Postfix package - relay access denied



  • Hi there,

    I recently installed the postfix package and configured it in a real quick-and-dirty way.

    Just added the following configuration variables:

    • Listen Interfaces: loopback, LAN, OPT1 (NAT from external CARP-IP to localhost:25)
    • Custom main.cf: myhostname, smtp_helo_name (seem to be ignored totally)
    • Domains: 2 domains (domainA.tld, domainB.tld), both backed with the same mailserver IP
    • Recipients: tried it with nothing configured and manually configured in these ways => domainA.tld OK, domainB.tld OK, @domainA.tld OK, @domainB.tld OK, username@domainA.tld OK, username@domainB.tld OK
    • AccessLists: mynetworks (local network and one CIDR I can trust)
    • Antispam: Header Verification Basic

    But I always get a "relay access denied" error.

    <snip>
    telnet aa.bb.cc.dd 25
    Trying aa.bb.cc.dd…
    Connected to aa.bb.cc.dd.
    Escape character is '^]'.
    220 <wrong hostname> ESMTP Postfix
    helo host.domain.tld
    250 <wrong hostname>
    mail from: user@domain.tld
    250 2.1.0 Ok
    rcpt to: username@domainA.tld
    554 5.7.1 username@domaina.tld: Relay access denied
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
    </snip>

    What am I doing wrong? Maybe I'm actually blind... ;-)

    Thanks for any advice.

    Best regards, Tim



  • Include your internal SMTP servers in the MyNetworks field on the package's Access List tab.



  • Hi,

    thanks for your answer. That's what I already tried, but had no success. :-(

    Any other idea?

    Regards, Tim



  • Was the wrong SMTP info just a telnet sample, or an error you are always getting?

    Enable postfix logging and check if it alerts any missing/wrong configuration.



  • Hi there,

    I just enabled the logging to /var/log/maillog but the file stays empty. Even after a stop and start of the service.

    Here's my main.cf:

    #main.cf\
    #Part of the Postfix package for pfSense
    #Copyright (C) 2010 Erik Fonnesbeck
    #Copyright (C) 2011 Marcello Coutinho
    #All rights reserved.
    #DO NOT EDIT THIS FILE
    
    mynetworks = /usr/local/etc/postfix/mynetwork_table
    mynetworks_style = host
    myhostname=smtp-in.domain.tld
    smtp_helo_name=smtp-in.domain.tld
    relay_domains = domainA.tld domainB.tld
    transport_maps = hash:/usr/local/etc/postfix/transport
    local_recipient_maps =
    relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
    mydestination =
    mynetworks_style = host
    message_size_limit = 10240000
    default_process_limit = 100
    #Just reject after helo,sender,client,recipient tests
    smtpd_delay_reject = yes
    
    # Don't talk to mail systems that don't know their own hostname.
    smtpd_helo_required = yes
    smtpd_helo_restrictions = 
    
    smtpd_sender_restrictions = reject_unknown_sender_domain,
    				permit
    
    # Allow connections from specified local clients and rbl check everybody else if rbl check are set.
    smtpd_client_restrictions = permit_mynetworks,
    				reject_unauth_destination,
    				check_sender_access hash:/usr/local/etc/postfix/sender_access,
    				check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
    				check_client_access cidr:/usr/local/etc/postfix/cal_cidr
    				permit
    
    # Whitelisting: local clients may specify any destination domain.
    #,
    smtpd_recipient_restrictions = permit_mynetworks, 
    				reject_unauth_destination,
    				check_sender_access hash:/usr/local/etc/postfix/sender_access,
    				check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
    				check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
    				reject_spf_invalid_sender,
    				permit
    
    postscreen_access_list = permit_mynetworks,
    			cidr:/usr/local/etc/postfix/cal_cidr
    postscreen_dnsbl_action= enforce
    postscreen_blacklist_action= enforce
    

    Any idea?

    Regards, Tim



  • The SMTP port is listening but no mail is going through postfix?

    Do you have a NAT rule on the same port forwarding it directly to the internal mail server?

    Or are you on nanobsd?



  • Hi,

    as I said before, connection is established to the postfix running on the pfSense. There's only one NAT-rule from CARP-IP:25 to localhost:25 for using a virtual IP. The virtual IP isn't used in another way.

    I'm running it on an amd64 system.

    Regards, Tim



  • What version of pfSense are you using? If it is 2.1_x64, you need to copy the /usr/local/etc/postfix files to /usr/pbi/postfix-amd64/etc/postfix, as the config reads from the old location. You can see where the config file is reading in main.cf. It's the first line above #main.cf\ and is most likely /usr/local/etc/postfix/main.cf
    You will need to do this every time you do an upgrade until marcelloc does the fix.

    I also had issues until I placed 2,6s into the greet time under antispam.

    see here:
    http://forum.pfsense.org/index.php/topic,50519.0.html
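
A drift check for the situation described in the post above, added here as an example (it is not part of the thread or of the pfSense package): it lists files the package wrote to /usr/local/etc/postfix that are missing from, or differ in, the directory Postfix actually reads. The function names are hypothetical; `postconf -h config_directory` is used when available, otherwise the PBI path from the post is assumed.

```sh
#!/bin/sh
# Added example: detect when the running Postfix reads a different (stale or
# empty) config directory than the one the package GUI writes to. In that case
# settings such as relay_domains and mynetworks never take effect.

# Directory the installed Postfix reads its main.cf from.
live_config_dir() {
    if command -v postconf >/dev/null 2>&1; then
        postconf -h config_directory
    else
        echo "/usr/pbi/postfix-amd64/etc/postfix"   # assumption: path from the post
    fi
}

# Print one line per drifted file: "MISSING <name>" or "DIFFERS <name>".
# Returns 0 when LIVE matches SRC, 1 on drift, 2 on a bad argument.
config_drift() {
    src=$1 live=$2 drift=0
    [ -d "$src" ]  || { echo "no such directory: $src" >&2; return 2; }
    [ -d "$live" ] || { echo "no such directory: $live" >&2; return 2; }
    for f in "$src"/*; do
        [ -f "$f" ] || continue              # skip subdirectories and empty globs
        name=${f##*/}
        if [ ! -f "$live/$name" ]; then
            echo "MISSING $name"; drift=1
        elif ! cmp -s "$f" "$live/$name"; then
            echo "DIFFERS $name"; drift=1    # also catches stale .db lookup tables
        fi
    done
    return $drift
}

# Usage: sh drift.sh check [generated_dir] [live_dir]
# Without "check" the script only defines the functions.
if [ "${1:-}" = "check" ]; then
    config_drift "${2:-/usr/local/etc/postfix}" "${3:-$(live_config_dir)}"
fi
```

Run after each package upgrade; any output means the daemon is not using the generated configuration.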



  • Thanks, that did the trick! :-)

