[SOLVED] Postfix refuses to send to any domain, error 554 5.7.1
I am trying to configure a mail server, for a site I'm building. I opted to use Postfix for the MTA, and Courier to provide IMAP (if that's relevant at all).
I can receive emails just fine, and checked this both using Telnet to port 25, and by sending an email from my gmail address, both of which were received without issues.
The problems start when I try to send. No matter where I send from (either my mail client, or telnet again), and where I try to send to, regardless of domain, I get a 554 5.7.1 error, "Relay access denied." If this were happening to Gmail alone, or perhaps some of the other larger webmail providers as well, I would believe that the previous user of this IP (it's an Amazon EC2 Elastic IP) abused it, and had it blacklisted, however the fact that I can receive mails on the server, and the error occurs regardless of receiving domain, leads me to believe that I've misconfigured something.
I've checked already on various spam blacklists, and no, the IP I'm using is not listed. I can confirm that sending to myself works.
Sorry for not being able to provide any more information, I'm relatively new to using Postfix, and have done all I can think to do to resolve this issue, without posting on here. Googling for hours on end didn't yield any useful information (apart from something that broke receiving mails as well, which has since been undone.)
Thanks in advance for any help you can offer,
Connor
The 554 was coming from (in my test case) Google's servers. I've checked my IP and domain name against that list, and can confirm that no, I have not been blacklisted.
I do not currently have an SPF record in place, however I have done some reading on the subject, and believe that this may be the issue. I am putting it in place now, and will report back once the records have propagated and I can test it fully.
It may indeed be SPF related, but I'm slightly puzzled by the error message itself.
"Relay access denied" usually indicates that you're delivering mail to a server not listed as an MX for the recipient domain, thus necessitating relaying to another server in order to reach the recipient. If you're delivering mail using DNS records rather than using a Smart Host, that just shouldn't happen.
Of course, it could just be Google's mail servers being deliberately ambiguous, or the error message could be related to mail having to be forwarded from an anti-spam frontend to some hidden backend mail server cluster.
I'm assuming that it was gmail's servers generating the 554 error, as the error itself follows the email address on their servers, however I could be mistaken.
The SPF record has propagated now, however I still receive the same issue. This probably means that the error is local, and lies in one of my configuration files. The fact that the error occurs when telnetting over port 25 would indicate that the error is specific to Postfix, and has nothing to do with Courier IMAP, however as for narrowing the error down further than that, I'm at something of a loss.
Okay, I seem to have narrowed the search down significantly, though still can't seem to get anything working perfectly.
After a lot of messing around with smtpd_recipient_restrictions, using the Postfix documentation, I found that overriding reject_unauth_destination with a preceding permit allows mail to be sent anywhere (though reject_unauth_destination is needed). However, this puts Postfix in an open relay configuration, which is the surest way of getting myself on a blocklist I know of.
So, that all means that it is my server generating the 554. As of right now, I have:
however this still seems to generate the 554 error. Furthermore, I can confirm that email sent on the server itself (using telnet localhost 25, rather than telnet example.com 25) works without restriction, because of the permit_mynetworks clause. What this means, as best I understand it, is that I can either send mail from anybody to anybody, or from anybody only to the local server and from the local server to anybody.
What I need, however, is to be able to send from anybody to users on the server, and from users on the server to anybody, without having to "become" the server to send.
I think that was clear, if not let me know and I'll try to reword it.
According to the Postfix documentation, the "permit_mynetworks" directive means "permit any host in networks defined by the $mynetworks variable". You may want to check that $mynetworks actually does list all local (client) IP networks.
You don't seem to define mynetworks in your configuration file, and since you have a mynetworks_style = host setting, $mynetworks will by default only cover the local server. Try changing mynetworks_style to "subnets", or define mynetworks manually.
I've managed to fix it, after many a frustrating hour. Turns out, I wasn't specific enough. I should have specified, remote clients should have been possible. I'd assumed that this would have been implicit, when in reality this is not so.
It also turns out that, to properly send emails from remote clients, SASL should be used, and this is where my configuration fell down. I've fixed the problem now, thanks for your help.
I should have specified, remote clients should have been possible. I'd assumed that this would have been implicit, when in reality this is not so.
It also turns out that, to properly send emails from remote clients, SASL should be used, and this is where my configuration fell down.
The only way to distinguish "genuine" remote clients (with dynamic IP addresses) from random PCs attempting to relay spam, is to require SMTP authentication. Glad to hear you managed to fix it.
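Added example, not code from the thread or from Postfix: a simplified Python model of how an smtpd_recipient_restrictions list is walked left to right, showing why a leading permit creates an open relay and why SASL authentication lets remote clients send without one. The domains, addresses and the three sample lists are constructed; only the restriction names are real Postfix ones.

```python
import ipaddress

# Constructed sample values, not taken from the thread.
LOCAL_DOMAINS = {"example.com"}   # domains this server is final destination for
MYNETWORKS = ["127.0.0.0/8"]      # trusted networks; loopback only in this sample

OPEN_RELAY = "permit, reject_unauth_destination"
LOCAL_ONLY = "permit_mynetworks, reject_unauth_destination"
WITH_SASL = ("permit_mynetworks, permit_sasl_authenticated, "
             "reject_unauth_destination")


def evaluate(restrictions, client_ip, authenticated, rcpt):
    """Walk the list left to right; the first decisive result wins."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    # main.cf lists may be separated by commas and/or whitespace.
    for name in restrictions.replace(",", " ").split():
        if name == "permit":
            return "permit"
        if name == "reject":
            return "reject"
        if name == "permit_mynetworks":
            ip = ipaddress.ip_address(client_ip)
            if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS):
                return "permit"
        elif name == "permit_sasl_authenticated":
            if authenticated:
                return "permit"
        elif name == "reject_unauth_destination":
            if domain not in LOCAL_DOMAINS:
                return "reject"  # the 554 5.7.1 "Relay access denied" case
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "permit"  # nothing in the list rejected the recipient


def is_open_relay(restrictions):
    """True if an unauthenticated outside client may mail an outside domain."""
    return evaluate(restrictions, "203.0.113.7", False,
                    "someone@example.net") == "permit"


if __name__ == "__main__":
    for label, rules in (("open relay", OPEN_RELAY),
                         ("local only", LOCAL_ONLY),
                         ("with SASL", WITH_SASL)):
        print(f"{label:10} open_relay={is_open_relay(rules)}")
```
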