relay denied in postfix
Tim Dunphy
I've done some googling on this, and often people do site this setting as a potential cause of this situation. Here's mine, although nothing seems to stand out:
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
Here is the output of postconf -n
root@mail:~# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
delay_warning_time = 4h
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps =
mailbox_size_limit = 0
masquerade_domains = mail.example.com example.com !sub.dyndomain.com
masquerade_exceptions = root
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
mydestination =
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
myorigin = example.com
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 16
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
Another potential trouble area may be that I can't seem to telnet to port 25 remotely from my work station:
[me@home:~] #telnet mail.example.com 25
Trying xx.xx.xx.xx..
telnet: connect to address xx.xx.xx.xx: Operation timed out
telnet: Unable to connect to remote host
As mentioned this is an amazon EC2 instance, but I have opened up port 25 on the security groups and made sure that ufw (the ubuntu firewall) was not running on the instance.
I'd definitely appreciate your esteemed advice on this!
Thanks,
Tim
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Tim Dunphy
Mar 16 02:27:58 mail postfix/smtpd[22335]: connect from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]
Mar 16 02:27:59 mail postfix/smtpd[22335]: Anonymous TLS connection established from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 16 02:27:59 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]: 454 4.7.1 <bluet...@example.com>: Relay access denied; from=<reg.gi3tqmjyge4dama-bluethundr=examp...@returns.bulk.external.com> to=<bluet...@example.com> proto=ESMTP helo=<n11-vm3.bullet.mail.bf1.external.com>
Mar 16 02:27:59 mail postfix/smtpd[22335]: disconnect from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]
Mar 16 02:30:55 mail postfix/smtpd[22335]: connect from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]
Mar 16 02:30:55 mail postfix/smtpd[22335]: Anonymous TLS connection established from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 16 02:30:55 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]: 454 4.7.1 <bluet...@example.com>: Relay access denied; from=<reg.gi3tqmjyge4dama-bluethundr=examp...@returns.bulk.external.com> to=<bluet...@example.com> proto=ESMTP helo=<n11-vm3.bullet.mail.bf1.external.com>
Mar 16 02:30:55 mail postfix/smtpd[22335]: disconnect from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]
Mar 16 02:31:41 mail postfix/smtpd[22335]: connect from nm48.bullet.mail.ne1.external.com[98.138.120.55]Mar 16 02:31:41 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from nm48.bullet.mail.ne1.external.com[98.138.120.55]: 454 4.7.1 <bluet...@example.com>: Relay access denied; from=<blueth...@external.com> to=<bluet...@example.com> proto=SMTP helo=<nm48.bullet.mail.ne1.external.com>Mar 16 02:31:41 mail postfix/smtpd[22335]: disconnect from nm48.bullet.mail.ne1.external.com[98.138.120.55]
Mar 16 02:33:24 mail postfix/smtpd[22335]: connect from nm48.bullet.mail.ne1.external.com[98.138.120.55]
Mar 16 02:33:24 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from nm48.bullet.mail.ne1.external.com[98.138.120.55]: 454 4.7.1 <bluet...@example.com>: Relay access denied; from=<blueth...@external.com> to=<bluet...@example.com> proto=SMTP helo=<nm48.bullet.mail.ne1.external.com>
Mar 16 02:33:24 mail postfix/smtpd[22335]: disconnect from nm48.bullet.mail.ne1.external.com[98.138.120.55]
And here's an example from gmail
Mar 16 02:23:20 mail postfix/smtpd[21652]: NOQUEUE: reject: RCPT from mail-la0-f48.google.com[209.85.215.48]: 454 4.7.1 <bluet...@example.com>: Relay access denied; from=<bluet...@external.com> to=<bluet...@example.com> proto=ESMTP helo=<mail-la0-f48.google.com>
Mar 16 02:35:01 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from mail-lb0-f177.google.com[209.85.217.177]: 454 4.7.1 <bluet...@example.com>: Relay access denied; from=<bluet...@external.com> to=<bluet...@example.com> proto=ESMTP helo=<mail-lb0-f177.google.com>
OK, so it seems as if I'm in the home stretch! What do I need to alter in my postfix configuration to get this mail server rocking?
Thanks!
Tim
Noel Jones
> Hey all,
> But it appears that mail IS making its way to the mail server, but
> being rejected once it arrives.
>
> Here's an example of a mail rejected from yahoo
>
>
> from n11-vm3.bullet.mail.bf1.external.com
> 4.7.1 <bluet...@example.com <mailto:bluet...@example.com>>:
> <mailto:examp...@returns.bulk.external.com>>
> to=<bluet...@example.com <mailto:bluet...@example.com>>
> proto=ESMTP helo=<n11-vm3.bullet.mail.bf1.external.com
> <http://n11-vm3.bullet.mail.bf1.external.com>>
Postfix doesn't know it should accept mail for example.com.
example.com must be listed in *one* of mydestination, relay_domains,
virtual_mailbox_domains, virtual_alias_domains, depending on where
the mail is to be delivered.
http://www.postfix.org/ADDRESS_CLASS_README.html
http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/SOHO_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html
-- Noel Jones
Tim Dunphy
Postfix doesn't know it should accept mail for example.com.
example.com must be listed in *one* of mydestination, relay_domains,
virtual_mailbox_domains, virtual_alias_domains, depending on where
the mail is to be delivered.
mysql> select * from domains;
+------+-----------------------+-----------+---------+
| pkid | domain | transport | enabled |
+------+-----------------------+-----------+---------+
| 1 | localhost | virtual: | 1 |
| 2 | localhost.localdomain | virtual: | 1 |
| 3 | example.com | virtual: | 1 |
| 4 | mail.example.com | virtual: | 1 |
| 5 | example2.com | virtual: | 1 |
| 6 | mail.example2.com | virtual: | 1 |
+------+-----------------------+-----------+---------+
6 rows in set (0.00 sec)
It seems that postfix is able to read from the database, as would be evidenced of my being able to receive emails to accounts that are stored in the db. So why it's unable to read from the domains list is a bit puzzling.
Here's my current postconf -n output if anyone would like to help with advice on why virtual domains aren't working as desired.
[root@mail:~] #postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
delay_warning_time = 4h
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps =
mailbox_size_limit = 0
masquerade_domains = mail.jokefire.com jokefire.com !sub.dyndomain.com
masquerade_exceptions = root
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
mydestination = mail.jokefire.com jokefire.com
myhostname = mail.jokefire.com
mynetworks = 127.0.0.0/8 mail.jokefire.com
mynetworks_style = host
myorigin = jokefire.com
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 16
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = mysql:/etc/postfix/mysql_transport.cf
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_uid_maps = static:5000
Thanks!
Tim
Noel Jones
> Guys,
>
> For some reason gmail decided to shunt this conversation into my
> spam folder. So, sorry if I've missed any of your replies.
>
> At any rate I had a perusal of the digest form of the list and found
> this reply from Noel:
>
> Postfix doesn't know it should accept mail for example.com
> example.com <http://example.com/> must be listed in *one* of
> virtual_mailbox_domains, virtual_alias_domains, depending on where
> the mail is to be delivered.
>
>
>
> So my thanks to Noel. I set 'mydestination' to example.com
> roundcube webmail interface. Neat!
>
> However one thing that's still puzzling me is that my routing needs
> SHOULD be covered by my virtual_mailbox_domains setting, as best I
> would know.
Do not list your domain in more than one place, otherwise postfix
will log warnings and various things may not work as expected.
Apparently your virtual_mailbox_domains lookup isn't working. Test
your lookup with:
postmap -q example.com mysql:/etc/postfix/mysql_domains.cf
Listed domains should return a result -- any non-empty result is
considered valid.
Nothing should be printed when testing unlisted domains.
-- Noel Jones
bluet...@jokefire.com
> will log warnings and various things may not work as expected.
>
> Apparently your virtual_mailbox_domains lookup isn't working. Test
> your lookup with:
> postmap -q example.com mysql:/etc/postfix/mysql_domains.cf
>
> Listed domains should return a result -- any non-empty result is
> considered valid.
>
> Nothing should be printed when testing unlisted domains.
[root@mail:/etc/postfix] #postmap -q example.com
mysql:/etc/postfix/mysql_domains.cf
[root@mail:/etc/postfix] #postmap -q example.com
mysql:/etc/postfix/mysql_mailbox.cf
[root@mail:/etc/postfix] #postmap -q example.com
mysql:/etc/postfix/mysql_alias.cf
[root@mail:/etc/postfix] #postmap -q example.com
mysql:/etc/postfix/mysql_transport.cf
I actually tried testing all my mysql conf files this way and no info
was returned from any of them!
And I do have postfix-mysql installed.
[root@mail:/etc/postfix] #dpkg -l | grep postfix
ii postfix 2.10.2-1
amd64 High-performance mail transport agent
ii postfix-mysql 2.10.2-1
amd64 MySQL map support for Postfix
I'm wondering if there is some flaw in my config that is preventing
postfix from reading from the db? I'd really appreciate any advice you
might have n getting postfix to interface with mysql.
Thanks
Tim
Noel Jones
what response postfix expects.
Maybe someone else can help with your sql queries. Start a new
thread asking about this specific problem.
-- Noel Jones
Sergei
> I'm wondering if there is some flaw in my config that is preventing
> postfix from reading from the db? I'd really appreciate any advice you
> might have n getting postfix to interface with mysql.
and running the query. You might get some useful error messages from MySQL.
bluet...@jokefire.com
> what response postfix expects.
>
> Maybe someone else can help with your sql queries. Start a new
> thread asking about this specific problem.
shortly I'm sure. I actually used flurdy's postfix guide for the whole
thing. I sort of doubt the SQL is to blame. Maybe more of an Ubuntu
specific install issue where postfix can't communicate with the
database. Maybe I'll hit up the ubuntu forums with this problem at some
point.
Thanks again,
Tim
>> postfix from reading from the db? I'd really appreciate any advice
>> you might have n getting postfix to interface with mysql.
>>
bluet...@jokefire.com
> Try the connection specified in the files manually by logging as that
> exact user
> and running the query. You might get some useful error messages from
> MySQL.
specified to retrieve domain info in my postfix setup. Here's what the
file looks like:
[root@mail:/etc/postfix] #cat mysql_domains.cf
user=mail
password=secret
dbname=maildb
table=domains
select_field=domain
where_field=domain
hosts=127.0.0.1
additional_conditions = and enabled = 10
And I'm able to pull the info from the command line using the query
specified in the file:
[root@mail:/etc/postfix] #mysql -umail -p -h 127.0.0.1 maildb -e "select
domain from domains where domain like 'example.com'"
Enter password:
+--------------+
| domain |
+--------------+
| example.com |
+--------------+
Yet, nothing is still returned by querying the file using postmap:
[root@mail:/etc/postfix] #postmap -q example.com
mysql:/etc/postfix/mysql_domains.cf
[root@mail:/etc/postfix] #
Thanks,
Tim
Sergei
> user=mail
> password=secret
> dbname=maildb
> table=domains
> select_field=domain
> where_field=domain
> hosts=127.0.0.1
> additional_conditions = and enabled = 10
user = mail
password = secret
hosts = 127.0.0.1
dbname = maildb
query = SELECT * FROM domains WHERE domain='%s'
You might want to try this instead.
Viktor Dukhovni
query = SELECT domain FROM domains WHERE domain='%s' AND enabled = 10
there is no need to select all the columns. (No idea what the
significance of "enabled = 10" is, except that seemingly this is
what the OP wants or perhaps it is the reason why no results are
returned).
--
Viktor.
bluet...@jokefire.com
causing the problems. Instead of 'enabled = 10' should be 'enabled = 1'.
LOL
user = mail
password = secret
hosts = 127.0.0.1
dbname = maildb
Using the above query works fine with postfix:
3,example.com,virtual:,1
Once again, thank you ALL for your suggestions. Glad we got this one
solved.
Tim
bluet...@jokefire.com
better:
[root@mail:/etc/postfix] #cat mysql_domains.cf
password=secret
dbname=maildb
table=domains
select_field=domain
where_field=domain
hosts=127.0.0.1
additional_conditions = and enabled = 1
As opposed to the following output:
[root@mail:/etc/postfix] #postmap -q example.com
> mysql:/etc/postfix/mysql_domains.cf
> 3,example.com,virtual:,1
> user = mail
> password = secret
> hosts = 127.0.0.1
> dbname = maildb
> query = SELECT * FROM domains WHERE domain='%s' AND enabled = 1
Viktor Dukhovni
> > Better:
> >
> > query = SELECT domain FROM domains WHERE domain='%s' AND enabled = 10
> >
> > there is no need to select all the columns. (No idea what the
> > significance of "enabled = 10" is, except that seemingly this is
> > what the OP wants or perhaps it is the reason why no results are
> > returned).
>
> better:
> [root@mail:/etc/postfix] #postmap -q example.com
> >mysql:/etc/postfix/mysql_domains.cf
> >3,example.com,virtual:,1
> Using this syntax:
>
> >user = mail
> >password = secret
> >hosts = 127.0.0.1
> >dbname = maildb
> >query = SELECT * FROM domains WHERE domain='%s' AND enabled = 1
--
Viktor.
bluet...@jokefire.com
> On Sun, Mar 16, 2014 at 10:04:38PM -0400, bluet...@jokefire.com
> wrote:
>
>> > Better:
>> >
>> > query = SELECT domain FROM domains WHERE domain='%s' AND enabled = 10
>> >
>> > there is no need to select all the columns. (No idea what the
>> > significance of "enabled = 10" is, except that seemingly this is
>> > what the OP wants or perhaps it is the reason why no results are
>> > returned).
>>
>> Actually I should probably point out that the original syntax does
>> work
>> better:
>
> Inattention to detail!
>
>> [root@mail:/etc/postfix] #postmap -q example.com
>> >mysql:/etc/postfix/mysql_domains.cf
>> >3,example.com,virtual:,1
>
> Because you're selecting all the columns.
>
>> Using this syntax:
>>
>> >user = mail
>> >password = secret
>> >hosts = 127.0.0.1
>> >dbname = maildb
>> >query = SELECT * FROM domains WHERE domain='%s' AND enabled = 1
>
> See above. The syntax you're using is obsolete. Use "query = ...".
with my setup. It works. I'm keeping it. Appreciate the advice!
Tim