smtp host : Relay access denied


(OP)
I've just built a Postfix server in Amazon EC2 with an elastic IP. And I found that while I can connect to and send emails to my mail server when I telnet to localhost, when I telnet to the external FQDN I get relay denied.

I'll first demonstrate success, then failure.

CODE

root@mail:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix (Ubuntu)
HELO mail.example.com
250 mail.example.com
MAIL FROM: <bluethundr@external.com>
250 2.1.0 Ok
RCPT TO: <bluethundr@example.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test to internal localhost
.
250 2.0.0 Ok: queued as B97CA24B8B
quit

And the logs confirm success:

CODE

Mar 15 19:27:35 mail postfix/smtpd[5294]: B97CA24B8B: client=localhost[127.0.0.1]
Mar 15 19:28:18 mail postfix/cleanup[5306]: B97CA24B8B: message-id=<20140315192735.B97CA24B8B@mail.example.com>
Mar 15 19:28:18 mail postfix/qmgr[5221]: B97CA24B8B: from=<bluethundr@external.com>, size=356, nrcpt=1 (queue active)
Mar 15 19:28:18 mail postfix/cleanup[5306]: AD51725096: message-id=<20140315192735.B97CA24B8B@mail.example.com>
Mar 15 19:28:18 mail amavis[3401]: (03401-09) Passed BAD-HEADER-1 {RelayedOutbound,Quarantined}, LOCAL [127.0.0.1]:58766 [127.0.0.1] <bluethundr@external.com> -> <bluethundr@example.com>, quarantine: W/badh-WyjD4kEQ4Mls, Queue-ID: B97CA24B8B, Message-ID: <20140315192735.B97CA24B8B@mail.example.com>, mail_id: WyjD4kEQ4Mls, Hits: -, size: 356, queued_as: AD51725096, 140 ms
Mar 15 19:28:18 mail postfix/smtp[5317]: B97CA24B8B: to=<bluethundr@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=51, delays=51/0.03/0/0.16, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as AD51725096)
Mar 15 19:28:18 mail postfix/qmgr[5221]: B97CA24B8B: removed 

However, if I telnet to the externally available FQDN (from the mail server) I get a relay denied error:

CODE

root@mail:~# telnet mail.example.com 25
Trying xx.xx.xx.xx...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix (Ubuntu)
HELO mail.example.com
250 mail.example.com
MAIL FROM: <bluethundr@external.com>
250 2.1.0 Ok
RCPT TO: <bluethundr@example.com>
454 4.7.1 <bluethundr@example.com>: Relay access denied 

In the logs when I try to telnet to the FQDN, I see this:

CODE

Mar 15 19:38:00 mail postfix/smtpd[5392]: NOQUEUE: reject: RCPT from unknown[xx.xx.xx.xx]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<bluethundr@external.com> to=<bluethundr@example.com> proto=SMTP helo=<mail.example.com> 

I've done some googling on this, and often people do cite this setting as a potential cause of this situation. Here's mine:

CODE

smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,  reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit 

Here is the output of postconf -n

CODE

root@mail:~# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
delay_warning_time = 4h
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps =
mailbox_size_limit = 0
masquerade_domains = mail.example.com example.com !sub.dyndomain.com
masquerade_exceptions = root
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
mydestination =
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
myorigin = example.com
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 16
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes

Another potential trouble area may be that I can't seem to telnet to port 25 remotely from my work station:

CODE

[me@home:~] #telnet mail.example.com 25
Trying xx.xx.xx.xx..
telnet: connect to address xx.xx.xx.xx: Operation timed out
telnet: Unable to connect to remote host


As mentioned, this is an Amazon EC2 instance, but I have opened up port 25 on the security groups and made sure that ufw (the Ubuntu firewall) was not running on the instance.

I'd definitely appreciate your esteemed advice on this!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apollo: “I will not serve under a man who questions my integrity.”

Adama: “And I won’t have an officer under my command who doesn’t have any.”


This is my public RSA key: F186197B
Key fingerprint = 4341 204A FC44 11E2 3F7D 2B00 AF72 A4E6 F186 197B
GPG me!!!

RE: smtp host : Relay access denied

(OP)
Hey all,

I fixed the problem with being able to access the FQDN of the mail host via telnet from the command line by editing mynetworks to contain the name of the mail host:

CODE

mynetworks = 127.0.0.0/8 mail.exmaple.com 

But it appears that mail IS making its way to the mail server, but being rejected once it arrives.

Here's an example of a mail rejected from yahoo

CODE

Mar 16 02:27:58 mail postfix/smtpd[22335]: connect from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]
Mar 16 02:27:59 mail postfix/smtpd[22335]: Anonymous TLS connection established from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 16 02:27:59 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<reg.gi3tqmjyge4dama-bluethundr=example.com@returns.bulk.external.com> to=<bluethundr@example.com> proto=ESMTP helo=<n11-vm3.bullet.mail.bf1.external.com>
Mar 16 02:27:59 mail postfix/smtpd[22335]: disconnect from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]
Mar 16 02:30:55 mail postfix/smtpd[22335]: connect from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]
Mar 16 02:30:55 mail postfix/smtpd[22335]: Anonymous TLS connection established from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 16 02:30:55 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<reg.gi3tqmjyge4dama-bluethundr=example.com@returns.bulk.external.com> to=<bluethundr@example.com> proto=ESMTP helo=<n11-vm3.bullet.mail.bf1.external.com>
Mar 16 02:30:55 mail postfix/smtpd[22335]: disconnect from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]
Mar 16 02:31:41 mail postfix/smtpd[22335]: connect from nm48.bullet.mail.ne1.external.com[98.138.120.55]
Mar 16 02:31:41 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from nm48.bullet.mail.ne1.external.com[98.138.120.55]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<bluethundr609@external.com> to=<bluethundr@example.com> proto=SMTP helo=<nm48.bullet.mail.ne1.external.com>
Mar 16 02:31:41 mail postfix/smtpd[22335]: disconnect from nm48.bullet.mail.ne1.external.com[98.138.120.55]
Mar 16 02:33:24 mail postfix/smtpd[22335]: connect from nm48.bullet.mail.ne1.external.com[98.138.120.55]
Mar 16 02:33:24 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from nm48.bullet.mail.ne1.external.com[98.138.120.55]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<bluethundr609@external.com> to=<bluethundr@example.com> proto=SMTP helo=<nm48.bullet.mail.ne1.external.com>
Mar 16 02:33:24 mail postfix/smtpd[22335]: disconnect from nm48.bullet.mail.ne1.external.com[98.138.120.55]

And here's an example from gmail

CODE

Mar 16 02:23:20 mail postfix/smtpd[21652]: NOQUEUE: reject: RCPT from mail-la0-f48.google.com[209.85.215.48]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<bluethundr@external.com> to=<bluethundr@example.com> proto=ESMTP helo=<mail-la0-f48.google.com>
Mar 16 02:35:01 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from mail-lb0-f177.google.com[209.85.217.177]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<bluethundr@external.com> to=<bluethundr@example.com> proto=ESMTP helo=<mail-lb0-f177.google.com>


OK, so it seems as if I'm in the home stretch! What do I need to alter in my postfix configuration to get this mail server rocking?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apollo: “I will not serve under a man who questions my integrity.”

Adama: “And I won’t have an officer under my command who doesn’t have any.”


This is my public RSA key: F186197B
Key fingerprint = 4341 204A FC44 11E2 3F7D 2B00 AF72 A4E6 F186 197B
GPG me!!!
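
Added example, not part of the original posts: a Python sketch of how Postfix's relay check treats the configuration posted above, showing why a 127.0.0.1 client is permitted while outside clients get `454 4.7.1`. The `virtual_mailbox_domains = example.com` line is a hypothetical change (which address class fits depends on how mail for the domain is delivered), and treating the unlisted `relay_domains` and `virtual_*_domains` as empty is an assumption.

```python
import ipaddress
import re

# Constructed excerpt of the posted `postconf -n` output (relay-relevant lines only).
# relay_domains / virtual_*_domains are not in that output: treated as empty (assumption).
POSTED = """\
mydestination =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
"""
DEST_PARAMS = ("mydestination", "relay_domains", "virtual_alias_domains", "virtual_mailbox_domains")

def parse(text):
    """Turn 'name = value' lines into {name: [tokens]}."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {k.strip(): [t for t in re.split(r"[,\s]+", v) if t] for k, _, v in pairs}

def trusted(cfg, client_ip):
    """permit_mynetworks: is the client inside a literal mynetworks entry?"""
    ip = ipaddress.ip_address(client_ip)
    for entry in cfg.get("mynetworks", []):
        try:
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""))
        except ValueError:
            continue  # table lookups and other non-literal entries: out of scope here
        if ip in net:
            return True
    return False

def dest_class(cfg, rcpt):
    """Parameter that literally lists the recipient's domain (no table lookups), or None."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    hits = [n for n in DEST_PARAMS if domain in (d.lower() for d in cfg.get(n, []))]
    return hits[0] if hits else None

def relay_check(cfg, client_ip, rcpt, sasl=False):
    """Walk smtpd_relay_restrictions left to right; the first decisive rule wins."""
    for rule in cfg.get("smtpd_relay_restrictions", []):
        if rule == "permit_mynetworks" and trusted(cfg, client_ip):
            return "permit"
        if rule == "permit_sasl_authenticated" and sasl:
            return "permit"
        if rule.endswith("_unauth_destination") and dest_class(cfg, rcpt) is None:
            return "454 defer" if rule.startswith("defer") else "554 reject"
    return "permit"  # nothing objected; smtpd_recipient_restrictions are evaluated next

if __name__ == "__main__":
    fixed = parse(POSTED + "virtual_mailbox_domains = example.com\n")  # hypothetical change
    for cfg in (parse(POSTED), fixed):
        print(relay_check(cfg, "209.85.215.48", "bluethundr@example.com"))
```

Declaring the domain as a destination leaves `mynetworks` narrow, so outside clients can deliver to example.com but still cannot relay to other domains through the server.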
