out: 221 2.0.0 Bye

In the end I switched back to my original settings and added:
            reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
            reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$

Moderator, please help clear this up!

Thanks

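Re: 454 4.7.1 Relay access denied

For this kind of error, caused by a mail server admin not setting up DNS correctly, I personally do not recommend blocking in fail2ban.

For example, "cannot find your reverse hostname": many servers really do have no PTR record, so does that mean the other side is spam? That is not very reasonable. All you can do is keep reminding the other side through the reject message.

Many mail server admins do not understand mail services very well; they set one up, and once it works they leave it alone, and they are not familiar with the related DNS settings either. And some hosting vendors in mainland China simply do not provide or support setting a PTR. It is with this in mind that I did not include them in the fail2ban regex.

Technically, you can block it, because it has already been rejected, and a missing DNS record usually persists for a while, so blocking for a while has no effect either.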

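Re: 454 4.7.1 Relay access denied

To add: for errors related to missing DNS records, some distinction needs to be made.

For example, "cannot find your hostname", "Domain not found" and "Host not found", which depend on the A record, can be judged as spam, because whether you run mail or web, the A record is generally set. PTR, SPF, DKIM, DMARC and the like are optional, not required, so they should not be judged as spam.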
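
The filter behaviour discussed in this thread, as an added example that is not part of any post and is not iRedMail's or fail2ban's own code: it runs a subset of the posted failregex lines against two log lines from the thread and shows that the missing-PTR reject is only caught once the extra pattern is enabled. The `<HOST>` expansion used here is a simplified IPv4-only assumption, and `rules_for` and `banned_host` are hypothetical helper names.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# RCPT-reject patterns quoted in the thread (subset of the posted failregex).
THREAD_FAILREGEX = [
    r"reject: RCPT from .*\[<HOST>\]: .*: Relay access denied",
    r"reject: RCPT from .*\[<HOST>\]: .*: Sender address rejected: Domain not found",
    r"reject: RCPT from .*\[<HOST>\]: .*: Helo command rejected: Host not found",
    r"reject: RCPT from .*\[<HOST>\]: 554 5.7.1",
]
# Pattern the poster added for hosts without a PTR record.
PTR_FAILREGEX = (
    r"reject: RCPT from \S+\[<HOST>\]: 450 4.7.1 Client host rejected: "
    r"cannot find your reverse hostname, (\[\S*\]); from=<\S*> to=<\S+> "
    r"proto=ESMTP helo=<\S*>$"
)

def rules_for(block_missing_ptr=False):
    """Compile the rule set; the default leaves missing-PTR rejects unbanned."""
    patterns = THREAD_FAILREGEX + ([PTR_FAILREGEX] if block_missing_ptr else [])
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]

def banned_host(line, rules):
    """Return the client IP the first matching rule captures, or None."""
    for rule in rules:
        m = rule.search(line)  # unanchored search, so the timestamp is skipped
        if m:
            return m.group("host")
    return None

# Log lines copied from the thread.
RELAY_LINE = ("Nov 21 05:43:46 mail postfix/smtpd[31872]: NOQUEUE: reject: RCPT from "
              "hwsrv-201014.hostwindsdns.com[23.254.203.80]: 454 4.7.1 "
              "<1029mandaditos@gmail.com>: Relay access denied; from=<cocacola@mydomain.com> "
              "to=<1029mandaditos@gmail.com> proto=ESMTP helo=<hwsrv-201014.hostwindsdns.com>")
PTR_LINE = ("Dec 26 06:20:52 mail postfix/smtpd[19316]: NOQUEUE: reject: RCPT from "
            "unknown[194.136.193.154]: 450 4.7.1 Client host rejected: cannot find your "
            "reverse hostname, [194.136.193.154]; from=<announce-bounces@mariadb.org> "
            "to=<test@mydomain.com> proto=ESMTP helo=<hasky.askmonty.org>")

if __name__ == "__main__":
    for name, line in (("relay", RELAY_LINE), ("ptr", PTR_LINE)):
        print(name, banned_host(line, rules_for()),
              banned_host(line, rules_for(block_missing_ptr=True)))
```
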