Relay denied - temporary 454 error

[uk_user]

We have a lot of connections coming into our PMG cluster for domains we do not host the email for, eg clients who have since left but left MX records pointing to us. When remote servers try to send to these domains they are rejected because the domain isn't in our "relay domains" or "transport" settings with log lines such as:

Mar 28 12:24:08 pmg-slave01 postfix/smtpd[236047]: NOQUEUE: reject: RCPT from mx07-00707701.pphosted.com[205.220.184.226]: 454 4.7.1 <hidden@hidden.com>: Relay access denied; from=<> to=<hidden@hidden.com> proto=ESMTP helo=<mx07-00707701.pphosted.com>

Mar 28 12:24:07 pmg-slave03 postfix/smtpd[154700]: NOQUEUE: reject: RCPT from mail-ed1-f71.google.com[209.85.208.71]: 454 4.7.1 <hidden@hidden.com>: Relay access denied; from=<bounces+23855928-ad87-moore.s=hidden.com@em5888.hidden.com> to=<hidden@hidden.com> proto=ESMTP helo=<mail-ed1-f71.google.com>

Is there a reason Postfix is returning a temporary 454 error for attempted deliveries to domains we don't host? Shouldn't this be permenant?

 

[Onslow]

I think so.
As for the reason:
have you got defer_unauth_destination in your Postfix' config, by chance?

"defer_unauth_destination
Reject the same requests as reject_unauth_destination, with a non-permanent error code."

( https://www.postfix.org/postconf.5.html#defer_unauth_destination )

 

[uk_user]

have you got defer_unauth_destination in your Postfix' config, by chance?

Not that I can see:

root@pmg-slave02:/etc/postfix# grep defer_unauth_destination *
grep: postfix-files.d: Is a directory
grep: sasl: Is a directory

These are new installs of v9.0.6 with no customisations to postfix config.

 

[Onslow]

Maybe some parameters are placed in other directory.
I would check the output of [B]postconf[/B] command.
And specifically what settings are in smtpd_recipient_restrictions parameter.

 

[uk_user]

# postconf smtpd_relay_restrictions
smtpd_relay_restrictions = ${{$compatibility_level} <level {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}

# postconf smtpd_recipient_restrictions
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_non_fqdn_recipient check_recipient_access regexp:/etc/postfix/rcptaccess reject_unknown_recipient_domain reject_unverified_recipient

# postconf relay_domains_reject_code
relay_domains_reject_code = 554

 

[Onslow]

# postconf smtpd_relay_restrictions

smtpd_relay_restrictions = ${{$compatibility_level} <level {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}

From the above we can see that defer_unauth_destination is used in smtpd_relay_restrictions

I'm not very experienced with PMG so I'm not sure how to change it in PMG "way", sorry.
P.S. I remember that one should edit some template file (not the raw postfix configs) so that the changes aren't overwritten during updates. Most likely you can find it in the docs or in this forum.

 

[uk_user]

Thanks for your help Onslow.

I think it should be possible to change using the templates feature. I'm curious to see if any staff can let us know why this is the default on new installs?