The dread "relay access denied" error
I've been trying to avoid asking this question since "relay access denied" problems are usually pretty silly configuration errors that I should pick up. But I've been staring at this for three days and I'm stumped.
Once again here's the scenario. I set up mailman3 on Ubuntu 24.04 and it's running without a hitch, particularly now that I added the appropriate archival commands. I decided to create a backup on an older server of mine running Ubuntu 22.04. The setup is almost identical except for domain names. Unfortunately, in the second setup, I'm getting "relay access denied" to senders/recipients outside the host domain. Things go fine to list members on the local machine. Mailman is successfully sending admin mail to mailman@bill-oliver.com. Mail not using mailman works fine.
The domain where everything works is billoblog.com.
The domain I'm setting up is bill-oliver.com.
Here's the error in syslog (mirrored in mail.log) on bill-oliver.com trying to talk to list members oliver@billoblog.com and billo@billoblog.com:
Nov 1 21:24:52 mail postfix/smtpd[10193]: NOQUEUE: reject: RCPT from 162-144-108-19.bluehost.com[162.144.108.19]: 454 4.7.1 <oliver@billoblog.com>: Relay access denied; from=<tradfp-bounces+oliver=billoblog.com@bill-oliver.com> to=<oliver@billoblog.com> proto=ESMTP helo=<162-144-108-19.bluehost.com>
Nov 1 21:24:52 mail postfix/smtpd[10193]: disconnect from 162-144-108-19.bluehost.com[162.144.108.19] ehlo=1 mail=2 rcpt=1/2 data=1 rset=1 quit=1 commands=7/8
Nov 1 21:24:52 mail postfix/smtpd[10193]: connect from 162-144-108-19.bluehost.com[162.144.108.19]
Nov 1 21:24:52 mail postfix/smtpd[10193]: NOQUEUE: reject: RCPT from 162-144-108-19.bluehost.com[162.144.108.19]: 454 4.7.1 <billo@billoblog.com>: Relay access denied; from=<tradfp-bounces+billo=billoblog.com@bill-oliver.com> to=<billo@billoblog.com> proto=ESMTP helo=<162-144-108-19.bluehost.com>
Nov 1 21:24:52 mail postfix/smtpd[10193]: disconnect from 162-144-108-19.bluehost.com[162.144.108.19] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=4/5
Nov 1 21:25:48 mail dovecot: auth-worker(10954): Debug: conn unix:auth-worker (pid=10903,uid=116): Disconnected: Connection closed (fd=-1)
Nov 1 21:25:48 mail dovecot: auth-worker(10954): Debug: mysql(localhost): Connection finished (queries=1, slow queries=0)
Nov 1 21:27:28 mail dovecot: auth: Debug: mysql: Connection finished (queries=0, slow queries=0)
FYI, 162-144-108-19.bluehost.com is my ip address and bluehost.com is the VPS vendor. I don't know why that pops up, since the domain is bill-oliver.com. I assume it's VPS-related magic.
Here are similar errors in /opt/mailman/mm/var/logs/smtp.log:
Nov 01 21:22:46 2024 (1573) Available AUTH mechanisms: LOGIN(builtin) PLAIN(builtin)
Nov 01 21:22:46 2024 (1573) Peer: ('162.144.108.19', 51476)
Nov 01 21:22:46 2024 (1573) ('162.144.108.19', 51476) handling connection
Nov 01 21:22:46 2024 (1573) ('162.144.108.19', 51476) >> b'LHLO mail.bill-oliver.com'
Nov 01 21:22:46 2024 (1573) ('162.144.108.19', 51476) >> b'MAIL FROM:<billo@billoblog.com> SIZE=1486 BODY=8BITMIME'
Nov 01 21:22:46 2024 (1573) ('162.144.108.19', 51476) sender: billo@billoblog.com
Nov 01 21:22:46 2024 (1573) ('162.144.108.19', 51476) >> b'RCPT TO:<tradfp@lists.bill-oliver.com>'
Nov 01 21:22:46 2024 (1573) ('162.144.108.19', 51476) recip: tradfp@lists.bill-oliver.com
Nov 01 21:22:46 2024 (1573) ('162.144.108.19', 51476) >> b'DATA'
Nov 01 21:22:46 2024 (1573) ('162.144.108.19', 51476) >> b'QUIT'
Nov 01 21:22:46 2024 (1573) ('162.144.108.19', 51476) connection lost
Nov 01 21:22:46 2024 (1573) ('162.144.108.19', 51476) Connection lost during _handle_client()
Nov 01 21:22:48 2024 (1574) <cbacd3866ebdfeeb706993996ba84e67f7db5ad9.camel@billoblog.com> recipients refused: {'oliver@billoblog.com': (454, b'4.7.1 <oliver@billoblog.com>: Relay access denied')}
Nov 01 21:22:48 2024 (1574) <cbacd3866ebdfeeb706993996ba84e67f7db5ad9.camel@billoblog.com> recipients refused: {'billo@billoblog.com': (454, b'4.7.1 <billo@billoblog.com>: Relay access denied')}
Nov 01 21:22:48 2024 (1574) <cbacd3866ebdfeeb706993996ba84e67f7db5ad9.camel@billoblog.com> smtp to tradfp@bill-oliver.com for 2 recips, completed in 0.27154111862182617 seconds
Nov 01 21:22:48 2024 (1574) <cbacd3866ebdfeeb706993996ba84e67f7db5ad9.camel@billoblog.com> post to tradfp@bill-oliver.com from billo@billoblog.com, 1448 bytes, 2 failures
Nov 01 21:22:48 2024 (1574) <cbacd3866ebdfeeb706993996ba84e67f7db5ad9.camel@billoblog.com> delivery to oliver@billoblog.com failed with code 454, b'4.7.1 <oliver@billoblog.com>: Relay access denied'
Nov 01 21:22:48 2024 (1574) <cbacd3866ebdfeeb706993996ba84e67f7db5ad9.camel@billoblog.com> delivery to billo@billoblog.com failed with code 454, b'4.7.1 <billo@billoblog.com>: Relay access denied'
Nov 01 21:24:11 2024 (1574) <173051065026.1640.13931339026208387550@162-144-108-19.bluehost.com> smtp to tradfp@bill-oliver.com for 1 recips, completed in 0.24669885635375977 seconds
Nov 01 21:24:11 2024 (1574) <173051065026.1640.13931339026208387550@162-144-108-19.bluehost.com> post to tradfp@bill-oliver.com from tradfp-request@bill-oliver.com, 1222 bytes
I have gone over my main.cf and master.cf a zillion times. Worse, I've compared them with the same files in the setup that works, and I can't find a significant error (though things are in a slightly different order). I don't know if I'm missing something big or am just a poor proofreader.
Any ideas would be appreciated.
Here's the obligatory main.cf and master.cf in /etc/postfix. I use dovecot and virtual domains and virtual mailboxes administered using postfixadmin.
Here's the main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6

#Enable TLS Encryption when Postfix receives incoming emails
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.bill-oliver.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.bill-oliver.com/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

#Enable TLS Encryption when Postfix sends outgoing emails
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

transport_maps = hash:/opt/mailman/mm/var/data/postfix_lmtp
local_recipient_maps = hash:/opt/mailman/mm/var/data/postfix_lmtp
relay_domains = hash:/opt/mailman/mm/var/data/postfix_domains

myhostname = mail.bill-oliver.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mail.bill-oliver.com bill-oliver.com lists.bill-oliver.com
virtual_mailbox_limit = 0
mailbox_size_limit = 0
message_size_limit = 0

recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

#Enforce TLSv1.3 or TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

mailbox_transport = lmtp:unix:private/dovecot-lmtp
smtputf8_enable = no

virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_alias_maps =
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
    proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
    hash:/opt/mailman/mm/var/data/postfix_vmap
#virtual_transport = lmtp:unix:private/dovecot-lmtp

virtual_mailbox_base = /var/vmail
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000

policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf

smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    defer_unauth_destination

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

unknown_local_recipient_reject_code = 550
###########################################
Here's the master.cf (comments deleted) :
smtp      inet  n       -       y       -       -       smtpd

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr

tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
  -o syslog_name=postfix/$service_name

showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd

uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

policyd-spf unix -      n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf
Thanks,
billo
On 11/1/24 19:07, Bill Oliver wrote:
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mail.bill-oliver.com bill-oliver.com lists.bill-oliver.com
I suspect this is the issue. mynetworks is a list of network addresses or network/netmask patterns. Domain names don't work. set
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 162.144.108.19
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
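An added example, not part of either poster's message: a small lint for a mynetworks value that applies the rule stated in the reply above (only addresses and network/netmask patterns match, so hostnames are flagged) and reports whether a given client falls under permit_mynetworks. The function names are hypothetical, lookup-table entries are recognised but not read, and the two settings and the client address are the ones quoted in this thread.

```python
import ipaddress
import re

# Values quoted in the thread: the original setting and the suggested fix.
BROKEN = ("127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 "
          "mail.bill-oliver.com bill-oliver.com lists.bill-oliver.com")
FIXED = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 162.144.108.19"


def parse_mynetworks(value):
    """Classify each entry as 'network', 'lookup' or 'invalid'."""
    entries = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        negate = token.startswith("!")
        body = token[1:] if negate else token
        # Postfix writes IPv6 as [addr]/len; ipaddress expects addr/len.
        candidate = re.sub(r"^\[(.+)\](/\d+)?$", r"\1\2", body)
        try:
            net = ipaddress.ip_network(candidate, strict=False)
            entries.append(("network", negate, net))
        except ValueError:
            # /file/name and type:table entries are lookups, not evaluated here.
            is_lookup = body.startswith("/") or re.match(r"^[a-z]+:", body)
            entries.append(("lookup" if is_lookup else "invalid", negate, body))
    return entries


def invalid_entries(value):
    """Entries that are not addresses, CIDR blocks or lookups."""
    return [item for kind, _, item in parse_mynetworks(value) if kind == "invalid"]


def client_trusted(value, client_ip):
    """First matching network decides; a '!' entry excludes the client."""
    ip = ipaddress.ip_address(client_ip)
    for kind, negate, item in parse_mynetworks(value):
        if kind == "network" and ip in item:
            return not negate
    return False


if __name__ == "__main__":
    for name, value in (("original", BROKEN), ("suggested", FIXED)):
        print(name, "invalid:", invalid_entries(value),
              "162.144.108.19 trusted:", client_trusted(value, "162.144.108.19"))
```

With the original value the client 162.144.108.19 matches no entry, so the smtpd_relay_restrictions list in the posted main.cf falls through to defer_unauth_destination, which is the 454 seen in the logs.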
On Sat, 2024-11-02 at 16:48 -0700, Mark Sapiro wrote:
On 11/1/24 19:07, Bill Oliver wrote:
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mail.bill-oliver.com bill-oliver.com lists.bill-oliver.com
I suspect this is the issue. mynetworks is a list of network addresses or network/netmask patterns. Domain names don't work. set
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 162.144.108.19
Doh. That was exactly it. Thanks. There's another 20 hours of my life I'll never get back again... I ended up having to add my explicit IP address, but I dropped the names and it worked. Now it's running like a charm.
Thank you so much.
billo