Postfix/SMTPD – Relay Access Denied When Sending Outside Network

outlook postfix smtpd

I asked a very similar question some 4 or 5 months ago, but haven't tracked down a suitable answer. I decided to post a new question so that I can …
a) Post updated info
b) post my most current postconf -n output

When a user sends mail from inside the network (via webmail) to email addresses both inside and outside the network, the email is delivered. When a user with an email account on the system sends mail from outside the network, using the server as the relay, to addresses inside the network, the email is delivered.

But [sometimes] when a user connects via SMTPD to send email to an external address, a Relay Access Denied error is returned:

Feb 25 19:33:49 myers postfix/smtpd[8044]: NOQUEUE: reject: RCPT from host-68-169-158-182.WISOLT2.epbfi.com[68.169.158.182]: 554 5.7.1 <host-68-169-158-182.WISOLT2.epbfi.com[68.169.158.182]>: Client host rejected: Access denied; from=<me@my-domain.com> to=<me@gmail.com> proto=ESMTP helo=<my-computer-name>
Feb 25 19:33:52 myers postfix/smtpd[8044]: disconnect from host-68-169-158-182.WISOLT2.epbfi.com[68.169.158.182]

Sending this through Microsoft Outlook 2003 generates the above log. However, sending through my iPhone, with the exact same settings, goes through fine:

Feb 25 19:37:18 myers postfix/qmgr[3619]: A2D861302C9: from=<me@my-domain.com>, size=1382, nrcpt=1 (queue active)
Feb 25 19:37:18 myers amavis[2799]: (02799-09) FWD via SMTP: <me@my-domain.com> -> <me@gmail.com>,BODY=7BIT 250 2.0.0 Ok, id=02799-09, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A2D861302C9
Feb 25 19:37:18 myers amavis[2799]: (02799-09) Passed CLEAN, [68.169.158.182] [68.169.158.182] <me@my-domain.com> -> <me@gmail.com>, Message-ID: <C14ABC90-D288-4C9C-801B-EBFE0DDF57E8@my-domain.com>, mail_id: yMLvzVQJloFV, Hits: -9.607, size: 897, queued_as: A2D861302C9, 6283 ms
Feb 25 19:37:18 myers postfix/lmtp[8752]: 2ED3A1302C8: to=<me@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.6, delays=0.25/0.01/0.19/6.1, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=02799-09, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A2D861302C9)
Feb 25 19:37:18 myers postfix/qmgr[3619]: 2ED3A1302C8: removed

Outgoing Settings on Outlook 2003 match the settings on my iPhone:
SMTP server: mail.my-domain.com
Username: My full email address
Uses SSL
Server Port 587

Now, here's postconf -n. I realize the "My Networks" Parameter is a bit nasty. I have these IP addresses in here for just this reason, as others have been complaining of this problem too:

alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydestination = $myhostname, localhost, localhost.$mydomain
mydomain = my-domain.com
myhostname = myers.my-domain.com
mynetworks = 127.0.0.0/8, 74.125.113.27, 74.125.82.49, 74.125.79.27, 209.85.161.0/24, 209.85.214.0/24, 209.85.216.0/24, 209.85.212.0/24, 209.85.160.0/24
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_bind_address = my-primary-server's IP address
smtpd_banner = mail.my-domain.com
smtpd_helo_required = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/mailserver/postfix.pem
smtpd_tls_key_file = /etc/ssl/mailserver/private/postfix.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 554
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000

If anyone has any ideas and can help me finally solve this issue once and for all, I'd be eternally grateful.

Best Answer

My issue was not in the postfix configuration file at all. The issue was in Dovecot's authentication. There's a section like this in /etc/dovecot.conf:

auth default {
  # Space separated list of wanted authentication mechanisms:
  # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi
  # NOTE: See also disable_plaintext_auth setting.
  mechanisms =

[snip]

}

My issue was that mechanisms was only set to plain, when it also needed "login", like this:

auth default {
mechanisms = plain login

[snip]
}

This issue has honestly been eluding me for months, but I have now solved it - and I have a working cert now too!
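
An added example, not part of the original answer: it shows why a server that advertises only PLAIN fails a client that attempts only LOGIN, and how the two mechanisms differ on the wire. The EHLO replies are constructed, the function names are hypothetical, and the assumption that the failing client tries only LOGIN is inferred from the fix described above.

```python
import base64

# Constructed EHLO reply on port 587 after STARTTLS, with mechanisms = plain.
EHLO_BEFORE = """250-mail.my-domain.com
250-PIPELINING
250-SIZE 20480000
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250 8BITMIME"""
# Same reply once Dovecot is set to mechanisms = plain login.
EHLO_AFTER = (EHLO_BEFORE.replace("AUTH PLAIN", "AUTH PLAIN LOGIN")
                         .replace("AUTH=PLAIN", "AUTH=PLAIN LOGIN"))

def advertised_mechanisms(ehlo_reply):
    """Return the SASL mechanisms listed on the AUTH lines of an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        keyword = line[4:]  # drop the "250-" or "250 " prefix
        # "AUTH=" is the legacy form added by broken_sasl_auth_clients = yes.
        if keyword.upper().startswith(("AUTH ", "AUTH=")):
            mechs.update(m.upper() for m in keyword[5:].split())
    return mechs

def pick_mechanism(client_supports, ehlo_reply):
    """First client-preferred mechanism the server offers, else None."""
    offered = advertised_mechanisms(ehlo_reply)
    return next((m for m in client_supports if m in offered), None)

def auth_plain(user, password):
    """AUTH PLAIN: one base64 blob of authzid NUL authcid NUL password."""
    blob = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    return ["AUTH PLAIN " + blob]

def auth_login(user, password):
    """AUTH LOGIN: username and password sent as separate base64 lines."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return ["AUTH LOGIN", b64(user), b64(password)]

if __name__ == "__main__":
    # Both mechanisms are only base64-encoded, not encrypted, which is
    # why smtpd_tls_auth_only = yes matters in the configuration above.
    for name, reply in (("before", EHLO_BEFORE), ("after", EHLO_AFTER)):
        print(name, "LOGIN-only client picks:", pick_mechanism(["LOGIN"], reply))
        print(name, "PLAIN-first client picks:",
              pick_mechanism(["PLAIN", "LOGIN"], reply))
```

A client with no mechanism in common with the server sends its mail unauthenticated, so the server treats it as any other outside host asking to relay.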