Fresh install getting "Relay access denied" error

[ai42]

I just finished a fresh install of a server using the "The Perfect Server - Ubuntu 10.04 [ISPConfig 3]" article. With the exception that I installed VMware tools + installed ISPConfig 3.0.2.2 instead of 3.0.2.1

Everything seems to work ok I hooked up 1 of my domains to this box website works, setup a email box. The mailbox appears to work I can receive mail to the box from external sources (via imap). As well as I can send email out via webmail. However when attempting to send emails via smtp (using Thunderbird) I'm getting a "An error occurred while sending mail. The mail server responded: 5.7.1 <me@123.com>: Relay access denied. Please check the message recipient me@123.com and try again." I've googled around and I found a couple references to tweaks of /etc/postfix/main.cf but those appeared to be relevant for ISPConfig 2 and not 3.

Server setup
Ubuntu 10.04 with normal updates
ISPConfig 3.0.2.2
Inside of DMZ then connected to WAN via NAT

Relavant bit of /ver/log/mail.log
Sep 14 18:51:20 roslin postfix/smtpd[29921]: connect from cpe-173-172-xx-xxx.tx.res.rr.com[173.172.xx.xxx]
Sep 14 18:51:20 roslin postfix/smtpd[29921]: NOQUEUE: reject: RCPT from cpe-173-172-xx-xxx.tx.res.rr.com[173.172.xx.xxx]: 554 5.7.1 <me@123.com>: Relay access denied; from=<me@abc.com> to=<me@123.com> proto=SMTP helo=<me-macbook.local>
Sep 14 18:53:10 roslin postfix/smtpd[29921]: lost connection after RCPT from cpe-173-172-xx-xxx.tx.res.rr.com[173.172.xx.xxx]
Sep 14 18:53:10 roslin postfix/smtpd[29921]: disconnect from cpe-173-172-xx-xxx.tx.res.rr.com[173.172.xx.xxx]

output of postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = roslin.123.com, localhost, localhost.localdomain
myhostname = roslin.123.com
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = maildrop
virtual_uid_maps = static:5000

For reference 123.com is not currently hosted on this box and is external. abc.com is hosted on this box. I've played around with the mynetworks value and hardcoded my IP and it appears not to work. I do intend to use this email for potentially several customers so I need it WAN accessible.

Any help would be much appreciated

[till]

You have to enable smtp authentication in thunderbird.

[ai42]

Quote:

Originally Posted by till

You have to enable smtp authentication in thunderbird.

I do have smtp authentication enabled.

Actually I did make some progress I did change the mynetworks value to include my external IP address and it allowed me to send emails.

However, this isn't quite the behavior I'm looking for since I have users whom would be connecting through iphones, and who knows what kind of network connection.

So the question is how to I open up mynetworks to be internet facing without being a completely open relay.

[ai42]

So after much more reading I think my problem is that the postfix-sasl authentication is not working properly. I've opened up mynetworks to the world 0.0.0.0/256 however that just made an open relay to the world.

[till]

Post the exact sasl error messages that you get in the mail log file.

Quote:

I've opened up mynetworks to the world 0.0.0.0/256 however that just made an open relay to the world.

You should undo that as soon as possible!

[ai42]

Yea I backed out the mynetwork config pretty quick once I figured out what that was doing.

See thats the thing I don't see any SASL errors in the mail.log file. I'm not seeing a SASL error but that's the only thing I can assume is wrong. I do have Thunderbird setup to use authentication. But it appears based on the log if it does it's not working.

Sep 15 15:03:21 roslin postfix/smtpd[27210]: warning: 50.9.xxx.xx: hostname 50-9-xxx-xx.txr.clearwire-wmx.net verification failed: Name or service not known
Sep 15 15:03:21 roslin postfix/smtpd[27210]: connect from unknown[50.9.xxx.xx]
Sep 15 15:03:23 roslin postfix/smtpd[27210]: NOQUEUE: reject: RCPT from unknown[50.9.xxx.xx]: 554 5.7.1 <me@123.com>: Relay access denied; from=<me@abc.com> to=<me@123.com> proto=SMTP helo=<50-9-xxx-xx.txr.clearwire-wmx.net>
Sep 15 15:03:26 roslin postfix/smtpd[27210]: disconnect from unknown[50.9.xxx.xx]

Also a manual connection to the server remotely doesn't respond to ehlo command.
$ telnet 67.210.xxx.xx 25
Trying 67.210.xxx.xx...
Connected to 67.210.xxx.xx.
Escape character is '^]'.
220 roslin.abc.com ESMTP Postfix (Ubuntu)
ehlo
502 5.5.2 Error: command not recognized
ehlo abc.com
502 5.5.2 Error: command not recognized
ehlo localhost
502 5.5.2 Error: command not recognized

[falko]

Quote:

Originally Posted by ai42

Also a manual connection to the server remotely doesn't respond to ehlo command.
$ telnet 67.210.xxx.xx 25
Trying 67.210.xxx.xx...
Connected to 67.210.xxx.xx.
Escape character is '^]'.
220 roslin.abc.com ESMTP Postfix (Ubuntu)
ehlo
502 5.5.2 Error: command not recognized
ehlo abc.com
502 5.5.2 Error: command not recognized
ehlo localhost
502 5.5.2 Error: command not recognized

That's strange. Are there any other errors in your mail log?