I have a mail server (Postfix/Dovecot) set up with the following configuration: email goes to a local mailbox for each virtual user, and is also forwarded to a Google Apps address (e.g. user@domain.org.test-google-a.com).
This all works correctly and mail is delivered to the server mailbox & to Google.
However, a weird problem is showing up in the logs. After the server routes the mail, it then receives a connection from the Google Apps servers referencing the email they have just recieved – which it rejects as "Relay access denied". I'm not certain why this is happening and what sort of response Google is sending.
It's not a major issue, but I am intrigued as to what it is… I have a suspicion it is something really obvious I have overlooked, but my search-fu is eluding me!
Example (sanitised) mail log:
Mar 20 13:51:03 services postfix/pipe[15363]: 076BF13A005: to=<123@domain.org>, relay=dovecot, delay=0.93, delays=0.45/0.01/0/0.47, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 20 13:51:04 services postfix/smtp[15364]: 076BF13A005: to=<123@domain.org.test-google-a.com>, orig_to=<123@domain.org>, relay=gmail-smtp-in.l.google.com[173.194.78.27]:25, delay=1.1, delays=0.45/0.01/0.09/0.57, dsn=2.0.0, status=sent (250 2.0.0 OK 1363787301 fu5si2128331wib.94 - gsmtp)
Mar 20 13:51:04 services postfix/qmgr[20596]: 076BF13A005: removed
Mar 20 13:51:05 services postfix/smtpd[15356]: connect from mail-la0-f69.google.com[209.85.215.69]
Mar 20 13:51:05 services postfix/smtpd[15356]: NOQUEUE: reject: RCPT from mail-la0-f69.google.com[209.85.215.69]: 554 5.7.1 <123@domain.org.test-google-a.com>: Relay access denied; from=<xyz@origin.com> to=<123@domain.org.test-google-a.com> proto=ESMTP helo=<mail-la0-f69.google.com>
Mar 20 13:51:05 services postfix/smtpd[15356]: disconnect from mail-la0-f69.google.com[209.85.215.69]
And postconf -n output:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases,hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mailman_destination_recipient_limit = 1
mydestination = (localservername), localhost.(localservername), www.$mydomain, localhost
mydomain = domain.org
myhostname = (localservername)
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 localhost
myorigin = /etc/mailname
owner_request_special = no
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
Best Answer
"connect from" indicates a client connection to your server. See this link for configuring client restrictions. Essentially, you've asked
postfixfor this behavior with:mail-la0-f69.google.com[209.85.215.69] is not in:
nor is it
sasl authenticated, causing it fallback to the final option,reject_unauth_destination.