01-19-2012, 06:38 AM
|
#1
|
|
LQ Newbie
Registered: Jul 2011
Distribution: Debian
Posts: 13
Rep: 
|
Postfix: SMTP Relay Access Denied with external auth'd clients
Hi all,
I successfully set up a mail server for my domain yesterday. Everything works fine from within the LAN; clients can connect to the server via IMAP/SMTP and send and receive mail. I've even set up SSL and DNS so I can send and receive mail externally, but this is giving me a problem. I'm receiving 'Relay Access Denied' when I connect with an external client (Thunderbird or Email on my Android phone). All Google seems to tell me is that I've got some kind of restriction in place, but I have Postfix configured to allow SASL authenticated users SMTP access, and I'm logged into the server properly from what I can tell (no SASL auth errors in the mail logs). Postfix is configured to use Dovecot's SASL auth methods, and I'm connecting externally via port 465 using SSL.
My logs look like this every time I try to send mail externally. I should add that I can receive it externally.
Code:
Jan 19 12:23:17 Excalibur postfix/smtpd[20879]: connect from <hostname>[<remote IP>]
Jan 19 12:23:18 Excalibur postfix/smtpd[20879]: NOQUEUE: reject: RCPT from <hostname>[<remote IP>]: 554 5.7.1 <<destination GMail>>: Relay access denied; from=<<domain email>> to=<<destination GMail> proto=ESMTP helo=<<hostname>>
My Postfix main.cf looks like this:
Code:
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = mydomain.co.uk
smtpd_recepient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destrination
smtpd_sasl_security_options = noanonymous
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/QPR/qpr.pem
smtpd_tls_key_file=/etc/ssl/certs/QPR/ca.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = myhostname.mydomain.co.uk
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.co.uk, myinternallan.net, localhost.myinternallan, localhost
relayhost =
mynetworks = 127.0.0.0/8, 192.168.1.0/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 10737418240
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
Have I missed something? Any hints would be greatly appreciated.
Cheers,
Gargravarr
|
|
|
|
01-19-2012, 07:59 AM
|
#2
|
|
Senior Member
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,560
Rep: 
|
first, check your spelling (smtpd_recepient_restrictions). if this typo does not appear in your postfix config, then check to make sure your client is really authenticating. an sasl-authenticated client looks like this:
Code:
Jan 18 23:42:09 host postfix/smtpd[28697]: C18816686A: client=unknown[xxx.xxx.xxx.xxx], sasl_method=PLAIN, sasl_username=user@example.com
as a sidenote, if you use PLAIN authentication, you might consider adding "smtpd_tls_auth_only = yes" (and make the corresponding adjustment to the clients) to prevent anyone from transmitting the password in the clear.
|
|
|
1 members found this post helpful.
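The check suggested above can be automated. The following is an added example, not code from the thread or from the Postfix project: a small main.cf linter that flags parameter names it does not recognise and restriction names that are near-misses of known ones. The lists `KNOWN_PARAMS` and `KNOWN_RESTRICTIONS` and the `SAMPLE` excerpt are constructed for the demo; on a real server the parameter list would be taken from `postconf -d`.

```python
import difflib
import re

# Constructed subset for the demo. On a real host, fill KNOWN_PARAMS with the
# parameter names that `postconf -d` prints (one "name = default" per line).
KNOWN_PARAMS = {
    "smtpd_sasl_auth_enable", "smtpd_sasl_type", "smtpd_sasl_path", "mynetworks",
    "smtpd_recipient_restrictions", "smtpd_tls_auth_only", "mydestination",
}
KNOWN_RESTRICTIONS = {"permit_mynetworks", "permit_sasl_authenticated",
                      "reject_unauth_destination", "permit", "reject"}

# Constructed excerpt modelled on the main.cf posted in this thread.
SAMPLE = """\
smtpd_sasl_auth_enable = yes
smtpd_recepient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,reject_unauth_destrination
mynetworks = 127.0.0.0/8, 192.168.1.0/24
"""

def logical_lines(text):
    """Drop comments and blanks; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def nearest(word, known):
    """Closest known spelling, or None when nothing is similar enough."""
    hits = difflib.get_close_matches(word, sorted(known), n=1, cutoff=0.8)
    return hits[0] if hits else None

def lint(text):
    """Return (kind, found, suggestion) for unknown names and near-miss restrictions."""
    findings = []
    for line in logical_lines(text):
        name, sep, value = (part.strip() for part in line.partition("="))
        if sep and name not in KNOWN_PARAMS:
            findings.append(("param", name, nearest(name, KNOWN_PARAMS)))
        if sep and name.endswith("_restrictions"):
            for tok in filter(None, re.split(r"[,\s]+", value)):
                hint = nearest(tok, KNOWN_RESTRICTIONS)
                if tok not in KNOWN_RESTRICTIONS and hint:
                    findings.append(("restriction", tok, hint))
    return findings
```

Calling `lint(SAMPLE)` reports both the misspelled parameter name and the misspelled restriction inside its value; a suggestion of `None` means the name is simply absent from the known list.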
|
01-19-2012, 08:29 AM
|
#3
|
|
Senior Member
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144
|
I could only point you to some how-to's on SMTP Auth and relaying
- SMTP Authentication with Postfix
- postfix relay
- smtp auth mailservers
good luck, I know a mail server takes a lot of mastering to set up.
Last edited by lithos; 01-19-2012 at 08:34 AM.
|
|
|
|
02-12-2012, 08:29 AM
|
#4
|
|
LQ Newbie
Registered: Jul 2011
Distribution: Debian
Posts: 13
Original Poster
Rep: 
|
Quote:
Originally Posted by Berhanie
first, check your spelling (smtpd_recepient_restrictions). if this typo does not appear in your postfix config, then check to make sure your client is really authenticating. an sasl-authenticated client looks like this:
Code:
Jan 18 23:42:09 host postfix/smtpd[28697]: C18816686A: client=unknown[xxx.xxx.xxx.xxx], sasl_method=PLAIN, sasl_username=user@example.com
as a sidenote, if you use PLAIN authentication, you might consider adding "smtpd_tls_auth_only = yes" (and make the corresponding adjustment to the clients) to prevent anyone from transmitting the password in the clear.
|
*facepalm*
I do not believe this one eluded me for so long. Even though you highlighted it, it didn't immediately register - I thought you were suggesting the correct spelling!
As soon as I put in 'recipient' it worked.
Thanks for your help!
|
|
|
|