[pfx] Re: relay access denied

2023-09-10 Thread Patrice Go via Postfix-users
It seems that if the relay restrictions define a network restriction, I have
to indicate a network in main.cf, otherwise it will fail.
I did it, and it is working now.
Thanks.

On Thu, 7 Sept 2023 at 22:14, Noel Jones via Postfix-users <
postfix-users@postfix.org> wrote:

> On 9/7/2023 2:31 PM, Patrice Go via Postfix-users wrote:
> > Hi,
> >
> > In fact I have a server www.domain.org which
> > sends emails (from PHP www-data) to an external email t...@.net
> > by means of a mail relay, mail.domain.org.
> > The message from www is transmitted to
> > mail, but I don't understand what happens; the message is rejected
> > with a relay access denied.
> > I have this log (from mail.domain.org):
> > NOQUEUE: reject: RCPT from unknown[xxx.22.xx.1x]: 554 5.7.1
> > <t...@x.net>: Relay access denied;
> > from=<www-d...@domain.org>
> > to=<t...@x.net> proto=ESMTP
> > helo=<www.domain.org>
> >
> > You can see the postconf -n:
> > https://paste.debian.net/1291288/
> >
> > I tested without check_sender_access, but the result is the same.
> >
> > Is there something I am missing?
> >
>
>
> To allow relay, the client must either be listed in mynetworks, or
> authenticate via SASL or an approved TLS certificate.
>
> Please see
> http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
>
> and also possibly
> http://www.postfix.org/SASL_README.html
> http://www.postfix.org/TLS_README.html
>
>
>
>-- Noel Jones
> ___
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
>


[pfx] Re: relay access denied

2023-09-07 Thread Noel Jones via Postfix-users

On 9/7/2023 2:31 PM, Patrice Go via Postfix-users wrote:

> Hi,
>
> In fact I have a server www.domain.org which
> sends emails (from PHP www-data) to an external email t...@.net
> by means of a mail relay, mail.domain.org.
> The message from www is transmitted to
> mail, but I don't understand what happens; the message is rejected
> with a relay access denied.
>
> I have this log (from mail.domain.org):
> NOQUEUE: reject: RCPT from unknown[xxx.22.xx.1x]: 554 5.7.1
> <t...@x.net>: Relay access denied;
> from=<www-d...@domain.org>
> to=<t...@x.net> proto=ESMTP
> helo=<www.domain.org>
>
> You can see the postconf -n:
> https://paste.debian.net/1291288/
>
> I tested without check_sender_access, but the result is the same.
>
> Is there something I am missing?




To allow relay, the client must either be listed in mynetworks, or 
authenticate via SASL or an approved TLS certificate.


Please see
http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from

and also possibly
http://www.postfix.org/SASL_README.html
http://www.postfix.org/TLS_README.html



  -- Noel Jones


[pfx] Re: Relay access denied (Dovecot)

2023-09-04 Thread Jaroslaw Rafa via Postfix-users
On 4.09.2023 at 15:38:38, lejeczek via Postfix-users wrote:
> 
> I did have '#virtual_mailbox_domains' - being amateur in my mind it
> did not make sense, since I wanted Postfix to relay on Dovecot, to
> have it & removed those.
[...]
> If I add more, like 'virtual_mailbox_maps', etc. then it "fixes"
> delivery but !! defeats the purpose/goal - Dovecot's auth & delivery
> - no?

So you want to relay mail to Dovecot via LMTP for Dovecot to do delivery? In
that case you need to define "virtual_transport=". An example is here:
http://www.postfix.org/VIRTUAL_README.html#in_virtual_other . It is also
described in Dovecot documentation:
https://doc.dovecot.org/configuration_manual/howto/postfix_dovecot_lmtp/
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Relay access denied (Dovecot)

2023-09-04 Thread lejeczek via Postfix-users




On 04/09/2023 15:05, Jaroslaw Rafa via Postfix-users wrote:
> On 4.09.2023 at 14:53:42, lejeczek via Postfix-users wrote:
>> Postfix logs when mail is sent to it:
>> ...
>> connect from smtpo71.interia.pl[217.74.67.71]
>> Anonymous TLS connection established from
>> smtpo71.interia.pl[217.74.67.71]: TLSv1.2 with cipher
>> ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
>> NOQUEUE: reject: RCPT from smtpo71.interia.pl[217.74.67.71]: 554
>> 5.7.1 : Relay access denied; from=
>> to= proto=ESMTP helo=
>> ...
>>
>> but at the same time Postfix sends mail out just fine.
>> I'm hoping what missed or got wrong must be trivial - what that
>> might be?
>
> Did you define in the Postfix config that Postfix should handle mail for
> domain some.xyz ? Like "mydestination=", "virtual_mailbox_domains=" or
> "virtual_alias_domains=" (depending on how do you deliver mail for that
> domain).

I did have '#virtual_mailbox_domains' - being amateur in my 
mind it did not make sense, since I wanted Postfix to relay 
on Dovecot, to have it & removed those.

Which one of those would be 'best practice/option' ?

If I use "virtual_mailbox_domains" then logs show:
...
fatal: bad string length 0 < 1: virtual_mailbox_base =
...
so I add that.
Now Postfix errors out:
...
prepend Received-SPF: Pass (mailfrom) identity=mailfrom; 
client-ip=217.74.67.62; helo=smtpo62.interia.pl; 
envelope-from=s...@int.pl; receiver=

E603C6070980: client=smtpo62.interia.pl[217.74.67.62]
E603C6070980: 
message-id=
disconnect from smtpo62.interia.pl[217.74.67.62] ehlo=2 
starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
E603C6070980: from=, size=2699, nrcpt=1 (queue 
active)

connect from localhost[127.0.0.1]
BCA3A6070981: client=localhost[127.0.0.1]
BCA3A6070981: 
message-id=
disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 
data=1 quit=1 commands=5
BCA3A6070981: from=, size=3207, nrcpt=1 (queue 
active)
E603C6070980: to=, 
relay=127.0.0.1[127.0.0.1]:10024, delay=21, 
delays=5.2/0.01/0/16, dsn=2.0.0, status=sent (250 2.0.0 from 
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 
BCA3A6070981)

E603C6070980: removed
BCA3A6070981: to=, relay=virtual, 
delay=0.05, delays=0.02/0/0/0.02, dsn=5.1.1, status=bounced 
(unknown user: "syst...@some.xyz")
C7D846070980: 
message-id=<20230904131848.c7d846070...@swir.mine.priv>

BCA3A6070981: sender non-delivery notification: C7D846070980
C7D846070980: from=<>, size=5075, nrcpt=1 (queue active)
BCA3A6070981: removed


but that user "syst...@some.xyz" does exist, Dovecot says so. 
(& sends out successfully)
If I add more, like 'virtual_mailbox_maps', etc. then it 
"fixes" delivery but !! defeats the purpose/goal - Dovecot's 
auth & delivery - no?





[pfx] Re: Relay access denied (Dovecot)

2023-09-04 Thread Jaroslaw Rafa via Postfix-users
On 4.09.2023 at 14:53:42, lejeczek via Postfix-users wrote:
> Postfix logs when mail is sent to it:
> ...
> connect from smtpo71.interia.pl[217.74.67.71]
> Anonymous TLS connection established from
> smtpo71.interia.pl[217.74.67.71]: TLSv1.2 with cipher
> ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
> NOQUEUE: reject: RCPT from smtpo71.interia.pl[217.74.67.71]: 554
> 5.7.1 : Relay access denied; from=
> to= proto=ESMTP helo=
> ...
> 
> but at the same time Postfix sends mail out just fine.
> I'm hoping what missed or got wrong must be trivial - what that
> might be?

Did you define in the Postfix config that Postfix should handle mail for
domain some.xyz ? Like "mydestination=", "virtual_mailbox_domains=" or
"virtual_alias_domains=" (depending on how do you deliver mail for that
domain).
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: Relay access denied if mysql table is used

2020-05-05 Thread Wietse Venema
Robert Nemet:
> postmap query:
> postmap -q robert.ne...@virtualdomain.uk mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

That is the wrong query. As documented, virtual_mailbox_domains
is queried with the DOMAIN NAME not the email address.

Wietse
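
The lookup-key behaviour described above, as an added example that is not part of the thread: per mysql_table(5), `%d` only expands when the key has the form user@domain, so a query written with `%d` is suppressed when Postfix looks up a bare domain name, while `%s` (or `%u`) receives the whole key. The in-memory SQLite table stands in for MySQL and its contents are constructed; the table and column names are the ones in the query posted in this thread.

```python
import sqlite3


def sql_quote(text):
    # Simplified stand-in for the SQL escaping Postfix applies to the key.
    return text.replace("'", "''")


def expand_query(template, key):
    """Expand %s, %u, %d and %% the way mysql_table(5) documents them.

    Returns the SQL text, or None when the query would be suppressed.
    """
    local, at, domain = key.rpartition("@")
    out, i = [], 0
    while i < len(template):
        if template[i] != "%" or i + 1 == len(template):
            out.append(template[i])
            i += 1
            continue
        code = template[i + 1]
        i += 2
        if code == "%":
            out.append("%")
        elif code == "s":                 # the whole lookup key
            out.append(sql_quote(key))
        elif code == "u":                 # local part, or whole key if no '@'
            if at and not local:
                return None               # empty local part: suppressed
            out.append(sql_quote(local if at else key))
        elif code == "d":                 # domain part; needs user@domain
            if not at:
                return None               # bare domain key: suppressed
            out.append(sql_quote(domain))
        else:
            raise ValueError("expansion %" + code + " is not modelled here")
    return "".join(out)


def build_db(domains):
    # Constructed sample data; SQLite replaces MySQL for this example only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domain (name TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO domain VALUES (?)", [(d,) for d in domains])
    return db


def lookup(db, template, key):
    """One table lookup: first column of the first row, or None if no match."""
    sql = expand_query(template, key)
    if sql is None:
        return None
    row = db.execute(sql).fetchone()
    return None if row is None else str(row[0])


DB = build_db(["virtualdomain.uk"])
POSTED_QUERY = "SELECT 1 FROM domain WHERE name='%d'"   # query from the thread
WHOLE_KEY_QUERY = "SELECT 1 FROM domain WHERE name='%s'"


def demo():
    address, domain = "someone@virtualdomain.uk", "virtualdomain.uk"
    return {
        # What the postmap test with an address exercised:
        "posted query, address key": lookup(DB, POSTED_QUERY, address),
        # What virtual_mailbox_domains actually asks:
        "posted query, domain key": lookup(DB, POSTED_QUERY, domain),
        "%s query, domain key": lookup(DB, WHOLE_KEY_QUERY, domain),
        "%s query, address key": lookup(DB, WHOLE_KEY_QUERY, address),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28} -> {result!r}")
```

Testing the table with `postmap -q` and the bare domain as the key reproduces the lookup that `virtual_mailbox_domains` performs.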


Re: Relay access denied if mysql table is used

2020-05-05 Thread Robert Nemet
"A table that is expected to return a result for a query with a lookup
key of each of the *domain names* (the result is ignored, the
*existence* of the key is what counts)."

Yes, OK, I checked the manual: ""type:table" lookup table is matched when
a name matches a lookup key (the lookup result is ignored)."
But doesn't this mean that if there is a return, it should pass, if there
isn't, it shouldn't? So even if I list all the domains, it should be
working?
Anyway, I changed the query, and now it just returns '1', but it still
doesn't work.

"That's not the right lookup key, and an irrelevant result."
So what is the problem with this?:
mysql-virtual-domain.cf:
...
query = SELECT 1 FROM domain WHERE name='%d'

postmap query:
postmap -q robert.ne...@virtualdomain.uk mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
1
postmap -q robert.ne...@anyotherdomain.uk mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf



" But frankly, I
don't recommend using an SQL table for the virtual domains unless you're
going to be hosting a much larger (dynamic) population of these than
just three."
There are 58 domains in the table on production, and it will be more. I
wouldn't bother using SQL if it was just a couple of domains and new ones
were added once in every year :)






On Mon, May 4, 2020 at 8:18 PM Viktor Dukhovni wrote:

> On Mon, May 04, 2020 at 08:08:25PM +0100, Robert Nemet wrote:
>
> > main.cf
> >
> > *** version one, working configuration ***
> >
> > virtual_mailbox_domains = myvirtualdomain.uk,myvirtualdomain2.uk,
> > myvirtualdomain3.uk
>
> A list of *domain names*.
>
> > *** version two ***
> >
> > virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
> > [...]
> > Mail is rejected:
>
> A table that is expected to return a result for a query with a lookup
> key of each of the *domain names* (the result is ignored, the
> *existence* of the key is what counts).
>
> > If I query the table with postmap, I get the same result as the working
> > config:
> >
> > postmap -q robert.ne...@virtualdomain.uk mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
> > myvirtualdomain.uk,myvirtualdomain2.uk,myvirtualdomain3.uk
>
> That's not the right lookup key, and an irrelevant result.
>
> > Could anybody tell me what can be the problem?
>
> The table does not hold the domains as lookup keys.  But frankly, I
> don't recommend using an SQL table for the virtual domains unless you're
> going to be hosting a much larger (dynamic) population of these than
> just three.
>
> --
> Viktor.
>


Re: Relay access denied if mysql table is used

2020-05-04 Thread @lbutlr
On 04 May 2020, at 13:08, Robert Nemet  wrote:
> 
> virtual_mailbox_domains = 
> proxy:mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

What is in mysql-virtual-mailbox-domains.cf?

> virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
> proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps2.cf
> proxy:mysql:/etc/postfix/mysql-virtual-recipients-alias.cf

VMM should only contain the map for the mailboxes (ie username in the database).

virtual_alias_maps =
    proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
    hash:$config_directory/virtual
virtual_mailbox_domains =
    proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
    proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf

mysql_virtual_alias_maps.cf 
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address

mysql_virtual_domains_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query  = SELECT domain FROM domain WHERE domain='%u'

mysql_virtual_mailbox_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = mailbox
select_field = maildir
where_field = username

Note the differences in these files and where they are used in main.cf 
(obviously, set your own username, password, dbname, and hosts).

> postmap -q robert.ne...@virtualdomain.uk 
> mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf 
> myvirtualdomain.uk,myvirtualdomain2.uk,myvirtualdomain3.uk

That is wrong; a lookup for a domain should look up only the domain and return 
only the domain if it exists.

# postmap -q kreme.com mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
kreme.com
# postmap -q notkreme.com mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
#

Mailbox maps might return “user” or “u...@domain.tld” depending on your setup.

# postmap -q krem...@kreme.com mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
krem...@kreme.com/
# postmap -q krem...@notkreme.com mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
#

And alias maps will only return a result if the user@domain maps to an alias 
to a different user@domain. (So most of the time it should probably return 
nothing.)



-- 
"Are you pondering what I'm pondering?"
Yeah, but I thought Madonna already had a steady bloke!”




Re: Relay access denied if mysql table is used

2020-05-04 Thread Viktor Dukhovni
On Mon, May 04, 2020 at 08:08:25PM +0100, Robert Nemet wrote:

> main.cf
> 
> *** version one, working configuration ***
> 
> virtual_mailbox_domains = myvirtualdomain.uk,myvirtualdomain2.uk, 
> myvirtualdomain3.uk

A list of *domain names*.

> *** version two ***
> 
> virtual_mailbox_domains = 
> proxy:mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
> [...]
> Mail is rejected:

A table that is expected to return a result for a query with a lookup
key of each of the *domain names* (the result is ignored, the
*existence* of the key is what counts).

> If I query the table with postmap, I get the same result as the working
> config:
> 
> postmap -q robert.ne...@virtualdomain.uk  
> mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
> myvirtualdomain.uk,myvirtualdomain2.uk,myvirtualdomain3.uk

That's not the right lookup key, and an irrelevant result.

> Could anybody tell me what can be the problem?

The table does not hold the domains as lookup keys.  But frankly, I
don't recommend using an SQL table for the virtual domains unless you're
going to be hosting a much larger (dynamic) population of these than
just three.

-- 
Viktor.


Re: Relay Access Denied

2019-03-25 Thread VP Lists
> 
> On Mar 25, 2019, at 11:28 AM, Viktor Dukhovni  
> wrote:
> 
> As for why "mynetworks" is not enough, perhaps time to look
> at your master.cf file...

Fixed.  I needed a “From” header for gmail to accept it.  That was inside the 
Ruby gem configuration.  

Cheers

_
Rich in Toronto @ VP








Re: Relay Access Denied

2019-03-25 Thread VP Lists


> On Mar 25, 2019, at 11:28 AM, Viktor Dukhovni  
> wrote:
> 
> As for why "mynetworks" is not enough, perhaps time to look
> at your master.cf file...

Here it is:

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
# ==
#  Begin auto-generated section 
# This section of the master.cf file is auto-generated by the Server Admin
#  Mail backend plugin whenever mails settings are modified.
smtp  inet  n   -   n   -   1   postscreen
smtpd pass  -   -   n   -   -   smtpd
dnsblog   unix  -   -   n   -   0   dnsblog
tlsproxy  unix  -   -   n   -   0   tlsproxy
submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
smtp  unix  -   -   n   -   -   smtp
# === End auto-generated section ===
# Modern SMTP clients communicate securely over port 25 using the STARTTLS command.
# Some older clients, such as Outlook 2000 and its predecessors, do not properly
# support this command and instead assume a preconfigured secure connection
# on port 465. This was sometimes called "smtps", but such usage was never
# approved by the IANA and therefore conflicts with another, legitimate assignment.
# For more details about managing secure SMTP connections with postfix, please see:
#   http://www.postfix.org/TLS_README.html
# To read more about configuring secure connections with Outlook 2000, please read:
#   http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307772
# Apple does not support the use of port 465 for this purpose.
# After determining that connecting clients do require this behavior, you may choose
# to manually enable support for these older clients by uncommenting the following
# four lines.
#465  inet  n   -   n   -   -   smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628   inet  n   -   n   -   -   qmqpd
pickup    fifo  n   -   n   60  1   pickup
  -o content_filter=
cleanup   unix  n   -   n   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
#qmgr fifo  n   -   n   300 1   oqmgr
tlsmgr    unix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer unix  -   -   n   -   0   bounce
trace unix  -   -   n   -   0   bounce
verify    unix  -   -   n   -   1   verify
sacl-cache unix -   -   n   -   1   sacl-cache
flush unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix  -   -   n   -   -   smtp
  -o smtp_fallback_relay=
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix  n   -   n   -   -   showq
error unix  -   -   n   -   -   error
retry unix  -   -   n   -   -   error
discard   unix  -   -   n   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   n   -   -   lmtp
anvil unix  -   -   n   -   1   anvil
scache    unix  -   -   n   -   1   scache
#
# 
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# 
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -   n   n   -   -   pipe
#  flags=DRhu user=vmail 

Re: Relay Access Denied

2019-03-25 Thread Viktor Dukhovni
> On Mar 25, 2019, at 7:23 AM, VP Lists  wrote:
> 
>>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
>>> permit
>> 
>> This is rather pointless.

Delete it, it serves no purpose.

>>> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
>>>   reject unauthdestination permit
>> 
>> This is rather busted.
> 
> I don’t know why.  This is how the package came.  

No, it did not.  It probably had:

   smtpd_recipient_restrictions =
       permit_sasl_authenticated,
       permit_mynetworks,
       reject_unauth_destination,
       permit

what you have rejects all inbound email from outside senders.

>>> smtpd_tls_ciphers = medium
>>> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
>> 
>> The default settings are better.
> 
> These are the defaults it came with.

Take the defaults from a more recent release:

  # Remove this from main.cf, taking the empty default
  smtpd_tls_exclude_ciphers =

  # Add these:
  smtpd_tls_ciphers = medium
  smtpd_tls_protocols = !SSLv2, !SSLv3
  smtp_tls_ciphers = medium
  smtp_tls_protocols = !SSLv2, !SSLv3

As for why "mynetworks" is not enough, perhaps time to look
at your master.cf file...

-- 
Viktor.
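
Why the list with a bare `reject` turns away outside senders, as an added example that is not part of the thread: a simplified model of left-to-right, first-decision-wins evaluation covering only the restriction names that appear on this page. The client flags, `OUR_DOMAINS` and the recipient domains are assumptions made for the illustration.

```python
import re

# The two lists discussed above, plus the one quoted in the 2018 thread below.
BUSTED = "permit_sasl_authenticated permit_mynetworks reject unauthdestination permit"
LIKELY = "permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit"
HOME_SERVER = ("permit_mynetworks, permit_auth_destination, "
               "permit_sasl_authenticated, reject, reject_unauth_destination")

OUR_DOMAINS = {"mydomain.com"}   # constructed: domains this server accepts mail for


def tokens(value):
    """Restriction names, separated by commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def evaluate(restrictions, in_mynetworks, sasl_authenticated, rcpt_domain):
    """Return (action, deciding restriction) for one RCPT TO command."""
    ours = rcpt_domain.lower() in OUR_DOMAINS
    for name in tokens(restrictions):
        if name == "permit_mynetworks":
            if in_mynetworks:
                return ("permit", name)
        elif name == "permit_sasl_authenticated":
            if sasl_authenticated:
                return ("permit", name)
        elif name == "permit_auth_destination":
            if ours:
                return ("permit", name)
        elif name == "reject_unauth_destination":
            if not ours:
                return ("reject", name)
        elif name in ("permit", "reject"):
            return (name, name)           # unconditional: always decides
        else:
            return ("error", name)        # name not modelled in this example
    return ("permit", "(end of list)")


def unreachable(restrictions):
    """Names that can never be evaluated because an unconditional
    permit/reject sits in front of them."""
    names = tokens(restrictions)
    for i, name in enumerate(names):
        if name in ("permit", "reject"):
            return names[i + 1:]
    return []


if __name__ == "__main__":
    for label, rules in (("busted", BUSTED), ("likely", LIKELY)):
        # Outside sender (not in mynetworks, not authenticated), our own domain.
        print(label, "inbound:", evaluate(rules, False, False, "mydomain.com"))
        # LAN client relaying to a foreign domain.
        print(label, "LAN relay:", evaluate(rules, True, False, "gmail.com"))
        print(label, "never evaluated:", unreachable(rules))
```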



Re: Relay Access Denied

2019-03-25 Thread B. Reino

On Mon, 25 Mar 2019, VP Lists wrote:

>> On Mar 25, 2019, at 1:37 AM, Viktor Dukhovni wrote:
>>
>> This must be some Apple-specific Postfix setting, are you running Apple's
>> Postfix binaries?
>
> mail_version = 2.9.2


smtpd_relay_restrictions appeared only with 2.10. That explains the 
"unused parameter" warning.


Your (old) version should IIRC use only smtpd_recipient_restrictions.

But given that you have some weird version on a weird OS with a weird 
configuration, I will have to pass.


Best is to reinstall, from a trusted (non-Apple?) source, and start with 
default configuration, which is very sane. Only touch what you actually 
need to touch, and leave the rest to Viktor and Wietse, who seem to know 
what they do :)


Cheers and good luck.


Re: Relay Access Denied

2019-03-25 Thread VP Lists


> On Mar 25, 2019, at 1:37 AM, Viktor Dukhovni  
> wrote:
> 
>> 
>> # /var/log/mail.log:
>> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: CONNECT from 
>> [192.168.1.4]:52147 to [192.168.1.6]:25
>> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: PASS OLD 
>> [192.168.1.4]:52147
>> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: connect from 
>> unknown[192.168.1.4]
>> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: NOQUEUE: reject: 
>> RCPT from unknown[192.168.1.4]: 554 5.7.1 : Relay access 
>> denied; from= to= proto=ESMTP 
>> helo=
> 
> This is likely blocked by "smtpd_relay_restrictions", or your
> mynetworks setting had not yet taken effect for all the running
> smtpd(8) processes.

At the moment, that directive is commented-out.  I was getting reports that it 
was not being used:

$ sudo postfix reload
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated 
reject_unauth_destination
postfix/postfix-script: refreshing the Postfix mail system

Either way, with that directive active or not, same results: Relay access denied

>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
>> permit
> 
> This is rather pointless.
> 
>> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
>>reject unauthdestination permit
> 
> This is rather busted.

I don’t know why.  This is how the package came.  

>> smtpd_tls_ciphers = medium
>> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
> 
> The default settings are better.

These are the defaults it came with.  

>> use_sacl_cache = yes
> 
> This must be some Apple-specific Postfix setting, are you running Apple's
> Postfix binaries?

They all are.  Yes this is Mountain Lion (10.8.5) Server.  Is there a default 
setup for LAN access?  I find their setup rather restrictive.  I’ve had issues 
with this setup before.  Security in the LAN is tight already, so I don’t need 
my mail server keeping me out.  

Cheers

_
Rich in Toronto @ VP








Re: Relay Access Denied

2019-03-25 Thread VP Lists


> On Mar 25, 2019, at 1:37 AM, Viktor Dukhovni  
> wrote:
> 
> This must be some Apple-specific Postfix setting, are you running Apple's
> Postfix binaries?

mail_version = 2.9.2

_
Rich in Toronto @ VP








Re: Relay Access Denied

2019-03-24 Thread Viktor Dukhovni
On Sun, Mar 24, 2019 at 06:38:40PM -0400, VP Lists wrote:

> # /var/log/mail.log:
> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: CONNECT from 
> [192.168.1.4]:52147 to [192.168.1.6]:25
> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: PASS OLD 
> [192.168.1.4]:52147
> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: connect from 
> unknown[192.168.1.4]
> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: NOQUEUE: reject: 
> RCPT from unknown[192.168.1.4]: 554 5.7.1 : Relay access 
> denied; from= to= proto=ESMTP 
> helo=

This is likely blocked by "smtpd_relay_restrictions", or your
mynetworks setting had not yet taken effect for all the running
smtpd(8) processes.

> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit

This is rather pointless.

> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
> reject unauthdestination permit

This is rather busted.

> smtpd_tls_ciphers = medium
> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL

The default settings are better.

> use_sacl_cache = yes

This must be some Apple-specific Postfix setting, are you running Apple's
Postfix binaries?

-- 
Viktor.


Re: Relay Access Denied

2019-03-24 Thread VP Lists


> On Mar 24, 2019, at 6:31 PM, Viktor Dukhovni  
> wrote:
> 
> On Sun, Mar 24, 2019 at 05:36:56PM -0400, VP Lists wrote:
> 
>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
>> permit
> 
> What do you expect this to do?

At this point I have no clue.  I think it was in there from previous messing.  

>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
>> reject_unauth_destination
>> 
>> Same error.  
> 
> Care to post logs?  Care to post "postconf -nf" (older versions
> "postconf -n") output?

# /var/log/mail.log:
Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: CONNECT from 
[192.168.1.4]:52147 to [192.168.1.6]:25
Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: PASS OLD 
[192.168.1.4]:52147
Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: connect from 
unknown[192.168.1.4]
Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: NOQUEUE: reject: RCPT 
from unknown[192.168.1.4]: 554 5.7.1 : Relay access denied; 
from= to= proto=ESMTP 
helo=
Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: disconnect from 
unknown[192.168.1.4]

So below we see that mynetworks includes the LAN for relaying.  But above, it 
says my workstation (192.168.1.4) is unknown.  No clue why.  

$ postconf -nf

biff = no
command_directory = /usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
$daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
inet_interfaces = loopback-only
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydomain_fallback = localhost
mynetworks = 192.168.1.0/24, 192.168.1.23, 192.168.1.4, 127.0.0.0/8, [::1]/128 
# RF
newaliases_path = /usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
reject unauthdestination permit
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes


_
Rich in Toronto @ VP




Re: Relay Access Denied

2019-03-24 Thread Viktor Dukhovni
On Sun, Mar 24, 2019 at 05:36:56PM -0400, VP Lists wrote:

> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit

What do you expect this to do?

> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
> reject_unauth_destination
> 
> Same error.  

Care to post logs?  Care to post "postconf -nf" (older versions
"postconf -n") output?

-- 
Viktor.


Re: Relay Access Denied

2019-03-24 Thread VP Lists


> On Mar 24, 2019, at 5:20 PM, B. Reino  wrote:
> 
> Sorry for top posting. Mobile client here..

No problem.  I don’t mind top-posting anywhere.

> Your mynetworks has 192.168.0.0/24 but you say you use 192.168.x.x, i.e. 
> 192.168.0.0/16.
> 
> In the headers of your mail I see 192.168.1.4, which would thus not be in 
> mynetworks.

Yes, it’s now corrected.

mynetworks = 192.168.1.0/24 127.0.0.0/8

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
recipient_delimiter = +
smtpd_tls_ciphers = medium
inet_protocols = all
inet_interfaces = loopback-only
config_directory = /Library/Server/Mail/Config/postfix

smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks 
reject unauthdestination permit

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
reject_unauth_destination


Same error.  


> So you may want to check that..

_
Rich in Toronto @ VP








Re: Relay Access Denied

2019-03-24 Thread B. Reino
Sorry for top posting. Mobile client here..

Your mynetworks has 192.168.0.0/24 but you say you use 192.168.x.x, i.e. 
192.168.0.0/16.

In the headers of your mail I see 192.168.1.4, which would thus not be in 
mynetworks.

So you may want to check that..
Cheers.


On March 24, 2019 8:35:59 PM UTC, VP Lists  
wrote:
>Hi folks.
>
>I’m on a LAN, with a mail server on OS X Server Mountain Lion. It’s
>running Postfix as a mail server.  
>
>My LAN has a 192.168.x.x range.  I’m getting that error when an app I’m
>developing, is trying to send an email out through this email server to
>the internet.  A gmail address specifically. 
>
>
>
>My main.cf:
>
>biff = no
>command_directory = /usr/sbin
>config_directory = /Library/Server/Mail/Config/postfix
>daemon_directory = /usr/libexec/postfix
>data_directory = /Library/Server/Mail/Data/mta
>debug_peer_level = 2
>debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>xxgdb $daemon_directory/$process_name $process_id & sleep 5
>dovecot_destination_recipient_limit = 1
>html_directory = /usr/share/doc/postfix/html
>imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
>inet_interfaces = loopback-only
>inet_protocols = all
>mail_owner = _postfix
>mailbox_size_limit = 0
>mailq_path = /usr/bin/mailq
>manpage_directory = /usr/share/man
>message_size_limit = 10485760
>mydomain_fallback = localhost
>mynetworks = 192.168.0.0/24 127.0.0.0/8# RF
>newaliases_path = /usr/bin/newaliases
>queue_directory = /Library/Server/Mail/Data/spool
>readme_directory = /usr/share/doc/postfix
>recipient_delimiter = +
>sample_directory = /usr/share/doc/postfix/examples
>sendmail_path = /usr/sbin/sendmail
>setgid_group = _postdrop
>smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
>permit
>smtpd_recipient_restrictions = permit_sasl_authenticated
>permit_mynetworks reject unauthdestination permit
>smtpd_tls_ciphers = medium
>smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
>tls_random_source = dev:/dev/urandom
>unknown_local_recipient_reject_code = 550
>use_sacl_cache = yes
>postconf: warning: /etc/postfix/main.cf: unused parameter:
>smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated
>reject_unauth_destination
>
>I’m hosting a handful of local and FQDN on the LAN, and I develop using
>a machine.local naming scheme.  Just wondering how I can whitelist my
>internal domains to get outgoing emails past my mail server.  Not
>really sure what to post here as well.
>
>Any insight appreciated.
>
>Cheers
>
>
>_
>Rich in Toronto @ VP
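
The check suggested in the reply above (is the rejected client actually covered by `mynetworks`?), as an added example that is not part of the thread. It pulls the client address out of "Relay access denied" log lines and tests it against a `mynetworks` value; the log text is constructed, the addresses and network values are the ones quoted in this thread, and table or file entries in `mynetworks` are not evaluated here.

```python
import ipaddress
import re

# Client address of a "Relay access denied" reject in a Postfix smtpd log line.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from [^\[\s]+\[(?P<ip>[^\]]+)\]: "
    r"\d{3} \d\.\d+\.\d+ .*?Relay access denied"
)
BRACKETED = re.compile(r"\[([0-9A-Fa-f:.]+)\](/\d+)?")   # IPv6 form: [addr]/len

# Constructed sample log (one logical line per entry).
SAMPLE_LOG = """\
Mar 24 18:37:35 mail.example.com postfix/smtpd[11966]: connect from unknown[192.168.1.4]
Mar 24 18:37:35 mail.example.com postfix/smtpd[11966]: NOQUEUE: reject: RCPT from unknown[192.168.1.4]: 554 5.7.1 <user@example.net>: Relay access denied; from=<app@example.com> to=<user@example.net> proto=ESMTP helo=<ws.example.com>
"""


def parse_mynetworks(value):
    """Return ([(negated, network), ...], [tokens that are not networks]).

    main.cf has no trailing comments: '#' only starts a comment at the
    beginning of a line, so text after a value is part of the value and
    ends up in the second list here.
    """
    nets, skipped = [], []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        negated = token.startswith("!")
        body = token[1:] if negated else token
        m = BRACKETED.fullmatch(body)
        if m:
            body = m.group(1) + (m.group(2) or "")
        try:
            nets.append((negated, ipaddress.ip_network(body)))
        except ValueError:            # table, file name, stray text, host bits set
            skipped.append(token)
    return nets, skipped


def client_in_mynetworks(ip, nets):
    """First matching pattern decides; a '!pattern' match excludes the client."""
    addr = ipaddress.ip_address(ip)
    for negated, net in nets:
        if addr.version == net.version and addr in net:
            return not negated
    return False


def explain_rejects(log_text, mynetworks_value):
    """For each relay reject in the log, report whether mynetworks covers it."""
    nets, skipped = parse_mynetworks(mynetworks_value)
    findings = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        try:
            verdict = client_in_mynetworks(m.group("ip"), nets)
        except ValueError:            # masked or malformed address in the log
            verdict = None
        findings.append((m.group("ip"), verdict))
    return findings, skipped


if __name__ == "__main__":
    for value in ("192.168.0.0/24 127.0.0.0/8", "192.168.1.0/24 127.0.0.0/8"):
        print(value, "->", explain_rejects(SAMPLE_LOG, value))
```

A client that the script reports as covered and that is still rejected points away from `mynetworks` and toward the restriction lists or master.cf overrides.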


Re: Relay access denied

2018-12-04 Thread wilfried.es...@essignetz.de
On 03.12.18 at 19:57, Wolfgang Paul Rauchholz wrote:
> Thank you for the help.
> But I might not have explained myself correctly. My plan is not to relay
> email from my home server via gmail.
> But I want to be able to send emails also to gmail accounts.

It's the same.

> How can I do that?

Didn't the suggestions you got yesterday work?


Willi

> 
> Wolfgang
> 
> On Mon, Dec 3, 2018 at 11:38 AM wilfried.es...@essignetz.de <
> wilfried.es...@essignetz.de> wrote:
> 
>> Hi Wolfgang,
>>
>>
>> I don't think you have an open relay:
>>> smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination,
>>> permit_sasl_authenticated, reject, reject_unauth_destination
>> But you have a dynamic IP-Address.
>>> host 83.50.89.156
>>> 156.89.50.83.in-addr.arpa domain name pointer
>> 156.red-83-50-89.dynamicip.rima-tde.net.
>>
>> Gmail doesn't like dynamic IPs very much.
>>
>> Obviously you have a gmail account. I'd suggest to set up your postfix to
>> use authenticated smtp to port 587, using your gmail credentials.
>>
>>
>> Willi
>>
> 
> 


Re: Relay access denied

2018-12-03 Thread wilfried.es...@essignetz.de
Hi Wolfgang,


I don't think you have an open relay:
> smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination,
> permit_sasl_authenticated, reject, reject_unauth_destination
But you have a dynamic IP-Address.
> host 83.50.89.156
> 156.89.50.83.in-addr.arpa domain name pointer 
> 156.red-83-50-89.dynamicip.rima-tde.net.

Gmail doesn't like dynamic IPs very much.

Obviously you have a gmail account. I'd suggest to set up your postfix to
use authenticated smtp to port 587, using your gmail credentials.


Willi


Re: Relay access denied

2018-12-03 Thread Wolfgang Paul Rauchholz
Got finally some time over the weekend...

I got a step further, but still one topic open.
It appears that I have configured an open relay server? When trying to send
emails to my gmail account I get this error message:

   550-5.7.1 [83.50.89.156] The IP you're using to send mail is not
authorized to 550-5.7.1 send email directly to our servers. .

I went through documentation on the web and assume it is my submission
statement that makes it an open relay?

This is what I setup in main.cf. How do I need to harden this to close the
open relay?
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes


main.cf
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject, reject_unauth_destination
smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live//fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live//privkey.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
content_filter=smtp-amavis:[127.0.0.1]:10024


Wolfgang

On Wed, Nov 28, 2018 at 11:26 PM Bill Cole <
postfixlists-070...@billmail.scconsult.com> wrote:

> On 28 Nov 2018, at 15:47, Wolfgang Paul Rauchholz wrote:
>
> > Thanks for the taking this up.
> > Concerning hardening TLS settings; can you recommend a read / web page
> > that
> > is suitable for a home email server?
>
> The TLS "readme" files in the Postfix distribution (and at
> http://www.postfix.org/TLS_README.html and
> http://www.postfix.org/FORWARD_SECRECY_README.html) cover what you need
> to know.
>
> The short version: Postfix default TLS cipher and protocol settings are
> fine, for releases after 2015. For older versions, you may need to set
> smtpd_tls_protocols and smtpd_tls_mandatory_protocols to "!SSLv2,
> !SSLv3" which is the default in currently supported versions.
>
> > Thanks in advance
> >
> > Here the postconf -Mf output
> >
> > smtp   inet  n   -   n   -   -   smtpd
> > amavisfeed unix  -   -   n   -   2   lmtp
> > -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes
> > -o disable_dns_lookups=yes -o max_use=20
> > submission inet  n   -   n   -   -   smtpd
> > -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
> > -o
> >
> smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> > -o milter_macro_daemon_name=ORIGINATING
>
> That's the 'submission' (port 587) daemon, which opens connections in
> cleartext and supports the "STARTTLS" command to upgrade the connection
> to TLS encryption (because your main config includes
> "smtpd_tls_security_level = may"). To send mail through this daemon, you
> MUST either be sending to a domain that Postfix is configured to accept
> mail for (local, virtual, and relay domains) OR authenticate using SASL
> first. Because of "smtpd_tls_auth_only = yes" in your main config, you
> can only authenticate using SASL *after* using STARTTLS to negotiate a
> TLS session.
>
> > smtps  inet  n   -   n   -   -   smtpd
> > -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
> > -o
> >
> smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> > -o milter_macro_daemon_name=ORIGINATING
>
> That's supposedly the 'smtps' (port 465) daemon, which *NORMALLY* would
> have an additional configuration  override directive:
>
>  -o smtpd_tls_wrappermode=yes
>
> Which "wraps" the SMTP session in TLS encryption that is negotiated
> immediately at connect time, rather than having clients connect in the
> clear. As it stands, your 'submission' and 'smtps' daemons will behave
> identically, except for listening on different ports and using different
> syslog labels. There's no benefit in that, because any client using port
> 465 will expect the smtps 'wrappermode' behavior and any using port 587
> will expect the configured cleartext/STARTTLS behavior.
>
> Because you are overriding the default smtpd_recipient_restrictions with
> a restriction list which only permits mail from authenticated senders or
> to recipients in local and relay-authorized domains, your attempt to
> send mail to a gmail.com address was rejected.
>
> You were able to send through port 25 because by default,
> smtpd_recipient_restrictions is empty (giving an implicit 'DUNNO'
> result) and smtpd_relay_restrictions starts with 'permit_mynetworks'.
> This lets the mail through because you are connecting from the loopback,
> which is included in your mynetworks setting.
>
> I hope this helps. Good luck!
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA 

Re: Relay access denied

2018-11-29 Thread Wolfgang Paul Rauchholz
Thanks for help.
A lot to digest and read before doing changes to config.

Wolfgang

On Wed, Nov 28, 2018 at 11:26 PM Bill Cole <
postfixlists-070...@billmail.scconsult.com> wrote:

> On 28 Nov 2018, at 15:47, Wolfgang Paul Rauchholz wrote:
>
> > Thanks for the taking this up.
> > Concerning hardening TLS settings; can you recommend a read / web page
> > that
> > is suitable for a home email server?
>
> The TLS "readme" files in the Postfix distribution (and at
> http://www.postfix.org/TLS_README.html and
> http://www.postfix.org/FORWARD_SECRECY_README.html) cover what you need
> to know.
>
> The short version: Postfix default TLS cipher and protocol settings are
> fine, for releases after 2015. For older versions, you may need to set
> smtpd_tls_protocols and smtpd_tls_mandatory_protocols to "!SSLv2,
> !SSLv3" which is the default in currently supported versions.
>
> > Thanks in advance
> >
> > Here the postconf -Mf output
> >
> > smtp   inet  n   -   n   -   -   smtpd
> > amavisfeed unix  -   -   n   -   2   lmtp
> > -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes
> > -o disable_dns_lookups=yes -o max_use=20
> > submission inet  n   -   n   -   -   smtpd
> > -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
> > -o
> >
> smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> > -o milter_macro_daemon_name=ORIGINATING
>
> That's the 'submission' (port 587) daemon, which opens connections in
> cleartext and supports the "STARTTLS" command to upgrade the connection
> to TLS encryption (because your main config includes
> "smtpd_tls_security_level = may"). To send mail through this daemon, you
> MUST either be sending to a domain that Postfix is configured to accept
> mail for (local, virtual, and relay domains) OR authenticate using SASL
> first. Because of "smtpd_tls_auth_only = yes" in your main config, you
> can only authenticate using SASL *after* using STARTTLS to negotiate a
> TLS session.
>
> > smtps  inet  n   -   n   -   -   smtpd
> > -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
> > -o
> >
> smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> > -o milter_macro_daemon_name=ORIGINATING
>
> That's supposedly the 'smtps' (port 465) daemon, which *NORMALLY* would
> have an additional configuration  override directive:
>
>  -o smtpd_tls_wrappermode=yes
>
> Which "wraps" the SMTP session in TLS encryption that is negotiated
> immediately at connect time, rather than having clients connect in the
> clear. As it stands, your 'submission' and 'smtps' daemons will behave
> identically, except for listening on different ports and using different
> syslog labels. There's no benefit in that, because any client using port
> 465 will expect the smtps 'wrappermode' behavior and any using port 587
> will expect the configured cleartext/STARTTLS behavior.
>
> Because you are overriding the default smtpd_recipient_restrictions with
> a restriction list which only permits mail from authenticated senders or
> to recipients in local and relay-authorized domains, your attempt to
> send mail to a gmail.com address was rejected.
>
> You were able to send through port 25 because by default,
> smtpd_recipient_restrictions is empty (giving an implicit 'DUNNO'
> result) and smtpd_relay_restrictions starts with 'permit_mynetworks'.
> This lets the mail through because you are connecting from the loopback,
> which is included in your mynetworks setting.
>
> I hope this helps. Good luck!
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Available For Hire: https://linkedin.com/in/billcole
>


-- 

Wolfgang Rauchholz


Re: Relay access denied

2018-11-28 Thread Bill Cole

On 28 Nov 2018, at 15:47, Wolfgang Paul Rauchholz wrote:


> Thanks for the taking this up.
> Concerning hardening TLS settings; can you recommend a read / web page
> that is suitable for a home email server?


The TLS "readme" files in the Postfix distribution (and at 
http://www.postfix.org/TLS_README.html and 
http://www.postfix.org/FORWARD_SECRECY_README.html) cover what you need 
to know.


The short version: Postfix default TLS cipher and protocol settings are 
fine, for releases after 2015. For older versions, you may need to set 
smtpd_tls_protocols and smtpd_tls_mandatory_protocols to "!SSLv2, 
!SSLv3" which is the default in currently supported versions.



> Thanks in advance
>
> Here the postconf -Mf output
>
> smtp   inet  n   -   n   -   -   smtpd
> amavisfeed unix  -   -   n   -   2   lmtp
> -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes
> -o disable_dns_lookups=yes -o max_use=20
> submission inet  n   -   n   -   -   smtpd
> -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> -o milter_macro_daemon_name=ORIGINATING


That's the 'submission' (port 587) daemon, which opens connections in 
cleartext and supports the "STARTTLS" command to upgrade the connection 
to TLS encryption (because your main config includes 
"smtpd_tls_security_level = may"). To send mail through this daemon, you 
MUST either be sending to a domain that Postfix is configured to accept 
mail for (local, virtual, and relay domains) OR authenticate using SASL 
first. Because of "smtpd_tls_auth_only = yes" in your main config, you 
can only authenticate using SASL *after* using STARTTLS to negotiate a 
TLS session.



> smtps  inet  n   -   n   -   -   smtpd
> -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> -o milter_macro_daemon_name=ORIGINATING


That's supposedly the 'smtps' (port 465) daemon, which *NORMALLY* would 
have an additional configuration  override directive:


-o smtpd_tls_wrappermode=yes

Which "wraps" the SMTP session in TLS encryption that is negotiated 
immediately at connect time, rather than having clients connect in the 
clear. As it stands, your 'submission' and 'smtps' daemons will behave 
identically, except for listening on different ports and using different 
syslog labels. There's no benefit in that, because any client using port 
465 will expect the smtps 'wrappermode' behavior and any using port 587 
will expect the configured cleartext/STARTTLS behavior.


Because you are overriding the default smtpd_recipient_restrictions with 
a restriction list which only permits mail from authenticated senders or 
to recipients in local and relay-authorized domains, your attempt to 
send mail to a gmail.com address was rejected.


You were able to send through port 25 because by default, 
smtpd_recipient_restrictions is empty (giving an implicit 'DUNNO' 
result) and smtpd_relay_restrictions starts with 'permit_mynetworks'. 
This lets the mail through because you are connecting from the loopback, 
which is included in your mynetworks setting.


I hope this helps. Good luck!

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole


Re: Relay access denied

2018-11-28 Thread Viktor Dukhovni
> On Nov 28, 2018, at 3:47 PM, Wolfgang Paul Rauchholz  
> wrote:
> 
> Thanks for the taking this up.
> Concerning hardening TLS settings; can you recommend a read / web page that
> is suitable for a home email server?

Run with default Postfix settings.  They are good enough, worst case
exclude a cipher type or two, but don't redefine the low-level
"tls_*_cipherlist" parameters.

-- 
Viktor.



Re: Relay access denied

2018-11-28 Thread Bill Cole

On 28 Nov 2018, at 6:49, wp.rauchholz wrote:


> [root@home postfix]# telnet localhost 465


That's abnormal. Port 465 is normally TLS-wrapped, so telnet should not 
work for testing it. That it seemingly DOES work (at least to connect 
and try mail...) means that you've done something unusual in master.cf.


Please provide the output of "postconf -Mf" so that we can see how that 
port is configured.


Tangentially: all those customized "hardening" smtpd_tls_* settings you 
have will result in your server receiving more mail over unencrypted 
sessions, because many sending systems won't be able to live up to your 
TLS standards and so will fall back to sending in the clear. This makes 
your mail flow in aggregate much LESS secure.


Re: Relay access denied to local IPv6 client

2018-02-25 Thread Nikolaos Milas

On 23/2/2018 9:00 μμ, Bill Cole wrote:

> The restriction lists in Postfix are run in a fixed logical order
> (client, helo, sender, relay, recipient, data, end_of_data) and 'OK'
> from an early restriction list (smtpd_client_restrictions) *DOES
> NOT* prevent 'REJECT' by a later restriction list
> (smtpd_recipient_restrictions.) OK only terminates a single
> restriction list, not the whole set of lists, so in this case the
> transaction is exiting the smtpd_client_restrictions list with OK at
> "check_client_access cidr:/etc/postfix/non-tls-clients.cidr" but it
> still must pass through smtpd_recipient_restrictions, where it is
> rejected by "reject_unauth_destination" because you are not the final
> destination for the recipient domain nor do you have the recipient
> domain in $relay_domains.


Thank you all for your feedback and especially Bill for the detailed 
explanation.


The solution was as simple as adding permit_mynetworks to 
smtpd_recipient_restrictions. Since client connectivity is controlled by 
smtpd_client_restrictions, in this scenario there is no reason to not 
allow relay access to all mynetwork.


Best Regards,
Nick



Re: Relay access denied to local IPv6 client

2018-02-23 Thread Bill Cole

On 23 Feb 2018, at 3:49, Nikolaos Milas wrote:


> Hello,
>
> We are using Postfix v3.2.4 and we are facing the following problem:
> A client (a data storage system) with an IPv6 address of
> [2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport)
> email and it's being denied access:
>
> Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT
> from unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1
> : Relay access denied;
> from= to=
> proto=SMTP helo=
>
> All /48 IPv6 address block is included in mynetworks: ...,
> [2001:648:2011::]/48, ...
>
> The client does not support TLS or authentication. For such clients we
> provide explicit permission:
>
> smtpd_client_restrictions =
>   ...
>   check_client_access cidr:/etc/postfix/non-tls-clients.cidr
>   permit_sasl_authenticated
>   reject
>
> where /etc/postfix/non-tls-clients.cidr:
>
>    ...
>    [2001:648:2011:a21:320e:d5ff:fec6:b55]   OK
>    ...
>
> Please, be kind to help me understand what is causing this client
> rejection and correct my postfix configuration.
>
> postconf -n follows:
>
> [...]
> smtpd_client_restrictions = check_client_access
> cidr:/etc/postfix/localhost.cidr check_client_access
> cidr:/etc/postfix/gwservers.cidr check_client_access
> cidr:/etc/postfix/non-tls-clients.cidr permit_sasl_authenticated
> reject
>
> [...]
> smtpd_recipient_restrictions = check_recipient_access
> hash:/etc/postfix/protected_destinations permit_sasl_authenticated
> reject_unverified_recipient reject_unauth_destination


The restriction lists in Postfix are run in a fixed logical order 
(client, helo, sender, relay, recipient, data, end_of_data) and 'OK' 
from an early restriction list (smtpd_client_restrictions) *DOES NOT* 
prevent 'REJECT' by a later restriction list 
(smtpd_recipient_restrictions.) OK only terminates a single restriction 
list, not the whole set of lists, so in this case the transaction is 
exiting the smtpd_client_restrictions list with OK at 
"check_client_access cidr:/etc/postfix/non-tls-clients.cidr" but it 
still must pass through smtpd_recipient_restrictions, where it is 
rejected by "reject_unauth_destination" because you are not the final 
destination for the recipient domain nor do you have the recipient 
domain in $relay_domains.


See the SMTPD_ACCESS_README file for complete details.
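
The evaluation order described in this post, as a small simulation (an added example, not code from the thread or from Postfix). It models only the restrictions quoted above; the recipient address, the local.example domain and the position of permit_mynetworks in the corrected list are assumptions.

```python
import ipaddress

# Order in which smtpd runs its restriction lists for a RCPT TO command,
# as listed in the post (data and end_of_data come later in the session).
STAGES = ("client", "helo", "sender", "relay", "recipient")

NON_TLS_TABLE = "cidr:/etc/postfix/non-tls-clients.cidr"


def in_networks(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


def evaluate(restriction, session, cfg):
    """Result of one restriction: 'OK', 'REJECT' or 'DUNNO' (no opinion)."""
    if restriction == "permit":
        return "OK"
    if restriction == "reject":
        return "REJECT"
    if restriction == "permit_mynetworks":
        return "OK" if in_networks(session["client"], cfg["mynetworks"]) else "DUNNO"
    if restriction == "permit_sasl_authenticated":
        return "OK" if session["sasl_authenticated"] else "DUNNO"
    if restriction == "reject_unauth_destination":
        # Simplified: exact domain match only, no subdomain matching.
        domain = session["rcpt"].rsplit("@", 1)[-1].lower()
        return "DUNNO" if domain in cfg["authorized_domains"] else "REJECT"
    if restriction.startswith("check_client_access "):
        table = cfg["tables"][restriction.split(None, 1)[1]]
        ip = ipaddress.ip_address(session["client"])
        for net, action in table:  # first matching pattern wins
            if ip.version == net.version and ip in net:
                return action
        return "DUNNO"
    raise ValueError("restriction not modelled: " + restriction)


def run_rcpt(session, cfg):
    """Walk every list in order; return (verdict, stage, restriction)."""
    for stage in STAGES:
        for restriction in cfg["lists"].get(stage, ()):
            result = evaluate(restriction, session, cfg)
            if result == "REJECT":
                return ("REJECT", stage, restriction)  # ends the transaction
            if result == "OK":
                break  # ends THIS list only; later lists still run
    return ("ACCEPT", None, None)


def make_cfg(recipient_restrictions):
    """Configuration from the post, reduced to the restrictions modelled here."""
    return {
        "mynetworks": [ipaddress.ip_network("2001:648:2011::/48")],
        "authorized_domains": {"local.example"},  # constructed placeholder
        "tables": {NON_TLS_TABLE: [
            (ipaddress.ip_network("2001:648:2011:a21:320e:d5ff:fec6:b55/128"), "OK"),
        ]},
        "lists": {
            "client": ["check_client_access " + NON_TLS_TABLE,
                       "permit_sasl_authenticated", "reject"],
            "recipient": recipient_restrictions,
        },
    }


# Recipient list as posted (table lookup and recipient verification omitted).
AS_POSTED = ["permit_sasl_authenticated", "reject_unauth_destination"]
# Assumed placement: permit_mynetworks ahead of reject_unauth_destination.
WITH_PERMIT_MYNETWORKS = ["permit_mynetworks"] + AS_POSTED

SESSION = {"client": "2001:648:2011:a21:320e:d5ff:fec6:b55",
           "sasl_authenticated": False,
           "rcpt": "autosupport@vendor.example"}  # constructed recipient

if __name__ == "__main__":
    print(run_rcpt(SESSION, make_cfg(AS_POSTED)))
    print(run_rcpt(SESSION, make_cfg(WITH_PERMIT_MYNETWORKS)))
```

A client that is in mynetworks but absent from the cidr table is still stopped by the final "reject" of the client list, so the recipient-list change does not widen who can connect.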



Re: Relay access denied to local IPv6 client

2018-02-23 Thread Wietse Venema
Nikolaos Milas:
> Hello,
> 
> We are using Postfix v3.2.4 and we are facing the following problem: 
> A client (a data storage system) with an IPv6 address of 
> [2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport) 
> email and it's being denied access:
> 
> Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT from 
> unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1 
> : Relay access denied; 
> from= to= 
> proto=SMTP helo=
> 
> All /48 IPv6 address block is included in mynetworks: ..., 
> [2001:648:2011::]/48, ...
> 
> The client does not support TLS or authentication. For such clients we 
> provide explicit permission:
> 
> smtpd_client_restrictions =
>   ...
>   check_client_access cidr:/etc/postfix/non-tls-clients.cidr
>   permit_sasl_authenticated
>   reject

Relay access is enforced in smtpd_RELAY_restrictions (or historically,
in smtpd_RECIPIENT_restrictions).

Wietse


Re: Relay access denied to local IPv6 client

2018-02-23 Thread Jörg Backschues

Am 23.02.2018 um 09:49 schrieb Nikolaos Milas:


> where /etc/postfix/non-tls-clients.cidr:
>
>     ...
>     [2001:648:2011:a21:320e:d5ff:fec6:b55]   OK
>     ...


Please check the CIDR table syntax 
:


e.g.

2001:db8::/32   REJECT

--
Regards
Jörg Backschues


Re: Relay access denied

2017-10-31 Thread Noel Jones
On 10/31/2017 11:01 AM, 9acca9 wrote:
> Ok thanks.
> i remove 
> mynetworks = 0.0.0.0/0
> 
> and add
> 
> relay_domains = mydomain.org.ar
> 
> The mail is accepted but this happened, and the mail doesn't arrive:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall





Re: Relay access denied

2017-10-31 Thread 9acca9
Ok thanks.
i remove 
mynetworks = 0.0.0.0/0

and add

relay_domains = mydomain.org.ar

The mail is accepted but this happened, and the mail doesn't arrive:

Oct 31 12:45:04 postfix postfix/smtpd[1843]: connect from
mail-pf0-f181.google.com[209.85.192.181]
Oct 31 12:45:05 postfix postfix/smtpd[1843]: 3BBC2AFC0A:
client=mail-pf0-f181.google.com[209.85.192.181]
Oct 31 12:45:05 postfix postfix/cleanup[1844]: 3BBC2AFC0A:
message-id=
Oct 31 12:45:05 postfix postfix/qmgr[1830]: 3BBC2AFC0A:
from=, size=2697, nrcpt=1 (queue active)
Oct 31 12:45:05 postfix postfix/smtpd[1846]: connect from
unknown[172.16.0.1]
Oct 31 12:45:05 postfix postfix/smtp[1845]: warning: host
postfix.mydomain.org.ar[190.4.116.195]:25 greeted me with my own hostname
postfix.mydomain.org.ar
Oct 31 12:45:05 postfix postfix/smtp[1845]: warning: host
postfix.mydomain.org.ar[190.4.116.195]:25 replied to HELO/EHLO with my own
hostname postfix.mydomain.org.ar
Oct 31 12:45:05 postfix postfix/smtp[1845]: 3BBC2AFC0A:
to=, relay=postfix.mydomain.org.ar[190.4.116.195]:25,
delay=0.23, delays=0.2/0.01/0.02/0, dsn=5.4.6, status=bounced (mail for
mydomain.org.ar loops back to myself)
Oct 31 12:45:05 postfix postfix/smtpd[1846]: disconnect from
unknown[172.16.0.1]
Oct 31 12:45:05 postfix postfix/cleanup[1844]: 734A3AFC0C:
message-id=<20171031154505.734a3af...@postfix.mydomain.org.ar>
Oct 31 12:45:05 postfix postfix/qmgr[1830]: 734A3AFC0C: from=<>, size=4695,
nrcpt=1 (queue active)
Oct 31 12:45:05 postfix postfix/bounce[1847]: 3BBC2AFC0A: sender
non-delivery notification: 734A3AFC0C
Oct 31 12:45:05 postfix postfix/qmgr[1830]: 3BBC2AFC0A: removed
Oct 31 12:45:05 postfix postfix/smtpd[1843]: disconnect from
mail-pf0-f181.google.com[209.85.192.181]
Oct 31 12:45:07 postfix postfix/smtp[1848]: 734A3AFC0C:
to=, relay=gmail-smtp-in.l.google.com[64.233.190.26]:25,
delay=1.9, delays=0/0.01/0.59/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK
1509465129 w2si557428vkh.72 - gsmtp)
Oct 31 12:45:07 postfix postfix/qmgr[1830]: 734A3AFC0C: removed


190.4.116.195=my public ip (not really)  
172.15.1.1 = an internal ip (firewall)





Re: Relay access denied

2017-10-31 Thread Noel Jones
On 10/31/2017 9:59 AM, 9acca9 wrote:
> Hi
> I'm having trouble with the postfix config. I do not receive anything from any mail
> (gmail, yahoo, hotmail).
> I have this problem.
> 
> Oct 31 10:36:00 postfix postfix/smtpd[4863]: connect from
> mail-pg0-f42.google.com[74.125.83.42]
> Oct 31 10:36:00 postfix postfix/smtpd[4863]: NOQUEUE: reject: RCPT from
> mail-pg0-f42.google.com[74.125.83.42]: 454 4.7.1 :
> Relay access denied; from= to=
> proto=ESMTP helo=
> Oct 31 10:36:00 postfix postfix/smtpd[4863]: disconnect from
> mail-pg0-f42.google.com[74.125.83.42]
> 

Postfix doesn't know it's responsible for mail addressed to your
domain.  Your domain must be listed in one and only one of
{mydestination, relay_domains, virtual_alias_domains,
virtual_mailbox_domains}.  For mail relayed to another host for
final delivery, typically relay_domains is used.  For details see:
http://www.postfix.org/ADDRESS_CLASS_README.html

http://www.postfix.org/documentation.html


> if i change in my config too
> mynetworks=0.0.0.0/0

Yikes!  Don't do that.




  -- Noel Jones
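
The "one and only one" rule from this reply, as a check over main.cf text (an added example, not from the thread or the Postfix distribution). The main.cf fragments are constructed apart from the relay_domains line and hostname seen in the thread; table references such as hash: files are reported but not opened, and only parameters present in the text are seen.

```python
import re

# The four address classes named in the reply.
ADDRESS_CLASSES = ("mydestination", "relay_domains",
                   "virtual_alias_domains", "virtual_mailbox_domains")


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace
    continues the previous parameter, '#' lines and blanks are skipped."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            current = name.strip()
            params[current] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name and ${name} using parameters defined in the same text."""
    def repl(match):
        name = match.group(1) or match.group(2)
        if name in params and depth < 10:
            return expand(params[name], params, depth + 1)
        return match.group(0)  # leave unknown names untouched
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))", repl, value)


def class_members(params):
    """Map each class to (set of literal domains, list of table references)."""
    result = {}
    for cls in ADDRESS_CLASSES:
        domains, tables = set(), []
        for item in re.split(r"[,\s]+", expand(params.get(cls, ""), params)):
            if not item:
                continue
            if ":" in item or item.startswith("/"):
                tables.append(item)  # type:table or /file/name, not opened
            else:
                domains.add(item.lower())
        result[cls] = (domains, tables)
    return result


def classes_for(domain, params):
    members = class_members(params)
    return [c for c in ADDRESS_CLASSES if domain.lower() in members[c][0]]


def verdict(domain, params):
    found = classes_for(domain, params)
    if not found:
        return "unlisted"   # outside senders get 'Relay access denied'
    if len(found) > 1:
        return "conflict"   # listed in more than one class
    return "ok"


# Constructed main.cf fragments.
BEFORE = """\
# constructed example
myhostname = postfix.mydomain.org.ar
mydestination = $myhostname,
    localhost
"""
AFTER = BEFORE + "relay_domains = mydomain.org.ar\n"
CONFLICT = AFTER + "virtual_mailbox_domains = mydomain.org.ar\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("conflict", CONFLICT)):
        print(label, verdict("mydomain.org.ar", parse_main_cf(text)))
```

Feeding it the full output of postconf instead of a main.cf fragment includes built-in defaults such as the default mydestination.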


Re: Relay access denied

2017-05-25 Thread alexvojproc
Thanks Viktor, I knew my sloppy configuration must have been at fault.
Everything related to this works now.

- Alex





Re: Relay access denied

2017-05-24 Thread Viktor Dukhovni

> On May 24, 2017, at 5:05 PM, alexvojproc  wrote:
> 
> smtpd_tls_cert_file=/etc/letsencrypt/live/REDACTED/fullchain.pem
> smtpd_tls_key_file=/etc/letsencrypt/live/REDACTED/privkey.pem
> smtpd_use_tls=yes

The non-obsolete setting is:

smtpd_tls_security_level = may

though if this is a submission service (not an MX host for any inbound
mail) you could use "encrypt" instead of "may".  If it is also an MX
host, it is best to handle outbound submission on port 587.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

With Postfix >= 2.11 you should leave this empty, session tickets are
a more appropriate way to handle session resumption.

> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated, 
> defer_unauth_destination

If you handle submission separately on 587 (aka submission/inet in
master.cf), then this just becomes "reject_unauth_destination".

> myhostname = localhost

Not a good idea, configure a sensible stable FQDN.

> smtp_tls_security_level = encrypt

Fine, provided your relayhost supports TLS.

> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous

This handles SASL from your MTA to the relayhost, BUT you've
completely neglected to configure SASL for authenticating
inbound mail submission.  Those are "smtpd_sasl_..." settings.
See SASL_README for details.

> I'm intending for users to be able to connect to my server on port 25 and
> send mail, which is relayed through smtp.mailgun.org. However, I can only
> send mail to local users, and I receive "Server error: '454 4.7.1
> : Relay access denied'" when I try to send mail to remote
> hosts like my Gmail account.

Of course, since the users have no opportunity to authenticate.

-- 
Viktor.



Re: Relay access denied

2017-05-24 Thread alexvojproc
I forgot to add log info (although there's nothing particularly useful):

May 24 19:39:22 server postfix/smtpd[2506]: connect from REDACTED
May 24 19:39:22 server postfix/smtpd[2506]: NOQUEUE: reject: RCPT from
REDACTED: 454 4.7.1 : Relay access denied;
from= to= proto=ESMTP
helo=





SOLVED: Re: relay access denied by relayhost, but I have permit_mynetworks

2016-05-25 Thread David Benfell
Hello /dev/rob0 ,

Yup, this seems to have been it. Thanks very much for your eyes.


On 05/25/2016 03:34 PM, /dev/rob0 wrote:
> 50.250.218.164 is not in 50.250.218.0/28 ... not in $mynetworks

-- 
David Benfell, Ph.D.
benf...@parts-unknown.org





Re: relay access denied by relayhost, but I have permit_mynetworks

2016-05-25 Thread /dev/rob0
On Wed, May 25, 2016 at 02:43:09PM -0700, David Benfell wrote:
> I'm getting relay access denied when my main web server attempts to 
> relay mail through my main mail server to outside domains. The web 
> server also functions as a secondary MX (and this seems to work). 
> Here is the main mail server configuration:
> 
> [root@home ~]# postconf -nf

A lot of junk in there, but I won't comment on that stuff for now.

> mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.0/24, 10.8.0.0/16,
> 50.250.218.0/28, [2001:470:67:119::]/64
->^^^

> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
> defer_unauth_destination

> Here is the configuration on the web server:

> relayhost = mail.parts-unknown.org

(That means it does a MX lookup first for "mail.parts-unknown.org" 
before falling back to A/.)

> smtp_bind_address = 50.250.218.164

> A sample log entry on the web server (with email address obscured):
> May 25 07:52:18 vegan postfix/smtp[33049]: 17457F040DA9:
> to=, relay=mail.parts-unknown.org[50.250.218.162]:25,
> delay=241020, delays=241020/0.04/0.59/0.02, dsn=4.7.1, status=deferred
> (host mail.parts-unknown.org[50.250.218.162] said: 454 4.7.1
> : Relay access denied (in reply to RCPT TO command))
> 
> The corresponding entry on the mail server:
> May 25 07:52:18 home postfix/smtpd[55825]: NOQUEUE: reject: RCPT from
> unknown[50.250.218.164]: 454 4.7.1 : Relay access
> denied; from= to=
> proto=ESMTP helo=

> What other information do I need to supply? What is wrong?

50.250.218.164 is not in 50.250.218.0/28 ... not in $mynetworks
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
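
The membership check from this reply, as an added example (not part of the thread): parse a mynetworks value in main.cf syntax and test whether a client address falls inside it. The mynetworks value and the client address are the ones quoted above; the function names, the extra /32 entry and the exclusion sample in the comments are constructed for illustration.

```python
import ipaddress
import re

# mynetworks value copied from the postconf output quoted in the thread.
MYNETWORKS = ("127.0.0.0/8, [::1]/128, 192.168.1.0/24, 10.8.0.0/16, "
              "50.250.218.0/28, [2001:470:67:119::]/64")

# In main.cf, IPv6 patterns are written as [address]/length.
_BRACKETED = re.compile(r"^\[([0-9A-Fa-f:.]+)\](?:/(\d+))?$")


def parse_mynetworks(value):
    """Parse a mynetworks value into ordered (exclude, network) pairs.

    Handles comma or whitespace separated patterns, bracketed IPv6 and
    "!pattern" exclusions. File and lookup-table entries are not supported.
    """
    entries = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        exclude = token.startswith("!")
        pattern = token[1:] if exclude else token
        match = _BRACKETED.match(pattern)
        if match:
            pattern = match.group(1) + ("/" + match.group(2) if match.group(2) else "")
        elif ":" in pattern or pattern.startswith("/"):
            raise ValueError("unsupported file or table entry: " + token)
        entries.append((exclude, ipaddress.ip_network(pattern)))
    return entries


def match_mynetworks(client, entries):
    """Return the pattern that authorizes client as a string, or None.

    Patterns are tried left to right and the first match decides; a match
    on an excluded pattern means the client is not in mynetworks.
    """
    ip = ipaddress.ip_address(client)
    for exclude, net in entries:
        if ip.version == net.version and ip in net:
            return None if exclude else str(net)
    return None


def address_range(cidr):
    """First and last address covered by a CIDR block."""
    net = ipaddress.ip_network(cidr)
    return (str(net[0]), str(net[-1]))


if __name__ == "__main__":
    entries = parse_mynetworks(MYNETWORKS)
    # The web server's smtp_bind_address from the thread.
    print(match_mynetworks("50.250.218.164", entries))
    # A /28 covers only 16 addresses.
    print(address_range("50.250.218.0/28"))
    # Constructed: authorizing just that host instead of a wider block.
    fixed = parse_mynetworks(MYNETWORKS + ", 50.250.218.164/32")
    print(match_mynetworks("50.250.218.164", fixed))
```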


Re: relay access denied question

2016-05-03 Thread Noel Jones
On 5/3/2016 4:05 PM, Chris Adams wrote:
> Hello all,
> 
>  
> 
> I recently rebuilt a server for use with Mailman and Postfix. I have
> the server running, Mailman and Postfix installed. I am using
> Postfix 2.10.1.   I copied the main.cf file over from the old server
> to the new server.
> 
>  
> 
> When I post a message to one of the Mailman lists, I encounter an
> error related to Postfix and I can’t quite figure out what setting
> in main.cf is causing this. It looks like all messages are being
> handled this way. I am wondering what is different in this new setup
> that would cause this.
> 
>  
> 
> May  3 16:59:58 mailmanserver postfix/smtpd[18060]: NOQUEUE: reject:
> RCPT from localhost[::1]: 454 4.7.1 : Relay
> access denied; from=
> to= proto=ESMTP helo=
> 
>  
> 
> I can provide output of postconf -n if requested.
> 
>  
> 
> Many thanks.
> 

Perhaps you forgot to read the RELEASE_NOTES.
See the "Major changes - relay safety" section

ftp://mirrors.loonybin.net/pub/postfix/official/postfix-2.10.9.RELEASE_NOTES

http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions

Also note that 2.10.1 is pretty old.  For a new server, consider
using a more current version.


  -- Noel Jones


Re: relay access denied

2015-04-05 Thread Tim Dunphy

> missing permit_mynetworks or sasl auth user in example
> to solve use a proper mail client that support sasl auth, you can use
> gmail webmail to test postfix as a sasl auth relay server, this is the
> proper test to do as your config is, this would work


Cool! Thanks Benny. I'll give that a try.

Thank you,
Tim

On Sun, Apr 5, 2015 at 1:01 PM, Benny Pedersen m...@junc.eu wrote:

> Tim Dunphy skrev den 2015-04-05 18:27:
>
> > Apr  5 12:23:08 web1 postfix/smtpd[32140]: NOQUEUE: reject: RCPT from
> > centos-7-x64[127.0.0.1]: 554 5.7.1 bluethu...@gmail.com: Relay
> > access denied; from=bluethu...@web1.jokefire.com
> > to=bluethu...@gmail.com proto=SMTP helo=web1.jokefire.com
>
> missing permit_mynetworks or sasl auth user in example
>
> to solve use a proper mail client that support sasl auth, you can use
> gmail webmail to test postfix as a sasl auth relay server, this is the
> proper test to do as your config is, this would work




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: relay access denied

2015-04-05 Thread Benny Pedersen

Tim Dunphy skrev den 2015-04-05 18:27:


> Apr  5 12:23:08 web1 postfix/smtpd[32140]: NOQUEUE: reject: RCPT from
> centos-7-x64[127.0.0.1]: 554 5.7.1 bluethu...@gmail.com: Relay
> access denied; from=bluethu...@web1.jokefire.com
> to=bluethu...@gmail.com proto=SMTP helo=web1.jokefire.com


missing permit_mynetworks or sasl auth user in example

to solve use a proper mail client that support sasl auth, you can use 
gmail webmail to test postfix as a sasl auth relay server, this is the 
proper test to do as your config is, this would work


Re: Relay access denied, but destination address is in relay_recipients_map

2014-12-05 Thread Wietse Venema
Shawn Heisey:
> Now I'm encountering relay access denied ... but the destination
> address IS in relay_recipients_map.  The entry looks like this:

http://www.postfix.org/postconf.5.html#relay_domains

Wietse


Re: Relay access denied, but destination address is in relay_recipients_map

2014-12-05 Thread Shawn Heisey
On 12/5/2014 10:29 AM, Shawn Heisey wrote:
> It's probably a simple newbie mistake ... but I can't see it.  Can
> anyone point it out to me?  I'm already using a similar setup on an
> older postfix version, but with policyd-weight instead of postscreen.

It was indeed something simple that I overlooked.  I added this line to
main.cf and created the referenced hash table:

relay_domains = $mydestination, hash:/etc/postfix/relaydomains

Now it works.  This step was not necessary in the older postfix version
that is currently in production.

Thanks,
Shawn



Re: Relay access denied, but destination address is in relay_recipients_map

2014-12-05 Thread Wietse Venema
Shawn Heisey:
 On 12/5/2014 10:29 AM, Shawn Heisey wrote:
  It's probably a simple newbie mistake ... but I can't see it.  Can
  anyone point it out to me?  I'm already using a similar setup on an
  older postfix version, but with policyd-weight instead of postscreen.
 
 It was indeed something simple that I overlooked.  I added this line to
 main.cf and created the referenced hash table:
 
 relay_domains = $mydestination, hash:/etc/postfix/relaydomains
 
 Now it works.  This step was not necessary in the older postfix version
 that is currently in production.

relay_domains (default: Postfix >= 2.12: empty, Postfix < 2.12:
$mydestination)
   What destination domains (and subdomains thereof) this system will
   relay mail to.

As documented, the default has changed.

Wietse


Re: Relay access denied, but destination address is in relay_recipients_map

2014-12-05 Thread Viktor Dukhovni
On Fri, Dec 05, 2014 at 01:04:19PM -0500, Wietse Venema wrote:
 Shawn Heisey:
  On 12/5/2014 10:29 AM, Shawn Heisey wrote:
   It's probably a simple newbie mistake ... but I can't see it.  Can
   anyone point it out to me?  I'm already using a similar setup on an
   older postfix version, but with policyd-weight instead of postscreen.
  
  It was indeed something simple that I overlooked.  I added this line to
  main.cf and created the referenced hash table:
  
  relay_domains = $mydestination, hash:/etc/postfix/relaydomains
  
  Now it works.  This step was not necessary in the older postfix version
  that is currently in production.
 
 relay_domains (default: Postfix >= 2.12: empty, Postfix < 2.12:
 $mydestination)
What destination domains (and subdomains thereof) this system will
relay mail to.
 
 As documented, the default has changed.

But the OP reports using 2.11.0-1, and so is confused.  Nothing
changed in 2.11, and even in 2.12 IIRC the updated default is
subject to the new compatibility level controls.

-- 
Viktor.


Re: Relay access denied 454 not 544

2014-05-28 Thread M. Rodrigo Monteiro
2014-05-27 16:54 GMT-03:00 Viktor Dukhovni postfix-us...@dukhovni.org:

 On Tue, May 27, 2014 at 04:38:31PM -0300, M. Rodrigo Monteiro wrote:

  Hi.
  I wanna know why Postfix is rejecting mail with temp error (4xx) and not 5xx
  for Relay access denied.

 What version of Postfix is this?


# postconf | grep mail_v
mail_version = 2.11.1


  Here is the conf:

 Generally, you should post the output of postconf -n rather than
 just what you think is relevant.


Ok.


  smtpd_recipient_restrictions =
  reject_multi_recipient_bounce,
  permit_mynetworks,
  reject_unauth_destination,
  permit
 
  # postconf relay_domains_reject_code
  relay_domains_reject_code = 554

 With 2.10 or later, relay control is via smtpd_relay_restrictions.


# postconf  | grep smtpd_relay_restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
defer_unauth_destination

It's it. Thanks. I didn't know that was changed. Thanks!

In my scenario, should I use relay in transport_maps? What's the difference
between relay and smtp?

MX - Content Filter (this) - Mailbox (Zimbra, Postfix or qmail)

--
 Viktor.



Re: Relay access denied 454 not 544

2014-05-28 Thread Wietse Venema
M. Rodrigo Monteiro:
 In my scenario, should I use relay in transport_maps? What's the difference
 between relay and smtp?

Because:
default_transport = smtp
relay_transport = relay

The purpose of this separation is (roughly) to give relayed mail
the same priority as outbound mail.

Without this separation, one inbound destination would get the same
priority as one outbound destination.  On a busy mail server, inbound
mail would suffer delays when there are more outbound destinations
than inbound.

Wietse


Re: Relay access denied 454 not 544

2014-05-28 Thread Viktor Dukhovni
On Wed, May 28, 2014 at 08:54:23AM -0300, M. Rodrigo Monteiro wrote:

  With 2.10 or later, relay control is via smtpd_relay_restrictions.
 
 # postconf  | grep smtpd_relay_restrictions
 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
 defer_unauth_destination
 
 It's it. Thanks. I didn't know that was changed. Thanks!

That was the most plausible explanation, most of the time that
yields the right answer.

 In my scenario, should I use relay in transport_maps? What's the difference
 between relay and smtp?
 
 MX - Content Filter (this) - Mailbox (Zimbra, Postfix or qmail)

A completely unrelated and all too concisely stated question, you
sure like to keep people guessing.  If the parenthetical (this)
means that the MTA in question is handling content filtering between
the inbound MX host and the downstream message stores, so that all
mail flow is one direction, then it makes little difference which
transport handles all the mail.

The smtp/relay transport split is for bi-directional MTAs, where
at peak loads you get lower latency for inbound mail when the outbound
mail direction is congested.

One should also generally use a separate transport for the advanced smtp
content_filter than for post-filter delivery, don't want one competing
with the other.

If you still have a question along these lines, start a new thread,
and ask it properly.  My reply should not be significantly longer
than your question.

-- 
Viktor.


Re: Relay access denied 454 not 544

2014-05-27 Thread Wietse Venema
M. Rodrigo Monteiro:
 Hi.
 I wanna know why Postfix is rejecting mail with temp error (4xx) and not 5xx
 for Relay access denied.
 
 Here is the log:
 
 May 27 12:11:34  postfix/smtpd[31197]: NOQUEUE: reject: RCPT from
 mx2.mydomain.com.br[XXX.XXX.XXX.37]: 454 4.7.1 

Maybe the SMTP server has soft_bounce turned on.

Maybe the server has logged a DNS temporary lookup error prior to
this reject.

Wietse


Re: Relay access denied 454 not 544

2014-05-27 Thread M. Rodrigo Monteiro
2014-05-27 16:43 GMT-03:00 Wietse Venema wie...@porcupine.org:


 Maybe the SMTP server has soft_bounce turned on.


# postconf soft_bounce
soft_bounce = no



 Maybe the server has logged a DNS temporary lookup error prior to
 this reject.


No.


 Wietse



Re: Relay access denied 454 not 544

2014-05-27 Thread Viktor Dukhovni
On Tue, May 27, 2014 at 04:38:31PM -0300, M. Rodrigo Monteiro wrote:

 Hi.
 I wanna know why Postfix is rejecting mail with temp error (4xx) and not 5xx
 for Relay access denied.

What version of Postfix is this?

 Here is the conf:

Generally, you should post the output of postconf -n rather than
just what you think is relevant.

 smtpd_recipient_restrictions =
 reject_multi_recipient_bounce,
 permit_mynetworks,
 reject_unauth_destination,
 permit
 
 # postconf relay_domains_reject_code
 relay_domains_reject_code = 554

With 2.10 or later, relay control is via smtpd_relay_restrictions.

-- 
Viktor.


Re: Relay Access Denied

2013-10-29 Thread Mark Goodge

On 28/10/2013 18:36, Tim Legg wrote:


Attached is the postconf -n
I've also been reading the link that Dr. Venema sent me.  Could it be
that the mydestination is incorrect?  Could it be:
mydestination = timothy.com, localhost.localdomain, localhost


The above is what you need in order for your machine to accept mail 
addressed to {user}@timothy.com. However, you currently have this 
instead:


 mydestination = mail.timothy.com, localhost.localdomain, localhost

That will accept mail addressed to {user}@mail.timothy.com, which is 
not the same thing.


You appear to be under the mistaken impression that mydestination and 
myhostname are equivalent and must contain the same (or similar) values. 
That's not the case, at all. myhostname is, as the name implies, the 
specific name of the *machine* on which Postfix is running. 
mydestination is the domain, or comma-separated list of domains, that 
the machine handles mail for.


Typically, the hostname of the machine will be a hostname within one of 
the domains in mydestination, simply because most people use an MTA to 
receive mail for themselves. But it doesn't have to be.


In your particular case, since the MX records for timothy.com point 
to mail.timothy.com, then the most obvious (although not necessarily 
essential) myhostname value is mail.timothy.com. And, since the MX 
records for timothy.com point to mail.timothy.com, then the 
server needs to include timothy.com in mydestination. Simple!


Having said that, I do agree that the Ubuntu documentation is 
misleading. In the basic configuration section, it says this:


  The user interface will be displayed. On each screen, select the
  following values:

  Internet Site
  mail.example.com
  steve
  mail.example.com, localhost.localdomain, localhost
  No
  127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 192.168.0.0/24
  0
  +
  all

  Replace mail.example.com with the domain for which you'll accept
  email, 192.168.0.0/24 with the actual network and class range of your
  mail server, and steve with the appropriate username.

Although the final paragraph is correct to say that you must Replace 
mail.example.com with the domain for which you'll accept email, it's a 
poor example because mail.example.com is not, normally, used to 
illustrate a domain - instead, that value is usually used to illustrate 
a hostname (which, in the second line, it does). And using the same 
example value in myhostname (line 2) and mydestination (line 4) wrongly 
implies that the two should be the same.


What the documentation should say is this:

  The user interface will be displayed. On each screen, select the
  following values:

  Internet Site
  mail.example.com
  steve
  example.com, localhost.localdomain, localhost
  No
  127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 192.168.0.0/24
  0
  +
  all

  Replace example.com with the domain(s) for which you'll accept email,
  mail.example.com with your actual hostname, 192.168.0.0/24 with the
  actual network and class range of your mail server, and steve with
  the appropriate username.

Specifically, the error made by the author is to use the same sample 
value for two different fields which, in real life, will usually have 
different actual values (albeit often, though not necessarily, related). 
Although someone who reads the official Postfix documentation will be 
able to figure it out for themselves, it still behoves the author of any 
tutorial to ensure that any worked examples or sample values they use 
reflect the most common real life usage.


If you want to feed that back to the Ubuntu documentation maintainer, 
then feel free.


Mark
--
My blog: http://mark.goodge.co.uk
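
The 454-versus-554 exchange earlier on this page and the mydestination diagnosis in the message above come down to the same two checks at RCPT TO: is the client trusted, and is the recipient domain one this server is authorized for. The Python sketch below is an added example, not code from Postfix or from any poster. It models only permit_mynetworks, permit_sasl_authenticated, permit, reject_unauth_destination and defer_unauth_destination, ignores lookup tables and built-in defaults, and runs on constructed configurations in which example.com stands in for the posters' domains.

```python
import ipaddress

# Constructed sample modelled on the 454 thread (Postfix 2.11).
CONF_454 = """\
mydestination = localhost
mynetworks = 127.0.0.0/8
relay_domains_reject_code = 554
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
smtpd_recipient_restrictions =
    reject_multi_recipient_bounce,
    permit_mynetworks,
    reject_unauth_destination,
    permit
"""

# Constructed sample modelled on the mydestination thread.
CONF_MYDEST = """\
mydestination = mail.example.com, localhost.localdomain, localhost
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::1]/128 10.0.1.0/24
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
"""

def parse_postconf(text):
    """Parse `postconf -n` style text; indented lines continue the previous value."""
    conf, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and key:
            conf[key] += " " + line.strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            conf[key] = value.strip()
    return conf

def expand(conf, name, _seen=()):
    """Split a list-valued parameter and follow $name references.
    Assumption: parameters absent from the text are treated as empty."""
    out = []
    for item in conf.get(name, "").replace(",", " ").split():
        ref = item.lstrip("$").strip("{}")
        if item.startswith("$") and ref not in _seen:
            out += expand(conf, ref, _seen + (name,))
        else:
            out.append(item.lower())
    return out

def client_in_mynetworks(conf, client_ip):
    addr = ipaddress.ip_address(client_ip)
    for net in expand(conf, "mynetworks"):
        try:
            if addr in ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False):
                return True
        except ValueError:
            continue  # lookup tables such as hash:/... cannot be evaluated offline
    return False

def destination_authorized(conf, rcpt):
    """Return why the recipient domain is acceptable, or None if it is not."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    final = set()
    for param in ("mydestination", "virtual_alias_domains", "virtual_mailbox_domains"):
        final.update(expand(conf, param))
    if domain in final:  # exact match only: mail.example.com does not cover example.com
        return "final destination"
    for relay in expand(conf, "relay_domains"):
        if domain == relay or domain.endswith("." + relay):  # subdomains match
            return "relay domain"
    return None

def evaluate(conf, client_ip, rcpt, sasl_authenticated=False):
    """Walk smtpd_relay_restrictions, then smtpd_recipient_restrictions.
    Returns (SMTP reply code, parameter that rejected or None)."""
    local = client_in_mynetworks(conf, client_ip)
    authorized = destination_authorized(conf, rcpt)
    for param in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        for rule in expand(conf, param):
            if (rule == "permit" or (rule == "permit_mynetworks" and local)
                    or (rule == "permit_sasl_authenticated" and sasl_authenticated)):
                break  # a permit ends this list only; the next list still applies
            if rule == "defer_unauth_destination" and not authorized:
                return 454, param
            if rule == "reject_unauth_destination" and not authorized:
                return int(conf.get("relay_domains_reject_code", "554")), param
    return 250, None

if __name__ == "__main__":
    for label, text, ip, rcpt in (
        ("2.11 default relay list", CONF_454, "192.0.2.37", "user@example.net"),
        ("hostname in mydestination", CONF_MYDEST, "203.0.113.9", "me@example.com"),
    ):
        print(label, "->", evaluate(parse_postconf(text), ip, rcpt))
```

Feeding it the text of your own postconf -n shows which list answers first; restrictions the model does not know are skipped, so a 250 here only means that none of the five modelled rules rejected.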


Re: Relay Access Denied

2013-10-28 Thread Tim Legg
Attached is the postconf -n

I've also been reading the link that Dr. Venema sent me. Could it be that the 
mydestination is incorrect? Could it be:

mydestination = timothy.com, localhost.localdomain, localhost
myhostname = timothylegg.com

I haven't tried that yet, but I'm willing to try anything at this point.

I'm documenting the steps I'm doing as I set this up. I'm writing a howto 
document for this on wordpress to help out the next guy trying this out. I've 
been pretty disappointed with the quality of documents people have written so 
far for Ubuntu 12.04 LTS. Many claim to work, but actually don't nor do they 
include steps for testing your progress.

Yeah, my domain name is semi-munged. Just munged enough to fool most search 
engines. I don't mind if humans figure it out.

Thank you very much.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command = /usr/lib/dovecot/deliver -c 
/etc/dovecot/conf.d/01-mail-stack-delivery.conf -m ${EXTENSION}
mailbox_size_limit = 0
mydestination = mail.timothy.com, localhost.localdomain, localhost
myhostname = mail.timothy.com
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 10.0.1.0/24
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = reject_unknown_sender_domain, 
reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, 
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

- Original Message -
From: Mark Goodge
Sent: 10/25/13 03:46 AM
To: Postfix users
Subject: Re: Relay Access Denied

On 25/10/2013 09:19, Simon B wrote:

 This also assumes the OP has set up the DNS correctly. And if he's
 having trouble understanding how to fix relay access denied, I would
 suspect not, but I'll be happy to be wrong.

I suspect he has, as he showed extracts of his logs showing the mails
hitting his server and being rejected. If the DNS was wrong then they
wouldn't even get that far.

Anyway, given that we know the OP's name, it isn't hard to guess what
the semi-munged domain of 'timothy.com' really is :-) A little test
with dig and telnet does, indeed, return the outcome that he gave us. So
it's almost certainly a Postfix configuration error, not a DNS
configuration error.

 As others have said, we need postconf -n

Indeed.

Mark
--
My blog: http://mark.goodge.co.uk


Re: Relay Access Denied

2013-10-28 Thread Wietse Venema
Tim Legg:
 Attached is the postconf -n
 
 I've also been reading the link that Dr. Venema sent me. Could it
 be that the mydestination is incorrect? Could it be:
 
 mydestination = timothy.com, [other stuff]

This is necessary to deliver mail for usern...@timothy.com
with mailbox_command, as you appear to do.

It's also necessary that username is a UNIX system account.

 I haven't tried that yet, but I'm willing to try anything at this point.

It's a good idea to consult Postfix documentation while you work
your way through random writeups on the web.

Wietse


Re: Relay Access Denied

2013-10-28 Thread Daniele Nicolodi
On 28/10/2013 19:36, Tim Legg wrote:
 Attached is the postconf -n
  
 I've also been reading the link that Dr. Venema sent me.  Could it be
 that the mydestination is incorrect?  Could it be:
  
 mydestination = timothy.com, localhost.localdomain, localhost

However, your configuration contains something different:

 mydestination = mail.timothy.com, localhost.localdomain, localhost

This is one of the reasons postfix is not accepting mail for
timothy.com.


Best,
Daniele



Re: Relay Access Denied

2013-10-25 Thread Mark Goodge

On 24/10/2013 23:50, Tim Legg wrote:

Hello,
I'm not trying to do virtual domains.  Just trying to get it to work with
just one domain.  This time, I used this guide:
https://help.ubuntu.com/12.04/serverguide/postfix.html
I can telnet to my machine just fine on port 25.
I tried to send an e-mail from my address on mail.com to my own machine
to test it out. It bounced.  Below is the tail of my mail.log
postfix/smtpd[12344]: NOQUEUE: reject: RCPT from
mout.gmx.net[74.208.4.201]: 554 5.7.1 m...@timothy.com: Relay access
denied; from=timx...@mail.com to=m...@timothy.com proto=ESMTP
helo=mout.gmx.net
postfix/smtpd[12344]: disconnect from mout.gmx.net[74.208.4.201]


Then it would appear that you haven't actually followed that guide 
correctly. Under the Basic configuration section, it tells you how to 
configure Postfix to receive mail for your domain:


https://help.ubuntu.com/12.04/serverguide/postfix.html#postfix-configuration

At a guess, you haven't correctly replaced 'example.com' with 
'timothyxxx.com' when following those instructions. If you can show us 
the output from 'postconf -n' then I suspect we can confirm that.



I read about this error on other forums, but I had no idea what they
were talking about.  I just need to do what needs to be done to make it
work.  Unfortunately, on Ubuntu, postfix doesn't seem to work
out-of-the-box.


Postfix does work out of the box, in the sense that you don't need to 
add any plugins or do any advanced configuration to make it work. Where 
default settings are possible, then Postfix will work fine with the 
defaults. But there are some settings for which a default value is 
impossible because it will be different for every installation. Those 
settings have to be configured correctly. One of the most important is 
the list of domains in the 'mydestination' parameter.



I don't need to even relay mail, I just want my own
incoming mail to be delivered.  I don't get why this has to be so hard.


It isn't hard. It just requires the ability to read and follow simple 
instructions. If you think postfix is hard to understand, try exim, or 
sendmail :-)


Having said that, I'm not convinced that the Ubuntu Postfix 
documentation is as clear and easy to follow as it could be. Using 'sudo 
dpkg-reconfigure postfix' seems a rather unnecessarily obscure way of 
setting basic parameters; I'm pretty sure most people would do 'sudo vim 
/etc/postfix/main.cf' instead as that makes it a lot easier to see 
exactly what you need to change.


To be more specific about that, if you edit /etc/postfix/main.cf using 
vim (or your favourite text editor) then you'll see a line which looks 
like this:


mydestination = example.com, localhost.example.com, localhost

You need to make sure that it contains the domain you are receiving mail 
for, like this:


mydestination = timothyxxx.com, localhost.timothyxxx.com, localhost

(The 'localhost.timothyxxx.com' entry may be superfluous, or 
alternatively you may need to add other subdomains of your domain, but 
you can tweak that later if necessary).


Once you've set that correctly, reload Postfix and you should find it 
accepts mail correctly from the Internet. If it doesn't, follow up to 
this message with a copy of your output from 'postconf -n' and we can 
possibly give you some more clues.


Mark
--
My blog: http://mark.goodge.co.uk


Re: Relay Access Denied

2013-10-25 Thread Simon B
On 25 Oct 2013 09:51, Mark Goodge m...@good-stuff.co.uk wrote:

 On 24/10/2013 23:50, Tim Legg wrote:

 Hello,
 I'm not trying to do virtual domains.  Just trying to get it to work with
 just one domain.  This time, I used this guide:
 https://help.ubuntu.com/12.04/serverguide/postfix.html
 I can telnet to my machine just fine on port 25.
 I tried to send an e-mail from my address on mail.com to my own machine
 to test it out. It bounced.  Below is the tail of my mail.log
 postfix/smtpd[12344]: NOQUEUE: reject: RCPT from
 mout.gmx.net[74.208.4.201]: 554 5.7.1 m...@timothy.com: Relay access
 denied; from=timx...@mail.com to=m...@timothy.com proto=ESMTP
 helo=mout.gmx.net
 postfix/smtpd[12344]: disconnect from mout.gmx.net[74.208.4.201]


 Then it would appear that you haven't actually followed that guide
correctly. Under the Basic configuration section, it tells you how to
configure Postfix to receive mail for your domain:


https://help.ubuntu.com/12.04/serverguide/postfix.html#postfix-configuration

 At a guess, you haven't correctly replaced 'example.com' with '
timothyxxx.com' when following those instructions. If you can show us the
output from 'postconf -n' then I suspect we can confirm that.


 I read about this error on other forums, but I had no idea what they
 were talking about.  I just need to do what needs to be done to make it
 work.  Unfortunately, on Ubuntu, postfix doesn't seem to work
 out-of-the-box.


 Postfix does work out of the box, in the sense that you don't need to add
any plugins or do any advanced configuration to make it work. Where default
settings are possible, then Postfix will work fine with the defaults. But
there are some settings for which a default value is impossible because it
will be different for every installation. Those settings have to be
configured correctly. One of the most important is the list of domains in
the 'mydestination' parameter.


 I don't need to even relay mail, I just want my own
 incoming mail to be delivered.  I don't get why this has to be so hard.


 It isn't hard. It just requires the ability to read and follow simple
instructions. If you think postfix is hard to understand, try exim, or
sendmail :-)

 Having said that, I'm not convinced that the Ubuntu Postfix documentation
is as clear and easy to follow as it could be. Using 'sudo dpkg-reconfigure
postfix' seems a rather unnecessarily obscure way of setting basic
parameters; I'm pretty sure most people would do 'sudo vim /etc/postfix/
main.cf' instead as that makes it a lot easier to see exactly what you need
to change.

 To be more specific about that, if you edit /etc/postfix/main.cf using
vim (or your favourite text editor) then you'll see a line which looks like
this:

 mydestination = example.com, localhost.example.com, localhost

 You need to make sure that it contains the domain you are receiving mail
for, like this:

 mydestination = timothyxxx.com, localhost.timothyxxx.com, localhost

 (The 'localhost.timothyxxx.com' entry may be superfluous, or
alternatively you may need to add other subdomains of your domain, but you
can tweak that later if necessary).

 Once you've set that correctly, reload Postfix and you should find it
accepts mail correctly from the Internet. If it doesn't, follow up to this
message with a copy of your output from 'postconf -n' and we can possibly
give you some more clues.

This also assumes the OP has set up the DNS correctly.  And if he's having
trouble understanding how to fix relay access denied, I would suspect not,
but I'll be happy to be wrong.

As others have said, we need postconf -n

Simon


Re: Relay Access Denied

2013-10-25 Thread Mark Goodge

On 25/10/2013 09:19, Simon B wrote:


This also assumes the OP has set up the DNS correctly.  And if he's
having trouble understanding how to fix relay access denied, I would
suspect not, but I'll be happy to be wrong.


I suspect he has, as he showed extracts of his logs showing the mails 
hitting his server and being rejected. If the DNS was wrong then they 
wouldn't even get that far.


Anyway, given that we know the OP's name, it isn't hard to guess what 
the semi-munged domain of 'timothy.com' really is :-) A little test 
with dig and telnet does, indeed, return the outcome that he gave us. So 
it's almost certainly a Postfix configuration error, not a DNS 
configuration error.



As others have said, we need postconf -n


Indeed.

Mark
--
My blog: http://mark.goodge.co.uk


Re: Relay Access Denied

2013-10-24 Thread li...@rhsoft.net


On 25.10.2013 00:50, Tim Legg wrote:
 I tried to send an e-mail from my address on mail.com to my own machine to 
 test it out. It bounced.  Below is the
 tail of my mail.log
  
 postfix/smtpd[12344]: NOQUEUE: reject: RCPT from mout.gmx.net[74.208.4.201]: 
 554 5.7.1 m...@timothy.com: Relay
 access denied; from=timx...@mail.com to=m...@timothy.com proto=ESMTP 
 helo=mout.gmx.net
 postfix/smtpd[12344]: disconnect from mout.gmx.net[74.208.4.201]
  
 I read about this error on other forums, but I had no idea what they were 
 talking about.  I just need to do what
 needs to be done to make it work.  

output of postconf -n would be helpful

 Unfortunately, on Ubuntu, postfix doesn't seem to work out-of-the-box

it is impossible to work out of the box because without configuration
no MTA (not only) postfix knows what domains you are hosting nor how
to deliver messages to the mailboxes



Re: Relay Access Denied

2013-10-24 Thread Wietse Venema
Tim Legg:
 postfix/smtpd[12344]: NOQUEUE: reject: RCPT from
 mout.gmx.net[74.208.4.201]: 554 5.7.1 m...@timothy.com: Relay
 access denied; from=timx...@mail.com to=m...@timothy.com
 proto=ESMTP helo=mout.gmx.net
 postfix/smtpd[12344]: disconnect from mout.gmx.net[74.208.4.201]
 
 I read about this error on other forums, but I had no idea what
 they were talking about. I just need to do what needs to be done
 to make it work. Unfortunately, on Ubuntu, postfix doesn't seem
 to work out-of-the-box. I don't need to even relay mail, I just
 want my own incoming mail to be delivered. I don't get why this
 has to be so hard.

*Someone* needs to tell Postfix that it should receive mail for
timothy.com. 

There is no way that Postfix will figure out that by itself.

http://www.postfix.org/BASIC_CONFIGURATION_README.html

Wietse


Re: Relay access denied on submission?

2013-08-26 Thread LuKreme

On 26 Aug 2013, at 16:47 , LuKreme krem...@kreme.com wrote:

 postfix/smtpd[4289]: Anonymous TLS connection established from 
 mobile-166-147-083-103.mycingular.net[166.147.83.103]: TLSv1 with cipher 
 ECDHE-RSA-AES256-SHA (256/256 bits)
 
 mail postfix/smtpd[4289]: NOQUEUE: reject: RCPT from 
 mobile-166-147-083-103.mycingular.net[166.147.83.103]: 454 4.7.1 
 *munged*@mac.com: Relay access denied; from=krem...@kreme.com 
 to=*munged*@mac.com proto=ESMTP helo=[10.33.25.94]
 
 postfix/smtpd[4289]: disconnect from 
 mobile-166-147-083-103.mycingular.net[166.147.83.103]

Doh. Never mind. I was not connecting to the submission port.

'sall working properly if I connect to the right port.

-- 
This was music that had not only escaped but had robbed a bank on the
way out. It was music with its sleeves rolled up and its top button
undone, raising its hat and grinning and stealing the silver.  It was
music that went down to the feet by way of the pelvis without paying a
call on Mr. Brain. --Soul Music



Re: Relay access denied

2013-03-12 Thread Viktor Dukhovni
http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_to
http://www.postfix.org/DEBUG_README.html#mail

-- 
Viktor.


Re: relay access denied

2013-01-23 Thread Noel Jones
On 1/23/2013 11:11 AM, Bernics Gábor | Penta Unió Zrt. wrote:
 Hello,
 
 I get 554 5.7.1-t (relay access denied) when I will use my server
 for smarthost out mynetwork.


To report a problem, please see
http://www.postfix.org/DEBUG_README.html#mail






Re: relay access denied

2013-01-23 Thread Bernics Gábor | Penta Unió Zrt .

thanks

postfix log:

xx.xxx.xx[89.135.xxx.xx]: 554 5.7.1 i...@xxx.hu: Relay access denied;

postconf:

http://pastebin.com/YSFbKDjw

On 2013-01-23 18:49, Noel Jones wrote:


On 1/23/2013 11:11 AM, Bernics Gábor | Penta Unió Zrt. wrote:

Hello, I get 554 5.7.1-t (relay access denied) when I will use my 
server for smarthost out mynetwork.


To report a problem, please see
http://www.postfix.org/DEBUG_README.html#mail [1]





Re: relay access denied

2013-01-23 Thread Noel Jones
On 1/23/2013 12:12 PM, Bernics Gábor | Penta Unió Zrt. wrote:
 thanks
 
 postfix log:
 
 xx.xxx.xx[89.135.xxx.xx]: 554 5.7.1 i...@xxx.hu: Relay access denied;
 
 postconf:
 
 http://pastebin.com/YSFbKDjw


Sorry, there is no useful information here.


Please do not top-post.

Please post the full log entry, not snippings.

Please post postconf -n in-line, not 600+ lines of full postconf
to an external site.

Please explain what you're trying to do, and point out the unwanted
behavior.



  -- Noel Jones


Re: relay access denied

2013-01-23 Thread Bernics Gábor | Penta Unió Zrt .

On 2013-01-23 19:43, Noel Jones wrote:

On 1/23/2013 12:12 PM, Bernics Gábor | Penta Unió Zrt. wrote:

thanks

postfix log:

xx.xxx.xx[89.135.xxx.xx]: 554 5.7.1 i...@xxx.hu: Relay access 
denied;


postconf:

http://pastebin.com/YSFbKDjw



Sorry, there is no useful information here.


Please do not top-post.

Please post the full log entry, not snippings.

Please post postconf -n in-line, not 600+ lines of full postconf
to an external site.

Please explain what you're trying to do, and point out the unwanted
behavior.



  -- Noel Jones



full log:

http://pastebin.com/k5fS8ujZ

error log:

http://pastebin.com/xGXtnL5T

postconf -n

http://pastebin.com/tHXWZGxC

I will use my server to authenticated smarthost.
The clients aren't in my network.

--
Respectfully,

Bernics Gábor
IT specialist

Penta Unió Zrt.

Mobile: 30/389-2627
E-mail: i...@penta.hu





Re: relay access denied

2013-01-23 Thread Larry Stone

On Wed, 23 Jan 2013, Bernics Gábor | Penta Unió Zrt. wrote:


Please post postconf -n in-line, not 600+ lines of full postconf
to an external site.


In-line means in the body of your message, not via pastebin or other 
websites.



postconf -n

http://pastebin.com/tHXWZGxC


And if you actually compared what's here vs. what you posted in your 
first message (presumably from main.cf), you'd see that there is no 
definition of smtpd_recipient_restrictions because you misspelled 
restrictions.


It is because of these kinds of errors that it is asked that you post 
postconf -n output, not main.cf contents (in other words, the 
configuration postfix is actually using, not the one you think it is 
using).


-- Larry Stone
   lston...@stonejongleux.com


Re: relay access denied

2013-01-23 Thread Stan Hoeppner
On 1/23/2013 12:12 PM, Bernics Gábor | Penta Unió Zrt. wrote:
 thanks
 
 postfix log:
 
 xx.xxx.xx[89.135.xxx.xx]: 554 5.7.1 i...@xxx.hu: Relay access denied;
 
 postconf:
 
 http://pastebin.com/YSFbKDjw

'postconf -n' NOT 'postconf -d'


-- 
Stan



Re: relay access denied

2013-01-23 Thread Bernics Gábor | Penta Unió Zrt .

On 2013-01-24 6:21, Stan Hoeppner wrote:

On 1/23/2013 12:12 PM, Bernics Gábor | Penta Unió Zrt. wrote:

thanks

postfix log:

xx.xxx.xx[89.135.xxx.xx]: 554 5.7.1 i...@xxx.hu: Relay access 
denied;


postconf:

http://pastebin.com/YSFbKDjw


'postconf -n' NOT 'postconf -d'


thanks everyone

I corrected the recipient restrictions, it works.

Have a nice day!

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_size_limit = 1500
config_directory = /etc/postfix
debug_peer_level = 4
inet_interfaces = all
mailbox_command = procmail -a $EXTENSION
mailbox_size_limit = 0
mailbox_transport = dovecot
message_size_limit = 1500
mydestination = localhost, localhost.localdomain
myhostname = mail.penta.hu
mynetworks = 127.0.0.0/8  xxx.xxx.xxx.xxx
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_destination_rate_delay = 10s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,			   
permit_sasl_authenticated,			   reject_unauth_destination,			   
reject_rbl_client bl.spamcop.net,			   reject_rbl_client 
sbl-xbl.spamhaus.org			   reject_non_fqdn_hostname,			   
reject_unknown_hostname,			   reject_invalid_hostname,			   
reject_non_fqdn_recipient			   check_policy_service 
inet:127.0.0.1:6,			   permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_domains =
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_forwardings.cf,
   mysql:/etc/postfix/mysql-virtual_email2email.cf

virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

--
Respectfully,

Bernics Gábor
IT specialist

Penta Unió Zrt.

Mobile: 30/389-2627
E-mail: i...@penta.hu


Re: Relay access denied

2013-01-18 Thread Ansgar Wiechers
On 2013-01-17 Muzaffer wrote:
 On 17 January 2013 18:40, Ansgar Wiechers li...@planetcobalt.net wrote:
 On 2013-01-17 Muzaffer wrote:
 I've just found out a virtual file in the format u...@example.com
 example doesn't work with virtual_alias_domains. Guess I need to
 find another solution.

 Please describe in more detail what you're trying to achieve. Given
 this little information it's highly unlikely anyone could come up
 with a satisfactory solution/recommendation.
 
 I'm running a server with Virtualmin, and I'd like to be able to
 automate the generation of $virtual_alias_domains. If there is no way
 other than adding them manually, that is also not desired but fine.

$virtual_alias_domains is just a list of domains. This is most trivial
to automate. The real question is: which source is providing that list?

Judging from your comment above you probably don't want just the virtual
alias domains, but also a list/mapping of valid recipients for those
domains. Is that correct?

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Relay access denied

2013-01-18 Thread Muzaffer
On 18 January 2013 12:15, Ansgar Wiechers li...@planetcobalt.net wrote:

 On 2013-01-17 Muzaffer wrote:
  On 17 January 2013 18:40, Ansgar Wiechers li...@planetcobalt.net
 wrote:
  On 2013-01-17 Muzaffer wrote:
  I've just found out a virtual file in the format u...@example.com
  example doesn't work with virtual_alias_domains. Guess I need to
  find another solution.
 
  Please describe in more detail what you're trying to achieve. Given
  this little information it's highly unlikely anyone could come up
  with a satisfactory solution/recommendation.
 
  I'm running a server with Virtualmin, and I'd like to be able to
  automate the generation of $virtual_alias_domains. If there is no way
  other than adding them manually, that is also not desired but fine.

 $virtual_alias_domains is just a list of domains. This is most trivial
 to automate. The real question is: which source is providing that list?

 Judging from your comment above you probably don't want just the virtual
 alias domains, but also a list/mapping of valid recipients for those
 domains. Is that correct?

 Regards
 Ansgar Wiechers


I've got that covered, it seems I have to put both domains and aliases in
the same file, setting virtual_alias_domains = $virtual_alias_maps, and
setting virtual_alias_maps = hash:/etc/postfix/virtual

Thanks and regards,

--
 Abstractions save us time working, but they don't save us time learning.
 --Joel Spolsky



Re: Relay access denied

2013-01-17 Thread Noel Jones
On 1/17/2013 3:58 AM, Muzaffer wrote:
 Hi,
 
 Is there a simpler way of making postfix accept mail for all the
 domains I'm hosting, than adding them one by one to
 $virtual_alias_domains?
 
 Regards,

In addition to listing the domains in main.cf, postfix can read from
an sql database or from an indexed file.  If you have lots of
frequently-changing domains, you are expected to generate this list
automatically or use a shared db.


  -- Noel Jones


Re: Relay access denied

2013-01-17 Thread Muzaffer
On 17 January 2013 16:17, Noel Jones njo...@megan.vbhcs.org wrote:

 On 1/17/2013 3:58 AM, Muzaffer wrote:
  Hi,
 
  Is there a simpler way of making postfix accept mail for all the
  domains I'm hosting, than adding them one by one to
  $virtual_alias_domains?
 
  Regards,

 In addition to listing the domains in main.cf, postfix can read from
 an sql database or from an indexed file.  If you have lots of
 frequently-changing domains, you are expected to generate this list
 automatically or use a shared db.


   -- Noel Jones


I've just found out a virtual file in the format u...@example.com example
doesn't work with virtual_alias_domains. Guess I need to find another
solution.


Re: Relay access denied

2013-01-17 Thread Ansgar Wiechers
On 2013-01-17 Muzaffer wrote:
 On 17 January 2013 16:17, Noel Jones njo...@megan.vbhcs.org wrote:
 On 1/17/2013 3:58 AM, Muzaffer wrote:
 Is there a simpler way of making postfix accept mail for all the
 domains I'm hosting, than adding them one by one to
 $virtual_alias_domains?

 In addition to listing the domains in main.cf, postfix can read from
 an sql database or from an indexed file.  If you have lots of
 frequently-changing domains, you are expected to generate this list
 automatically or use a shared db.
 
 I've just found out a virtual file in the format u...@example.com
 example doesn't work with virtual_alias_domains. Guess I need to find
 another solution.

Please describe in more detail what you're trying to achieve. Given this
little information it's highly unlikely anyone could come up with a
satisfactory solution/recommendation.

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


Re: Relay access denied

2013-01-17 Thread Noel Jones
On 1/17/2013 10:28 AM, Muzaffer wrote:
 
 
 On 17 January 2013 16:17, Noel Jones njo...@megan.vbhcs.org
 mailto:njo...@megan.vbhcs.org wrote:
 
 On 1/17/2013 3:58 AM, Muzaffer wrote:
  Hi,
 
  Is there a simpler way of making postfix accept mail for all the
  domains I'm hosting, than adding them one by one to
  $virtual_alias_domains?
 
  Regards,
 
 In addition to listing the domains in main.cf http://main.cf,
 postfix can read from
 an sql database or from an indexed file.  If you have lots of
 frequently-changing domains, you are expected to generate this list
 automatically or use a shared db.
 
 
   -- Noel Jones
 
 
 I've just found out a virtual file in the format u...@example.com
 mailto:u...@example.com example doesn't work with
 virtual_alias_domains. Guess I need to find another solution.


The supported format is documented.
http://www.postfix.org/VIRTUAL_README.html#virtual_alias
http://www.postfix.org/postconf.5.html#virtual_alias_domains


If you need more help, you'll need to describe your problem in more
detail.  To report a problem, please see
http://www.postfix.org/DEBUG_README.html#mail




  -- Noel Jones


Re: Relay access denied

2013-01-17 Thread Muzaffer
On 17 January 2013 18:40, Ansgar Wiechers li...@planetcobalt.net wrote:

 On 2013-01-17 Muzaffer wrote:
  On 17 January 2013 16:17, Noel Jones njo...@megan.vbhcs.org wrote:
  On 1/17/2013 3:58 AM, Muzaffer wrote:
  Is there a simpler way of making postfix accept mail for all the
  domains I'm hosting, than adding them one by one to
  $virtual_alias_domains?
 
  In addition to listing the domains in main.cf, postfix can read from
  an sql database or from an indexed file.  If you have lots of
  frequently-changing domains, you are expected to generate this list
  automatically or use a shared db.
 
  I've just found out a virtual file in the format u...@example.com
  example doesn't work with virtual_alias_domains. Guess I need to find
  another solution.

 Please describe in more detail what you're trying to achieve. Given this
 little information it's highly unlikely anyone could come up with a
 satisfactory solution/recommendation.


I'm running a server with Virtualmin, and I'd like to be able to automate
the generation of $virtual_alias_domains. If there is no way other than
adding them manually, that is also not desired but fine.

Regards,
Muzaffer,


 Regards
 Ansgar Wiechers
 --
 Abstractions save us time working, but they don't save us time learning.
 --Joel Spolsky



Re: Relay access denied problem

2012-03-06 Thread Larry Stone

On Mar 5, 2012, at 8:41 PM, David Renstrom wrote:

 Hi,
 
 I've set up a mail server with Postfix and Dovecot using virtual mailboxes.
 I'm now trying to get mailman to work together with Postfix which has turned
 out to be harder than I thought. :(

...

 I think I have entered everything correctly in main.cf but I'm not sure. The
 file /etc/postfix/transport (used for transport_maps) directs incoming list
 emails to the local delivery agent. See further down for the current
 configuration.


This part is more appropriate to the Mailman list but why are you sending list 
mail to the local delivery agent? Standard Mailman practice is to use aliases 
to pipe list mail to Mailman. That you're doing it via a transport map suggests 
that you're not following Mailman documentation and that there may be other 
things you have done non-standard which may be related to your relay denied 
problem.

-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/





Re: Relay access denied problem

2012-03-05 Thread /dev/rob0
On Tue, Mar 06, 2012 at 03:41:08AM +0100, David Renstrom wrote:
 Date: Tue, 6 Mar 2012 03:41:08 +0100
 From: David Renstrom da...@davidrenstrom.com
 To: postfix-users@postfix.org
 Subject: Relay access denied problem
 X-Mailer: Microsoft Office Outlook 11
 
 Hi,
 
 I've set up a mail server with Postfix and Dovecot using virtual mailboxes.
 I'm now trying to get mailman to work together with Postfix which has turned
 out to be harder than I thought. :(
 
 Postfix always logs the error Relay access denied when mailman is trying
 to deliver an email to a list member (see log below).
 
 I think I have entered everything correctly in main.cf but I'm not sure. The
 file /etc/postfix/transport (used for transport_maps) directs incoming list
 emails to the local delivery agent. See further down for the current
 configuration.
 
 I might be completely wrong, but it seems as if mailman is trying to contact
 Postfix using IPv6. Is this correct?
 
 Log file snippet:
 
 Mar  6 02:12:42 rus01 postfix/smtpd[14091]: connect from unknown[::1]
 Mar  6 02:12:42 rus01 postfix/smtpd[14091]: NOQUEUE: reject: RCPT from
 unknown[::1]: 554 5.7.1 da...@anotherdomain.se: Relay access denied;
 from=testlist-boun...@mydomain.se to=da...@anotherdomain.se proto=ESMTP
 helo=[127.0.0.1]
 Mar  6 02:12:42 rus01 postfix/smtpd[14091]: disconnect from unknown[::1]
 
 Output from postconf -n:
 alias_database = hash:/etc/aliases
 alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
 broken_sasl_auth_clients = yes command_directory = /usr/sbin
 config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix
 data_directory = /var/lib/postfix debug_peer_level = 2 disable_vrfy_command
 = yes home_mailbox = /var/spool/mail/user html_directory = no
 inet_interfaces = all inet_protocols = all invalid_hostname_reject_code =
 450 local_transport = virtual mail_owner = postfix mail_spool_directory =
 /var/spool/mail mailq_path = /usr/bin/mailq.postfix manpage_directory =
 /usr/share/man maps_rbl_reject_code = 450 mydestination = $myhostname
 localhost.$mydomain localhost mydomain = mydomain.se myhostname =
 host01.mydomain.se mynetworks = 127.0.0.1 mynetworks_style = host myorigin =
 $mydomain newaliases_path = /usr/bin/newaliases.postfix non_fqdn_reject_code
 = 450 queue_directory = /var/spool/postfix readme_directory =
 /usr/share/doc/postfix-2.8.7/README_FILES
 recipient_delimiter = +
 relay_domains = $mydestination
 sample_directory = /usr/share/doc/postfix-2.8.7/samples
 sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop
 smtpd_client_restrictions = permit_mynetworks permit smtpd_helo_required =
 yes smtpd_recipient_restrictions = permit_mynetworks
 permit_sasl_authenticated reject_unauth_destination permit
 smtpd_sasl_auth_enable = yes smtpd_sasl_path = private/auth
 smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot
 soft_bounce = no transport_maps = hash:/etc/postfix/transport
 unknown_local_recipient_reject_code = 550 virtual_alias_maps =
 hash:/etc/mailman/virtual-mailman, mysql:/etc/postfix/virtual_alias_maps.cf
 virtual_gid_maps = static:12
 virtual_mailbox_base = /var/vmail
 virtual_mailbox_domains = mysql:/etc/postfix/virtual_domains_maps.cf
 virtual_mailbox_maps = mysql:/etc/postfix/virtual_mailbox_maps.cf
 virtual_minimum_uid = 101
 virtual_transport = dovecot
 virtual_uid_maps = static:101
 
 I'm getting crazy over here, so please help! :-)
 
 Cheers,
 /David R.
 

-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: Relay access denied problem

2012-03-05 Thread /dev/rob0
Apologies for the misfire. Here's a real post. :)

On Tue, Mar 06, 2012 at 03:41:08AM +0100, David Renstrom wrote:
 I've set up a mail server with Postfix and Dovecot using virtual 
 mailboxes. I'm now trying to get mailman to work together with 
 Postfix which has turned out to be harder than I thought. :(
 
 Postfix always logs the error Relay access denied when mailman
 is trying to deliver an email to a list member (see log below).
 
 I think I have entered everything correctly in main.cf but I'm not 
 sure. The file /etc/postfix/transport (used for transport_maps) 
 directs incoming list emails to the local delivery agent.

Ugly. Why not just use mydestination and leave local_transport as 
intended?

 See further down for the current configuration.
 
 I might be completely wrong, but it seems as if mailman is trying 
 to contact Postfix using IPv6. Is this correct?

Completely right, and that is in fact the problem.

 Log file snippet:
 
 Mar  6 02:12:42 rus01 postfix/smtpd[14091]: connect from unknown[::1]
 Mar  6 02:12:42 rus01 postfix/smtpd[14091]: NOQUEUE: reject: RCPT from
 unknown[::1]: 554 5.7.1 da...@anotherdomain.se: Relay access denied;
 from=testlist-boun...@mydomain.se to=da...@anotherdomain.se proto=ESMTP
 helo=[127.0.0.1]
 Mar  6 02:12:42 rus01 postfix/smtpd[14091]: disconnect from unknown[::1]
 
 Output from postconf -n:

In that jumble, I found this: mynetworks = 127.0.0.1. A solution 
(among many possible) is to remove that, thus allowing your setting 
mynetworks_style = host to define $mynetworks.

Why Mailman is using IPv6 but a EHLO of [127.0.0.1] is a matter for 
Mailman documentation/support.

 alias_database = hash:/etc/aliases
 alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
 broken_sasl_auth_clients = yes command_directory = /usr/sbin
 config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix
 data_directory = /var/lib/postfix debug_peer_level = 2 disable_vrfy_command
 = yes home_mailbox = /var/spool/mail/user html_directory = no
 inet_interfaces = all inet_protocols = all invalid_hostname_reject_code =
 450 local_transport = virtual mail_owner = postfix mail_spool_directory =
 /var/spool/mail mailq_path = /usr/bin/mailq.postfix manpage_directory =
 /usr/share/man maps_rbl_reject_code = 450 mydestination = $myhostname
 localhost.$mydomain localhost mydomain = mydomain.se myhostname =
 host01.mydomain.se mynetworks = 127.0.0.1 mynetworks_style = host myorigin =
 $mydomain newaliases_path = /usr/bin/newaliases.postfix non_fqdn_reject_code
 = 450 queue_directory = /var/spool/postfix readme_directory =
 /usr/share/doc/postfix-2.8.7/README_FILES
 recipient_delimiter = +
 relay_domains = $mydestination
 sample_directory = /usr/share/doc/postfix-2.8.7/samples
 sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop
 smtpd_client_restrictions = permit_mynetworks permit smtpd_helo_required =
 yes smtpd_recipient_restrictions = permit_mynetworks
 permit_sasl_authenticated reject_unauth_destination permit
 smtpd_sasl_auth_enable = yes smtpd_sasl_path = private/auth
 smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot
 soft_bounce = no transport_maps = hash:/etc/postfix/transport
 unknown_local_recipient_reject_code = 550 virtual_alias_maps =
 hash:/etc/mailman/virtual-mailman, mysql:/etc/postfix/virtual_alias_maps.cf
 virtual_gid_maps = static:12
 virtual_mailbox_base = /var/vmail
 virtual_mailbox_domains = mysql:/etc/postfix/virtual_domains_maps.cf
 virtual_mailbox_maps = mysql:/etc/postfix/virtual_mailbox_maps.cf
 virtual_minimum_uid = 101
 virtual_transport = dovecot
 virtual_uid_maps = static:101
 
 I'm getting crazy over here, so please help! :-)

If you want to repost that with proper newlines, I'll nitpick the 
rest of it. But here's your solution.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: Relay access denied issue

2011-08-12 Thread Jeroen Geilman

On 2011-08-12 09:00, Marco van Kammen wrote:


Dear List,

Very basic relaying setup.

Mail coming in from specific range of servers is allowed and forwarded 
to their final destinations.


Postfix 2.3.3



Consider upgrading; this version is no longer supported.


postconf -n

alias_database = hash:/etc/aliases

alias_maps = hash:/etc/aliases

command_directory = /usr/sbin

config_directory = /etc/postfix

daemon_directory = /usr/libexec/postfix

debug_peer_level = 2

html_directory = no

inet_interfaces = all

mail_owner = postfix

mailq_path = /usr/bin/mailq.postfix

manpage_directory = /usr/share/man

mydestination = $myhostname, localhost.$mydomain, localhost

newaliases_path = /usr/bin/newaliases.postfix

queue_directory = /var/spool/postfix

readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES

sample_directory = /usr/share/doc/postfix-2.3.3/samples

sendmail_path = /usr/sbin/sendmail.postfix

setgid_group = postdrop

unknown_local_recipient_reject_code = 550

/etc/postfix/access

/etc/postfix/access.db

10.35.0.0/16    OK



This database is not referenced anywhere.


Most servers within the 10.35.0.0/16 range are allowed just fine..

Mail from one specific ip keeps bouncing:

Aug 11 14:22:33 serverX postfix/smtpd[28348]: NOQUEUE: reject: RCPT 
from serverX.is.local[10.35.10.34]: 554 5.7.1 exter...@domain.com: 
Relay access denied; from=inter...@domain.com 
to=exter...@domain.com proto=ESMTP helo=serverX


I'm pretty sure I'm missing something very simple, but I just can't 
see it!




To RELAY mail through postfix, one of the following must be true:

- either the recipient domain appears in relay_domains, OR
- the source IP(s) appear in mynetworks, OR
- there is a client access map that is actually applied somewhere.

I don't see any of the above happening; this means the default for 
mynetworks is used: the IP of the postfix server, and the smallest IP 
range it is a member of.


Since you say this concerns a known set of internal IPs, use the following:

mynetworks = 127.0.0.1/8 10.35.0.0/16

and verify that:

smtpd_recipient_restrictions = permit_mynetworks, 
reject_unauth_destination


http://www.postfix.org/postconf.5.html#mynetworks
http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

If this server is accessible from the outside, those restrictions are 
NOT sufficient: http://www.postfix.org/SMTPD_ACCESS_README.html



--
J.
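
An added example, not code from any poster in this thread: a small Python diagnostic that applies the conditions listed in the replies above (client in mynetworks, or recipient domain handled by this server) to a "Relay access denied" log line, including the IPv6 loopback case from the Mailman thread. The log lines, full addresses and function names are constructed for illustration; SASL state is not visible in the reject line and is not evaluated, and domain matching is exact only.

```python
import ipaddress
import re

# Matches the smtpd reject line quoted throughout this thread. Real Postfix
# logs wrap addresses in <>, which the list archive stripped.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"[45]54 [45]\.7\.1 <(?P<rcpt>[^>]+)>: Relay access denied"
)


def parse_mynetworks(value):
    """Turn a mynetworks value into a list of ipaddress networks.

    Accepts comma/whitespace separated items, bare addresses, CIDR blocks
    and the bracketed IPv6 form Postfix uses, e.g. [::1]/128.
    """
    nets = []
    for item in re.split(r"[,\s]+", value.strip()):
        if item:
            item = item.replace("[", "").replace("]", "")
            # strict=False tolerates host bits, as in 127.0.0.1/8
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def explain_reject(line, mynetworks, local_domains):
    """Explain one reject line; returns None if the line is not a relay reject.

    local_domains stands in for every domain this server is the destination
    for (mydestination, relay_domains, virtual_*_domains); assumption: exact
    match, no subdomain matching.
    """
    m = REJECT_RE.search(line)
    if m is None:
        return None
    try:
        client = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    nets = parse_mynetworks(mynetworks)
    in_mynetworks = any(
        n.version == client.version and client in n for n in nets
    )
    # True when mynetworks has entries, but none for the client's family
    family_mismatch = bool(nets) and all(
        n.version != client.version for n in nets
    )
    domain = m.group("rcpt").rpartition("@")[2].lower()
    authorized = domain in {d.lower() for d in local_domains}

    if in_mynetworks:
        hint = ("client is trusted: check that permit_mynetworks comes before "
                "reject_unauth_destination and that the parameter is smtpd_*")
    elif family_mismatch:
        hint = (f"client connected over IPv{client.version} but mynetworks "
                f"has no IPv{client.version} entry")
    else:
        hint = ("client is outside mynetworks: add its network only if you "
                "control it, otherwise require SASL authentication")
    return {
        "client": str(client),
        "recipient_domain": domain,
        "in_mynetworks": in_mynetworks,
        "family_mismatch": family_mismatch,
        "authorized_destination": authorized,
        "hint": hint,
    }


# Constructed sample lines modelled on the two logs quoted in this thread.
LINE_V6 = (
    "Mar  6 02:12:42 rus01 postfix/smtpd[14091]: NOQUEUE: reject: RCPT from "
    "unknown[::1]: 554 5.7.1 <user@anotherdomain.se>: Relay access denied; "
    "from=<testlist-bounces@mydomain.se> to=<user@anotherdomain.se> "
    "proto=ESMTP helo=<[127.0.0.1]>"
)
LINE_V4 = (
    "Aug 11 14:22:33 serverX postfix/smtpd[28348]: NOQUEUE: reject: RCPT from "
    "serverX.is.local[10.35.10.34]: 554 5.7.1 <external@domain.com>: Relay "
    "access denied; from=<internal@domain.com> to=<external@domain.com> "
    "proto=ESMTP helo=<serverX>"
)

if __name__ == "__main__":
    cases = [
        (LINE_V6, "127.0.0.1", ["mydomain.se"]),
        (LINE_V6, "127.0.0.0/8 [::1]/128", ["mydomain.se"]),
        (LINE_V4, "127.0.0.0/8 10.35.20.0/24", ["is.local"]),
        (LINE_V4, "127.0.0.1/8 10.35.0.0/16", ["is.local"]),
    ]
    for line, nets, domains in cases:
        result = explain_reject(line, nets, domains)
        print(f"mynetworks={nets!r}: {result['client']} -> {result['hint']}")
```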



Re: Relay access denied

2011-06-16 Thread Benny Pedersen

On Sat, 28 May 2011 12:27:21 +0200, Reindl Harald wrote:

On 28.05.2011 12:22, Wojciech Giel wrote:

May 28 11:00:18 badger postfix/smtpd[19869]: connect from 
MYISPDOMAINHOST[10.10.10.10]
May 28 11:00:18 badger postfix/smtpd[19869]: NOQUEUE: reject: RCPT 
from MYISPDOMAINHOST[10.10.10.10.]: 554 5.7.1
some.u...@gmail.com: Relay access denied; 
from=freddie.kru...@my.example.com to=some.u...@gmail.com

proto=ESMTP helo=[192.168.1.2]


there is no line about authentication, so this is what postfix should 
do!


reject per default from rfc1918 ? :-)



Re: Relay access denied

2011-05-28 Thread Reindl Harald


On 28.05.2011 12:22, Wojciech Giel wrote:

 May 28 11:00:18 badger postfix/smtpd[19869]: connect from 
 MYISPDOMAINHOST[10.10.10.10]
 May 28 11:00:18 badger postfix/smtpd[19869]: NOQUEUE: reject: RCPT from 
 MYISPDOMAINHOST[10.10.10.10.]: 554 5.7.1
 some.u...@gmail.com: Relay access denied; 
 from=freddie.kru...@my.example.com to=some.u...@gmail.com
 proto=ESMTP helo=[192.168.1.2]

there is no line about authentication, so this is what postfix should do!





Re: Relay access denied

2011-05-28 Thread Stan Hoeppner
On 5/28/2011 5:22 AM, Wojciech Giel wrote:

 when I'm sending mail from my domain, localhost, to external recipients
 it works fine but when I'm trying to send from home (my isp domain) I get

I'm guessing you didn't enable the 587 listener in master.cf, which is
what enables authenticated submission.  If you haven't already,
un-comment the following line, and restart Postfix.

#587  inet  n   -   n   -   -   smtpd

Configure your MUA to relay to your server's hostname or IP address on
TCP 587.  In Tbird this is called Outgoing Server (SMTP).

What is?

 relayhost = main_parent_domain_gateway

Where exactly is your Debian/Postfix server box located?  Is it also at
home or in a colo/ISP facility?

-- 
Stan


Re: Relay access denied

2011-05-28 Thread Wojciech Giel

On 28/05/11 12:13, Stan Hoeppner wrote:

On 5/28/2011 5:22 AM, Wojciech Giel wrote:

when I'm sending mail from my domain, localhost, to external 
recipients
it works fine but when I'm trying to send from home (my isp domain) 
I get


I'm guessing you didn't enable the 587 listener in master.cf, which 
is

what enables authenticated submission.  If you haven't already,
un-comment the following line, and restart Postfix.

#587  inet  n   -   n   -   -   smtpd

Configure your MUA to relay to your server's hostname or IP address 
on

TCP 587.  In Tbird this is called Outgoing Server (SMTP).

submission inet n   -   -   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

netstat -ntlp
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      21406/master


thunderbird has 587 + authentication configured. when i'm at work in 
my domain sending to local and external users works. with the same 
configuration when i'm connecting from home I can send only to local 
users but not to users in different domains.


What is?


relayhost = main_parent_domain_gateway


Where exactly is your Debian/Postfix server box located?  Is it also 
at

home or in a colo/ISP facility?

I'm working at the university so my department has separate mail 
server and domain. so sending to outside world i have to do using main 
university server.

thanks


Re: Relay access denied

2011-05-28 Thread Ralf Hildebrandt
* Wojciech Giel wojciech.g...@cimr.cam.ac.uk:

 my main.cnf

Show postconf -n output please.
And postfix logs.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Relay access denied

2011-05-28 Thread Wojciech Giel

I think I found what was the problem:
was
smtp_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

now
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

I will test from different location. Thanks for any help.
Wojciech


On 28/05/11 12:13, Stan Hoeppner wrote:

On 5/28/2011 5:22 AM, Wojciech Giel wrote:


when I'm sending mail from my domain, localhost, to external recipients
it works fine but when I'm trying to send from home (my isp domain) I get

I'm guessing you didn't enable the 587 listener in master.cf, which is
what enables authenticated submission.  If you haven't already,
un-comment the following line, and restart Postfix.

#587  inet  n   -   n   -   -   smtpd

Configure your MUA to relay to your server's hostname or IP address on
TCP 587.  In Tbird this is called Outgoing Server (SMTP).

What is?


relayhost = main_parent_domain_gateway

Where exactly is your Debian/Postfix server box located?  Is it also at
home or in a colo/ISP facility?





Re: Relay Access Denied

2011-05-28 Thread mouss
On 27/05/2011 09:40, Kurniawan Junaidy wrote:
 Hi folks,
 
 I am not able to send email through my postfix server by using any
 external ip, but ok from my internal ip. The file says about Relay
 Access Denied 554 5.7.1. How to fix this?
 

it's already fixed! this prevents your server from becoming an open relay.

to send mail to external domains via your postfix server, you need either
- send from trusted IP addresses, such as internal IPs. this is what
mynetworks is for. do not add IPs that you don't control.

- authenticate using SASL. check the SASL_README. if you use clear text
passwords, then you should also use TLS. see the TLS_README.



Re: Relay Access Denied

2011-05-27 Thread Thomas Berger
Hi Kurniawan, 

this is the default. Please have a look at the great docs: 
http://www.postfix.org/SMTPD_ACCESS_README.html

Greetings, 
Thomas

On Friday, 27 May 2011, 09:40:24, Kurniawan Junaidy wrote:
 Hi folks,
 
 I am not able to send email through my postfix server by using any 
 external ip, but ok from my internal ip. The file says about Relay 
 Access Denied 554 5.7.1. How to fix this?
 
 Thanks.
 
 regards,
 Kurniawan



Re: Relay Access Denied

2011-05-27 Thread Nikolaos Milas

On 27/5/2011 10:42 AM, Thomas Berger wrote:


Hi Kurniawan,

this is the default. Please have a look at the great docs: 
http://www.postfix.org/SMTPD_ACCESS_README.html



In two words: Do not open access to external IP addresses (except 
perhaps particular trusted ones!) unless you restrict access with 
required authentication and (preferably) TLS. Otherwise you'll become an 
open relay and in no time a spam bot (typical story).


Good luck,
Nick





Re: Relay access denied

2011-02-14 Thread Stan Hoeppner
Georg Schönweger put forth on 2/14/2011 1:59 AM:
 Hi,
 
 yesterday i received a failure-notice;
 Remote host said: 554 5.7.1 i...@domain.com: Relay access denied --
 this is the error-message which i received from the final recipient.
 The email was send from our webserver. The webserver (postfix) sends the
 email via relayhost (another external postfix Server) to the world outside.
 Does this mean that the email provider from the recipient doesn't allow
 the use of relayhosts? Is it generally better to not use relayhosts?
 ..we had problems with spam some years ago if we sent mails directly
 with postfix, so we used our external email provider as relayhost. But i
 think this was because we didn't have a valid RDNS entry. So should i
 switch off the relayhost?

The first thing you should do is provide complete logging of the transaction
from end to end so we don't have to make guesses as to what actually occurred
where and when.

-- 
Stan


Re: Relay access denied

2011-02-14 Thread Georg Schönweger
you mean the failure-notice email? Ok here it is;

Hi. This is the qmail-send program at smtplq01.our-external-smtp.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

i...@final-recipient.com:
IP.IP.IP.IP does not like recipient.
Remote host said: 554 5.7.1 i...@final-recipient.com: Relay access denied
Giving up on IP.IP.IP.IP

--- Below this line is a copy of the message.

Return-Path: m...@our-domain.com
Received: (qmail 11324 invoked by uid 89); 12 Feb 2011 18:00:39 -
Received: from unknown (HELO smtp7.our-external-smtp.com) (62.149.158.227)
  by smtplq01.our-external-smtp.com with SMTP; 12 Feb 2011 18:00:39 -
Received: (qmail 7959 invoked by uid 89); 12 Feb 2011 18:00:39 -
Received: from unknown (HELO our-local-smtp.com) 
(i...@our-domain.com@XX.XX.XX.XX)
  by smtp7.ad.our-external-smtp.com with SMTP; 12 Feb 2011 18:00:39 -
Received: by our-local-smtp.com (Postfix, from userid 33)
id B7B27255B449; Sat, 12 Feb 2011 19:00:40 +0100 (CET)
To: i...@final-recipient.com
Subject: Subject of the mail..
Message-ID: 89322dca13c16dcd962bbd3f199ed...@www.our-domain.com
Errors-To: i...@our-domain.com
From: Snillo Shop i...@our-domain.com
Reply-To: i...@our-domain.com
X-Mailer: TYPO3 Mailer :: commerce


- Georg

On 14.02.2011 09:37, Stan Hoeppner wrote:
 Georg Schönweger put forth on 2/14/2011 1:59 AM:
 Hi,

 yesterday i received a failure-notice;
 Remote host said: 554 5.7.1 i...@domain.com: Relay access denied --
 this is the error-message which i received from the final recipient.
 The email was send from our webserver. The webserver (postfix) sends the
 email via relayhost (another external postfix Server) to the world outside.
 Does this mean that the email provider from the recipient doesn't allow
 the use of relayhosts? Is it generally better to not use relayhosts?
 ..we had problems with spam some years ago if we sent mails directly
 with postfix, so we used our external email provider as relayhost. But i
 think this was because we didn't have a valid RDNS entry. So should i
 switch off the relayhost?
 The first thing you should do is provide complete logging of the transaction
 from end to end so we don't have to make guesses as to what actually occurred
 where and when.



Re: Relay access denied

2011-02-14 Thread Reindl Harald
Is your server using authentication on the relay-host?
If not this MUST NOT work because if it would work the
relayserver could be used from everybody out there for spam

On 14.02.2011 08:59, Georg Schönweger wrote:
 Hi,
 
 yesterday i received a failure-notice;
 Remote host said: 554 5.7.1 i...@domain.com: Relay access denied --
 this is the error-message which i received from the final recipient.
 The email was send from our webserver. The webserver (postfix) sends the
 email via relayhost (another external postfix Server) to the world outside.
 Does this mean that the email provider from the recipient doesn't allow
 the use of relayhosts? Is it generally better to not use relayhosts?
 ..we had problems with spam some years ago if we sent mails directly
 with postfix, so we used our external email provider as relayhost. But i
 think this was because we didn't have a valid RDNS entry. So should i
 switch off the relayhost?





Re: Relay access denied

2011-02-14 Thread Bjørn Ruberg

On 02/14/2011 10:47 AM, Georg Schönweger wrote:

you mean the failure-notice email?


No, he meant logs from your mail server.


Ok here it is;

Hi. This is the qmail-send program at smtplq01.our-external-smtp.com.


That's not postfix.

When it comes to why your e-mail can't be delivered, the message from 
the remote host IP.IP.IP.IP does not like recipient. should provide 
you with plenty of hints.


--
Bjørn


Re: Relay access denied

2011-02-14 Thread Georg Schönweger
Yes the server is using authentication on the relay-host.
/etc/postfix/main.cf:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes

it is just only this particular recipient where it doesn't work!

- Georg

On 14.02.2011 11:05, Reindl Harald wrote:
 Is your server using authentication on the relay-host?
 If not this MUST NOT work because if it would work the
 relayserver could be used from everybody out there for spam

 On 14.02.2011 08:59, Georg Schönweger wrote:
 Hi,

 yesterday i received a failure-notice;
 Remote host said: 554 5.7.1 i...@domain.com: Relay access denied --
 this is the error-message which i received from the final recipient.
 The email was send from our webserver. The webserver (postfix) sends the
 email via relayhost (another external postfix Server) to the world outside.
 Does this mean that the email provider from the recipient doesn't allow
 the use of relayhosts? Is it generally better to not use relayhosts?
 ..we had problems with spam some years ago if we sent mails directly
 with postfix, so we used our external email provider as relayhost. But i
 think this was because we didn't have a valid RDNS entry. So should i
 switch off the relayhost?


Re: Relay access denied

2011-02-14 Thread Stan Hoeppner
Bjørn Ruberg put forth on 2/14/2011 4:18 AM:
 On 02/14/2011 10:47 AM, Georg Schönweger wrote:
 you mean the failure-notice email?
 
 No, he meant logs from your mail server.
 
 Ok here it is;

 Hi. This is the qmail-send program at smtplq01.our-external-smtp.com.
 
 That's not postfix.
 
 When it comes to why your e-mail can't be delivered, the message from the 
 remote
 host IP.IP.IP.IP does not like recipient. should provide you with plenty of
 hints.

That's where I was leaning but wanted to see the OP's server logs first.  It's
likely that the mx for the recipient domain in question is an smtp gateway, and
this gateway responds with a less than fully helpful relay access denied error
msg instead of the more appropriate unknown user, or similar, error msg.

-- 
Stan




Re: Relay access denied

2011-02-14 Thread Daniel Bromberg

On 2/14/2011 5:32 AM, Georg Schönweger wrote:

Yes the server is using authentication on the relay-host.
/etc/postfix/main.cf:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes

it is just only this particular recipient where it doesn't work!

- Georg

Am 14.02.2011 11:05, schrieb Reindl Harald:

Is your server using authentication on the relay-host?
If not this MUST NOT work because if it would work the
relayserver could be used from everybody out there for spam

Am 14.02.2011 08:59, schrieb Georg Schönweger:

Hi,

yesterday i received a failure-notice;
Remote host said: 554 5.7.1 i...@domain.com: Relay access denied --
this is the error-message which i received from the final recipient.
The email was sent from our webserver. The webserver (postfix) sends the
email via relayhost (another external postfix Server) to the world outside.
Does this mean that the email provider from the recipient doesn't allow
the use of relayhosts? Is it generally better to not use relayhosts?
..we had problems with spam some years ago if we sent mails directly
with postfix, so we used our external email provider as relayhost. But i
think this was because we didn't have a valid RDNS entry. So should i
switch off the relayhost?

You get Relay access denied when you're contacting a RECEIVING mail 
server with a message that that mailserver doesn't want to handle, 
because it's not the authoritative destination for that domain. Nothing 
here implies anything wrong with a legitimate relay that you're using on 
the SENDING side. If that works at all, then it's fine. Either you're 
authorized to relay through it or not. Using/not using that is a 
separate decision altogether. The receiver doesn't care how many relays 
a message has been through. It cares only about two things: 1) is the 
most recent hop blacklisted; 2) do I (the receiver) handle the recipient 
address (domain and username) either as a relay or as the final destination.


You are failing test 2) it seems.

Main question -- is the receiving mail server in question listed as a 
current MX for domain.com? (Or is your webserver somehow accessing stale 
MX...)  But If the MX indeed is current, the receiving server is 
probably just misconfigured and you can do nothing but contact the 
remote site's postmaster. (By phone perhaps, depending on the level of 
brokenness?!? :-))


-Daniel



Re: Relay access denied

2011-02-14 Thread Georg Schönweger
Well in the server logs (our local smtp) there are only these lines; I
don't have access to the logs of our relayhost smtp.
Feb 12 19:00:40 susi1 postfix/pickup[23920]: B7B27255B449: uid=33
from=www-data
Feb 12 19:00:40 susi1 postfix/cleanup[25085]: B7B27255B449:
message-id=89322dca13c16dcd962bbd3f199ed...@our-domain.com
Feb 12 19:00:40 susi1 postfix/qmgr[22376]: B7B27255B449:
from=m...@our-domain.com, size=22289, nrcpt=1 (queue active)
Feb 12 19:00:41 susi1 postfix/smtp[25087]: B7B27255B449:
to=i...@final-recipient.com, relay=our-external-smtp[IP.IP.IP.IP]:25,
delay=0.57, delays=0.07/0.01/0.27/0.23, dsn=2.0.0, status=sent (250 ok
1297533639 qp 7959)
Feb 12 19:00:41 susi1 postfix/qmgr[22376]: B7B27255B449: removed

You are right, the relayhost smtp isn't postfix, i missed that.

- Georg


Am 14.02.2011 11:37, schrieb Stan Hoeppner:
 Bjørn Ruberg put forth on 2/14/2011 4:18 AM:
 On 02/14/2011 10:47 AM, Georg Schönweger wrote:
 you mean the failure-notice email?
 No, he meant logs from your mail server.

 Ok here it is;

 Hi. This is the qmail-send program at smtplq01.our-external-smtp.com.
 That's not postfix.

 When it comes to why your e-mail can't be delivered, the message from the 
 remote
 host IP.IP.IP.IP does not like recipient. should provide you with plenty of
 hints.
 That's where I was leaning but wanted to see the OP's server logs first.  It's
 likely that the mx for the recipient domain in question is an smtp gateway, 
 and
 this gateway responds with a less than fully helpful relay access denied 
 error
 msg instead of the more appropriate unknown user, or similar, error msg.
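
[Added example, not part of the thread or written by any of its participants.] The log excerpt above shows the local Postfix handing the message to the relayhost with dsn=2.0.0, status=sent, so the 554 was issued further downstream. This Python sketch groups postfix/smtp delivery lines by queue ID and says which hop to investigate; the sample log, host names and addresses are constructed placeholders, and the second entry is a constructed contrast case in which the next hop itself refuses to relay.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt above; names and IPs are placeholders.
SAMPLE_LOG = """\
Feb 12 19:00:40 susi1 postfix/pickup[23920]: B7B27255B449: uid=33 from=<www-data>
Feb 12 19:00:40 susi1 postfix/qmgr[22376]: B7B27255B449: from=<web@sender.example>, size=22289, nrcpt=1 (queue active)
Feb 12 19:00:41 susi1 postfix/smtp[25087]: B7B27255B449: to=<info@rcpt.example>, relay=relay.example[192.0.2.10]:25, delay=0.57, delays=0.07/0.01/0.27/0.23, dsn=2.0.0, status=sent (250 ok 1297533639 qp 7959)
Feb 12 19:00:41 susi1 postfix/qmgr[22376]: B7B27255B449: removed
Feb 12 19:05:02 susi1 postfix/smtp[25090]: C1D2E3F4A5B6: to=<user@other.example>, relay=relay.example[192.0.2.10]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=5.7.1, status=bounced (host relay.example[192.0.2.10] said: 554 5.7.1 <user@other.example>: Relay access denied (in reply to RCPT TO command))
"""

# daemon name, queue ID (short or long format), remainder of the line
LINE = re.compile(r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)")
# fields of one delivery attempt as logged by the smtp client
DELIVERY = re.compile(
    r"to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+),.*?"
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reply>.*)\)$"
)

def trace(log_text):
    """Return {queue_id: [delivery attempts]} for postfix/smtp lines."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["daemon"] != "smtp":
            continue  # pickup/cleanup/qmgr lines carry no delivery result
        d = DELIVERY.search(m["rest"])
        if d:
            attempts[m["qid"]].append(d.groupdict())
    return dict(attempts)

def verdict(attempt):
    """Say which hop refused the message, judged from the local log alone."""
    if attempt["status"] == "sent":
        return "accepted by next hop; a later bounce comes from further downstream"
    if "Relay access denied" in attempt["reply"]:
        return "next hop refused to relay; check authentication or mynetworks there"
    return "not delivered; read the quoted reply"

if __name__ == "__main__":
    for qid, tries in trace(SAMPLE_LOG).items():
        for a in tries:
            print(qid, a["to"], a["relay"], a["dsn"], "->", verdict(a))
```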



Re: Relay access denied

2011-02-14 Thread Daniel Bromberg

On 2/14/2011 6:12 AM, Georg Schönweger wrote:

[SNIP]

You get Relay access denied when you're contacting a RECEIVING mail
server with a message that that mailserver doesn't want to handle,
because it's not the authoritative destination for that domain.
Nothing here implies anything wrong with a legitimate relay that
you're using on the SENDING side. If that works at all, then it's
fine. Either you're authorized to relay through it or not. Using/not
using that is a separate decision altogether. The receiver doesn't
care how many relays a message has been through. It cares only about
two things: 1) is the most recent hop blacklisted; 2) do I (the
receiver) handle the recipient address (domain and username) either as
a relay or as the final destination.

You are failing test 2) it seems.

Main question -- is the receiving mail server in question listed as a
current MX for domain.com? (Or is your webserver somehow accessing
stale MX...)  But If the MX indeed is current, the receiving server is
probably just misconfigured and you can do nothing but contact the
remote site's postmaster. (By phone perhaps, depending on the level of
brokenness?!? :-))

-Daniel



On 2/14/2011 6:12 AM, Georg Schönweger wrote:

[REPOSTED FROM PERSONAL REPLY]
Hello Daniel,

thank you for this clear explanation! How can i figure out if the
receiving mail server is listed as current MX for the recipient mail
address? It's not a big problem for us if the recipients mail server is
misconfigured, it's just 1 customer on our websites :) I only want to
know if it is our fault or not..

Anyway, i think removing the relayhost would be a great thing because
the system would be easier to handle and we don't depend anymore on the
external smtp server. BUT i'm afraid that we get then higher
spam-rankings like in the past.. Our local server has now a valid RDNS
entry. Is there anything else i have to take care about?

- Georg



Please keep all replies to the list so people know the status of the 
thread, and so it can be closed as soon as possible. Also as I learned 
at first, the convention is to bottom-post.


[Aside: As far as spam rankings: rDNS is but one minor test. I lacked an 
rDNS on my server for awhile and had only one (rather minor) receiving 
MX that complained compared to thousands of successes. IP Reputation 
is all the rage. There are a number of utility sites out there that will 
take the IP of any Mail Exchanger, (actually any IP at all, which can be 
used to evaluate potential), and report on its blacklist status and some 
even try to rank its general trustworthiness. Here's a random one that 
looks legit from an obvious Google keyword search: 
http://www.mxtoolbox.com/blacklists.aspx  Veterans of this mailing list 
may have other favorites to recommend.  The main thing is to have no red 
flags when querying spamhaus.org: 
http://www.spamhaus.org/query/bl?ip=x.y.z.w]


But back to the main point: finding a current MX is a standard DNS 
query. If you're admin'ing a mail server, facility with a DNS query like 
dig or nslookup is essential. For example (note, I picked this to show 
large sites have many exchangers, but only one is required)


unix% dig yahoo.com MX

; <<>> DiG 9.x <<>> yahoo.com MX
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42579
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 7, ADDITIONAL: 7

;; QUESTION SECTION:
;yahoo.com.              IN      MX

;; ANSWER SECTION:
yahoo.com.       1691    IN      MX      1 m.mx.mail.yahoo.com.
yahoo.com.       1691    IN      MX      1 a.mx.mail.yahoo.com.
yahoo.com.       1691    IN      MX      1 b.mx.mail.yahoo.com.
yahoo.com.       1691    IN      MX      1 c.mx.mail.yahoo.com.
yahoo.com.       1691    IN      MX      1 d.mx.mail.yahoo.com.
yahoo.com.       1691    IN      MX      1 e.mx.mail.yahoo.com.
yahoo.com.       1691    IN      MX      1 f.mx.mail.yahoo.com.
yahoo.com.       1691    IN      MX      1 g.mx.mail.yahoo.com.
yahoo.com.       1691    IN      MX      1 h.mx.mail.yahoo.com.
yahoo.com.       1691    IN      MX      1 i.mx.mail.yahoo.com.
yahoo.com.       1691    IN      MX      1 j.mx.mail.yahoo.com.
yahoo.com.       1691    IN      MX      1 k.mx.mail.yahoo.com.
yahoo.com.       1691    IN      MX      1 l.mx.mail.yahoo.com.

[excess deleted]

-Daniel
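
[Added example, not part of the thread or written by any of its participants.] The check described above (is the host that answered "Relay access denied" a current MX for the recipient domain, or did the sender reach a stale one?) can be done by comparing dig output taken from two resolvers. The Python sketch below parses dig answer lines and classifies the rejecting host; the record data, host names and the function names parse_mx and classify_rejection are constructed for illustration.

```python
# Constructed dig ANSWER lines as seen from two resolvers; all names are placeholders.
LOCAL_VIEW = """\
;; ANSWER SECTION:
rcpt.example.   1691   IN  MX  10 mx1.rcpt.example.
rcpt.example.   1691   IN  MX  20 mx2.rcpt.example.
"""
RELAY_VIEW = """\
;; ANSWER SECTION:
rcpt.example.   86000  IN  MX  10 old-gw.rcpt.example.
"""

def parse_mx(dig_text):
    """Return {exchanger: preference} from dig output, ignoring ';' comment lines."""
    records = {}
    for line in dig_text.splitlines():
        fields = line.split()
        # An MX answer line has six fields: name, TTL, class, type, preference, exchanger.
        if line.startswith(";") or len(fields) != 6 or fields[2:4] != ["IN", "MX"]:
            continue
        # DNS names are case-insensitive and dig prints them with a trailing dot.
        records[fields[5].rstrip(".").lower()] = int(fields[4])
    return records

def classify_rejection(rejecting_host, local_mx, relay_mx=None):
    """Decide which side to chase for a 'Relay access denied' bounce."""
    host = rejecting_host.rstrip(".").lower()
    if host in local_mx:
        return "current-mx"  # a published MX refuses its own domain: contact its postmaster
    if relay_mx is not None and host in relay_mx:
        return "stale-mx"    # only the relay's resolver still lists it: stale DNS at the relay
    return "not-an-mx"       # the message went to a host the domain does not publish

if __name__ == "__main__":
    local, relay = parse_mx(LOCAL_VIEW), parse_mx(RELAY_VIEW)
    for h in ("MX1.rcpt.example.", "old-gw.rcpt.example", "gw.unrelated.example"):
        print(h, "->", classify_rejection(h, local, relay))
```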







Re: Relay access denied

2011-02-14 Thread Georg Schönweger
Am 14.02.2011 12:28, schrieb Daniel Bromberg:
 On 2/14/2011 6:12 AM, Georg Schönweger wrote:
 [SNIP]
 You get Relay access denied when you're contacting a RECEIVING mail
 server with a message that that mailserver doesn't want to handle,
 because it's not the authoritative destination for that domain.
 Nothing here implies anything wrong with a legitimate relay that
 you're using on the SENDING side. If that works at all, then it's
 fine. Either you're authorized to relay through it or not. Using/not
 using that is a separate decision altogether. The receiver doesn't
 care how many relays a message has been through. It cares only about
 two things: 1) is the most recent hop blacklisted; 2) do I (the
 receiver) handle the recipient address (domain and username) either as
 a relay or as the final destination.

 You are failing test 2) it seems.

 Main question -- is the receiving mail server in question listed as a
 current MX for domain.com? (Or is your webserver somehow accessing
 stale MX...)  But If the MX indeed is current, the receiving server is
 probably just misconfigured and you can do nothing but contact the
 remote site's postmaster. (By phone perhaps, depending on the level of
 brokenness?!? :-))

 -Daniel


 On 2/14/2011 6:12 AM, Georg Schönweger wrote:
 [REPOSTED FROM PERSONAL REPLY]
 Hello Daniel,

 thank you for this clear explanation! How can i figure out if the
 receiving mail server is listed as current MX for the recipient mail
 address? It's not a big problem for us if the recipients mail server is
 misconfigured, it's just 1 customer on our websites :) I only want to
 know if it is our fault or not..

 Anyway, i think removing the relayhost would be a great thing because
 the system would be easier to handle and we don't depend anymore on the
 external smtp server. BUT i'm afraid that we get then higher
 spam-rankings like in the past.. Our local server has now a valid RDNS
 entry. Is there anything else i have to take care about?

 - Georg


 Please keep all replies to the list so people know the status of the
 thread, and so it can be closed as soon as possible. Also as I learned
 at first, the convention is to bottom-post.

 [Aside: As far as spam rankings: rDNS is but one minor test. I lacked
 an rDNS on my server for awhile and had only one (rather minor)
 receiving MX that complained compared to thousands of successes. IP
 Reputation is all the rage. There are a number of utility sites out
 there that will take the IP of any Mail Exchanger, (actually any IP at
 all, which can be used to evaluate potential), and report on its
 blacklist status and some even try to rank its general
 trustworthiness. Here's a random one that looks legit from an obvious
 Google keyword search: http://www.mxtoolbox.com/blacklists.aspx 
 Veterans of this mailing list may have other favorites to recommend. 
 The main thing is to have no red flags when querying spamhaus.org:
 http://www.spamhaus.org/query/bl?ip=x.y.z.w]

 But back to the main point: finding a current MX is a standard DNS
 query. If you're admin'ing a mail server, facility with a DNS query
 like dig or nslookup is essential. For example (note, I picked this to
 show large sites have many exchangers, but only one is required)

 unix% dig yahoo.com MX

 ; <<>> DiG 9.x <<>> yahoo.com MX
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42579
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 7, ADDITIONAL: 7

 ;; QUESTION SECTION:
 ;yahoo.com.              IN      MX

 ;; ANSWER SECTION:
 yahoo.com.       1691    IN      MX      1 m.mx.mail.yahoo.com.
 yahoo.com.       1691    IN      MX      1 a.mx.mail.yahoo.com.
 yahoo.com.       1691    IN      MX      1 b.mx.mail.yahoo.com.
 yahoo.com.       1691    IN      MX      1 c.mx.mail.yahoo.com.
 yahoo.com.       1691    IN      MX      1 d.mx.mail.yahoo.com.
 yahoo.com.       1691    IN      MX      1 e.mx.mail.yahoo.com.
 yahoo.com.       1691    IN      MX      1 f.mx.mail.yahoo.com.
 yahoo.com.       1691    IN      MX      1 g.mx.mail.yahoo.com.
 yahoo.com.       1691    IN      MX      1 h.mx.mail.yahoo.com.
 yahoo.com.       1691    IN      MX      1 i.mx.mail.yahoo.com.
 yahoo.com.       1691    IN      MX      1 j.mx.mail.yahoo.com.
 yahoo.com.       1691    IN      MX      1 k.mx.mail.yahoo.com.
 yahoo.com.       1691    IN      MX      1 l.mx.mail.yahoo.com.

 [excess deleted]

 -Daniel





thx for your help. i can't check the DNS query on our relayhost smtp
server. On our local Server the MX is current. My conclusion is that a)
our external relayhost smtp has wrong MX entry or b) recipient
mailserver is misconfigured. I will switch off now the relayhost since
our ip isn't listed on any blacklist i checked so far..
Other question: I have a local postfix server with a dynamic IP which
sometimes is blacklisted. Does it help in this case to 
