SMTP relay question using postfix

Posted on 2007-08-01
Last Modified: 2013-11-30
I am having trouble allowing access to my SMTP server for a remote site.  We are using postfix and have some rules set up to prevent relaying/spamming.  I have added this remote site as an OK in our smtpd_recipient_restrictions and smtpd_client_restrictions as well as listing their static IP as an acceptable relay domain (relay_domains = $mydestination, $mynetworks, XXX.YYY.ZZZ.AAA).  The remote is getting an SMTP error (they can check mail successfully).
Question by:ryanbubu

    Expert Comment

    relay_domains is the parameter for listing the domains the MTA relays for.  For example, may be hosted at the server, but may be a different division but you want to send it to the appropriate mail server. Ordinarily that mail will be dropped; adding it to the relay_domains list allows that domain's email to traverse the MTA.

    You are going purely for the smtpd_recipient_restrictions parameter here.  You should already have a permit_mynetworks in that list.  If so, just add the static IP of the site to the mynetworks parameter list, reload postfix and you should be fine.

    Author Comment

    The mynetworks cannot hold their static IP because the mynetworks is set up for subnets (so that internal PCs do not need to be listed one by one).  We have added the IP to a 'clients' file with OK listed and we refer to this file in smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/clients

    this should accomplish your suggestion but the EU cannot connect.

    Expert Comment

    add a /32 at the end of the static IP

    Author Comment

    did as you suggested and just heard back from the end-user; they still are receiving an SMTP rejection error.  other ideas?

    Expert Comment

    need the and posted then as adding the <<ip address>>/32 to the mynetworks parameter should work.

    Author Comment

    by:ryanbubu (comments removed, sensitive data masked):

    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    mail_owner = postfix
    myhostname =
    myorigin = $mydomain
    inet_interfaces = all
    mydestination = $myhostname, localhost.$mydomain, $mydomain,, mt,,,,
    unknown_local_recipient_reject_code = 450
    mynetworks_style = subnet
    mynetworks =, 204.TTT.ZZZ.240/29,,, 204.
    relay_domains = $mydestination, $mynetworks,
    virtual_maps = hash:/etc/postfix/virtual
    alias_maps = hash:/etc/postfix/aliases
    alias_maps = hash:/etc/postfix/aliases
    debug_peer_level = 2
    debugger_command =
             xxgdb $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail.postfix
    newaliases_path = /usr/bin/newaliases.postfix
    mailq_path = /usr/bin/mailq.postfix
    setgid_group = postdrop
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/postfix-2.0.16/samples
    readme_directory = /usr/share/doc/postfix-2.0.16/README_FILES
    alias_database = hash:/etc/postfix/aliases
    smtpd_recipient_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/clients, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client, reject_rbl_client, reject_rbl_client op, reject_rbl_client, reject_rbl_client blackholes.w, reject_rbl_client, check_relay_domains, reject
    smtpd_client_restrictions = permit_mynetworks hash:/etc/postfix/sender_access, r
    smtpd_helo_restrictions = reject_invalid_hostname, reject_unknown_hostname, reje
    header_checks = regexp:/etc/postfix/spammers

    Accepted Solution

    First, remove "" from relay_domains; it is not needed.
    Also, let's try using warn_if_reject to see which rule is rejecting it, as I'm not 100% positive.

    smtpd_client_restrictions = permit_mynetworks, hash:/etc/postfix/sender_access, warn_if_reject reject_unknown_client
    smtpd_helo_restrictions = warn_if_reject reject_invalid_hostname, warn_if_reject reject_unknown_hostname, warn_if_reject reject_non_fqdn_hostname

    I'm thinking they're getting rejected because their public IP doesn't resolve to anything and/or the hostname they announce themselves as doesn't match the IP they are connecting as.
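
One way to read the outcome of the warn_if_reject suggestion above, as an added example that is not part of the original thread: with warn_if_reject in place, Postfix logs `reject_warning:` instead of rejecting, so tallying those lines per client and reason shows which restriction is responsible. The log lines are constructed (192.0.2.10 is a documentation address), and the function names `sample_log` and `summarize_rejects` are hypothetical.

```shell
#!/bin/sh
# Added example: tally Postfix reject / reject_warning log lines per client and
# reason, so the restriction behind an SMTP rejection is visible at a glance.

# Constructed sample maillog lines, modelled on the smtpd log format.
sample_log() {
cat <<'EOF'
Aug  1 10:15:02 mail postfix/smtpd[2112]: connect from unknown[192.0.2.10]
Aug  1 10:15:02 mail postfix/smtpd[2112]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<user@remote.example> to=<rcpt@other.example> proto=ESMTP helo=<remote-pc>
Aug  1 10:15:02 mail postfix/smtpd[2112]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 <remote-pc>: Helo command rejected: need fully-qualified hostname; from=<user@remote.example> to=<rcpt@other.example> proto=ESMTP helo=<remote-pc>
Aug  1 10:15:03 mail postfix/smtpd[2112]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 <rcpt@other.example>: Relay access denied; from=<user@remote.example> to=<rcpt@other.example> proto=ESMTP helo=<remote-pc>
Aug  1 10:20:41 mail postfix/smtpd[2140]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<user@remote.example> to=<rcpt@other.example> proto=ESMTP helo=<remote-pc>
EOF
}

# Reads maillog on stdin; prints "<count> <warn|reject> <client> <reason>",
# most frequent first. "warn" lines come from warn_if_reject rules.
summarize_rejects() {
    awk '
    / reject(_warning)?: / {
        kind = ($0 ~ / reject_warning: /) ? "warn" : "reject"
        line = $0
        sub(/^.* reject(_warning)?: [A-Z]+ from /, "", line)  # keep from client on
        client = line
        sub(/: .*$/, "", client)                   # host[ip]
        reason = substr(line, length(client) + 3)  # text after "client: "
        sub(/;.*$/, "", reason)                    # drop from=/to=/helo= tail
        sub(/^[0-9]+ /, "", reason)                # drop the SMTP reply code
        count[kind " " client " " reason]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

sample_log | summarize_rejects
```

On a live server the same function can be fed the mail log instead of the sample, for example `summarize_rejects < /var/log/maillog` (the log path varies by distribution).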

    Expert Comment

    Forced accept.

    EE Admin
