# Relay access denied;

## elmar283

For more than a year I have had a mail server running under Gentoo.

Today I noticed that I'm unable to send mail through SMTP to mail addresses outside of my own domain.

The error message is:

```

Apr 12 18:59:04 ZaphodBeeblebrox postfix/smtpd[10669]: NOQUEUE: reject: RCPT from mail.elmarotter.eu[83.161.154.53]: 554 5.7.1 <elmar283ATgmail.com>: Relay access denied; from=<elmarATelmarotter.nl> to=<elmar283ATgmail.com> proto=ESMTP helo=<[192.168.0.16]>

```

(I changed @ to AT to avoid spam).

I don't know why this is happening.

The only thing I can think of is that somehow my IP isn't seen as an authorized destination by 'reject_unauth_destination'. But that is just a guess.

Below are some of my configs:

```

elmarotter@ZaphodBeeblebrox ~ $ cat /etc/postfix/main.cf

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = //usr/libexec/postfix

data_directory = /var/lib/postfix

mail_owner = postfix

myhostname = mail.elmarotter.eu

mydomain = elmarotter.eu

myorigin = elmarotter.eu

inet_interfaces = all

mydestination = mail.elmarotter.eu, localhost.elmarotter.eu, elmarotter.eu

unknown_local_recipient_reject_code = 450

mynetworks = 192.168.0.0/24, 192.168.178.0/24, 127.0.0.0/8

home_mailbox = .maildir/

local_destination_concurrency_limit = 2

default_destination_concurrency_limit = 20

debug_peer_level = 2

debugger_command =

    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

    ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail

newaliases_path = /usr/bin/newaliases

mailq_path = /usr/bin/mailq

setgid_group = postdrop

html_directory = no

manpage_directory = /usr/share/man

sample_directory = /etc/postfix

readme_directory = no

home_mailbox = .maildir/

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_sasl_local_domain =

smtpd_recipient_restrictions =

  permit_sasl_authenticated,

  permit_mynetworks,

  reject_unauth_destination

smtp_use_tls = yes

smtp_tls_note_starttls_offer = yes

smtpd_use_tls = yes

#smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/postfix/newkey.pem

smtpd_tls_cert_file = /etc/postfix/newcert.pem

smtpd_tls_CAfile = /etc/postfix/cacert.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

# na hier is nieuw, als mijn mailboxen niet meer werken haal ik de tekst hieronder weg

# Beging nieuwe tekst ->

alias_maps = mysql:/etc/postfix/mysql-aliases.cf

relocated_maps = mysql:/etc/postfix/mysql-relocated.cf

local_transport = local

local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname

virtual_transport = virtual

virtual_mailbox_domains = dwarsleeuwarden.nl, elmarotter.nl

virtual_minimum_uid = 1000

virtual_gid_maps = static:1001

virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf

virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf

virtual_uid_maps = static:1001

virtual_mailbox_base = /

#virtual_mailbox_limit =

owner_request_special = no

recipient_delimiter = +

alias_maps  = mysql:/etc/postfix/mysql-aliases.cf

  hash:/var/lib/mailman/data/aliases,

  mysql:/etc/postfix/mysql-aliases.cf

virtual_alias_maps =

  hash:/var/lib/mailman/data/virtual-mailman,

  mysql:/etc/postfix/mysql-virtual.cf

#mailfitering starst here: Dus als de boel zo niet meer goed werkt dan hetgeen hieronder eerst in de prullenbak mieteren ;)

biff = no

empty_address_recipient = MAILER-DAEMON

queue_minfree = 120000000

content_filter = smtp-amavis:[127.0.0.1]:10024

#Equivalently when using lmtp:

#content_filter = lmtp-amavis:[127.0.0.1]:10024

# TRANSPORT MAP

# 

# Insert text from sample-transport.cf if you need explicit routing.

#transport_maps = hash:/etc/postfix/transport

#relay_domains = $transport_maps

mailbox_command = /usr/bin/procmail -a "elmarotter.eu"

#mailbox_command = /usr/bin/procmail -a "elmarotter.nl"

#mailbox_command = /usr/bin/procmail

```

```

elmarotter@ZaphodBeeblebrox ~ $ ping -c 3 mail.elmarotter.eu

PING mail.elmarotter.eu (83.161.154.53) 56(84) bytes of data.

64 bytes from mail.elmarotter.eu (83.161.154.53): icmp_seq=1 ttl=63 time=46.8 ms

64 bytes from mail.elmarotter.eu (83.161.154.53): icmp_seq=2 ttl=63 time=46.3 ms

--- mail.elmarotter.eu ping statistics ---

3 packets transmitted, 2 received, 33% packet loss, time 2001ms

rtt min/avg/max/mdev = 46.333/46.600/46.868/0.343 ms

```

```

elmarotter@ZaphodBeeblebrox ~ $ cat /etc/postfix/master.cf

#

# Postfix master process configuration file.  For details on the format

# of the file, see the master(5) manual page (command: "man 5 master").

#

# Do not forget to execute "postfix reload" after editing this file.

#

# ==========================================================================

# service type  private unpriv  chroot  wakeup  maxproc command + args

#               (yes)   (yes)   (yes)   (never) (100)

# ==========================================================================

smtp      inet  n       -       n       -       -       smtpd

#submission inet n       -       n       -       -       smtpd 

#  -o smtpd_tls_security_level=encrypt

#  -o smtpd_sasl_auth_enable=yes

#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

#  -o milter_macro_daemon_name=ORIGINATING

#smtps     inet  n       -       n       -       -       smtpd

#  -o smtpd_tls_wrappermode=yes

#  -o smtpd_sasl_auth_enable=yes

#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

#  -o milter_macro_daemon_name=ORIGINATING

#628       inet  n       -       n       -       -       qmqpd

pickup    fifo  n       -       n       60      1       pickup

cleanup   unix  n       -       n       -       0       cleanup

qmgr      fifo  n       -       n       300     1       qmgr

#qmgr     fifo  n       -       n       300     1       oqmgr

tlsmgr    unix  -       -       n       1000?   1       tlsmgr

rewrite   unix  -       -       n       -       -       trivial-rewrite

bounce    unix  -       -       n       -       0       bounce

defer     unix  -       -       n       -       0       bounce

trace     unix  -       -       n       -       0       bounce

verify    unix  -       -       n       -       1       verify

flush     unix  n       -       n       1000?   0       flush

proxymap  unix  -       -       n       -       -       proxymap

proxywrite unix -       -       n       -       1       proxymap

smtp      unix  -       -       n       -       -       smtp

# When relaying mail as backup MX, disable fallback_relay to avoid MX loops

relay     unix  -       -       n       -       -       smtp

   -o smtp_fallback_relay=

#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5

showq     unix  n       -       n       -       -       showq

error     unix  -       -       n       -       -       error

retry     unix  -       -       n       -       -       error

discard   unix  -       -       n       -       -       discard

local     unix  -       n       n       -       -       local

virtual   unix  -       n       n       -       -       virtual

lmtp      unix  -       -       n       -       -       lmtp

anvil     unix  -       -       n       -       1       anvil

scache    unix  -       -       n       -       1       scache

#

# ====================================================================

# Interfaces to non-Postfix software. Be sure to examine the manual

# pages of the non-Postfix software to find out what options it wants.

#

# Many of the following services use the Postfix pipe(8) delivery

# agent.  See the pipe(8) man page for information about ${recipient}

# and other message envelope options.

# ====================================================================

#

# maildrop. See the Postfix MAILDROP_README file for details.

# Also specify in main.cf: maildrop_destination_recipient_limit=1

#

#maildrop  unix  -       n       n       -       -       pipe

#  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

#

# ====================================================================

#

# Recent Cyrus versions can use the existing "lmtp" master.cf entry.

#

# Specify in cyrus.conf:

#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4

#

# Specify in main.cf one or more of the following:

#  mailbox_transport = lmtp:inet:localhost

#  virtual_transport = lmtp:inet:localhost

#

# ====================================================================

#

# Cyrus 2.1.5 (Amos Gouaux)

# Also specify in main.cf: cyrus_destination_recipient_limit=1

#

#cyrus     unix  -       n       n       -       -       pipe

#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}

#

# ====================================================================

#

# Old example of delivery via Cyrus.

#

#old-cyrus unix  -       n       n       -       -       pipe

#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}

#

# ====================================================================

#

# See the Postfix UUCP_README file for configuration details.

#

#uucp      unix  -       n       n       -       -       pipe

#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

#

# ====================================================================

#

# Other external delivery methods.

#

#ifmail    unix  -       n       n       -       -       pipe

#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)

#

#bsmtp     unix  -       n       n       -       -       pipe

#  flags=Fq. user=bsmtp argv=/usr/sbin/bsmtp -f $sender $nexthop $recipient

#

#scalemail-backend unix -       n       n       -       2       pipe

#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store

#  ${nexthop} ${user} ${extension}

#

#mailman   unix  -       n       n       -       -       pipe

#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py

#  ${nexthop} ${user}

# Hier begint mijn mailscan gededeelte. Dus als zo de boel niet meer werkt dan dit hieronder eerst weghalen.

smtp-amavis     unix -        -       n     -       2  smtp

  -o smtp_data_done_timeout=1200

  -o smtp_send_xforward_command=yes

#Equivalently when using lmtp:

#lmtp-amavis    unix -        -       n     -       2  lmtp

#   -o lmtp_data_done_timeout=1200

#   -o lmtp_send_xforward_command=yes

127.0.0.1:10024 inet n        -       n     -       -  smtpd

  -o content_filter=

  -o local_recipient_maps=

  -o relay_recipient_maps=

  -o smtpd_restriction_classes=

  -o smtpd_client_restrictions=

  -o smtpd_helo_restrictions=

  -o smtpd_sender_restrictions=

  -o smtpd_recipient_restrictions=permit_mynetworks,reject

  -o mynetworks=127.0.0.0/8

  -o strict_rfc821_envelopes=yes

  -o smtpd_error_sleep_time=0

  -o smtpd_soft_error_limit=1001

  -o smtpd_hard_error_limit=1000

#If you want to use proxy filtering instead

#smtp            inet n         -       n      -       8 smtpd

# -o smtpd_proxy_filter=127.0.0.1:10024

# -o smtpd_client_connection_count_limit=4

#If you don't want to scan outgoing mail use this

#10.0.0.2:smtp   inet n         -       n       -      - smtpd

#-o content_filter=

```

----------

## khayyam

elmar283 ...

I updated postfix only a day or so ago to 2.10.0 and I did notice that when running dispatch-conf the following had been added to main.cf ... and which I subsequently merged with my current config.

```
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
```

As I don't see this in your main.cf, and taking the above error into account, this is probably the cause ... assuming of course you also updated postfix.

best ... khay

----------

## elmar283

@khayyam: Should I add that rule and delete:

```

smtpd_recipient_restrictions =

  permit_sasl_authenticated,

  permit_mynetworks,

  reject_unauth_destination

```

Or should I just add it?

----------

## elmar283

Now it works again, except from SquirrelMail:

```

connect from ZaphodBeeblebrox.elmarotter.eu[::1]

Apr 12 19:53:47 ZaphodBeeblebrox postfix/smtpd[13413]: NOQUEUE: reject: RCPT from ZaphodBeeblebrox.elmarotter.eu[::1]: 454 4.7.1 <elmar283ATgmail.com>: Relay access denied; from=<elmarATelmarotter.nl> to=<elmar283ATgmail.com> proto=ESMTP helo=<elmarotter.eu>

```

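The strange thing is that it connects from my hostname.domain and not from mail.elmarotter.eu.

[Note: the client address in this log line is [::1], the IPv6 loopback; the mynetworks value posted above lists only IPv4 ranges, so permit_mynetworks would not match this client.]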

----------

## khayyam

elmar283 ...

probably as elmarotter.nl isn't in $mynetworks and/or the client isn't sasl authenticated ... see the section local_header_rewrite_clients in postfix config parameters.

HTH & best ... khay

----------

## elmar283

I have never had a domain in '$mynetworks', only networks (e.g. 192.168.178.0 and 192.168.0.0).

What do you mean by no SASL authentication?

As far as I know these lines make sure it is:

```

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_sasl_local_domain =

#smtpd_recipient_restrictions =

#  permit_sasl_authenticated,

#  permit_mynetworks,

#  reject_unauth_destination

smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination

smtp_use_tls = yes

smtp_tls_note_starttls_offer = yes

smtpd_use_tls = yes

#smtpd_tls_auth_only = yes

smtpd_tls_key_file = /etc/postfix/newkey.pem

smtpd_tls_cert_file = /etc/postfix/newcert.pem

smtpd_tls_CAfile = /etc/postfix/cacert.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

```

The point is that I had a perfectly good working Postfix until I updated to version 2.10.0.

I can only guess it has something to do with that, because before the update everything worked just fine.

----------

## dianthus

 *elmar283 wrote:*   

> 
> 
> The point is that I had a perfect good working postfix until I updated to version 2.10.0
> 
> I can only guess it has something to do with that, because before the update everything worked just fine.

 

I would like to confirm that postfix 2.9.10 after the recent update stopped relaying on the submission port (587), although prior to the upgrade it worked fine for months. I could not figure out where the problem is, so I downgraded to 2.9.5 (still working).

It may have something to do with USE flags or a subtle change of configuration options.

----------

## BrummBrumm

Same here.

They mention changes to the relay policy in http://www.postfix.org/announcements/postfix-2.10.0.html and here: http://www.postfix.org/SMTPD_ACCESS_README.html

EDIT:

When I re-emerged postfix-2.10.0 I noticed the following message:

 * COMPATIBILITY: adding smtpd_relay_restrictions to main.cf

 * to prevent inbound mail from unexpectedly bouncing.

 * Specify an empty smtpd_relay_restrictions value to keep using

 * smtpd_recipient_restrictions as before.

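works for me :)

[Note: with an empty smtpd_relay_restrictions, relay protection rests entirely on smtpd_recipient_restrictions, so that list must still contain reject_unauth_destination, as in the main.cf posted above.]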

----------

## dianthus

 *BrummBrumm wrote:*   

> 
> 
> When i re-emerged postfix-2.10.0 i noticed following message:
> 
>  * COMPATIBILITY: adding smtpd_relay_restrictions to main.cf
> ...

 

You made my day, thank you :)

----------

## Skymotz

oh my god,

it just took me 6,5 hours to find this post and it was exactly what I needed.

Thank you so much!

----------

