LinuxQuestions.org
Old 05-01-2008, 02:20 AM   #1
i_nomad
Member
 
Registered: Mar 2008
Distribution: RedHatES4
Posts: 144

Rep: Reputation: 15
Postfix-Relay access denied


Can someone help. Mail in from internet and local mail on network works fine but no external mail is able to send out. Error 554: Relay Access Denied.

I have tried investigating this but have not managed to find what the key entry is. (I am not reliant on external entity to relay mail out). I want to use the mail server to send directly onto internet.

main.cf

fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp


myorigin = $mydomain
myhostname = mail.XXX.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, XXX.com, XXX.local
mydomain = XXX.com
mynetworks = 127.0.0.0/8 10.10.0.0/16 10.11.0.0/16 10.12.0.0/16


smtpd_helo_required = yes


smtpd_recipient_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_hostname
    reject_invalid_hostname
    permit
 
Old 05-01-2008, 02:40 AM   #2
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Try making permit_mynetworks the first sender restriction.

If that doesn't work, can you post the output of postconf -n

Rgds
 
Old 05-01-2008, 02:42 AM   #3
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Quote:
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, XXX.com, XXX.local
mydomain = XXX.com
Just as a point of neatness, you don't need both $mydomain and XXX.com in mydestination since they are the same thing
 
Old 05-01-2008, 03:01 AM   #4
i_nomad
Member
 
Registered: Mar 2008
Distribution: RedHatES4
Posts: 144

Original Poster
Rep: Reputation: 15
Sorry the previous output I posted was in my test script..this is the live output where I am having a problem at the moment.

Many thanks for the input

alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
html_directory = no
local_recipient_maps = unix:passwd.byname $alias_maps
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, XXX.com, XXX.local
mydomain = XXX.com
myhostname = mail.XXX.com
mynetworks = 10.10.0.0/16, 127.0.0.0/8, 10.11.0.0/16, 10.12.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
unknown_local_recipient_reject_code = 550
 
Old 05-01-2008, 04:20 AM   #5
i_nomad
Member
 
Registered: Mar 2008
Distribution: RedHatES4
Posts: 144

Original Poster
Rep: Reputation: 15
Hi Billy
As you can see the permit_mynetworks is first. It does not make any difference, relay is still denied

Regards
 
Old 05-01-2008, 04:25 AM   #6
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
And are you sending from a machine on one of 10.10.0.0/16, 127.0.0.0/8, 10.11.0.0/16, 10.12.0.0/16 ?

If so, can you please post the log messages around the attempt.
 
Old 05-01-2008, 04:40 AM   #7
i_nomad
Member
 
Registered: Mar 2008
Distribution: RedHatES4
Posts: 144

Original Poster
Rep: Reputation: 15
Yes I am sending from the internal network out

maillog:
May 1 09:33:58 master[6121]: process 19723 exited, status 0
May 1 09:33:59 imap[19717]: idle for too long, closing connection
May 1 09:34:03 imap[19718]: idle for too long, closing connection
May 1 09:34:08 imap[19720]: idle for too long, closing connection
May 1 09:34:12 imap[19721]: idle for too long, closing connection
May 1 09:34:37 postfix/smtpd[20055]: connect from hostXX-XX-XXX-XX.in-addr.bt.com[XX.XX.XX.XX]
May 1 09:34:37 postfix/smtpd[20055]: NOQUEUE: reject: RCPT from hostXX-XX-XX-XX.in-addr.bt.com[XX.XX.XX.XXX]: 554 <a@a.com>: Relay access denied; from=<AAA@XXX.com> to=<a@a.com> proto=ESMTP helo=<rl001>
May 1 09:34:38 master[6121]: process 20007 exited, status 0
May 1 09:34:38 master[6121]: process 19859 exited, status 0
May 1 09:34:38 master[6121]: process 20006 exited, status 0
May 1 09:34:38 master[6121]: process 19951 exited, status 0
May 1 09:34:38 master[6121]: process 20005 exited, status 0
May 1 09:34:40 postfix/smtpd[20055]: disconnect from hostXX.XX-XXX-XX.in-addr.bt.com[XX.XX.XX.XX]
 
Old 05-01-2008, 05:10 AM   #8
i_nomad
Member
 
Registered: Mar 2008
Distribution: RedHatES4
Posts: 144

Original Poster
Rep: Reputation: 15
OK this is what I am doing.

I have a vpn session into the mailserver. The ipaddress of this server is within the range of mynetworks.

The "local" mail client on the machine I am using to establish the vpn is using outlook express that has the imap and smtp settings set for the domain. The address that is allocated to the "local" ethernet card is not defined within the my networks. I am presuming this is OK?? It would not make sense to me to define this client in the range in mynetworks..

Regards

Last edited by i_nomad; 05-01-2008 at 05:12 AM.
 
Old 05-01-2008, 05:54 AM   #9
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
hard to say since you've cut out the IPs

That would make sense if you are confident that no one who shouldn't can connect from that address if it's private (for example, most firewalls block private ranges coming from public networks) or it's yours and yours alone if it's public

If that isn't the case, why not have the senders authenticate, and permit_sasl_authenticated. See for example http://www.thecabal.org/~devin/postfix/smtp-auth.txt - there are several examples given at http://www.postfix.org/docs.html

Note that if you need to go down this route, you would install saslauth through up2date or yum.


Rgds
 
Old 05-01-2008, 06:27 AM   #10
i_nomad
Member
 
Registered: Mar 2008
Distribution: RedHatES4
Posts: 144

Original Poster
Rep: Reputation: 15
OK in terms of the mail log...

The ip address is a public dsl one..say 85.78.10.2
The mynetworks are referring to the 10.X.X.X networks shown
The vpn client has a 10.x.x.x address but not defined in the my networks

As for SASL authentication I am planning on implementing TLS but at this stage is it a critical issue..do I need this?


Regards
 
Old 05-01-2008, 06:38 AM   #11
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
They're different things

TLS encrypts traffic - can be the authentication process and/or sending/receiving messages.

Authentication means that when a user connects (say to smtp), a username/password is required, and this is authenticated with a user database of some sort (can use pam for example).

I don't quite get your IP comments. What is the IP of May 1 09:34:37 postfix/smtpd[20055]: connect from hostXX-XX-XXX-XX.in-addr.bt.com[XX.XX.XX.XX]? it shouldn't be the public IP of your server, but your explanation isn't all that clear.
 
Old 05-01-2008, 07:15 AM   #12
i_nomad
Member
 
Registered: Mar 2008
Distribution: RedHatES4
Posts: 144

Original Poster
Rep: Reputation: 15
May 1 09:34:37 postfix/smtpd[20055]: connect from host85.78.10.2.in-addr.btopenworld.com[85.78.10.2]
May 1 09:34:37 postfix/smtpd[20055]: NOQUEUE: reject: RCPT from host85.78.10.2.in-addr.btopenworld.com[85.78.10.2]: 554 <a@a.com>: Relay access denied; from=<s@XXX.com> to=<a@a.com> proto=ESMTP helo=<rl21>

OK..I have a DSL connection 85.78.10.2(this is an example)
s@xxx is the user "s" on domain XXX
helo<r121> is the machine establishing helo??

The mail server is in a remote network. The local ip address of the mail server is 10.x.x.x. . This is defined in mynetworks.

The mail client could be anywhere in the world. The smtp and imap are as per domain etc...

Mail is received in but not sent out...relay denied.
 
Old 05-01-2008, 07:45 AM   #13
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Quote:
OK..I have a DSL connection 85.78.10.2(this is an example)
is this at the mailserver end or is it the remote end?
 
Old 05-01-2008, 08:06 AM   #14
i_nomad
Member
 
Registered: Mar 2008
Distribution: RedHatES4
Posts: 144

Original Poster
Rep: Reputation: 15
Mail server is in remote location connected to the internet...not linked to the DSL network. The ip of the mail server is 10.x.x.x

I have a client on a DSL network that I am trying to use to send mail from using the SMTP and IMAP settings to another mail server a@a.com (just an example)

Regards

Last edited by i_nomad; 05-01-2008 at 08:27 AM.
 
Old 05-01-2008, 07:01 PM   #15
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
So, if the IP is yours, you should be able to add it to mynetworks.

I'd still investigate authentication, and since you are doing it over the net, you may want to do it in conjunction with TLS. However, your VPN setup may take care of security concerns (you want to avoid plain text passwords being sent over the net)
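
Added example (not code from any poster in this thread, and not Postfix's own code): a simplified first-match model of smtpd_recipient_restrictions, run against the reject line from post #12 and the mynetworks/mydestination values from post #4. It shows why a client arriving from 85.78.10.2 is refused relay while inbound mail still works, and how the permit_sasl_authenticated rule suggested in post #9 changes the outcome. The address 10.10.5.9 in the usage note is a constructed sample, and the real reject_unauth_destination also consults relay_domains and virtual domains, which are not modelled here.

```python
import ipaddress
import re

# Values from the postconf -n output in post #4 (XXX.com is the poster's redaction).
MYNETWORKS = ["10.10.0.0/16", "127.0.0.0/8", "10.11.0.0/16", "10.12.0.0/16"]
MYDESTINATION = {"mail.xxx.com", "localhost.xxx.com", "localhost", "xxx.com", "xxx.local"}

# Reject line as posted in post #12.
LOG = ("May 1 09:34:37 postfix/smtpd[20055]: NOQUEUE: reject: RCPT from "
       "host85.78.10.2.in-addr.btopenworld.com[85.78.10.2]: 554 <a@a.com>: "
       "Relay access denied; from=<s@XXX.com> to=<a@a.com> proto=ESMTP helo=<rl21>")

REJECT_RE = re.compile(r"reject: RCPT from \S+\[([0-9a-fA-F.:]+)\]: (\d{3}) .*? to=<([^>]*)>")


def parse_reject(line):
    """Return (client_ip, smtp_code, recipient) from an smtpd RCPT reject line."""
    m = REJECT_RE.search(line)
    if m is None:
        raise ValueError("not an smtpd RCPT reject line")
    return m.group(1), int(m.group(2)), m.group(3)


def evaluate(restrictions, client_ip, recipient, sasl_authenticated=False):
    """Walk the restriction list in order; the first rule that decides wins."""
    ip = ipaddress.ip_address(client_ip)
    domain = recipient.rsplit("@", 1)[-1].lower()
    for rule in restrictions:
        if rule == "permit_mynetworks":
            # Matches on the address Postfix sees on the socket, not the sender domain.
            if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS):
                return "permit", rule
        elif rule == "permit_sasl_authenticated":
            if sasl_authenticated:
                return "permit", rule
        elif rule == "reject_unauth_destination":
            # Simplified: only mydestination counts as an authorized destination.
            if domain not in MYDESTINATION:
                return "reject", rule
        else:
            raise ValueError(f"rule not modelled: {rule}")
    return "permit", "end of list"  # nothing matched: the recipient is accepted


LIVE = ["permit_mynetworks", "reject_unauth_destination"]
WITH_SASL = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]

if __name__ == "__main__":
    ip, code, rcpt = parse_reject(LOG)
    print(ip, code, rcpt, evaluate(LIVE, ip, rcpt))
    print(evaluate(WITH_SASL, ip, rcpt, sasl_authenticated=True))
```

Calling `evaluate(LIVE, "10.10.5.9", "a@a.com")` returns a permit from permit_mynetworks, which is what the client would get if its SMTP connection actually arrived over the VPN from an address inside mynetworks.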
 
  

