Relay Access Denied Postfix/Dovecot 554 5.7.1

Discussion in 'Server Operation' started by ADC IT, Mar 12, 2016.

  1. ADC IT

    ADC IT New Member

    Hi All,
    Could someone please point me in the right direction?
    I've followed this tutorial https://www.howtoforge.com/tutorial/perfect-server-debian-8-jessie-apache-bind-dovecot-ispconfig-3/
    I am able to send/receive email from localhost however external clients are unable to relay and they're given an error code of 554.5.7.1.
    Additionally I always check the box "Server Requires Authentication"

    My postconf -n:
    Telnet to localhost:
    Any help would be appreciated
     
  2. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Is your smtp port firewalled? Did you try your telnet session from another server / your desktop?
    If connection itself is working, did you enable pop3 before smtp authentification? With SSL/TLS enabled?
    What's the /var/log/mail.info showing exactly?

    Just to sort out misunderstandings, do you want authentificated clients be able to relay mail using your postfix like <someclient> can use any <from> address?

    Edit: Please also post your master.cf
     
  3. ADC IT

    ADC IT New Member

    Hi,
    Yes i've forwarded the associated ports to the local machine through the firewall and successfully connected through telnet on port 25.
    I'm going to be hosting multiple email accounts from various domain names so I just need them to authenticate for their own domain/email.
    The contents of my /var/log/mail.info is:
     
  4. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Aww, probably did edit my post lil too late.
    So you're behind a NAT? Just wanted to make sure your postfix/master.cf is setup properly.

    Did you also forward other mail specific ports like 110,143,587,993,995 ? You probably need to auth against dovecot either pop3(s) or imap(s) before attempting to send mail if connection is not from mynetworks sources.
     
  5. ADC IT

    ADC IT New Member

    I have all the ports correctly configured and i know its just a configuration error as i've had it before when using this tutorial but i cant remember how I managed to fix the issue.
     
  6. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Hmm can't find anything wrong, what's your master.cf?
    You could try adding
    Code:
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    
    to your submission/smtps options list
     
  7. ADC IT

    ADC IT New Member

    Yes i've added this to the master.cf
     
  8. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    You did not uncomment
    #submission inet n - - - - smtpd
    which effectively sets the -o options valid for the smtp section.
     
    ADC IT likes this.
  9. ADC IT

    ADC IT New Member

    Excellent that's solved it!!!

    Many thanks indeed...
     
    ztk.me likes this.
  10. ADC IT

    ADC IT New Member

    Additionally and sorry to be a pain but when connecting using IMAP/SSL & SMTP/SSL to connect my outlook client, IMAP/SSL connects without fail but SMTP/SSL fails saying that the server does not support that encryption method.

    Any clues as to what that could be?
     
  11. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    hmm some guessing:
    Code:
    #this is missing, you might need to generate a new cert
    #smtpd_tls_CAfile = /etc/postfix/cacert.pem
    
    #enable some debug logging before we mess around with the certs
    smtpd_tls_loglevel = 3
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    
    First check if there are any issues by watching the mail.info with
    tail -f /var/log/mail.info
    when attempting to send using smtps.

    If there's no reason why it shouldn't work, try uncommenting the smtpd_tls_CAfile option and generate cert like:
    Code:
    openssl genrsa -des3 -out mail.domain.tld.key 2048
    chmod 600 mail.domain.tld.key
    openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr
    openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt
    openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
    mv mail.domain.tld.key.nopass mail.domain.tld.key
    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
    chmod 600 mail.domain.tld.key
    chmod 600 cakey.pem
    
    
    taken from here.
     

Share This Page