Postfix 5.7.1 Relay access denied
Solution 1
The problem is that you are not authenticating via SASL.
You have this set on submission:
-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
The first allows mynetworks (which seems to be only localhost), the second allows only authenticated users. Your log shows you establishing an anonymous TLS connection, but no SASL auth.
I don't see any SASL configuration in your main.cf, you may want to have a look at this.
Solution 2
As NickW said, your configuration only allows you to send mail anonymously from hosts in mynetworks and authenticated from other locations.
So you have two solutions:
- enabling SASL authentication
- adding your public IP to the Postfix mynetworks parameter to allow you to send mail without being authenticated (I don't recommend this solution if you send mail from many locations)
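Both answers turn on two facts about the rejected session: whether the client address is inside mynetworks, and whether the session ever authenticated. The Python sketch below is an added example, not code from the original posts; it reads both facts from mail.log, using the mynetworks value from the question and constructed log lines (documentation addresses, made-up PIDs, queue ID and user names).

```python
import ipaddress
import re

# mynetworks exactly as listed in the question's main.cf
MYNETWORKS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "::ffff:127.0.0.0/104", "::1/128")]
# The tag before "/smtpd[pid]" is the service's syslog_name: "postfix" by default,
# "postfix/submission" for the submission entry in the question's master.cf.
LINE = re.compile(r"(\S+)/smtpd\[(\d+)\]: (.*)")
PEER = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def relay_denials(log_text):
    """Return one record per 'Relay access denied' reject found in log_text."""
    sasl, findings = {}, []          # sasl: (syslog_name, pid) -> "failed" | "ok"
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key, msg = m.group(1, 2), m.group(3)
        if msg.startswith("connect from "):
            sasl.pop(key, None)      # an smtpd process serves many sessions
        elif "SASL" in msg and "authentication failed" in msg:
            sasl[key] = "failed"     # logged as a warning on a bad login
        elif "sasl_username=" in msg:
            sasl[key] = "ok"         # present on client= lines after a good login
        elif "Relay access denied" in msg and PEER.search(msg):
            ip = ipaddress.ip_address(PEER.search(msg).group(1))
            findings.append({
                "service": key[0],
                "client": str(ip),
                "in_mynetworks": any(ip in net for net in MYNETWORKS),
                "sasl": sasl.get(key, "none logged"),
            })
    return findings

# Constructed sample log (documentation addresses; PIDs and names are made up).
SAMPLE_LOG = """\
Nov 14 13:17:24 Test postfix/smtpd[10720]: connect from unknown[203.0.113.49]
Nov 14 13:17:25 Test postfix/smtpd[10720]: Anonymous TLS connection established from unknown[203.0.113.49]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 14 13:17:25 Test postfix/smtpd[10720]: NOQUEUE: reject: RCPT from unknown[203.0.113.49]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<[192.168.0.101]>
Nov 14 13:20:01 Test postfix/smtpd[10731]: connect from unknown[198.51.100.7]
Nov 14 13:20:02 Test postfix/smtpd[10731]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 14 13:20:03 Test postfix/smtpd[10731]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<[192.168.0.101]>
Nov 14 13:25:10 Test postfix/submission/smtpd[10740]: connect from unknown[203.0.113.49]
Nov 14 13:25:11 Test postfix/submission/smtpd[10740]: 3F2A1B4C5D: client=unknown[203.0.113.49], sasl_method=PLAIN, sasl_username=alice
"""

if __name__ == "__main__":
    print(*relay_denials(SAMPLE_LOG), sep="\n")
```

In the first record the service tag is plain postfix rather than postfix/submission, so that session was handled by a master.cf entry other than the one carrying the SASL overrides.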
src091
Updated on September 18, 2022
-
src091 almost 2 years
I know there's a lot of similar questions here but none has helped me.
So I have a Debian 7.0 server with postfix and dovecot working on it with a self-signed certificate. I can send emails to other servers using telnet when I'm connected to a server via SSH but I can't send emails via Thunderbird client with the following error message:
An error occurred while sending mail. The mail server responded:
5.7.1 : Relay access denied. Please check the message recipient [email protected] and try again.
First of all, my ISP blocks port 25 so I'm using port 465 like this:
Here's a part of my master.cf that I've edited on setup:
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
    smtps     inet  n       -       -       -       -       smtpd
Here's my main.cf:
    myhostname = mail.server.com
    myorigin = /etc/mailname
    mydestination = mail.server.com, server.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    smtpd_tls_cert_file=/etc/ssl/certs/mailcert.pem
    smtpd_tls_key_file=/etc/ssl/private/mail.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_protocols = !SSLv2, !SSLv3
    smtpd_tls_security_level = may
    smtp_tls_security_level = may
    smtp_tls_loglevel = 1
    smtpd_tls_loglevel = 1
    local_recipient_maps = proxy:unix:passwd.byname $alias_maps
    inet_protocols = all
Here's my dovecot.conf:
    disable_plaintext_auth = no
    mail_privileged_group = mail
    mail_location = mbox:~/mail:INBOX=/var/mail/%u
    userdb {
      driver = passwd
    }
    passdb {
      args = %s
      driver = pam
    }
    protocols = " imap"
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
    }
    ssl=required
    ssl_cert =< /etc/ssl/certs/mailcert.pem
    ssl_key =< /etc/ssl/private/mail.key
And finally the contents of my mail.log when the error is happening:
    Nov 14 13:17:24 Test postfix/smtpd[10720]: connect from 49-3-134-95.pool.ukrtel.net[95.134.3.49]
    Nov 14 13:17:25 Test postfix/smtpd[10720]: Anonymous TLS connection established from 49-3-134-95.pool.ukrtel.net[95.134.3.49]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Nov 14 13:17:25 Test postfix/smtpd[10720]: NOQUEUE: reject: RCPT from 49-3-134-95.pool.ukrtel.net[95.134.3.49]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.0.101]>
    Nov 14 13:17:30 Test postfix/smtpd[10720]: disconnect from 49-3-134-95.pool.ukrtel.net[95.134.3.49]
What should I do to fix this issue?
================ UPDATE ====================
After reading http://www.postfix.org/SASL_README.html and http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL here are the changes I made:
New master.cf:
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_local_domain=$myhostname
    smtps     inet  n       -       -       -       -       smtpd
Added to main.cf:
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes
Added to dovecot.conf:
auth_mechanisms = plain login
Still no luck, I'm getting exactly the same error when I try to send a letter.
-
NickW over 9 years
Have you restarted postfix and dovecot?
-
src091 over 9 years
@NickW sure, I've restarted them both after making changes to conf files. Both restarted without error messages.
-
NickW over 9 years
Ok, add in these two lines to your master.cf
    -o smtp_sasl_security_options = noanonymous, noplaintext
    -o smtp_sasl_tls_security_options = noanonymous
-
NickW over 9 years
Or main.cf, without the -o
-
sebix over 9 years
Tried connecting on port 587, you have a submission service configured in your master.cf for that purpose. What does the mail.log say about the failed SASL-Login? I can't see any.
-
src091 over 9 years
Thanks, I've read the articles and made some changes but sadly nothing has changed. I've updated my post with what I've done.
-
src091 over 9 years
I'm trying to enable SASL auth with no success so far. Please take a look at my updated post, perhaps you could spot some error there.
-
src091 over 9 years
OK, I've just installed everything from scratch following this tutorial: rosehosting.com/blog/… and it works. Thanks anyway for pointing to the issue.
-
NickW over 9 years
Yeah, sometimes tossing it all and starting again fresh is the best option :)