All,
At home I run an Ubuntu 14.04 server with a postfix/dovecot installation on it. Everything works as it should, but several times a day I see the following in mail.log:
code:
Jul 11 12:41:24 www postfix/smtpd[17940]: NOQUEUE: reject: RCPT from 203-113-206-105-static.TCS.netspace.net.au[203.113.206.105]: 554 5.7.1 <mike24@outlook.it>: Relay access denied; from=<joe@535790D4.cm-6-8c.dynamic.ziggo.nl> to=<mike24@outlook.it> proto=ESMTP helo=<souzhaqiri>
That 'mike24@outlook.it' is always in it, and this message appears about 50 times a day in the log.
I would like to be able to prevent this.
I have now created a blacklist/whitelist following the instructions from this site, but that makes no difference.
The contents of client_checks (I gave server_checks the same contents):
code:
# This file must be "compiled" with "postmap"

# Using a domain name
#example.tld REJECT Spam not tolerated here

# Maybe example2.tld is on a DNSbl, but we want to let their
# email in anyway.
#example2.tld OK

# We get lots of spam from example3.tld, but we have somebody
# there from which we do want to hear
#someuser@example3.tld OK
#example3.tld REJECT

41.21.178.0/24 REJECT Spam not tolerated here
203.231.35.0/24 REJECT Spam not tolerated here
196.46.142.0/24 REJECT Spam not tolerated here
203.113.206.0/24 REJECT Spam not tolerated here
212.54.42.0/24 REJECT Spam not tolerated here
mike24@outlook.it REJECT Spam not tolerated here

The contents of my main.cf:
code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# The first text sent to a connecting process.
smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no

# SASL parameters
# ---------------------------------

# Use Dovecot to authenticate.
smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes

# TLS parameters
# ---------------------------------

# Replace this with your SSL certificate path if you are using one.
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
# The snakeoil self-signed certificate has no need for a CA file. But
# if you are using your own SSL certificate, then you probably have
# a CA certificate bundle from your provider. The path to that goes
# here.
#smtpd_tls_CAfile=/path/to/ca/file
smtpd_use_tls=yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

# SMTPD parameters
# ---------------------------------

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# will it be a permanent error or temporary
unknown_local_recipient_reject_code = 450
# how long to keep message on queue before return as failed.
# some have 3 days, I have 16 days as I am backup server for some people
# whom go on holiday with their server switched off.
maximal_queue_lifetime = 7d
# max and min time in seconds between retries if connection failed
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
# how long to wait when servers connect before receiving rest of data
smtp_helo_timeout = 60s
# how many address can be used in one message.
# effective stopper to mass spammers, accidental copy in whole address list
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16
# how many error before back off.
smtpd_soft_error_limit = 3
# how many max errors before blocking it.
smtpd_hard_error_limit = 12

# This next set are important for determining who can send mail and relay mail
# to other servers. It is very important to get this right - accidentally producing
# an open relay that allows unauthenticated sending of mail is a Very Bad Thing.
#
# You are encouraged to read up on what exactly each of these options accomplish.

# Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject, reject_non_fqdn_hostname, reject_invalid_hostname, permit
# Requirements for the sender details
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
# Requirements for the connecting server
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
# Requirement for the recipient address. Note that the entry for
# "check_policy_service inet:127.0.0.1:10023" enables Postgrey.
smtpd_recipient_restrictions = reject_unauth_pipelining permit_mynetworks permit_sasl_authenticated reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unauth_destination check_policy_service inet:127.0.0.1:10023, check_client_access hash:/etc/postfix/client_checks, check_sender_access hash:/etc/postfix/sender_checks, permit
smtpd_data_restrictions = reject_unauth_pipelining
# This is a new option as of Postfix 2.10, and is required in addition to
# smtpd_recipient_restrictions for things to work properly in this setup.
#smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit

# require proper helo at connections
smtpd_helo_required = yes
# waste spammers time before rejecting them
smtpd_delay_reject = yes
disable_vrfy_command = yes

# General host and delivery info
# ----------------------------------

myhostname = mail.mijndomein.nl
myorigin = /etc/hostname
# Some people see issues when setting mydestination explicitly to the server
# subdomain, while leaving it empty generally doesn't hurt. So it is left empty here.
# mydestination = mail.example.com, localhost
mydestination =localhost
# If you have a separate web server that sends outgoing mail through this
# mailserver, you may want to add its IP address to the space-delimited list in
# mynetworks, e.g. as 111.222.333.444/32.
mynetworks = 192.168.0.0/32 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
mynetworks_style = host
inet_protocols = ipv4

# This specifies where the virtual mailbox folders will be located.
virtual_mailbox_base = /var/vmail
# This is for the mailbox location for each user. The domainaliases
# map allows us to make use of Postfix Admin's domain alias feature.
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
# and their user id
virtual_uid_maps = static:150
# and group id
virtual_gid_maps = static:8
# This is for aliases. The domainaliases map allows us to make
# use of Postfix Admin's domain alias feature.
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
# This is for domain lookups.
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf

# Integration with other packages
# ---------------------------------------

# Tell postfix to hand off mail to the definition for dovecot in master.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

# Use amavis for virus and spam scanning
content_filter = amavis:[127.0.0.1]:10024

# Header manipulation
# --------------------------------------

# Getting rid of unwanted headers. See: https://posluns.com/guides/header-removal/
header_checks = regexp:/etc/postfix/header_checks
# getting rid of x-original-to
enable_original_recipient = no
relayhost = smtp.mijnrelay.nl
smtpd_relay_restrictions = reject_unauth_pipelining permit_mynetworks permit_sasl_authenticated reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unauth_destination check_policy_service unix:private/policy-spf permit
alias_maps = hash:/etc/aliases
policy-spf_time_limit = 3600s
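
An added example, not part of the original post: a simplified Python model of the lookup keys Postfix tries for check_client_access in an indexed (hash:) table, as described in access(5), applied to the reject line and the client_checks entries quoted above. The function names are hypothetical; the model shows that none of the generated keys equals a CIDR entry such as 203.113.206.0/24 or the recipient address.

```python
import re

# Active (uncommented) keys from the client_checks table quoted in the post.
CLIENT_CHECKS = {
    "41.21.178.0/24", "203.231.35.0/24", "196.46.142.0/24",
    "203.113.206.0/24", "212.54.42.0/24", "mike24@outlook.it",
}

# The reject line quoted in the post.
LOG_LINE = ('Jul 11 12:41:24 www postfix/smtpd[17940]: NOQUEUE: reject: RCPT from '
            '203-113-206-105-static.TCS.netspace.net.au[203.113.206.105]: 554 5.7.1 '
            '<mike24@outlook.it>: Relay access denied; '
            'from=<joe@535790D4.cm-6-8c.dynamic.ziggo.nl> to=<mike24@outlook.it> '
            'proto=ESMTP helo=<souzhaqiri>')

CLIENT_RE = re.compile(r"RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[0-9.]+)\]")

def parse_client(line):
    """Return (hostname, ip) of the connecting client from an smtpd reject line."""
    m = CLIENT_RE.search(line)
    if m is None:
        raise ValueError("not an smtpd RCPT reject line")
    return m.group("host").lower(), m.group("ip")

def client_lookup_keys(host, ip):
    """Keys tried for a client access lookup in an indexed table: hostname,
    parent domains, the IPv4 address, then the address with trailing octets
    stripped. Simplified model of access(5), not Postfix code."""
    keys = []
    if host != "unknown":  # Postfix logs "unknown" when there is no verified name
        labels = host.split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys

def matching_keys(table, line):
    """Table keys that a client access lookup for this log line would hit."""
    host, ip = parse_client(line)
    return [k for k in client_lookup_keys(host, ip) if k in table]

if __name__ == "__main__":
    print(client_lookup_keys(*parse_client(LOG_LINE)))
    print("matches:", matching_keys(CLIENT_CHECKS, LOG_LINE))
```

In an indexed table a subnet is written as the truncated address (203.113.206); network/netmask patterns such as 203.113.206.0/24 are only interpreted by the cidr: table type.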