Postfix issue, Remote host said: 554 5.7.1 <email.address> : Relay access denied [RCPT_TO]

Need some help. About 5 days ago suddenly my postfix server stopped working, getting "Remote host said: 554 5.7.1 <email.address> : Relay access denied [RCPT_TO]" when I send to my domain from outside my network and I'm not blacklisted. No changes were made to the server but I'm not sure if an update caused it. The message comes from my IP, so I have to assume it is coming from my server or firewall (cisco isa500) and not outside of it. I can send out from my network, and I can send between users internally. I'm using a virtual mailbox setup.  Below is my main.conf scrubbed, and the domains that would usually be in mydestination are in the mysql database. The curious thing is that I see no bounces or NOQUEUES in my mail.log, nor any connections, like the mail isn't hitting my server yet the message comes from my external IP. I'm using no-ip to do port redirects to a non-standard port since I can't use port 25, and it has worked since I initially set it up until 5 days ago. I used Ivar Abrahamsen's guide when I initially set it up and have amavis, spamassassin, clamav etc running.

main.cf:
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = redzworld.com
mydestination =
relay_recipient_maps = mysql:/etc/postfix/mysql_relays.cf
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
relayhost = smtp-auth.no-ip.com:587
inet_interfaces = all
mynetworks_style = host
local_recipient_maps =
delay_warning_time = 4h
unknown_local_recipient_reject_code = 450
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
smtp_helo_timeout = 60s
smtpd_recipient_limit = 16
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
smtpd_recipient_restrictions = reject_unauth_pipelining permit_mynetworks reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unauth_destination permit permit_sasl_authenticated permit_inet_interfaces reject_unknown_reverse_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
virtual_uid_maps = static:5010
virtual_gid_maps = static:5010
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
content_filter = amavis:[127.0.0.1]:10024
message_size_limit = 0
virtual_mailbox_limit = 0
html_directory = /usr/share/doc/postfix/html
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_sasl_password_map
smtpd_tls_security_level = may
delay_notice_recipient = redashi@redzworld.com
bounce_notice_recipient = redashi@redzworld.com
2bounce_notice_recipient = redashi@redzworld.com
error_notice_recipient = redashi@redzworld.com
smtpd_sasl_security_options = noanonymous noplaintext
debug_peer_list = redzworld.com
redashi Asked:

Daniel Helgenberger Commented:
Hello,

to break this down, please confirm these points:
- since five days postfix is denying relay access
- did install updates
- internal relay access is allowed, smtp is working
- you did not change the main.cf, esp. these parts:
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24
smtpd_sender_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
smtpd_recipient_restrictions = reject_unauth_pipelining permit_mynetworks reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unauth_destination permit permit_sasl_authenticated permit_inet_interfaces reject_unknown_reverse_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_helo_required = yes
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

If all this is correct, then the problem may be out of your hands. The firewall does not interfere since you get connected to postfix, postfix just plain rejects the mail.

To troubleshoot this issue, I can only offer some things to test.
- Go to https://www.testexchangeconnectivity.com/ and do an inbound (and outbound, while you're there) SMTP test. Post the results if possible.
- Telnet into your mail host, try to send a mail
- Send a testmail, look in the mail logs for a clue or post them here for the time you send the mail
- Then, test removing some restrictions for testing:
soft_bounce = yes

Do restart postfix after that and send a mail from a foreign domain. What are the results? If soft_bounce gets this to work, it is a postfix issue and fixable; if not, you have to contact your ISP.
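
Added example, not part of the original thread or of Postfix itself: the restriction lines the answer asks the poster to confirm can be checked mechanically. This Python sketch reads main.cf text (sample lines copied from the question), reports parameters defined more than once (Postfix keeps the last definition), and walks smtpd_recipient_restrictions in evaluation order to show where reject_unauth_destination sits and which entries follow a bare permit and are therefore never evaluated. The function names are hypothetical, and restriction arguments (map names, RBL domains) are treated as plain tokens.

```python
import re

# Constructed sample: lines copied from the main.cf posted in the question.
SAMPLE_MAIN_CF = """\
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
alias_maps = hash:/etc/aliases
mydestination =
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = reject_unauth_pipelining permit_mynetworks reject_non_fqdn_recipient reject_unknown_recipient_domain reject_unauth_destination permit permit_sasl_authenticated permit_inet_interfaces reject_unknown_reverse_client_hostname
alias_maps = hash:/etc/postfix/aliases
"""

def parse_main_cf(text):
    """Return (params, duplicates); the last definition of a name wins."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                              # blank line or comment
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()     # continuation of previous line
        else:
            logical.append(line.strip())
    params, duplicates = {}, []
    for entry in logical:
        name, _, value = entry.partition("=")
        name = name.strip()
        if name in params and name not in duplicates:
            duplicates.append(name)
        params[name] = value.strip()
    return params, duplicates

def audit_recipient_restrictions(params):
    """Find the relay guard and anything after the first catch-all action."""
    raw = params.get("smtpd_recipient_restrictions", "")
    items = [t for t in re.split(r"[,\s]+", raw) if t]
    guard_index, unreachable = None, []
    for i, item in enumerate(items):
        if item == "reject_unauth_destination" and guard_index is None:
            guard_index = i
        terminal = item in ("permit", "reject", "defer") and (i == 0 or items[i - 1] != "warn_if_reject")
        if terminal:                              # evaluation always stops here
            unreachable = items[i + 1:]
            break
    return {"relay_guard_index": guard_index, "unreachable": unreachable}

if __name__ == "__main__":
    params, dups = parse_main_cf(SAMPLE_MAIN_CF)
    print("defined more than once:", dups)
    print(audit_recipient_restrictions(params))
```
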
redashi (Author) Commented:
Thanks for the help, you pointed me in the right direction. I updated/refreshed my DNS zone from my DNS host provider after I saw output from the tool you suggested, and suddenly it started working. The only thing I can think of is my spam filter possibly wasn't able to do a reverse lookup and made it think it was a spammer trying to relay from an unknown domain. Just a wild guess. Thanks
redashi (Author) Commented:
Seemed to know what they were talking about, and the tool/troubleshooting tips got me on the right track.
Daniel Helgenberger Commented:
Glad this helped! MSFT really did a great job with RCA; saved me hours of work as well already.