LinuxQuestions.org

-   -   Postfix-Relay access denied (https://www.linuxquestions.org/questions/linux-newbie-8/postfix-relay-access-denied-639053/)

i_nomad 05-01-2008 01:20 AM

Postfix-Relay access denied
 
Can someone help? Mail in from the internet and local mail on the network work fine, but no external mail is able to go out. Error 554: Relay Access Denied.

I have tried investigating this but have not managed to find what the key entry is. (I am not reliant on an external entity to relay mail out.) I want to use the mail server to send directly onto the internet.

main.cf

fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp


myorigin = $mydomain
myhostname = mail.XXX.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, XXX.com, XXX.local
mydomain = XXX.com
mynetworks = 127.0.0.0/8 10.10.0.0/16 10.11.0.0/16 10.12.0.0/16


smtpd_helo_required = yes


smtpd_recipient_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_hostname
    reject_invalid_hostname
    permit

billymayday 05-01-2008 01:40 AM

Try making permit_mynetworks the first sender restriction.

If that doesn't work, can you post the output of postconf -n

Rgds

billymayday 05-01-2008 01:42 AM

Quote:

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, XXX.com, XXX.local
mydomain = XXX.com
Just as a point of neatness, you don't need both $mydomain and XXX.com in mydestination since they are the same thing

i_nomad 05-01-2008 02:01 AM

Sorry, the previous output I posted was from my test script. This is the live output where I am having a problem at the moment.

Many thanks for the input

alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
html_directory = no
local_recipient_maps = unix:passwd.byname $alias_maps
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, XXX.com, XXX.local
mydomain = XXX.com
myhostname = mail.XXX.com
mynetworks = 10.10.0.0/16, 127.0.0.0/8, 10.11.0.0/16, 10.12.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
unknown_local_recipient_reject_code = 550

i_nomad 05-01-2008 03:20 AM

Hi Billy
As you can see the permit_mynetworks is first. It does not make any difference, relay is still denied

Regards

billymayday 05-01-2008 03:25 AM

And are you sending from a machine on one of 10.10.0.0/16, 127.0.0.0/8, 10.11.0.0/16, 10.12.0.0/16 ?

If so, can you please post the log messages around the attempt.

i_nomad 05-01-2008 03:40 AM

Yes I am sending from the internal network out

maillog:
May 1 09:33:58 master[6121]: process 19723 exited, status 0
May 1 09:33:59 imap[19717]: idle for too long, closing connection
May 1 09:34:03 imap[19718]: idle for too long, closing connection
May 1 09:34:08 imap[19720]: idle for too long, closing connection
May 1 09:34:12 imap[19721]: idle for too long, closing connection
May 1 09:34:37 postfix/smtpd[20055]: connect from hostXX-XX-XXX-XX.in-addr.bt.com[XX.XX.XX.XX]
May 1 09:34:37 postfix/smtpd[20055]: NOQUEUE: reject: RCPT from hostXX-XX-XX-XX.in-addr.bt.com[XX.XX.XX.XXX]: 554 <a@a.com>: Relay access denied; from=<AAA@XXX.com> to=<a@a.com> proto=ESMTP helo=<rl001>
May 1 09:34:38 master[6121]: process 20007 exited, status 0
May 1 09:34:38 master[6121]: process 19859 exited, status 0
May 1 09:34:38 master[6121]: process 20006 exited, status 0
May 1 09:34:38 master[6121]: process 19951 exited, status 0
May 1 09:34:38 master[6121]: process 20005 exited, status 0
May 1 09:34:40 postfix/smtpd[20055]: disconnect from hostXX.XX-XXX-XX.in-addr.bt.com[XX.XX.XX.XX]

i_nomad 05-01-2008 04:10 AM

OK this is what I am doing.

I have a vpn session into the mailserver. The ipaddress of this server is within the range of mynetworks.

The "local" mail client on the machine I am using to establish the VPN is Outlook Express, with the IMAP and SMTP settings set for the domain. The address that is allocated to the "local" ethernet card is not defined within mynetworks. I am presuming this is OK?? It would not make sense to me to define this client in the range in mynetworks.

Regards

billymayday 05-01-2008 04:54 AM

hard to say since you've cut out the IPs

That would make sense if you are confident that no one who shouldn't can connect from that address: if it's private (for example, most firewalls block private ranges coming from public networks), or, if it's public, that it's yours and yours alone.

If that isn't the case, why not have the senders authenticate, and permit_sasl_authenticated. See for example http://www.thecabal.org/~devin/postfix/smtp-auth.txt - there are several examples given at http://www.postfix.org/docs.html

Note that if you need to go down this route, you would install saslauth through up2date or yum.


Rgds
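The point in the two replies above is how Postfix walks smtpd_recipient_restrictions: each entry returns permit, reject or "dunno", the first permit or reject wins, and reject_unauth_destination only fires for recipients outside mydestination (and relay_domains). In the maillog posted earlier the connection arrives from the public DSL address, not from a 10.x address, so permit_mynetworks never matches and the next entry rejects the relay. The following is an added example, not code from the thread: it parses a reject line like the one posted (the IP is a constructed placeholder, as in the thread), checks the client against the poster's mynetworks, and walks both the live restriction list and the permit_sasl_authenticated variant billymayday suggests. The mydestination set, the mynetworks value and the two restriction lists are copied from the postconf -n output; everything else is mine.

```python
"""Simulate Postfix smtpd_recipient_restrictions for a logged 'Relay access denied'.

Added example, not from the thread. The semantics (left-to-right walk, first
PERMIT/REJECT wins, DUNNO continues, implicit permit at end of list) follow the
Postfix SMTPD_ACCESS_README; only the handful of restrictions used in the thread
are modelled, every other name is treated as DUNNO.
"""
import ipaddress
import re

# Copied from the poster's postconf -n output.
MYNETWORKS = ["10.10.0.0/16", "127.0.0.0/8", "10.11.0.0/16", "10.12.0.0/16"]
MYDESTINATION = {"mail.xxx.com", "localhost.xxx.com", "localhost", "xxx.com", "xxx.local"}

# Restriction lists: the poster's live one, and the SASL-aware one suggested in reply.
LIVE = ["permit_mynetworks", "reject_unauth_destination"]
WITH_SASL = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]

# Constructed log line modelled on the one in the thread (85.78.10.2 is the poster's example IP).
LOG_LINE = ("May 1 09:34:37 postfix/smtpd[20055]: NOQUEUE: reject: RCPT from "
            "host85.78.10.2.in-addr.btopenworld.com[85.78.10.2]: 554 <a@a.com>: "
            "Relay access denied; from=<s@XXX.com> to=<a@a.com> proto=ESMTP helo=<rl21>")

REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from [^\s\[]+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
    r"<(?P<rcpt>[^>]+)>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)>")


def parse_reject(line):
    """Extract client IP, SMTP code, recipient, reason and sender from a smtpd reject line."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def in_mynetworks(ip, networks=MYNETWORKS):
    """permit_mynetworks looks at the *connecting* client address, not the envelope sender."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def evaluate(restrictions, client_ip, rcpt, sasl_authenticated=False):
    """Walk the list left to right; return (verdict, restriction or reply that decided it)."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(client_ip):
            return ("PERMIT", r)
        if r == "permit_sasl_authenticated" and sasl_authenticated:
            return ("PERMIT", r)
        if r == "reject_unauth_destination" and rcpt_domain not in MYDESTINATION:
            # relay_domains is empty in the posted config, so only mydestination counts
            return ("REJECT", "554 Relay access denied")
        if r == "permit":
            return ("PERMIT", r)
        # reject_non_fqdn_*, reject_unknown_*, etc. are DUNNO for this simulation
    return ("PERMIT", "end of list")  # Postfix permits when the list is exhausted


if __name__ == "__main__":
    ev = parse_reject(LOG_LINE)
    print("client", ev["ip"], "in mynetworks:", in_mynetworks(ev["ip"]))
    print("live list, unauthenticated :", evaluate(LIVE, ev["ip"], ev["rcpt"]))
    print("SASL list, authenticated   :", evaluate(WITH_SASL, ev["ip"], ev["rcpt"], True))
    print("live list, local recipient :", evaluate(LIVE, ev["ip"], "user@XXX.com"))
```

Running it shows why inbound mail works while outbound is refused: a recipient in XXX.com never reaches reject_unauth_destination's reject branch, whereas a@a.com from a client outside mynetworks does, unless the session is SASL-authenticated and permit_sasl_authenticated sits before reject_unauth_destination.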

i_nomad 05-01-2008 05:27 AM

OK in terms of the mail log...

The ip address is a public dsl one..say 85.78.10.2
The mynetworks are referring to the 10.X.X.X networks shown
The VPN client has a 10.x.x.x address but not one defined in mynetworks

As for SASL authentication, I am planning on implementing TLS, but at this stage is it a critical issue? Do I need this?


Regards

billymayday 05-01-2008 05:38 AM

They're different things

TLS encrypts traffic - can be the authentication process and/or sending/receiving messages.

Authentication means that when a user connects (say to smtp), a username/password is required, and this is authenticated with a user database of some sort (can use pam for example).

I don't quite get your IP comments. What is the IP of May 1 09:34:37 postfix/smtpd[20055]: connect from hostXX-XX-XXX-XX.in-addr.bt.com[XX.XX.XX.XX]? it shouldn't be the public IP of your server, but your explanation isn't all that clear.

i_nomad 05-01-2008 06:15 AM

May 1 09:34:37 postfix/smtpd[20055]: connect from host85.78.10.2.in-addr.btopenworld.com[85.78.10.2]
May 1 09:34:37 postfix/smtpd[20055]: NOQUEUE: reject: RCPT from host85.78.10.2.in-addr.btopenworld.com[85.78.10.2]: 554 <a@a.com>: Relay access denied; from=<s@XXX.com> to=<a@a.com> proto=ESMTP helo=<rl21>

OK..I have a DSL connection 85.78.10.2(this is an example)
s@xxx is the user "s" on domain XXX
helo=<rl21> is the machine establishing HELO??

The mail server is in a remote network. The local ip address of the mail server is 10.x.x.x. . This is defined in mynetworks.

The mail client could be anywhere in the world. The smtp and imap are as per domain etc...

Mail is received in but not sent out... relay denied.

billymayday 05-01-2008 06:45 AM

Quote:

OK..I have a DSL connection 85.78.10.2(this is an example)
is this at the mailserver end or is it the remote end?

i_nomad 05-01-2008 07:06 AM

The mail server is in a remote location connected to the internet... not linked to the DSL network. The IP of the mail server is 10.x.x.x

I have a client on a DSL network that I am trying to use to send mail from using the SMTP and IMAP settings to another mail server a@a.com (just an example)

Regards

billymayday 05-01-2008 06:01 PM

So, if the IP is yours, you should be able to add it to mynetworks.

I'd still investigate authentication, and since you are doing it over the net, you may want to do it in conjunction with TLS. However, your VPN setup may take care of security concerns (you want to avoid plain text passwords being sent over the net)
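The two options discussed in this thread are adding the client's public address to mynetworks, which relays anything that connects from that address, or having roaming clients authenticate with SASL over TLS, which ties relaying to a password instead of to a source IP. Below is an added configuration example for the second option; it is not the poster's configuration and not from the replies. Certificate paths and the saslauthd mechanism are placeholders; the domain is the XXX.com used throughout the thread. Note that smtpd_tls_security_level was introduced in Postfix 2.3, so on the 2.2.10 build shown in postconf -n the equivalent knobs are smtpd_use_tls = yes and smtpd_enforce_tls = yes.

```conf
# /etc/postfix/main.cf (added example, assumed paths)
smtpd_tls_cert_file = /etc/postfix/mail.XXX.com.pem
smtpd_tls_key_file = /etc/postfix/mail.XXX.com.key
smtpd_tls_security_level = may      # Postfix 2.3+; on 2.2 use smtpd_use_tls = yes
smtpd_tls_auth_only = yes           # never offer AUTH on an unencrypted session
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# /etc/postfix/master.cf: dedicated submission port for roaming clients,
# TLS mandatory and only authenticated sessions accepted there
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# /usr/lib/sasl2/smtpd.conf (Cyrus SASL; saslauthd started with e.g. -a pam)
pwcheck_method: saslauthd
mech_list: plain login
```

With this in place the Outlook Express client points SMTP at port 587 with "server requires authentication" and TLS enabled; the session is then permitted by permit_sasl_authenticated regardless of the source address, and mynetworks can stay limited to the 10.x ranges already listed. If the VPN is used instead, the client must actually route its SMTP traffic through the tunnel so that smtpd sees a 10.x source address; the log line posted shows the connection arriving from the public DSL address, which is why permit_mynetworks did not match.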

