smtp host : Relay access denied


bluethundr

Technical User
Jan 4, 2009
31
US
I've just built a postfix server in amazon EC2 with an elastic IP, and I found that while I can connect to and send emails to my mail server when I telnet to localhost, when I telnet to the external FQDN I get relay denied.

I'll first demonstrate success, then failure.
Code:
root@mail:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix (Ubuntu)
HELO mail.example.com
250 mail.example.com
MAIL FROM: <bluethundr@external.com>
250 2.1.0 Ok
RCPT TO: <bluethundr@example.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test to internal localhost
.
250 2.0.0 Ok: queued as B97CA24B8B
quit

And the logs confirm success:
Code:
Mar 15 19:27:35 mail postfix/smtpd[5294]: B97CA24B8B: client=localhost[127.0.0.1]
Mar 15 19:28:18 mail postfix/cleanup[5306]: B97CA24B8B: message-id=<20140315192735.B97CA24B8B@mail.example.com>
Mar 15 19:28:18 mail postfix/qmgr[5221]: B97CA24B8B: from=<bluethundr@external.com>, size=356, nrcpt=1 (queue active)
Mar 15 19:28:18 mail postfix/cleanup[5306]: AD51725096: message-id=<20140315192735.B97CA24B8B@mail.example.com>
Mar 15 19:28:18 mail amavis[3401]: (03401-09) Passed BAD-HEADER-1 {RelayedOutbound,Quarantined}, LOCAL [127.0.0.1]:58766 [127.0.0.1] <bluethundr@external.com> -> <bluethundr@example.com>, quarantine: W/badh-WyjD4kEQ4Mls, Queue-ID: B97CA24B8B, Message-ID: <20140315192735.B97CA24B8B@mail.example.com>, mail_id: WyjD4kEQ4Mls, Hits: -, size: 356, queued_as: AD51725096, 140 ms
Mar 15 19:28:18 mail postfix/smtp[5317]: B97CA24B8B: to=<bluethundr@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=51, delays=51/0.03/0/0.16, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as AD51725096)
Mar 15 19:28:18 mail postfix/qmgr[5221]: B97CA24B8B: removed

However, if I telnet to the externally available FQDN (from the mail server) I get a relay denied error:

Code:
root@mail:~# telnet mail.example.com 25
Trying xx.xx.xx.xx...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix (Ubuntu)
HELO mail.example.com
250 mail.example.com
MAIL FROM: <bluethundr@external.com>
250 2.1.0 Ok
RCPT TO: <bluethundr@example.com>
454 4.7.1 <bluethundr@example.com>: Relay access denied

In the logs when I try to telnet to the FQDN, I see this:
Code:
Mar 15 19:38:00 mail postfix/smtpd[5392]: NOQUEUE: reject: RCPT from unknown[xx.xx.xx.xx]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<bluethundr@external.com> to=<bluethundr@example.com> proto=SMTP helo=<mail.example.com>

I've done some googling on this, and often people do cite this setting as a potential cause of this situation. Here's mine:
Code:
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,  reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit

Here is the output of postconf -n

Code:
root@mail:~# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
delay_warning_time = 4h
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps =
mailbox_size_limit = 0
masquerade_domains = mail.example.com example.com !sub.dyndomain.com
masquerade_exceptions = root
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
mydestination =
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
myorigin = example.com
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 16
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes

Another potential trouble area may be that I can't seem to telnet to port 25 remotely from my work station:
Code:
[me@home:~] #telnet mail.example.com 25
Trying xx.xx.xx.xx..
telnet: connect to address xx.xx.xx.xx: Operation timed out
telnet: Unable to connect to remote host

As mentioned this is an amazon EC2 instance, but I have opened up port 25 on the security groups and made sure that ufw (the ubuntu firewall) was not running on the instance.

I'd definitely appreciate your esteemed advice on this!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apollo: “I will not serve under a man who questions my integrity.”

Adama: “And I won’t have an officer under my command who doesn’t have any.”


This is my public RSA key: F186197B
Key fingerprint = 4341 204A FC44 11E2 3F7D 2B00 AF72 A4E6 F186 197B
GPG me!!!
 
Hey all,

I fixed the problem with being able to access the FQDN of the mail host via telnet from the command line by editing mynetworks to contain the name of the mail host:

Code:
mynetworks = 127.0.0.0/8 mail.example.com

But it appears that mail IS making its way to the mail server, but being rejected once it arrives.

Here's an example of a mail rejected from yahoo

Code:
Mar 16 02:27:58 mail postfix/smtpd[22335]: connect from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]
Mar 16 02:27:59 mail postfix/smtpd[22335]: Anonymous TLS connection established from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 16 02:27:59 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<reg.gi3tqmjyge4dama-bluethundr=example.com@returns.bulk.external.com> to=<bluethundr@example.com> proto=ESMTP helo=<n11-vm3.bullet.mail.bf1.external.com>
Mar 16 02:27:59 mail postfix/smtpd[22335]: disconnect from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]
Mar 16 02:30:55 mail postfix/smtpd[22335]: connect from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]
Mar 16 02:30:55 mail postfix/smtpd[22335]: Anonymous TLS connection established from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar 16 02:30:55 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<reg.gi3tqmjyge4dama-bluethundr=example.com@returns.bulk.external.com> to=<bluethundr@example.com> proto=ESMTP helo=<n11-vm3.bullet.mail.bf1.external.com>
Mar 16 02:30:55 mail postfix/smtpd[22335]: disconnect from n11-vm3.bullet.mail.bf1.external.com[66.196.81.194]
Mar 16 02:31:41 mail postfix/smtpd[22335]: connect from nm48.bullet.mail.ne1.external.com[98.138.120.55]
Mar 16 02:31:41 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from nm48.bullet.mail.ne1.external.com[98.138.120.55]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<bluethundr609@external.com> to=<bluethundr@example.com> proto=SMTP helo=<nm48.bullet.mail.ne1.external.com>
Mar 16 02:31:41 mail postfix/smtpd[22335]: disconnect from nm48.bullet.mail.ne1.external.com[98.138.120.55]
Mar 16 02:33:24 mail postfix/smtpd[22335]: connect from nm48.bullet.mail.ne1.external.com[98.138.120.55]
Mar 16 02:33:24 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from nm48.bullet.mail.ne1.external.com[98.138.120.55]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<bluethundr609@external.com> to=<bluethundr@example.com> proto=SMTP helo=<nm48.bullet.mail.ne1.external.com>
Mar 16 02:33:24 mail postfix/smtpd[22335]: disconnect from nm48.bullet.mail.ne1.external.com[98.138.120.55]

And here's an example from gmail

Code:
Mar 16 02:23:20 mail postfix/smtpd[21652]: NOQUEUE: reject: RCPT from mail-la0-f48.google.com[209.85.215.48]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<bluethundr@external.com> to=<bluethundr@example.com> proto=ESMTP helo=<mail-la0-f48.google.com>
Mar 16 02:35:01 mail postfix/smtpd[22335]: NOQUEUE: reject: RCPT from mail-lb0-f177.google.com[209.85.217.177]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<bluethundr@external.com> to=<bluethundr@example.com> proto=ESMTP helo=<mail-lb0-f177.google.com>


OK, so it seems as if I'm in the home stretch! What do I need to alter in my postfix configuration to get this mail server rocking?

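As an added example (not code from the thread or from Postfix itself), the Python below models the decision that reject_unauth_destination makes against the parameters visible in the postconf -n output above, and pulls the NOQUEUE reject lines out of a mail log, including lines that extraction has run together as in the yahoo excerpt. The config and log samples are constructed; relay_domains subdomain matching assumes the default parent_domain_matches_subdomains.

```python
import re
# Added example, not from the thread: models the reject_unauth_destination check and parses rejects.
DEST_PARAMS = ("mydestination", "virtual_alias_domains", "virtual_mailbox_domains")
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<status>\d{3} [\d.]+) "
    r"<(?P<rcpt>[^>]*)>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)>")

def parse_postconf(text):
    """Turn 'postconf -n' output into {parameter: [values]}; '$name' references expand one level."""
    conf = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("root@"):
            continue  # skip the shell prompt and blank lines
        key, _, val = line.partition("=")
        conf[key.strip()] = [v for v in re.split(r"[,\s]+", val.strip()) if v]
    for key, vals in conf.items():
        conf[key] = [x for v in vals for x in (conf.get(v[1:], []) if v.startswith("$") else [v])]
    return conf

def is_authorized_destination(conf, recipient):
    """Approximates reject_unauth_destination: the RCPT domain must be listed in one of
    DEST_PARAMS, or equal / be a subdomain of an entry in relay_domains (default subdomain rule)."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in {d.lower() for p in DEST_PARAMS for d in conf.get(p, [])}:
        return True
    relay = [r.lower().lstrip(".") for r in conf.get("relay_domains", [])]
    return any(domain == r or domain.endswith("." + r) for r in relay)

def diagnose(conf, recipient):
    """Explain a 'Relay access denied' for this recipient in terms of the loaded parameters."""
    domain = recipient.rsplit("@", 1)[-1]
    if is_authorized_destination(conf, recipient):
        return "accepted: %s is a configured destination" % domain
    listed = {p: conf.get(p, []) for p in DEST_PARAMS + ("relay_domains",)}
    return ("rejected: %s is in none of %s; permit_mynetworks only exempts client IPs "
            "listed in mynetworks, it does not make a domain local" % (domain, listed))

def parse_rejects(log_text):
    """Extract smtpd NOQUEUE rejects; finditer also copes with log lines run together."""
    return [m.groupdict() for m in REJECT_RE.finditer(log_text)]

# Constructed samples mirroring the thread: an empty mydestination, then the corrected form.
BROKEN_CONF = "myhostname = mail.example.com\nmydestination =\nmynetworks = 127.0.0.0/8\n"
FIXED_CONF = "myhostname = mail.example.com\nmydestination = $myhostname, example.com\n"
SAMPLE_LOG = ("Mar 16 02:31:41 mail postfix/smtpd[1]: NOQUEUE: reject: RCPT from "
              "mx.external.test[192.0.2.10]: 454 4.7.1 <user@example.com>: Relay access denied; "
              "from=<a@external.test> to=<user@example.com> proto=SMTP helo=<mx.external.test>")
```

Running diagnose() over BROKEN_CONF reports that example.com is in none of the destination lists, which is exactly the state of the postconf -n output above (mydestination is empty), while FIXED_CONF is accepted.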