Postfix: "Relay Access Denied"
Solution 1
Remove reject_unauth_destination from smtpd_client_restrictions.
EDIT
You are using SMTP to send email, so postfix still uses all smtpd_*_restrictions even though you are connecting from 127.0.0.1. These smtpd_*_restrictions are applied in the following order: client, helo, sender, recipient, data, or end-of-data. reject_unauth_destination rejects any mail unless the domain in RCPT TO matches $mydestination or $relay_domains. In your case, when reject_unauth_destination is used in smtpd_client_restrictions, which is checked first, your mail almost immediately (after checking two RBLs) gets rejected because your postfix obviously isn't the final destination for gmail.com, and all rules to allow relaying mail from local or authenticated clients (permit_mynetworks, permit_sasl_authenticated) are skipped because you already got REJECT from smtpd_client_restrictions.
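Added example (not part of either answer and not Postfix code): a small Python model of the evaluation order Solution 1 describes, run against the restriction lists from the question's main.cf. It assumes comma-separated lists and treats RBL lookups and other unmodelled checks as non-matching; the function names are hypothetical.

```python
STAGES = ["client", "helo", "sender", "recipient"]  # order given in the answer
def parse_main_cf(text):
    """Parse main.cf: '#' comment lines, whitespace-led continuations, last value wins."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def rule_action(rule, in_mynetworks, authenticated, rcpt_is_local):
    name = rule.split()[0]
    permits = {"permit": True, "permit_mynetworks": in_mynetworks,
               "permit_sasl_authenticated": authenticated}
    rejects = {"reject": True, "reject_unauth_destination": not rcpt_is_local}
    if permits.get(name):
        return "PERMIT"
    if rejects.get(name):
        return "REJECT"
    return "DUNNO"  # assumption: RBLs, warn_if_reject rules etc. do not match

def decide(params, in_mynetworks, authenticated, rcpt_is_local):
    """Return (verdict, stage, rule) for one RCPT TO, walking the stages in order."""
    for stage in STAGES:
        rules = params.get(f"smtpd_{stage}_restrictions", "")
        for rule in filter(None, (r.strip() for r in rules.split(","))):
            action = rule_action(rule, in_mynetworks, authenticated, rcpt_is_local)
            if action == "REJECT":
                return ("REJECT", stage, rule)  # later stages are never consulted
            if action == "PERMIT":
                break  # this list is satisfied; go on to the next stage
    return ("PERMIT", None, None)

# Restriction lists copied from the question's main.cf (re-wrapped for width).
BROKEN = """\
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl, reject_unauth_destination, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks,
    permit_sasl_authenticated, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, reject_unauth_destination, permit
"""
# Solution 1 applied: reject_unauth_destination removed from the client list only.
FIXED = BROKEN.replace("easynet.nl, reject_unauth_destination,", "easynet.nl,")
for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):  # 127.0.0.1 -> gmail.com
    print(label, decide(parse_main_cf(cfg), True, False, False))
```

Calling `decide(parse_main_cf(FIXED), False, False, False)` models an unauthenticated outside client after the fix: it is still rejected at the recipient stage, so removing the rule from the client list does not open the relay.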
Solution 2
Thank you, I sorted all smtpd_client_restrictions and my configuration works.
This is a configuration that should work:
smtpd_recipient_restrictions =
    check_policy_service unix:/var/spool/postfix/postgrey/socket,
    reject_rbl_client xbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client rbl-plus.mail-abuse.org,
    reject_rbl_client dialups.mail-abuse.org,
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain
Sorting is important.
Eli
Updated on September 18, 2022
Comments
-
Eli over 1 year
I've been following this tutorial: http://flurdy.com/docs/postfix/index.html
For some reason, even after making sure that I set it up correctly, it will not send any mail to external domains. It can still receive from them, but sending results in this:
postfix/smtpd[26338]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<domain.com>
I've got TLS enabled, as well as amavis. Disabling either (or both) doesn't change anything. I can also send to my own domain, and it will arrive correctly.
Here's my /etc/postfix/main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
myorigin = domain.com
masquerade_domains = mail.domain.com
masquerade_exceptions = root

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/postfix/postfix.cert
smtpd_tls_key_file=/etc/postfix/postfix.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = mail.domain.com
mydestination = domain.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8, [::ffff:127.0.0.0]/104, [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks_style = host

local_recipient_maps =
mydestination =
delay_warning_time = 4h
unknown_local_recipient_reject_code = 450
maximum_queue_lifetime = 7d
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
smtp_helo_timeout = 60s
smtpd_recipient_limit = 32
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit_sasl_authenticated, permit
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_unauth_destination, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
content_filter = amavis:[127.0.0.1]:10024

# SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = domain.com
-
mailq over 12 years
And then you have to authenticate by SMTP-AUTH to be able to relay mails.
-
AlexD over 12 years
@mailq could you explain that a little bit more?
-
mailq over 12 years
His log message doesn't match the configuration. If he really sends from 127.0.0.1 there shouldn't be a relay problem as it is allowed by permit_mynetworks. But if he sends from "outside" he must SMTP-AUTH to get past permit_sasl_authenticated.
-
AlexD over 12 years
@mailq I've added more detailed explanation to my answer.