Postfix: Relay Access Denied when sending mail from outside the network

Question

I am running Postfix, where it is possible to send email from the webmail interface (inside the "network"), as well as from mail clients (such as Microsoft Outlook, Thunderbird, etc...).

Here's the server details:

CentOS 5.x
Name       : postfix
Arch       : i386
Epoch      : 2
Version    : 2.3.3
Release    : 2.1.centos.mysql_pgsql

Here is a strange scenario:

1. All email that is sent to other domains located on the server are delivered perfectly fine.
2. Email sent via webmail (inside the network) to outside addresses is delivered
3. Email sent via a mail client is not delivered.

Here's an excerpt from the maillog for scenario #3:

2010-10-16T04:36:59.462704-04:00 myers postfix/smtpd[31167]: connect from {my-home-IP-address}
2010-10-16T04:36:59.595662-04:00 myers postfix/smtpd[31167]: NOQUEUE: reject: RCPT from pool-72-93-172-197.bstnma.east.verizon.net[72.93.172.197]: 554 5.7.1 <someone@gmail.com>: Relay access denied; from=<my-email-address@somedomain.com> to=<someone@gmail.com> proto=ESMTP helo=<smoothstoneserv>
2010-10-16T04:37:02.820216-04:00 myers postfix/smtpd[31167]: disconnect from {my-home-IP-address}

In the excerpt above, you will immediately notice that the HELO is wrong. My hostname is myers.smoothstoneservices.com.

I worked on this issue for several hours with some good folks in #postfix on #Freenode last night. Thinking the master.cf conf was bad, I made a backup copy of the file and then reinstalled postfix with yum (I'm running CentOS 5.x) and got the new file. That didn't work.

Here's postconf -n:

    alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = no
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain
mydomain = myers
myhostname = myers.smoothstoneservices.com
mynetworks = 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,rejec                                             t_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/mailserver/postfix.pem
smtpd_tls_key_file = /etc/ssl/mailserver/private/postfix.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/p                                             ostfix/mysql-email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000

Here's main.cf:

[root@myers postfix]# cat main.cf

############## Postfix###############
smtpd_banner = $myhostname
biff = no
append_dot_mydomain = no
relayhost =
mynetworks = 127.0.0.0/8
inet_interfaces = all
mailbox_size_limit = 0
recipient_delimiter = +
alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
myhostname = myers.smoothstoneservices.com
mydomain = myers
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain
mail_spool_directory = /var/spool/mail
debug_peer_level = 2
debugger_command =
  PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
  xxgdb  $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = no
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail
html_directory = no
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
daemon_directory = /usr/libexec/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
queue_directory = /var/spool/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 450
####################postfix section ends here###############

#######################Virtual Domains Users and mailboxes###############
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_minimum_uid = 5000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
##############################Virtual section of main.cf ends##############

#################### SASL/TLS Authentication###########################
######SASL PART#########
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_recipient_restriction = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
######TLS PART###########
smtpd_tls_cert_file = /etc/ssl/mailserver/postfix.pem
smtpd_tls_key_file = /etc/ssl/mailserver/private/postfix.pem
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_received_header = no
smtpd_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_recieved_header = yes
###########################SASL/TLS Authentication ends here#############

virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

content_filter=amavisfeed:[127.0.0.1]:10024

And here's master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
26        inet  n       -       n       -       -       smtpd
587       inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -d ${recipient}

amavisfeed unix    -       -       n        -      2     lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=

Answer 1

Is your mail client using authentication? Unless you're an open relay or set "mynetworks" this is required.

Answer 2

mynetworks parameter in main.cf should include your (trusted) network for which is possible to send mails to other domains. 127.0.0.1 only includes localhost (for webmail) that's the reason why webmail can send mails outside of your domain.

It's advised to include restrictions in your main.cf to use full power of postfix.

Answer 3

I wrote the following as a comment a few days ago, but I guess I should probably mark this question as "answered" ... so here's the comment, and below that, a summary of my answer:

I recently brought this up in a very similar question, as I still had not resolved this issue. The link to that issue is: serverfault.com/questions/240475/…. After doing some more digging tonight, I found the solution and have fixed my problem described in both this and the "new" question

The answer / solution is this: The problem was not in the postfix configuration file at all. The issue was in Dovecot's authentication. There's a auth {} section in /etc/dovecot.conf, and the appropriate login method(s) need to be specified. In my case, I needed the "login" method included.