[pfx] Re: relay access denied

2023-09-10 Thread Patrice Go via Postfix-users
It seems that if the relay restrictions define a network restriction, I have
to indicate a network in main.cf, otherwise it will fail.
I did it, and it is working now.
Thanks.

On Thu, 7 Sept 2023 at 22:14, Noel Jones via Postfix-users <
postfix-users@postfix.org> wrote:

> On 9/7/2023 2:31 PM, Patrice Go via Postfix-users wrote:
> > Hi,
> >
> > In fact I have a server www.domain.org which
> > sends emails (from PHP www-data) to an external email t...@.net
> > by means of a mail relay mail.domain.org.
> > The message from www is transmitted to
> > mail, but I don't understand what happens; the message is rejected
> > with a relay access denied.
> > I have this log (from mail.domain.org):
> > NOQUEUE: reject: RCPT from unknown[xxx.22.xx.1x]: 554 5.7.1
> > <t...@x.net>: Relay access denied;
> > from=<www-d...@domain.org>
> > to=<t...@x.net> proto=ESMTP
> > helo=<www.domain.org>
> >
> > You can see the postconf -n:
> > https://paste.debian.net/1291288/
> >
> > I tested without check_sender_access, but the result is the same.
> >
> > Is there something I am missing?
> >
>
>
> To allow relay, the client must either be listed in mynetworks, or
> authenticate via SASL or an approved TLS certificate.
>
> Please see
> http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
>
> and also possibly
> http://www.postfix.org/SASL_README.html
> http://www.postfix.org/TLS_README.html
>
>
>
>   -- Noel Jones
> ___
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
>


[pfx] Re: relay access denied

2023-09-07 Thread Noel Jones via Postfix-users

On 9/7/2023 2:31 PM, Patrice Go via Postfix-users wrote:

> Hi,
>
> In fact I have a server www.domain.org which
> sends emails (from PHP www-data) to an external email t...@.net
> by means of a mail relay mail.domain.org.
> The message from www is transmitted to
> mail, but I don't understand what happens; the message is rejected
> with a relay access denied.
>
> I have this log (from mail.domain.org):
> NOQUEUE: reject: RCPT from unknown[xxx.22.xx.1x]: 554 5.7.1
> <t...@xxxxx.net>: Relay access denied;
> from=<www-d...@domain.org>
> to=<t...@x.net> proto=ESMTP
> helo=<www.domain.org>
>
> You can see the postconf -n:
> https://paste.debian.net/1291288/
>
> I tested without check_sender_access, but the result is the same.
>
> Is there something I am missing?




To allow relay, the client must either be listed in mynetworks, or 
authenticate via SASL or an approved TLS certificate.


Please see
http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from

and also possibly
http://www.postfix.org/SASL_README.html
http://www.postfix.org/TLS_README.html



  -- Noel Jones


[pfx] relay access denied

2023-09-07 Thread Patrice Go via Postfix-users
Hi,

In fact I have a server www.domain.org which sends emails (from PHP www-data)
to an external email t...@.net by means of a mail relay
mail.domain.org. The message from www is transmitted to mail, but I don't
understand what happens; the message is rejected with a relay access denied.
I have this log (from mail.domain.org):
NOQUEUE: reject: RCPT from unknown[xxx.22.xx.1x]: 554 5.7.1 :
Relay access denied; from= to=
proto=ESMTP helo=

You can see the postconf -n:
https://paste.debian.net/1291288/

I tested without check_sender_access, but the result is the same.

Is there something I am missing?

Regards,

Thx.


[pfx] Re: Relay access denied (Dovecot)

2023-09-04 Thread Jaroslaw Rafa via Postfix-users
On 4.09.2023 at 15:38:38, lejeczek via Postfix-users wrote:
> 
> I did have '#virtual_mailbox_domains' - being amateur in my mind it
> did not make sense, since I wanted Postfix to relay on Dovecot, to
> have it & removed those.
[...]
> If I add more, like 'virtual_mailbox_maps', etc. then it "fixes"
> delivery but !! defeats the purpose/goal - Dovecot's auth & delivery
> - no?

So you want to relay mail to Dovecot via LMTP for Dovecot to do delivery? In
that case you need to define "virtual_transport=". An example is here:
http://www.postfix.org/VIRTUAL_README.html#in_virtual_other . It is also
described in Dovecot documentation:
https://doc.dovecot.org/configuration_manual/howto/postfix_dovecot_lmtp/
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Relay access denied (Dovecot)

2023-09-04 Thread lejeczek via Postfix-users




On 04/09/2023 15:05, Jaroslaw Rafa via Postfix-users wrote:

> On 4.09.2023 at 14:53:42, lejeczek via Postfix-users wrote:
>
> > Postfix logs when mail is sent to it:
> > ...
> > connect from smtpo71.interia.pl[217.74.67.71]
> > Anonymous TLS connection established from
> > smtpo71.interia.pl[217.74.67.71]: TLSv1.2 with cipher
> > ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
> > NOQUEUE: reject: RCPT from smtpo71.interia.pl[217.74.67.71]: 554
> > 5.7.1 : Relay access denied; from=
> > to= proto=ESMTP helo=
> > ...
> >
> > but at the same time Postfix sends mail out just fine.
> > I'm hoping what missed or got wrong must be trivial - what that
> > might be?
>
> Did you define in the Postfix config that Postfix should handle mail for
> domain some.xyz ? Like "mydestination=", "virtual_mailbox_domains=" or
> "virtual_alias_domains=" (depending on how do you deliver mail for that
> domain).

I did have '#virtual_mailbox_domains' - being amateur in my 
mind it did not make sense, since I wanted Postfix to relay 
on Dovecot, to have it & removed those.

Which one of those would be 'best practice/option' ?

If I use "virtual_mailbox_domains" then logs show:
...
fatal: bad string length 0 < 1: virtual_mailbox_base =
...
so I add that.
Now Postfix errors out:
...
prepend Received-SPF: Pass (mailfrom) identity=mailfrom; 
client-ip=217.74.67.62; helo=smtpo62.interia.pl; 
envelope-from=s...@int.pl; receiver=

E603C6070980: client=smtpo62.interia.pl[217.74.67.62]
E603C6070980: 
message-id=
disconnect from smtpo62.interia.pl[217.74.67.62] ehlo=2 
starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
E603C6070980: from=, size=2699, nrcpt=1 (queue 
active)

connect from localhost[127.0.0.1]
BCA3A6070981: client=localhost[127.0.0.1]
BCA3A6070981: 
message-id=
disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 
data=1 quit=1 commands=5
BCA3A6070981: from=, size=3207, nrcpt=1 (queue 
active)
E603C6070980: to=, 
relay=127.0.0.1[127.0.0.1]:10024, delay=21, 
delays=5.2/0.01/0/16, dsn=2.0.0, status=sent (250 2.0.0 from 
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 
BCA3A6070981)

E603C6070980: removed
BCA3A6070981: to=, relay=virtual, 
delay=0.05, delays=0.02/0/0/0.02, dsn=5.1.1, status=bounced 
(unknown user: "syst...@some.xyz")
C7D846070980: 
message-id=<20230904131848.c7d846070...@swir.mine.priv>

BCA3A6070981: sender non-delivery notification: C7D846070980
C7D846070980: from=<>, size=5075, nrcpt=1 (queue active)
BCA3A6070981: removed


but that user "syst...@some.xyz" does exist, Dovecot says so. 
(& sends out successfully)
If I add more, like 'virtual_mailbox_maps', etc. then it 
"fixes" delivery but !! defeats the purpose/goal - Dovecot's 
auth & delivery - no?





[pfx] Re: Relay access denied (Dovecot)

2023-09-04 Thread Jaroslaw Rafa via Postfix-users
On 4.09.2023 at 14:53:42, lejeczek via Postfix-users wrote:
> Postfix logs when mail is sent to it:
> ...
> connect from smtpo71.interia.pl[217.74.67.71]
> Anonymous TLS connection established from
> smtpo71.interia.pl[217.74.67.71]: TLSv1.2 with cipher
> ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
> NOQUEUE: reject: RCPT from smtpo71.interia.pl[217.74.67.71]: 554
> 5.7.1 : Relay access denied; from=
> to= proto=ESMTP helo=
> ...
> 
> but at the same time Postfix sends mail out just fine.
> I'm hoping what missed or got wrong must be trivial - what that
> might be?

Did you define in the Postfix config that Postfix should handle mail for
domain some.xyz ? Like "mydestination=", "virtual_mailbox_domains=" or
"virtual_alias_domains=" (depending on how do you deliver mail for that
domain).
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Relay access denied (Dovecot)

2023-09-04 Thread lejeczek via Postfix-users

Hi guys.

Having a goal to use Dovecot's auth & delivery I have this 
(before I dump whole config the snippet I guess is relevant) :

...
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = aa.dom bb.dom cc.dom
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_unauth_destination

# delivery via dovecot
mailbox_command = /usr/libexec/dovecot/deliver

Postfix logs when mail is sent to it:
...
connect from smtpo71.interia.pl[217.74.67.71]
Anonymous TLS connection established from 
smtpo71.interia.pl[217.74.67.71]: TLSv1.2 with cipher 
ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
NOQUEUE: reject: RCPT from smtpo71.interia.pl[217.74.67.71]: 
554 5.7.1 : Relay access denied; 
from= to= proto=ESMTP 
helo=

...

but at the same time Postfix sends mail out just fine.
I'm hoping what missed or got wrong must be trivial - what 
that might be?


many thanks, L.


Re: Debugging Relay Access Denied

2021-10-18 Thread Bob Proulx
Viktor Dukhovni wrote:
> Bob Proulx wrote:
> > I am helping a friend with his system.  As such things are not as I
> > would set them up.  But just the same I can't figure out this
> > problem.  So I come here seeking a second set of eyes on it.  What is
> > the problem that I am not seeing here?
> > 
> > mynetworks = "172.105.151.107/32, 96.88.95.55/32, 127.0.0.0/8"
> 
> Is there a particularly good reason for those double-quotes?

That's it!  I am sure of it.  I will have my friend make that change
and I am sure that will solve the problem.

What a relief to finally see the problem!

> Also, I'd be tempted to not relay on port 25, and accept outbound
> submission only on port 587 (and perhaps TLS wrapper mode on 465).

Yes... but...  Since it is localhost to localhost this seems
sufficient.  It's not relaying from elsewhere.  And too many things
default these days to smtp port 25 when I would simply use the
/usr/sbin/sendmail interface instead.

THANKS! :-)
Bob
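The check below is an added example, not code from this thread or from Postfix: it pulls `mynetworks` out of `postconf -n` style text, splits it on commas and whitespace (the documented list separators) and reports entries that are not usable address patterns. It assumes, as the thread concludes, that the double quotes stay attached to the first and last entries; the function names and the three-line sample are constructed.

```python
import ipaddress
import re


def postconf_value(postconf_text, name):
    """Return the value of `name` from `postconf -n` style text, joining
    continuation lines (lines that start with whitespace)."""
    value, collecting = None, False
    for line in postconf_text.splitlines():
        if line[:1].isspace():
            if collecting:
                value += " " + line.strip()
            continue
        key, sep, rest = line.partition("=")
        collecting = bool(sep) and key.strip() == name
        if collecting:
            value = rest.strip()
    return value


def parse_mynetworks(value):
    """Split a mynetworks value into entries.

    Returns (entries, problems): entries are (negated, network) pairs,
    problems are (token, reason) pairs for tokens that cannot match a client.
    """
    entries, problems = [], []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        if '"' in token or "'" in token:
            problems.append((token, "quote character is part of the entry"))
            continue
        negated = token.startswith("!")
        pattern = token[1:] if negated else token
        # /file/name and type:table entries are lookups, not checked here.
        if pattern.startswith("/") or (":" in pattern and not pattern.startswith("[")):
            continue
        bracketed = re.fullmatch(r"\[([^\]]+)\](/\d+)?", pattern)
        if bracketed:  # IPv6 is written as [addr]/len
            pattern = bracketed.group(1) + (bracketed.group(2) or "")
        try:
            entries.append((negated, ipaddress.ip_network(pattern, strict=False)))
        except ValueError:
            problems.append((token, "not an address or network/mask"))
    return entries, problems


def client_in_mynetworks(value, client_ip):
    """First matching entry decides; a leading '!' excludes the client."""
    ip = ipaddress.ip_address(client_ip)
    for negated, network in parse_mynetworks(value)[0]:
        if ip in network:
            return not negated
    return False


# Constructed sample in the shape `postconf -n` prints, carrying the
# mynetworks line quoted in the thread.
SAMPLE = '''myhostname = teton.example.net
mynetworks = "172.105.151.107/32, 96.88.95.55/32, 127.0.0.0/8"
mynetworks_style = host
'''
QUOTED = postconf_value(SAMPLE, "mynetworks")
UNQUOTED = QUOTED.strip('"')

if __name__ == "__main__":
    for token, reason in parse_mynetworks(QUOTED)[1]:
        print(f"{token!r}: {reason}")
    print("127.0.0.1 trusted with quotes:   ", client_in_mynetworks(QUOTED, "127.0.0.1"))
    print("127.0.0.1 trusted without quotes:", client_in_mynetworks(UNQUOTED, "127.0.0.1"))
```

Only the middle entry survives the quoted form, which is why a connection from 127.0.0.1 falls through `permit_mynetworks` to `reject_unauth_destination`.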


Re: Debugging Relay Access Denied

2021-10-18 Thread Viktor Dukhovni
On Mon, Oct 18, 2021 at 09:50:33PM -0600, Bob Proulx wrote:

> I am helping a friend with his system.  As such things are not as I
> would set them up.  But just the same I can't figure out this
> problem.  So I come here seeking a second set of eyes on it.  What is
> the problem that I am not seeing here?
> 
> mynetworks = "172.105.151.107/32, 96.88.95.55/32, 127.0.0.0/8"

Is there a particularly good reason for those double-quotes?

Also, I'd be tempted to not relay on port 25, and accept outbound
submission only on port 587 (and perhaps TLS wrapper mode on 465).

-- 
Viktor.


Debugging Relay Access Denied

2021-10-18 Thread Bob Proulx
I am helping a friend with his system.  As such things are not as I
would set them up.  But just the same I can't figure out this
problem.  So I come here seeking a second set of eyes on it.  What is
the problem that I am not seeing here?

rwp@teton:~$ echo test | mailx -s test b...@proulx.com
...works...  ...the message arrives in my mailbox...
...this comes in through /usr/sbin/sendmail of course...

rwp@teton:~$ swaks --to b...@proulx.com --server 127.0.0.1:25
=== Trying 127.0.0.1:25...
=== Connected to 127.0.0.1.
<-  220 teton.example.net ESMTP Postfix (Debian/GNU)
 -> EHLO teton.example.net
<-  250-teton.example.net
<-  250-PIPELINING
<-  250-SIZE 4000
<-  250-ETRN
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> MAIL FROM:
<-  250 2.1.0 Ok
 -> RCPT TO:
<** 554 5.7.1 : Relay access denied
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

Oct 18 21:21:03 teton postfix/smtpd[8049]: connect from localhost[127.0.0.1]
Oct 18 21:21:03 teton postfix/smtpd[8049]: NOQUEUE: reject: RCPT from 
localhost[127.0.0.1]: 554 5.7.1 : Relay access denied; 
from= to= proto=ESMTP 
helo=
Oct 18 21:21:03 teton postfix/smtpd[8049]: disconnect from 
localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

That illustrates the problem.  My friend has SquirrelMail set up but
it can't send mail to the 127.0.0.1:25 via SMTP due to Relay Access
Denied.  That's the actual problem.  But of course I use swaks to
debug things.  But the goal is to get SquirrelMail running.  And I
think that is running again.  Pretty sure it had been working.

Here is the main.cf file, which my friend has modified extensively.
Personally I would trim out the items that are the same as the default
values.  I know, I know, I changed the actual domain names so that my
friend wouldn't be annoyed that I posted this information.  But
otherwise it's all there.  I prettied up smtpd_recipient_restrictions
a little as the default wrapping was not good.

Because smtpd_recipient_restrictions starts with permit_mynetworks and
mynetworks includes 127.0.0.0/8 I would expect that smtp on the local
host to 127.0.0.1:25 should be allowed.  But instead it is the Relay
error.

rwp@teton:~$ postconf mail_version  # Debian Stable 10 Buster
mail_version = 3.4.14

rwp@teton:~$ postconf -nf
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 3d
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_owner = postfix
maximal_queue_lifetime = 3d
message_size_limit = 4000
mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost,
    example.com, example.org
mydomain = example.net
myhostname = teton.example.net
mynetworks = "172.105.151.107/32, 96.88.95.55/32, 127.0.0.0/8"
mynetworks_style = host
myorigin = $mydomain
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock
queue_directory = /var/spool/postfix
relay_domains = $mydestination
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
    check_helo_access hash:/etc/postfix/helo-access
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],
    warn_if_reject reject_rbl_client zen.spamhaus.org=127.255.255.[1..255]
unknown_local_recipient_reject_code = 550

The helo-access file contains:

localhost   REJECT  You are not localhost.
93.184.216.34   REJECT  You are not 93.184.216.34

The master.cf file is unchanged from the OS package.

rwp@teton:~$ postconf -Mf
smtp       inet  n       -       y       -       -       smtpd
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer  unix  -   -   y   

Re: Why 454 on Relay access denied?

2021-03-11 Thread Markus E.

On Wed, 10 Mar 2021, Viktor Dukhovni wrote:


> On Wed, Mar 10, 2021 at 04:45:29PM +0100, Markus E. wrote:
>
> > Sorry, I meant it's empty in my config. I know that defaults to
> > "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination".
> >
> > But, you gave me a good hint here. I'll try to set
> > smtpd_relay_restrictions to "permit_mynetworks, reject_unauth_destination"
> > instead (I don't need sasl auth here).
> >
> > I'll give it a try.
> >
> > I thought it was enough to have reject_unauth_destination in
> > smtpd_recipient_restrictions.
>
> It is.  You also need to have the default settings for:
>
>    soft_bounce = no
>    relay_domains_reject_code = 554
>
> Either of:
>
>    soft_bounce = yes
>    relay_domains_reject_code = 454
>
> would explain your symptoms.



OK, just a quick follow-up.

I moved reject_unauth_destination from smtpd_recipient_restrictions to 
smtpd_relay_restrictions.
I didn't have smtpd_relay_restrictions specified in my config before, so the 
default values were in use (one of them being defer_unauth_destination)
Now I see 554 reject codes on Relay access denied, as wanted.

All the best.

-me


Re: Why 454 on Relay access denied?

2021-03-10 Thread Viktor Dukhovni
On Wed, Mar 10, 2021 at 04:45:29PM +0100, Markus E. wrote:

> Sorry, I meant it's empty in my config. I know that defaults to 
> "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination".
> 
> But, you gave me a good hint here. I'll try to set 
> smtpd_relay_restrictions to "permit_mynetworks, reject_unauth_destination" 
> instead (I don't need sasl auth here).
> 
> I'll give it a try.
> 
> I thought it was enough to have reject_unauth_destination in 
> smtpd_recipient_restrictions.

It is.  You also need to have the default settings for:

soft_bounce = no
relay_domains_reject_code = 554

Either of:

soft_bounce = yes
relay_domains_reject_code = 454

would explain your symptoms.

-- 
Viktor.


Re: Why 454 on Relay access denied?

2021-03-10 Thread Markus E.

On Wed, 10 Mar 2021, Wietse Venema wrote:


> Markus E.:
> > On Wed, 10 Mar 2021, Wietse Venema wrote:
> >
> > > Markus E.:
> > >> Hello!
> > >>
> > >> I just noticed my servers replies with a 454 (instead of 554) when a bot
> > >> checks for an open relay. Here's one example:
> > >>
> > >> Mar 10 08:53:46 mx1 postfix/smtpd[16747]: connect from
> > >> xxx.fesersglobal.com[45.85.90.xxx]
> > >> Mar 10 08:53:51 mx1 postfix/smtpd[16747]: NOQUEUE: reject: RCPT from
> > >> xxx.fesersglobal.com[45.85.90.xxx]: 454 4.7.1 : Relay access denied;
> > >> from= to= proto=ESMTP helo=
> > >> Mar 10 08:53:52 mx1 postfix/smtpd[16747]: disconnect from
> > >> xxx.fesersglobal.com[45.85.90.xxx] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1
> > >> commands=4/5
> > >
> > > smtpd_relay_restrictions, I presume?
> > >
> > > Wietse
> >
> > Hi Wietse and others,
> >
> > smtpd_relay_restrictions is empty, i.e. using the defaults.
>
> The default is NOT EMPTY since 2015. That is six years now,
>
> Wietse

Sorry, I meant it's empty in my config. I know that defaults to 
"permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination".

But, you gave me a good hint here. I'll try to set 
smtpd_relay_restrictions to "permit_mynetworks, reject_unauth_destination" 
instead (I don't need sasl auth here).

I'll give it a try.

I thought it was enough to have reject_unauth_destination in 
smtpd_recipient_restrictions.


Thank you!

-me



Re: Why 454 on Relay access denied?

2021-03-10 Thread Wietse Venema
Markus E.:
> On Wed, 10 Mar 2021, Wietse Venema wrote:
> 
> > Markus E.:
> >> Hello!
> >>
> >> I just noticed my servers replies with a 454 (instead of 554) when a bot
> >> checks for an open relay. Here's one example:
> >>
> >> Mar 10 08:53:46 mx1 postfix/smtpd[16747]: connect from 
> >> xxx.fesersglobal.com[45.85.90.xxx]
> >> Mar 10 08:53:51 mx1 postfix/smtpd[16747]: NOQUEUE: reject: RCPT from 
> >> xxx.fesersglobal.com[45.85.90.xxx]: 454 4.7.1 : Relay 
> >> access denied; from= to= 
> >> proto=ESMTP helo=
> >> Mar 10 08:53:52 mx1 postfix/smtpd[16747]: disconnect from 
> >> xxx.fesersglobal.com[45.85.90.xxx] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1 
> >> commands=4/5
> >>
> >
> > smtpd_relay_restrictions, I presume?
> >
> > Wietse
> >
> 
> Hi Wietse and others,
> 
> smtpd_relay_restrictions is empty, i.e. using the defaults.

The default is NOT EMPTY since 2015. That is six years now,

Wietse


Re: Why 454 on Relay access denied?

2021-03-10 Thread Markus E.

On Wed, 10 Mar 2021, Wietse Venema wrote:


> Markus E.:
> > Hello!
> >
> > I just noticed my servers replies with a 454 (instead of 554) when a bot
> > checks for an open relay. Here's one example:
> >
> > Mar 10 08:53:46 mx1 postfix/smtpd[16747]: connect from
> > xxx.fesersglobal.com[45.85.90.xxx]
> > Mar 10 08:53:51 mx1 postfix/smtpd[16747]: NOQUEUE: reject: RCPT from
> > xxx.fesersglobal.com[45.85.90.xxx]: 454 4.7.1 : Relay access denied;
> > from= to= proto=ESMTP helo=
> > Mar 10 08:53:52 mx1 postfix/smtpd[16747]: disconnect from
> > xxx.fesersglobal.com[45.85.90.xxx] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1
> > commands=4/5
>
> smtpd_relay_restrictions, I presume?
>
> Wietse

Hi Wietse and others,

smtpd_relay_restrictions is empty, i.e. using the defaults.

From the manual "Either the smtpd_relay_restrictions or the 
smtpd_recipient_restrictions parameter must specify at least one of the 
following restrictions. Otherwise Postfix will refuse to receive mail: 
reject, reject_unauth_destination defer, defer_if_permit, 
defer_unauth_destination"


I do have reject_unauth_destination in smtpd_recipient_restrictions, and 
relay_domains_reject_code is not set, so default code would be 554?


I'm a bit lost here to be honest. Any more clues?

-me



Re: Why 454 on Relay access denied?

2021-03-10 Thread Wietse Venema
Markus E.:
> Hello!
> 
> I just noticed my servers replies with a 454 (instead of 554) when a bot 
> checks for an open relay. Here's one example:
> 
> Mar 10 08:53:46 mx1 postfix/smtpd[16747]: connect from 
> xxx.fesersglobal.com[45.85.90.xxx]
> Mar 10 08:53:51 mx1 postfix/smtpd[16747]: NOQUEUE: reject: RCPT from 
> xxx.fesersglobal.com[45.85.90.xxx]: 454 4.7.1 : Relay 
> access denied; from= to= proto=ESMTP 
> helo=
> Mar 10 08:53:52 mx1 postfix/smtpd[16747]: disconnect from 
> xxx.fesersglobal.com[45.85.90.xxx] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1 
> commands=4/5
> 

smtpd_relay_restrictions, I presume?

Wietse


Why 454 on Relay access denied?

2021-03-10 Thread Markus E.

Hello!

I just noticed my servers replies with a 454 (instead of 554) when a bot 
checks for an open relay. Here's one example:


Mar 10 08:53:46 mx1 postfix/smtpd[16747]: connect from 
xxx.fesersglobal.com[45.85.90.xxx]
Mar 10 08:53:51 mx1 postfix/smtpd[16747]: NOQUEUE: reject: RCPT from 
xxx.fesersglobal.com[45.85.90.xxx]: 454 4.7.1 : Relay access denied; 
from= to= proto=ESMTP helo=
Mar 10 08:53:52 mx1 postfix/smtpd[16747]: disconnect from 
xxx.fesersglobal.com[45.85.90.xxx] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1 
commands=4/5

Relevant config (I believe):

smtpd_client_restrictions =
    permit_mynetworks
    sleep 5
    reject_unauth_pipelining

smtpd_helo_restrictions =

smtpd_sender_restrictions =

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_pipelining
    # Always permit abuse, postmaster accounts
    check_recipient_access hash:/usr/local/etc/postfix/excluded_users
    # Always permit trusted IP networks
    check_client_access cidr:/usr/local/etc/postfix/ip_access.cidr
    # Always permit trusted domains
    check_client_access hash:/usr/local/etc/postfix/access
    reject_unknown_client_hostname
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unauth_destination
    permit

relay_domains = domain1.com domain2.com
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
relayhost = [my.internal.relay.host]

- me


Re: Getting 'Relay access denied' from one LAN host but not from another - why?

2020-11-11 Thread Chris Green
On Wed, Nov 11, 2020 at 11:43:48AM +0100, Matus UHLAR - fantomas wrote:
[snip]
> 
> this message is not relayed, but delivered locally.
> 
[snip]
> 
> this message is not to be delivered locally, but to be relayed.
> 

Of course, thanks Matus, one was to chris@esprimo whereas the rejected
one was to ch...@isbd.co.uk.

> 
> 
[snip]
> > 
> > 
> > Shouldn't that permit_mynetworks allow E-Mail from 
> > 2820n.zbmc.eu[192.168.1.20]
> > as it does allow it from pibackup.zbmc.eu[192.168.1.108]?  Can anyone
> > suggest what might be wrong?
> 
> only if 192.168.1.20 was in your mynetworks list, and it is not.
> 
Correct!  I should have looked at main.cf a bit harder.


Anyway, thanks for all the answers Matus, as you can see I am more
of a Postfix 'user' than anything else.  :-)   (At least I managed to
provide all the information needed!)

-- 
Chris Green


Re: Getting 'Relay access denied' from one LAN host but not from another - why?

2020-11-11 Thread Matus UHLAR - fantomas

On 11.11.20 10:30, Chris Green wrote:

> Subject: Getting 'Relay access denied' from one LAN host but not from
> another - why?
>
> I have Postfix 3.4.13 running on my xubuntu 20.04 system.
>
> It's configured to send outgoing E-Mail to my hosting provider's smart
> host and to deliver incoming E-Mail to local users (basically just me).
> This has been working for several years.
>
> Also configured a while ago and working OK are some local E-Mail
> senders such as a backup system on the LAN which send any backup error
> messages to me.  I have just tested this by sending a test error
> message and this works OK, see this bit of mail.log:-
>
>    Nov 11 10:10:39 esprimo postfix/smtpd[2245946]: connect from
> pibackup.zbmc.eu[192.168.1.108]
>    Nov 11 10:10:39 esprimo postfix/smtpd[2245946]: D36AC2C059A:
> client=pibackup.zbmc.eu[192.168.1.108]
>    Nov 11 10:10:39 esprimo postfix/cleanup[2245950]: D36AC2C059A: message-id=<>
>    Nov 11 10:10:39 esprimo postfix/qmgr[1320]: D36AC2C059A: from=, size=433,
> nrcpt=1 (queue active)
>    Nov 11 10:10:39 esprimo postfix/smtpd[2245946]: disconnect from
> pibackup.zbmc.eu[192.168.1.108] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
>    Nov 11 10:10:39 esprimo postfix/local[2245951]: D36AC2C059A:
> to=, relay=local, delay=0.08, delays=0.01/0.01/0/0.06,
> dsn=2.0.0, status=sent (delivered to command: /home/chris/.mutt/bin/filter.py)
>    Nov 11 10:10:39 esprimo postfix/qmgr[1320]: D36AC2C059A: removed


this message is not relayed, but delivered locally.


> However E-Mail sent from another system on the LAN (a Draytek 2820n
> router) is being rejected with "Relay access denied" and I don't
> understand why.  Here is the mail.log output:-
>
>    Nov  9 09:41:09 esprimo postfix/smtpd[1894400]: connect from
> 2820n.zbmc.eu[192.168.1.20]
>    Nov  9 09:41:09 esprimo postfix/smtpd[1894400]: NOQUEUE: reject: RCPT from
> 2820n.zbmc.eu[192.168.1.20]: 454 4.7.1 : Relay access denied;
> from=<28...@isbd.co.uk> to= proto=SMTP helo=
>    Nov  9 09:41:09 esprimo postfix/smtpd[1894400]: disconnect from
> 2820n.zbmc.eu[192.168.1.20] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
>    Nov  9 10:09:54 esprimo postfix/smtpd[1897924]: connect from
> 2820n.zbmc.eu[192.168.1.20]
>    Nov  9 10:09:54 esprimo postfix/smtpd[1897924]: NOQUEUE: reject: RCPT from
> 2820n.zbmc.eu[192.168.1.20]: 454 4.7.1 : Relay access denied;
> from=<28...@isbd.co.uk> to= proto=SMTP helo=
>    Nov  9 10:09:54 esprimo postfix/smtpd[1897924]: disconnect from
> 2820n.zbmc.eu[192.168.1.20] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
>
> I can't understand why one message is delivered while the other is
> rejected.


this message is not to be delivered locally, but to be relayed.




>    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
>
>
>    # Debian specific:  Specifying a file name will cause the first
>    # line of that file to be used as the name.  The Debian default
>    # is /etc/mailname.
>    #myorigin = /etc/mailname
>
>    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
>    biff = no
>
>    # appending .domain is the MUA's job.
>    append_dot_mydomain = no
>
>    # Uncomment the next line to generate "delayed mail" warnings
>    #delay_warning_time = 4h
>
>    readme_directory = no
>
>    # TLS parameters
>    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
>    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
>    smtpd_use_tls=yes
>    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
>    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
>    # information on enabling SSL in the smtp client.
>
>    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>        defer_unauth_destination
>    myhostname = esprimo.zbmc.eu
>    alias_maps = hash:/etc/aliases
>    alias_database = hash:/etc/aliases
>    myorigin = zbmc.eu
>    mydestination = zbmc.eu esprimo.zbmc.eu, esprimo, chris.zbmc.eu
>    relayhost = [mail.gandi.net]:465
>    # relayhost = [mail.gridhost.co.uk]:465
>    mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
>    mailbox_size_limit = 0
>    recipient_delimiter = +
>    inet_interfaces = all
>    inet_protocols = ipv4
>    smtp_sasl_auth_enable = yes
>    smtp_tls_wrappermode = yes
>    smtp_tls_security_level = encrypt
>    smtp_sasl_tls_security_options = noanonymous
>    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>    message_size_limit = 12048
>    compatibility_level = 2
>
>
> Shouldn't that permit_mynetworks allow E-Mail from 2820n.zbmc.eu[192.168.1.20]
> as it does allow it from pibackup.zbmc.eu[192.168.1.108]?  Can anyone
> suggest what might be wrong?


only if 192.168.1.20 was in your mynetworks list, and it is not.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.
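As an added illustration (not code from these threads or from Postfix), the model below walks `smtpd_relay_restrictions` first and `smtpd_recipient_restrictions` second, which accounts for both the 454 in this thread and the one in "Why 454 on Relay access denied?" above. The probe address 203.0.113.7, the domain example.net, Markus's `mynetworks` value and the added `192.168.1.20/32` entry are constructed assumptions; restrictions other than the five handled are skipped, and destination matching is reduced to `mydestination` plus `relay_domains`.

```python
import ipaddress

# Value used when main.cf leaves smtpd_relay_restrictions unset, as quoted
# in the "Why 454 on Relay access denied?" thread.
DEFAULT_RELAY = ["permit_mynetworks", "permit_sasl_authenticated",
                 "defer_unauth_destination"]


def in_mynetworks(client_ip, mynetworks):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in mynetworks)


def evaluate(restrictions, cfg, client_ip, rcpt_domain, sasl_ok):
    """Walk one restriction list; the first decisive restriction wins.

    Returns an SMTP reply code for a reject or defer, or None when the list
    permits the request or has no opinion about it.
    """
    hard = cfg.get("relay_domains_reject_code", 554)
    if cfg.get("soft_bounce") and hard >= 500:
        hard -= 100          # soft_bounce = yes turns 5xx replies into 4xx
    dest_ok = (rcpt_domain in cfg.get("mydestination", ())
               or rcpt_domain in cfg.get("relay_domains", ()))
    for name in restrictions:
        if name == "permit":
            return None
        if name == "permit_mynetworks" and in_mynetworks(client_ip, cfg["mynetworks"]):
            return None
        if name == "permit_sasl_authenticated" and sasl_ok:
            return None
        if name == "reject_unauth_destination" and not dest_ok:
            return hard
        if name == "defer_unauth_destination" and not dest_ok:
            return 454       # temporary failure, as in the logs on this page
    return None


def rcpt_reply(cfg, client_ip, rcpt_domain, sasl_ok=False):
    """Return (code, deciding_list) for one RCPT TO."""
    lists = [
        ("smtpd_relay_restrictions",
         cfg.get("smtpd_relay_restrictions") or DEFAULT_RELAY),
        ("smtpd_recipient_restrictions",
         cfg.get("smtpd_recipient_restrictions", [])),
    ]
    for list_name, restrictions in lists:   # relay list is applied first
        code = evaluate(restrictions, cfg, client_ip, rcpt_domain, sasl_ok)
        if code is not None:
            return code, list_name
    return 250, None


# Markus's setup before the change: relay list unset, reject in recipient list.
MARKUS_BEFORE = {
    "mynetworks": ["127.0.0.0/8"],                      # assumed, not on the page
    "relay_domains": {"domain1.com", "domain2.com"},
    "smtpd_recipient_restrictions": ["permit_mynetworks", "reject_unauth_pipelining",
                                     "reject_unauth_destination", "permit"],
}
MARKUS_AFTER = dict(MARKUS_BEFORE, smtpd_relay_restrictions=[
    "permit_mynetworks", "reject_unauth_destination"])

# Chris's setup, from the main.cf quoted above (IPv4 loopback and ::1 only).
CHRIS = {
    "mynetworks": ["127.0.0.0/8", "::1/128"],
    "mydestination": {"zbmc.eu", "esprimo.zbmc.eu", "esprimo", "chris.zbmc.eu"},
    "smtpd_relay_restrictions": ["permit_mynetworks", "permit_sasl_authenticated",
                                 "defer_unauth_destination"],
}
# Hypothetical correction: list the router's address in mynetworks.
CHRIS_FIXED = dict(CHRIS, mynetworks=CHRIS["mynetworks"] + ["192.168.1.20/32"])

if __name__ == "__main__":
    print(rcpt_reply(MARKUS_BEFORE, "203.0.113.7", "example.net"))
    print(rcpt_reply(MARKUS_AFTER, "203.0.113.7", "example.net"))
    print(rcpt_reply(CHRIS, "192.168.1.108", "esprimo"))
    print(rcpt_reply(CHRIS, "192.168.1.20", "isbd.co.uk"))
    print(rcpt_reply(CHRIS_FIXED, "192.168.1.20", "isbd.co.uk"))
```

The backup host is accepted without being in `mynetworks` because its recipient is in `mydestination`, so no relay permission is needed; the router's message to isbd.co.uk needs one and has none.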


Getting 'Relay access denied' from one LAN host but not from another - why?

2020-11-11 Thread Chris Green
I have Postfix 3.4.13 running on my xubuntu 20.04 system.

It's configured to send outgoing E-Mail to my hosting provider's smart
host and to deliver incoming E-Mail to local users (basically just me).
This has been working for several years.

Also configured a while ago and working OK are some local E-Mail
senders such as a backup system on the LAN which send any backup error
messages to me.  I have just tested this by sending a test error
message and this works OK, see this bit of mail.log:-

Nov 11 10:10:39 esprimo postfix/smtpd[2245946]: connect from 
pibackup.zbmc.eu[192.168.1.108]
Nov 11 10:10:39 esprimo postfix/smtpd[2245946]: D36AC2C059A: 
client=pibackup.zbmc.eu[192.168.1.108]
Nov 11 10:10:39 esprimo postfix/cleanup[2245950]: D36AC2C059A: 
message-id=<>
Nov 11 10:10:39 esprimo postfix/qmgr[1320]: D36AC2C059A: 
from=, size=433, nrcpt=1 (queue active)
Nov 11 10:10:39 esprimo postfix/smtpd[2245946]: disconnect from 
pibackup.zbmc.eu[192.168.1.108] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 11 10:10:39 esprimo postfix/local[2245951]: D36AC2C059A: 
to=, relay=local, delay=0.08, delays=0.01/0.01/0/0.06, 
dsn=2.0.0, status=sent (delivered to command: /home/chris/.mutt/bin/filter.py)
Nov 11 10:10:39 esprimo postfix/qmgr[1320]: D36AC2C059A: removed

However E-Mail sent from another system on the LAN (a Draytek 2820n
router) is being rejected with "Relay access denied" and I don't
understand why.  Here is the mail.log output:-

Nov  9 09:41:09 esprimo postfix/smtpd[1894400]: connect from 2820n.zbmc.eu[192.168.1.20]
Nov  9 09:41:09 esprimo postfix/smtpd[1894400]: NOQUEUE: reject: RCPT from 2820n.zbmc.eu[192.168.1.20]: 454 4.7.1 : Relay access denied; from=<28...@isbd.co.uk> to= proto=SMTP helo=
Nov  9 09:41:09 esprimo postfix/smtpd[1894400]: disconnect from 2820n.zbmc.eu[192.168.1.20] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Nov  9 10:09:54 esprimo postfix/smtpd[1897924]: connect from 2820n.zbmc.eu[192.168.1.20]
Nov  9 10:09:54 esprimo postfix/smtpd[1897924]: NOQUEUE: reject: RCPT from 2820n.zbmc.eu[192.168.1.20]: 454 4.7.1 : Relay access denied; from=<28...@isbd.co.uk> to= proto=SMTP helo=
Nov  9 10:09:54 esprimo postfix/smtpd[1897924]: disconnect from 2820n.zbmc.eu[192.168.1.20] helo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

I can't understand why one message is delivered while the other is
rejected.

Here's my main.cf:-

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = esprimo.zbmc.eu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = zbmc.eu
mydestination = zbmc.eu esprimo.zbmc.eu, esprimo, chris.zbmc.eu
relayhost = [mail.gandi.net]:465
# relayhost = [mail.gridhost.co.uk]:465
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtp_sasl_auth_enable = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
message_size_limit = 12048
compatibility_level = 2


Shouldn't that permit_mynetworks allow E-Mail from 2820n.zbmc.eu[192.168.1.20]
as it does allow it from pibackup.zbmc.eu[192.168.1.108]?  Can anyone
suggest what might be wrong?

-- 
Chris Green
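
How the smtpd_relay_restrictions line in the main.cf above decides the two logged sessions, as an added example (not code from the thread or from Postfix). The recipient domains are elided in the logs, so `zbmc.eu` and `example.net` are constructed stand-ins, and only mydestination is treated as a local destination.

```python
import ipaddress
import re

# Values copied from the main.cf posted in this thread.
MYNETWORKS = "127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128"
MYDESTINATION = "zbmc.eu esprimo.zbmc.eu, esprimo, chris.zbmc.eu"
RELAY_RESTRICTIONS = ("permit_mynetworks permit_sasl_authenticated "
                      "defer_unauth_destination")


def parse_list(value):
    """Split a main.cf list value on commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def parse_networks(value):
    """Turn a mynetworks value into ip_network objects.

    Entries this sketch cannot parse (the second entry above, as it
    appears on the page) are skipped rather than guessed at.
    """
    networks = []
    for item in parse_list(value):
        text = item.replace("[", "").replace("]", "")
        try:
            networks.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            continue
    return networks


def relay_decision(client_ip, rcpt_domain, mynetworks=MYNETWORKS,
                   sasl_authenticated=False):
    """Return (action, rule) for one RCPT TO; the first matching rule wins."""
    client = ipaddress.ip_address(client_ip)
    local_domains = {d.lower() for d in parse_list(MYDESTINATION)}
    for rule in parse_list(RELAY_RESTRICTIONS):
        if rule == "permit_mynetworks":
            if any(client in net for net in parse_networks(mynetworks)):
                return ("permit", rule)
        elif rule == "permit_sasl_authenticated":
            if sasl_authenticated:
                return ("permit", rule)
        elif rule == "defer_unauth_destination":
            # Assumption: only mydestination counts as "our" domain here.
            if rcpt_domain.lower() not in local_domains:
                return ("defer", rule)  # logged as 454 4.7.1 Relay access denied
    return ("dunno", "end of list")  # no relay rule objected


if __name__ == "__main__":
    # Constructed cases: client IPs are from the logs, recipient domains are not.
    cases = [
        ("pibackup -> local recipient", "192.168.1.108", "zbmc.eu", MYNETWORKS),
        ("pibackup -> remote recipient", "192.168.1.108", "example.net", MYNETWORKS),
        ("2820n -> remote recipient", "192.168.1.20", "example.net", MYNETWORKS),
        ("2820n, host added to mynetworks", "192.168.1.20", "example.net",
         MYNETWORKS + " 192.168.1.20"),
    ]
    for label, ip, domain, nets in cases:
        print(f"{label:34} {relay_decision(ip, domain, mynetworks=nets)}")
```

Neither LAN host matches mynetworks; the pibackup message gets through only because its recipient is delivered locally (relay=local in the log), so defer_unauth_destination has nothing to object to.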


Re: Relay access denied if mysql table is used

2020-05-05 Thread Wietse Venema
Robert Nemet:
> postmap query:
> postmap -q robert.ne...@virtualdomain.uk  mysql:/etc/postfix/
> mysql-virtual-mailbox-domains.cf

That is the wrong query. As documented, virtual_mailbox_domains
is queried with the DOMAIN NAME not the email address.

Wietse
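
Why the `%d` query posted in this thread answers `postmap -q` with an address but not the bare domain name used as the key for virtual_mailbox_domains: an added example (not code from the thread or from Postfix) that emulates the %s/%u/%d expansion rules documented in mysql_table(5). SQLite stands in for MySQL, and the table contents and addresses are constructed.

```python
import re
import sqlite3

# Query template as posted in this thread.
PAGE_QUERY = "SELECT 1 FROM domain WHERE name='%d'"
# The same lookup keyed on the whole search string instead.
KEY_QUERY = "SELECT 1 FROM domain WHERE name='%s'"


class Suppressed(Exception):
    """Raised when an expansion rule says the query must not be sent."""


def expand_query(template, key):
    """Expand %s, %u, %d and %% in a query template.

    Returns the SQL text, or None when the query is suppressed:
      %s  the whole lookup key
      %u  local part of user@domain, otherwise the whole key
      %d  domain part of user@domain, otherwise the query is suppressed
    """
    local, at, domain = key.rpartition("@")

    def substitute(match):
        code = match.group(1)
        if code == "%":
            return "%"
        if code == "s":
            value = key
        elif code == "u":
            value = local if at else key
        else:  # "d"
            value = domain if at else ""
        if not value:
            raise Suppressed(code)
        return value.replace("'", "''")  # SQL-quote the substituted text

    try:
        return re.sub(r"%([sud%])", substitute, template)
    except Suppressed:
        return None


def make_db(domains):
    """Build an in-memory stand-in for the 'domain' table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domain (name TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO domain VALUES (?)", [(d,) for d in domains])
    return db


def lookup(db, template, key):
    """Emulate one table lookup; None means 'key not found'."""
    sql = expand_query(template, key)
    if sql is None:
        return None
    row = db.execute(sql).fetchone()
    return None if row is None else str(row[0])


if __name__ == "__main__":
    db = make_db(["virtualdomain.uk"])
    for template in (PAGE_QUERY, KEY_QUERY):
        for key in ("user@virtualdomain.uk", "virtualdomain.uk",
                    "anyotherdomain.uk"):
            print(f"{template!r:45} key={key!r:26} -> {lookup(db, template, key)!r}")
```

With the `%d` template, a full address finds the row while the bare domain name produces no query at all, so the domain looks absent from the table.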


Re: Relay access denied if mysql table is used

2020-05-05 Thread Robert Nemet
"A table that is expected to return a result for a query with a lookup
key of each of the *domain names* (the result is ignored, the
*existence* of the key is what counts)."

Yes, OK, I checked the manual: ""type:table" lookup table is matched when
a name matches a lookup key (the lookup result is ignored)."
But doesn't this mean that if there is a return, it should pass, if there
isn't, it shouldn't? So even if I list all the domains, it should be
working?
Anyway, I changed the query, and now it just returns '1', but it still
doesn't work.

"That's not the right lookup key, and an irrelevant result."
So what is the problem with this?:
mysql-virtual-domain.cf:
...
query = SELECT 1 FROM domain WHERE name='%d'

postmap query:
postmap -q robert.ne...@virtualdomain.uk  mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
1
postmap -q robert.ne...@anyotherdomain.uk  mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf



" But frankly, I
don't recommend using an SQL table for the virtual domains unless you're
going to be hosting a much larger (dynamic) population of these than
just three."
There are 58 domains in the table on production, and it will be more. I
wouldn't bother using SQL if it was just a couple of domains and new ones
were added once in every year :)






On Mon, May 4, 2020 at 8:18 PM Viktor Dukhovni 
wrote:

> On Mon, May 04, 2020 at 08:08:25PM +0100, Robert Nemet wrote:
>
> > main.cf
> >
> > *** version one, working configuration ***
> >
> > virtual_mailbox_domains = myvirtualdomain.uk,myvirtualdomain2.uk,
> myvirtualdomain3.uk
>
> A list of *domain names*.
>
> > *** version two ***
> >
> > virtual_mailbox_domains = proxy:mysql:/etc/postfix/
> mysql-virtual-mailbox-domains.cf
> > [...]
> > Mail is rejected:
>
> A table that is expected to return a result for a query with a lookup
> key of each of the *domain names* (the result is ignored, the
> *existence* of the key is what counts).
>
> > If I query the table with postmap, I get the same result as the working
> > config:
> >
> > postmap -q robert.ne...@virtualdomain.uk  mysql:/etc/postfix/
> mysql-virtual-mailbox-domains.cf
> > myvirtualdomain.uk,myvirtualdomain2.uk,myvirtualdomain3.uk
>
> That's not the right lookup key, and an irrelevant result.
>
> > Could anybody tell me what can be the problem?
>
> The table does not hold the domains as lookup keys.  But frankly, I
> don't recommend using an SQL table for the virtual domains unless you're
> going to be hosting a much larger (dynamic) population of these than
> just three.
>
> --
> Viktor.
>


Re: Relay access denied if mysql table is used

2020-05-04 Thread @lbutlr
On 04 May 2020, at 13:08, Robert Nemet  wrote:
> 
> virtual_mailbox_domains = 
> proxy:mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

What is in mysql-virtual-mailbox-domains.cf?

> virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf 

> proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps2.cf 
> proxy:mysql:/etc/postfix/mysql-virtual-recipients-alias.cf

VMM should only contain the map for the mailboxes (ie username in the database).

virtual_alias_maps =
proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
hash:$config_directory/virtual
virtual_mailbox_domains =
proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf

mysql_virtual_alias_maps.cf 
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address

mysql_virtual_domains_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
query  = SELECT domain FROM domain WHERE domain='%u'

mysql_virtual_mailbox_maps.cf
user = postfix
password = postfix
hosts = localhost
dbname = postfix
table = mailbox
select_field = maildir
where_field = username

Note the differences in these files and where they are used in main.cf
(obviously, set your own username, password, dbname, and hosts).

> postmap -q robert.ne...@virtualdomain.uk 
> mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf 
> myvirtualdomain.uk,myvirtualdomain2.uk,myvirtualdomain3.uk

That is wrong, a lookup for domain should look up only the domain and return
only the domain if it exists.

# postmap -q kreme.com 
mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
kreme.com
# postmap -q notkreme.com 
mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf 
#

Mailbox maps might return “user” or “u...@domain.tld” depending on your setup.

# postmap -q krem...@kreme.com 
mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf  
krem...@kreme.com/
# postmap -q krem...@notkreme.com 
mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
#   

And alias maps will only return a result if the user@domain maps to an alias
to a different user@domain. (So most of the time it should probably return
nothing.)



-- 
"Are you pondering what I'm pondering?"
Yeah, but I thought Madonna already had a steady bloke!”




Re: Relay access denied if mysql table is used

2020-05-04 Thread Viktor Dukhovni
On Mon, May 04, 2020 at 08:08:25PM +0100, Robert Nemet wrote:

> main.cf
> 
> *** version one, working configuration ***
> 
> virtual_mailbox_domains = myvirtualdomain.uk,myvirtualdomain2.uk, 
> myvirtualdomain3.uk

A list of *domain names*.

> *** version two ***
> 
> virtual_mailbox_domains = 
> proxy:mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
> [...]
> Mail is rejected:

A table that is expected to return a result for a query with a lookup
key of each of the *domain names* (the result is ignored, the
*existence* of the key is what counts).

> If I query the table with postmap, I get the same result as the working
> config:
> 
> postmap -q robert.ne...@virtualdomain.uk  
> mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
> myvirtualdomain.uk,myvirtualdomain2.uk,myvirtualdomain3.uk

That's not the right lookup key, and an irrelevant result.

> Could anybody tell me what can be the problem?

The table does not hold the domains as lookup keys.  But frankly, I
don't recommend using an SQL table for the virtual domains unless you're
going to be hosting a much larger (dynamic) population of these than
just three.

-- 
Viktor.


Relay access denied if mysql table is used

2020-05-04 Thread Robert Nemet
Hello,

I have a simple virtual domain configuration, based on postfix virtual
howto.
If I try to use mysql table for virtual domains, mails are rejected. If I
don't, everything works.

configuration:
Real server names are replaced in the configurations and logs.

master.cf:
I have my own delivery service for incoming mail, but it doesn't seem to
affect delivery at all.

main.cf

*** version one, working configuration ***

virtual_mailbox_domains = myvirtualdomain.uk,myvirtualdomain2.uk,myvirtualdomain3.uk
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps2.cf proxy:mysql:/etc/postfix/mysql-virtual-recipients-alias.cf

Mail is delivered:

May  4 17:39:54 myserver postfix/smtpd[27490]: connect from unknown[213.48.6.18]
May  4 17:39:55 myserver postfix/smtpd[27490]: 3B53D7E9C3: client=unknown[213.48.6.18]
May  4 17:39:55 myserver postfix/cleanup[27493]: 3B53D7E9C3: message-id=<1588613990.28840.3.ca...@mydomain.com>
May  4 17:39:55 myserver postfix/qmgr[26365]: 3B53D7E9C3: from=<m...@mydomain.com>, size=1441, nrcpt=1 (queue active)
May  4 17:39:55 myserver postfix/smtpd[27490]: disconnect from unknown[213.48.6.18] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May  4 17:39:55 myserver postfix/pipe[27494]: 3B53D7E9C3: to=<robert.ne...@virtualdomain.uk>, relay=myservice, delay=0.43, delays=0.04/0/0/0.39, dsn=2.0.0, status=sent (delivered via myservice service)

*** version two ***

virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps2.cf proxy:mysql:/etc/postfix/mysql-virtual-recipients-alias.cf

Mail is rejected:

May  4 17:44:52 myserver postfix/smtpd[28478]: connect from unknown[213.48.6.18]
May  4 17:44:52 myserver postfix/smtpd[28478]: NOQUEUE: reject: RCPT from unknown[213.48.6.18]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=
May  4 17:44:53 myserver postfix/smtpd[28478]: disconnect from unknown[213.48.6.18] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

If I query the table with postmap, I get the same result as the working
config:

postmap -q robert.ne...@virtualdomain.uk  mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
myvirtualdomain.uk,myvirtualdomain2.uk,myvirtualdomain3.uk

Could anybody tell me what can be the problem?

This is a test server, where I have only 3 domains. I have a few dozens on
my production server, and users can add their own if they want, therefore
using SQL tables would be reasonable. (Current production uses Exim, we
want to replace it with Postfix.)

Thanks
Robert


Re: Split Domain MTA relay access denied

2019-10-11 Thread Adam Barnett
ah, got it

Thanks
Adam

-- 
__ 
Adam Barnett 
Systems Engineer 
Double Negative 
160 Great Portland Street,W1W 5QA 
T: 020-7268-5000 
[ http://www.dneg.com/ | www.dneg.com ] 
__

- Original Message -
| From: "Wietse Venema" 
| To: "Postfix users" 
| Sent: Friday, 11 October, 2019 12:14:52
| Subject: Re: Split Domain MTA relay access denied

| You have EXTERNAL domain listed in relay_domains? Don't do that.
| 
| For relaying to arbitrary remote sites, the SMTP client should be
| in a trusted network (mynetworks), or the client should authenticate
| (with SASL login, or TLS cert).
| 
| It was not clear from the anonymized description which was which.
| 
|   Wietse
| 
| Adam Barnett:
|> This was happening when sending internal to external so how can i populate
|> relay_recipient_maps ?
|> 
|> --
|> __
|> Adam Barnett
|> Systems Engineer
|> Double Negative
|> 160 Great Portland Street,W1W 5QA
|> T: 020-7268-5000
|> [ http://www.dneg.com/ | www.dneg.com ]
|> __
|> 
|> - Original Message -
|> | From: "Wietse Venema" 
|> | To: "Postfix users" 
|> | Sent: Friday, 11 October, 2019 12:01:57
|> | Subject: Re: Split Domain MTA relay access denied
|> 
|> | ab:
|> |> Hi
|> |> 
|> |> Added the domain to $relay_domains but then I get this error
|> | 
|> | Good.
|> | 
|> |>  Recipient address rejected: User unknown in relay recipient table;
|> | 
|> | Populate relay_recipient_maps, or use recipient address verification.
|> | 
|> | http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
|> | http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
|> | 
|> | Background info:
|> | 
|> | http://www.postfix.org/postconf.5.html#relay_recipient_maps
|> | http://www.postfix.org/ADDRESS_CLASS_README.html
|> | 
|> |Wietse


Re: Split Domain MTA relay access denied

2019-10-11 Thread Wietse Venema
You have EXTERNAL domain listed in relay_domains? Don't do that.

For relaying to arbitrary remote sites, the SMTP client should be
in a trusted network (mynetworks), or the client should authenticate
(with SASL login, or TLS cert).

It was not clear from the anonymized description which was which.

Wietse

Adam Barnett:
> This was happening when sending internal to external so how can i populate 
> relay_recipient_maps ?
> 
> -- 
> __ 
> Adam Barnett 
> Systems Engineer 
> Double Negative 
> 160 Great Portland Street,W1W 5QA 
> T: 020-7268-5000 
> [ http://www.dneg.com/ | www.dneg.com ] 
> __
> 
> - Original Message -
> | From: "Wietse Venema" 
> | To: "Postfix users" 
> | Sent: Friday, 11 October, 2019 12:01:57
> | Subject: Re: Split Domain MTA relay access denied
> 
> | ab:
> |> Hi
> |> 
> |> Added the domain to $relay_domains but then I get this error
> | 
> | Good.
> | 
> |>  Recipient address rejected: User unknown in relay recipient table;
> | 
> | Populate relay_recipient_maps, or use recipient address verification.
> | 
> | http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
> | http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
> | 
> | Background info:
> | 
> | http://www.postfix.org/postconf.5.html#relay_recipient_maps
> | http://www.postfix.org/ADDRESS_CLASS_README.html
> | 
> | Wietse
> 


Re: Split Domain MTA relay access denied

2019-10-11 Thread Adam Barnett
This was happening when sending internal to external so how can i populate 
relay_recipient_maps ?

-- 
__ 
Adam Barnett 
Systems Engineer 
Double Negative 
160 Great Portland Street,W1W 5QA 
T: 020-7268-5000 
[ http://www.dneg.com/ | www.dneg.com ] 
__

- Original Message -
| From: "Wietse Venema" 
| To: "Postfix users" 
| Sent: Friday, 11 October, 2019 12:01:57
| Subject: Re: Split Domain MTA relay access denied

| ab:
|> Hi
|> 
|> Added the domain to $relay_domains but then I get this error
| 
| Good.
| 
|>  Recipient address rejected: User unknown in relay recipient table;
| 
| Populate relay_recipient_maps, or use recipient address verification.
| 
| http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
| http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
| 
| Background info:
| 
| http://www.postfix.org/postconf.5.html#relay_recipient_maps
| http://www.postfix.org/ADDRESS_CLASS_README.html
| 
|   Wietse


Re: Split Domain MTA relay access denied

2019-10-11 Thread Wietse Venema
ab:
> Hi
> 
> Added the domain to $relay_domains but then I get this error

Good.

>  Recipient address rejected: User unknown in relay recipient table;

Populate relay_recipient_maps, or use recipient address verification.

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

Background info:

http://www.postfix.org/postconf.5.html#relay_recipient_maps
http://www.postfix.org/ADDRESS_CLASS_README.html

Wietse


Re: Split Domain MTA relay access denied

2019-10-11 Thread ab
Hi

Added the domain to $relay_domains but then I get this error

 Recipient address rejected: User unknown in relay recipient table;

Thanks
adam 



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: Split Domain MTA relay access denied

2019-10-10 Thread Wietse Venema
ab:
> When sending Outside world to @bar.com and the account lives in zimbra, it
> hits the MTA and the get "Relay Access Denied"

The recipient domain is not listed in $relay_domains.

Wietse


Split Domain MTA relay access denied

2019-10-10 Thread ab
Hi All, 

We have a split domain with an MTA relay in the middle; the domain is
@bar.com, and it is configured in Zimbra and Gsuite.

Zimbra -> MTA Relay -> GSuite


Sending from zimbra -> Gsuite, and Zimbra -> Outside World works
correctly, the mail flows through zimbra -> mta -> gsuite

When sending Outside world to @bar.com and the account lives in zimbra, it
hits the MTA and then gets "Relay Access Denied"

Postfix config: 

address_verify_map = btree:${data_directory}/address_verify_map
amavis_destination_concurrency_limit = 25
append_dot_mydomain = no
biff = no
bounce_size_limit = 1024
canonical_maps = hash:/etc/postfix/canonical
config_directory = /etc/postfix
content_filter = amavis:localhost:10024
debug_peer_list = 92.243.13.63
default_destination_recipient_limit = 1000
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
inet_protocols = ipv4
local_recipient_maps =
mailbox_size_limit = 0
message_size_limit = 31457280
mydestination =
mydomain = foo.com
mynetworks = /etc/postfix/mynetworks
myorigin = foo.com
readme_directory = no
recipient_delimiter = +
relay_domains = $myhostname /etc/postfix/our_domains
relay_recipient_maps = ldap:/etc/postfix/ldap-relay-zimbra.cf
smtp_destination_concurrency_limit = 75
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_recipient_access
    regexp:/etc/postfix/recipient_access permit_mynetworks
    reject_unauth_destination reject_unlisted_recipient check_client_access
    hash:/etc/postfix/client_access check_sender_access
    hash:/etc/postfix/sender_access reject_unknown_sender_domain
    reject_invalid_hostname reject_non_fqdn_hostname
    reject_unknown_reverse_client_hostname reject_rbl_client zen.spamhaus.org
    reject_rbl_client psbl.surriel.com check_policy_service inet:127.0.0.1:1337
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_cert_file = /etc/postfix/${myhostname}.crt
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL
smtpd_tls_key_file = /etc/postfix/${myhostname}.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
    ldap:/etc/postfix/ldap-transport-bar.cf
virtual_alias_maps = hash:/etc/postfix/virtual_aliases


The transport map for is from a ldap lookup
/etc/postfix/ldap-transport-foo.cf which looks like this



server_host = ldap://zimbraldap:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress
version = 3
result_format=relay:[smtp.foo.com]
start_tls = no
size_limit = 1
timeout = 60

smtp.foo.com being the zimbra server to relay onto 

And the logs look like this 

NOQUEUE: reject: RCPT from mail-pg1-f199.google.com[209.85.215.199]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=

I've removed any personal info from the above

Any suggestions on why it is getting denied?

Thanks




--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: Relay Access Denied

2019-03-25 Thread VP Lists
> 
> On Mar 25, 2019, at 11:28 AM, Viktor Dukhovni  
> wrote:
> 
> As for why "mynetworks" is not enough, perhaps time to look
> at your master.cf file...

Fixed.  I needed a “From” header for gmail to accept it.  That was inside the 
Ruby gem configuration.  

Cheers

_
Rich in Toronto @ VP








Re: Relay Access Denied

2019-03-25 Thread VP Lists


> On Mar 25, 2019, at 11:28 AM, Viktor Dukhovni  
> wrote:
> 
> As for why "mynetworks" is not enough, perhaps time to look
> at your master.cf file...

Here it is:

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
# ==
#  Begin auto-generated section 
# This section of the master.cf file is auto-generated by the Server Admin
#  Mail backend plugin whenever mails settings are modified.
smtp  inet  n   -   n   -   1   postscreen
smtpd pass  -   -   n   -   -   smtpd
dnsblog   unix  -   -   n   -   0   dnsblog
tlsproxy  unix  -   -   n   -   0   tlsproxy
submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
smtp  unix  -   -   n   -   -   smtp
# === End auto-generated section ===
# Modern SMTP clients communicate securely over port 25 using the STARTTLS command.
# Some older clients, such as Outlook 2000 and its predecessors, do not properly
# support this command and instead assume a preconfigured secure connection
# on port 465. This was sometimes called "smtps", but such usage was never
# approved by the IANA and therefore conflicts with another, legitimate assignment.
# For more details about managing secure SMTP connections with postfix, please see:
#   http://www.postfix.org/TLS_README.html
# To read more about configuring secure connections with Outlook 2000, please read:
#   http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307772
# Apple does not support the use of port 465 for this purpose.
# After determining that connecting clients do require this behavior, you may choose
# to manually enable support for these older clients by uncommenting the following
# four lines.
#465  inet  n   -   n   -   -   smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628   inet  n   -   n   -   -   qmqpd
pickup    fifo  n   -   n   60  1   pickup
  -o content_filter=
cleanup   unix  n   -   n   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
#qmgr fifo  n   -   n   300 1   oqmgr
tlsmgr    unix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer unix  -   -   n   -   0   bounce
trace unix  -   -   n   -   0   bounce
verify    unix  -   -   n   -   1   verify
sacl-cache unix -   -   n   -   1   sacl-cache
flush unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix  -   -   n   -   -   smtp
  -o smtp_fallback_relay=
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix  n   -   n   -   -   showq
error unix  -   -   n   -   -   error
retry unix  -   -   n   -   -   error
discard   unix  -   -   n   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   n   -   -   lmtp
anvil unix  -   -   n   -   1   anvil
scache    unix  -   -   n   -   1   scache
#
# 
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# 
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -   n   n   -   -   pipe
#  flags=DRhu user=vmail 

Re: Relay Access Denied

2019-03-25 Thread Viktor Dukhovni
> On Mar 25, 2019, at 7:23 AM, VP Lists  wrote:
> 
>>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
>>> permit
>> 
>> This is rather pointless.

Delete it, it serves no purpose.

>>> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
>>>   reject unauthdestination permit
>> 
>> This is rather busted.
> 
> I don’t know why.  This is how the package came.  

No, it did not.  It probably had:

   smtpd_recipient_restrictions =
       permit_sasl_authenticated,
       permit_mynetworks,
       reject_unauth_destination,
       permit

what you have rejects all inbound email from outside senders.

>>> smtpd_tls_ciphers = medium
>>> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
>> 
>> The default settings are better.
> 
> These are the defaults it came with.

Take the defaults from a more recent release:

  # Remove this from main.cf, taking the empty default
  smtpd_tls_exclude_ciphers =

  # Add these:
  smtpd_tls_ciphers = medium
  smtpd_tls_protocols = !SSLv2, !SSLv3
  smtp_tls_ciphers = medium
  smtp_tls_protocols = !SSLv2, !SSLv3

As for why "mynetworks" is not enough, perhaps time to look
at your master.cf file...

-- 
Viktor.



Re: Relay Access Denied

2019-03-25 Thread B. Reino

On Mon, 25 Mar 2019, VP Lists wrote:

> On Mar 25, 2019, at 1:37 AM, Viktor Dukhovni  wrote:
>
>> This must be some Apple-specific Postfix setting, are you running Apple's
>> Postfix binaries?
>
> mail_version = 2.9.2


smtpd_relay_restrictions appeared only with 2.10. That explains the 
"unused parameter" warning.


Your (old) version should IIRC use only smtpd_recipient_restrictions.

But given that you have some weird version on a weird OS with a weird 
configuration, I will have to pass.


Best is to reinstall, from a trusted (non-Apple?) source, and start with 
default configuration, which is very sane. Only touch what you actually 
need to touch, and leave the rest to Viktor and Wietse, who seem to know 
what they do :)


Cheers and good luck.


Re: Relay Access Denied

2019-03-25 Thread VP Lists


> On Mar 25, 2019, at 1:37 AM, Viktor Dukhovni  
> wrote:
> 
>> 
>> # /var/log/mail.log:
>> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: CONNECT from 
>> [192.168.1.4]:52147 to [192.168.1.6]:25
>> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: PASS OLD 
>> [192.168.1.4]:52147
>> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: connect from 
>> unknown[192.168.1.4]
>> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: NOQUEUE: reject: 
>> RCPT from unknown[192.168.1.4]: 554 5.7.1 : Relay access 
>> denied; from= to= proto=ESMTP 
>> helo=
> 
> This is likely blocked by "smtpd_relay_restrictions", or your
> mynetworks setting had not yet taken effect for all the running
> smtpd(8) processes.

At the moment, that directive is commented-out.  I was getting reports that it 
was not being used:

$ sudo postfix reload
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated reject_unauth_destination
postfix/postfix-script: refreshing the Postfix mail system

Either way, with that directive active or not, same results: Relay access denied

>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
>> permit
> 
> This is rather pointless.
> 
>> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
>>reject unauthdestination permit
> 
> This is rather busted.

I don’t know why.  This is how the package came.  

>> smtpd_tls_ciphers = medium
>> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
> 
> The default settings are better.

These are the defaults it came with.  

>> use_sacl_cache = yes
> 
> This must be some Apple-specific Postfix setting, are you running Apple's
> Postfix binaries?

They all are.  Yes this is Mountain Lion (10.8.5) Server.  Is there a default 
setup for LAN access?  I find their setup rather restrictive.  I’ve had issues 
with this setup before.  Security in the LAN is tight already, so I don’t need 
my mail server keeping me out.  

Cheers

_
Rich in Toronto @ VP








Re: Relay Access Denied

2019-03-25 Thread VP Lists


> On Mar 25, 2019, at 1:37 AM, Viktor Dukhovni  
> wrote:
> 
> This must be some Apple-specific Postfix setting, are you running Apple's
> Postfix binaries?

mail_version = 2.9.2

_
Rich in Toronto @ VP








Re: Relay Access Denied

2019-03-24 Thread Viktor Dukhovni
On Sun, Mar 24, 2019 at 06:38:40PM -0400, VP Lists wrote:

> # /var/log/mail.log:
> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: CONNECT from 
> [192.168.1.4]:52147 to [192.168.1.6]:25
> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: PASS OLD 
> [192.168.1.4]:52147
> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: connect from 
> unknown[192.168.1.4]
> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: NOQUEUE: reject: 
> RCPT from unknown[192.168.1.4]: 554 5.7.1 : Relay access 
> denied; from= to= proto=ESMTP 
> helo=

This is likely blocked by "smtpd_relay_restrictions", or your
mynetworks setting had not yet taken effect for all the running
smtpd(8) processes.

> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit

This is rather pointless.

> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
> reject unauthdestination permit

This is rather busted.

> smtpd_tls_ciphers = medium
> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL

The default settings are better.

> use_sacl_cache = yes

This must be some Apple-specific Postfix setting, are you running Apple's
Postfix binaries?

-- 
Viktor.


Re: Relay Access Denied

2019-03-24 Thread VP Lists


> On Mar 24, 2019, at 6:31 PM, Viktor Dukhovni  
> wrote:
> 
> On Sun, Mar 24, 2019 at 05:36:56PM -0400, VP Lists wrote:
> 
>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
>> permit
> 
> What do you expect this to do?

At this point I have no clue.  I think it was in there from previous messing.  

>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
>> reject_unauth_destination
>> 
>> Same error.  
> 
> Care to post logs?  Care to post "postconf -nf" (older versions
> "postconf -n") output?

# /var/log/mail.log:
Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: CONNECT from 
[192.168.1.4]:52147 to [192.168.1.6]:25
Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: PASS OLD 
[192.168.1.4]:52147
Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: connect from 
unknown[192.168.1.4]
Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: NOQUEUE: reject: RCPT 
from unknown[192.168.1.4]: 554 5.7.1 : Relay access denied; 
from= to= proto=ESMTP 
helo=
Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: disconnect from 
unknown[192.168.1.4]

So below we see that mynetworks includes the LAN for relaying.  But above, it 
says my workstation (192.168.1.4) is unknown.  No clue why.  

$ postconf -nf

biff = no
command_directory = /usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
$daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
inet_interfaces = loopback-only
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydomain_fallback = localhost
mynetworks = 192.168.1.0/24, 192.168.1.23, 192.168.1.4, 127.0.0.0/8, [::1]/128 
# RF
newaliases_path = /usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
reject unauthdestination permit
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes


_
Rich in Toronto @ VP




Re: Relay Access Denied

2019-03-24 Thread Viktor Dukhovni
On Sun, Mar 24, 2019 at 05:36:56PM -0400, VP Lists wrote:

> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit

What do you expect this to do?

> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
> reject_unauth_destination
> 
> Same error.  

Care to post logs?  Care to post "postconf -nf" (older versions
"postconf -n") output?

-- 
Viktor.


Re: Relay Access Denied

2019-03-24 Thread VP Lists


> On Mar 24, 2019, at 5:20 PM, B. Reino  wrote:
> 
> Sorry for top posting. Mobile client here..

No problem.  I don’t mind top-posting anywhere.

> Your mynetworks has 192.168.0.0/24 but you say you use 192.168.x.x, i.e. 
> 192.168.0.0/16.
> 
> In the headers of your mail I see 192.168.1.4, which would thus not be in 
> mynetworks.

Yes, it’s now corrected.

mynetworks = 192.168.1.0/24 127.0.0.0/8

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
recipient_delimiter = +
smtpd_tls_ciphers = medium
inet_protocols = all
inet_interfaces = loopback-only
config_directory = /Library/Server/Mail/Config/postfix

smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks 
reject unauthdestination permit

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
reject_unauth_destination


Same error.  


> So you may want to check that..

_
Rich in Toronto @ VP








Re: Relay Access Denied

2019-03-24 Thread B. Reino
Sorry for top posting. Mobile client here..

Your mynetworks has 192.168.0.0/24 but you say you use 192.168.x.x, i.e. 
192.168.0.0/16.

In the headers of your mail I see 192.168.1.4, which would thus not be in 
mynetworks.

So you may want to check that..
Cheers.


On March 24, 2019 8:35:59 PM UTC, VP Lists  
wrote:
>Hi folks.
>
>I’m on a LAN, with a mail server on OS X Server Mountain Lion. It’s
>running Postfix as a mail server.  
>
>My LAN has a 192.168.x.x range.  I’m getting that error when an app I’m
>developing is trying to send an email out through this email server to
>the internet.  A gmail address specifically. 
>
>
>
>My main.cf:
>
>biff = no
>command_directory = /usr/sbin
>config_directory = /Library/Server/Mail/Config/postfix
>daemon_directory = /usr/libexec/postfix
>data_directory = /Library/Server/Mail/Data/mta
>debug_peer_level = 2
>debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>xxgdb $daemon_directory/$process_name $process_id & sleep 5
>dovecot_destination_recipient_limit = 1
>html_directory = /usr/share/doc/postfix/html
>imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
>inet_interfaces = loopback-only
>inet_protocols = all
>mail_owner = _postfix
>mailbox_size_limit = 0
>mailq_path = /usr/bin/mailq
>manpage_directory = /usr/share/man
>message_size_limit = 10485760
>mydomain_fallback = localhost
>mynetworks = 192.168.0.0/24 127.0.0.0/8# RF
>newaliases_path = /usr/bin/newaliases
>queue_directory = /Library/Server/Mail/Data/spool
>readme_directory = /usr/share/doc/postfix
>recipient_delimiter = +
>sample_directory = /usr/share/doc/postfix/examples
>sendmail_path = /usr/sbin/sendmail
>setgid_group = _postdrop
>smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
>permit
>smtpd_recipient_restrictions = permit_sasl_authenticated
>permit_mynetworks reject unauthdestination permit
>smtpd_tls_ciphers = medium
>smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
>tls_random_source = dev:/dev/urandom
>unknown_local_recipient_reject_code = 550
>use_sacl_cache = yes
>postconf: warning: /etc/postfix/main.cf: unused parameter:
>smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated
>reject_unauth_destination
>
>I’m hosting a handful of local and FQDN on the LAN, and I develop using
>a machine.local naming scheme.  Just wondering how I can whitelist my
>internal domains to get outgoing emails past my mail server.  Not
>really sure what to post here as well.
>
>Any insight appreciated.
>
>Cheers
>
>
>_
>Rich in Toronto @ VP
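
Two configuration problems raised in this thread can be checked offline: the client 192.168.1.4 falling outside mynetworks = 192.168.0.0/24, and the restriction name "unauthdestination". The Python sketch below is an added example, not part of any message in the thread or of Postfix; the function names and the KNOWN_RESTRICTIONS subset are assumptions, and the sample text is constructed from values quoted in the thread with continuation-line indentation restored.

```python
import ipaddress
import re

# Restriction names that appear in this thread (assumption: a subset of
# what Postfix accepts, enough to lint the lists quoted here).
KNOWN_RESTRICTIONS = {
    "permit", "reject", "permit_mynetworks", "permit_sasl_authenticated",
    "permit_auth_destination", "reject_unauth_destination",
    "defer_unauth_destination",
}

def parse_postconf(text):
    """Parse `postconf -n` style text; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def split_list(value):
    """Split a Postfix list value on commas and whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]

def parse_mynetworks(value):
    """Return (networks, leftovers); leftovers are tokens that are not addresses.

    Table lookups such as hash:/path are not handled and end up in leftovers.
    """
    networks, leftovers = [], []
    for token in split_list(value):
        # Postfix writes IPv6 as [addr]/len; the ipaddress module wants addr/len.
        candidate = re.sub(r"^\[(.*)\](/\d+)?$", r"\1\2", token)
        try:
            networks.append(ipaddress.ip_network(candidate, strict=False))
        except ValueError:
            leftovers.append(token)
    return networks, leftovers

def audit(text, client_ip):
    """Report which mynetworks entries match the client and which names look wrong."""
    params = parse_postconf(text)
    client = ipaddress.ip_address(client_ip)
    networks, leftovers = parse_mynetworks(params.get("mynetworks", ""))
    unknown = {}
    for name, value in params.items():
        if re.fullmatch(r"smtpd_\w+_restrictions", name):
            bad = [t for t in split_list(value) if t not in KNOWN_RESTRICTIONS]
            if bad:
                unknown[name] = bad
    return {
        "client_matches": [str(n) for n in networks if client in n],
        "mynetworks_leftovers": leftovers,   # e.g. a trailing "# RF" kept as value
        "unknown_restrictions": unknown,
    }

# Constructed samples, built from the settings quoted in the thread.
ORIGINAL = """\
mynetworks = 192.168.0.0/24 127.0.0.0/8 # RF
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
    reject unauthdestination permit
"""
CORRECTED = """\
mynetworks = 192.168.1.0/24, 192.168.1.23, 192.168.1.4, 127.0.0.0/8, [::1]/128
    # RF
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
    reject unauthdestination permit
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, audit(text, "192.168.1.4"))
```

The "# RF" tokens are reported because they show up as part of the mynetworks value in the postconf -nf output quoted in the thread.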


Relay Access Denied

2019-03-24 Thread VP Lists
Hi folks.

I’m on a LAN, with a mail server on OS X Server Mountain Lion. It’s running 
Postfix as a mail server.  

My LAN has a 192.168.x.x range.  I’m getting that error when an app I’m 
developing is trying to send an email out through this email server to the
internet.  A gmail address specifically. 



My main.cf:

biff = no
command_directory = /usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb 
$daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
inet_interfaces = loopback-only
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydomain_fallback = localhost
mynetworks = 192.168.0.0/24 127.0.0.0/8 # RF
newaliases_path = /usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks 
reject unauthdestination permit
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes
postconf: warning: /etc/postfix/main.cf: unused parameter: 
smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated 
reject_unauth_destination

I’m hosting a handful of local and FQDN on the LAN, and I develop using a 
machine.local naming scheme.  Just wondering how I can whitelist my internal 
domains to get outgoing emails past my mail server.  Not really sure what to 
post here as well.

Any insight appreciated.

Cheers


_
Rich in Toronto @ VP









Re: Relay access denied

2018-12-04 Thread wilfried.es...@essignetz.de
Am 03.12.18 um 19:57 schrieb Wolfgang Paul Rauchholz:
> Thank you for the help.
> But I might not have explained myself correctly. My plan is not to relay
> email from my home server via gmail.
> But I want to be able to send emails also to gmail accounts.

It's the same.

> How can I do that?

Didn't the suggestions you got yesterday work?


Willi

> 
> Wolfgang
> 
> On Mon, Dec 3, 2018 at 11:38 AM wilfried.es...@essignetz.de <
> wilfried.es...@essignetz.de> wrote:
> 
>> Hi Wolfgang,
>>
>>
>> I don't think you have an open relay:
>>> smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination,
>>> permit_sasl_authenticated, reject, reject_unauth_destination
>> But you have a dynamic IP-Address.
>>> host 83.50.89.156
>>> 156.89.50.83.in-addr.arpa domain name pointer
>>> 156.red-83-50-89.dynamicip.rima-tde.net.
>>
>> Gmail doesn't like dynamic IPs very much.
>>
>> Obviously you have a gmail account. I'd suggest setting up your postfix to
>> use authenticated smtp to port 587, using your gmail credentials.
>>
>>
>> Willi
>>
> 
> 


Re: Relay access denied

2018-12-03 Thread wilfried.es...@essignetz.de
Hi Wolfgang,


I don't think you have an open relay:
> smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination,
> permit_sasl_authenticated, reject, reject_unauth_destination
But you have a dynamic IP-Address.
> host 83.50.89.156
> 156.89.50.83.in-addr.arpa domain name pointer
> 156.red-83-50-89.dynamicip.rima-tde.net.

Gmail doesn't like dynamic IPs very much.

Obviously you have a gmail account. I'd suggest setting up your postfix to
use authenticated smtp to port 587, using your gmail credentials.


Willi


Re: Relay access denied

2018-12-03 Thread Wolfgang Paul Rauchholz
Got finally some time over the weekend...

I got a step further, but still one topic open.
It appears that I have configured an open relay server? When trying to send
emails to my gmail account I get this error message:

   550-5.7.1 [83.50.89.156] The IP you're using to send mail is not
authorized to 550-5.7.1 send email directly to our servers. .

I went through documentation on the web and assume it is my submission
statement that makes it an open relay?

This is what I setup in main.cf. How do I need to harden this to close the
open relay?
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes


main.cf
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination,
permit_sasl_authenticated, reject, reject_unauth_destination
smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live//fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live//privkey.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
content_filter=smtp-amavis:[127.0.0.1]:10024


Wolfgang

On Wed, Nov 28, 2018 at 11:26 PM Bill Cole <
postfixlists-070...@billmail.scconsult.com> wrote:

> On 28 Nov 2018, at 15:47, Wolfgang Paul Rauchholz wrote:
>
> > Thanks for taking this up.
> > Concerning hardening TLS settings; can you recommend a read / web page
> > that
> > is suitable for a home email server?
>
> The TLS "readme" files in the Postfix distribution (and at
> http://www.postfix.org/TLS_README.html and
> http://www.postfix.org/FORWARD_SECRECY_README.html) cover what you need
> to know.
>
> The short version: Postfix default TLS cipher and protocol settings are
> fine, for releases after 2015. For older versions, you may need to set
> smtpd_tls_protocols and smtpd_tls_mandatory_protocols to "!SSLv2,
> !SSLv3" which is the default in currently supported versions.
>
> > Thanks in advance
> >
> > Here the postconf -Mf output
> >
> > smtp   inet  n   -   n   -   -   smtpd
> > amavisfeed unix  -   -   n   -   2   lmtp
> > -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes
> > -o disable_dns_lookups=yes -o max_use=20
> > submission inet  n   -   n   -   -   smtpd
> > -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
> > -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> > -o milter_macro_daemon_name=ORIGINATING
>
> That's the 'submission' (port 587) daemon, which opens connections in
> cleartext and supports the "STARTTLS" command to upgrade the connection
> to TLS encryption (because your main config includes
> "smtpd_tls_security_level = may"). To send mail through this daemon, you
> MUST either be sending to a domain that Postfix is configured to accept
> mail for (local, virtual, and relay domains) OR authenticate using SASL
> first. Because of "smtpd_tls_auth_only = yes" in your main config, you
> can only authenticate using SASL *after* using STARTTLS to negotiate a
> TLS session.
>
> > smtps  inet  n   -   n   -   -   smtpd
> > -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
> > -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> > -o milter_macro_daemon_name=ORIGINATING
>
> That's supposedly the 'smtps' (port 465) daemon, which *NORMALLY* would
> have an additional configuration  override directive:
>
>  -o smtpd_tls_wrappermode=yes
>
> Which "wraps" the SMTP session in TLS encryption that is negotiated
> immediately at connect time, rather than having clients connect in the
> clear. As it stands, your 'submission' and 'smtps' daemons will behave
> identically, except for listening on different ports and using different
> syslog labels. There's no benefit in that, because any client using port
> 465 will expect the smtps 'wrappermode' behavior and any using port 587
> will expect the configured cleartext/STARTTLS behavior.
>
> Because you are overriding the default smtpd_recipient_restrictions with
> a restriction list which only permits mail from authenticated senders or
> to recipients in local and relay-authorized domains, your attempt to
> send mail to a gmail.com address was rejected.
>
> You were able to send through port 25 because by default,
> smtpd_recipient_restrictions is empty (giving an implicit 'DUNNO'
> result) and smtpd_relay_restrictions starts with 'permit_mynetworks'.
> This lets the mail through because you are connecting from the loopback,
> which is included in your mynetworks setting.
>
> I hope this helps. Good luck!
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA 

Re: Relay access denied

2018-11-29 Thread Wolfgang Paul Rauchholz
Thanks for help.
A lot to digest and read before doing changes to config.

Wolfgang

On Wed, Nov 28, 2018 at 11:26 PM Bill Cole <
postfixlists-070...@billmail.scconsult.com> wrote:

> On 28 Nov 2018, at 15:47, Wolfgang Paul Rauchholz wrote:
>
> > Thanks for taking this up.
> > Concerning hardening TLS settings; can you recommend a read / web page
> > that
> > is suitable for a home email server?
>
> The TLS "readme" files in the Postfix distribution (and at
> http://www.postfix.org/TLS_README.html and
> http://www.postfix.org/FORWARD_SECRECY_README.html) cover what you need
> to know.
>
> The short version: Postfix default TLS cipher and protocol settings are
> fine, for releases after 2015. For older versions, you may need to set
> smtpd_tls_protocols and smtpd_tls_mandatory_protocols to "!SSLv2,
> !SSLv3" which is the default in currently supported versions.
>
> > Thanks in advance
> >
> > Here the postconf -Mf output
> >
> > smtp   inet  n   -   n   -   -   smtpd
> > amavisfeed unix  -   -   n   -   2   lmtp
> > -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes
> > -o disable_dns_lookups=yes -o max_use=20
> > submission inet  n   -   n   -   -   smtpd
> > -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
> > -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> > -o milter_macro_daemon_name=ORIGINATING
>
> That's the 'submission' (port 587) daemon, which opens connections in
> cleartext and supports the "STARTTLS" command to upgrade the connection
> to TLS encryption (because your main config includes
> "smtpd_tls_security_level = may"). To send mail through this daemon, you
> MUST either be sending to a domain that Postfix is configured to accept
> mail for (local, virtual, and relay domains) OR authenticate using SASL
> first. Because of "smtpd_tls_auth_only = yes" in your main config, you
> can only authenticate using SASL *after* using STARTTLS to negotiate a
> TLS session.
>
> > smtps  inet  n   -   n   -   -   smtpd
> > -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
> > -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> > -o milter_macro_daemon_name=ORIGINATING
>
> That's supposedly the 'smtps' (port 465) daemon, which *NORMALLY* would
> have an additional configuration  override directive:
>
>  -o smtpd_tls_wrappermode=yes
>
> Which "wraps" the SMTP session in TLS encryption that is negotiated
> immediately at connect time, rather than having clients connect in the
> clear. As it stands, your 'submission' and 'smtps' daemons will behave
> identically, except for listening on different ports and using different
> syslog labels. There's no benefit in that, because any client using port
> 465 will expect the smtps 'wrappermode' behavior and any using port 587
> will expect the configured cleartext/STARTTLS behavior.
>
> Because you are overriding the default smtpd_recipient_restrictions with
> a restriction list which only permits mail from authenticated senders or
> to recipients in local and relay-authorized domains, your attempt to
> send mail to a gmail.com address was rejected.
>
> You were able to send through port 25 because by default,
> smtpd_recipient_restrictions is empty (giving an implicit 'DUNNO'
> result) and smtpd_relay_restrictions starts with 'permit_mynetworks'.
> This lets the mail through because you are connecting from the loopback,
> which is included in your mynetworks setting.
>
> I hope this helps. Good luck!
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Available For Hire: https://linkedin.com/in/billcole
>


-- 

Wolfgang Rauchholz


Re: Relay access denied

2018-11-28 Thread Bill Cole

On 28 Nov 2018, at 15:47, Wolfgang Paul Rauchholz wrote:


> Thanks for taking this up.
> Concerning hardening TLS settings; can you recommend a read / web page that
> is suitable for a home email server?


The TLS "readme" files in the Postfix distribution (and at 
http://www.postfix.org/TLS_README.html and 
http://www.postfix.org/FORWARD_SECRECY_README.html) cover what you need 
to know.


The short version: Postfix default TLS cipher and protocol settings are 
fine, for releases after 2015. For older versions, you may need to set 
smtpd_tls_protocols and smtpd_tls_mandatory_protocols to "!SSLv2, 
!SSLv3" which is the default in currently supported versions.



> Thanks in advance
>
> Here the postconf -Mf output
>
> smtp   inet  n   -   n   -   -   smtpd
> amavisfeed unix  -   -   n   -   2   lmtp
> -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes
> -o disable_dns_lookups=yes -o max_use=20
> submission inet  n   -   n   -   -   smtpd
> -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> -o milter_macro_daemon_name=ORIGINATING


That's the 'submission' (port 587) daemon, which opens connections in 
cleartext and supports the "STARTTLS" command to upgrade the connection 
to TLS encryption (because your main config includes 
"smtpd_tls_security_level = may"). To send mail through this daemon, you 
MUST either be sending to a domain that Postfix is configured to accept 
mail for (local, virtual, and relay domains) OR authenticate using SASL 
first. Because of "smtpd_tls_auth_only = yes" in your main config, you 
can only authenticate using SASL *after* using STARTTLS to negotiate a 
TLS session.



> smtps  inet  n   -   n   -   -   smtpd
> -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
> -o milter_macro_daemon_name=ORIGINATING


That's supposedly the 'smtps' (port 465) daemon, which *NORMALLY* would 
have an additional configuration  override directive:


-o smtpd_tls_wrappermode=yes

Which "wraps" the SMTP session in TLS encryption that is negotiated 
immediately at connect time, rather than having clients connect in the 
clear. As it stands, your 'submission' and 'smtps' daemons will behave 
identically, except for listening on different ports and using different 
syslog labels. There's no benefit in that, because any client using port 
465 will expect the smtps 'wrappermode' behavior and any using port 587 
will expect the configured cleartext/STARTTLS behavior.


Because you are overriding the default smtpd_recipient_restrictions with 
a restriction list which only permits mail from authenticated senders or 
to recipients in local and relay-authorized domains, your attempt to 
send mail to a gmail.com address was rejected.


You were able to send through port 25 because by default, 
smtpd_recipient_restrictions is empty (giving an implicit 'DUNNO' 
result) and smtpd_relay_restrictions starts with 'permit_mynetworks'. 
This lets the mail through because you are connecting from the loopback,
which is included in your mynetworks setting.


I hope this helps. Good luck!

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
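
The observation in the message above, that the smtps entry has no "-o smtpd_tls_wrappermode=yes" and so behaves like submission apart from port and syslog label, can be checked mechanically on "postconf -Mf" output. The Python sketch below is an added example, not part of the thread or of Postfix; the function names and finding labels are assumptions, and the sample is the master.cf listing quoted in the message with its indentation restored.

```python
import itertools

def parse_overrides(args):
    """Collect `-o name=value` pairs from a service's argument list."""
    overrides, it = {}, iter(args)
    for token in it:
        if token == "-o":
            name, _, value = next(it, "").partition("=")
            overrides[name] = value
    return overrides

def parse_master(text):
    """Parse `postconf -Mf` style text into a list of service dicts."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                 # continuation of previous service
            if services:
                services[-1]["args"] += line.split()
            continue
        f = line.split()
        if len(f) < 8:                        # not a complete service line
            continue
        services.append({"name": f[0], "type": f[1],
                         "command": f[7], "args": f[8:]})
    for svc in services:
        svc["overrides"] = parse_overrides(svc["args"])
    return services

def review(services):
    """Flag smtps without wrappermode and smtpd listeners with equal overrides.

    Only master.cf `-o` overrides are compared; main.cf values are not read.
    """
    findings = []
    smtpd = [s for s in services
             if s["type"] == "inet" and s["command"] == "smtpd"]
    for s in smtpd:
        wrapped = s["overrides"].get("smtpd_tls_wrappermode") == "yes"
        if s["name"] in ("smtps", "465") and not wrapped:
            findings.append(("no_wrappermode", s["name"]))

    def behaviour(s):
        # syslog_name only changes the log label, not what the listener does.
        return {k: v for k, v in s["overrides"].items() if k != "syslog_name"}

    for a, b in itertools.combinations(smtpd, 2):
        if behaviour(a) == behaviour(b):
            findings.append(("same_overrides", a["name"], b["name"]))
    return findings

# Constructed sample: the listing quoted in the thread, indentation restored.
MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
amavisfeed unix  -       -       n       -       2       lmtp
    -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes -o max_use=20
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
"""

# The same listing with the override the message says is normally present.
MASTER_CF_FIXED = MASTER_CF + "    -o smtpd_tls_wrappermode=yes\n"

if __name__ == "__main__":
    print(review(parse_master(MASTER_CF)))
    print(review(parse_master(MASTER_CF_FIXED)))
```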


Re: Relay access denied

2018-11-28 Thread Viktor Dukhovni
> On Nov 28, 2018, at 3:47 PM, Wolfgang Paul Rauchholz  
> wrote:
> 
> Thanks for taking this up.
> Concerning hardening TLS settings; can you recommend a read / web page that
> is suitable for a home email server?

Run with default Postfix settings.  They are good enough, worst case
exclude a cipher type or two, but don't redefine the low-level
"tls_*_cipherlist" parameters.

-- 
Viktor.



Re: Relay access denied

2018-11-28 Thread Bill Cole

On 28 Nov 2018, at 6:49, wp.rauchholz wrote:


> [root@home postfix]# telnet localhost 465


That's abnormal. Port 465 is normally TLS-wrapped, so telnet should not 
work for testing it. That it seemingly DOES work (at least to connect 
and try mail...) means that you've done something unusual in master.cf.


Please provide the output of "postconf -Mf" so that we can see how that 
port is configured.


Tangentially: all those customized "hardening" smtpd_tls_* settings you 
have will result in your server receiving more mail over unencrypted 
sessions, because many sending systems won't be able to live up to your 
TLS standards and so will fall back to sending in the clear. This makes 
your mail flow in aggregate much LESS secure.


Relay access denied

2018-11-28 Thread wp.rauchholz
All googling has not helped. I hope to find here the solution.
Thanks in advance for your help.

Wolfgang

* Background:
Getting error message: Relay access denied
The following command works fine: telnet localhost 25
The following command creates above mentioned error message when entering
"rcpt to: email_address"

* Setup:
CENTOS 7.5 home server. Letsencrypt certificates
postfix-2.10.1-6.el7.x86_64


* Maillog:
Nov 28 12:22:15 home postfix/smtpd[12253]: disconnect from
localhost[127.0.0.1]
Nov 28 12:22:20 home postfix/smtps/smtpd[12360]: connect from
localhost[127.0.0.1]
Nov 28 12:22:40 home postfix/smtps/smtpd[12360]: NOQUEUE: reject: RCPT from
localhost[127.0.0.1]: 554 5.7.1 : Relay access
denied; from= to=
proto=SMTP

* ehlo localhost
[root@home postfix]# telnet localhost 465
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 host ESMTP Sendmail 2.1
ehlo localhost
250-home.wo-lar.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


* postconf -n
content_filter = amavisfeed:[127.0.0.1]:10024
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = 
myhostname = 
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_use_tls = yes
smtpd_banner = host ESMTP Sendmail 2.1
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live//fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/letsencrypt/live//privkey.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_high_cipherlist =
ECDH+aRSA+AES256:ECDH+aRSA+AES128:AES256-SHA:AES128+EECDH:AES128+EDH
tls_preempt_cipherlist = yes
unknown_local_recipient_reject_code = 550




--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: 454 4.7.1 Relay access denied

2018-04-30 Thread Viktor Dukhovni


> On Apr 30, 2018, at 6:57 AM, Wietse Venema  wrote:
> 
>>> http://www.postfix.org/SMTPD_ACCESS_README.html
>>> 
>>> But it lists smtpd_relay_restrictions in the wrong place (before
>>> smtpd_recipient_restrictions). It's fixed now.
>> 
>> Thanks, but the change in the web page isn't apparent to me.
> 
> Fixed in the source code. You may see it later today on the web.

Looks good now.

-- 
Viktor.



Re: 454 4.7.1 Relay access denied

2018-04-30 Thread Wietse Venema
Dominic Raferd:
> On 29 April 2018 at 21:46, Wietse Venema  wrote:
> 
> > Dominic Raferd:
> > > Do you publish the order in which smtpd restriction lists are
> > > processed? I thought I knew it but evidently not.
> >
> > http://www.postfix.org/SMTPD_ACCESS_README.html
> >
> > But it lists smtpd_relay_restrictions in the wrong place (before
> > smtpd_recipient_restrictions). It's fixed now.
> 
> Thanks, but the change in the web page isn't apparent to me.

Fixed in the source code. You may see it later today on the web.

Wietse


Re: 454 4.7.1 Relay access denied

2018-04-29 Thread Dominic Raferd
On 29 April 2018 at 21:46, Wietse Venema  wrote:

> Dominic Raferd:
> > Do you publish the order in which smtpd restriction lists are
> > processed? I thought I knew it but evidently not.
>
> http://www.postfix.org/SMTPD_ACCESS_README.html
>
> But it lists smtpd_relay_restrictions in the wrong place (before
> smtpd_recipient_restrictions). It's fixed now.


Thanks, but the change in the web page isn't apparent to me.


Re: 454 4.7.1 Relay access denied

2018-04-29 Thread Wietse Venema
Dominic Raferd:
> Do you publish the order in which smtpd restriction lists are
> processed? I thought I knew it but evidently not.

http://www.postfix.org/SMTPD_ACCESS_README.html

But it lists smtpd_relay_restrictions in the wrong place (before 
smtpd_recipient_restrictions). It's fixed now.

Wietse


Re: 454 4.7.1 Relay access denied

2018-04-29 Thread Viktor Dukhovni


> On Apr 29, 2018, at 2:03 PM, Dominic Raferd  wrote:
> 
> Thanks for the correction. Not sure how they were slipping past -
> maybe it was one of my permit_dnswl_client lines in
> smtpd_recipient_restrictions (which came before
> reject_unauth_destination), but am pleased that I am now stopping
> them.

Indeed that permit SHOULD NOT precede reject_unauth_destination if
the intent is to use the recipient restrictions also for relay
control (the traditional combined role).

It is good to see relay restrictions working as intended.  The all
in one approach can be fragile.

-- 
Viktor.



Re: 454 4.7.1 Relay access denied

2018-04-29 Thread Dominic Raferd
On 29 April 2018 at 17:51, Wietse Venema <wie...@porcupine.org> wrote:
> Dominic Raferd:
>> On 29 April 2018 at 17:16, Wietse Venema <wie...@porcupine.org> wrote:
>> > Dominic Raferd:
>> >> Checking my logs I see that some senders are trying to fake our domain
>> >> and use our server to send mails to third parties masquerading as one
>> >> of our own domains (without authenticating first).
>> >>
>> >> They are stopped by smtpd with response 'Relay access denied', but
>> >> instead of 5xx permanent rejection smtpd gives 454 4.7.1 temporary
>> >> rejection, which surely encourages them to keep trying. Why is this,
>> >> and can I change it?
>> >
>> > postconf -x smtpd_relay_restrictions
>> >
>> > As a safety for sites migrating from Postfix 2.x, the default
>> > is to defer instead of reject.
>>
>> Thanks Wietse. I was not defining smtpd_relay_restrictions and relying
>> instead on smtpd_recipient_restrictions (which contained
>> reject_unauth_destination), but presumably this was never activated
>> because the default defer_unauth_destination in
>> smtpd_relay_restrictions took precedence.
>
> I have to contradict you: smtpd_recipient_restrictions is evaluated
> BEFORE smtpd_relay_restrictions. And smtpd_relay_restrictions is
> evaluated only if the recipient was not already blocked.
>
> restrctions[0] = rcpt_restrctions;
> restrctions[1] = warn_compat_break_relay_restrictions ?
> fake_relay_restrctions : relay_restrctions;
> for (n = 0; n < 2; n++) {
> enforce restrctions[n]
> }
>
> The newer smtpd_relay_restrictions activated later, to avoid
> unnecessary WTF experiences.
>
>> Have now explicitly defined:
>>
>> smtpd_relay_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, reject_unauth_destination
>
> Fine. Just so you know, your smtpd_recipient_restrictions was not
> blocking a recipient that you are now happy to block with
> smtpd_relay_restrictions. The feature is working as intended:
> block mail that has slipped past smtpd_recipient_restrictions.

Thanks for the correction. Not sure how they were slipping past -
maybe it was one of my permit_dnswl_client lines in
smtpd_recipient_restrictions (which came before
reject_unauth_destination), but am pleased that I am now stopping
them.

Do you publish the order in which smtpd restriction lists are
processed? I thought I knew it but evidently not.


Re: 454 4.7.1 Relay access denied

2018-04-29 Thread Wietse Venema
Dominic Raferd:
> On 29 April 2018 at 17:16, Wietse Venema <wie...@porcupine.org> wrote:
> > Dominic Raferd:
> >> Checking my logs I see that some senders are trying to fake our domain
> >> and use our server to send mails to third parties masquerading as one
> >> of our own domains (without authenticating first).
> >>
> >> They are stopped by smtpd with response 'Relay access denied', but
> >> instead of 5xx permanent rejection smtpd gives 454 4.7.1 temporary
> >> rejection, which surely encourages them to keep trying. Why is this,
> >> and can I change it?
> >
> > postconf -x smtpd_relay_restrictions
> >
> > As a safety for sites migrating from Postfix 2.x, the default
> > is to defer instead of reject.
> 
> Thanks Wietse. I was not defining smtpd_relay_restrictions and relying
> instead on smtpd_recipient_restrictions (which contained
> reject_unauth_destination), but presumably this was never activated
> because the default defer_unauth_destination in
> smtpd_relay_restrictions took precedence.

I have to contradict you: smtpd_recipient_restrictions is evaluated
BEFORE smtpd_relay_restrictions. And smtpd_relay_restrictions is
evaluated only if the recipient was not already blocked.

    restrctions[0] = rcpt_restrctions;
    restrctions[1] = warn_compat_break_relay_restrictions ?
        fake_relay_restrctions : relay_restrctions;
    for (n = 0; n < 2; n++) {
        enforce restrctions[n]
    }

The newer smtpd_relay_restrictions activated later, to avoid
unnecessary WTF experiences.

> Have now explicitly defined:
> 
> smtpd_relay_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination

Fine. Just so you know, your smtpd_recipient_restrictions was not
blocking a recipient that you are now happy to block with
smtpd_relay_restrictions. The feature is working as intended:
block mail that has slipped past smtpd_recipient_restrictions.

Wietse


Re: 454 4.7.1 Relay access denied

2018-04-29 Thread Dominic Raferd
On 29 April 2018 at 17:16, Wietse Venema <wie...@porcupine.org> wrote:
> Dominic Raferd:
>> Checking my logs I see that some senders are trying to fake our domain
>> and use our server to send mails to third parties masquerading as one
>> of our own domains (without authenticating first).
>>
>> They are stopped by smtpd with response 'Relay access denied', but
>> instead of 5xx permanent rejection smtpd gives 454 4.7.1 temporary
>> rejection, which surely encourages them to keep trying. Why is this,
>> and can I change it?
>
> postconf -x smtpd_relay_restrictions
>
> As a safety for sites migrating from Postfix 2.x, the default
> is to defer instead of reject.

Thanks Wietse. I was not defining smtpd_relay_restrictions and relying
instead on smtpd_recipient_restrictions (which contained
reject_unauth_destination), but presumably this was never activated
because the default defer_unauth_destination in
smtpd_relay_restrictions took precedence. Have now explicitly defined:

smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination


454 4.7.1 Relay access denied

2018-04-29 Thread Dominic Raferd
Checking my logs I see that some senders are trying to fake our domain
and use our server to send mails to third parties masquerading as one
of our own domains (without authenticating first).

They are stopped by smtpd with response 'Relay access denied', but
instead of 5xx permanent rejection smtpd gives 454 4.7.1 temporary
rejection, which surely encourages them to keep trying. Why is this,
and can I change it?


Re: Relay access denied to local IPv6 client

2018-02-25 Thread Nikolaos Milas

On 23/2/2018 9:00 μμ, Bill Cole wrote:

> The restriction lists in Postfix are run in a fixed logical order
> (client, helo, sender, relay, recipient, data, end_of_data) and 'OK'
> from an early restriction list (smtpd_client_restrictions) *DOES NOT*
> prevent 'REJECT' by a later restriction list
> (smtpd_recipient_restrictions.) OK only terminates a single
> restriction list, not the whole set of lists, so in this case the
> transaction is exiting the smtpd_client_restrictions list with OK at
> "check_client_access cidr:/etc/postfix/non-tls-clients.cidr" but it
> still must pass through smtpd_recipient_restrictions, where it is
> rejected by "reject_unauth_destination" because you are not the final
> destination for the recipient domain nor do you have the recipient
> domain in $relay_domains.


Thank you all for your feedback and especially Bill for the detailed 
explanation.


The solution was as simple as adding permit_mynetworks to 
smtpd_recipient_restrictions. Since client connectivity is controlled by 
smtpd_client_restrictions, in this scenario there is no reason to not 
allow relay access to all mynetwork.


Best Regards,
Nick



Re: Relay access denied to local IPv6 client

2018-02-23 Thread Bill Cole

On 23 Feb 2018, at 3:49, Nikolaos Milas wrote:


Hello,

We are using Postfix v3.2.4 and we are facing the following problem:
A client (a data storage system) with an IPv6 address of
[2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport) 
email and it's being denied access:


Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT 
from unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1 
<autosupp...@autosupport.datadomain.com>: Relay access denied; 
from=<sysad...@noa.gr> to=<autosupp...@autosupport.datadomain.com> 
proto=SMTP helo=


All /48 IPv6 address block is included in mynetworks: ...,
[2001:648:2011::]/48, ...


The client does not support TLS or authentication. For such clients we 
provide explicit permission:


smtpd_client_restrictions =
  ...
  check_client_access cidr:/etc/postfix/non-tls-clients.cidr
  permit_sasl_authenticated
  reject

where /etc/postfix/non-tls-clients.cidr:

   ...
   [2001:648:2011:a21:320e:d5ff:fec6:b55]   OK
   ...

Please, be kind to help me understand what is causing this client 
rejection and correct my postfix configuration.


postconf -n follows:

[...]
smtpd_client_restrictions = check_client_access 
cidr:/etc/postfix/localhost.cidr check_client_access 
cidr:/etc/postfix/gwservers.cidr check_client_access 
cidr:/etc/postfix/non-tls-clients.cidr permit_sasl_authenticated 
reject

[...]
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/protected_destinations permit_sasl_authenticated 
reject_unverified_recipient reject_unauth_destination


The restriction lists in Postfix are run in a fixed logical order 
(client, helo, sender, relay, recipient, data, end_of_data) and 'OK' 
from an early restriction list (smtpd_client_restrictions) *DOES NOT* 
prevent 'REJECT' by a later restriction list 
(smtpd_recipient_restrictions.) OK only terminates a single restriction 
list, not the whole set of lists, so in this case the transaction is 
exiting the smtpd_client_restrictions list with OK at 
"check_client_access cidr:/etc/postfix/non-tls-clients.cidr" but it 
still must pass through smtpd_recipient_restrictions, where it is 
rejected by "reject_unauth_destination" because you are not the final 
destination for the recipient domain nor do you have the recipient 
domain in $relay_domains.


See the SMTPD_ACCESS_README file for complete details.
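
The evaluation rule described above (OK ends one restriction list, every list must still pass), together with the recipient-then-relay order Wietse Venema gives in the 2018-04-29 "454 4.7.1" thread, as a small Python model. This is an added example, not Postfix code and not from any poster; the Session fields, the trimmed restriction lists, the position of permit_mynetworks in the corrected list and the permit_dnswl_client match (Dominic Raferd's own guess) are assumptions.

```python
"""Toy model of how Postfix smtpd walks its restriction lists (added example)."""
from dataclasses import dataclass

PERMIT, REJECT, DEFER, DUNNO = "permit", "reject", "defer", "dunno"
REPLY = {REJECT: "554 5.7.1", DEFER: "454 4.7.1"}


@dataclass
class Session:
    """Facts about one RCPT TO command; every value used below is constructed."""
    in_mynetworks: bool = False
    sasl_authenticated: bool = False
    client_access_ok: bool = False  # client has an OK entry in a check_client_access table
    dnswl_listed: bool = False      # client matches a permit_dnswl_client lookup
    rcpt_is_ours: bool = False      # recipient domain is local or in relay_domains


# Each restriction answers PERMIT, REJECT, DEFER, or DUNNO ("no opinion, keep going").
RESTRICTIONS = {
    "permit_mynetworks": lambda s: PERMIT if s.in_mynetworks else DUNNO,
    "permit_sasl_authenticated": lambda s: PERMIT if s.sasl_authenticated else DUNNO,
    "check_client_access": lambda s: PERMIT if s.client_access_ok else DUNNO,
    "permit_dnswl_client": lambda s: PERMIT if s.dnswl_listed else DUNNO,
    "reject_unauth_destination": lambda s: DUNNO if s.rcpt_is_ours else REJECT,
    "defer_unauth_destination": lambda s: DUNNO if s.rcpt_is_ours else DEFER,
    "reject": lambda s: REJECT,
}


def evaluate_list(restrictions, session):
    """The first non-DUNNO answer ends this list; an exhausted list permits."""
    for name in restrictions:
        action = RESTRICTIONS[name](session)
        if action != DUNNO:
            return action, name
    return PERMIT, "(end of list)"


def evaluate(lists, session):
    """lists is an ordered [(list_name, [restriction, ...])]; every list must pass.

    PERMIT only ends the list that produced it. REJECT or DEFER ends the
    whole decision and becomes the SMTP reply.
    """
    trace = []
    for list_name, restrictions in lists:
        action, decided_by = evaluate_list(restrictions, session)
        trace.append((list_name, action, decided_by))
        if action in (REJECT, DEFER):
            return REPLY[action], trace
    return "250 2.1.5 Ok", trace


def ipv6_client_case(fixed=False):
    """The storage client: OK in the client list, no permit in the recipient list."""
    session = Session(in_mynetworks=True, client_access_ok=True)
    rcpt = ["permit_sasl_authenticated", "reject_unauth_destination"]
    if fixed:  # assumption: permit_mynetworks is placed ahead of the reject
        rcpt = ["permit_mynetworks"] + rcpt
    return evaluate([
        ("smtpd_client_restrictions",
         ["check_client_access", "permit_sasl_authenticated", "reject"]),
        ("smtpd_recipient_restrictions", rcpt),
    ], session)


def spoofed_relay_case(explicit_relay_list=False):
    """Unauthenticated outside client that an early permit lets past the recipient list."""
    session = Session(dnswl_listed=True)
    last = "reject_unauth_destination" if explicit_relay_list else "defer_unauth_destination"
    return evaluate([
        ("smtpd_recipient_restrictions",
         ["permit_dnswl_client", "reject_unauth_destination"]),
        ("smtpd_relay_restrictions",
         ["permit_mynetworks", "permit_sasl_authenticated", last]),
    ], session)


if __name__ == "__main__":
    for label, (reply, trace) in [
        ("IPv6 client, original lists", ipv6_client_case()),
        ("IPv6 client, permit_mynetworks added", ipv6_client_case(fixed=True)),
        ("spoofed relay, default relay list", spoofed_relay_case()),
        ("spoofed relay, explicit relay list", spoofed_relay_case(True)),
    ]:
        print(f"{label}: {reply}")
        for list_name, action, decided_by in trace:
            print(f"    {list_name}: {action} by {decided_by}")
```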



Re: Relay access denied to local IPv6 client

2018-02-23 Thread Wietse Venema
Nikolaos Milas:
> Hello,
> 
> We are using Postfix v3.2.4 and we are facing the following problem:
> A client (a data storage system) with an IPv6 address of
> [2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport) 
> email and it's being denied access:
> 
> Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT from 
> unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1 
> <autosupp...@autosupport.datadomain.com>: Relay access denied; 
> from=<sysad...@noa.gr> to=<autosupp...@autosupport.datadomain.com> 
> proto=SMTP helo=
> 
> All /48 IPv6 address block is included in mynetworks: ...,
> [2001:648:2011::]/48, ...
> 
> The client does not support TLS or authentication. For such clients we 
> provide explicit permission:
> 
> smtpd_client_restrictions =
>   ...
>   check_client_access cidr:/etc/postfix/non-tls-clients.cidr
>   permit_sasl_authenticated
>   reject

Relay access is enforced in smtpd_RELAY_restrictions (or historically,
in smtpd_RECIPIENT_restrictions).

Wietse


Re: Relay access denied to local IPv6 client

2018-02-23 Thread Jörg Backschues

Am 23.02.2018 um 09:49 schrieb Nikolaos Milas:


where /etc/postfix/non-tls-clients.cidr:

    ...
    [2001:648:2011:a21:320e:d5ff:fec6:b55]   OK
    ...


Please check the CIDR table syntax 
:


e.g.

2001:db8::/32   REJECT

--
Regards
Jörg Backschues


Relay access denied to local IPv6 client

2018-02-23 Thread Nikolaos Milas

Hello,

We are using Postfix v3.2.4 and we are facing the following problem:
A client (a data storage system) with an IPv6 address of
[2001:648:2011:a21:320e:d5ff:fec6:b55] tries to send an (autosupport) 
email and it's being denied access:


Feb 23 06:22:17 vmail2 postfix/smtpd[16146]: NOQUEUE: reject: RCPT from 
unknown[2001:648:2011:a21:320e:d5ff:fec6:b55]: 554 5.7.1 
<autosupp...@autosupport.datadomain.com>: Relay access denied; 
from=<sysad...@noa.gr> to=<autosupp...@autosupport.datadomain.com> 
proto=SMTP helo=


All /48 IPv6 address block is included in mynetworks: ...,
[2001:648:2011::]/48, ...


The client does not support TLS or authentication. For such clients we 
provide explicit permission:


smtpd_client_restrictions =
  ...
  check_client_access cidr:/etc/postfix/non-tls-clients.cidr
  permit_sasl_authenticated
  reject

where /etc/postfix/non-tls-clients.cidr:

   ...
   [2001:648:2011:a21:320e:d5ff:fec6:b55]   OK
   ...

Please, be kind to help me understand what is causing this client 
rejection and correct my postfix configuration.


postconf -n follows:

# postconf -n
alias_database = hash:/etc/postfix/aliases, 
hash:/etc/postfix/aliases.d/virtual_aliases

alias_maps = hash:/etc/aliases
allowed_list1 = check_sasl_access 
hash:/etc/postfix/allowed_groupmail_users,reject

allowed_list2 = permit_sasl_authenticated,reject
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
controlled_senders = check_sender_access hash:/etc/postfix/blocked_senders
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin 
xxgdb $daemon_directory/$process_name $process_id & sleep 5

default_process_limit = 25
delay_logging_resolution_limit = 3
deliver_lock_attempts = 40
gwcheck = reject_unverified_recipient, reject_unauth_destination
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_header_rewrite_clients = static:all
mail_name = IC-XC-NI-KA
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 41943040
meta_directory = /etc/postfix
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = noa.gr
myhostname = vmail2.noa.gr
mynetworks = 195.251.204.0/24, 195.251.202.0/23, 194.177.194.0/23, 
127.0.0.0/8, 10.201.0.0/16, [2001:648:2011::]/48, 83.212.5.24/29, 
[2001:648:2ffc:1115::]/64, 62.217.124.0/29, [2001:648:2ffc:126::]/64, 
[::1]/128

myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
parent_domain_matches_subdomains =
postfwdcheck = check_policy_service inet:127.0.0.1:10040
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.2.4/README_FILES
recipient_canonical_maps = hash:/etc/postfix/domainrecipientmap
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix3-3.2.4/samples
sender_canonical_maps = hash:/etc/postfix/domainsendermap
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_security_level = may
smtpd_client_restrictions = check_client_access 
cidr:/etc/postfix/localhost.cidr check_client_access 
cidr:/etc/postfix/gwservers.cidr check_client_access 
cidr:/etc/postfix/non-tls-clients.cidr permit_sasl_authenticated reject

smtpd_delay_reject = yes
smtpd_end_of_data_restrictions = check_client_access 
cidr:/etc/postfix/postfwdpolicy.cidr

smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = check_recipient_access 
hash:/etc/postfix/protected_destinations permit_sasl_authenticated 
reject_unverified_recipient reject_unauth_destination
smtpd_restriction_classes = 
controlled_senders,allowed_list1,allowed_list2, postfwdcheck,gwcheck

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/DigiCertCA.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/star_noa_gr-1243437.crt
smtpd_tls_key_file = /etc/pki/tls/private/star_noa_gr-1243437.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases, 
hash:/etc/postfix/aliases.d/virtual_aliases, 
proxy:ldap:/etc/postfix/ldap-alias-vacation.cf, 
proxy:ldap:/etc/postfix/ldap-aliases.cf

virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = $mydomain, 

Re: Relay access denied

2017-10-31 Thread Noel Jones
On 10/31/2017 11:01 AM, 9acca9 wrote:
> Ok thanks.
> I removed
> mynetworks = 0.0.0.0/0
>
> and added
>
> relay_domains = mydomain.org.ar
>
> The mail is accepted but this happened, and the mail doesn't arrive:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall





Re: Relay access denied

2017-10-31 Thread 9acca9
Ok thanks.
I removed
mynetworks = 0.0.0.0/0

and added

relay_domains = mydomain.org.ar

The mail is accepted but this happened, and the mail doesn't arrive:

Oct 31 12:45:04 postfix postfix/smtpd[1843]: connect from
mail-pf0-f181.google.com[209.85.192.181]
Oct 31 12:45:05 postfix postfix/smtpd[1843]: 3BBC2AFC0A:
client=mail-pf0-f181.google.com[209.85.192.181]
Oct 31 12:45:05 postfix postfix/cleanup[1844]: 3BBC2AFC0A:
message-id=
Oct 31 12:45:05 postfix postfix/qmgr[1830]: 3BBC2AFC0A:
from=, size=2697, nrcpt=1 (queue active)
Oct 31 12:45:05 postfix postfix/smtpd[1846]: connect from
unknown[172.16.0.1]
Oct 31 12:45:05 postfix postfix/smtp[1845]: warning: host
postfix.mydomain.org.ar[190.4.116.195]:25 greeted me with my own hostname
postfix.mydomain.org.ar
Oct 31 12:45:05 postfix postfix/smtp[1845]: warning: host
postfix.mydomain.org.ar[190.4.116.195]:25 replied to HELO/EHLO with my own
hostname postfix.mydomain.org.ar
Oct 31 12:45:05 postfix postfix/smtp[1845]: 3BBC2AFC0A:
to=, relay=postfix.mydomain.org.ar[190.4.116.195]:25,
delay=0.23, delays=0.2/0.01/0.02/0, dsn=5.4.6, status=bounced (mail for
mydomain.org.ar loops back to myself)
Oct 31 12:45:05 postfix postfix/smtpd[1846]: disconnect from
unknown[172.16.0.1]
Oct 31 12:45:05 postfix postfix/cleanup[1844]: 734A3AFC0C:
message-id=<20171031154505.734a3af...@postfix.mydomain.org.ar>
Oct 31 12:45:05 postfix postfix/qmgr[1830]: 734A3AFC0C: from=<>, size=4695,
nrcpt=1 (queue active)
Oct 31 12:45:05 postfix postfix/bounce[1847]: 3BBC2AFC0A: sender
non-delivery notification: 734A3AFC0C
Oct 31 12:45:05 postfix postfix/qmgr[1830]: 3BBC2AFC0A: removed
Oct 31 12:45:05 postfix postfix/smtpd[1843]: disconnect from
mail-pf0-f181.google.com[209.85.192.181]
Oct 31 12:45:07 postfix postfix/smtp[1848]: 734A3AFC0C:
to=, relay=gmail-smtp-in.l.google.com[64.233.190.26]:25,
delay=1.9, delays=0/0.01/0.59/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK
1509465129 w2si557428vkh.72 - gsmtp)
Oct 31 12:45:07 postfix postfix/qmgr[1830]: 734A3AFC0C: removed


190.4.116.195 = my public IP (not really)
172.15.1.1 = an internal IP (firewall)



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: Relay access denied

2017-10-31 Thread Noel Jones
On 10/31/2017 9:59 AM, 9acca9 wrote:
> Hi
> I'm having trouble configuring Postfix. I do not receive anything from any mail
> (gmail, yahoo, hotmail).
> I have this problem.
> 
> Oct 31 10:36:00 postfix postfix/smtpd[4863]: connect from
> mail-pg0-f42.google.com[74.125.83.42]
> Oct 31 10:36:00 postfix postfix/smtpd[4863]: NOQUEUE: reject: RCPT from
> mail-pg0-f42.google.com[74.125.83.42]: 454 4.7.1 <ad...@mydomain.org.ar>:
> Relay access denied; from=<pablo...@gmail.com> to=<ad...@mydomain.org.ar>
> proto=ESMTP helo=
> Oct 31 10:36:00 postfix postfix/smtpd[4863]: disconnect from
> mail-pg0-f42.google.com[74.125.83.42]
> 

Postfix doesn't know it's responsible for mail addressed to your
domain.  Your domain must be listed in one and only one of
{mydestination, relay_domains, virtual_alias_domains,
virtual_mailbox_domains}.  For mail relayed to another host for
final delivery, typically relay_domains is used.  For details see:
http://www.postfix.org/ADDRESS_CLASS_README.html

http://www.postfix.org/documentation.html


> If I change in my config to
> mynetworks=0.0.0.0/0

Yikes!  Don't do that.




  -- Noel Jones


Relay access denied

2017-10-31 Thread 9acca9
Hi
I'm having trouble configuring Postfix. I do not receive anything from any mail
(gmail, yahoo, hotmail).
I have this problem.

Oct 31 10:36:00 postfix postfix/smtpd[4863]: connect from
mail-pg0-f42.google.com[74.125.83.42]
Oct 31 10:36:00 postfix postfix/smtpd[4863]: NOQUEUE: reject: RCPT from
mail-pg0-f42.google.com[74.125.83.42]: 454 4.7.1 <ad...@mydomain.org.ar>:
Relay access denied; from=<pablo...@gmail.com> to=<ad...@mydomain.org.ar>
proto=ESMTP helo=
Oct 31 10:36:00 postfix postfix/smtpd[4863]: disconnect from
mail-pg0-f42.google.com[74.125.83.42]

If I change in my config to
mynetworks=0.0.0.0/0

the mail is accepted but not delivered

And.. this
if I put this
relayhost = 192.168.1.12 (zimbra)

the mail is received ok! but now I can't send mails... I get this:
error too many hops.

This is my config


queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = postfix.mydomain.org.ar
mydomain = mydomain.org.ar
inet_interfaces = all
inet_protocols = all
smtpd_sasl_path = /etc/sasl2/smtpd.conf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mydomain.org.ar
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
unknown_local_recipient_reject_code = 550
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop








--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: Relay access denied

2017-05-25 Thread alexvojproc
Thanks Viktor, I knew my sloppy configuration must have been at fault.
Everything related to this works now.

- Alex



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Relay-access-denied-tp90614p90623.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: Relay access denied

2017-05-24 Thread Viktor Dukhovni

> On May 24, 2017, at 5:05 PM, alexvojproc <alexvojtkoproc...@gmail.com> wrote:
> 
> smtpd_tls_cert_file=/etc/letsencrypt/live/REDACTED/fullchain.pem
> smtpd_tls_key_file=/etc/letsencrypt/live/REDACTED/privkey.pem
> smtpd_use_tls=yes

The non-obsolete setting is:

smtpd_tls_security_level = may

though if this is a submission service (not an MX host for any inbound
mail) you could use "encrypt" instead of "may".  If it is also an MX
host, it is best to handle outbound submission on port 587.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

With Postfix >= 2.11 you should leave this empty, session tickets are
a more appropriate way to handle session resumption.

> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated, 
> defer_unauth_destination

If you handle submission separately on 587 (aka submission/inet in
master.cf), then this just becomes "reject_unauth_destination".

> myhostname = localhost

Not a good idea, configure a sensible stable FQDN.

> smtp_tls_security_level = encrypt

Fine, provided your relayhost supports TLS.

> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous

This handles SASL from your MTA to the relayhost, BUT you've
completely neglected to configure SASL for authenticating
inbound mail submission.  Those are "smtpd_sasl_..." settings.
See SASL_README for details.

> I'm intending for users to be able to connect to my server on port 25 and
> send mail, which is relayed through smtp.mailgun.org. However, I can only
> send mail to local users, and I receive "Server error: '454 4.7.1
> <myem...@gmail.com>: Relay access denied'" when I try to send mail to remote
> hosts like my Gmail account.

Of course, since the users have no opportunity to authenticate.

-- 
Viktor.



Re: Relay access denied

2017-05-24 Thread alexvojproc
I forgot to add log info (although there's nothing particularly useful):

May 24 19:39:22 server postfix/smtpd[2506]: connect from REDACTED
May 24 19:39:22 server postfix/smtpd[2506]: NOQUEUE: reject: RCPT from
REDACTED: 454 4.7.1 <myem...@gmail.com>: Relay access denied;
from=<myserverem...@myserver.com> to=<myem...@gmail.com> proto=ESMTP
helo=



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Relay-access-denied-tp90614p90615.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Relay access denied

2017-05-24 Thread alexvojproc
I have a Google Compute VM that I would like to use as a mail server.
<https://goo.gl/6NE1wH> However, outgoing ports 25, 465, and 587 are blocked
so I must use a third-party mail service. I followed the instructions for
Mailjet <https://goo.gl/gKpcda>, but I changed inet_interfaces to all. I
have this main.cf config (I removed comments for brevity):


smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/letsencrypt/live/REDACTED/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/REDACTED/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = REDACTED, localhost, localhost.localdomain, localhost
relayhost = [smtp.mailgun.org]:2525
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
home_mailbox = Maildir/
alias_database = hash:/etc/aliases

The contents of /etc/postfix/sasl_passwd (before it was hashed) was:
[smtp.gridhost.org]:2525 postmaster@REDACTED:REDACTED


I'm intending for users to be able to connect to my server on port 25 and
send mail, which is relayed through smtp.mailgun.org. However, I can only
send mail to local users, and I receive "Server error: '454 4.7.1
<myem...@gmail.com>: Relay access denied'" when I try to send mail to remote
hosts like my Gmail account.

I figured this is a problem with my smtp_sasl security settings, and I'm not
authenticating properly. So, I tried specifying "My outgoing server (SMTP)
requires authentication", but this does not work, since it seems this is not
supported. Then, I (think) I realised that the smtp_sasl_auth is for my
server connecting to the relay. I think what I need to do is disable this
authentication for the clients, but not for connecting to the relay. That
would make my server a relay to a relay, I think.

Can anybody make sense of this? If it's relevant, I'm also using Dovecot for
IMAP.



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/Relay-access-denied-tp90614.html
Sent from the Postfix Users mailing list archive at Nabble.com.


SOLVED: Re: relay access denied by relayhost, but I have permit_mynetworks

2016-05-25 Thread David Benfell
Hello /dev/rob0 ,

Yup, this seems to have been it. Thanks very much for your eyes.


On 05/25/2016 03:34 PM, /dev/rob0 wrote:
> 50.250.218.164 is not in 50.250.218.0/28 ... not in $mynetworks

-- 
David Benfell, Ph.D.
benf...@parts-unknown.org





Re: relay access denied by relayhost, but I have permit_mynetworks

2016-05-25 Thread /dev/rob0
On Wed, May 25, 2016 at 02:43:09PM -0700, David Benfell wrote:
> I'm getting relay access denied when my main web server attempts to 
> relay mail through my main mail server to outside domains. The web 
> server also functions as a secondary MX (and this seems to work). 
> Here is the main mail server configuration:
> 
> [root@home ~]# postconf -nf

A lot of junk in there, but I won't comment on that stuff for now.

> mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.0/24, 10.8.0.0/16,
> 50.250.218.0/28, [2001:470:67:119::]/64
->^^^

> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
> defer_unauth_destination

> Here is the configuration on the web server:

> relayhost = mail.parts-unknown.org

(That means it does a MX lookup first for "mail.parts-unknown.org" 
before falling back to A/.)

> smtp_bind_address = 50.250.218.164

> A sample log entry on the web server (with email address obscured):
> May 25 07:52:18 vegan postfix/smtp[33049]: 17457F040DA9:
> to=<x...@gmail.com>, relay=mail.parts-unknown.org[50.250.218.162]:25,
> delay=241020, delays=241020/0.04/0.59/0.02, dsn=4.7.1, status=deferred
> (host mail.parts-unknown.org[50.250.218.162] said: 454 4.7.1
> <x...@gmail.com>: Relay access denied (in reply to RCPT TO command))
> 
> The corresponding entry on the mail server:
> May 25 07:52:18 home postfix/smtpd[55825]: NOQUEUE: reject: RCPT from
> unknown[50.250.218.164]: 454 4.7.1 <x...@gmail.com>: Relay access
> denied; from=<w...@vegan.parts-unknown.org> to=<x...@gmail.com>
> proto=ESMTP helo=

> What other information do I need to supply? What is wrong?

50.250.218.164 is not in 50.250.218.0/28 ... not in $mynetworks
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


relay access denied by relayhost, but I have permit_mynetworks

2016-05-25 Thread David Benfell
Hi all,

I'm getting relay access denied when my main web server attempts to
relay mail through my main mail server to outside domains. The web
server also functions as a secondary MX (and this seems to work). Here
is the main mail server configuration:

[root@home ~]# postconf -nf
address_verify_map = btree:$data_directory/verify_cache
alias_database = $alias_maps
alias_maps = hash:/etc/aliases, hash:/usr/local/mailman/data/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo
cont;
echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
>$config_directory/$process_name.$process_id.log & sleep 5
fast_flush_domains = $relay_domains
header_checks = pcre:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
in_flow_delay = 1s
inet_interfaces = 127.0.0.1, [::1], 10.8.0.1, 50.250.218.162,
[2001:470:67:119::4]
inet_protocols = ipv4, ipv6
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
local_destination_concurrency_limit = 2
mail_owner = postfix
mailbox_command_maps = hash:/usr/local/etc/postfix/mailbox_commands
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = localhost, localhost.$mydomain, cybernude.org,
mail.cybernude.org, munich.cybernude.org, vegan.cybernude.org,
www.cybernude.org, disunitedstates.com, mail.disunitedstates.com,
munich.disunitedstates.com, vegan.disunitedstates.com,
www.disunitedstates.com, disunitedstates.org, mail.disunitedstates.org,
munich.disunitedstates.org, vegan.disunitedstates.org,
www.disunitedstates.org, greybeard95a.com, mail.greybeard95a.com,
munich.greybeard95a.com, vegan.greybeard95a.com, www.greybeard95a.com,
n4rky.me, mail.n4rky.me, munich.n4rky.me, vegan.n4rky.me, www.n4rky.me,
parts-unknown.org, mail.parts-unknown.org, munich.parts-unknown.org,
www.parts-unknown.org, vegan.parts-unknown.org, n4rky.parts-unknown.org,
carolb.parts-unknown.org, home.parts-unknown.org, humansci.org,
home.humansci.org, mail.humansci.org, vegan.humansci.org,
www.humansci.org,
humanscience.institute, home.humanscience.institute,
mail.humanscience.institute, vegan.humanscience.institute,
www.humanscience.institute, reykjavik.parts-unknown.org,
reykjavik2.parts-unknown.org
mydomain = parts-unknown.org
myhostname = mail.parts-unknown.org
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.0/24, 10.8.0.0/16,
50.250.218.0/28, [2001:470:67:119::]/64
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/local/bin/newaliases
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_action = enforce
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net
psbl.surriel.com
bl.mailspike.net swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
queue_run_delay = 200s
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_bind_address = 50.250.218.162
smtp_tls_ciphers = medium
smtp_tls_key_file = /var/www/ssl/home-2015-03-23/privateKey.key
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_use_tls = yes
smtpd_authorized_verp_clients = $mynetworks
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions =
   
permit_mynetworks,permit_sasl_authenticated,check_reverse_client_hostname_access
pcre:/etc/postfix/fqrdns.pcre
smtpd_command_filter = pcre:/etc/postfix/append_verp.pcre
smtpd_peername_lookup = no
smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,check_sender_access
   
hash:/etc/postfix/sender_access,reject_unauth_destination,reject_rbl_client
zen.spamhaus.org,reject_rbl_client bl.spamcop.net,check_policy_service
unix:private/spf-policy
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_se

Re: relay access denied question

2016-05-03 Thread Noel Jones
On 5/3/2016 4:05 PM, Chris Adams wrote:
> Hello all,
>
> I recently rebuilt a server for use with Mailman and Postfix. I have
> the server running, Mailman and Postfix installed. I am using
> Postfix 2.10.1.   I copied the main.cf file over from the old server
> to the new server.
>
> When I post a message to one of the Mailman lists, I encounter an
> error related to Postfix and I can’t quite figure out what setting
> in main.cf is causing this. It looks like all messages are being
> handled this way. I am wondering what is different in this new setup
> that would cause this.
>
> May  3 16:59:58 mailmanserver postfix/smtpd[18060]: NOQUEUE: reject:
> RCPT from localhost[::1]: 454 4.7.1 <joe.sm...@anywhere.com>: Relay
> access denied; from=<eclips-boun...@mailmanserver.com>
> to=<joe.sm...@anywhere.com> proto=ESMTP helo=
>
> I can provide output of postconf –n if requested.
>
> Many thanks.
> 

Perhaps you forgot to read the RELEASE_NOTES.
See the "Major changes - relay safety" section

ftp://mirrors.loonybin.net/pub/postfix/official/postfix-2.10.9.RELEASE_NOTES

http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions

Also note that 2.10.1 is pretty old.  For a new server, consider
using a more current version.


  -- Noel Jones


relay access denied question

2016-05-03 Thread Chris Adams
Hello all,

I recently rebuilt a server for use with Mailman and Postfix. I have the server 
running, Mailman and Postfix installed. I am using Postfix 2.10.1.   I copied 
the main.cf file over from the old server to the new server.

When I post a message to one of the Mailman lists, I encounter an error related 
to Postfix and I can't quite figure out what setting in main.cf is causing 
this. It looks like all messages are being handled this way. I am wondering 
what is different in this new setup that would cause this.

May  3 16:59:58 mailmanserver postfix/smtpd[18060]: NOQUEUE: reject: RCPT from 
localhost[::1]: 454 4.7.1 <joe.sm...@anywhere.com>: Relay access denied; 
from=<eclips-boun...@mailmanserver.com> to=<joe.sm...@anywhere.com> proto=ESMTP 
helo=

I can provide output of postconf -n if requested.

Many thanks.


Re: postfix to mailman: User doesn't exist/relay access denied

2016-02-01 Thread wilfried.es...@essignetz.de
Hi Walter,


would suggest to expand "mydestination" by "lists.ifkuk.org".



Willi


On 01.02.2016 at 00:21, wal...@ifkuk.org wrote:
> Hey guys
> 
> since three days I am stuck with a problem and it seems to me I am blind
> for the solution by digging
> into it so much, so I need your help to have a look at it please!
> 
> our server is up and running dovecot/postfix on debian 8 for three years
> by now, without any problems.
> 
> I urgently needed to set up some mailinglists and choose mailman for it
> (what else?).
> 
> I thought everything went fine till I tried to test my installation and
> discovered that,
> when I try to send from an internal emailaddress (managed by the server
> itself) I get an
> "User doesn't exist" error and if I send an email from an external
> service like gmail,
> I get "relay access denied".
> 
> Like I've said, I tried to fix this problem for over three days now and
> can't see my mistake.
> 
> I uploaded my config files at HowtoForge, where you can have a look at it:
> https://www.howtoforge.com/community/threads/postfix-mailman-debian8.72052/
> 
> 
> Greetings and thank you in advance for your help
> Walter
> 



postfix to mailman: User doesn't exist/relay access denied

2016-01-31 Thread wal...@ifkuk.org
Hey guys

since three days I am stuck with a problem and it seems to me I am blind
for the solution by digging
into it so much, so I need your help to have a look at it please!

our server is up and running dovecot/postfix on debian 8 for three years
by now, without any problems.

I urgently needed to set up some mailinglists and choose mailman for it
(what else?).

I thought everything went fine till I tried to test my installation and
discovered that,
when I try to send from an internal emailaddress (managed by the server
itself) I get an
"User doesn't exist" error and if I send an email from an external
service like gmail,
I get "relay access denied".

Like I've said, I tried to fix this problem for over three days now and
can't see my mistake.

I uploaded my config files at HowtoForge, where you can have a look at it:
https://www.howtoforge.com/community/threads/postfix-mailman-debian8.72052/


Greetings and thank you in advance for your help
Walter


Re: postfix to mailman: User doesn't exist/relay access denied

2016-01-31 Thread wal...@ifkuk.org

  
  
dear steven

i've just checked, both variables virtual_alias_maps and
virtual_email2email point to the file
/var/lib/mailman/data/virtual_mailman,
which contains:

mail...@lists.ifkuk.org  mailman
mailman-ad...@lists.ifkuk.org    mailman-admin
mailman-boun...@lists.ifkuk.org  mailman-bounces
mailman-conf...@lists.ifkuk.org  mailman-confirm
mailman-j...@lists.ifkuk.org mailman-join
mailman-le...@lists.ifkuk.org    mailman-leave
mailman-ow...@lists.ifkuk.org    mailman-owner
mailman-requ...@lists.ifkuk.org  mailman-request
mailman-subscr...@lists.ifkuk.org    mailman-subscribe
mailman-unsubscr...@lists.ifkuk.org  mailman-unsubscribe

t...@lists.ifkuk.org  test
test-ad...@lists.ifkuk.org    test-admin
test-boun...@lists.ifkuk.org  test-bounces
test-conf...@lists.ifkuk.org  test-confirm
test-j...@lists.ifkuk.org test-join
test-le...@lists.ifkuk.org    test-leave
test-ow...@lists.ifkuk.org    test-owner
test-requ...@lists.ifkuk.org  test-request
test-subscr...@lists.ifkuk.org    test-subscribe
test-unsubscr...@lists.ifkuk.org  test-unsubscribe

i've followed a howto when doing so, the marked as solution answer@
http://stackoverflow.com/questions/27431010/postfix-mailman-recipient-address-rejected-user-unknown-in-local-recipient-tab

so what you are saying is, that i need an entry like
"*@lists.ifkuk.org XXX" ?
but to where should i forward it to? "mailman:"?

thx for pointing out the debug level, will check it asap!


thank you for your time
walter

On 2016-02-01 03:28, Steven Kiehl wrote:

> Not having used Mailman in a Postfix setup before, I can only speculate a
> bit.  From what I can tell, all your mail is delivering through the dovecot
> transport and no transport designation is being performed for the mailman
> address aliases.  I'm not familiar with a virtual_email2email configuration
> option.  Do your list addresses map to anything in your
> virtual_mailbox_maps configuration? That is, do they map to a real address
> defined in virtual_mailbox_maps?
>
> For me, aliases in virtual_alias_maps map to real addresses in
> virtual_mailbox_maps, and then map to transports in transport_maps where
> they get passed off to the appropriate handler.  I would imagine the
> mailman addresses need to be mapped in virtual_mailbox_maps and handed off
> via transport_maps.
>
> Also, have you tried raising the debug level to diagnose the hand-off in
> logs?
>
> On Sun, Jan 31, 2016 at 6:21 PM, wal...@ifkuk.org <wal...@ifkuk.org> wrote:
>
>> Hey guys
>>
>> since three days I am stuck with a problem and it seems to me I am blind
>> for the solution by digging
>> into it so much, so I need your help to have a look at it please!
>>
>> our server is up and running dovecot/postfix on debian 8 for three years
>> by now, without any problems.
>>
>> I urgently needed to set up some mailinglists and choose mailman for it
>> (what else?).
>>
>> I thought everything went fine till I tried to test my installation and
>> discovered that,
>> when I try to send from an internal emailaddress (managed by the server
>> itself) I get an
>> "User doesn't exist" error and if I send an email from an external
>> service like gmail,
>> I get "relay access denied".
>>
>> Like I've said, I tried to fix this problem for over three days now and
>> can't see my mistake.
>>
>> I uploaded my config files at HowtoForge, where you can have a look at it:
>> https://www.howtoforge.com/community/threads/postfix-mailman-debian8.72052/
>>
>>
>> Greetings and thank you in advance for your help
>> Walter


Re: postfix to mailman: User doesn't exist/relay access denied

2016-01-31 Thread Steven Kiehl
Another thing to try is running the 'postfix check' command to test if
there are any obvious configuration errors.  As I said before, I'm not
familiar with a 'virtual_email2email' configuration, which is not
documented on the Postfix website; I believe people just use that as their
alias map configuration file name.

I'd have to defer to someone else more familiar with Mailman, but do you
know if it works to add 'hash:/var/lib/mailman/data/virtual-mailman' to the
'virtual_mailbox_maps' configuration to basically add the mailman addresses
in as real addresses instead of aliases, then set up a transport_maps
configuration for them.

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql-virtual_mailboxes.cf,
hash:/var/lib/mailman/data/virtual-mailman

A number of support forums suggest the following type of configuration for
'transport_maps'. Most put the virtual-mailman in the virtual_alias_maps,
but it really comes down to being able to find the address somewhere as
valid before sending it to a designated transport.

transport_maps = hash:/var/lib/mailman/data/transport-mailman,
proxy:pgsql:/etc/postfix/pgsql-virtual_transports.cf

On Sun, Jan 31, 2016 at 9:43 PM, wal...@ifkuk.org <wal...@ifkuk.org> wrote:

> dear steven
>
> i've just checked, both variables virtual_alias_maps and
> virtual_email2email point to the file /var/lib/mailman/data/virtual_mailman,
> which contains:
>
> mail...@lists.ifkuk.org  mailman
> mailman-ad...@lists.ifkuk.org    mailman-admin
> mailman-boun...@lists.ifkuk.org  mailman-bounces
> mailman-conf...@lists.ifkuk.org  mailman-confirm
> mailman-j...@lists.ifkuk.org mailman-join
> mailman-le...@lists.ifkuk.org    mailman-leave
> mailman-ow...@lists.ifkuk.org    mailman-owner
> mailman-requ...@lists.ifkuk.org  mailman-request
> mailman-subscr...@lists.ifkuk.org    mailman-subscribe
> mailman-unsubscr...@lists.ifkuk.org  mailman-unsubscribe
>
> t...@lists.ifkuk.org  test
> test-ad...@lists.ifkuk.org    test-admin
> test-boun...@lists.ifkuk.org  test-bounces
> test-conf...@lists.ifkuk.org  test-confirm
> test-j...@lists.ifkuk.org test-join
> test-le...@lists.ifkuk.org    test-leave
> test-ow...@lists.ifkuk.org    test-owner
> test-requ...@lists.ifkuk.org  test-request
> test-subscr...@lists.ifkuk.org    test-subscribe
> test-unsubscr...@lists.ifkuk.org  test-unsubscribe
>
> i've followed a howto when doing so, the marked as solution answer@
>
> http://stackoverflow.com/questions/27431010/postfix-mailman-recipient-address-rejected-user-unknown-in-local-recipient-tab
>
> so what you are saying is, that i need an entry like "*@lists.ifkuk.org
> XXX" ?
> but to where should i forward it to? "mailman:"?
>
> thx for pointing out the debug level, will check it asap!
>
>
> thank you for your time
> walter
>
>
> On 2016-02-01 03:28, Steven Kiehl wrote:
>
> Not having used Mailman in a Postfix setup before, I can only speculate a
> bit.  From what I can tell, all your mail is delivering through the dovecot
> transport and no transport designation is being performed for the mailman
> address aliases.  I'm not familiar with a virtual_email2email configuration
> option.  Do your list addresses map to anything in your
> virtual_mailbox_maps configuration? That is, do they map to a real address
> defined in virtual_mailbox_maps?
>
> For me, aliases in virtual_alias_maps map to real addresses in
> virtual_mailbox_maps, and then map to transports in transport_maps where
> they get passed off to the appropriate handler.  I would imagine the
> mailman addresses need to be mapped in virtual_mailbox_maps and handed off
> via transport_maps.
>
> Also, have you tried raising the debug level to diagnose the hand-off in
> logs?
>
> On Sun, Jan 31, 2016 at 6:21 PM, wal...@ifkuk.org <wal...@ifkuk.org> wrote:
>
>> Hey guys
>>
>> since three days I am stuck with a problem and it seems to me I am blind
>> for the solution by digging
>> into it so much, so I need your help to have a look at it please!
>>
>> our server is up and running dovecot/postfix on debian 8 for three years
>> by now, without any problems.
>>
>> I urgently needed to set up some mailinglists and choose mailman for it
>> (what else?).
>>
>> I thought everything went fine till I tried to test my installation and
>> discovered that,
>> when I try to send from an internal emailaddress (managed by the server
>> itself) I get an
>> "User doesn't exist" error and if I send an email from an external
>> service like gmail,
>> I get "relay access denied".
>>
>> Like I've said, I tried to fix this problem for over three days now and
>> can't see my mistake.
>>
>> I uploaded my config files at HowtoForge, where you can have a look at it:
>>
>> https://www.howtoforge.com/community/threads/postfix-mailman-debian8.72052/
>>
>>
>> Greetings and thank you in advance for your help
>> Walter
>>
>
>
>


Re: postfix to mailman: User doesn't exist/relay access denied

2016-01-31 Thread Larry Stone

> Mailman requires local(8) delivery via an aliases(5) file that
> belongs to the mailman user.  With any luck the OP will post actual
> configuration details to this list, rather than some website most
> readers won't bother to look at, and someone who knows Postfix<->mailman
> integration will provide some help.

I expect the poster will get better help on the Mailman Users list 
(https://mail.python.org/mailman/listinfo/mailman-users/ for information). 
There are lots of people who use Mailman with Postfix there.

In a standard Mailman with Postfix configuration, aliases are created 
(automatically by Mailman) to pipe the Mailman addresses to the proper Mailman 
program. Postfix transports are not involved (however, there are a lot of 
non-standard Mailman distributions out there). It appears the OP is doing 
something non-standard.

-- 
Larry Stone
lston...@stonejongleux.com









Re: postfix to mailman: User doesn't exist/relay access denied

2016-01-31 Thread Steven Kiehl
Not having used Mailman in a Postfix setup before, I can only speculate a
bit.  From what I can tell, all your mail is delivering through the dovecot
transport and no transport designation is being performed for the mailman
address aliases.  I'm not familiar with a virtual_email2email configuration
option.  Do your list addresses map to anything in your
virtual_mailbox_maps configuration? That is, do they map to a real address
defined in virtual_mailbox_maps?

For me, aliases in virtual_alias_maps map to real addresses in
virtual_mailbox_maps, and then map to transports in transport_maps where
they get passed off to the appropriate handler.  I would imagine the
mailman addresses need to be mapped in virtual_mailbox_maps and handed off
via transport_maps.

Also, have you tried raising the debug level to diagnose the hand-off in
logs?

On Sun, Jan 31, 2016 at 6:21 PM, wal...@ifkuk.org <wal...@ifkuk.org> wrote:

> Hey guys
>
> since three days I am stuck with a problem and it seems to me I am blind
> for the solution by digging
> into it so much, so I need your help to have a look at it please!
>
> our server is up and running dovecot/postfix on debian 8 for three years
> by now, without any problems.
>
> I urgently needed to set up some mailinglists and choose mailman for it
> (what else?).
>
> I thought everything went fine till I tried to test my installation and
> discovered that,
> when I try to send from an internal emailaddress (managed by the server
> itself) I get an
> "User doesn't exist" error and if I send an email from an external
> service like gmail,
> I get "relay access denied".
>
> Like I've said, I tried to fix this problem for over three days now and
> can't see my mistake.
>
> I uploaded my config files at HowtoForge, where you can have a look at it:
> https://www.howtoforge.com/community/threads/postfix-mailman-debian8.72052/
>
>
> Greetings and thank you in advance for your help
> Walter
>


Re: postfix to mailman: User doesn't exist/relay access denied

2016-01-31 Thread Viktor Dukhovni
On Sun, Jan 31, 2016 at 11:35:51PM -0500, Steven Kiehl wrote:

> Another thing to try is running the 'postfix check' command to test if
> there are any obvious configuration errors.

Neither the debug level suggestion nor this one are likely to be
of any use.

> I'd have to defer to someone else more familiar with Mailman, but do you
> know if it works to add 'hash:/var/lib/mailman/data/virtual-mailman' to the
> 'virtual_mailbox_maps' configuration to basically add the mailman addresses
> in as real addresses instead of aliases, then set up a transport_maps
> configuration for them.

Mailman requires local(8) delivery via an aliases(5) file that
belongs to the mailman user.  With any luck the OP will post actual
configuration details to this list, rather than some website most
readers won't bother to look at, and someone who knows Postfix<->mailman
integration will provide some help.

-- 
Viktor.


making relay access denied permanent

2015-09-05 Thread A. Meyer
Hello!

# postconf mail_version
mail_version = 2.11.3

I have this in my log this morning:

Sep  5 08:05:46 bitmachine1 postfix/smtpd[7475]: NOQUEUE: reject: RCPT from 
unknown[14.215.136.46]: 454 4.7.1 <xiaonanzi11...@163.com>: Relay access 
denied; from=<vy...@nimmini.de> to=<xiaonanzi11...@163.com> proto=ESMTP 
helo=
Sep  5 08:05:49 bitmachine1 postfix/smtpd[7475]: too many errors after DATA 
from unknown[14.215.136.46]

How can I change the temporary 454 to a 5xx reject?

I don't find anything in the main.cf regarding this.

smtpd_recipient_restrictions =
check_sender_access hash:/etc/postfix/access_sender,
permit_mynetworks,
#check_recipient_access hash:/etc/postfix/hold,
reject_sender_login_mismatch,
permit_sasl_authenticated,
#permit_mynetworks,
reject_invalid_helo_hostname,
reject_unlisted_recipient,
reject_unknown_sender_domain,
check_sender_access pcre:/etc/postfix/umlaute.pcre,
check_recipient_access pcre:/etc/postfix/umlaute.pcre,
reject_unauth_destination,
reject_rbl_client bl.spamcop.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client spam.bl.alt-backspace.org,
reject_rbl_client spamtrap.bl.alt-backspace.org,
check_client_access cidr:/etc/postfix/client.cidr,
check_policy_service inet:127.0.0.1:10023

# postconf -n | grep reject_code
unknown_address_reject_code = 550

# postconf -d | grep reject_code
access_map_reject_code = 554
invalid_hostname_reject_code = 501
maps_rbl_reject_code = 554
multi_recipient_bounce_reject_code = 550
non_fqdn_reject_code = 504
plaintext_reject_code = 450
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 450
unverified_sender_reject_code = 450

bitmachine1:/etc/postfix # fgrep -r 454 .
bitmachine1:/etc/postfix # fgrep -r defer_unauth_destination .

outputs nothing.

I'm a bit helpless with this one.

Greetings

  Andreas


Re: making relay access denied permanent

2015-09-05 Thread A. Meyer
Hello!

Christian Kivalo <ml+postfix-us...@valo.at> wrote on 05.09.15 at 14:14:39:

> > # postconf mail_version
> > mail_version = 2.11.3
> > 
> > I have this in my log this morning:
> > 
> > Sep  5 08:05:46 bitmachine1 postfix/smtpd[7475]: NOQUEUE: reject: RCPT
> > from unknown[14.215.136.46]: 454 4.7.1 <xiaonanzi11...@163.com>: Relay
> > access denied; from=<vy...@nimmini.de> to=<xiaonanzi11...@163.com>
> > proto=ESMTP helo=
> > Sep  5 08:05:49 bitmachine1 postfix/smtpd[7475]: too many errors after
> > DATA from unknown[14.215.136.46]
> > 
> > How can I change the temporary 454 to a 5xx reject?
> > 
> 
> Take a look at http://www.postfix.org/postconf.5.html#soft_bounce

# postconf -n soft_bounce
soft_bounce = no

  Andreas


Re: making relay access denied permanent

2015-09-05 Thread Wietse Venema
A. Meyer:
> Hello!
> 
> # postconf mail_version
> mail_version = 2.11.3

Look at smtpd_relay_restrictions (new with Postfix 2.11):

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, 
defer_unauth_destination

Replace defer_unauth_destination with reject_unauth_destination.

Wietse
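
The difference between the two restrictions named above, as an added Python illustration (a simplified model, not Postfix code and not part of the thread). It walks a relay restriction list the way the messages describe it and also covers the mydestination case from the "454 Relay access denied" thread; all addresses and domains are constructed, and the Config class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# The list Wietse quotes: trusted networks, then SASL logins, then a 4xx for the rest.
DEFAULT_RELAY = ("permit_mynetworks", "permit_sasl_authenticated",
                 "defer_unauth_destination")


@dataclass
class Config:
    # Plain CIDR notation so Python's ipaddress module can parse the values.
    mynetworks: tuple = ("127.0.0.0/8", "::1/128")
    mydestination: tuple = ("localhost",)
    relay_domains: tuple = ()
    virtual_domains: tuple = ()   # virtual_mailbox_domains + virtual_alias_domains
    relay_restrictions: tuple = DEFAULT_RELAY


def client_in_mynetworks(cfg, client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in cfg.mynetworks)


def destination_authorized(cfg, rcpt):
    """True when this server is the final destination or an approved relay."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in cfg.mydestination or domain in cfg.virtual_domains:
        return True
    # relay_domains also covers subdomains of the listed names.
    return any(domain == d or domain.endswith("." + d) for d in cfg.relay_domains)


def relay_decision(cfg, client_ip, rcpt, sasl_authenticated=False):
    """Evaluate the list left to right; the first restriction that matches wins."""
    for name in cfg.relay_restrictions:
        if name == "permit_mynetworks" and client_in_mynetworks(cfg, client_ip):
            return "OK (permit_mynetworks)"
        if name == "permit_sasl_authenticated" and sasl_authenticated:
            return "OK (permit_sasl_authenticated)"
        if name.endswith("_unauth_destination") and not destination_authorized(cfg, rcpt):
            # defer_... answers 454 4.7.1 (client retries later);
            # reject_... answers with relay_domains_reject_code, 554 by default.
            code = "454 4.7.1" if name.startswith("defer") else "554 5.7.1"
            return code + " Relay access denied"
    return "OK (no restriction matched)"


def run_scenarios():
    outsider = "203.0.113.46"   # constructed client address outside mynetworks
    default = Config(mydestination=("mail.example.com", "localhost"))
    hard = Config(mydestination=default.mydestination,
                  relay_restrictions=("permit_mynetworks",
                                      "permit_sasl_authenticated",
                                      "reject_unauth_destination"))
    fixed = Config(mydestination=("example.com", "mail.example.com", "localhost"))
    return {
        "relay_defer": relay_decision(default, outsider, "x@example.net"),
        "relay_reject": relay_decision(hard, outsider, "x@example.net"),
        "relay_sasl": relay_decision(default, outsider, "x@example.net", True),
        "relay_loopback": relay_decision(default, "127.0.0.1", "x@example.net"),
        "inbound_unlisted": relay_decision(default, outsider, "user@example.com"),
        "inbound_listed": relay_decision(fixed, outsider, "user@example.com"),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario:18} {result}")
```
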


Re: making relay access denied permanent

2015-09-05 Thread Christian Kivalo

Hi,

On 2015-09-05 14:07, A. Meyer wrote:

> Hello!
>
> # postconf mail_version
> mail_version = 2.11.3
>
> I have this in my log this morning:
>
> Sep  5 08:05:46 bitmachine1 postfix/smtpd[7475]: NOQUEUE: reject: RCPT
> from unknown[14.215.136.46]: 454 4.7.1 <xiaonanzi11...@163.com>: Relay
> access denied; from=<vy...@nimmini.de> to=<xiaonanzi11...@163.com>
> proto=ESMTP helo=
> Sep  5 08:05:49 bitmachine1 postfix/smtpd[7475]: too many errors after
> DATA from unknown[14.215.136.46]
>
> How can I change the temporary 454 to a 5xx reject?

Take a look at http://www.postfix.org/postconf.5.html#soft_bounce

> I don't find anything in the main.cf regarding this.
>
> smtpd_recipient_restrictions =
> check_sender_access hash:/etc/postfix/access_sender,
> permit_mynetworks,
> #check_recipient_access hash:/etc/postfix/hold,
> reject_sender_login_mismatch,
> permit_sasl_authenticated,
> #permit_mynetworks,
> reject_invalid_helo_hostname,
> reject_unlisted_recipient,
> reject_unknown_sender_domain,
> check_sender_access pcre:/etc/postfix/umlaute.pcre,
> check_recipient_access pcre:/etc/postfix/umlaute.pcre,
> reject_unauth_destination,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client spam.bl.alt-backspace.org,
> reject_rbl_client spamtrap.bl.alt-backspace.org,
> check_client_access cidr:/etc/postfix/client.cidr,
> check_policy_service inet:127.0.0.1:10023
>
> # postconf -n | grep reject_code
> unknown_address_reject_code = 550
>
> # postconf -d | grep reject_code
> access_map_reject_code = 554
> invalid_hostname_reject_code = 501
> maps_rbl_reject_code = 554
> multi_recipient_bounce_reject_code = 550
> non_fqdn_reject_code = 504
> plaintext_reject_code = 450
> reject_code = 554
> relay_domains_reject_code = 554
> unknown_address_reject_code = 450
> unknown_client_reject_code = 450
> unknown_hostname_reject_code = 450
> unknown_local_recipient_reject_code = 550
> unknown_relay_recipient_reject_code = 550
> unknown_virtual_alias_reject_code = 550
> unknown_virtual_mailbox_reject_code = 550
> unverified_recipient_reject_code = 450
> unverified_sender_reject_code = 450
>
> bitmachine1:/etc/postfix # fgrep -r 454 .
> bitmachine1:/etc/postfix # fgrep -r defer_unauth_destination .
>
> outputs nothing.
>
> I'm a bit helpless with this one.
>
> Greetings
>
>   Andreas


regards
- c


Re[2]: 454 Relay access denied

2015-06-07 Thread Managed Pvt nets



On 07/06/2015 6:40:44 AM, Michael B Allen iop...@gmail.com wrote:

> On Sat, Jun 6, 2015 at 11:29 PM, Michael B Allen iop...@gmail.com wrote:
>
>> Jun  6 23:21:06 www postfix/smtpd[2228]: NOQUEUE: reject: RCPT from
>> mail-la0-f44.google.com[209.85.215.44]: 454 4.7.1
>> jsm...@busicorp.com: Relay access denied; from=jo...@gmail.com
>> to=jsm...@busicorp.com proto=ESMTP helo=mail-la0-f44.google.com
>
> snip
>
>> mydestination = $myhostname, localhost.$mydomain, localhost
>> mydomain = busicorp.com
>
> It seems to be working now. Apparently I need $mydomain in mydestination?
>
>   mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost



This is the right way and should work for you.



Cheers,

Molla.






Re: 454 Relay access denied

2015-06-07 Thread Herbert J. Skuhra
On Sun, Jun 07, 2015 at 12:40:44AM -0400, Michael B Allen wrote:
> On Sat, Jun 6, 2015 at 11:29 PM, Michael B Allen iop...@gmail.com wrote:
>> Jun  6 23:21:06 www postfix/smtpd[2228]: NOQUEUE: reject: RCPT from
>> mail-la0-f44.google.com[209.85.215.44]: 454 4.7.1
>> jsm...@busicorp.com: Relay access denied; from=jo...@gmail.com
>> to=jsm...@busicorp.com proto=ESMTP helo=mail-la0-f44.google.com
> snip
>> mydestination = $myhostname, localhost.$mydomain, localhost
>> mydomain = busicorp.com
>
> It seems to be working now. Apparently I need $mydomain in mydestination?
>
>   mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
>
> But I just stumbled on this through trial and error so someone please
> confirm that this needs to be set and that I don't have some other
> kind of problem like DNS is wrong.

Maybe you should consult the fine postfix documentation:

postconf(5)
http://www.postfix.org/postconf.5.html#mydestination
http://www.postfix.org/postconf.5.html#mydomain

But why does your mx point to hotmail.com?

-- 
Herbert


454 Relay access denied

2015-06-06 Thread Michael B Allen
I just moved over to my new server and I can't receive mail. I can
send mail and do IMAP stuff authenticated. I just cannot receive mail.
The server is just a single all-in-one smtpd / submission / imap
server for a handful of users. I just copied my old config pretty much
verbatim but I must admit is has been a long time since I've done
this. Hopefully you nice people can tell me what's wrong ...

Jun  6 23:21:05 www postfix/smtpd[2228]: connect from
mail-la0-f44.google.com[209.85.215.44]
Jun  6 23:21:05 www postfix/smtpd[2228]: Anonymous TLS connection
established from mail-la0-f44.google.com[209.85.215.44]: TLSv1.2 with
cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun  6 23:21:06 www postfix/smtpd[2228]: NOQUEUE: reject: RCPT from
mail-la0-f44.google.com[209.85.215.44]: 454 4.7.1
jsm...@busicorp.com: Relay access denied; from=jo...@gmail.com
to=jsm...@busicorp.com proto=ESMTP helo=mail-la0-f44.google.com
Jun  6 23:21:06 www postfix/smtpd[2228]: disconnect from
mail-la0-f44.google.com[209.85.215.44]
Jun  6 23:22:03 www postfix/smtpd[2228]: connect from
mail2.linode.com[173.255.198.11]
Jun  6 23:22:03 www postfix/smtpd[2248]: connect from
mail2.linode.com[173.255.198.11]
Jun  6 23:22:03 www postfix/smtpd[2228]: NOQUEUE: reject: RCPT from
mail2.linode.com[173.255.198.11]: 454 4.7.1 jsm...@busicorp.com:
Relay access denied; from=nore...@linode.com
to=jsm...@busicorp.com proto=ESMTP helo=mail2.linode.com
Jun  6 23:22:03 www postfix/smtpd[2248]: NOQUEUE: reject: RCPT from
mail2.linode.com[173.255.198.11]: 454 4.7.1 jsm...@busicorp.com:
Relay access denied; from=nore...@linode.com
to=jsm...@busicorp.com proto=ESMTP helo=mail2.linode.com
Jun  6 23:22:03 www postfix/smtpd[2228]: disconnect from
mail2.linode.com[173.255.198.11]
Jun  6 23:22:03 www postfix/smtpd[2248]: disconnect from
mail2.linode.com[173.255.198.11]

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH;
    (echo cont; echo where) | gdb $daemon_directory/$process_name
    $process_id 2>&1 >$config_directory/$process_name.$process_id.log &
    sleep 5
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail -a $EXTENSION
DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = busicorp.com
myhostname = mail.busicorp.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/tls/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550


Re: 454 Relay access denied

2015-06-06 Thread Michael B Allen
On Sat, Jun 6, 2015 at 11:29 PM, Michael B Allen iop...@gmail.com wrote:
> Jun  6 23:21:06 www postfix/smtpd[2228]: NOQUEUE: reject: RCPT from
> mail-la0-f44.google.com[209.85.215.44]: 454 4.7.1
> jsm...@busicorp.com: Relay access denied; from=jo...@gmail.com
> to=jsm...@busicorp.com proto=ESMTP helo=mail-la0-f44.google.com

snip

> mydestination = $myhostname, localhost.$mydomain, localhost
> mydomain = busicorp.com

It seems to be working now. Apparently I need $mydomain in mydestination?

  mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost

But I just stumbled on this through trial and error so someone please
confirm that this needs to be set and that I don't have some other
kind of problem like DNS is wrong.

Mike
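
The "Relay access denied" log records quoted in these threads fall into three situations: a local client that was not trusted, inbound mail for a domain the server should have accepted, and an outside relay attempt that was correctly refused. The Python triage below is an added example, not part of any message; the log lines, domains and addresses are constructed, and the function names and finding labels are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# One smtpd reject record; addresses may appear with or without <angle brackets>.
LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d) (?P<dsn>\d\.\d+\.\d+) .*?Relay access denied; "
    r"from=<?(?P<sender>[^>\s]*)>? to=<?(?P<rcpt>[^>\s]*)>?"
)

HINTS = {
    "trusted-client-denied":
        "local client refused: check permit_mynetworks and mynetworks, or use SASL",
    "inbound-for-hosted-domain-denied":
        "recipient domain should be accepted here: check mydestination / virtual domains",
    "third-party-relay-refused":
        "outside client, outside recipient: the refusal is the intended result",
}

HOSTED = {"example.com"}   # constructed: domains this server is meant to receive for

# Constructed sample records modelled on the shapes seen in the threads.
SAMPLE_LOG = [
    "Jun  6 23:21:06 mx postfix/smtpd[2228]: NOQUEUE: reject: RCPT from "
    "mail.example.net[198.51.100.44]: 454 4.7.1 <jsmith@example.com>: Relay access "
    "denied; from=<joe@example.net> to=<jsmith@example.com> proto=ESMTP helo=<mail.example.net>",
    "Apr  5 12:23:08 mx postfix/smtpd[32140]: NOQUEUE: reject: RCPT from "
    "localhost[127.0.0.1]: 554 5.7.1 <friend@example.org>: Relay access denied; "
    "from=<app@mx.example.com> to=<friend@example.org> proto=SMTP helo=<mx.example.com>",
    "Sep  5 08:05:46 mx postfix/smtpd[7475]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.46]: 454 4.7.1 <someone@example.org>: Relay access denied; "
    "from=<x@example.com> to=<someone@example.org> proto=ESMTP helo=<probe>",
    "Sep  5 08:05:49 mx postfix/smtpd[7475]: too many errors after DATA from "
    "unknown[203.0.113.46]",
    "May  3 16:59:58 mx postfix/smtpd[18060]: NOQUEUE: reject: RCPT from "
    "localhost[::1]: 454 4.7.1 joe@example.org: Relay access denied; "
    "from=list-bounces@mx.example.com to=joe@example.org proto=ESMTP helo=mx.example.com",
]


def triage(line, hosted_domains, trusted_nets=("127.0.0.0/8", "::1/128")):
    """Classify one log line; returns None for anything that is not a relay reject."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:          # e.g. a client logged as unknown[unknown]
        ip = None
    rcpt_domain = m.group("rcpt").rsplit("@", 1)[-1].lower()
    if ip is not None and any(ip in ipaddress.ip_network(n) for n in trusted_nets):
        finding = "trusted-client-denied"
    elif rcpt_domain in hosted_domains:
        finding = "inbound-for-hosted-domain-denied"
    else:
        finding = "third-party-relay-refused"
    return {
        "client": m.group("ip"),
        "code": m.group("code"),
        "rcpt": m.group("rcpt"),
        "temporary": m.group("code").startswith("4"),  # 4xx: the client will retry
        "finding": finding,
        "hint": HINTS[finding],
    }


def summarize(lines, hosted_domains):
    """Count findings across a log excerpt."""
    results = (triage(line, hosted_domains) for line in lines)
    return Counter(r["finding"] for r in results if r is not None)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        row = triage(line, HOSTED)
        if row:
            print(row["client"], row["code"], row["finding"], "-", row["hint"])
    print(dict(summarize(SAMPLE_LOG, HOSTED)))
```
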


relay access denied

2015-04-05 Thread Tim Dunphy
Hey all,

I tried following this guide to install postfix on a centos machine. My
CentOS version is 7 but the guide is for 6. I doubt that makes a difference
however.

Everything went ok, up to a point. I can telnet into the server and send
mail to virtual mailbox recipients. They arrive at their destination and I
can read the messages no problem.

However when I try to send mail off to another address, like a gmail
address, I get a relay access denied error!

[root@web1:/etc/postfix] #telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 web1.jokefire.com ESMTP Postfix
HELO web1.jokefire.com
250 web1.jokefire.com
MAIL FROM: bluethu...@web1.jokefire.com
250 2.1.0 Ok
RCPT TO: bluethu...@gmail.com
*554 5.7.1 bluethu...@gmail.com bluethu...@gmail.com: Relay access
denied*

And I'm seeing this in the mail logs:

Apr  5 12:23:08 web1 postfix/smtpd[32140]: NOQUEUE: reject: RCPT from
centos-7-x64[127.0.0.1]: 554 5.7.1 bluethu...@gmail.com: Relay access
denied; from=bluethu...@web1.jokefire.com to=bluethu...@gmail.com
proto=SMTP helo=web1.jokefire.com

I'm hoping if I show you my postfix config you can help me pinpoint the
source of the problem.

Here's my master config:

[root@web1:/etc/postfix] #grep -v '#' main.cf|sed '/^\s*$/d'
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = web1.jokefire.com
myorigin = localhost
append_dot_mydomain = no
inet_interfaces = localhost
inet_protocols = all
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_minimum_uid = 5000
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_limit = 0
virtual_alias_maps = mysql:/etc/postfix/virtual_alias_maps.sql
virtual_mailbox_domains = mysql:/etc/postfix/virtual_domains_maps.sql
virtual_mailbox_maps = mysql:/etc/postfix/virtual_mailbox_maps.sql
smtpd_sender_login_maps = mysql:/etc/postfix/smtpd_sender_login_maps.sql
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtp_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/pki/tls/certs/mail.crt
smtpd_tls_cert_file = /etc/pki/tls/private/mail.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
btree:$data_directory/smtp_tls_session_cache
smtpd_recipient_restrictions =
   reject_non_fqdn_recipient,
   reject_sender_login_mismatch,
   permit_sasl_authenticated,
   reject_rbl_client zen.spamhaus.org,
   reject_rhsbl_helo dbl.spamhaus.org,
   reject_rhsbl_sender dbl.spamhaus.org,
   reject_unauth_destination
local_recipient_maps =
unknown_local_recipient_reject_code = 550
relay_domains = $mydomain
relayhost =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/examples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

Here's my master config:

[root@web1:/etc/postfix] #grep -v '#' master.cf|sed '/^\s*$/d'
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
smtps      inet  n       -       n       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache

Does anyone have any thoughts

Re: relay access denied

2015-04-05 Thread Tim Dunphy

 missing permit_mynetworks or sasl auth user in example
 to solve use a proper mail client that supports sasl auth, you can use
 gmail webmail to test postfix as a sasl auth relay server, this is the
 proper test to do as your config is, this would work


Cool! Thanks Benny. I'll give that a try.

Thank you,
Tim

On Sun, Apr 5, 2015 at 1:01 PM, Benny Pedersen m...@junc.eu wrote:

 Tim Dunphy skrev den 2015-04-05 18:27:

  Apr  5 12:23:08 web1 postfix/smtpd[32140]: NOQUEUE: reject: RCPT from
 centos-7-x64[127.0.0.1]: 554 5.7.1 bluethu...@gmail.com: Relay
 access denied; from=bluethu...@web1.jokefire.com
 to=bluethu...@gmail.com proto=SMTP helo=web1.jokefire.com


 missing permit_mynetworks or sasl auth user in example

 to solve use a proper mail client that supports sasl auth, you can use
 gmail webmail to test postfix as a sasl auth relay server, this is the
 proper test to do as your config is, this would work




-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B


Re: relay access denied

2015-04-05 Thread Benny Pedersen

Tim Dunphy skrev den 2015-04-05 18:27:


Apr  5 12:23:08 web1 postfix/smtpd[32140]: NOQUEUE: reject: RCPT from
centos-7-x64[127.0.0.1]: 554 5.7.1 bluethu...@gmail.com: Relay
access denied; from=bluethu...@web1.jokefire.com
to=bluethu...@gmail.com proto=SMTP helo=web1.jokefire.com


missing permit_mynetworks or sasl auth user in example

to solve use a proper mail client that supports sasl auth, you can use
gmail webmail to test postfix as a sasl auth relay server, this is the 
proper test to do as your config is, this would work


Unable to receive mail: Relay access denied

2015-01-30 Thread Andreas Fagschlunger
Hello!

I'm trying to setup a mail server with postfix, dovecot and MySQL. At this
point dovecot seems to work (pop3, imap), but I'm unable to receive mails.
The postfix error is (replaced user/domains):

Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: NOQUEUE: reject: RCPT
from node-mec2.wormly.com[184.72.226.23]: 454 4.7.1
m...@mydomain.com: Relay access denied;
from=f...@example.com to=m...@mydomain.com proto=ESMTP
helo=www.wormly.com

What I found out so far is, that postfix doesn't feel responsible for
mydomain.com. When I change mydestination to mydomain.com, postfix accepts
mails.

But I want postfix to lookup the domain against mysql. I've read all the
tutorials around and I'm still getting this error. I tested my SQL queries
with postmap -q and they seem to work fine.

So I enabled verbose logging on smtpd and I didn't find any SQL query, so
I think postfix isn't even accessing the database. So here is a syslog
(real names replaced):

Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: 
node-mec2.wormly.com[184.72.226.23]: MAIL FROM:f...@example.com
...
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: 
node-mec2.wormly.com[184.72.226.23]: 250 2.1.0 Ok
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: 
node-mec2.wormly.com[184.72.226.23]: RCPT TO:m...@mydomain.com
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: extract_addr: input:
m...@mydomain.com
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: smtpd_check_addr:
addr=m...@mydomain.com
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: ctable_locate: move
existing entry key m...@mydomain.com
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: extract_addr: in:
m...@mydomain.com, result: m...@mydomain.com
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]:  START
Recipient address RESTRICTIONS 
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: generic_checks:
name=permit_mynetworks
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: permit_mynetworks:
node-mec2.wormly.com 184.72.226.23
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: match_hostname:
node-mec2.wormly.com ~? 127.0.0.0/8
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: match_hostaddr:
184.72.226.23 ~? 127.0.0.0/8
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: match_hostname:
node-mec2.wormly.com ~? 93.189.*.*/26
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: match_hostaddr:
184.72.226.23 ~? 93.189.*.*/26
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: match_hostname:
node-mec2.wormly.com ~? 172.20.0.0/24
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: match_hostaddr:
184.72.226.23 ~? 172.20.0.0/24
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: match_hostname:
node-mec2.wormly.com ~? [::1]/128
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: match_hostaddr:
184.72.226.23 ~? [::1]/128
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: match_hostname:
node-mec2.wormly.com ~? [fe80::]/64
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: match_hostaddr:
184.72.226.23 ~? [fe80::]/64
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: match_list_match:
node-mec2.wormly.com: no match
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: match_list_match:
184.72.226.23: no match
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: generic_checks:
name=permit_mynetworks status=0
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: generic_checks:
name=permit_sasl_authenticated
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: generic_checks:
name=permit_sasl_authenticated status=0
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: generic_checks:
name=defer_unauth_destination
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]:
reject_unauth_destination: m...@mydomain.com
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: permit_auth_destination:
m...@mydomain.com
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: ctable_locate: leave
existing entry key m...@mydomain.com
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: NOQUEUE: reject: RCPT
from node-mec2.wormly.com[184.72.226.23]: 454 4.7.1
m...@mydomain.com: Relay access denied;
from=f...@example.com to=m...@mydomain.com proto=ESMTP
helo=www.wormly.com
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]: generic_checks:
name=defer_unauth_destination status=2
Jan 28 23:04:22 k002867vsa postfix/smtpd[22830]:  END
Recipient address RESTRICTIONS 
...

and postconf -d output:

alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
local_recipient_maps =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination =
newaliases_path = /usr/bin/newaliases
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth

Re: Unable to receive mail: Relay access denied

2015-01-30 Thread li...@rhsoft.net



Am 30.01.2015 um 14:59 schrieb Andreas Fagschlunger:

What I found out so far is, that postfix doesn't feel responsible for
mydomain.com. When I change mydestination to mydomain.com, postfix accepts
mails.

But I want postfix to lookup the domain against mysql. I've read all the
tutorials around and I'm still getting this error. I tested my SQL queries
with postmap -q and they seem to work fine

So I enabled verbose logging on smtpd and I didn't find any SQL query, so
I think postfix isn't even accessing the database


don't do that


and postconf -d output


that is luckily not true and you posted correct postconf -n


alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
local_recipient_maps =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination =
newaliases_path = /usr/bin/newaliases
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
unknown_local_recipient_reject_code = 550
virtual_gid_maps = static:8
virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_uid_maps = static:999

Now why doesn't postfix look up mydomain.com over MySQL?


because you don't define virtual_mailbox_domains which lists *domains* 
while virtual_mailbox_maps is the RCPT table


http://www.postfix.org/postconf.5.html#virtual_mailbox_maps

virtual_mailbox_maps (default: empty)
Optional lookup tables with all valid addresses in the domains that 
match $virtual_mailbox_domains.


http://www.postfix.org/postconf.5.html#virtual_mailbox_domains


Re: Unable to receive mail: Relay access denied

2015-01-30 Thread Andreas Fagschlunger
Since the virtual_mailbox_domains default value is virtual_mailbox_maps I
thought I didn't need a new query, but it works!

Thank you a lot!
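
Added example (not part of any post above, and not Postfix code): a simplified Python model of how an smtpd restriction list is walked, covering both threads: the list without permit_mynetworks rejecting a 127.0.0.1 client, and a domain that is in no destination class being deferred until virtual_mailbox_domains names it. The mynetworks value and relay domain in CFG_1 and the recipient addresses are assumptions; checks other than the three relay-related ones are skipped.

```python
import ipaddress
import re

def is_auth_destination(domain, cfg):
    """True when the model treats `domain` as a final or permitted relay destination."""
    final = set()
    for key in ("mydestination", "virtual_alias_domains", "virtual_mailbox_domains"):
        final.update(cfg.get(key, []))
    if domain in final:
        return True
    # relay_domains also covers subdomains (parent_domain_matches_subdomains default)
    return any(domain == d or domain.endswith("." + d)
               for d in cfg.get("relay_domains", []))

def evaluate(restrictions, cfg, client_ip, sasl_user, rcpt):
    """Walk the list in order; the first restriction that decides wins."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[1].lower()
    for name in re.split(r"[,\s]+", restrictions.strip()):
        if name == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in cfg.get("mynetworks", [])):
                return ("permit", name)
        elif name == "permit_sasl_authenticated":
            if sasl_user:
                return ("permit", name)
        elif name in ("reject_unauth_destination", "defer_unauth_destination"):
            if not is_auth_destination(domain, cfg):
                return (name.split("_")[0], name)
        # anything else (RBL lookups, sender checks, their arguments) is not modelled
    return ("permit", "end of list")

# First thread: restriction list as posted; mynetworks and the relay domain are assumed.
LIST_1 = """reject_non_fqdn_recipient, reject_sender_login_mismatch,
    permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org,
    reject_unauth_destination"""
CFG_1 = {"mynetworks": ["127.0.0.0/8"], "relay_domains": ["jokefire.com"]}

# Second thread: the three checks visible in the verbose log, mydestination empty.
LIST_2 = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"
CFG_2 = {"mynetworks": ["127.0.0.0/8", "172.20.0.0/24"], "mydestination": []}

if __name__ == "__main__":
    # Constructed recipients; each call prints (action, deciding restriction).
    print(evaluate(LIST_1, CFG_1, "127.0.0.1", None, "user@gmail.com"))
    print(evaluate("permit_mynetworks, " + LIST_1, CFG_1, "127.0.0.1", None, "user@gmail.com"))
    print(evaluate(LIST_2, CFG_2, "184.72.226.23", None, "me@mydomain.com"))
    fixed = dict(CFG_2, virtual_mailbox_domains=["mydomain.com"])
    print(evaluate(LIST_2, fixed, "184.72.226.23", None, "me@mydomain.com"))
```

In the model, as in the logs quoted above, the decision is made by the unauth-destination check: nothing earlier in the list permitted the client, and the recipient domain was in no destination class.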


