Postfix Relay Access Denied, was working, no changes

postfix smtp

An old time problem that I just can't seem to trace down to the cause.

I'm getting

Jun 24 16:23:05 mail postfix/smtpd[1496]: connect from mail-qk0-f174.google.com[209.85.220.174]
Jun 24 16:23:05 mail postfix/smtpd[1496]: NOQUEUE: reject: RCPT from mail-qk0-f174.google.com[209.85.220.174]: 554 5.7.1 <dan@devexnj.us>: Relay access denied; from=<user@gmail.com> to=<user@myserver.com> proto=ESMTP helo=<mail-qk0-f174.google.com>
Jun 24 16:23:05 mail postfix/smtpd[1496]: disconnect from mail-qk0-f174.google.com[209.85.220.174] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7

And all incoming mail from non-localhost is getting rejected. My postfix main.cf can be found below. I have tried various options for the smtp settings, but I can't stop inbound mail from being rejected. Strangely, I haven't changed any settings and it was working just fine the other day.

All help is appreciated.

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no

# Basic configuration
# myhostname =
alias_maps = texthash:/etc/aliases
alias_database = texthash:/etc/aliases
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 46.33.82.220/32
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.mailserver.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.mailserver.com/privkey.pem
#smtpd_tls_CAfile=
#smtp_tls_CAfile=
smtpd_tls_security_level = may
smtpd_use_tls=yes
smtp_tls_security_level = may
smtp_tls_loglevel = 1
tls_ssl_options = NO_COMPRESSION
tls_high_cipherlist=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_CApath = /etc/ssl/certs

# Settings to prevent SPAM early
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf,
    reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service inet:127.0.0.1:10023
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain

# SASL
smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

# Mail directory
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp
virtual_mailbox_domains = /etc/postfix/vhost
virtual_mailbox_maps = texthash:/etc/postfix/vmailbox
virtual_alias_maps = texthash:/etc/postfix/virtual

# Additional option for filtering
content_filter = smtp-amavis:[127.0.0.1]:10024

# Milters used by DKIM
milter_protocol = 6
milter_default_action = accept
dkim_milter = inet:localhost:8891
dmarc_milter = inet:localhost:8893
smtpd_milters = $dkim_milter,$dmarc_milter
non_smtpd_milters = $dkim_milter

# SPF policy settings
policyd-spf_time_limit = 3600
myhostname = mail.mailserver.com
mydomain = mailserver.com

Best Answer

554 5.7.1 <dan@devexnj.us>: Relay access denied;

This error message suggests that devexnj.us is not within mydestination, virtual_alias_domains or virtual_mailbox_domains; the address is not handled locally, as it tries to relay instead.

From the configuration we can see that:

  1. The mydestination is forced empty; no $mydomain here. This might be on purpose, so there's probably nothing wrong with that.
  2. virtual_mailbox_domains = /etc/postfix/vhost means that you must have the domain listed in vhost plus the address listed in virtual_mailbox_maps = texthash:/etc/postfix/vmailbox. (The default setting of virtual_mailbox_domains would require only the latter.)
  3. virtual_alias_maps = texthash:/etc/postfix/virtual with the default virtual_alias_domains = $virtual_alias_maps would work if the address was listed in virtual.

If you have the address correctly in either 2. or 3., this may be the cause:

texthash (read-only)

A table that produces similar results as hash: files, except that you don't have to run the postmap(1) command before you can use the file, and that texthash: does not detect changes after the file is read. The lookup table name is texthash:filename, where the file name is taken literally; no suffix is appended.

So you have either

  • removed the address and restarted Postfix later, causing the change to take effect only now or
  • you have added the address but the change hasn't been applied because the file was already read before the change.

Check these files and restart when they are ok. I'd recommend using hash: instead of texthash: because that way you don't need to restart Postfix, but postmap alone is enough for applying the changes.
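
The check described in point 2 of the answer above, as an added example that is not part of the original answer: it reads "Relay access denied" rejects in the log format shown in the question and compares each recipient with the contents of the vhost and vmailbox files. The function names, the sample data and the one-domain-per-line vhost layout are assumptions made for this example.

```python
import re

# Matches the smtpd reject line format shown in the question's log.
REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from (\S+?)\[[^\]]*\]: "
    r"554 5\.7\.1 <([^>]+)>: Relay access denied"
)

def table_keys(text):
    """Lookup keys of a texthash-style file: first field of each entry line."""
    keys = set()
    for line in text.splitlines():
        # Skip blanks, comments, and continuation lines (leading whitespace).
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue
        keys.add(line.split()[0].lower())
    return keys

def diagnose(log_text, vhost_text, vmailbox_text):
    """Map each relay-denied recipient to what the on-disk files say about it."""
    domains = table_keys(vhost_text)      # assumed layout: one domain per line
    mailboxes = table_keys(vmailbox_text)
    findings = {}
    for _client, rcpt in REJECT.findall(log_text):
        rcpt = rcpt.lower()
        domain = rcpt.rpartition("@")[2]
        if domain not in domains:
            findings[rcpt] = "domain missing from virtual_mailbox_domains file"
        elif rcpt not in mailboxes:
            findings[rcpt] = "address missing from virtual_mailbox_maps file"
        else:
            # Files are correct, yet Postfix rejected: it has not reread them.
            findings[rcpt] = "listed on disk: restart Postfix to reread the files"
    return findings

# Constructed sample data (not taken from the question).
_LINE = ("Jun 24 16:23:05 mail postfix/smtpd[1496]: NOQUEUE: reject: RCPT from "
         "mx.example.net[192.0.2.10]: 554 5.7.1 <{0}>: Relay access denied; "
         "from=<s@example.net> to=<{0}> proto=ESMTP helo=<mx.example.net>")
SAMPLE_LOG = "\n".join(
    _LINE.format(a)
    for a in ("alice@example.org", "Bob@example.org", "carol@example.com"))
SAMPLE_VHOST = "# constructed\nexample.org\n"
SAMPLE_VMAILBOX = "# constructed\nalice@example.org example.org/alice/\n"

if __name__ == "__main__":
    for rcpt, msg in diagnose(SAMPLE_LOG, SAMPLE_VHOST, SAMPLE_VMAILBOX).items():
        print(f"{rcpt}: {msg}")
```

On a live server the three inputs would be the mail log, /etc/postfix/vhost and /etc/postfix/vmailbox from the question's configuration.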