Postfix: "Relay Access Denied"

Solution 1

Remove reject_unauth_destination from smtpd_client_restrictions.

EDIT

You are using SMTP to send email, so postfix still uses all smtpd_*_restrictions even though you are connecting from 127.0.0.1. These smtpd_*_restrictions are applied in the following order: client, helo, sender, recipient, data, or end-of-data. reject_unauth_destination rejects any mail unless the domain in RCPT TO matches $mydestination or $relay_domains. In your case, when reject_unauth_destination is used in smtpd_client_restrictions, which is checked first, your mail almost immediately (after checking two RBLs) gets rejected because your postfix obviously isn't the final destination for gmail.com, and all rules to allow relaying mail from local or authenticated clients (permit_mynetworks, permit_sasl_authenticated) are skipped because you have already got a REJECT from smtpd_client_restrictions.
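
The evaluation order described in Solution 1 can be replayed with a small model. This is an added example, not part of the original answers: it walks the question's four restriction lists for a local client sending to gmail.com, before and after the fix, and for an unauthenticated outside client. Assumptions: OWN_DOMAINS stands in for the domains the server accepts mail for, the address 203.0.113.9 is constructed, and RBL, DNS and syntax checks are treated as passing.

```python
import ipaddress

# Restriction lists copied from the main.cf quoted on this page.
QUESTION = {
    "client": "reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, "
              "reject_unauth_destination, permit",
    "helo": "permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit",
    "sender": "permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, "
              "reject_unauth_pipelining, permit_sasl_authenticated, permit",
    "recipient": "reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, "
                 "reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit",
}
# Solution 1: the same lists with reject_unauth_destination removed from the client list.
FIXED = dict(QUESTION, client="reject_rbl_client sbl.spamhaus.org, "
                              "reject_rbl_client blackholes.easynet.nl, permit")
MYNETWORKS = ["127.0.0.0/8", "::1/128"]    # subset of the page's mynetworks
OWN_DOMAINS = {"domain.com", "localhost"}  # assumption: domains this server accepts mail for

def check(item, client_ip, rcpt_domain, authenticated):
    """Return PERMIT, REJECT or DUNNO for one restriction (simplified model)."""
    name = item.split()[0]
    if name == "permit":
        return "PERMIT"
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(client_ip)
        return "PERMIT" if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS) else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "PERMIT" if authenticated else "DUNNO"
    if name == "reject_unauth_destination":
        return "DUNNO" if rcpt_domain in OWN_DOMAINS else "REJECT"
    # warn_if_reject only logs; RBL, DNS and syntax checks are assumed to pass.
    return "DUNNO"

def evaluate(lists, client_ip, rcpt_domain, authenticated=False):
    """Walk the lists in Postfix order; return (action, stage, restriction)."""
    for stage in ("client", "helo", "sender", "recipient"):
        for item in (i.strip() for i in lists[stage].split(",")):
            result = check(item, client_ip, rcpt_domain, authenticated)
            if result == "REJECT":
                return ("REJECT", stage, item)  # a reject in any list is final
            if result == "PERMIT":
                break                           # ends this list only; later lists still run
    return ("PERMIT", None, None)

if __name__ == "__main__":
    for label, lists in (("question", QUESTION), ("fixed", FIXED)):
        print(label, evaluate(lists, "127.0.0.1", "gmail.com"))
    print("fixed, outside client", evaluate(FIXED, "203.0.113.9", "gmail.com"))
```

The last case shows that the fix does not open the relay: an unauthenticated outside client is still stopped by reject_unauth_destination in smtpd_recipient_restrictions.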

Solution 2

Thank you, I sorted all smtpd_client_restrictions and my configuration works.

This is a configuration that should work:

smtpd_recipient_restrictions =
    check_policy_service unix:/var/spool/postfix/postgrey/socket,
    reject_rbl_client xbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client dialups.mail-abuse.org,
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain

Sorting is important.

Eli
Author by

Eli

Updated on September 18, 2022

Comments

  • Eli
    Eli over 1 year

    I've been following this tutorial: http://flurdy.com/docs/postfix/index.html

    For some reason, even after making sure that I set it up correctly, it will not send any mail to external domains. It can still receive from them, but sending results in this:

    postfix/smtpd[26338]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<domain.com>
    

    I've got TLS enabled, as well as amavis. Disabling either (or both) doesn't change anything. I can also send to my own domain, and it will arrive correctly.

    Here's my /etc/postfix/main.cf:

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    myorigin = domain.com
    masquerade_domains = mail.domain.com
    masquerade_exceptions = root
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = no
    
    # TLS parameters
    smtpd_tls_cert_file=/etc/postfix/postfix.cert
    smtpd_tls_key_file=/etc/postfix/postfix.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    smtp_tls_security_level = may
    
    smtpd_tls_security_level = may
    
    smtp_tls_note_starttls_offer = yes
    
    smtpd_tls_loglevel = 3
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = mail.domain.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = mail.domain.com
    mydestination = domain.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8, [::ffff:127.0.0.0]/104, [::1]/128
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    mynetworks_style = host
    
    local_recipient_maps =
    mydestination =
    delay_warning_time = 4h
    unknown_local_recipient_reject_code = 450
    maximum_queue_lifetime = 7d
    minimal_backoff_time = 1000s
    maximal_backoff_time = 8000s
    
    smtp_helo_timeout = 60s
    smtpd_recipient_limit = 32
    smtpd_soft_error_limit = 3
    smtpd_hard_error_limit = 12
    
    smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname,  reject_invalid_hostname, permit
    smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit_sasl_authenticated, permit
    smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_unauth_destination, permit
    smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
    smtpd_data_restrictions = reject_unauth_pipelining
    
    smtpd_helo_required = yes
    smtpd_delay_reject = yes
    disable_vrfy_command = yes
    
    alias_maps = hash:/etc/postfix/aliases
    alias_database = hash:/etc/postfix/aliases
    
    virtual_mailbox_base = /var/spool/mail/virtual
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
    
    virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
    
    virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
    
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    
    content_filter = amavis:[127.0.0.1]:10024
    
    # SASL
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = no
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = domain.com
    
  • mailq
    mailq over 12 years
    And then you have to authenticate by SMTP-AUTH to be able to relay mails.
  • AlexD
    AlexD over 12 years
    @mailq could you explain that a little bit more?
  • mailq
    mailq over 12 years
    His log message doesn't match the configuration. If he really sends from 127.0.0.1 there shouldn't be a relay problem as it is allowed by permit_mynetworks. But if he sends from "outside" he must SMTP-AUTH to get past permit_sasl_authenticated.
  • AlexD
    AlexD over 12 years
    @mailq I've added more detailed explanation to my answer.