I am having an issue with setting up an alias "support-notify" in Postfix.

Recipient address rejected: Access denied;

I am running Postfix with OpenDKIM, OpenDMARC, Policyd-SPF, and Dovecot on Ubuntu 18.04 LTS.

The map looks like this in /etc/aliases

```
support-notify: user1, user2, user3
```

The user support-notify does not exist, while user1-3 are actual users on the server with a mailbox.

I have included postconf -n below.

```
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 554
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
multi_recipient_bounce_reject_code = 554
mydestination = $myhostname, mail.domain.com, support-mgmt.domain.com, domain.com, localhost.$mydomain, localhost, 10.0.0.0/16
myhostname = mail.domain.com
mynetworks = 127.0.0.0/8 10.25.0.0/16 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_fqdn_reject_code = 554
non_smtpd_milters = unix:private/opendkim, inet:127.0.0.1:8892
readme_directory = no
recipient_delimiter = +
relay_domains_reject_code = 554
relayhost = [smtp.comcast.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, check_policy_service unix:private/policy-spf, reject_rbl_client sbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, permit
smtpd_helo_required = yes
smtpd_milters = unix:private/opendkim, inet:127.0.0.1:8892
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/mailcert.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
```

edit - adding full log from connection to disconnection where x is my public ip and y is my private. Thanks to those who are taking the time to pretty up this post, I do not know how to format things on this site :)

```
Sep 13 20:02:32 support-mgmt postfix/submission/smtpd[7505]: connect from c-x.x.x.x.hsd1.md.comcast.net[x.x.x.x]
Sep 13 20:02:33 support-mgmt policyd-spf[7508]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=x.x.x.x; helo=[y.y.y.y]; envelope-from=user1@domain.com; receiver=<UNKNOWN>
Sep 13 20:02:33 support-mgmt postfix/submission/smtpd[7505]: NOQUEUE: reject: RCPT from c-x.x.x.x.hsd1.md.comcast.net[x.x.x.x]: 554 5.7.1 <support-notify@domain.com>: Recipient address rejected: Access denied; from=<user1@domain.com> to=<support-notify@domain.com> proto=ESMTP helo=<[y.y.y.y]>
Sep 13 20:02:33 support-mgmt postfix/submission/smtpd[7505]: disconnect from c-x.x.x.x.hsd1.md.comcast.net[x.x.x.x] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7
```

  • What is the _complete_ error you get from Postfix? You truncated it. – Michael Hampton Sep 13 '18 at 01:01
  • Michael, I added the full log above bar any information I have redacted such as the domain name and the IPs. – user3884824 Sep 14 '18 at 00:13
  • The error you are getting is descriptive, "554, Recipient address rejected" which is the error code you told postfix to use when it can't verify the recipient in the unknown_local_recipient_reject_code directive. Which is expected since your configuration does not list any virtual_mailbox_domains and virtual_mailbox_maps. – cburn11 Sep 14 '18 at 02:09
  • Thanks for the info cburn11, I am not quite sure how to properly set up virtual mailboxes. – user3884824 Sep 15 '18 at 01:48
  • I didn't type that clearly, and I made a typo when I copied and pasted "unknown_local_recipient_reject_code". Your question made it clear that you were using local mailboxes, but your config includes `unknown_virtual_alias_reject_code = 554` and `unknown_virtual_mailbox_reject_code = 554`. Since you are not using virtual mailboxes, if you remove those two directives, I think you will stop getting the error. – cburn11 Sep 17 '18 at 23:21
  • Hmm, let's give it a go. – user3884824 Sep 18 '18 at 20:47
  • Negative, removing those statements did not impact the deliverability of the test email. – user3884824 Sep 18 '18 at 21:01
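
The log lines quoted in the question can be read mechanically. The following is an added example, not part of the original thread: it pulls the master.cf service name, the reply code and text, and the per-command counters out of the smtpd lines, using the question's own redacted log as sample input (function names are illustrative).

```python
import re

# Sample lines copied from the question (addresses are redacted there as x/y).
SAMPLE_LOG = """\
Sep 13 20:02:32 support-mgmt postfix/submission/smtpd[7505]: connect from c-x.x.x.x.hsd1.md.comcast.net[x.x.x.x]
Sep 13 20:02:33 support-mgmt postfix/submission/smtpd[7505]: NOQUEUE: reject: RCPT from c-x.x.x.x.hsd1.md.comcast.net[x.x.x.x]: 554 5.7.1 <support-notify@domain.com>: Recipient address rejected: Access denied; from=<user1@domain.com> to=<support-notify@domain.com> proto=ESMTP helo=<[y.y.y.y]>
Sep 13 20:02:33 support-mgmt postfix/submission/smtpd[7505]: disconnect from c-x.x.x.x.hsd1.md.comcast.net[x.x.x.x] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7
"""

# "postfix/<service>/smtpd[pid]:" -- the <service> part appears when the
# listener in master.cf sets its own syslog_name (e.g. postfix/submission).
HEAD = re.compile(r"postfix(?:/(?P<service>[\w-]+))?/smtpd\[(?P<pid>\d+)\]: (?P<body>.*)")
REJECT = re.compile(
    r"NOQUEUE: reject: (?P<stage>\w+) from \S+: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"<(?P<rcpt>[^>]*)>: (?P<text>[^;]+);")
COUNTER = re.compile(r"\b([a-z]+)=(\d+)(?:/(\d+))?")


def summarize(log_text):
    """Group smtpd lines by PID: service name, rejects, command counters."""
    sessions = {}
    for line in log_text.splitlines():
        m = HEAD.search(line)
        if not m:
            continue  # not an smtpd line (e.g. policyd-spf)
        s = sessions.setdefault(m["pid"], {
            "service": m["service"] or "smtpd", "rejects": [], "commands": {}})
        body = m["body"]
        r = REJECT.match(body)
        if r:
            s["rejects"].append(r.groupdict())
        elif body.startswith("disconnect from "):
            # Counters read "cmd=accepted/total"; a bare "cmd=n" means all n
            # were accepted. Commands the client never sent are not listed.
            stats = body.split("] ", 1)[1]
            for name, ok, total in COUNTER.findall(stats):
                s["commands"][name] = (int(ok), int(total or ok))
    return sessions


def refused(session):
    """Commands with fewer accepted than sent, e.g. {'rcpt': (0, 1)}."""
    return {c: v for c, v in session["commands"].items()
            if c != "commands" and v[0] < v[1]}
```

Run against the sample, `summarize(SAMPLE_LOG)["7505"]` reports the `submission` service, one 554 5.7.1 reject at the RCPT stage, and a counter set that contains `starttls` but no `auth` entry.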

2 Answers

0

Your /etc/aliases line seems ok, and so does the configuration.

```
alias_maps = hash:/etc/aliases
```

Since it's a hash: i.e. Berkeley DB, have you remembered the command:

```
postalias /etc/aliases
```
Esa Jokinen
  • Anytime I ran postmap it gave me an error stating that /etc/aliases was in the wrong format. – user3884824 Sep 15 '18 at 01:47
  • I always used the postalias /etc/aliases command over the postmap. Is this inaccurate? Should I not utilize alias_maps if I want this functionality? – user3884824 Sep 15 '18 at 15:51
  • Yes, `postalias` is the correct command for this input type. – Esa Jokinen Sep 16 '18 at 05:02
  • If postalias is correct then why isn't this working? Support-notify is not an account on the box itself, and is mapped to 3 users with accounts on the box. – user3884824 Sep 17 '18 at 12:56
0

I decided to blow away my entire postfix configuration and rebuild it to utilize virtual users/domains with mysql as a database.