
This is a fairly common question, but none of the answers I've found (e.g. How to correct Postfix' 'Relay Access Denied'?, https://unix.stackexchange.com/questions/360960/relay-access-denied, https://stackoverflow.com/questions/18318789/linux-postfix-dovecot-554-relay-access-denied) work. I've now spent days trying to find the source of the error, with no luck.

When using my mail client to send an email to an external domain, here is what the log (/var/log/mail.log) shows:

```
Feb 24 19:02:37 (name) postfix/submission/smtpd[27783]: connect from (my domain)[(myip)]
Feb 24 19:02:37 (name) postfix/submission/smtpd[27783]: NOQUEUE: reject: RCPT from (mydomain)[(myip)]: 554 5.7.1 <(my email)@gmail.com>: Relay access denied; from=<admin@(my domain)> to=<(my email)@gmail.com> proto=ESMTP helo=<mail.(my domain)>
Feb 24 19:02:37 (name) postfix/submission/smtpd[27783]: disconnect from (my domain) [(my ip)] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=7/8
```

Everything here looks like I would expect. The request is coming internally from my own domain at my own ip. My domain is configured as a virtual_host and my ip address is specified in `/etc/postfix/main.cf` under the `mynetworks` key. In addition, I have set `smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination` as suggested elsewhere. These have done nothing to alleviate this error.

EDIT: added output of postconf -n

```
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
mydestination = localhost.(my tld), , localhost, (my ip), 127.0.0.1
myhostname = (my domain)
mynetworks = 127.0.0.0/8, [::ffff:127.0.0.0]/104, [::1]/128, 127.0.0.1, (my ip)
myorigin = /etc/mailname
non_smtpd_milters = inet:127.0.0.1:11332
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = inet:127.0.0.1:11332
smtpd_recipient_restrictions = reject_unauth_destination check_policy_service unix:private/quota-status
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-email2email.cf
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = (path to certs)/fullchain.pem
smtpd_tls_key_file = (path to certs)/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
```

EDIT: and here is /etc/postconf/master.cf

```
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
```

What is causing the Relay access denied error?

1 Answer

The `smtpd_relay_restrictions` parameter controls who can relay via your Postfix server.

By setting it up as below (note the commas) you should be fine:

```
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
```

Of course, you should also configure the `mynetworks` parameter to include the IP addresses from which you would like to connect and send mail. For example:

```
mynetworks = 127.0.0.0/8, 192.168.0.0/24
```

Also, please make sure that you do not have any of the other `smtpd_*_restrictions` set, or if necessary configure them similarly to `smtpd_relay_restrictions`. Run `postconf -n`:

```
postconf -n | grep restrictions
```

basekat
  • I tried changing `defer_unauth_destination` to `reject_unauth_destination`, but that gives the same error. The commas also seem to have no effect. `mynetworks` also includes my IP address given in the logs. – Klaus Haukenstein Feb 25 '21 at 14:23
  • Do `postconf -d | grep restrictions` and check whether any of the other restrictions parameters have values or are empty. – basekat Feb 25 '21 at 14:29
  • the only restriction with values seems to be `smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}`, which just looks like some formatting around what I put in. – Klaus Haukenstein Feb 25 '21 at 17:56
  • No, that is not correct. According to your postconf -n output you have set up smtp_recipient_restrictions as well. For the sake of testing, please delete the value of this parameter and re-test. IMHO it should work. And finally consult: http://www.postfix.org/SMTPD_ACCESS_README.html#danger – basekat Feb 26 '21 at 06:17
  • Huh. The postconf -d output was blank for `smtp_recipient_restrictions`, so I assumed some value was overwriting mine. However, deleting that line from `/etc/postfix/main.cf` works now. Thanks! Do you want to update your answer or should I create a new one? – Klaus Haukenstein Feb 26 '21 at 18:49
  • Are there any security concerns with removing the recipient restrictions? The documentation kind of makes it seem like it is replaced by relay restrictions, but it wasn't clear. – Klaus Haukenstein Feb 26 '21 at 18:54
  • Glad that it worked! I actually mistyped postconf -d where I meant postconf -n. I have updated my answer to include also this. – basekat Feb 26 '21 at 18:55
  • As for the security concerns: smtpd_recipient_restrictions and smtpd_relay_restrictions are complementary, as described by the documentation: "Optional restrictions that the Postfix SMTP server applies in the context of a client RCPT TO command, after smtpd_relay_restrictions." For private use, I think removing them has no security implications. – basekat Feb 26 '21 at 18:58
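
The interaction resolved in the comments above, as an added example that is not part of the original thread and not Postfix code: a simplified model of how smtpd walks `smtpd_relay_restrictions` and then `smtpd_recipient_restrictions` at RCPT TO, using the settings from the question. It assumes `example.org` as a stand-in for the asker's domain, constructed session values, and a policy service that returns no opinion.

```python
# Added illustration (not Postfix source): simplified model of smtpd's RCPT TO checks.
LOCAL_DOMAINS = {"example.org"}  # constructed stand-in for the asker's "(my domain)"
# Only the two lists relevant to this page, in the order Postfix applies them.
LIST_ORDER = ["smtpd_relay_restrictions", "smtpd_recipient_restrictions"]

def check(restriction, session):
    """Result of one restriction: PERMIT, REJECT, DEFER or DUNNO (no opinion)."""
    local = session["rcpt"].rsplit("@", 1)[1] in LOCAL_DOMAINS
    if restriction == "permit_mynetworks":
        return "PERMIT" if session["in_mynetworks"] else "DUNNO"
    if restriction == "permit_sasl_authenticated":
        return "PERMIT" if session["sasl_user"] else "DUNNO"
    if restriction == "reject_unauth_destination":
        return "DUNNO" if local else "REJECT"
    if restriction == "defer_unauth_destination":
        return "DUNNO" if local else "DEFER"
    if restriction == "reject":
        return "REJECT"
    return "DUNNO"  # assumption: check_policy_service has no opinion in this model

def rcpt_decision(main_cf, overrides, session):
    """Layer master.cf -o overrides over main.cf, then evaluate every list."""
    effective = {**main_cf, **overrides}
    for name in LIST_ORDER:
        for restriction in effective.get(name, []):
            result = check(restriction, session)
            if result in ("REJECT", "DEFER"):
                return result, name  # final answer for this RCPT TO
            if result == "PERMIT":
                break  # ends this list only; the next list is still evaluated
    return "ACCEPT", None

# Values copied from the postconf -n and master.cf output on this page.
MAIN_CF = {
    "smtpd_relay_restrictions":
        ["permit_mynetworks", "permit_sasl_authenticated", "defer_unauth_destination"],
    "smtpd_recipient_restrictions": ["reject_unauth_destination", "check_policy_service"],
}
SUBMISSION = {"smtpd_relay_restrictions": ["permit_sasl_authenticated", "reject"]}
FIXED_CF = {**MAIN_CF, "smtpd_recipient_restrictions": []}  # the line the asker deleted

# Constructed sessions: the asker's authenticated client and an unauthenticated outsider.
authed = {"rcpt": "user@gmail.com", "sasl_user": "admin@example.org", "in_mynetworks": True}
outsider = {"rcpt": "user@gmail.com", "sasl_user": None, "in_mynetworks": False}

if __name__ == "__main__":
    print(rcpt_decision(MAIN_CF, SUBMISSION, authed))     # refused by the recipient list
    print(rcpt_decision(FIXED_CF, SUBMISSION, authed))    # accepted once that list is empty
    print(rcpt_decision(FIXED_CF, SUBMISSION, outsider))  # still refused on submission
    print(rcpt_decision(FIXED_CF, {}, outsider))          # still refused on port 25
```

In this model the relay list keeps refusing unauthenticated relaying after the recipient list is emptied; what is lost with that line is the `quota-status` policy check it also carried.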