Postfix with relayhost – relay access denied for bounces

Tags: email, email-bounces, postfix, smtp

I have set up a Postfix mail server; outgoing mail is sent through a smarthost/relayhost which requires authentication. That works great: internal clients can send to foreign recipients through this relayhost.

However, when an external mail for a local, non-existent user arrives at the server, postfix tries to send a non-delivery notification to the sender. This mail is also sent through the relayhost obviously, but it fails with error 554 5.7.1 : Relay access denied

This gets logged to the mail.log:

Nov  9 10:26:42 mail postfix/local[5051]: 6568CC1383: to=<test@mydomain.com>, relay=local, delay=0.13, delays=0.02/0.02/0/0.09, dsn=5.1.1, status=bounced (unknown user: "test")
Nov  9 10:26:42 mail postfix/cleanup[5045]: 85DF9BFECD: message-id=<20131109092642.85DF9BFECD@mail.mydomain.com>
Nov  9 10:26:42 mail postfix/qmgr[4912]: 85DF9BFECD: from=<>, size=3066, nrcpt=1 (queue active)
Nov  9 10:26:42 mail postfix/bounce[5052]: 6568CC1383: sender non-delivery notification: 85DF9BFECD
Nov  9 10:26:42 mail postfix/qmgr[4912]: 6568CC1383: removed
Nov  9 10:26:43 mail postfix/smtp[5053]: 85DF9BFECD: to=<xyz@somebody.com>, relay=mail.provider.com[168.84.25.111]:587, delay=0.48, delays=0.02/0.01/0.26/0.18, dsn=5.7.1, status=bounced (host mail.provider.com[168.84.25.111] said: 554 5.7.1 <xyz@somebody.com>: Relay access denied (in reply to RCPT TO command))
Nov  9 10:26:43 mail postfix/qmgr[4912]: 85DF9BFECD: removed 

According to this error, I suppose that Postfix does not log in to the relayhost when sending those bounces. Why? Normal outgoing mail works just fine.

This is what my main.cf looks like: http://pastebin.com/Uu1Dryxy
And of course /etc/postfix/sasl_password contains the correct credentials for the relayhost.

Thanks in advance!

Best Answer

Bounce messages intentionally do not have a sender address. This is to prevent email loops. Sending email without an address has been used to send spam, intentionally or not. If your relay requires you to provide credentials before sending to verify the sender, it will not be able to verify the sender for bounce messages.

You can avoid the issue of not being able to send out bounce messages after accepting the message by bouncing the message before accepting it. Bouncing a message after receipt is a source of backscatter spam. It is common for spam to have faked source addresses. By accepting the message before bouncing it, you will be spamming the faked address rather than rejecting the incoming message.

One way to avoid backscatter spam is to use BATV (bounce address tag validation). This adds a signed value to the return path. Only legitimate bounce messages should have this signature, so other bounces from the Internet can be ignored.

EDIT: It is no longer unusual to quietly drop emails to invalid addresses. This prevents the receiving system from being classified as a spam source when it sends backscatter spam. Postfix accepts all recipients by default, and is therefore prone to producing backscatter spam. If possible, I would recommend enabling recipient verification. I prefer Exim, which rejects mail for unknown recipients by default.
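
To measure how much backscatter a server like the one in the question produces, the sketch below correlates queue IDs in mail.log so that each null-sender notification is paired with the accepted message that caused it. It is an added example, not part of the original question or answer; the function name and record fields are assumptions of this example, and the sample input is the log excerpt from the question.

```python
import re
# Log excerpt copied from the question on this page.
SAMPLE_LOG = """\
Nov  9 10:26:42 mail postfix/local[5051]: 6568CC1383: to=<test@mydomain.com>, relay=local, delay=0.13, delays=0.02/0.02/0/0.09, dsn=5.1.1, status=bounced (unknown user: "test")
Nov  9 10:26:42 mail postfix/cleanup[5045]: 85DF9BFECD: message-id=<20131109092642.85DF9BFECD@mail.mydomain.com>
Nov  9 10:26:42 mail postfix/qmgr[4912]: 85DF9BFECD: from=<>, size=3066, nrcpt=1 (queue active)
Nov  9 10:26:42 mail postfix/bounce[5052]: 6568CC1383: sender non-delivery notification: 85DF9BFECD
Nov  9 10:26:42 mail postfix/qmgr[4912]: 6568CC1383: removed
Nov  9 10:26:43 mail postfix/smtp[5053]: 85DF9BFECD: to=<xyz@somebody.com>, relay=mail.provider.com[168.84.25.111]:587, delay=0.48, delays=0.02/0.01/0.26/0.18, dsn=5.7.1, status=bounced (host mail.provider.com[168.84.25.111] said: 554 5.7.1 <xyz@somebody.com>: Relay access denied (in reply to RCPT TO command))
Nov  9 10:26:43 mail postfix/qmgr[4912]: 85DF9BFECD: removed
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)")
DELIVERY = re.compile(
    r"to=<([^>]*)>.*?relay=([^,]+),.*?dsn=([\d.]+), status=(\w+) \((.*)\)$")
NOTIFY = re.compile(r"sender non-delivery notification: ([0-9A-F]+)")

def find_backscatter(log_text):
    """Pair each null-sender bounce notification with the mail that caused it."""
    parent = {}          # notification queue id -> queue id of the bounced mail
    null_sender = set()  # queue ids whose envelope sender is <>
    deliveries = {}      # queue id -> [(to, relay, dsn, status, text), ...]
    for raw in log_text.splitlines():
        m = LINE.search(raw.rstrip())
        if not m:
            continue
        svc, qid, rest = m.groups()
        note = NOTIFY.search(rest) if svc == "bounce" else None
        attempt = DELIVERY.search(rest)
        if note:
            parent[note.group(1)] = qid
        elif svc == "qmgr" and rest.startswith("from=<>"):
            null_sender.add(qid)
        elif attempt:
            deliveries.setdefault(qid, []).append(attempt.groups())
    report = []
    for note_qid, orig_qid in parent.items():
        if note_qid not in null_sender:
            continue  # only count notifications confirmed as from=<>
        causes = [(to, text) for to, _, _, status, text
                  in deliveries.get(orig_qid, []) if status == "bounced"]
        for to, relay, dsn, status, text in deliveries.get(note_qid, []):
            report.append({"notification": note_qid, "original": orig_qid,
                           "causes": causes, "notified": to, "relay": relay,
                           "dsn": dsn, "status": status, "reply": text})
    return report

if __name__ == "__main__":
    print(find_backscatter(SAMPLE_LOG))
```

Each record in the report is a message that was accepted and only afterwards bounced to an unverified sender address, which is the backscatter pattern the answer describes.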