# Postfix relay denied from email clients only



## murias (Feb 7, 2013)

Unfortunately I believe I have had this issue once before, maybe about 2 years ago, but never documented the fix anywhere.  I have a Dovecot, Postfix setup, running on FreeBSD 9.1.

The server can receive and send emails.  Users are able to log in and receive email in their email clients, and Roundcube can without any issues send email to locally hosted domains and to all other domains on the internet.  The issue arises when users use a mail client to send email.  The server will accept their email if it is for a locally hosted domain, but will not relay any mail to, let's say, gmail for example, or any other domain.  Postfix simply will not accept the email from the user.  This is all that is found in regards to those connections in the maillog:


```
Feb  6 13:28:39 ogham postfix/smtpd[77982]: connect from 50-0-142-120.dsl.dynamic.sonic.net[50.0.142.120]
Feb  6 13:28:39 ogham postfix/smtpd[77982]: NOQUEUE: reject: RCPT from 50-0-142-120.dsl.dynamic.sonic.net[50.0.142.120]: 554 5.7.1 <murias.oceallagh@gmail.com>: Relay access denied; from=<dave@orangediesel.com> to=<murias.oceallagh@gmail.com> proto=ESMTP helo=<[192.168.1.101]>
```

Postconf output is as follows:

```
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8, 10.0.1.0/28
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains = proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:125
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailboxes_maps.cf
virtual_minimum_uid = 125
virtual_transport = virtual
virtual_uid_maps = static:125
```

Have made many attempts at getting this squared away, and even compared the main.cf to that of another server I manage, and honestly cannot find the difference.
Hoping another set of eyes could shed some light onto what I am missing.

Thanx a bunch.
Murias

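As an added illustration (not code from the post above), here is a small Python model of how Postfix walks the posted `smtpd_recipient_restrictions` list for one `RCPT TO`: left to right, first `permit`/`reject` match wins, entries that do not apply fall through. It uses the `mynetworks` value and the client address from the quoted log; the expansion of `$mydomain` and the contents of the MySQL-backed domain tables are not visible in the post, so the domain sets below are assumptions.

```python
import ipaddress

# Added example: a model of the three entries in the posted
# smtpd_recipient_restrictions that decide "Relay access denied".
# It is not Postfix code and leaves out the other entries in the list.

# Copied from the postconf output in the post.
MYNETWORKS = ["127.0.0.0/8", "10.0.1.0/28"]
# mydestination = localhost.$mydomain, localhost; $mydomain is not shown,
# so this expansion is an assumption.
MYDESTINATION = {"localhost.orangediesel.com", "localhost"}
# The MySQL-backed tables are not visible in the post; these contents are
# assumed for the walk-through (the sender domain in the log is used as the
# hosted domain).
VIRTUAL_MAILBOX_DOMAINS = {"orangediesel.com"}
RELAY_DOMAINS = set()

RESTRICTIONS = ("permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination")


def in_mynetworks(client_ip):
    """permit_mynetworks: is the client inside one of the listed networks?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in MYNETWORKS)


def authorized_destination(domain):
    """reject_unauth_destination does not fire for domains Postfix is final
    destination or relay for (subdomain matching and virtual_alias_domains
    are left out of this model)."""
    return (domain in MYDESTINATION
            or domain in VIRTUAL_MAILBOX_DOMAINS
            or domain in RELAY_DOMAINS)


def check_recipient(client_ip, rcpt, sasl_username=None):
    """Return (action, deciding_entry) for one RCPT TO.

    Postfix evaluates the list left to right; the first entry that returns
    PERMIT or REJECT decides, an entry that does not apply (DUNNO) falls
    through. Reaching the end of the list means the recipient is accepted.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for entry in RESTRICTIONS:
        if entry == "permit_mynetworks" and in_mynetworks(client_ip):
            return "OK", entry
        if entry == "permit_sasl_authenticated" and sasl_username:
            return "OK", entry
        if entry == "reject_unauth_destination" and not authorized_destination(domain):
            return "554 5.7.1 <%s>: Relay access denied" % rcpt, entry
    return "OK", "end of list"


def walk_through():
    """The cases from the thread: the logged rejection, the same client
    sending to a hosted domain, the same client after a SASL login, and a
    client inside mynetworks."""
    client = "50.0.142.120"
    return {
        "unauth to gmail": check_recipient(client, "murias.oceallagh@gmail.com"),
        "unauth to hosted domain": check_recipient(client, "dave@orangediesel.com"),
        "sasl to gmail": check_recipient(client, "murias.oceallagh@gmail.com",
                                         sasl_username="dave@orangediesel.com"),
        "mynetworks to gmail": check_recipient("10.0.1.5", "murias.oceallagh@gmail.com"),
    }


if __name__ == "__main__":
    for case, (action, entry) in walk_through().items():
        print("%-25s %s  (decided by %s)" % (case, action, entry))
```

The first case reproduces the quoted `554 5.7.1 ... Relay access denied` line: the client is outside `mynetworks` and arrives at `reject_unauth_destination` with no SASL login recorded for the session. The second case shows why mail to a hosted domain is still accepted, and the third shows that the same client would be permitted by `permit_sasl_authenticated` once Postfix has seen a successful SASL login.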

----------



## xtaz (Feb 7, 2013)

Well, the IP address that is trying to send the mail is 50.0.142.120, which is not in the list of mynetworks, so it's rejected. It looks like they are supposed to log in via SASL, authenticated via Dovecot; however, there are no log lines that suggest this is happening. On my similarly configured Postfix/Dovecot server I get log lines saying that SASL authentication is successful. They are probably trying to submit mail without a username/password configured in the client?

The other possibility is that Postfix is only offering SASL to connections encrypted with TLS/SSL; there are also no log lines that suggest the client is connecting over TLS/SSL, so it's probably not being offered the chance to authenticate.

I can't tell for sure without comparing your configuration to my own to see what the differences are, but one of those two would be my first thoughts based on the log you have pasted. For example here are my log lines when trying something similar:


```
Feb  7 09:33:14 tao postfix/submission/smtpd[51863]: connect from unknown[213.205.234.xxx]
Feb  7 09:33:17 tao postfix/submission/smtpd[51863]: Anonymous TLS connection established from unknown[213.205.234.xxx]: TLSv1 with cipher AES128-SHA (128/128 bits)
Feb  7 09:33:18 tao postfix/submission/smtpd[51863]: A9B37209BB67: client=unknown[213.205.234.xxx], sasl_method=PLAIN, sasl_username=xxxx
Feb  7 09:33:19 tao postfix/cleanup[51867]: A9B37209BB67: message-id=<8F0400D0-B6D3-4AE9-93C3-35FCCC4521DC@xxxx.co.uk>
Feb  7 09:33:19 tao postfix/qmgr[58733]: A9B37209BB67: from=<xxxx@xxxx.co.uk>, size=642, nrcpt=1 (queue active)
Feb  7 09:33:21 tao postfix/smtp[51868]: Trusted TLS connection established to cluster3.eu.messagelabs.com[85.158.139.3]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb  7 09:33:21 tao postfix/smtp[51868]: A9B37209BB67: to=<xxxx@xxxx.co.uk>, relay=cluster3.eu.messagelabs.com[85.158.139.3]:25, delay=3, delays=1.3/0.18/1.4/0.2, dsn=2.0.0, status=sent (250 ok 1360229601 qp 30499 server-15.tower-90.messagelabs.com!1360229601!2251128!1)
Feb  7 09:33:21 tao postfix/qmgr[58733]: A9B37209BB67: removed
Feb  7 09:34:20 tao postfix/submission/smtpd[51863]: disconnect from unknown[213.205.234.xxx]
```

And here are my config lines:


```
#TLS
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
#smtp_tls_key_file = /usr/local/etc/ssl/client.key
#smtp_tls_cert_file = /usr/local/etc/ssl/client.pem
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtpd_tls_key_file = /usr/local/etc/ssl/mail.key
smtpd_tls_cert_file = /usr/local/etc/ssl/mail.pem
smtpd_tls_CAfile = /usr/local/etc/ssl/ca-chain.pem
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

#SASL
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,..... (lots more follows this)
```

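The two things xtaz looks for in the log, a TLS line and a `sasl_username=` line on the same smtpd session before the reject, can be checked per connection rather than by eye. The Python below is an added example, not code from either post: it groups maillog lines into smtpd sessions (re-keyed on each `connect from`, since one smtpd process serves connections in turn) and classifies each session that hit `Relay access denied`. The log sample is constructed on the pattern of the lines quoted in the thread; the PIDs, the second and third clients and their addresses are made up.

```python
import re
from collections import Counter

# Added example: triage "Relay access denied" by smtpd session. Not code from
# either post. The log below is constructed on the pattern of the quoted
# lines; 203.0.113.7 and 198.51.100.9 are documentation addresses, and the
# second session reusing PID 77982 shows the re-keying on "connect from".
SAMPLE_LOG = """\
Feb  6 13:28:39 ogham postfix/smtpd[77982]: connect from 50-0-142-120.dsl.dynamic.sonic.net[50.0.142.120]
Feb  6 13:28:39 ogham postfix/smtpd[77982]: NOQUEUE: reject: RCPT from 50-0-142-120.dsl.dynamic.sonic.net[50.0.142.120]: 554 5.7.1 <murias.oceallagh@gmail.com>: Relay access denied; from=<dave@orangediesel.com> to=<murias.oceallagh@gmail.com> proto=ESMTP helo=<[192.168.1.101]>
Feb  6 13:28:40 ogham postfix/smtpd[77982]: disconnect from 50-0-142-120.dsl.dynamic.sonic.net[50.0.142.120]
Feb  6 13:30:01 ogham postfix/smtpd[77982]: connect from unknown[203.0.113.7]
Feb  6 13:30:02 ogham postfix/smtpd[77982]: Anonymous TLS connection established from unknown[203.0.113.7]: TLSv1 with cipher AES128-SHA (128/128 bits)
Feb  6 13:30:03 ogham postfix/smtpd[77982]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <someone@example.net>: Relay access denied; from=<dave@orangediesel.com> to=<someone@example.net> proto=ESMTP helo=<[192.168.1.50]>
Feb  6 13:30:04 ogham postfix/smtpd[77982]: disconnect from unknown[203.0.113.7]
Feb  6 13:31:10 ogham postfix/submission/smtpd[78001]: connect from unknown[198.51.100.9]
Feb  6 13:31:11 ogham postfix/submission/smtpd[78001]: Anonymous TLS connection established from unknown[198.51.100.9]: TLSv1 with cipher AES128-SHA (128/128 bits)
Feb  6 13:31:12 ogham postfix/submission/smtpd[78001]: A9B37209BB67: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=dave@orangediesel.com
Feb  6 13:31:13 ogham postfix/submission/smtpd[78001]: disconnect from unknown[198.51.100.9]
"""

# syslog prefix, then "postfix/<prog>[<pid>]: <msg>"; prog may be "submission/smtpd"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>[\w/-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SASL_RE = re.compile(r"sasl_username=(\S+)")
RCPT_RE = re.compile(r" to=<([^>]*)>")


def parse_sessions(log_text):
    """Split smtpd log lines into sessions, one per 'connect from'."""
    sessions = []
    open_by_pid = {}          # pid -> session currently being served
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("prog").endswith("smtpd"):
            continue          # cleanup/qmgr/smtp lines are not part of the inbound session
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            s = {"pid": pid, "client": msg[len("connect from "):],
                 "tls": False, "sasl_username": None, "relay_denied": []}
            open_by_pid[pid] = s
            sessions.append(s)
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue          # log started mid-session; nothing to attribute it to
        if "TLS connection established" in msg:
            s["tls"] = True
        elif SASL_RE.search(msg):
            s["sasl_username"] = SASL_RE.search(msg).group(1)
        elif "Relay access denied" in msg:
            r = RCPT_RE.search(msg)
            s["relay_denied"].append(r.group(1) if r else "?")
        elif msg.startswith("disconnect from "):
            open_by_pid.pop(pid, None)
    return sessions


def diagnose(s):
    """What the session shows about the client: did it authenticate, and if
    it was refused relay, had it at least negotiated TLS first?"""
    if s["sasl_username"]:
        return "authenticated"
    if not s["relay_denied"]:
        return "no relay attempt"
    if s["tls"]:
        return "relay denied over TLS, no AUTH"
    return "relay denied, no TLS, no AUTH"


def triage(log_text):
    return [(s["client"], diagnose(s), s["relay_denied"]) for s in parse_sessions(log_text)]


def summarize(log_text):
    return dict(Counter(d for _, d, _ in triage(log_text)))


if __name__ == "__main__":
    for client, verdict, denied in triage(SAMPLE_LOG):
        print("%-50s %-32s %s" % (client, verdict, ", ".join(denied)))
    print(summarize(SAMPLE_LOG))
```

Run against a real `/var/log/maillog`, the first verdict points at a client that never presented credentials (or was never offered AUTH), the second at a client that did negotiate TLS yet still did not authenticate, and only the third looks like a working submission. Sessions with `no relay attempt` are ordinary inbound mail and can be ignored for this question.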

----------

