hyperion8

Recipient address rejected: Relay access denied. How do I fix this?

I have a Fedora Core 7 server using the Postfix SMTP server. I am getting the following error when I try to send an email via an email client (thunderbird/outlook):

The mail server responded 5.7.1: Recipient address rejected: Relay access denied.

I can receive mail fine, just not send. In the email client I have selected authentication for outgoing using full email address as username.

Below is the output of my main.cf and master.cf as well as the output of the maillog when I attempt to send a message.

Can anyone help me fix this error so I can send mail? Thanks!
Output of tail -f /var/log/maillog:
 
Mar 29 18:15:53 ip-72-167-163-127 postfix/smtpd[11644]: warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
Mar 29 18:15:53 ip-72-167-163-127 postfix/smtpd[11644]: connect from 216-164-169-108.c3-0.tlg-ubr4.atw-tlg.pa.cable.rcn.com[216.164.169.108]
Mar 29 18:15:53 ip-72-167-163-127 postfix/smtpd[11644]: setting up TLS connection from 216-164-169-108.c3-0.tlg-ubr4.atw-tlg.pa.cable.rcn.com[216.164.169.108]
Mar 29 18:15:55 ip-72-167-163-127 postfix/smtpd[11644]: Anonymous TLS connection established from 216-164-169-108.c3-0.tlg-ubr4.atw-tlg.pa.cable.rcn.com[216.164.169.108]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 29 18:15:55 ip-72-167-163-127 postfix/smtpd[11644]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead
Mar 29 18:15:55 ip-72-167-163-127 postfix/smtpd[11644]: NOQUEUE: reject: RCPT from 216-164-169-108.c3-0.tlg-ubr4.atw-tlg.pa.cable.rcn.com[216.164.169.108]: 554 5.7.1 <[email address]>: Recipient address rejected: Relay access denied; from=<[email address]> to=<[email address]> proto=ESMTP helo=<[127.0.0.1]>
Mar 29 18:15:57 ip-72-167-163-127 postfix/smtpd[11644]: disconnect from 216-164-169-108.c3-0.tlg-ubr4.atw-tlg.pa.cable.rcn.com[216.164.169.108]
 
 
main.cf
 
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
 
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
 
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.6/samples
readme_directory = /usr/share/doc/postfix-2.3.6/README_FILES
smtpd_sasl_local_domain = 
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated check_relay_domains
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sasl_authenticated_header = yes
relayhost = k2smtpout.secureserver.net
myorigin = $mydomain
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
 
 
master.cf
 
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd -o content_filter=spamassassin
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       nqmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
spamassassin
          unix  -       n       n       -       -       pipe
  user=nobody argv=/usr/bin/spamc -f
                   -e /usr/sbin/sendmail.postfix 
                   -oi -f ${sender} ${recipient}
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
discard   unix  -       -       n       -       -       discard
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
retry     unix  -       -       n       -       -       error
proxywrite unix -       -       n       -       1       proxymap

cohenphil

I've been monitoring both your questions.
Can you confirm saslauthd has been started (ps wax | grep saslauthd)?

You should get a result similar to
942?      S    1:07 /usr/sbin/saslauthd -m /var/run/saslauthd/mux  -a shadow

Could you also repost your entire main.cf with comments included (I'm trying to work out if you just have bad formatting or you're actually missing some variables, it's a little hard to follow :) )

e.g. in this config you're missing "mydomain" yet on line 48 you reference myorigin = $mydomain (however in your other question [https://www.experts-exchange.com/questions/23278991/Postfix-SMTP-server-refusing-outside-connections.html]
you have mydomain defined on line 3 ?? -- which should just be your FQDN I might add.)
then you should define your host name using myhostname = mail.[mydomain.net]

once again in this config I don't see mynetworks?.... Maybe I should wait until I get the current config :) however I'll keep posting whilst it's fresh in my mind

Now for your SASL config.. firstly try and keep it all together (makes it easy to diag and refer to in case you need to check the config - rather than me (you) having to scroll up and down looking for all your settings). Whilst I'm at it, are you sure your line 33 is correct?
I think it should read: smtpd_sasl_local_domain = $myhostname

So formatted nicely it should read..
# ENABLE SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

Now I also don't see any section for relay_domains (maybe you have it commented out so it's not posted..?) either way please paste this below "relay_domains = "
smtpd_recipient_restrictions =  permit_sasl_authenticated,  permit_mynetworks, check_relay_domains

Ok now save and reload postfix.

Try again and let me know your results... (don't forget to give me your complete main.cf)

Cheers,
Phil

P.S. Do I get points for both questions if I solve it :)



hyperion8

ASKER

Thanks for your response. Yes I have changed the config since my first post, sorry!  It looks like the service is started.

9340       root       /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 2
9341       root       /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 2

I made the changes you suggested but got the same error.  Here is the entire main.cf.
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
 
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
 
mydomain = ip-72-167-163-127.ip.secureserver.net
hostname = mail.pharmati.net
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.6/samples
readme_directory = /usr/share/doc/postfix-2.3.6/README_FILES
 
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
relay_domains = 
smtpd_recipient_restrictions =  permit_sasl_authenticated,  permit_mynetworks, check_relay_domains
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sasl_authenticated_header = yes
relayhost = k2smtpout.secureserver.net
myorigin = $mydomain
smtpd_use_tls = yes

Have you added your credentials to /etc/postfix/sasl_passwd?

say your username is hyperion and your password is secretpass.

open /etc/postfix/sasl_passwd and add your credentials. so when you have saved it check it with cat

cat /etc/postfix/sasl_passwd
you should get
k2smtpout.secureserver.net      hyperion:secretpass
Oh yeah whoops you'll need to enable sasl server auth support too!!!

add the following!

# SASL SERVERS AUTH
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
and of course RELOAD postfix!! with: postfix reload

Try again :)

Ok, I'll give that a try, but why would I want to put my password in there? I want the authentication to be checked when a user logs in through smtp.

ok still getting that 5.7.1 error after trying that.
here is what the log is saying when I try to send an email
Mar 29 22:47:15 ip-72-167-163-127 postfix/smtpd[15708]: connect from 216-164-169-108.c3-0.tlg-ubr4.atw-tlg.pa.cable.rcn.com[216.164.169.108]
Mar 29 22:47:15 ip-72-167-163-127 postfix/smtpd[15708]: setting up TLS connection from 216-164-169-108.c3-0.tlg-ubr4.atw-tlg.pa.cable.rcn.com[216.164.169.108]
Mar 29 22:47:15 ip-72-167-163-127 postfix/smtpd[15708]: Anonymous TLS connection established from 216-164-169-108.c3-0.tlg-ubr4.atw-tlg.pa.cable.rcn.com[216.164.169.108]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 29 22:47:16 ip-72-167-163-127 postfix/smtpd[15708]: NOQUEUE: reject: RCPT from 216-164-169-108.c3-0.tlg-ubr4.atw-tlg.pa.cable.rcn.com[216.164.169.108]: 554 5.7.1 <[email address]>: Recipient address rejected: Relay access denied; from=<[email address]> to=<[email address]> proto=ESMTP helo=<[127.0.0.1]>
Mar 29 22:47:17 ip-72-167-163-127 postfix/smtpd[15708]: disconnect from 216-164-169-108.c3-0.tlg-ubr4.atw-tlg.pa.cable.rcn.com[216.164.169.108]

please change mydomain = ip-72-167-163-127.ip.secureserver.net
 to
mydomain = pharmati.net

and directly under it to MYhostname instead of just hostname

I've got to hit the hay - I'm buggered.. (I'll pick this up in the morn) sorry

cheers, phil

ok I'll give that a try. thanks for all your help so far.

ok same result after doing that. I tried this, I added a domain name in the relay_domains line, such as

relay_domains = gmail.com

When I do that, I am able to send an email to a gmail address.

So how do I set relay_domains to allow ALL/ANY domains?
and setting it to "relay_domains = all" doesn't work
nor does leaving it blank

the reason you're not able to relay is that you're still not authenticating.

when I connect to your server via telnet I don't see any
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
S: 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI

which is displayed when your server offers the use of SMTP AUTH.

I'm thinking SASL isn't configured correctly still!

please post config again :)

ok here's the latest. I made some changes since last time, just trying different things.
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
 
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
 
mydomain = pharmati.net
myhostname = mail.pharmati.net
inet_interfaces = all
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.6/samples
readme_directory = /usr/share/doc/postfix-2.3.6/README_FILES
smtp_sasl_auth_enable = yes
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#smtp_sasl_security_options =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.$mydomain, www.$mydomain, ftp.$mydomain, csns01.$mydomain
relay_domains = $inet_interfaces, $myhostname, $mydestination, gmail.com
smtpd_recipient_restrictions =  permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_sender_restrictions = permit
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sasl_authenticated_header = yes
relayhost = k2smtpout.secureserver.net
myorigin = $mydomain
smtpd_use_tls = yes

one thing I forgot to ask: what are you trying to authenticate your users against? LDAP, system accounts, a MySQL db etc?

since I just noticed your saslauthd is running with PAM (/usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 2),
have you configured smtpd.conf with the following contents:
pwcheck_method: pam

then in your main.cf add
smtpd_sasl_path = smtpd

also, please hash out line 26. smtp_sasl_auth_enable = yes (you have it above on line 23)

alternatively since saslauthd is running as root let's try configuring it to use shadow
Can you once again edit smtpd.conf with the following contents:
pwcheck_method: saslauthd

and launch saslauthd like this
/usr/sbin/saslauthd -m /var/run/saslauthd/  -a shadow
 reload postfix and try again

Sorry about all the config changes.. I think your system is running 1/2 one auth method and 1/2 another :)

any chance of remote access ;)

Ok let's get back to basics and make sure saslauthd is working
you should also be able to test your saslauthd with
testsaslauthd -u username -p password

you should get
 0: OK "Success."

please advise if this works.

I'm just trying to authenticate them based on their email address/password for their email account. I made all the changes you suggested and still getting the relay error. How can I send you info for remote access? Don't want to post it here.

and when I did the testsaslauthd, I did get 0: OK "Success."

check my profile for a link to contact me. Pass it through there and I'll take a look

Glad the testsaslauth is working.

I'm about to head into work for a while so I might have to get back to you in a bit.. Let's hope we can nut this one out within the next 24hrs.

Cheers,
Phil

ok I'll send over the info. thanks for all your help.
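
The symptoms discussed in this thread can be checked mechanically. The following auditor is an added example, not part of any poster's message and not Postfix tooling. Its sample main.cf and maillog text is constructed (condensed from what was posted, with a placeholder host and addresses), and the finding labels are made up for the example.

```python
import re

# Constructed sample input, condensed from the main.cf and maillog quoted in the thread.
MAIN_CF = """\
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
relay_domains = $inet_interfaces, $myhostname, $mydestination, gmail.com
smtpd_recipient_restrictions =  permit_sasl_authenticated, permit_mynetworks, check_relay_domains
relayhost = k2smtpout.secureserver.net
"""
MAILLOG = """\
Mar 29 18:15:53 host postfix/smtpd[11644]: warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
Mar 29 18:15:55 host postfix/smtpd[11644]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead
Mar 29 18:15:55 host postfix/smtpd[11644]: NOQUEUE: reject: RCPT from client[192.0.2.10]: 554 5.7.1 <user@example.com>: Recipient address rejected: Relay access denied
"""

def parse_main_cf(text):
    """Parse main.cf: 'name = value'; continuation lines start with whitespace."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            params[name] = value
    return params

def split_list(value):
    return [v for v in re.split(r"[,\s]+", value) if v]

def audit(cf_text, log_text):
    cf, findings = parse_main_cf(cf_text), []
    rcpt = split_list(cf.get("smtpd_recipient_restrictions", ""))
    if "SASL support is not compiled in" in log_text:
        findings.append("NO_SASL: smtpd cannot offer AUTH, so permit_sasl_authenticated never matches")
    if "check_relay_domains" in rcpt:
        findings.append("DEPRECATED: replace check_relay_domains with reject_unauth_destination")
    # Assumption: literal (non-$variable) entries in relay_domains are outside domains.
    foreign = [d for d in split_list(cf.get("relay_domains", "")) if not d.startswith("$")]
    if foreign:
        findings.append("RELAY_EXPOSURE: unauthenticated clients may relay to " + ", ".join(foreign))
    if cf.get("smtp_sasl_auth_enable") == "yes" and "smtp_sasl_password_maps" not in cf:
        findings.append("CLIENT_SASL: smtp_sasl_* is the outbound client side (to relayhost) and has no password map")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(MAIN_CF, MAILLOG)))
```

The RELAY_EXPOSURE finding is the one to act on first: a domain listed in relay_domains is an authorized destination for every client, authenticated or not.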