Postfix-Relay access denied
Can someone help? Mail in from the internet and local mail on the network works fine, but no external mail is able to send out. Error 554: Relay Access Denied.
I have tried investigating this but have not managed to find what the key entry is. (I am not reliant on an external entity to relay mail out.) I want to use the mail server to send directly onto the internet.

main.cf:

fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
myorigin = $mydomain
myhostname = mail.XXX.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, XXX.com, XXX.local
mydomain = XXX.com
mynetworks = 127.0.0.0/8 10.10.0.0/16 10.11.0.0/16 10.12.0.0/16
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination reject_non_fqdn_hostname reject_invalid_hostname permit

Try making permit_mynetworks the first sender restriction.
If that doesn't work, can you post the output of postconf -n?
Rgds

Sorry, the previous output I posted was in my test script. This is the live output where I am having a problem at the moment.
Many thanks for the input.

alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
html_directory = no
local_recipient_maps = unix:passwd.byname $alias_maps
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, XXX.com, XXX.local
mydomain = XXX.com
myhostname = mail.XXX.com
mynetworks = 10.10.0.0/16, 127.0.0.0/8, 10.11.0.0/16, 10.12.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
unknown_local_recipient_reject_code = 550

Hi Billy
As you can see, the permit_mynetworks is first. It does not make any difference; relay is still denied.
Regards

And are you sending from a machine on one of 10.10.0.0/16, 127.0.0.0/8, 10.11.0.0/16, 10.12.0.0/16 ?
If so, can you please post the log messages around the attempt?

Yes I am sending from the internal network out
maillog:

May 1 09:33:58 master[6121]: process 19723 exited, status 0
May 1 09:33:59 imap[19717]: idle for too long, closing connection
May 1 09:34:03 imap[19718]: idle for too long, closing connection
May 1 09:34:08 imap[19720]: idle for too long, closing connection
May 1 09:34:12 imap[19721]: idle for too long, closing connection
May 1 09:34:37 postfix/smtpd[20055]: connect from hostXX-XX-XXX-XX.in-addr.bt.com[XX.XX.XX.XX]
May 1 09:34:37 postfix/smtpd[20055]: NOQUEUE: reject: RCPT from hostXX-XX-XX-XX.in-addr.bt.com[XX.XX.XX.XXX]: 554 <a@a.com>: Relay access denied; from=<AAA@XXX.com> to=<a@a.com> proto=ESMTP helo=<rl001>
May 1 09:34:38 master[6121]: process 20007 exited, status 0
May 1 09:34:38 master[6121]: process 19859 exited, status 0
May 1 09:34:38 master[6121]: process 20006 exited, status 0
May 1 09:34:38 master[6121]: process 19951 exited, status 0
May 1 09:34:38 master[6121]: process 20005 exited, status 0
May 1 09:34:40 postfix/smtpd[20055]: disconnect from hostXX.XX-XXX-XX.in-addr.bt.com[XX.XX.XX.XX]

OK this is what I am doing.
I have a VPN session into the mail server. The IP address of this server is within the range of mynetworks. The "local" mail client on the machine I am using to establish the VPN is using Outlook Express that has the IMAP and SMTP settings set for the domain. The address that is allocated to the "local" ethernet card is not defined within the my networks. I am presuming this is OK?? It would not make sense to me to define this client in the range in mynetworks.
Regards

hard to say since you've cut out the IPs
That would make sense if you are confident that no one who shouldn't can connect from that address if it's private (for example, most firewalls block private ranges coming from public networks) or it's yours and yours alone if it's public.
If that isn't the case, why not have the senders authenticate, and permit_sasl_authenticated. See for example http://www.thecabal.org/~devin/postfix/smtp-auth.txt - there are several examples given at http://www.postfix.org/docs.html
Note that if you need to go down this route, you would install saslauth through up2date or yum.
Rgds

OK in terms of the mail log...
The IP address is a public DSL one, say 85.78.10.2.
The mynetworks are referring to the 10.X.X.X networks shown.
The VPN client has a 10.x.x.x address but not defined in the my networks.
As for SASL authentication, I am planning on implementing TLS, but at this stage is it a critical issue? Do I need this?
Regards

They're different things
TLS encrypts traffic - can be the authentication process and/or sending/receiving messages.
Authentication means that when a user connects (say to smtp), a username/password is required, and this is authenticated with a user database of some sort (can use pam for example).
I don't quite get your IP comments. What is the IP of

May 1 09:34:37 postfix/smtpd[20055]: connect from hostXX-XX-XXX-XX.in-addr.bt.com[XX.XX.XX.XX]

? It shouldn't be the public IP of your server, but your explanation isn't all that clear.

May 1 09:34:37 postfix/smtpd[20055]: connect from host85.78.10.2.in-addr.btopenworld.com[85.78.10.2]
May 1 09:34:37 postfix/smtpd[20055]: NOQUEUE: reject: RCPT from host85.78.10.2.in-addr.btopenworld.com[85.78.10.2]: 554 <a@a.com>: Relay access denied; from=<s@XXX.com> to=<a@a.com> proto=ESMTP helo=<rl21>

OK. I have a DSL connection, 85.78.10.2 (this is an example).
s@xxx is the user "s" on domain XXX.
helo<r121> is the machine establishing helo??
The mail server is in a remote network. The local IP address of the mail server is 10.x.x.x. This is defined in mynetworks. The mail client could be anywhere in the world. The SMTP and IMAP are as per domain etc.
Mail is received in but not sent out... relay denied.

Mail server is in remote location connected to the internet...not linked to the DSL network. The ip of the mail server is 10.x.x.x
I have a client on a DSL network that I am trying to use to send mail from, using the SMTP and IMAP settings, to another mail server a@a.com (just an example).
Regards

So, if the IP is yours, you should be able to add it to mynetworks.
I'd still investigate authentication, and since you are doing it over the net, you may want to do it in conjunction with TLS. However, your VPN setup may take care of security concerns (you want to avoid plain text passwords being sent over the net).
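
Added example (not part of the thread and not Postfix code): a simplified Python model of how the smtpd_recipient_restrictions list from the postconf -n output decides the rejected RCPT shown in the log. LOCAL_DOMAINS stands in for mydestination with the poster's XXX.com redaction, and the authenticated flag and the WITH_AUTH list are assumptions illustrating the permit_sasl_authenticated suggestion from the replies.

```python
import ipaddress
import re

# Values copied from the thread's postconf -n output (XXX.com is the poster's redaction).
MYNETWORKS = ["10.10.0.0/16", "127.0.0.0/8", "10.11.0.0/16", "10.12.0.0/16"]
LOCAL_DOMAINS = {"mail.xxx.com", "localhost.xxx.com", "localhost", "xxx.com", "xxx.local"}
LIVE = ["permit_mynetworks", "reject_unauth_destination"]
# Assumption: the live list with the SASL rule suggested in the replies added.
WITH_AUTH = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]

# Reject line as posted in the thread (85.78.10.2 is the poster's example address).
SAMPLE = ("May 1 09:34:37 postfix/smtpd[20055]: NOQUEUE: reject: RCPT from "
          "host85.78.10.2.in-addr.btopenworld.com[85.78.10.2]: 554 <a@a.com>: "
          "Relay access denied; from=<s@XXX.com> to=<a@a.com> proto=ESMTP helo=<rl21>")

REJECT_RE = re.compile(r"reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 554 .*"
                       r"Relay access denied; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")

def parse_reject(line):
    """Return (client_ip, sender, recipient) from a 'Relay access denied' line, or None."""
    m = REJECT_RE.search(line)
    return (m["ip"], m["sender"], m["rcpt"]) if m else None

def evaluate(client_ip, rcpt, restrictions, authenticated=False):
    """Simplified first-match walk of the list; returns (action, deciding restriction)."""
    addr = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for rule in restrictions:
        if rule == "permit_mynetworks" and any(
                addr in ipaddress.ip_network(net) for net in MYNETWORKS):
            return ("permit", rule)
        if rule == "permit_sasl_authenticated" and authenticated:
            return ("permit", rule)
        if rule == "reject_unauth_destination" and domain not in LOCAL_DOMAINS:
            return ("reject", rule)
    return ("permit", "end of list")  # nothing matched: the mail is accepted

if __name__ == "__main__":
    ip, sender, rcpt = parse_reject(SAMPLE)
    print("outbound from DSL client:", evaluate(ip, rcpt, LIVE))
    print("inbound to local domain: ", evaluate(ip, sender, LIVE))
    print("client inside mynetworks:", evaluate("10.10.3.4", rcpt, LIVE))
    print("DSL client, authenticated:", evaluate(ip, rcpt, WITH_AUTH, authenticated=True))
```

The client address Postfix logs is the public DSL address, which is outside mynetworks, so the remote recipient falls through to reject_unauth_destination, while mail addressed to the local domain is still accepted.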