Email sending issues

Discussion in 'General' started by dcowan-london, Sep 29, 2020.

  1. dcowan-london

    dcowan-london New Member

    Hi,
    A few months ago I had an issue with my server being used to send a lot of spam. I followed the instructions here (howtoforge.com/hardening-postfix-for-ispconfig-3) and the issue has gone away, however since then I'm not able to send external emails. Receiving is fine, sending emails between local users is fine, but sending to external hosts gives:
    Code:
    Sep 29 17:11:40 myserverhostname postfix/smtpd[24480]: connect from localhost[127.0.0.1]
    Sep 29 17:11:40 myserverhostname postfix/smtpd[24480]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 454 4.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost>
    Sep 29 17:11:40 myserverhostname amavis[18196]: (18196-09) Negative SMTP resp. to DATA: 554 5.5.1 Error: no valid recipients
    Sep 29 17:11:40 myserverhostname postfix/smtpd[24480]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6
    Sep 29 17:11:40 myserverhostname amavis[18196]: (18196-09) (!)AK7a4uyPCQmx FWD from <[email protected]> -> <[email protected]>, BODY=7BIT 454 4.7.1 from MTA(smtp:[127.0.0.1]:10027): 454 4.7.1 <[email protected]>: Relay access denied
    Sep 29 17:11:40 myserverhostname amavis[18196]: (18196-09) Blocked MTA-BLOCKED {TempFailedOutbound}, ORIGINATING LOCAL [::1]:59740 <[email protected]> -> <[email protected]>, Queue-ID: CB119B832C1, Message-ID: <[email protected]>, mail_id: AK7a4uyPCQmx, Hits: -0.998, size: 4924, dkim_new=default:domainmyserverhosts.co.uk, 5380 ms
    Sep 29 17:11:40 myserverhostname postfix/smtp[24477]: CB119B832C1: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=6.2, delays=0.78/0/0.01/5.4, dsn=4.7.1, status=deferred (host 127.0.0.1[127.0.0.1] said: 454 4.7.1 id=18196-09 - Temporary MTA failure on relaying, from MTA(smtp:[127.0.0.1]:10027): 454 4.7.1 <[email protected]>: Relay access denied (in reply to end of DATA command))
    Sending to a local alias to the same address as above works. That is, if I create an alias for `[email protected]` to `[email protected]`, the email goes through with no issues.

    Here is my postconf -n:
    Code:
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    append_dot_mydomain = no
    biff = no
    body_checks = regexp:/etc/postfix/body_checks
    broken_sasl_auth_clients = yes
    compatibility_level = 2
    content_filter = amavis:[127.0.0.1]:10024
    dovecot_destination_recipient_limit = 1
    greylisting = check_policy_service inet:127.0.0.1:10023
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = all
    inet_protocols = all
    mailbox_size_limit = 0
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    message_size_limit = 0
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    mydestination = serverhostname.net, localhost, localhost.localdomain
    myhostname = ipaddressreverselookupaddress
    mynetworks = 127.0.0.0/8 [::1]/128
    myorigin = /etc/mailname
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    owner_request_special = no
    postscreen_greet_action = enforce
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    readme_directory = /usr/share/doc/postfix
    receive_override_options = no_address_mappings
    recipient_delimiter = +
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtp_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_client_message_rate_limit = 100
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
    smtpd_relay_restrictions = permit_sasl_authenticated defer_unauth_destination
    smtpd_restriction_classes = greylisting
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    strict_rfc821_envelopes = yes
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_transport = dovecot
    virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
    
    I've spent weeks trying to work this out.

    Thank you in advance!
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I would say your e-mail setup is wrong somehow. I do not know what is wrong.
    But there is a link in my signature to a tutorial on setting up e-mail on ISPConfig. Compare what you have done to that tutorial, and read the testing instructions.
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That tutorial really needs a warning label or even removed, it was quite dated a few years back when I first looked at it, and is almost entirely unneeded now, if not harmful in places (though to be fair, I have not read through the comments recently, maybe they update things more). The one good recommendation it has is running postscreen, but the configuration is very incomplete and doesn't come with any warning that you better ensure your customers are sending on port 465 or 587 (though someone did mention it in the comments).

    It may sound obvious, but undo the changes you made, including (especially) the changes to master.cf. Ensure your clients send on port 465 or 587 and use authentication.

    If still stuck, post your current main.cf and master.cf at the time, and the error message you are getting when trying to send then, if different.
     
  4. dcowan-london

    dcowan-london New Member

    Hi,
    I replaced master.cf and main.cf with their defaults (from /usr/share/postfix) and redid the changes to master.cf from the Perfect Server guide. I then ran php -q update.php and reconfigured services. The mailqueue cleared almost immediately (before I had a chance to empty it! I'm not looking forward to the expected phone calls and emails - "why do I have five copies of an email from a month ago"! :) ) and sending seems to work now.

    @Jesse Norell Clients were always using TLS on port 465.

    @Taleman I've had a look at the link in your signature. My server has two static IPs. One is just for inbound connections and the other is for outbound. On the inbound IP I have port 25, 465 etc open. On the outbound IP I have no open ports. I've set the hostname in postfix to the rDNS for the outbound connection. Does this sound like an issue? I used `mail-tester.com` to test how my emails are coming out and when the rDNS was set correctly, I got "HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)". When the hostname was set to `myhostname.localhost` I got "Your IP address myip is associated with the domain correctrDNS. Nevertheless your message appears to be sent from myhostname.localhost. You may want to change your pointer (PTR type) DNS record and the host name of your server to the same value.". Should I use the correct rDNS?

    I'm just worried about spam now. Before using the "Mail hardening guide", I had a huge problem with my server being an open relay. mxtoolbox says that my server "may be an open relay", but I'm pretty certain it isn't and that's fine. Should I be worried?

    Thank you!
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    If you followed the perfect server guide, then your server is definitely not an open relay, so you should not worry about that. Some open relay testers give wrong results when you enter an email address that is hosted on that server, as they cannot tell that the email they were able to send was not relayed but delivered locally instead. So if you use an open relay tester that requests an email address for the test, use an email address that's not on the server, like a Gmail address.
     
  6. dcowan-london

    dcowan-london New Member

    Thank you for this! Yes, I've tested now using your advice and I got "Relay access denied".
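
Added example (not part of the thread, and not ISPConfig or Postfix code): a simplified Python model of how Postfix walks `smtpd_relay_restrictions` and then `smtpd_recipient_restrictions` for one RCPT, using the lists from the first post. It reproduces the 454 logged for the localhost connection under those lists and shows why an open-relay test needs a recipient that is not hosted on the server. `hosted.example`, `external.example` and 203.0.113.10 are constructed placeholders; master.cf overrides, RBL lookups and access maps are not modelled.

```python
import ipaddress
import re

# Values from the postconf -n output in the first post (access-map entries omitted).
MYNETWORKS = "127.0.0.0/8 [::1]/128"
RELAY = "permit_sasl_authenticated defer_unauth_destination"
RECIPIENT = ("permit_mynetworks, permit_sasl_authenticated, "
             "reject_unauth_destination, reject_rbl_client zen.spamhaus.org")
# Constructed placeholder for the domains this server hosts (not from the thread).
HOSTED = {"hosted.example"}

def parse_networks(value):
    """Turn a mynetworks string into ipaddress network objects."""
    return [ipaddress.ip_network(n.replace("[", "").replace("]", ""))
            for n in value.split()]

def evaluate(restrictions, client_ip, authenticated, rcpt, hosted=HOSTED):
    """Walk one restriction list; return 'permit', 'defer', 'reject' or 'dunno'."""
    ip = ipaddress.ip_address(client_ip)
    local_rcpt = rcpt.rsplit("@", 1)[1].lower() in hosted
    for name in re.split(r"[,\s]+", restrictions.strip()):
        if name == "permit_mynetworks" and any(
                ip.version == n.version and ip in n
                for n in parse_networks(MYNETWORKS)):
            return "permit"
        if name == "permit_sasl_authenticated" and authenticated:
            return "permit"
        if name == "defer_unauth_destination" and not local_rcpt:
            return "defer"    # 4xx, e.g. "454 4.7.1 ... Relay access denied"
        if name == "reject_unauth_destination" and not local_rcpt:
            return "reject"   # 5xx
        # Anything else (RBL lookups, access maps) is not modelled here.
    return "dunno"

def rcpt_decision(client_ip, authenticated, rcpt, relay=RELAY, recipient=RECIPIENT):
    """Relay list first, then recipient list; a permit only ends its own list."""
    for restrictions in (relay, recipient):
        verdict = evaluate(restrictions, client_ip, authenticated, rcpt)
        if verdict in ("defer", "reject"):
            return verdict
    return "accept"

if __name__ == "__main__":
    probe = "203.0.113.10"  # constructed outside client (documentation range)
    print(rcpt_decision("127.0.0.1", False, "user@external.example"))  # localhost, unauthenticated
    print(rcpt_decision(probe, False, "user@hosted.example"))    # tester with a hosted address
    print(rcpt_decision(probe, False, "user@external.example"))  # tester with an outside address
```

An "accept" for the hosted address is local delivery, not relaying; only the result for the outside address says anything about open-relay status.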
     
