Score:0

Postfix: "relay access denied" for all incoming mail?

pr flag

I'm attempting to set up a small mail server with Postfix, Dovecot, and MySQL (MariaDB) on Debian. I've also configured SSL with Let's Encrypt.

So far I haven't set up rDNS, DKIM, DMARC, SPF, etc. (which I will still attempt later), but sending e-mails with the mail command already works great. They don't end up in spam or get rejected.

Receiving mail doesn't work! Here's the error message from /var/log/mail.log:

Jan 13 09:27:39 [hostname] postfix/smtpd[1016]: connect from mx1.riseup.net[198.252.153.129]
Jan 13 09:27:40 [hostname] postfix/smtpd[1016]: NOQUEUE: reject: RCPT from mx1.riseup.net[198.252.153.129]: 554 5.7.1 <info@[domain].net>: Relay access denied; from=<[user]@riseup.net> to=<info@[domain].net> proto=ESMTP helo=<mx1.riseup.net>
Jan 13 09:27:40 [hostname] postfix/smtpd[1016]: disconnect from mx1.riseup.net[198.252.153.129] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

riseup.net is the email provider that I sent the message from for testing purposes. I also tried Gmail with the same outcome.

I've set up A/AAAA records for [hostname].[domain].net, as well as an MX record for [hostname].[domain].net.

My /etc/hosts file looks as follows:

127.0.0.1   localhost.localdomain localhost
127.0.1.1   [hostname].[domain].net [hostname] # FQDN


# The following lines are desirable for IPv6 capable hosts
::1     localhost localhost.localdomain ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

#
1.1.1.1          [hostname].[domain].net [hostname] [domain].net www.[domain].net
11::11::11::11   [hostname].[domain].net [hostname] [domain].net www.[domain].net

The FQDN on the second line is required by my VPS provider to later setup rDNS and DKIM.

Here's my /etc/postfix/main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2



# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/[hostname].[domain].net/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/[hostname].[domain].net/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtp_tls_security_level=may
smtpd_tls_security_level=may
smtpd_sasl_security_options=noanonymous,noplaintext
smtpd_sasl_tls_security_options=noanonymous
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Authentication
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

# Restrictions
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unlisted_recipient,
        reject_unauth_destination
smtpd_sender_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        defer_unauth_destination


myhostname = [hostname].[domain].net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydomain = [domain].net
myorigin = $mydomain
mydestination = $myhostname, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all


# Even more Restrictions and MTA params
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
#smtpd_etrn_restrictions = reject
#smtpd_reject_unlisted_sender = yes
#smtpd_reject_unlisted_recipient = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
#smtpd_hard_error_limit = 1
smtpd_timeout = 30s
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h

# Reply Rejection Codes
invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

Is the relay access problem maybe related to the mail server domain being [hostname].[domain].net, but the user email address info@[domain].net?

Virtual users (currently only info) are set up in the MySQL database, which stores their username, encrypted password, and mail storage path. I haven't set up any aliases.

Any suggestions?

Thank you.

Score:1
jp flag

Your mydestination only has the FQDN of your server ($myhostname), but not your domain. Try adding $mydomain, e.g.,

mydestination = $mydomain, $myhostname, localhost, localhost.localdomain

For virtual_alias_domains, you must specify every user in virtual_alias_maps, and for virtual_mailbox_domains in virtual_mailbox_maps; not just the [email protected].

Also, all your restrictions are missing the final permit.

From postconf(5) smtpd_client_restrictions:

permit

Permit the request. This restriction is useful at the end of a restriction list, to make the default policy explicit.

E.g.,

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    reject_unauth_destination,
    permit
St4rb0y
pr flag
This unfortunately didn't help! Same result - `relay access denied` - after adding the `permit`s and restarting Postfix.
jp flag
I've added a couple more suggestions.
St4rb0y
pr flag
Thanks, I found the problem. Your suggestion about the virtual_mailbox_domains and _maps made me realize what I forgot! Adding `$mydomain` to `mydestination` was discouraged by Dovecot so I removed it.
Score:0
pr flag

Since Postfix has to fish the virtual mailbox domains, virtual mailbox maps, and virtual aliases information from different tables within a MySQL database (in my case), I needed to create and provide a configuration file for each one.

Changes made to /etc/postfix/main.cf:

mydestination = $myhostname, localhost

# ...

# Handling of local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp

# Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
        mysql:/etc/postfix/mysql-virtual-email2email.cf

All these config files have the same structure:

user = database_user
password = database_user_password
hosts = 127.0.0.1
dbname = database_name
query = MySQL query that gets the relevant information from a specific table
jp flag
BTW, your "Here's my /etc/postfix/main.cf:" was missing all the MySQL related configuration parameters as well as the MySQL config files. This would have been impossible to solve without this missing information.
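To make the thread's outcome concrete, here is an added example (not code from the thread or from Postfix) that models the two checks behind the accepted answer and the self-answer: reject_unlisted_recipient and reject_unauth_destination, following the address classes described in postconf(5). It assumes example.net / mail.example.net as placeholders for [domain].net / [hostname].[domain].net and a constructed set of local Unix users; it shows why the original main.cf produced "Relay access denied", why adding $mydomain to mydestination alone would instead reject the recipient as unknown, and why the virtual_mailbox_* maps fix it.

```python
# Added example, not code from the thread: a small model of how Postfix
# decides whether to accept RCPT TO, following the address classes that
# postconf(5) describes for reject_unlisted_recipient and
# reject_unauth_destination. example.net stands in for [domain].net.
from dataclasses import dataclass, field

@dataclass
class Config:
    mydestination: set = field(default_factory=set)
    local_recipient_maps: set = field(default_factory=set)   # local parts
    virtual_mailbox_domains: set = field(default_factory=set)
    virtual_mailbox_maps: set = field(default_factory=set)   # full addresses
    virtual_alias_domains: set = field(default_factory=set)
    virtual_alias_maps: set = field(default_factory=set)     # full addresses
    relay_domains: set = field(default_factory=set)

def check_recipient(cfg: Config, rcpt: str) -> str:
    """SMTP reply for RCPT TO:<rcpt>, in the order used in the question:
    reject_unlisted_recipient runs before reject_unauth_destination."""
    rcpt = rcpt.lower()
    user, _, domain = rcpt.rpartition("@")
    # reject_unlisted_recipient: the domain is ours but the mailbox is unknown.
    # An address listed in virtual_alias_maps (the email2email map in the
    # self-answer) always passes here; Postfix expands the alias later.
    if rcpt not in cfg.virtual_alias_maps:
        if domain in cfg.mydestination and user not in cfg.local_recipient_maps:
            return f"550 5.1.1 <{rcpt}>: User unknown in local recipient table"
        if domain in cfg.virtual_mailbox_domains and rcpt not in cfg.virtual_mailbox_maps:
            return f"550 5.1.1 <{rcpt}>: User unknown in virtual mailbox table"
        if domain in cfg.virtual_alias_domains:
            return f"550 5.1.1 <{rcpt}>: User unknown in virtual alias table"
    # reject_unauth_destination: the domain is in none of our address classes,
    # so accepting the message would turn this server into an open relay.
    ours = (cfg.mydestination | cfg.virtual_mailbox_domains
            | cfg.virtual_alias_domains | cfg.relay_domains)
    if domain not in ours:
        return f"554 5.7.1 <{rcpt}>: Relay access denied"
    return "250 2.1.5 Ok"

# Three states of the thread (constructed values): the original main.cf, the
# first answer's mydestination change (no Unix user "info"), the final fix.
LOCAL = {"root", "postmaster"}
ORIGINAL = Config(mydestination={"mail.example.net", "localhost"}, local_recipient_maps=LOCAL)
MYDEST_FIX = Config(mydestination={"example.net", "mail.example.net", "localhost"},
                    local_recipient_maps=LOCAL)
VIRTUAL_FIX = Config(mydestination={"mail.example.net", "localhost"},
                     local_recipient_maps=LOCAL,
                     virtual_mailbox_domains={"example.net"},
                     virtual_mailbox_maps={"info@example.net"},
                     virtual_alias_maps={"info@example.net"})
```

On a real server the equivalent check is `postmap -q "[domain].net" mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf` and `postmap -q "info@[domain].net" mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf`: if either lookup returns nothing, Postfix will still answer RCPT with "Relay access denied" regardless of the restriction lists.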