Whitelisted IP still rejected

northwindit
Posts: 14
Joined: 11 Apr 2016 18:32

Whitelisted IP still rejected

Post by northwindit »

Hello,

Getting the following error in postfix logs even after adding the IP and hostname to the RBL override located at /etc/postfix/rbl_override

NOQUEUE: reject: RCPT from mail.XXXXXX.ru[185.51.158.XX]: 554 5.7.1 <tenders@XXXXX.ru>: Sender address rejected: Access denied; from=<tenders@XXXXXX.ru> to=<derekr@XXXXXX.com>

Kind of at a loss as to where I need to edit to allow this IP to deliver email to our employees.

EDIT: Resolved this on my own
pdwalker
Posts: 1489
Joined: 18 Mar 2015 09:16

Re: Whitelisted IP still rejected

Post by pdwalker »

How did you resolve it? Why was that address being rejected in the first place?
AITCS
Posts: 42
Joined: 13 Mar 2017 11:12

Re: Whitelisted IP still rejected

Post by AITCS »

I'm also getting this with an M365 hosted address and can't work it out. It's being rejected for reason "Access Denied" and is baffling me.
Sender is claiming no issues sending to anyone but our client, so if this is our issue I'll need to get it resolved.
I have whitelisted the email address but they're still getting rejected. They are not in the blacklist nor in any filter files.
Any ideas?

Code:

Jul 28 19:13:08 efa postfix/smtpd[11446]: Anonymous TLS connection established from mail-sy4aus01on2076.outbound.protection.outlook.com[40.107.107.76]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 28 19:13:09 efa postfix/smtpd[11446]: NOQUEUE: reject: RCPT from mail-sy4aus01on2076.outbound.protection.outlook.com[40.107.107.76]: 554 5.7.1 <sender@fake-domain.com>: Sender address rejected: Access denied; from=<sender@fake-domain.com> to=<our-client@own-fake-domain.com> proto=ESMTP helo=<AUS01-SY4-obe.outbound.protection.outlook.com>
Jul 28 19:13:10 efa postfix/smtpd[11446]: disconnect from mail-sy4aus01on2076.outbound.protection.outlook.com[40.107.107.76] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7

Addresses masked for privacy.
pdwalker
Posts: 1489
Joined: 18 Mar 2015 09:16

Re: Whitelisted IP still rejected

Post by pdwalker »

<sender@fake-domain.com>: Sender address rejected: Access denied; from=<sender@fake-domain.com> to=<our-client@own-fake-domain.com>
This is your problem. EFA/postfix is rejecting the message because it does not like the sender address for some reason.

Can you check your /etc/postfix/main.cf smtpd_sender_restrictions restrictions and post your setting here?

(this is probably your problem: https://serverfault.com/questions/40840 ... ess-denied)
AITCS
Posts: 42
Joined: 13 Mar 2017 11:12

Re: Whitelisted IP still rejected

Post by AITCS »

Yep, I'm pretty sure I'm the idiot in this situation and I think there was a malformed regex filter.
I've removed what I suspected was causing it and the client will test tomorrow as it's now out of hours.
If this is successful, I'll pop back in and confirm precisely what happened.
AITCS
Posts: 42
Joined: 13 Mar 2017 11:12

Re: Whitelisted IP still rejected

Post by AITCS »

Finally back and can confirm that it was a malformed RegEx. I'd forgotten to prefix a period with a backslash, so it was including a lot more domains than it should have. I've now resolved it and things are back to normal :dance:

E.g. the regex was /.biz/ but since I don't deal with them often enough, didn't realise this would include any domains that had 'biz' anywhere in it. This has now been modified to /\.biz$/ so it filters out only domains ending in .biz. This client gets absolutely slaughtered with spam from that TLD and analysis showed that they don't get any (useful) emails from that TLD so we're just rejecting them all.
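
The difference between the two patterns described above, as an added example that is not part of the original posts: it parses a constructed sender-access regexp table, lints it for unescaped dots and missing anchors, and shows which constructed sample senders each version rejects. Assumptions: the rule carried a REJECT action, the table is case-insensitive unless the i flag toggles it, and Python's re stands in for the regex engine Postfix uses.

```python
import re

# Constructed one-rule tables: the malformed pattern from the thread and its
# corrected form. The REJECT action is an assumption.
BROKEN_TABLE = "/.biz/ REJECT\n"
FIXED_TABLE = "/\\.biz$/ REJECT\n"
SAMPLES = ["sales@bizcorp.com", "info@showbiz-news.org",   # constructed senders
           "promo@cheap.biz", "x@biz.example.com"]
RULE = re.compile(r"^/(?P<pat>.*)/(?P<flags>[a-z]*)\s+(?P<action>\S.*)$")

def load_table(text):
    """Parse '/pattern/flags action' lines; skip blanks and comments."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        # Matching is case-insensitive unless the 'i' flag toggles it off.
        opts = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((m["pat"], re.compile(m["pat"], opts), m["action"]))
    return rules

def lookup(rules, address):
    """Action of the first rule that matches anywhere in the address, else None."""
    return next((act for _, rx, act in rules if rx.search(address)), None)

def lint(rules):
    """Flag patterns with an unescaped '.' or without a trailing '$' anchor."""
    findings = []
    for pat, _, _ in rules:
        if re.search(r"(?<!\\)\.(?![*+?])", pat):
            findings.append((pat, "unescaped '.' matches any character"))
        if not pat.endswith("$"):
            findings.append((pat, "no '$' anchor, can match mid-address"))
    return findings

def rejected(table):
    """Constructed samples that the given table would reject."""
    rules = load_table(table)
    return [s for s in SAMPLES if lookup(rules, s)]

if __name__ == "__main__":
    for name, table in (("broken", BROKEN_TABLE), ("fixed", FIXED_TABLE)):
        print(name, rejected(table), lint(load_table(table)))
```

On a live system, the equivalent check is to query the real table with postmap -q for a few known-good sender addresses before reloading Postfix.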
pdwalker
Posts: 1489
Joined: 18 Mar 2015 09:16

Re: Whitelisted IP still rejected

Post by pdwalker »

Good to hear you found a solution.

Another way to have handled it would have been to add a .biz handling rule to the spamassassin local.cf to give .biz domains a bump up in spam score.

That way if a message really did come through that was legitimate, you could train the system to recognize it while keeping the spam flagged and the high spam undelivered.

If you block all .biz mail at the postfix level, then you'll never get any real data on whether it's really legit mail or not. (I know, it's probably spam).

In my case, I only reject the most obvious spam at the postfix level (such as mail coming from non existent domains) but spam that is "legit" looking, I'll accept so I can train the bayesian filter to recognize what current spam looks like.
AITCS
Posts: 42
Joined: 13 Mar 2017 11:12

Re: Whitelisted IP still rejected

Post by AITCS »

Yeah, we already had to bump up the fake Gmail score in local.cf as they are the next worst culprit for spam. I wish Google would do something about that. It's all good though... We'll keep filtering out all .biz TLDs until someone makes a complaint. It took about 4 months for someone to realise the regex was malformed, so I don't think they're losing anything valuable at this stage.
pdwalker
Posts: 1489
Joined: 18 Mar 2015 09:16

Re: Whitelisted IP still rejected

Post by pdwalker »

AITCS wrote: 30 Aug 2022 11:45
It took about 4 months for someone to realise the regex was malformed, so I don't think they're losing anything valuable at this stage.
:D