• Status: Solved

SMTP relay question using postfix

I am having trouble allowing access to my SMTP server for a remote site. We are using postfix and have some rules set up to prevent relaying/spamming. I have added this remote site as an OK in our smtpd_recipient_restrictions and smtpd_client_restrictions, as well as listing their static IP as an acceptable relay domain (relay_domains = $mydestination, $mynetworks, XXX.YYY.ZZZ.AAA). The remote is getting an SMTP error (they can check mail successfully).
relay_domains is the parameter for listing the domains the MTA relays for. For example, example.com may be hosted at the server, but example2.com may be a different division and you want to send it to the appropriate mail server. Ordinarily that example2.com mail will be dropped; adding it to the relay_domains list allows that domain's email to traverse the MTA.

You are going purely for the smtpd_recipient_restrictions parameter here. You should already have a permit_mynetworks in that list. If so, just add the static IP of the site to the mynetworks parameter list, reload postfix, and you should be fine.
ryanbubu (Author) commented:
The mynetworks cannot hold their static IP because the mynetworks is set up for subnets (so that internal PCs do not need to be listed one by one). We have added the IP to a 'clients' file with OK listed, and we refer to this file in smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/clients

This should accomplish your suggestion, but the EU cannot connect.
Add a /32 at the end of the static IP.
ryanbubu (Author) commented:
Did as you suggested and just heard back from the end-user; they still are receiving an SMTP rejection error. Other ideas?
Need the main.cf and master.cf posted then, as adding the <<ip address>>/32 to the mynetworks parameter should work.
ryanbubu (Author) commented:
main.cf (comments removed, sensitive data masked):

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = euryale.bmxxxxx.net
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain, mtblxxxxx.com, mtxxxxxx.com, pbxxxx.net, lowelxxxxxx.com, nligxxxxx.com, nligxxxxx.com
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks =, 204.TTT.ZZZ.240/29,,, 204.
relay_domains = $mydestination, $mynetworks,
virtual_maps = hash:/etc/postfix/virtual
alias_maps = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
debug_peer_level = 2
debugger_command =
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.0.16/samples
readme_directory = /usr/share/doc/postfix-2.0.16/README_FILES
alias_database = hash:/etc/postfix/aliases
smtpd_recipient_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/clients, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client relays.ordb.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client opm.blitzed.org, reject_rbl_client dnsbl.njabl.org, reject_rbl_client blackholes.wirehub.net, reject_rbl_client list.dsbl.org, check_relay_domains, reject
smtpd_client_restrictions = permit_mynetworks hash:/etc/postfix/sender_access, r
smtpd_helo_restrictions = reject_invalid_hostname, reject_unknown_hostname, reje
header_checks = regexp:/etc/postfix/spammers
First, remove "" from relay_domains; it is not needed.
Also, let's try using warn_if_reject to see which rule is rejecting it, as I'm not 100% positive.

smtpd_client_restrictions = permit_mynetworks, hash:/etc/postfix/sender_access, warn_if_reject reject_unknown_client
smtpd_helo_restrictions = warn_if_reject reject_invalid_hostname, warn_if_reject reject_unknown_hostname, warn_if_reject reject_non_fqdn_hostname

I'm thinking they're getting rejected because their public IP doesn't resolve to anything and/or the hostname they announce themselves as doesn't match the IP they are connecting as.
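With warn_if_reject in front of a restriction, Postfix logs a reject_warning line instead of refusing the mail, so the mail log shows which rule would have fired for the remote site. The script below is an added example, not part of the original thread: the log lines are constructed, the addresses are documentation ranges, and the phrase-to-restriction mapping is an assumption based on Postfix's usual reply strings that should be confirmed against your version.

```python
import re

# Constructed sample log lines (not from the thread); IPs are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:15:02 mx postfix/smtpd[2211]: connect from unknown[203.0.113.10]
Mar  3 10:15:02 mx postfix/smtpd[2211]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.10]: 450 Client host rejected: cannot find your hostname, [203.0.113.10]; from=<user@remote.example> to=<bob@example.com> proto=ESMTP helo=<branch-pc>
Mar  3 10:15:02 mx postfix/smtpd[2211]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.10]: 504 <branch-pc>: Helo command rejected: need fully-qualified hostname; from=<user@remote.example> to=<bob@example.com> proto=ESMTP helo=<branch-pc>
Mar  3 10:15:03 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 554 <bob@elsewhere.example>: Relay access denied; from=<user@remote.example> to=<bob@elsewhere.example> proto=ESMTP helo=<branch-pc>
Mar  3 10:16:40 mx postfix/smtpd[2230]: NOQUEUE: reject: RCPT from mail.other.example[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using sbl.spamhaus.org; from=<x@other.example> to=<bob@example.com> proto=SMTP helo=<mail.other.example>
"""

# Reply text -> restriction that usually produces it (assumed mapping, see lead-in).
PHRASES = [
    ("cannot find your hostname", "reject_unknown_client"),
    ("Helo command rejected: Invalid name", "reject_invalid_hostname"),
    ("Helo command rejected: Host not found", "reject_unknown_hostname"),
    ("need fully-qualified hostname", "reject_non_fqdn_hostname"),
    ("blocked using", "reject_rbl_client"),
    ("Relay access denied", "check_relay_domains"),
]

# Matches both hard rejects and warn_if_reject warnings; the reply text runs
# up to "; from=" because RBL replies contain a semicolon of their own.
LINE_RE = re.compile(
    r"(?P<action>reject_warning|reject): (?P<stage>\w+) from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<text>.*?)(?:; from=|$)"
)

def triage(log_text, client_ip):
    """Return (action, code, restriction) for every reject line from client_ip."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("ip") != client_ip:
            continue
        text = m.group("text")
        rule = next((r for p, r in PHRASES if p in text), "unclassified")
        findings.append((m.group("action"), m.group("code"), rule))
    return findings

def blocking_rules(log_text, client_ip):
    """Restrictions that actually refused mail (reject), not just warned."""
    return [r for a, _, r in triage(log_text, client_ip) if a == "reject"]

if __name__ == "__main__":
    for action, code, rule in triage(SAMPLE_LOG, "203.0.113.10"):
        print(f"{action:15} {code} {rule}")
```

Lines tagged reject_warning show restrictions that would have refused the client; lines tagged reject show the one that actually did.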
Forced accept.

EE Admin