28/11/13

linux - How to correct Postfix' 'Relay Access Denied'? - Server Fault

Server Fault is a question and answer site for professional system and network administrators. It's 100% free, no registration required.

Tell me more

How to correct Postfix' 'Relay Access Denied'?

This morning, in order to correct a problem with a name mismatch in the security certificate, I followed the recommended steps from How to fix mail server SSL?, but now, when attempting to send an email from a client (in this case the client is Windows Mail), I receive the following error. The rejected e-mail address was 'email@gmail.com'. Subject 'This is a test. ', Account: 'mail.domain.com', Server: 'mail.domain.com', Protocol: SMTP, Server Response: '554 5.7.1 : Relay access denied', Port: 25, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC79 Edit: I can still retrieve emails from this account, and I send emails to other accounts at the same domain. I just can't send emails to recipients outside of our domain. I tried disabling TLS altogether but no dice, I still get the same error. When I check file m a i l . l o g, I see the following.

J u l1 80 8 : 2 4 : 4 1c o m p a n yi m a p d :L O G I N ,u s e r = u s e r _ n a m e @ d o m a i n . c o m ,i p = [ : : f f f f : 1 1 1 . 1 1 1 . 1 1 . 1 1 ] ,p r o t o c o l = I M A P J u l1 80 8 : 2 4 : 4 2c o m p a n yi m a p d :D I S C O N N E C T E D ,u s e r = u s e r _ n a m e @ d o m a i n . c o m ,i p = [ : : f f f f : 1 1 1 . 1 1 1 . 1 1 . 1 1 ] ,h e a d e r s = 0 ,b o d y = 0 ,r c v J u l1 80 8 : 2 5 : 1 9c o m p a n yp o s t f i x / s m t p d [ 2 9 2 8 2 ] :c o n n e c tf r o mc o m p a n y . u n i v e r s i t y . e d u [ 1 1 1 . 1 1 1 . 1 1 . 1 1 ] J u l1 80 8 : 2 5 : 1 9c o m p a n yp o s t f i x / s m t p d [ 2 9 2 8 2 ] :N O Q U E U E :r e j e c t :R C P Tf r o mc o m p a n y . u n i v e r s i t y . e d u [ 1 1 1 . 1 1 1 . 1 1 . 1 1 ] :5 5 45 . 7 . 1 J u l1 80 8 : 2 5 : 1 9c o m p a n yp o s t f i x / s m t p d [ 2 9 2 8 2 ] :d i s c o n n e c tf r o mc o m p a n y . u n i v e r s i t y . e d u [ 1 1 1 . 1 1 1 . 1 1 . 1 1 ] J u l1 80 8 : 2 5 : 2 2c o m p a n yi m a p d :D I S C O N N E C T E D ,u s e r = u s e r _ n a m e @ d o m a i n . c o m ,i p = [ : : f f f f : 1 1 1 . 1 1 1 . 1 1 . 1 1 ] ,h e a d e r s = 1 3 ,b o d y = 1 4 2 5 7 File m a i n . c f looks like this:

# #P o s t f i xM T AM a n a g e rM a i nC o n f i g u r a t i o nF i l e ; # #P l e a s ed oN O Te d i tt h i sf i l em a n u a l l y ; # # #P o s t f i xd i r e c t o r ys e t t i n g s ;T h e s ea r ec r i t i c a lf o rn o r m a lP o s t f i xM T Af u n c t i o n a l l i t y ; # c o m m a n d _ d i r e c t o r y=/ u s r / s b i n d a e m o n _ d i r e c t o r y=/ u s r / l i b / p o s t f i x p r o g r a m _ d i r e c t o r y=/ u s r / l i b / p o s t f i x # #S o m ec o m m o nc o n f i g u r a t i o np a r a m e t e r s ; # i n e t _ i n t e r f a c e s=a l l m y n e t w o r k s=1 2 7 . 0 . 0 . 0 / 8 m y n e t w o r k s _ s t y l e=h o s t m y h o s t n a m e=m a i l . d o m a i n . c o m m y d o m a i n=d o m a i n . c o m m y o r i g i n=$ m y d o m a i n serverfault.com/questions/42519/how-to-correct-postfix-relay-access-denied

1/3

28/11/13

m y o r i g i n=$ m y d o m a i n

linux - How to correct Postfix' 'Relay Access Denied'? - Server Fault

s m t p d _ b a n n e r=$ m y h o s t n a m eE S M T P2 . 4 . 7 . 1( D e b i a n / G N U ) s e t g i d _ g r o u p=p o s t d r o p # #R e c e i v i n gm e s s a g e sp a r a m e t e r s ; # m y d e s t i n a t i o n=l o c a l h o s t ,c o m p a n y a p p e n d _ d o t _ m y d o m a i n=n o to be able to send emails from clients (Thunderbird and Outlook) As a side note, my employer wants a p p e n d _ a t _ m y o r i g i n= y e s and outside it. both from within our local network t r a n s p o r t _ m a p s=m y s q l : / e t c / p o s t f i x / t r a n s p o r t . c f
linux

# # D e l i v e r n g l o c a lm e s s a g e sp a r a m e t e r s ; edited Feb 2i '12 at 20:49 # Peter Mortensen m a i l _ s p o o l _ d i r e c t o r y=/ v a r / s p o o l / m a i l add comment

1,324 4 12 21

postfix

smtp-relay

asked Jul 18 '09 at 14:59 Noah Goodrich 1,254 4 13 15

4 Answers

m a i l b o x _ s i z e _ l i m i t=0 m a i l b o x _ c o m m a n d=p r o c m a i la" $ E X T E N S I O N "

b i f f=n o TLS just enables encryption on the smtp session and doesn't directly affect whether or not Postfix will be a l i a s _ d a t a b a s =h a s h : / e t c / a l i a s e s allowed to relay ae message. The relaying denied message l o c a l _ r e c i p i e n t _ m a p s = occurs because the smtpd_recipient_restrictions rules was not matched. One of those conditions must be fulfilled to allow the message to go through: # #D e l i v e r i n gv i r t u a lm e s s a g e sp a r a m e t e r s ; # s m t p d _ r e c i p i e n t _ r e s t r i c t i o n s= v i r t u a l _ m a i l b o x _ m a p s = m y s q l : / e t c / p o s t f i x / m y s q l _ v i r t . c f p e r m i t _ s a s l _ a u t h e n t i c a t e d v i r t u a l _ u i d _ m a p s = m y s q l : / e t c / p o s t f i x / u i d s . c f c h e c k _ r e c i p i e n t _ a c c e s sh a s h : / e t c / p o s t f i x / f i l t e r e d _ d o m a i n s v i r t u a l _ g i d _ m a p s = m y s q l : / e t c / p o s t f i x / g i d s . c f p e r m i t _ m y n e t w o r k s v i r t u a l _ m a i l b o x _ b a s e = / u s r / l o c a l / v i r t u a l r e j e c t _ u n a u t h _ d e s t i n a t i o n v i r t u a l _ m a p s = m y s q l : / e t c / p o s t f i x / v i r t u a l . c f v i r t u a l _ m a i l b o x _ d o m a i n s = m y s q l : / e t c / p o s t f i x / v i r t u a l _ d o m a i n s . c f To explain those rules: p e r m i t _ s a s l _ a u t h e n t i c a t e d # #S A S L p a r a m t e r s ; permits authenticated senders through SASL. This will be necessary to authenticate users outside of # network which are normally blocked. your s m t p _ u s e _ t l s=y e s s m t p d _ u s e _ t l s = y e s c h e c k _ r e c i p i e n t _ a c c e s s s m t p d _ t l s _ a u t h _ o n l y=y e s s m t p d _ t l s _ l o g l e v e llook = 1in /etc/postfix/filtered_domains for rules based on the recipient address. This will cause postfix to s m t p d _ t l s _ r e c e i v e d _ h e a d e r = name, y e s it is probably just blocking specific domains... Check to see if (Judging by the file name on the file s m t p d _ t l s _ s e s s i o n _ c a c h e _ t i m e o u t=3 6 0 0 s gmail.com is listed in there?) s m t p _ t l s _ C A f i l e = e t c / p o s t f i x / s s l / s m p t d . p e m p e r m i _ m y n e t w o r k s/ s m t p _ t l s _ c e r t _ f i l e=/ e t c / p o s t f i x / s s l / s m p t d . c r t This will permit hosts by= IP/ address that match IP ranges specified in $mynetworks. In the main.cf you s m t p _ t l s _ k e y _ f i l e e t c / p o s t f i x / s s l / s m p t d . k e y posted, $mynetworks was set to 127.0.0.1, so it will only relay emails generated by the server itself. s m t p d _ t l s _ C A f i l e=/ e t c / p o s t f i x / s s l / s m p t d . p e m Based on that configuration, your mail client will need to use SMTP Authentication before being allowed s m t p d _ t l s _ c e r t _ f i l e=/ e t c / p o s t f i x / s s l / s m p t d . c r t to relay messages. I'm not sure what database SASL is using. s m t p d _ t l s _ k e y _ f i l e = / e t c / p o s t f i x / s s l / s m p t d . k e y That is specified in /usr/lib/sasl2/smtpd.conf Presumably it also uses the same database as your virtual mailboxes, so you should be able enable SMTP in your mail client and be all set. s m t p d _ s a s l _ a u t h _ e n a b l eauthentication =y e s
answered Jul 22 '09 at 20:59 s m t p d _ s a s l _ s e c u r i t y _ o p t i o n s=n o a n o n y m o u s Brandon 447 2 4 add comment

s m t p d _ s a s l _ l o c a l _ d o m a i n=

b r o k e n _ s a s l _ a u t h _ c l i e n t s=y e s s m t p d _ s e n d e r _ r e s t r i c t i o n s= p e r m i t _ s a s l _ a u t h e n t i c a t e d p e r m i t _ m y n e t w o r k s s m t p d _ r e c i p i e n t _ r e s t r i c t i o n s= p e r m i t _ s a s l _ a u t h e n t i c a t e d c h e c k _ r e c i p i e n t _ a c c e s sh a s h : / e t c / p o s t f i x / f i l t e r e d _ d o m a i n s s m t p d _ u s e _ t l s = n o p e r m i t _ m y n e t w o r k s r e j e c t _ u n a u t h _ d e s t i n a t i o n You've disabled TLS, so you now need to authorise your local network by adding it to m y n e t w o r k s. For example, m y n e t w o r k s=1 9 2 . 1 6 8 . 1 . 0 / 2 41 2 7 . 0 . 0 . 0 / 8 This will fix sending from your local network only. For sending email from outside your local network, you'll need to get TLS authentication working. serverfault.com/questions/42519/how-to-correct-postfix-relay-access-denied

2/3

28/11/13

linux - How to correct Postfix' 'Relay Access Denied'? - Server Fault you'll need to get TLS authentication working.
edited Feb 2 '12 at 20:49 Peter Mortensen 1,324 4 12 21 answered Jul 18 '09 at 15:47 pgs 2,311 8 16

I've set smtpd_use_tls = yes because we have to be able to send email from outside the network. However, the problem persists. Noah Goodrich Jul 18 '09 at 15:50 Bump smtpd_tls_loglevel up to 3 and see if anything interesting shows up in the logs (and remember to drop it back down to 1 or 0 when you're finished). pgs Jul 18 '09 at 16:16 Also, try setting smtp_use_tls to no (for sending external email). See postfix.org/postconf.5.html#smtp_use_tls pgs Jul 18 '09 at 16:22 -1 because not everyone can disable tls. jgifford25 Oct 30 '11 at 23:02

I'm not saying that he should disable tls; I'm saying that since he has already disabled it he then needs to setup mynetworks. And that the full solution is to get tls working again. pgs Nov 7 '11 at 3:17

add comment

I think you miss you domain.com in mydestination, because the default relay_domains=$mydestination, so you you can append you configuration the line: mydestinations = $mydomain, $myhostname, localhost, localhost.localdomain or: relay_domains = $mydomain Dont forget to restart the postfix sever (service postfix restart) every time you edit postfix conf file
edited Sep 3 '12 at 12:30 Community 1 answered Nov 20 '09 at 16:54 Dzung Nguyen

+ 1 for adding "localhost, localhost.localdomain" to the list of hosts (often a problem on some systems, not clear why it's not an issue on others though) Iain Collins May 23 '11 at 4:40 add comment

I had the same issue in Outlook (with dovecote and postfix backend) and I spent two days looking for solution and tweaking my config files. All I needed to do was check "Server requires authentication" in the Outgoing tab in mail settings in outlook and my messages are now sent to gmail. See detailed instruction on how to find the setting here http://support.bluetie.com/node/440.
answered May 10 at 22:29 Dee 111 1 add comment

Not the answer you're looking for? Browse other questions tagged linux postfix
smtp-relay or ask your own question.

serverfault.com/questions/42519/how-to-correct-postfix-relay-access-denied

3/3