Postfix "relay access denied" for incoming mail?
Hi,
I'm attempting to set up a small mail server with Postfix, Dovecot, and MySQL (MariaDB), following this Linode guide. I've also configured SSL with Let's Encrypt. It's my second attempt; the previous one was unsuccessful using another non-Linode guide.
So far I haven't set up rDNS, DMARC, SPF, etc. (which I will still attempt later), but sending emails with the mail command already works great. They don't end up in spam or get rejected.
Receiving mail doesn't work! Here's the error message from /var/log/mail.log:
Jan 13 09:27:39 [hostname] postfix/smtpd[1016]: connect from mx1.riseup.net[198.252.153.129]
Jan 13 09:27:40 [hostname] postfix/smtpd[1016]: NOQUEUE: reject: RCPT from mx1.riseup.net[198.252.153.129]: 554 5.7.1 <info@[domain].net>: Relay access denied; from=<[user]@riseup.net> to=<info@[domain].net> proto=ESMTP helo=<mx1.riseup.net>
Jan 13 09:27:40 [hostname] postfix/smtpd[1016]: disconnect from mx1.riseup.net[198.252.153.129] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8
riseup.net is the email provider that I sent the message from for testing purposes. I also tried Gmail with the same outcome.
I've set up A/AAAA records for [hostname].[domain].net, as well as an MX record also for [hostname].[domain].net.
My /etc/hosts file looks as follows:
127.0.0.1 localhost.localdomain localhost
127.0.1.1 [hostname].[domain].net [hostname] # FQDN
# The following lines are desirable for IPv6 capable hosts
::1 localhost localhost.localdomain ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
#
1.1.1.1 [hostname].[domain].net [hostname] [domain].net www.[domain].net
11::11::11::11 [hostname].[domain].net [hostname] [domain].net www.[domain].net
The Linode guide doesn't specify the FQDN on the second line, but I already know that it's needed for later from another Linode guide.
Here's my /etc/postfix/main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/[hostname].[domain].net/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/[hostname].[domain].net/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtp_tls_security_level=may
smtpd_tls_security_level=may
smtpd_sasl_security_options=noanonymous,noplaintext
smtpd_sasl_tls_security_options=noanonymous
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Authentication
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
# Restrictions
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    reject_unauth_destination
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination
myhostname = [hostname].[domain].net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydomain = [domain].net
myorigin = $mydomain
mydestination = $myhostname, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# Even more Restrictions and MTA params
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
#smtpd_etrn_restrictions = reject
#smtpd_reject_unlisted_sender = yes
#smtpd_reject_unlisted_recipient = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
#smtpd_hard_error_limit = 1
smtpd_timeout = 30s
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h
# Reply Rejection Codes
invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
The Linode guide only puts "localhost" as mydestination, but I've tried that, too, with the same outcome.
It also defines "example.com" as myhostname, mydomain, and myorigin, which is confusing?
Is the relay access problem related to the mail server domain being [hostname].[domain].net, but the user email address info@[domain].net?
Virtual users, currently only info, are set up in the MySQL database, which stores their username, encrypted password, and mail storage path. I haven't set up any aliases.
Any suggestions?
Thank you.
1 Reply
✓ Best Answer
I found my error! I somehow forgot to add these lines to the /etc/postfix/main.cf:
# Handling of local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp
# Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
    mysql:/etc/postfix/mysql-virtual-email2email.cf
I also needed to set mydestination = $myhostname, localhost, instead of only localhost.
The guide also contains an error. Under "Configuring Dovecot" under point 3, it proposes to set mail_privileged_group = mail, but a couple of lines below, a group named vmail is created. It should state mail_privileged_group = vmail instead.
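Why the question's main.cf answered "Relay access denied" for info@[domain].net, shown as an added example (not part of the original posts or the Linode guide): a simplified Python model of the domain lists that reject_unauth_destination consults. mail.example.net and example.net are placeholders for the redacted names, unset parameters fall back to Postfix 3.x defaults, and lookup tables are reported rather than queried.

```python
import re
# Domain lists checked by reject_unauth_destination, with Postfix 3.x defaults.
DEFAULTS = {"mydestination": "$myhostname, localhost.$mydomain, localhost",
            "virtual_mailbox_domains": "$virtual_mailbox_maps",
            "virtual_alias_domains": "$virtual_alias_maps",
            "relay_domains": ""}

def parse_main_cf(text):
    """Skip comments/blanks, join continuation lines; last assignment wins."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:   # continuation of previous parameter
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (s.strip() for s in line.split("=", 1))
            params[current] = value
    return params

def expand(value, params, depth=0):
    # Expand $name / ${name}; unset names expand to the empty string.
    out = re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)
    return expand(out, params, depth + 1) if "$" in out and depth < 10 else out

def classify(domain, params):
    """Return ('accepted', param), ('lookup', [tables]) or ('denied', None)."""
    tables = []
    for name, default in DEFAULTS.items():
        for item in re.split(r"[,\s]+", expand(params.get(name, default), params)):
            if ":" in item:                 # type:name table: reported, not queried
                tables.append(f"{name} = {item}")
            elif item and item.lower() == domain.lower():   # exact match only
                return "accepted", name
    return ("lookup", tables) if tables else ("denied", None)

# Constructed samples; example.net stands in for the page's redacted [domain].net.
BEFORE = """
myhostname = mail.example.net
mydestination = $myhostname, localhost, localhost.localdomain
"""
AFTER = BEFORE.replace("localhost, localhost.localdomain", "localhost") + """
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
    mysql:/etc/postfix/mysql-virtual-email2email.cf
"""

if __name__ == "__main__":
    print([classify("example.net", parse_main_cf(c)) for c in (BEFORE, AFTER)])
```

A "lookup" verdict means the answer depends on the table contents; on the server, `postmap -q example.net mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf` shows whether the domain is actually returned.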