Why am I receiving rejected email?

I have these client restrictions set in my postfix 2.2.2-2
main.cf file:

smtpd_client_restrictions =
warn_if_reject check_client_access cidr:/etc/postfix/spam_china_korea.cidr
warn_if_reject check_client_access hash:/etc/postfix/access
warn_if_reject reject_unknown_client
warn_if_reject reject_unknown_hostname
warn_if_reject reject_non_fqdn_hostname
warn_if_reject reject_invalid_hostname
warn_if_reject reject_non_fqdn_sender
warn_if_reject reject_unknown_sender_domain
warn_if_reject reject_non_fqdn_recipient
warn_if_reject reject_unknown_recipient_domain
warn_if_reject reject_unauth_destination
warn_if_reject reject_unauth_pipelining


I just received an email from 219.133.251.247, which is
in my mailbox. Now according to maillog, there was a
reject_warning for this message:

Oct 8 10:36:40 polaris postfix/smtpd[4726]: NOQUEUE: reject_warning: RCPT from unknown[219.133.251.247]: 554 <unknown[219.133.251.247]>: Client host rejected: WE REJECT SPAM FROM ASIA!!!; from=<richardse@hereinreality.com> to=<fred@mydomain.com> proto=SMTP helo=<hereinreality.com>
Oct 8 10:36:40 polaris postfix/smtpd[4726]: NOQUEUE: reject_warning: RCPT from unknown[219.133.251.247]: 554 <unknown[219.133.251.247]>: Client host rejected: "550 WE REJECT SPAM FROM CHINA!!!"; from=<richardse@hereinreality.com> to=<fred@mydomain.com> proto=SMTP helo=<hereinreality.com>
Oct 8 10:36:40 polaris postfix/smtpd[4726]: NOQUEUE: reject_warning: RCPT from unknown[219.133.251.247]: 450 Client host rejected: cannot find your hostname, [219.133.251.247]; from=<richardse@hereinreality.com> to=<fred@mydomain.com> proto=SMTP helo=<hereinreality.com>
Oct 8 10:36:41 polaris postfix/qmgr[1506]: 379804D833C: from=<richardse@hereinreality.com>, size=1416, nrcpt=1 (queue active)


So my newbie questions are:

1. Why was this message still received by me?

2. Why are there 4 entries in the maillog pertaining to this message?


-Thanks

1. warn_if_reject
Change the meaning of the next restriction, so that it logs a warning
instead of rejecting a request (look for logfile records that contain
"reject_warning"). This is useful for testing new restrictions in a "live"
environment without risking unnecessary loss of mail.

2. Because the mail failed three of your many restrictions and was then
delivered.

3. Try to minimize restrictions. Find the restrictions that present the
least false-positives. Blocking entire countries will generate many
false-positives. Using client restrictions will usually generate 4xx errors
which may result in repeat traffic. Using recipient restrictions and placing
criteria that generate 5xx errors first will minimize repeat delivery
attempts. Restrictions such as reject_unknown_sender_domain are not
applicable to client restrictions because postfix hasn't yet received the
smtp mail from. Restriction correspond the smtp sequence.

connect: client restrictions
mail from: sender restrictions
rcpt to: recipient restrictions

http://www.postfix.org/postconf.5.html

Here's the configuration I have found effective:

smtpd_recipient_restrictions=permit_mynetworks reject_unauth_destination
reject_unlisted_recipient reject_unknown_client reject_unknown_sender_domain
reject_unverified_sender

I believe reject_unknown_client to cause the most false positives in my
configuration and reject_unlisted_recipient to cause the least..

On Sat, 08 Oct 2005 12:58:06 -0500, Dom wrote:

> 2. Because the mail failed three of your many restrictions and was then
> delivered.


Thanks for your response. But if the mail failed the restrictions,
then why was it delivered? Is there another setting to tell
postfix NOT to deliver the mail if it fails the restrictions?

-Thanks

On Sat, 08 Oct 2005 12:58:06 -0500, Dom wrote:

> 1. warn_if_reject
> Change the meaning of the next restriction, so that it logs a warning
> instead of rejecting a request (look for logfile records that contain
> "reject_warning"). This is useful for testing new restrictions in a "live"
> environment without risking unnecessary loss of mail.


So is there a way to reject email AND generate a log entry?
It seems to indicate that you can either have a log entry
by adding warn_if_reject, which will still deliver the
message, but if you remove warn_if_reject, you don't see
any log messages for rejected messages.

-Thanks

warn_if_reject logs rejections with actually rejecting

remove warn_if_reject and rejections will be logged and actually rejected

On Sat, 08 Oct 2005 17:09:23 -0500, Dom wrote:

> warn_if_reject logs rejections with actually rejecting
>
> remove warn_if_reject and rejections will be logged and actually rejected


Got it, thanks.

typo

....with actually rejecting

should be

....without actually rejecting

On Sat, 08 Oct 2005 12:58:06 -0500, Dom wrote:

> 2. Because the mail failed three of your many restrictions and was then
> delivered.


Thanks for your answer. Yes, it occurred to me that the
mail failed several restrictions. But as you say, "was
then delivered". If it failed the restrictions, why
was it delivered? What do I need to do to completely
reject the mail that meets these conditions?

-Thanks