Relay access denied when using SMTP to external recipients

Discussion in 'Installation/Configuration' started by Kamran Shah, Oct 10, 2005.

  1. nevernamed

    nevernamed New Member

    lol....

    odd... I have port 25 open...
     
  2. ThePFY

    ThePFY New Member

    Post Fix Issues

    Hi

    i have got postfix installed on fedora core 6 (I followed the Howto)
    i can get e-mail out to my gmail address but when i reply i get the error message relay access denied when i try to reply from my g-mail account

    NDR from gmail
    Technical details of permanent failure:
    PERM_FAILURE: SMTP Error (state 13): 554 5.7.1 <rjb@ramage.org.uk>: Relay access denied

    ----- Original message -----

    Received: by 10.114.36.1 with SMTP id j1mr1494765waj.1185033628511;
    Sat, 21 Jul 2007 09:00:28 -0700 (PDT)
    Received: by 10.114.190.16 with HTTP; Sat, 21 Jul 2007 09:00:28 -0700 (PDT)
    Message-ID: <f8927d890707210900q7e8c2b21qe8c503ec73a0aca5@mail.gmail.com>
    Date: Sat, 21 Jul 2007 17:00:28 +0100
    From: "Ryan Bryant" <ryan.bryant@gmail.com>
    To: "Ryan John Bryant" <rjb@ramage.org.uk>
    Subject: Re: Tester
    In-Reply-To: <002001c7cbb0$3bdb2a10$6801a8c0@dreadnought>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_Part_121565_8195519.1185033628354"
    References: <002001c7cbb0$3bdb2a10$6801a8c0@dreadnought>


    if you want / need any more info i will be glad to provide it and welcome and thank you for your support in advance
    :)
     
  3. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    What tutorial exactly (URL)?
    What's the output of
    Code:
    postconf -n
    ? Do you use ISPConfig?
     
  4. rusty

    rusty New Member

    I have a similar issue. I can send mail from the server using command line (telnet), however using Outlook I get relay access denied. I have Outlook set to use authentication (same settings as incoming mailserver). I receive mail just fine in Outlook.

    log: Dec 17 02:13:46 mail postfix/smtpd[10296]: NOQUEUE: reject: RCPT from static-12-134-58-18.verizon.net[12-134-58-18]: 554 5.7.1 <joe@aol.com>: Relay access denied; from=<rusty@domain.com> to=<joe@aol.com> proto=ESMTP helo=<computername>

    Would you have any ideas? Thanks!
     
  5. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Are you absolutely sure you checked the right option in Outlook? If so, what's in /etc/postfix/main.cf, and what's the output of
    Code:
    telnet localhost 25
    and then
    Code:
    ehlo localhost
    ?
     
  6. rusty

    rusty New Member

    # telnet localhost 25
    Trying 127.0.0.1...
    telnet: connect to address 127.0.0.1: Connection refused
    telnet: Unable to connect to remote host: Connection refused

    # postconf -n
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    html_directory = no
    inet_interfaces = all
    inet_protocols = ipv4
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = $myhostname, localhost.$mydomain, localhost
    mydomain = domain.com
    myhostname = mail.domain.com
    mynetworks = 127.0.0.0/8
    myorigin = $myhostname
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
    receive_override_options = no_address_mappings
    recipient_delimiter = +
    relayhost =
    sample_directory = /usr/share/doc/postfix-2.3.3/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
    smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/pki/tls/certs/mail.domain.com.crt
    smtpd_tls_key_file = /etc/pki/tls/private/mail.domain.com.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:/var/spool/postfix/mtpd_tls_session_cache
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /home/vmail
    virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
    virtual_transport = dovecot
    virtual_uid_maps = static:5000




    # dovecot -n
    # 1.0.7: /etc/dovecot.conf
    login_dir: /var/run/dovecot/login
    login_executable(default): /usr/libexec/dovecot/imap-login
    login_executable(imap): /usr/libexec/dovecot/imap-login
    login_executable(pop3): /usr/libexec/dovecot/pop3-login
    mail_location: maildir:/home/vmail/%d/%n
    mail_executable(default): /usr/libexec/dovecot/imap
    mail_executable(imap): /usr/libexec/dovecot/imap
    mail_executable(pop3): /usr/libexec/dovecot/pop3
    mail_plugin_dir(default): /usr/lib64/dovecot/imap
    mail_plugin_dir(imap): /usr/lib64/dovecot/imap
    mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
    auth default:
    passdb:
    driver: sql
    args: /etc/dovecot-mysql.conf
    userdb:
    driver: passwd
    userdb:
    driver: static
    args: uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
    socket:
    type: listen
    client:
    path: /var/spool/postfix/private/auth
    mode: 432
    user: postfix
    group: postfix
    master:
    path: /var/run/dovecot/auth-master
    mode: 384
    user: vmail
     
  7. rusty

    rusty New Member

    I wanted to repost my output from postconf -n and dovecot -n because I'm not sure I was using my the latest main.cf and dovecot.conf files. Also I have the output from netstat -tap that doesn't show anything on port 25.

    I hope someone can help me as I've been stuck at this point for a week. Thanks so much for your time and effort!

    netstat -tap
    tcp 0 0 localhost.localdomain:2208 *:* LISTEN 2639/hpiod
    tcp 0 0 *:imaps *:* LISTEN 6975/dovecot
    tcp 0 0 *:pop3s *:* LISTEN 6975/dovecot
    tcp 0 0 localhost.localdomain:10025 *:* LISTEN 7058/master
    tcp 0 0 *:rtps-dd-mt *:* LISTEN 3235/hptsvr
    tcp 0 0 *:mysql *:* LISTEN 2821/mysqld
    tcp 0 0 *:courierpassd *:* LISTEN 2701/xinetd
    tcp 0 0 *:fcp-udp *:* LISTEN 2324/rpc.statd
    tcp 0 0 *:7403 *:* LISTEN 3235/hptsvr
    tcp 0 0 *:5900 *:* LISTEN 3485/vino-server
    tcp 0 0 *:pop3 *:* LISTEN 6975/dovecot
    tcp 0 0 localhost.local:dyna-access *:* LISTEN 2717/clamd
    tcp 0 0 *:imap *:* LISTEN 6975/dovecot
    tcp 0 0 localhost.localdomain:783 *:* LISTEN 2869/spamd.pid
    tcp 0 0 *:sunrpc *:* LISTEN 2285/portmap
    tcp 0 0 *:x11 *:* LISTEN 3401/X
    tcp 0 0 *:ndmp *:* LISTEN 3291/perl
    tcp 0 0 *:http *:* LISTEN 3006/httpd
    tcp 0 0 *:ftp *:* LISTEN 3265/pure-ftpd (SER
    tcp 0 0 *:ssh *:* LISTEN 2682/sshd
    tcp 0 0 localhost.localdomain:ipp *:* LISTEN 2661/cupsd
    tcp 0 0 *:https *:* LISTEN 3006/httpd
    tcp 0 0 localhost.localdomain:2207 *:* LISTEN 2644/python

    # postconf -n
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    html_directory = no
    inet_interfaces = all
    inet_protocols = ipv4
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = localhost
    mydomain = domain.com
    myhostname = mail.domain.com
    mynetworks = 127.0.0.0/8
    myorigin = $myhostname
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
    receive_override_options = no_address_mappings
    recipient_delimiter = +
    relayhost =
    sample_directory = /usr/share/doc/postfix-2.3.3/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
    smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/tls/smtpd.key
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:/var/spool/postfix/mtpd_tls_session_cache
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /home/vmail
    virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
    virtual_transport = dovecot
    virtual_uid_maps = static:5000

    # dovecot -n
    # 1.0.7: /etc/dovecot.conf
    listen(default): *:143
    listen(imap): *:143
    listen(pop3): *:110
    ssl_listen(default): *:993
    ssl_listen(imap): *:993
    ssl_listen(pop3): *:995
    login_dir: /var/run/dovecot/login
    login_executable(default): /usr/libexec/dovecot/imap-login
    login_executable(imap): /usr/libexec/dovecot/imap-login
    login_executable(pop3): /usr/libexec/dovecot/pop3-login
    first_valid_uid: 5000
    last_valid_uid: 5000
    first_valid_gid: 5000
    last_valid_gid: 5000
    mail_location: maildir:/home/vmail/%d/%n
    mail_executable(default): /usr/libexec/dovecot/imap
    mail_executable(imap): /usr/libexec/dovecot/imap
    mail_executable(pop3): /usr/libexec/dovecot/pop3
    mail_plugin_dir(default): /usr/lib64/dovecot/imap
    mail_plugin_dir(imap): /usr/lib64/dovecot/imap
    mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
    auth default:
    passdb:
    driver: sql
    args: /etc/dovecot-mysql.conf
    userdb:
    driver: passwd
    userdb:
    driver: static
    args: uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
    socket:
    type: listen
    client:
    path: /var/spool/postfix/private/auth
    mode: 432
    user: postfix
    group: postfix
    master:
    path: /var/run/dovecot/auth-master
    mode: 384
    user: vmail
     
  8. rusty

    rusty New Member

    Aha, I removed amavisd from main.cf and master.cf and uncommented
    smtp inet n - n - - smtpd in master.cf
    and now smtp is working. Unfortunately, I'm still stuck with this relay access denied message. I'll have to find out why the amavisd service fails to start, but still could use help on the relay access denied issue.
     
  9. rusty

    rusty New Member

    Postfix-Dovecot-MySQL

    I think that my authentication issue may arise out of postfix or dovecot not being able to get the user name and password from mysql. I'm trying to understand how that process works so I can look in the right place.

    It would be great if someone could explain how this part works. On the incoming side, there doesn't seem to be a problem with mysql.

    I'm not sure whether I should look at dovecot or postfix for the problem. Dovecot is the SASL type. I've done a lot of reading on this, but there doesn't seem to be very specific info on what is actually happening when Outlook attempts to authenticate with the SMTP part of Postfix/Dovecot.

    And I have questions about where I should look. Should I look in main.cf or master.cf? Or should I look at dovecot-mysql.conf or one of the mysql_virtual.....cf files? All this work is good for me as I'm learning alot, but I sure could use some help on this part.

    Thanks,

    Eric
     
  10. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    The relay access denied error has nothing to do with Dovecot - Dovecot is for fetching the emails from the server only. I think it's a problem with saslauthd.
    Which distribution are you using? What's the output of
    Code:
    ps aux | grep saslauthd
    ?
     
  11. rusty

    rusty New Member

    Thanks falco.

    I'm on Centos 5 (64).

    # ps aux | grep saslauthd
    root 3138 0.0 0.0 40008 476 ? Ss 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
    root 3139 0.0 0.0 40008 264 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
    root 3140 0.0 0.0 40008 260 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
    root 3141 0.0 0.0 40008 260 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
    root 3143 0.0 0.0 40008 260 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
    root 3742 0.0 0.0 60252 720 pts/0 R+ 11:42 0:00 grep saslauthd
     
  12. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    What's in /usr/lib64/sasl2/smtpd.conf? It should look like this:

    Code:
    pwcheck_method: saslauthd
    mech_list: plain login
     
  13. rusty

    rusty New Member

    Sorry for the delay, I was away on vacation. I resolved the issue.

    In Postfix 2.3 or later, one can use dovecot for sasl, which is what I was doing. Falko's comments about SASL helped me focus on that area and I found that PAM was not enabled in dovecot.conf

    Thank you Falko!
     
  14. Challenger

    Challenger New Member

    Similar Problem (fits with thread title!)

    Hello all,

    My problem is similar. I can connect when on my internal network through a variety of means, including IMAP and SMTP/POP, with and without TLS. However when I try to connect externally, I get 'relay denied' errors in my Postfix mail log as follows:

    NOQUEUE: reject: RCPT from unknown[xxx.xxx.xxx.xxx <but see comment below>]: 554 5.7.1 <username1@in.access.table>: Relay access denied; from=<username2@in.access.table> to=<username1@in.access.table> proto=ESMTP helo=<Inbox>

    (I have of course blanked out the IP address and changed the email addresses to show that I think they are checked)

    Now, I'm not sure whether this is a Postfix configuration problem, or a sasl problem (I do not have a sasl2/smtpd.conf file that I can find anywhere on my system!), or indeed a NAT problem (see below). I have checked 'authenticate outgoing mail' on my client.

    But here's the IP address discussion bit (possible NAT problem) as promised in the log entry: I have of course defined my networks and specified to permit them in Postfix's main.cf. However the error log suggests that Postfix might be rejecting on the IP address. It appears that it is seeing my public IP address from the public side of my router, not my local network IP address. I.E. my router might not be performing NAT properly. I.E. it is port forwarding, (Telnetting gets through fine) but not network address translating. Could this be (part of) the problem?

    I hope you can help, I've been on this for weeks. I'm happy to post any config file snippets, log entries etc that you might need.

    Thanks in advance,

    Andy
    :(
     
  15. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Which distribution are you using? Did you enable "Server requires authentication" in your email client?
     
  16. Challenger

    Challenger New Member

    Hi Falko, thanks for replying.

    I'm using Ubuntu 7.10. Yes, I have checked "Server requires authentication" in my client - and specified to use SSL for both incoming and outgoing.

    Andy
     
  17. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    What's in /etc/postfix/sasl/smtpd.conf and /etc/postfix/main.cf?

    Does it work if you disable SSL?
     
  18. Challenger

    Challenger New Member

    Hi again Falko,

    Thanks for trying to help. I answer your questions in the order you asked them.

    1. My /etc/postfix/sasl directory is completely empty! Might that be the problem!?

    2. The non-comment bits of /etc/postfix/main.cf are (I've protected anything sensitive like: 'working access file'):

    ----------------------------------------------------------------
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    smtpd_tls_cert_file = 'a file'
    smtpd_tls_key_file = 'another file'
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

    alias_maps = hash:/etc/aliases
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +

    smtp_sasl_auth_enable=yes
    smtp_sasl_password_maps=hash:'working passwd file location'
    smtp_sasl_security_options=

    maximal_queue_lifetime = 1d
    mydomain = pooh.boul.net
    myorigin = pooh.boul.net
    mydestination = pooh.boul.net, localhost.pooh.boul.net, localhost.boul.net, localhost
    home_mailbox = Maildir/

    mynetworks = 127.0.0.0/8, 192.168.1.0/24

    relayhost = outbound.mailhop.org:2525
    smtpd_delay_reject = no
    smtpd_sender_restrictions = hash:'working access file', reject_unknown_sender_domain
    smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:'working access file', reject_unauth_destination
    smtpd_helo_required = yes
    relay_domains = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit_inet_interfaces
    hash_queue_depth = 3
    delay_warning_time = 1
    --------------------------------------------------------

    3. It doesn't work if I turn of SSL in the client; it makes no difference. As you can see from above, SSL isn't required, just nice to have. I haven't tried turning off SSL completely (i.e. commenting out the relevant lines completely in main.cf).

    Any ideas?

    Thanks,

    Andy
     
  19. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Which tutorial did you use to set up the system? Are you trying to use virtual users or system users?
     
  20. Challenger

    Challenger New Member

    I didn't really use a tutorial as such. I installed packages then used help files to adjust out-of-the-box settings.

    I am only interested in system users.

    Thanks.
     

Share This Page