Hi all, I'm getting a "Relay access denied" error when my main web server attempts to relay mail through my main mail server to outside domains. The web server also functions as a secondary MX (and this seems to work). Here is the main mail server configuration:
[root@home ~]# postconf -nf address_verify_map = btree:$data_directory/verify_cache alias_database = $alias_maps alias_maps = hash:/etc/aliases, hash:/usr/local/mailman/data/aliases broken_sasl_auth_clients = yes command_directory = /usr/local/sbin config_directory = /usr/local/etc/postfix daemon_directory = /usr/local/libexec/postfix data_directory = /var/db/postfix debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 >$config_directory/$process_name.$process_id.log & sleep 5 fast_flush_domains = $relay_domains header_checks = pcre:/usr/local/etc/postfix/header_checks home_mailbox = Maildir/ html_directory = /usr/local/share/doc/postfix in_flow_delay = 1s inet_interfaces = 127.0.0.1, [::1], 10.8.0.1, 50.250.218.162, [2001:470:67:119::4] inet_protocols = ipv4, ipv6 lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3 lmtp_tls_protocols = !SSLv2 !SSLv3 local_destination_concurrency_limit = 2 mail_owner = postfix mailbox_command_maps = hash:/usr/local/etc/postfix/mailbox_commands mailq_path = /usr/bin/mailq manpage_directory = /usr/share/man message_size_limit = 20971520 mydestination = localhost, localhost.$mydomain, cybernude.org, mail.cybernude.org, munich.cybernude.org, vegan.cybernude.org, www.cybernude.org, disunitedstates.com, mail.disunitedstates.com, munich.disunitedstates.com, vegan.disunitedstates.com, www.disunitedstates.com, disunitedstates.org, mail.disunitedstates.org, munich.disunitedstates.org, vegan.disunitedstates.org, www.disunitedstates.org, greybeard95a.com, mail.greybeard95a.com, munich.greybeard95a.com, vegan.greybeard95a.com, www.greybeard95a.com, n4rky.me, mail.n4rky.me, munich.n4rky.me, vegan.n4rky.me, www.n4rky.me, parts-unknown.org, mail.parts-unknown.org, munich.parts-unknown.org, www.parts-unknown.org, vegan.parts-unknown.org, n4rky.parts-unknown.org, carolb.parts-unknown.org, home.parts-unknown.org, humansci.org, home.humansci.org, 
mail.humansci.org, vegan.humansci.org, www.humansci.org, humanscience.institute, home.humanscience.institute, mail.humanscience.institute, vegan.humanscience.institute, www.humanscience.institute, reykjavik.parts-unknown.org, reykjavik2.parts-unknown.org mydomain = parts-unknown.org myhostname = mail.parts-unknown.org mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.0/24, 10.8.0.0/16, 50.250.218.0/28, [2001:470:67:119::]/64 mynetworks_style = subnet myorigin = $myhostname newaliases_path = /usr/local/bin/newaliases postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr postscreen_bare_newline_action = enforce postscreen_blacklist_action = drop postscreen_dnsbl_action = enforce postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 postscreen_dnsbl_threshold = 3 postscreen_dnsbl_whitelist_threshold = -1 postscreen_greet_action = enforce queue_directory = /var/spool/postfix queue_run_delay = 200s readme_directory = /usr/local/share/doc/postfix recipient_delimiter = + sample_directory = /usr/local/etc/postfix sendmail_path = /usr/local/sbin/sendmail setgid_group = maildrop smtp_bind_address = 50.250.218.162 smtp_tls_ciphers = medium smtp_tls_key_file = /var/www/ssl/home-2015-03-23/privateKey.key smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 smtp_tls_note_starttls_offer = yes smtp_tls_protocols = !SSLv2, !SSLv3 smtp_use_tls = yes smtpd_authorized_verp_clients = $mynetworks smtpd_banner = $myhostname ESMTP $mail_name smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre smtpd_command_filter = 
pcre:/etc/postfix/append_verp.pcre smtpd_peername_lookup = no smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,check_sender_access hash:/etc/postfix/sender_access,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spamcop.net,check_policy_service unix:private/spf-policy smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $mydomain smtpd_sasl_path = /var/spool/postfix/private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = $smtpd_sasl_security_options smtpd_sasl_type = dovecot smtpd_sender_restrictions = check_recipient_access hash:/usr/local/etc/postfix/restrict smtpd_tls_auth_only = yes smtpd_tls_cert_file = /var/www/ssl/home-2015-03-23/ssl-concatenated-w-key.crt smtpd_tls_dh1024_param_file = /usr/local/etc/ssl/dhparams.pem smtpd_tls_eecdh_grade = strong | ultra smtpd_tls_loglevel = 3 smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, ADH, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 smtpd_tls_protocols = !SSLv2 !SSLv3 smtpd_tls_security_level = may spf-policy_time_limit = 3600 tls_eecdh_strong_curve = prime256v1 tls_eecdh_ultra_curve = secp384r1 unknown_local_recipient_reject_code = 550 Here is the configuration on the web server: address_verify_map = btree:$data_directory/verify_cache alias_database = $alias_maps alias_maps = hash:/etc/aliases, hash:/usr/local/mailman/data/aliases broken_sasl_auth_clients = yes command_directory = /usr/local/sbin config_directory = /usr/local/etc/postfix daemon_directory = /usr/local/libexec/postfix data_directory = /var/db/postfix debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 >$config_directory/$process_name.$process_id.log & 
sleep 5 fast_flush_domains = $relay_domains header_checks = pcre:/usr/local/etc/postfix/header_checks home_mailbox = Maildir/ html_directory = /usr/local/share/doc/postfix in_flow_delay = 1s inet_interfaces = 127.0.0.1, [::1], 50.250.218.164 inet_protocols = ipv4, ipv6 lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3 lmtp_tls_protocols = !SSLv2 !SSLv3 local_destination_concurrency_limit = 2 mail_owner = postfix mailbox_command_maps = hash:/usr/local/etc/postfix/mailbox_commands mailq_path = /usr/bin/mailq manpage_directory = /usr/share/man message_size_limit = 20971520 mydestination = localhost, localhost.$mydomain mydomain = parts-unknown.org myhostname = vegan.parts-unknown.org mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.0/24, 10.8.0.0/16, 50.250.218.0/28, [2001:470:67:2b5::]/64 mynetworks_style = subnet myorigin = $myhostname newaliases_path = /usr/local/bin/newaliases postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr postscreen_bare_newline_action = enforce postscreen_blacklist_action = drop postscreen_dnsbl_action = enforce postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 postscreen_dnsbl_threshold = 3 postscreen_dnsbl_whitelist_threshold = -1 postscreen_greet_action = enforce queue_directory = /var/spool/postfix queue_run_delay = 200s readme_directory = /usr/local/share/doc/postfix recipient_delimiter = + relay_domains = cybernude.org, mail.cybernude.org, munich.cybernude.org, vegan.cybernude.org, www.cybernude.org, disunitedstates.com, mail.disunitedstates.com, munich.disunitedstates.com, vegan.disunitedstates.com, www.disunitedstates.com, disunitedstates.org, 
mail.disunitedstates.org, munich.disunitedstates.org, vegan.disunitedstates.org, www.disunitedstates.org, greybeard95a.com, mail.greybeard95a.com, munich.greybeard95a.com, vegan.greybeard95a.com, www.greybeard95a.com, n4rky.me, mail.n4rky.me, munich.n4rky.me, vegan.n4rky.me, www.n4rky.me, parts-unknown.org, mail.parts-unknown.org, munich.parts-unknown.org, www.parts-unknown.org, vegan.parts-unknown.org, n4rky.parts-unknown.org, carolb.parts-unknown.org, home.parts-unknown.org, humansci.org, home.humansci.org, mail.humansci.org, vegan.humansci.org, www.humansci.org, humanscience.institute, home.humanscience.institute, mail.humanscience.institute, vegan.humanscience.institute, www.humanscience.institute, humanscienceinstitute.org, home.humanscienceinstitute.org, mail.humanscienceinstitute.org, vegan.humascienceinstitute.org, www.humanscienceinstitute.org, humanscienceinstitute.com, home.humanscienceinstitute.com, mail.humanscienceinstitute.com, vegan.humascienceinstitute.com, www.humanscienceinstitute.com, reykjavik.parts-unknown.org, reykjavik2.parts-unknown.org relayhost = mail.parts-unknown.org sample_directory = /usr/local/etc/postfix sendmail_path = /usr/local/sbin/sendmail setgid_group = maildrop smtp_bind_address = 50.250.218.164 smtp_bind_address6 = 2001:470:67:2b5::4 smtp_tls_ciphers = medium smtp_tls_key_file = /var/www/ssl/vegan-2015-03-24/privateKey.key smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 smtp_tls_note_starttls_offer = yes smtp_tls_protocols = !SSLv2, !SSLv3 smtp_use_tls = yes smtpd_banner = $myhostname ESMTP $mail_name smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre smtpd_peername_lookup = no smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,check_sender_access hash:/etc/postfix/sender_access,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spamcop.net,check_policy_service unix:private/spf-policy 
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $mydomain smtpd_sasl_path = /var/spool/postfix/private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = $smtpd_sasl_security_options smtpd_sasl_type = dovecot smtpd_sender_restrictions = check_recipient_access hash:/usr/local/etc/postfix/restrict smtpd_tls_auth_only = yes smtpd_tls_cert_file = /var/www/ssl/vegan-2015-03-24/ssl-concatenated-w-key.crt smtpd_tls_dh1024_param_file = /usr/local/etc/ssl/dhparams.pem smtpd_tls_eecdh_grade = strong | ultra smtpd_tls_loglevel = 3 smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, ADH, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 smtpd_tls_protocols = !SSLv2 !SSLv3 smtpd_tls_security_level = may spf-policy_time_limit = 3600 tls_eecdh_strong_curve = prime256v1 tls_eecdh_ultra_curve = secp384r1 unknown_local_recipient_reject_code = 550

A sample log entry on the web server (with email address obscured):

May 25 07:52:18 vegan postfix/smtp[33049]: 17457F040DA9: to=<x...@gmail.com>, relay=mail.parts-unknown.org[50.250.218.162]:25, delay=241020, delays=241020/0.04/0.59/0.02, dsn=4.7.1, status=deferred (host mail.parts-unknown.org[50.250.218.162] said: 454 4.7.1 <x...@gmail.com>: Relay access denied (in reply to RCPT TO command))

The corresponding entry on the mail server:

May 25 07:52:18 home postfix/smtpd[55825]: NOQUEUE: reject: RCPT from unknown[50.250.218.164]: 454 4.7.1 <x...@gmail.com>: Relay access denied; from=<w...@vegan.parts-unknown.org> to=<x...@gmail.com> proto=ESMTP helo=<vegan.parts-unknown.org>

Both systems are FreeBSD, running postfix from the port, version postfix-3.1.1,1. What other information do I need to supply? What is wrong?

Thanks!

--
David Benfell, Ph.D.
benf...@parts-unknown.org