3. Postfix package - relay access denied

Postfix package - relay access denied

  • D

    Hi there,

    I recently installed the postfix package and configured it in a real quick-and-dirty way.

    Just added the following configuration variables:

    • Listen Interfaces: loopback, LAN, OPT1 (NAT from external CARP-IP to localhost:25)
    • Custom main.cf: myhostname, smtp_helo_name (seem to be ignored totally)
    • Domains: 2 domains (domainA.tld, domainB.tld), both backed with the same mailserver IP
    • Recipients: tried it with nothing configured and manually configured in these ways => domainA.tld OK, domainB.tld OK, @domainA.tld OK, @domainB.tld OK, username@domainA.tld OK, username@domainB.tld OK
    • AccessLists: mynetworks (local network and one CIDR I can trust)
    • Antispam: Header Verification Basic

    But I always get an "relay access denied"-error.

    <snip>telnet aa.bb.cc.dd 25
    Trying aa.bb.cc.dd…
    Connected to aa.bb.cc.dd.
    Escape character is '^]'.
    220 <wrong hostname="">ESMTP Postfix
    helo host.domain.tld
    250 <wrong hostname="">mail from: user@domain.tld
    250 2.1.0 Ok
    rcpt to: username@domainA.tld
    554 5.7.1 username@domaina.tld: Relay access denied
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

    What am I doing wrong? Maybe I'm actually blind... ;-)

    Thanks for any advice.

    Best regards, Tim/username@domaina.tld</wrong></wrong></snip>

    0

  • Include your internal smtp servers on MyNetworks field at package Access List tab.

    0
  • D

    Hi,

    thanks for your answer. That's what I already tried, but had no success. :-(

    Any other idea?

    Regards, Tim

    0

  • The wrong SMTP info was just a telnet sample or an error you are getting always?

    Enable postfix logging and check if it alerts any missing/wrong configuration.

    0
  • D

    Hi there,

    I just enabled the logging to /var/log/maillog but the file stays empty. Even after a stop and start of the service.

    Here's my main.cf:

    #main.cf\
#Part of the Postfix package for pfSense
#Copyright (C) 2010 Erik Fonnesbeck
#Copyright (C) 2011 Marcello Coutinho
#All rights reserved.
#DO NOT EDIT THIS FILE

mynetworks = /usr/local/etc/postfix/mynetwork_table
mynetworks_style = host
myhostname=smtp-in.domain.tld
smtp_helo_name=smtp-in.domain.tld
relay_domains = domainA.tld domainB.tld
transport_maps = hash:/usr/local/etc/postfix/transport
local_recipient_maps =
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
mydestination =
mynetworks_style = host
message_size_limit = 10240000
default_process_limit = 100
#Just reject after helo,sender,client,recipient tests
smtpd_delay_reject = yes

# Don't talk to mail systems that don't know their own hostname.
smtpd_helo_required = yes
smtpd_helo_restrictions = 

smtpd_sender_restrictions = reject_unknown_sender_domain,
				permit

# Allow connections from specified local clients and rbl check everybody else if rbl check are set.
smtpd_client_restrictions = permit_mynetworks,
				reject_unauth_destination,
				check_sender_access hash:/usr/local/etc/postfix/sender_access,
				check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
				check_client_access cidr:/usr/local/etc/postfix/cal_cidr
				permit

# Whitelisting: local clients may specify any destination domain.
#,
smtpd_recipient_restrictions = permit_mynetworks, 
				reject_unauth_destination,
				check_sender_access hash:/usr/local/etc/postfix/sender_access,
				check_client_access pcre:/usr/local/etc/postfix/cal_pcre,
				check_client_access cidr:/usr/local/etc/postfix/cal_cidr,
				reject_spf_invalid_sender,
				permit

postscreen_access_list = permit_mynetworks,
			cidr:/usr/local/etc/postfix/cal_cidr
postscreen_dnsbl_action= enforce
postscreen_blacklist_action= enforce

    Any idea?

    Regards, Tim

    0

  • smtp port is listening but no mail is going through postfix?

    Do you have a nat rule on same port forwarding it direct to internal mail server?

    Or are you on nanobsd?

    0
  • D

    Hi,

    as I said before, connection is established to the postfix running on the pfSense. There's only one NAT-rule from CARP-IP:25 to localhost:25 for using a virtual IP. The virtual IP isn't used in another way.

    I'm running it on an amd64 system.

    Regards, Tim

    0
  • L

    what version of pfsense are you using? if it 2.1_x64, you need to copy /usr/local/etc/postfix files to /usr/pbi/postfix-amd64/etc/postfix as the config reads from the old location. you can see where the config file is reading in main.cf. it's the first line above #main.cf\ and is most likely /usr/local/etc/postfix/main.cf
    you will need to do this every time you do an upgrade until marcelloc does the fix

    I also had issues until i placed 2,6s into the greet time under antispam.

    see here:
    http://forum.pfsense.org/index.php/topic,50519.0.html

    0
  • D

    Thanks, that did the trick! :-)

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy