Postfix 5.7.1 Relay access denied

Solution 1

The problem is that you are not authenticating via SASL.

You have this set on submission:

-o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

The first allows mynetworks (which seems to be only localhost), the second allows only authenticated users. Your log shows you establishing an anonymous TLS connection, but no SASL auth.

I don't see any SASL configuration in your main.cf, you may want to have a look at this.
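
Added example (not part of the original answers): a small Python triage script for the log check described above, run on constructed log lines whose hosts, addresses and second session are made up. Besides SASL activity it reports the service tag, which reads `postfix/submission/smtpd` only when the session went through the `submission` entry with `syslog_name=postfix/submission` from the master.cf on this page.

```python
import re

# Constructed sample in Postfix syslog format; hosts and addresses are placeholders.
SAMPLE_LOG = """\
Nov 14 13:17:24 Test postfix/smtpd[10720]: connect from client.example.net[203.0.113.49]
Nov 14 13:17:25 Test postfix/smtpd[10720]: Anonymous TLS connection established from client.example.net[203.0.113.49]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 14 13:17:25 Test postfix/smtpd[10720]: NOQUEUE: reject: RCPT from client.example.net[203.0.113.49]: 554 5.7.1 <bob@example.org>: Relay access denied; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<[192.168.0.101]>
Nov 14 13:17:30 Test postfix/smtpd[10720]: disconnect from client.example.net[203.0.113.49]
Nov 14 13:20:01 Test postfix/submission/smtpd[10731]: connect from client.example.net[203.0.113.49]
Nov 14 13:20:02 Test postfix/submission/smtpd[10731]: warning: client.example.net[203.0.113.49]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 14 13:20:02 Test postfix/submission/smtpd[10731]: NOQUEUE: reject: RCPT from client.example.net[203.0.113.49]: 554 5.7.1 <client.example.net[203.0.113.49]>: Client host rejected: Access denied; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<[192.168.0.101]>
Nov 14 13:20:05 Test postfix/submission/smtpd[10731]: disconnect from client.example.net[203.0.113.49]
"""

# "postfix/smtpd" or, with -o syslog_name=postfix/submission, "postfix/submission/smtpd".
LINE = re.compile(r"\s(?P<svc>postfix(?:/[\w-]+)*/smtpd)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REJECT = re.compile(r"NOQUEUE: reject: RCPT from \S+: \d{3} [\d.]+ <[^>]*>: (?P<reason>[^;]+);")
SASL_FAIL = re.compile(r"SASL \S+ authentication failed")
SASL_USER = re.compile(r"sasl_username=([^\s,]+)")


def diagnose(log_text):
    """Return (service, reject reason, auth state) for every rejected RCPT."""
    sessions = {}   # smtpd pid -> state of the connection it currently serves
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from") or pid not in sessions:
            sessions[pid] = {"failed": False, "user": None}  # pids are reused
        state = sessions[pid]
        if SASL_FAIL.search(msg):
            state["failed"] = True
        user = SASL_USER.search(msg)
        if user:
            state["user"] = user.group(1)
        rej = REJECT.search(msg)
        if rej:
            auth = ("authenticated" if state["user"]
                    else "auth-failed" if state["failed"] else "no-auth-logged")
            findings.append((m["svc"], rej["reason"].strip(), auth))
    return findings


if __name__ == "__main__":
    for svc, reason, auth in diagnose(SAMPLE_LOG):
        print(f"{svc}: {reason} ({auth})")
```

`no-auth-logged` means the session shows neither a SASL failure warning nor a `sasl_username`, which is the pattern in the question's mail.log.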

Solution 2

As NickW said, your configuration only allows you to send mail anonymously from hosts in mynetworks and authenticated from other locations.

So you have two solutions:

  • enabling SASL authentication
  • adding your public IP to the Postfix mynetworks parameter to allow you to send mail without being authenticated (I don't recommend this solution if you send mail from many locations)

Author: src091

Updated on September 18, 2022

Comments

  • src091 almost 2 years

    I know there are a lot of similar questions here but none has helped me.
    So I have a Debian 7.0 server with postfix and dovecot working on it with a self-signed certificate. I can send emails to other servers using telnet when I'm connected to a server via SSH but I can't send emails via Thunderbird client with the following error message:

    An error occurred while sending mail. The mail server responded:
    5.7.1 : Relay access denied. Please check the message recipient [email protected] and try again.

    First of all, my ISP blocks port 25 so I'm using port 465 like this:
    [image not preserved]

    Here's a part of my master.cf that I've edited on setup:

    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       -       -       -       smtpd
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
    
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
    
    smtps     inet  n       -       -       -       -       smtpd
    

    Here's my main.cf:

    myhostname = mail.server.com
    myorigin = /etc/mailname
    mydestination = mail.server.com, server.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    
    smtpd_tls_cert_file=/etc/ssl/certs/mailcert.pem
    smtpd_tls_key_file=/etc/ssl/private/mail.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_protocols = !SSLv2, !SSLv3
    
    smtpd_tls_security_level = may
    smtp_tls_security_level = may
    smtp_tls_loglevel = 1
    smtpd_tls_loglevel = 1
    
    local_recipient_maps = proxy:unix:passwd.byname $alias_maps
    
    inet_protocols = all
    

    Here's my dovecot.conf:

    disable_plaintext_auth = no
    mail_privileged_group = mail
    mail_location = mbox:~/mail:INBOX=/var/mail/%u
    userdb {
      driver = passwd
    }
    passdb {
      args = %s
      driver = pam
    }
    protocols = " imap"
    
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
    }
    
    ssl=required
    ssl_cert =< /etc/ssl/certs/mailcert.pem
    ssl_key =< /etc/ssl/private/mail.key
    

    And finally the contents of my mail.log when the error is happening:

    Nov 14 13:17:24 Test postfix/smtpd[10720]: connect from 49-3-134-95.pool.ukrtel.net[95.134.3.49]
    Nov 14 13:17:25 Test postfix/smtpd[10720]: Anonymous TLS connection established from 49-3-134-95.pool.ukrtel.net[95.134.3.49]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Nov 14 13:17:25 Test postfix/smtpd[10720]: NOQUEUE: reject: RCPT from 49-3-134-95.pool.ukrtel.net[95.134.3.49]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.0.101]>
    Nov 14 13:17:30 Test postfix/smtpd[10720]: disconnect from 49-3-134-95.pool.ukrtel.net[95.134.3.49]
    

    What should I do to fix this issue?

    ================ UPDATE ====================

    After reading http://www.postfix.org/SASL_README.html and http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL here are the changes I made:

    New master.cf:

    submission inet n       -       -       -       -       smtpd
          -o syslog_name=postfix/submission
          -o smtpd_tls_security_level=encrypt
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
          -o milter_macro_daemon_name=ORIGINATING
          -o smtpd_sasl_type=dovecot
          -o smtpd_sasl_path=private/auth
          -o smtpd_sasl_local_domain=$myhostname
    
        smtps     inet  n       -       -       -       -       smtpd
    

    Added to main.cf:

    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_auth_enable = yes
    

    Added to dovecot.conf:

    auth_mechanisms = plain login
    

    Still no luck, I'm getting exactly the same error when I try to send a letter.

    • NickW over 9 years
      Have you restarted postfix and dovecot?
    • src091 over 9 years
      @NickW sure, I've restarted them both after making changes to conf files. Both restarted without error messages.
    • NickW over 9 years
      Ok, add in these two lines to your master.cf -o smtp_sasl_security_options = noanonymous, noplaintext -o smtp_sasl_tls_security_options = noanonymous
    • NickW over 9 years
      Or main.cf, without the -o
    • sebix over 9 years
      Tried connecting on port 587, you have a submission service configured in your master.cf for that purpose. What does the mail.log say about the failed SASL-Login? I can't see any.
  • src091 over 9 years
    Thanks, I've read the articles and made some changes but sadly nothing has changed. I've updated my post with what I've done.
  • src091 over 9 years
    I'm trying to enable SASL auth with no success so far. Please take a look at my updated post, perhaps you could spot some error there.
  • src091 over 9 years
    OK, I've just installed everything from scratch following this tutorial: rosehosting.com/blog/… and it works. Thanks anyway for pointing to the issue.
  • NickW over 9 years
    Yeah, sometimes tossing it all and starting again fresh is the best option :)