
Sep 19 06:48:49 mx0 postfix/smtpd[17545]: NOQUEUE: reject: RCPT from server1.example.com[10.1.2.137]: 554 5.7.1 <logcheck@server1.example.com>: Sender address rejected: forged mail; from=<logcheck@server1.example.com> to=<etbe@example.com> proto=ESMTP helo=<server1.example.com>
I have two servers with consecutive IP addresses named server0 and server1. They both try to send mail to my mail server; when I have a cron job or swaks send mail, server1's mail is rejected with messages like the above and server0 mail goes through. The forward and reverse DNS entries all look to be good and the SPF entry is also correct.
Does anyone have any suggestions for where to look in Postfix configuration to determine what the problem might be? A Google search didn't turn up any exact matches for the error message and no close matches that were useful.
As an aside it would be really handy if the authors of complex software could make a web site mapping log messages to conditions that cause them.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
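The reject line above as input to an added Python example (not from the thread): it pulls the fields out of smtpd NOQUEUE reject lines and separates the case the thread ends up finding (one of our own hosts arriving from an address outside mynetworks) from the case such an access map is meant to catch (an outside client using a local sender domain). The mynetworks value and the second log line are constructed.

```python
import ipaddress
import re

# Constructed sample lines in the thread's log format: the first is the line
# posted, the second a made-up external client for contrast.
SAMPLE_LOG = """\
Sep 19 06:48:49 mx0 postfix/smtpd[17545]: NOQUEUE: reject: RCPT from server1.example.com[10.1.2.137]: 554 5.7.1 <logcheck@server1.example.com>: Sender address rejected: forged mail; from=<logcheck@server1.example.com> to=<etbe@example.com> proto=ESMTP helo=<server1.example.com>
Sep 19 07:02:11 mx0 postfix/smtpd[17602]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <ceo@example.com>: Sender address rejected: forged mail; from=<ceo@example.com> to=<etbe@example.com> proto=ESMTP helo=<mail.example.com>
"""
MYNETWORKS = ["127.0.0.0/8", "10.1.1.0/24"]  # constructed; not the poster's mx0 setting
LOCAL_DOMAIN = "example.com"

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\S+) <(?P<addr>[^>]*)>: (?P<reason>[^;]+); "
    r"from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>")

def parse_reject(line):
    """Fields of one smtpd NOQUEUE reject line, or None if it is not one."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None

def in_local_domain(name):
    return name == LOCAL_DOMAIN or name.endswith("." + LOCAL_DOMAIN)

def triage(log_text):
    """Sort 'forged mail' rejections into the two cases that need different
    responses: one of our own hosts (by reverse DNS) arriving from an address
    outside mynetworks, versus an outside client using a local sender domain."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if not rec or "forged mail" not in rec["reason"]:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        internal = any(ip in ipaddress.ip_network(n) for n in MYNETWORKS)
        if in_local_domain(rec["client"]) and not internal:
            verdict = "own host outside mynetworks: check its routing"
        elif in_local_domain(rec["from"].rpartition("@")[2]):
            verdict = "outside client using a local sender domain"
        else:
            verdict = "other"
        findings.append((rec["ip"], rec["from"], verdict))
    return findings
```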

Sep 19 06:48:49 mx0 postfix/smtpd[17545]: NOQUEUE: reject: RCPT from server1.example.com[10.1.2.137]: 554 5.7.1 <logcheck@server1.example.com>: Sender address rejected: forged mail; from=<logcheck@server1.example.com> to=<etbe@example.com> proto=ESMTP helo=<server1.example.com>
I have two servers with consecutive IP addresses named server0 and server1. They both try to send mail to my mail server; when I have a cron job or swaks send mail, server1's mail is rejected with messages like the above and server0 mail goes through. The forward and reverse DNS entries all look to be good and the SPF entry is also correct.
Is it doing sender address validation in any way, eg is the address represented by "logcheck@server1.example.com" a valid address, and/or is server1 making that verification correctly?
James

On Fri, 20 Sep 2013, James Harper <james.harper@bendigoit.com.au> wrote:
Is it doing sender address validation in any way, eg is the address represented by "logcheck@server1.example.com" a valid address, and/or is server1 making that verification correctly?
There is sender address validation, and it is a little complex. But it's not the issue in this case as both email addresses will work when sending mail from server0 and neither works when sending from server1. Thanks for the suggestion, I'm really stuck here.
Below is an example of the swaks output from server1. The exact same data when sent from server0 gives a 250 ok response from mx0. I used sed to change the domain to example.com, but apart from that it's all a copy. While there are some other differences between server0 and server1 (Squeeze vs Wheezy) I don't think that they apply as I've verified all the text on "->" lines from Swaks and it's the same.
As an aside for those who don't know of it Swaks is an excellent SMTP test tool, everyone who runs a mail server should know how to use it and have it installed in case of problems.
<- 220 mx0.example.com ESMTP Postfix (Debian/GNU)
-> EHLO example.com
<- 250-mx0.example.com
<- 250-PIPELINING
<- 250-SIZE 51200000
<- 250-VRFY
<- 250-ETRN
<- 250-STARTTLS
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> MAIL FROM:<logcheck@server0.example.com>
<- 250 2.1.0 Ok
-> RCPT TO:<etbe@example.com>
<** 554 5.7.1 <logcheck@server0.example.com>: Sender address rejected: forged mail
-> QUIT
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

On Fri, Sep 20, 2013 at 02:50:55PM +1000, Russell Coker wrote:
<- 220 mx0.example.com ESMTP Postfix (Debian/GNU)
-> EHLO example.com
[...]
<** 554 5.7.1 <logcheck@server0.example.com>: Sender address rejected: forged mail
-> QUIT
some questions that might lead you in the right direction:
does mx0 have server0.example.com in its my_destination?
is there a check_sender_access map in main.cf listing server0.example.com?
is there a check_helo_access map listing example.com? if it does exist, does it come *AFTER* or *BEFORE* permit_mynetworks, permit_tls_clientcerts, and permit_sasl_authenticated? the order of rules is extremely significant in postfix.
e.g. in main.cf I have "check_helo_access hash:/etc/postfix/nolocal,". This comes after the permit_* rules. /etc/postfix/nolocal contains lines like:
taz.net.au 550 forgery of local address rejected.
craig
--
craig sanders <cas@taz.net.au>
BOFH excuse #405: Sysadmins unavailable because they are in a meeting talking about why they are unavailable so much.

On Fri, 20 Sep 2013, Craig Sanders <cas@taz.net.au> wrote:
On Fri, Sep 20, 2013 at 02:50:55PM +1000, Russell Coker wrote:
<- 220 mx0.example.com ESMTP Postfix (Debian/GNU)
-> EHLO example.com
[...] <** 554 5.7.1 <logcheck@server0.example.com>: Sender address rejected: forged mail
-> QUIT
some questions that might lead you in the right direction:
does mx0 have server0.example.com in its my_destination?
is there a check_sender_access map in main.cf listing server0.example.com?
No. "grep server /etc/postfix/*" returns no matches.
is there a check_helo_access map listing example.com? if it does exist, does it come *AFTER* or *BEFORE* permit_mynetworks, permit_tls_clientcerts, and permit_sasl_authenticated? the order of rules is extremely significant in postfix.
smtpd_helo_restrictions = permit_mynetworks,reject_invalid_hostname,reject_unknown_sender_domain, reject_non_fqdn_hostname, reject_unknown_sender_domain
Above is my only helo rule on that system.
Thanks for the suggestions. James Harper's idea is interesting, is there any similar feature of Postfix for debugging these things?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

[UPDATE: I wasn't following the thread so I'm just rambling below.]
Russell Coker <russell@coker.com.au> writes:
No. "grep server /etc/postfix/*" returns no matches.
You should probably paste the whole "postconf -n", which we can then combine with "postconf -d" on our end to see all your config (except for stuff in master.cf, of course).
smtpd_helo_restrictions = permit_mynetworks,reject_invalid_hostname,reject_unknown_sender_domain, reject_non_fqdn_hostname, reject_unknown_sender_domain
Above is my only helo rule on that system.
Note those can all be bypassed unless you also require a HELO.
smtpd_helo_required (default: no)
Freenode #postfix BCP is to have only one *_restrictions, unless you are being exceptionally clever. Namely, smtpd_recipient_restrictions. Earlier checks can be deferred until then.
Also the AUTH stuff should only be on 587, not on 25, so it most likely goes in master.cf, not main.cf.
Also postscreen is super super sexy and you should use it if you can -- I can't, my postfix is slightly too old :-(
James Harper's idea is interesting, is there any similar feature of Postfix for debugging these things?
I use "msmtp -v" for the other end, it's similar to "curl -v" in that you see the full conversation.

On Fri, Sep 20, 2013 at 05:50:09PM +1000, Russell Coker wrote:
No. "grep server /etc/postfix/*" returns no matches.
try:
grep -ir 'forged mail' /etc/postfix
"forged mail" isn't a standard postfix rejection message, so it must be in your configuration.
the word 'forged' appears in the postfix cleanup and smtpd binaries, but not the phrase 'forged mail'
# dpkg -L postfix | xargs -d '\n' grep -i forged
Binary file /usr/lib/postfix/cleanup matches
Binary file /usr/lib/postfix/smtpd matches
# dpkg -L postfix | xargs -d '\n' grep -i 'forged mail'
#
craig
--
craig sanders <cas@taz.net.au>
BOFH excuse #296: The hardware bus needs a new token.

On Fri, 20 Sep 2013, Craig Sanders <cas@taz.net.au> wrote:
grep -ir 'forged mail' /etc/postfix
"forged mail" isn't a standard postfix rejection message, so it must be in your configuration.
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination check_sender_access hash:/etc/postfix/access_sender
Thanks Craig, you've helped me solve that problem. It's in the /etc/postfix/access_sender file which is in the above main.cf line. The sole purpose of the access_sender line is to reject all mail from example.com. It turns out that server1 was routing packets through the wrong interface and thus getting a source IP address that wasn't part of "mynetworks".
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
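An added Python simulation (not Postfix code and not Russell's configuration) of the rule ordering Craig describes and the failure mode Russell found: with permit_mynetworks first, a host of ours whose packets leave from an unexpected source address falls through to check_sender_access and is rejected as forged mail, and putting the access check before permit_mynetworks would reject the correctly routed host too. Assumptions: mynetworks, the two client addresses, the map contents and the check_helo_access entry are constructed, and reject_unauth_destination is left out because it does not apply to a local recipient.

```python
import ipaddress
import re
# Constructed config, not the poster's: mynetworks, an access_sender map
# whose only entry rejects the local domain (as in the thread) and a
# nolocal map in Craig's style for check_helo_access.
MYNETWORKS = ["127.0.0.0/8", "10.1.1.0/24"]
MAPS = {"hash:/etc/postfix/access_sender": {"example.com": "554 5.7.1 forged mail"},
        "hash:/etc/postfix/nolocal": {"example.com": "550 forgery of local address rejected"}}
RESTRICTIONS = ["permit_mynetworks", "check_sender_access hash:/etc/postfix/access_sender",
                "check_helo_access hash:/etc/postfix/nolocal"]

def in_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in MYNETWORKS)

def domain_keys(domain):
    """The domain, then each parent domain: smtpd_access_maps is in
    parent_domain_matches_subdomains by default, so example.com matches server1.example.com."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def lookup(table, keys):
    return next((MAPS[table][k] for k in keys if k in MAPS[table]), None)

def reject_reply(value, subject):
    """Reply Postfix logs for a map value such as '554 5.7.1 forged mail';
    an entry with no enhanced status code gets 4.7.1 or 5.7.1 added."""
    code, _, text = value.partition(" ")
    dsn, _, rest = text.partition(" ")
    if not re.fullmatch(r"\d\.\d+\.\d+", dsn):
        dsn, rest = ("4.7.1" if code[0] == "4" else "5.7.1"), text
    return f"{code} {dsn} {subject}: {rest}"

def evaluate(restrictions, client_ip, sender, helo):
    """First PERMIT or REJECT wins; a rule that does not apply falls through."""
    local, _, sdomain = sender.partition("@")
    for rule in restrictions:
        name, _, table = rule.partition(" ")
        if name == "permit_mynetworks" and in_mynetworks(client_ip):
            return "250 2.1.5 Ok"
        if name == "check_sender_access":
            hit = lookup(table, [sender] + domain_keys(sdomain) + [local + "@"])
            if hit:
                return reject_reply(hit, f"<{sender}>: Sender address rejected")
        if name == "check_helo_access":
            hit = lookup(table, domain_keys(helo))
            if hit:
                return reject_reply(hit, f"<{helo}>: Helo command rejected")
    return "250 2.1.5 Ok"  # end of the list: Postfix permits
```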

-----Original Message-----
From: Russell Coker [mailto:russell@coker.com.au]
Sent: Friday, 20 September 2013 2:51 PM
To: luv-main@luv.asn.au
Cc: James Harper
Subject: Re: strange postfix rejection
On Fri, 20 Sep 2013, James Harper <james.harper@bendigoit.com.au> wrote:
Is it doing sender address validation in any way, eg is the address represented by "logcheck@server1.example.com" a valid address, and/or is server1 making that verification correctly?
There is sender address validation, and it is a little complex. But it's not the issue in this case as both email addresses will work when sending mail from server0 and neither works when sending from server1. Thanks for the suggestion, I'm really stuck here.
I normally use exim, and there is a command line option to simulate an SMTP conversation from a given IP address and it basically logs everything that happens, every rule it traverses, and why it accepted/rejected/deferred/etc at any given point, optionally doing callouts or not (as obviously they interact with the real world so may not be desirable). Does postfix have such a thing?
James
participants (4)
- Craig Sanders
- James Harper
- Russell Coker
- trentbuck@gmail.com