
Postfix being an ass: Relay access denied when rcpt to: is issued


Archangel

Mar 12, 2013, 7:37:18 PM
Ok, Postfix is acting like a three year old.
When I try to send e-mail in Roundcube, it returns, "Relay access denied". I telnet to port 25 on the server, ehlo and rcpt from without a problem. When I enter mail to: us...@domain.com it returns 554 5.7.1 <us...@domain.com>: Relay access denied. Apparently, this is a postfix issue, but idk how to fix it...even reinstalling postfix from scratch doesn't fix it. Help.
-Aaron

Larry Stone

Mar 12, 2013, 7:47:00 PM
Hmmm. You must have missed the part of your list welcome message that said "TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail". Had you read that, you would have found that we need postconf -n output as well as relevant non-verbose logging. It's probably a simple configuration issue. Reinstalling software rather than correcting the configuration is rarely helpful.

--
Larry Stone
lsto...@stonejongleux.com
http://www.stonejongleux.com/

Ansgar Wiechers

Mar 12, 2013, 7:47:38 PM
On 2013-03-12 Archangel wrote:
> Ok, Postfix is acting like a three year old.

Blame the person who messed up the configuration. Postfix is just the
messenger.

> When I try to send e-mail in Roundcube, it returns, "Relay access
> denied". I telnet to port 25 on the server, ehlo and rcpt from without
> a problem. When I enter mail to: us...@domain.com it returns 554 5.7.1
> <us...@domain.com>: Relay access denied. Apparently, this is a postfix
> issue, but idk how to fix it...even reinstalling postfix from scratch
> doesn't fix it. Help.

You have to help us help you. Post the output of postconf -n as well as
an excerpt from your mail log demonstrating the problem.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Viktor Dukhovni

Mar 12, 2013, 8:03:27 PM

James Griffin

Mar 13, 2013, 3:45:30 AM
[--------- Tue 12.Mar'13 at 18:47:00 -0500 Larry Stone :---------]

>
> On Mar 12, 2013, at 6:37 PM, Archangel <killerpe...@gmail.com> wrote:
>
> > Ok, Postfix is acting like a three year old.
> > When I try to send e-mail in Roundcube, it returns, "Relay access denied". I telnet to port 25 on the server, ehlo and rcpt from without a problem. When I enter mail to: us...@domain.com it returns 554 5.7.1 <us...@domain.com>: Relay access denied. Apparently, this is a postfix issue, but idk how to fix it...even reinstalling postfix from scratch doesn't fix it. Help.
> > -Aaron
>
> Hmmm. You must have missed the part of your list welcome message that said "TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail". Had you read that, you would have found that we need postconf -n output as well as relevant non-verbose logging. It's probably a simple configuration issue. Reinstalling software rather than correcting the configuration is rarely helpful.

It's always a configuration problem if you can't send mail using your own domain. Reinstalling the software is more likely to cause problems as you would be inclined to change some compile option "thinking" it were the cause. It may also be an issue with how you've set up your web client. You need to show the configuration options you've chosen for the MTA to be able to diagnose the mistake you have made. I wonder if you've followed some misguided "how-to" on the internet?

--
James Griffin: jmz at kontrol.kode5.net
jmzgriffin at gmail.com

A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38

Benny Pedersen

Mar 13, 2013, 4:15:05 AM
Archangel wrote on 2013-03-13 00:37:
> Ok, Postfix is acting like a three year old.

+1

you did not show postconf -n here

> When I try to send e-mail in Roundcube, it returns, "Relay access
> denied".

and you used port 25

> I telnet to port 25 on the server, ehlo and rcpt from
> without a problem.

what ip did you do this test from ?

show it worked btw

> When I enter mail to: us...@domain.com it returns
> 554 5.7.1 <us...@domain.com>: Relay access denied.

means either you are not in mynetworks, or domain.com is not local, or
you need to use smtp auth

> Apparently, this is
> a postfix issue, but idk how to fix it...even reinstalling postfix
> from scratch doesn't fix it.

you get more help if you show postconf -n, and logs for what works and
what does not "like a three year old"

> Help.

as kids are listening now ? :=)

> -Aaron

Ansgar Wiechers

Mar 13, 2013, 8:48:57 AM
Please keep this on-list. I'm not doing personal support for free.

On 2013-03-12 Archangel wrote:
> mydestination = bayesianmarketing.com, mediaserver, localhost.localdomain,
> localhost
> myhostname = bayesianmarketing.com
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
[...]
> mail.log:
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: NOQUEUE: reject: RCPT
> from ip68-227-115-116.ok.ok.cox.net[68.227.115.116]: 451 4.3.5 <
> reci...@domain.com>: Recipient address rejected: Server configuration
> error; from=<aaronc...@bayesianmarketing.com> to=<recie...@domain.com>
> proto=ESMTP

You don't have "domain.com" in your $mydestination and your $mynetworks
doesn't include 68.227.115.116. Unless you sent the mail via TLS it's
going to be rejected anyway.

The message "Server configuration error" is curious, though. Please post
the output of "grep 12785 /var/log/mail.log".

> smtpd_recipient_restrictions =
> permit_sasl_authenticated
> check_recipient_access hash:/etc/postfix/filtered_domains
> permit_mynetworks
> reject_unauth_destination
> smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks

"check_recipient_access" should go *after* "reject_unauth_destination",
otherwise you're prone to becoming an open relay.

Also put all restrictions under $smtpd_recipient_restrictions. Unless
you set "smtpd_delay_reject = no" (which you shouldn't) the result will
be the same, and it's easier to maintain this way.

Viktor Dukhovni

Mar 13, 2013, 12:00:57 PM
On Wed, Mar 13, 2013 at 01:48:57PM +0100, Ansgar Wiechers wrote:

> > Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: NOQUEUE: reject: RCPT
> > from ip68-227-115-116.ok.ok.cox.net[68.227.115.116]: 451 4.3.5 <
> > reci...@domain.com>: Recipient address rejected: Server configuration
> > error; from=<aaronc...@bayesianmarketing.com> to=<recie...@domain.com>
> > proto=ESMTP
>
> The message "Server configuration error" is curious, though. Please post
> the output of "grep 12785 /var/log/mail.log".

That's the problem: mail is rejected because of configuration errors,
not incorrectly applied policy.

> > smtpd_recipient_restrictions =
> > permit_sasl_authenticated
> > check_recipient_access hash:/etc/postfix/filtered_domains
> > permit_mynetworks
> > reject_unauth_destination
> > smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks
>
> "check_recipient_access" should go *after* "reject_unauth_destination",
> otherwise you're prone to becoming an open relay.

No, it is generally safe to do recipient access lookups, even before
anti-relay policy, since the recipient cannot be spoofed. Just don't
allow mail to recipients in outside domains.

The permit-only sender restrictions are pointless (slow version of empty).

--
Viktor.

Ansgar Wiechers

Mar 13, 2013, 1:35:41 PM
On 2013-03-13 Viktor Dukhovni wrote:
> On Wed, Mar 13, 2013 at 01:48:57PM +0100, Ansgar Wiechers wrote:
>>> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: NOQUEUE: reject:
>>> RCPT from ip68-227-115-116.ok.ok.cox.net[68.227.115.116]: 451 4.3.5
>>> <reci...@domain.com>: Recipient address rejected: Server
>>> configuration error; from=<aaronc...@bayesianmarketing.com>
>>> to=<recie...@domain.com> proto=ESMTP
>>
>> The message "Server configuration error" is curious, though. Please
>> post the output of "grep 12785 /var/log/mail.log".
>
> That's the problem: mail is rejected because of configuration errors,
> not incorrectly applied policy.

I think so, too. That's why I asked for the log entries from this
particular smtpd process.

>>> smtpd_recipient_restrictions =
>>> permit_sasl_authenticated
>>> check_recipient_access hash:/etc/postfix/filtered_domains
>>> permit_mynetworks
>>> reject_unauth_destination
>>> smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks
>>
>> "check_recipient_access" should go *after* "reject_unauth_destination",
>> otherwise you're prone to becoming an open relay.
>
> No, it is generally safe to do recipient access lookups, even before
> anti-relay policy, since the recipient cannot be spoofed. Just don't
> allow mail to recipients in outside domains.

The latter is what I meant by "prone to becoming an open relay". Is
there any advantage in putting check_recipient_access before
reject_unauth_destination? If not I'd recommend sticking with the safe
variant.

Viktor Dukhovni

Mar 13, 2013, 1:54:38 PM
On Wed, Mar 13, 2013 at 06:35:41PM +0100, Ansgar Wiechers wrote:

> > No, it is generally safe to do recipient access lookups, even before
> > anti-relay policy, since the recipient cannot be spoofed. Just don't
> > allow mail to recipients in outside domains.
>
> The latter is what I meant by "prone to becoming an open relay". Is
> there any advantage in putting check_recipient_access before
> reject_unauth_destination? If not I'd recommend sticking with the safe
> variant.

Sometimes it is easier to have only a subset of valid recipients admitted
via "permit_auth_destination", so "reject_unauth_destination" would
reject the rest, and one adds the remaining recipients above. Such
configurations are safe, but uncommon.

--
Viktor.
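The ordering question debated above, as an added example that is not part of any post in the thread: a simplified Python model of first-match evaluation of `smtpd_recipient_restrictions`. It assumes the access map is keyed by recipient domain only and that only `mydestination` counts as an authorized destination; `user@domain.com` is a constructed address.

```python
import ipaddress

# Constructed model inputs, taken from the postconf -n excerpt quoted in the thread.
MYDESTINATION = {"bayesianmarketing.com", "mediaserver",
                 "localhost.localdomain", "localhost"}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]

ORDER_POSTED = ["permit_sasl_authenticated", "check_recipient_access",
                "permit_mynetworks", "reject_unauth_destination"]
ORDER_SAFE = ["permit_sasl_authenticated", "permit_mynetworks",
              "reject_unauth_destination", "check_recipient_access"]


def evaluate(restrictions, client_ip, rcpt, sasl=False, table=None):
    """Outcome of one RCPT TO: the first restriction that decides wins.

    table is the access map as {domain: action}; None models a map that
    cannot be opened (for example a missing .db file).
    """
    domain = rcpt.rsplit("@", 1)[1].lower()
    ip = ipaddress.ip_address(client_ip)
    for name in restrictions:
        if name == "permit_sasl_authenticated" and sasl:
            return "permit"
        if name == "permit_mynetworks" and any(ip in n for n in MYNETWORKS):
            return "permit"
        if name == "check_recipient_access":
            if table is None:          # lookup failure is a temporary reject
                return "451 4.3.5 Server configuration error"
            action = table.get(domain, "DUNNO")
            if action == "OK":         # OK ends evaluation with a permit
                return "permit"
            if action == "REJECT":
                return "554 5.7.1 Access denied"
        if name == "reject_unauth_destination" and domain not in MYDESTINATION:
            return "554 5.7.1 Relay access denied"
    return "permit"                    # nothing decided: implicit permit


if __name__ == "__main__":
    outside = ("68.227.115.116", "user@domain.com")
    for label, order in (("posted", ORDER_POSTED), ("safe", ORDER_SAFE)):
        for tbl in (None, {}, {"domain.com": "OK"}):
            print(label, tbl, "->", evaluate(order, *outside, table=tbl))
```

In the posted order an `OK` entry for an outside domain permits relaying from any client, while the same entry placed after `reject_unauth_destination` is never reached for that domain.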

Archangel

Mar 13, 2013, 3:45:50 PM
here's the output of the grep command on mail.log:
Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: error: open database /etc/postfix/filtered_domains.db: No such file or directory
Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: connect from ip68-227-115-116.ok.ok.cox.net[68.227.115.116]
Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: warning: hash:/etc/postfix/filtered_domains is unavailable. open database /etc/postfix/filtered_domains.db: No such file or directory
Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: warning: hash:/etc/postfix/filtered_domains: table lookup problem
Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: NOQUEUE: reject: RCPT from ip68-227-115-116.ok.ok.cox.net[68.227.115.116]: 451 4.3.5 <reci...@domain.com>: Recipient address rejected: Server configuration error; from=<aaronc...@bayesianmarketing.com> to=<recie...@domain.com> proto=ESMTP helo=<bayesianmarketing.com>
Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: disconnect from ip68-227-115-116.ok.ok.cox.net[68.227.115.116]

Reindl Harald

Mar 13, 2013, 4:05:09 PM


On 13.03.2013 at 20:45, Archangel wrote:
> here's the output of the grep command on mail.log:
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: error: open database /etc/postfix/filtered_domains.db: No such file or directory
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: connect from ip68-227-115-116.ok.ok.cox.net[68.227.115.116]
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: warning: hash:/etc/postfix/filtered_domains is unavailable. open database /etc/postfix/filtered_domains.db: No such file or directory
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: warning: hash:/etc/postfix/filtered_domains: table lookup problem
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: NOQUEUE: reject: RCPT from ip68-227-115-116.ok.ok.cox.net[68.227.115.116]: 451 4.3.5 <reci...@domain.com>: Recipient address rejected: Server configuration error; from=<aaronc...@bayesianmarketing.com> to=<recie...@domain.com> proto=ESMTP helo=<bayesianmarketing.com>
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: disconnect from ip68-227-115-116.ok.ok.cox.net[68.227.115.116]

and you do not think it would be a good idea to fix
the errors?

"/etc/postfix/filtered_domains" what is with that?
does it exist at all?
did you postmap it?


Ansgar Wiechers

Mar 13, 2013, 5:23:20 PM
On 2013-03-13 Archangel wrote:
> here's the output of the grep command on mail.log:
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: error: open database
> /etc/postfix/filtered_domains.db: No such file or directory

Well, the error message is rather self-explanatory. You advised Postfix
to check a hash table hash:/etc/postfix/filtered_domains, but neglected
to actually create it. You probably just created the text file
/etc/postfix/filtered_domains without converting it to an actual hash
table. Run "postmap /etc/postfix/filtered_domains".
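A check for the failure diagnosed above, as an added example that is not part of the original post: it scans `postconf -n` style text for `hash:` and `btree:` maps and reports any whose `.db` file is missing or older than its source. The `root` parameter and the sample text (constructed from the excerpt quoted in the thread) are assumptions of this example.

```python
import os
import re

# Constructed sample, modelled on the postconf -n excerpt quoted in the thread.
SAMPLE_POSTCONF = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    check_recipient_access hash:/etc/postfix/filtered_domains
    permit_mynetworks
    reject_unauth_destination
"""

# Map types that postmap compiles into "<path>.db".
MAP_REF = re.compile(r"\b(?:hash|btree):(/[^\s,]+)")


def check_maps(postconf_text, root=""):
    """Return {source_path: status} for every hash:/btree: map referenced.

    root is prepended to each path so the check can run against a copy of
    the configuration directory (hypothetical convenience parameter).
    """
    status = {}
    for path in MAP_REF.findall(postconf_text):
        src, db = root + path, root + path + ".db"
        if not os.path.exists(db):
            # The case in the thread: smtpd logs "open database ... No such
            # file or directory" and answers RCPT with 451 4.3.5.
            status[path] = "missing .db (run postmap)"
        elif os.path.exists(src) and os.path.getmtime(src) > os.path.getmtime(db):
            # Source edited after the last postmap run: lookups use old data.
            status[path] = "stale .db (re-run postmap)"
        else:
            status[path] = "ok"
    return status


if __name__ == "__main__":
    for path, state in check_maps(SAMPLE_POSTCONF).items():
        print(f"{path}: {state}")
```

On a live host, pass the real output of `postconf -n` as `postconf_text`.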

Benny Pedersen

Mar 14, 2013, 9:05:23 AM
Viktor Dukhovni wrote on 2013-03-13 18:54:

> Sometimes it is easier to have only a subset of valid recipients
> admitted
> via "permit_auth_destination", so "reject_unauth_destination" would
> reject the rest, and one adds the remaining recipients above. Such
> configurations are safe, but uncommon.

is it possible to replace OK with permit_auth_destination, in C code?

useful or not I don't know, will it break anything?

Benny Pedersen

Mar 14, 2013, 9:09:10 AM
Archangel wrote on 2013-03-13 20:45:
> here's the output of the grep command on mail.log:
> Mar 12 17:13:01 mediaserver postfix/smtpd[12785]: error: open
> database /etc/postfix/filtered_domains.db: No such file or directory

postmap /etc/postfix/filtered_domains
