# Can receive mail but not send...relay access denied??

## jtp755

I am trying to set up a mailhost on my server and I have been following the Virtual Mailhost guide and I am stuck. I am not sure if it is set up right or not. I am up to the part of testing before installing SquirrelMail. I can log in using

```

telnet localhost 143

1 LOGIN user pass

```

and that works, but I'm not sure if everything is configured right. How can I check auth and all that good stuff?

I am also kinda lost on what I am supposed to put in the MySQL database.

Also, why did I have to change the stuff in the phpMyAdmin config to reflect the mail user instead of using the pma control user?

Also, does it affect anything if I don't have

```
250-XVERP
```

 in the output of 

```

telnet localhost 25

ehlo domainname.com

```

because everywhere I have looked I see that in the output.

----------

## jtp755

OK. I decided to go ahead and install SquirrelMail and see if it works. Well, I tried and this is what it gave me:

```
Transaction failed

Server replied: 554 <jtp755 at * dot rr dot com>: Relay access denied

```

What could be wrong?

I just found out that I can receive mail using SquirrelMail but I still can't send any...

Where is relay access controlled and what do I need to change?

Changed the title of the thread to better suit the problem

----------

## nobspangle

Are you using Postfix as your MTA? If so, check

mynetworks 

and 

smtpd_recipient_restrictions

mynetworks should be a list of the IP addresses/ranges you are going to send mail from (for squirrelmail this is 127.0.0.1) and smtpd_recipient_restrictions should at least contain permit_mynetworks reject_unauth_destination

----------

## jtp755

ok.

smtpd_recipient_restrictions does contain both of those.

as for mynetworks, mine looks like this:

```

mynetworks = 192.168.0.0/24, 127.0.0.0/8

```

should it be the exact IP of the server and changed 127.0.0.0 to 127.0.0.1?

----------

## jtp755

Here is my main.cf for postfix:

```
alias_database = hash:/etc/mail/aliases

alias_maps = mysql:/etc/postfix/mysql-aliases.cf

broken_sasl_auth_clients = yes

command_directory = /usr/sbin

config_directory = /etc/postfix

daemon_directory = /usr/lib/postfix

debug_peer_level = 2

default_destination_concurrency_limit = 10

home_mailbox = .maildir/

html_directory = no

inet_interfaces = all

local_destination_concurrency_limit = 2

local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname

local_transport = local

mail_owner = postfix

mailq_path = /usr/bin/mailq

manpage_directory = /usr/share/man

mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.$mydomain

mydomain = eternalfireproof.com

myhostname = mail.eternalfireproof.com

mynetworks = 192.168.0.0/16, 127.0.0.0/8

myorigin = $mydomain

newaliases_path = /usr/bin/newaliases

queue_directory = /var/spool/postfix

readme_directory = /usr/share/doc/postfix-2.1.3/readme

relocated_maps = mysql:/etc/postfix/mysql-relocated.cf

sample_directory = /etc/postfix

sendmail_path = /usr/sbin/sendmail

setgid_group = postdrop

smtpd_recipient_restrictions = permit_sasl_authenticated,       permit_mynetworks,      reject_unauth_destination

smtpd_sasl_auth_enable = yes

smtpd_sasl_local_domain =

smtpd_sasl_security_options = noanonymous

smtpd_tls_CAfile = /etc/postfix/cacert.pem

smtpd_tls_cert_file = /etc/postfix/newcert.pem

smtpd_tls_key_file = /etc/postfix/newreq.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

smtpd_use_tls = yes

tls_random_source = dev:/dev/urandom

unknown_local_recipient_reject_code = 550

virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf

virtual_gid_maps = static:$vmail-gid

virtual_mailbox_base = /

virtual_mailbox_domains = whiteguardian.net     $other-virtual-domain.com

virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf

virtual_minimum_uid = 1000

virtual_transport = virtual

virtual_uid_maps = static:$vmail-uid

```

Does it look OK? What should I change?

----------

## nobspangle

try putting permit_mynetworks before permit_sasl_authenticated

----------

## jtp755

Nope, still didn't work.

I've been looking through the logs and I have noticed that every time it tries to use the certs I created, it can't find them, but they are in the path that is specified. What should the privs and owner be?

I'm beginning to think God doesn't want me to have email right now.

----------

## jtp755

Just wanted to say that I have put this project to the side for a while until God is ready for me to have my own email server. Thanks for the help though.

----------

## opm8

Well, maybe it's been enough time for this project of yours to remain in hiatus.

Anyway, I just fixed this same problem for myself. I needed to add 'permit_mynetworks' to smtpd_client_restrictions in /etc/postfix/main.cf:

```

smtpd_client_restrictions =  permit_mynetworks,

                             permit_sasl_authenticated,

                             reject_unauth_destination

```

--opm8

----------

## jtp755

Thanks... I will try it in the next few days.

----------

## framirez

try to fix mynetworks = 192.168.0.0/16, 127.0.0.0/8 for mynetworks = 192.168.0.0/24, 127.0.0.0/8

remember that /24 is not for the range of your DHCP but for the netmask bla blah....

also this will help too:

```
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination
```

----------

## infecticide

Just wanted to post confirmation that this resolved my issue beautifully.

----------

## infecticide

I've got the same issue again but I believe mine stems from HOW I want to use my MTA.

I'm getting this in the logs:

```

Jan 24 22:06:20 [postfix/smtpd] >>> START Client host RESTRICTIONS <<<

Jan 24 22:06:20 [postfix/smtpd] generic_checks: name=permit_mynetworks

Jan 24 22:06:20 [postfix/smtpd] permit_mynetworks: static24-72-138-xxx.regina.accesscomm.ca 24.72.138.xxx

Jan 24 22:06:20 [postfix/smtpd] match_hostname: static24-72-138-xxx.regina.accesscomm.ca ~? 127.0.0.0/8

Jan 24 22:06:20 [postfix/smtpd] match_hostaddr: 24.72.138.xxx ~? 127.0.0.0/8

Jan 24 22:06:20 [postfix/smtpd] match_list_match: static24-72-138-xxx.regina.accesscomm.ca: no match

Jan 24 22:06:20 [postfix/smtpd] match_list_match: 24.72.138.xxx: no match

Jan 24 22:06:20 [postfix/smtpd] generic_checks: name=permit_mynetworks status=0

Jan 24 22:06:20 [postfix/smtpd] generic_checks: name=permit_sasl_authenticated

Jan 24 22:06:20 [postfix/smtpd] generic_checks: name=permit_sasl_authenticated status=1

Jan 24 22:06:20 [postfix/smtpd] >>> START Recipient address RESTRICTIONS <<<

Jan 24 22:06:20 [postfix/smtpd] generic_checks: name=permit_mynetworks

Jan 24 22:06:21 [postfix/smtpd] permit_mynetworks: static24-72-138-xxx.regina.accesscomm.ca 24.72.138.xxx

Jan 24 22:06:21 [postfix/smtpd] match_hostname: static24-72-138-xxx.regina.accesscomm.ca ~? 127.0.0.0/8

Jan 24 22:06:21 [postfix/smtpd] match_hostaddr: 24.72.138.xxx ~? 127.0.0.0/8

Jan 24 22:06:21 [postfix/smtpd] match_list_match: static24-72-138-xxx.regina.accesscomm.ca: no match

Jan 24 22:06:21 [postfix/smtpd] match_list_match: 24.72.138.xxx: no match

Jan 24 22:06:21 [postfix/smtpd] generic_checks: name=permit_mynetworks status=0

Jan 24 22:06:21 [postfix/smtpd] generic_checks: name=reject_unauth_destination

Jan 24 22:06:21 [postfix/smtpd] reject_unauth_destination: infecticide@accesscomm.ca

Jan 24 22:06:21 [postfix/smtpd] permit_auth_destination: infecticide@accesscomm.ca

Jan 24 22:06:21 [postfix/smtpd] ctable_locate: leave existing entry key infecticide@accesscomm.ca

Jan 24 22:06:21 [postfix/smtpd] NOQUEUE: reject: RCPT from static24-72-138-xxx.regina.accesscomm.ca[24.72.138.xxx]: 554 <infecticide@accesscomm.ca>: Relay access denied; from=<infecticide@tuxsteve.net> to=<infecticide@accesscomm.ca> proto=ESMTP helo=<[192.168.1.100]>

Jan 24 22:06:21 [postfix/smtpd] generic_checks: name=reject_unauth_destination status=2

```

I need the following:

- Optional TLS encryption, I can proceed without it if necessary. (I think I can get this by setting smtpd_tls_only = no)

- Use SquirrelMail using IMAP (which is working inbound and outbound currently)

- If you can authenticate you can send and receive mail, if not you can't do anything. I want to be able to use a mail client anywhere and use it with full function.

Here's some useful tidbits from main.cf:

```

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/lib/postfix

mail_owner = postfix

myorigin = tuxsteve.net

mydestination = infecticide.no-ip.org, infecticide.tuxsteve.net, mail.tuxsteve.net, tuxsteve.net, localhost

local_recipient_maps = $alias_maps unix:passwd.byname

unknown_local_recipient_reject_code = 450

mynetworks_style = subnet

mynetworks = 127.0.0.0/8

relay_domains = $mydestination

alias_maps = hash:/etc/mail/aliases

alias_database = hash:/etc/mail/aliases

home_mailbox = .maildir/

mailbox_command = /usr/bin/procmail

local_destination_concurrency_limit = 2

default_destination_concurrency_limit = 2

debug_peer_level = 2

debugger_command =

         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

         xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail

newaliases_path = /usr/bin/newaliases

mailq_path = /usr/bin/mailq

setgid_group = postdrop

html_directory = /usr/share/doc/postfix-2.2.10/html

manpage_directory = /usr/share/man

sample_directory = /etc/postfix

readme_directory = /usr/share/doc/postfix-2.2.10/readme

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_local_domain =

broken_sasl_auth_clients = yes

#smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject

#smtpd_use_tls=yes

#smtpd_tls_auth_only = yes

#smtpd_tls_key_file = /etc/ssl/postfix/server.key

#smtpd_tls_cert_file = /etc/ssl/postfix/server.crt

#smtpd_tls_CAfile = /etc/ssl/postfix/server.pem

#smtpd_tls_loglevel = 3

#smtpd_tls_received_header = yes

#smtpd_tls_session_cache_timeout = 3600s

#tls_random_source = dev:/dev/urandom

```

----------

## infecticide

Forgive me for I am a dolt.

I neglected to include the smtpd_recipient_restrictions line entirely!

Doh!

These are the lines I've ended up with:

```

smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

```

----------
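Added example, not part of any post above: a simplified Python model of how Postfix walks the client and recipient restriction lists, showing why the authenticated client in the log was still refused at the recipient stage, and that the two lines from the final post relay for authenticated users without relaying for anonymous ones. The function names, the session values and the 203.0.113.7 address are constructed for illustration; domain matching is reduced to an exact lookup.

```python
import ipaddress

DUNNO, PERMIT, REJECT = "DUNNO", "PERMIT", "REJECT"

def check(name, s, cfg):
    """Result of one restriction for session s (simplified model of smtpd)."""
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(s["client_ip"])
        hit = any(ip in ipaddress.ip_network(n) for n in cfg["mynetworks"])
        return PERMIT if hit else DUNNO
    if name == "permit_sasl_authenticated":
        return PERMIT if s["sasl_user"] else DUNNO
    if name == "reject_unauth_destination":
        # Simplification: exact match against the domains this server is the
        # final destination or a relay for (mydestination / relay_domains).
        domain = s["rcpt"].rsplit("@", 1)[-1].lower()
        return DUNNO if domain in cfg["local_domains"] else REJECT
    if name == "reject":
        return REJECT
    raise ValueError(f"restriction not modelled: {name}")

def decide(s, cfg):
    """Run the client list, then the recipient list, as at RCPT TO time
    (smtpd_delay_reject = yes). PERMIT ends only the list it appears in."""
    for stage in ("client", "recipient"):
        for name in cfg[stage]:
            result = check(name, s, cfg)
            if result == REJECT:
                return f"REJECT at {stage} stage by {name}"
            if result == PERMIT:
                break  # the next stage still runs
    return "ACCEPT"

BASE = {"mynetworks": ["127.0.0.0/8"],
        "local_domains": {"infecticide.no-ip.org", "infecticide.tuxsteve.net",
                          "mail.tuxsteve.net", "tuxsteve.net", "localhost"}}
# Config from the post with the log: no smtpd_recipient_restrictions line, so
# the recipient stage runs the two checks visible in that log.
BEFORE = dict(BASE, client=["permit_mynetworks", "permit_sasl_authenticated", "reject"],
              recipient=["permit_mynetworks", "reject_unauth_destination"])
# The two lines from the final post.
FIXED = ["permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"]
AFTER = dict(BASE, client=FIXED, recipient=FIXED)

# Constructed sessions; 203.0.113.7 stands in for the redacted client IP.
AUTHED = {"client_ip": "203.0.113.7", "sasl_user": "infecticide",
          "rcpt": "infecticide@accesscomm.ca"}
ANON = dict(AUTHED, sasl_user=None)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "| authed:", decide(AUTHED, cfg), "| anon:", decide(ANON, cfg))
```

The anonymous session is the open-relay check: after any change to these lists, an unauthenticated client outside mynetworks sending to a domain the server does not host must still come back rejected.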

