2

Since I can't find a solution that works with my config, I lean on you guys to help me out with this.

I've installed postfix and dovecot on a CentOS server. Everything's running well. But when I try to send an e-mail from Outlook to a TLD that is not .com, the server returns: Relay access denied.

Here's the result of the postconf -n command:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_protocols = all
mailbox_size_limit = 104857600
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = $myhostname, $mydomain, localhost, localhost.$mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_loglevel = 3
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/mailserver.pem
smtpd_tls_key_file = /etc/postfix/mailserver.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

Here's the maillog error:

Nov 23 13:26:24 website_name postfix/smtpd[16391]: extract_addr: input: <mrm@website_name.com>
Nov 23 13:26:24 website_name postfix/smtpd[16391]: smtpd_check_addr: addr=mrm@website_name.com
Nov 23 13:26:24 website_name postfix/smtpd[16391]: ctable_locate: move existing entry key mrm@website_name.com
Nov 23 13:26:24 website_name postfix/smtpd[16391]: extract_addr: in: <mrm@website_name.com>, result: mrm@website_name.com
Nov 23 13:26:24 website_name postfix/smtpd[16391]: fsspace: .: block size 4096, blocks free 23679665
Nov 23 13:26:24 website_name postfix/smtpd[16391]: smtpd_check_queue: blocks 4096 avail 23679665 min_free 0 msg_size_limit 20971520
Nov 23 13:26:24 website_name postfix/smtpd[16391]: > unknown[178.193.xxx.xxx]: 250 2.1.0 Ok
Nov 23 13:26:24 website_name postfix/smtpd[16391]: < unknown[178.193.xxx.xxx]: RCPT TO:<webmaster@somehost.fr>
Nov 23 13:26:24 website_name postfix/smtpd[16391]: extract_addr: input: <webmaster@somehost.fr>
Nov 23 13:26:24 website_name postfix/smtpd[16391]: smtpd_check_addr: addr=webmaster@somehost.fr
Nov 23 13:26:24 website_name postfix/smtpd[16391]: ctable_locate: move existing entry key webmaster@somehost.fr
Nov 23 13:26:24 website_name postfix/smtpd[16391]: extract_addr: in: <webmaster@somehost.fr>, result: webmaster@somehost.fr
Nov 23 13:26:24 website_name postfix/smtpd[16391]: >>> START Recipient address RESTRICTIONS <<<
Nov 23 13:26:24 website_name postfix/smtpd[16391]: generic_checks: name=permit_sasl_authenticated
Nov 23 13:26:24 website_name postfix/smtpd[16391]: generic_checks: name=permit_sasl_authenticated status=0
Nov 23 13:26:24 website_name postfix/smtpd[16391]: generic_checks: name=reject_unauth_destination
Nov 23 13:26:24 website_name postfix/smtpd[16391]: reject_unauth_destination: webmaster@somehost.fr
Nov 23 13:26:24 website_name postfix/smtpd[16391]: permit_auth_destination: webmaster@somehost.fr
Nov 23 13:26:24 website_name postfix/smtpd[16391]: ctable_locate: leave existing entry key webmaster@somehost.fr
Nov 23 13:26:24 website_name postfix/smtpd[16391]: NOQUEUE: reject: RCPT from unknown[178.193.xxx.xxx]: 554 5.7.1 <webmaster@somehost.fr>: Relay access denied; from=<mrm@website_name.com> to=<webmaster@somehost.fr> proto=ESMTP helo=<[192.168.1.38]>
Nov 23 13:26:24 website_name postfix/smtpd[16391]: generic_checks: name=reject_unauth_destination status=2
Nov 23 13:26:24 website_name postfix/smtpd[16391]: > unknown[178.193.xxx.xxx]: 554 5.7.1 <webmaster@somehost.fr>: Relay access denied
Nov 23 13:26:24 website_name postfix/smtpd[16391]: smtp_get: EOF

What's wrong with this?

UPDATE: added to main.cf

broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot

UPDATE: EHLO

EHLO mail.perflux.com
250-perflux.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

UPDATE: log

: connection established
: master_notify: status 0
: name_mask: resource
: name_mask: software
: connect from unknown[remoteIP]
: match_list_match: unknown: no match
: match_list_match: remoteIP: no match
: match_list_match: unknown: no match
: match_list_match: remoteIP: no match
: match_hostname: unknown ~? 127.0.0.0/8
: match_hostaddr: remoteIP ~? 127.0.0.0/8
: match_hostname: unknown ~? 195.70.x.x/24
: match_hostaddr: remoteIP ~? 195.70.x.x/24
: match_hostname: unknown ~? [::1]/128
: match_hostaddr: remoteIP ~? [::1]/128
: match_hostname: unknown ~? [fe80::%eth0]/64
: match_hostaddr: remoteIP ~? [fe80::%eth0]/64
: match_list_match: unknown: no match
: match_list_match: remoteIP: no match
: send attr request = connect
: send attr ident = smtp:remoteIP
: private/anvil: wanted attribute: status
: input attribute name: status
: input attribute value: 0
: private/anvil: wanted attribute: count
: input attribute name: count
: input attribute value: 1
: private/anvil: wanted attribute: rate
: input attribute name: rate
: input attribute value: 2
: private/anvil: wanted attribute: (list terminator)
: input attribute name: (end)
: > unknown[remoteIP]: 220 domain.com ESMTP Postfix
: < unknown[remoteIP]: EHLO [192.168.1.38]
: > unknown[remoteIP]: 250-domain.com
: > unknown[remoteIP]: 250-PIPELINING
: > unknown[remoteIP]: 250-SIZE 20971520
: > unknown[remoteIP]: 250-VRFY
: > unknown[remoteIP]: 250-ETRN
: match_list_match: unknown: no match
: match_list_match: remoteIP: no match
: > unknown[remoteIP]: 250-STARTTLS
: > unknown[remoteIP]: 250-ENHANCEDSTATUSCODES
: > unknown[remoteIP]: 250-8BITMIME
: > unknown[remoteIP]: 250 DSN
: < unknown[remoteIP]: STARTTLS
: > unknown[remoteIP]: 220 2.0.0 Ready to start TLS
: setting up TLS connection from unknown[remoteIP]
: unknown[remoteIP]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
: auto_clnt_open: connected to private/tlsmgr
: send attr request = seed
: send attr size = 32
: private/tlsmgr: wanted attribute: status
: input attribute name: status
: input attribute value: 0
: private/tlsmgr: wanted attribute: seed
: input attribute name: seed
: input attribute value: 7FfGXFU+Rpalr27a4Gy4AcFT7UY0uKwxVopJXiqNiJQ=
: private/tlsmgr: wanted attribute: (list terminator)
: input attribute name: (end)
: SSL_accept:before/accept initialization […]
: SSL_accept:SSLv3 read client hello A
: SSL_accept:SSLv3 write server hello A
: SSL_accept:SSLv3 write certificate A
: SSL_accept:SSLv3 write server done A […]
: SSL_accept:SSLv3 flush data […]
: SSL_accept:SSLv3 read client key exchange A […]
: SSL_accept:SSLv3 read finished A
: SSL_accept:SSLv3 write change cipher spec A
: SSL_accept:SSLv3 write finished A […]
: SSL_accept:SSLv3 flush data
: Anonymous TLS connection established from unknown[remoteIP]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
: xsasl_dovecot_server_create: SASL service=smtp, realm=(null)
: name_mask: noanonymous
: xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN
: xsasl_dovecot_server_mech_filter: keep mechanism: LOGIN
: < unknown[remoteIP]: EHLO [192.168.1.38]
: > unknown[remoteIP]: 250-domain.com
: > unknown[remoteIP]: 250-PIPELINING
: > unknown[remoteIP]: 250-SIZE 20971520

And it stops...

kfa
  • 123
  • 1
  • 5
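The restriction walk the maillog above records (permit_sasl_authenticated, then reject_unauth_destination) re-implemented as an added example; this is not code from the question or from Postfix itself. The parsed NOQUEUE line is a constructed copy of the one above with a placeholder client IP, and the mydestination/mynetworks values are assumptions drawn from the postconf -n output:

```python
import ipaddress
import re

# Constructed model of the asker's server: mydestination from the postconf -n output (assuming
# $myhostname/$mydomain expand to mail.website_name.com/website_name.com), CentOS-default mynetworks.
CONFIG = {
    "mydestination": {"mail.website_name.com", "website_name.com", "localhost", "localhost.website_name.com"},
    "relay_domains": set(),                      # nothing this server relays for
    "mynetworks": ["127.0.0.0/8", "[::1]/128"],  # the Outlook client 178.193.x.x is not in here
    "smtpd_recipient_restrictions": ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"],
}

# Constructed copy of the question's NOQUEUE line; the redacted client IP is replaced by
# the placeholder 178.193.0.1 so that it parses as an address.
SAMPLE_LINE = ("Nov 23 13:26:24 website_name postfix/smtpd[16391]: NOQUEUE: reject: RCPT from unknown[178.193.0.1]: "
               "554 5.7.1 <webmaster@somehost.fr>: Relay access denied; from=<mrm@website_name.com> "
               "to=<webmaster@somehost.fr> proto=ESMTP helo=<[192.168.1.38]>")

REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: (?P<status>\d{3} \d\.\d\.\d) "
    r"<(?P<rcpt>[^>]+)>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)> to=<[^>]+> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]+)>")

def parse_reject(line):
    # Client, recipient and reason from an smtpd NOQUEUE reject line (None if it is not one)
    return m.groupdict() if (m := REJECT_RE.search(line)) else None

def in_mynetworks(cfg, client_ip):
    # permit_mynetworks: Postfix writes IPv6 networks as [addr]/len, ipaddress wants addr/len
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n.replace("[", "").replace("]", "")) for n in cfg["mynetworks"])

def is_auth_destination(cfg, recipient):
    # reject_unauth_destination passes a domain in mydestination or one at/under relay_domains
    domain = recipient.rsplit("@", 1)[-1].lower()
    parts = domain.split(".")
    return domain in cfg["mydestination"] or any(
        ".".join(parts[i:]) in cfg["relay_domains"] for i in range(len(parts)))

def check_recipient(cfg, client_ip, sasl_authenticated, recipient):
    # Walk smtpd_recipient_restrictions in order; the first PERMIT or REJECT decides, as in the maillog
    for restriction in cfg["smtpd_recipient_restrictions"]:
        if restriction == "permit_mynetworks" and in_mynetworks(cfg, client_ip):
            return "250 Ok (permit_mynetworks)"
        if restriction == "permit_sasl_authenticated" and sasl_authenticated:
            return "250 Ok (permit_sasl_authenticated)"
        if restriction == "reject_unauth_destination" and not is_auth_destination(cfg, recipient):
            return f"554 5.7.1 <{recipient}>: Relay access denied"
    return "250 Ok (end of list)"
```

Feeding the parsed sample line into check_recipient reproduces the 554, while the same recipient with sasl_authenticated set to True, or a client inside mynetworks, gets a 250; mail to website_name.com passes because that domain is in mydestination, which is why only non-.com recipients failed.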

3 Answers

1

Unless this system is purely internal, setting

smtpd_tls_security_level = encrypt

will ensure that it never, ever receives internet mail.

If instead you meant to secure user submission, you need to configure the submission service as commented out in the master.cf file.

Submission occurs on port 587, not port 25, and should always be secured and authenticated, as per RFC 6409.

adaptr
  • 16,479
  • 21
  • 33
  • Thanks for the help. So I've configured the submission service (inet), set smtpd_tls_security_level to **may** and smtpd_tls_auth_only to **no**. It still doesn't work :/ – kfa Nov 29 '12 at 10:58
0

For a start you could add the IP address of your workstation to mynetworks. For example:

mynetworks = 127.0.0.0/8 178.193.xxx.xxx

If everything works OK, then try to debug why SASL authentication does not work; if you need help, you should post the maillog after SASL was enabled.

Laurentiu Roescu
  • 2,246
  • 16
  • 17
  • No. This is a very bad practice in general, as you have no control over what comes in from that IP. – adaptr Nov 27 '12 at 13:10
  • Thanks for the answer, but then it would be even easier to add all TLDs to mydestination. But I'm trying to solve the problem with good practices only ^^ – kfa Nov 29 '12 at 10:45
  • You got it all wrong. I suggested that just for debugging purposes and not as a final solution. On the other hand I suspect that your client is not properly configured to use authentication. – Laurentiu Roescu Nov 29 '12 at 11:06
  • It works, and yes, the problem is the authentication. – kfa Nov 29 '12 at 16:24
0

Try #2:

I was right in stating that your server refuses to authenticate. Now I see that the problem has layers:

  1. You haven't added your sending host to $mynetworks (you can check it with postconf -d | grep mynetworks), and as such the server will accept mail from you only if you authenticate to it.

  2. As you have specified smtpd_tls_auth_only = yes, authentication should proceed only over an encrypted connection.

  3. Your client starts an encrypted connection, but... your log ends there. What happened next? Is there anything about authentication errors in other logs?

I also know that SASL by default authenticates users against its internal database, but you haven't specified your authentication source either. A good guide on setting up Postfix/SASL/Dovecot auth is at http://www.postfix.org/SASL_README.html#server_dovecot_comm; try checking it out.

kworr
  • 1,055
  • 8
  • 14
  • He already has that set. – adaptr Nov 27 '12 at 13:07
  • I know (TM), but if he is connecting on a non-encrypted port, the server would not even advertise authentication and would treat the user as unauthenticated. And he configured authentication in a way that only permits authenticated users to send mail. – kworr Nov 29 '12 at 08:15