Solved

Email bounced ... Relay Access Denied ... DNS error suspected

Posted on 2011-09-07
Last Modified: 2012-05-12
Sending *to* my domain from GMail, I get:

Delivery to the following recipient failed permanently:

    Daniel@mydomain.com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554 5.7.1 <Daniel@mydomain.com>: Relay access denied (state 14).


We got to the conclusion that "the mx dns entry points to a server that is not recognizing the destination domain as one of  [its] own."

So, how do I tell the server that, in fact, that destination *is* one of its own?

If my IP resolves to MyOtherDomain.com but MyDomain.com is also there ... how do I tell the server that both are OK?

Thanks!
0
Comment
Question by:Daniel Wilson
23 Comments
 
LVL 13

Expert Comment

by:Govvy
ID: 36497929
Create SPF records for each domain:

http://old.openspf.org/dns.html
0
 
LVL 21

Assisted Solution

by:Papertrip
Papertrip earned 500 total points
ID: 36498077
So first off this is not an SPF issue since he is sending *to* his domain, not from it.

Depending on what mail server software you are running, you need to enable something along the lines of a relay_domain list and put your domain in there.

I say something along those lines because it depends on which software you are running.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36498108
Or, if that server is the final destination (it has your mailbox), then something along the lines of my_domains would need to have your domain in it.

What are you running on the receiving server?
0
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 36498169
OK, I'm reading that, but still confused.

I added this, to no avail:

mydomain.com.      IN      TXT      "v=spf1 a mx ptr a:mail.myotherdomain.com mx:mail.myotherdomain.com ip4:222.111.111.555 -all"

(domain names & IP's made up)

Where did I mess this up?

Thanks.
0
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 36498183
I'm running Ubuntu, Bind, Postfix, and Dovecot.

Thanks!
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36498198
Aside from the fact that this is not an SPF issue, I have some suggestions for what your SPF record should look like.

 "v=spf1 ip4:222.111.111.555 ~all"

If you have a server besides that one sending mails, then add another ip4: entry.  That is all you need.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36498213
0
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 36498703
I have multiple domains on this server.  Does that change the SPF requirements?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36498765
Here is how SPF works.

The receiving server takes the sending server's IP along with the domain in the envelope MAIL FROM, queries that domain for a TXT record, looks for one that starts with v=spf1, and checks to see if the IP is listed.

So the only requirement is that you put a record containing servers that send mail for a domain into that domain's zone file.  I suggest using only ip4 modifiers in the syntax.
0
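
The check described in the comment above, written out as an added example (not code from the thread or from any SPF library). It evaluates only the ip4/ip6 mechanisms and the final "all" term, as the comment recommends; the TXT records and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed documentation values, and `check_spf` is a hypothetical name.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT answers for the envelope MAIL FROM domain.
SAMPLE_TXT = [
    "some-site-verification=constructed",
    "v=spf1 ip4:192.0.2.25 ip4:198.51.100.0/24 ~all",
]

def check_spf(txt_records, client_ip):
    """Evaluate the v=spf1 TXT record of the MAIL FROM domain for client_ip."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror"   # more than one SPF record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in spf[0].split()[1:]:
        qualifier = "+"      # default qualifier when none is written
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        else:
            # a, mx, ptr, include and redirect need further DNS lookups.
            raise NotImplementedError(f"{name}: not handled in this example")
    return "neutral"         # no mechanism matched and no "all" term

if __name__ == "__main__":
    for addr in ("192.0.2.25", "198.51.100.7", "203.0.113.9"):
        print(addr, check_spf(SAMPLE_TXT, addr))
```

The result depends only on the sending IP and the sender's domain, which is why the record has no bearing on mail delivered *to* the domain.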
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 36498840
Here's my /etc/postfix/main.cf file (domain names & IP's substituted).

What should I be putting in for mydestination ?

Thanks!
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no
#myorigin = /etc/mailname
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
myhostname = localhost
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = 
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = ipv4
home_mailbox = Maildir/
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 123.123.123.0/24 123.123.123.15

virtual_mailbox_domains = myotherdomain.com mydomain.com
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_transport = virtual
maildrop_recipient_limit = 1

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
          reject_unauth_destination, permit

allow_untrusted_routing = yes
smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options =
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client

myorigin = /etc/mailname
inet_interfaces = all
relayhost =

0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36499015
Glad you pasted that.  Curious about the virtual domains, because this does change things a bit.  Do you have a need for specific users to be able to receive mail from say only mydomain.com and not myotherdomain.com ?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36499127
Do you have a need for specific users to be able to receive mail from say only mydomain.com and not myotherdomain.com ?

Woops said this a lil backwards, I meant receive mail AT only mydomain.com and not myotherdomain.com
0
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 36499217
Yes, Daniel@MyDomain.com may be different from Daniel@MyOtherDomain.com

I think that *is* what's messing things up for me!
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36499283
Comment out 'mydestination' and try again.

I'm not 100% certain that is what we want in the long run but try it anyways.  Did you have anything set for that before?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36499288
Also do you have your mailbox maps all set up?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36499354
Oh I was so focused on the virtual domains that I overlooked something more high level --

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination


I think that right there be your problem.

Change this to no and test, ignore the mydestinations thing I mentioned.

smtpd_use_tls=yes


Oh just noticed also you have 2 lines for 'smtpd_recipient_restrictions'.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36499383
Man I really wish there was an edit feature for my replies...

Pasted the wrong config line.  Give me a few and I'll write up a reply in notepad where I can look it over 10 times before hitting submit :p

In the meantime let me know how your virtual maps are looking.
0
 
LVL 32

Author Comment

by:Daniel Wilson
ID: 36499423
OK, changing smtpd_use_tls to no instead of yes

Also, commenting out one of the smtpd_recipient_restrictions lines.

The test message hasn't bounced yet ... but neither has it showed up ... I guess I'll wait & see.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36499443
Scratch everything I said.  I'm so used to being able to edit my posts that sometimes I don't take the time to proofread them that well.

Ignore everything I said except for the duplicate lines, and add 'permit_auth_destination' to smtpd_recipient_restrictions
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36507612
@DanielWilson were you able to add 'permit_auth_destination' ?  Did it work?  I'm more than happy to continue troubleshooting this issue
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36547157
Hi Daniel,

Any luck?
0
 
LVL 32

Accepted Solution

by:
Daniel Wilson earned 0 total points
ID: 36904079
Sorry, I dropped this, Papertrip.

It turned out that there was a missing Newline in main.cf.

Grrrr!
0
 
LVL 32

Author Closing Comment

by:Daniel Wilson
ID: 36935189
Someone outside of EE found the problem ... but Papertrip steered away from one wrong idea & I appreciate that.
0
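
A small main.cf lint covering the two file-level problems that came up in this thread: a parameter defined twice (Postfix keeps only the last definition) and a missing newline. This is an added example, not code from the thread or from Postfix. The thread does not say where the newline was missing, so the run-together line and the unterminated last line in the sample are constructed, and `lint_main_cf` and the finding codes are hypothetical names.

```python
import re

ASSIGN = re.compile(r"([A-Za-z0-9_]+)\s*=\s*(.*)")
# Heuristic: an identifier followed by " = " inside a value suggests that two
# settings ended up on one line because a newline is missing between them.
SECOND_ASSIGN = re.compile(r"[A-Za-z0-9_]+\s+=\s")

# Constructed excerpt modelled on the main.cf posted above.
SAMPLE = (
    "mydestination =\n"
    "virtual_mailbox_domains = myotherdomain.com mydomain.com\n"
    "smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination\n"
    "smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,\n"
    "          reject_unauth_destination, permit\n"
    "smtpd_sasl_auth_enable = yesmyorigin = /etc/mailname\n"
    "relayhost ="
)

def lint_main_cf(text):
    """Return (line_number, code, parameter) findings for main.cf text."""
    findings = []
    lines = text.splitlines()
    if text and not text.endswith("\n"):
        findings.append((len(lines), "no-final-newline", ""))
    logical = []                      # [first line number, joined text]
    for no, raw in enumerate(lines, 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                  # blank lines and comments are ignored
        if raw[0].isspace() and logical:
            logical[-1][1] += " " + raw.strip()   # continuation line
        else:
            logical.append([no, raw.strip()])
    first_seen = {}
    for no, line in logical:
        m = ASSIGN.fullmatch(line)
        if not m:
            findings.append((no, "not-a-setting", line))
            continue
        name, value = m.groups()
        if name in first_seen:        # Postfix keeps only the last definition
            findings.append((no, "overrides-line-%d" % first_seen[name], name))
        first_seen.setdefault(name, no)
        if SECOND_ASSIGN.search(value):
            findings.append((no, "second-assignment-in-value", name))
    return findings

if __name__ == "__main__":
    for finding in lint_main_cf(SAMPLE):
        print(finding)
```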
