Postfix SMTP help (554 Relay denied)

16 posts / 0 new
Last post
#1 Fri, 01/30/2009 - 11:45
fijatevos

Postfix SMTP help (554 Relay denied)

I've been having trouble sending mail. Unfortunately I had someone "help" me with the server before purchasing Virtualmin Pro and have not run the Postfix install script (not sure if it would be a good idea or not)

I have read the forums and eliminated some problems: - The sasl auth daemon was not running, now I started it and set it to run at boot. - I am using the Evolution email client and checked the "server requires authentication" box. Evolution will query the server to show supported authentication types - both PLAIN and LOGIN are supported, but I get this error when trying to send mail (receiving works fine, also sending and receiving from within webmin)

Jan 30 15:47:11 server postfix/smtpd[26112]: connect from unknown[200.91.116.183] Jan 30 15:47:17 server postfix/smtpd[26112]: NOQUEUE: reject: RCPT from unknown[200.91.116.183]: 554 5.7.1 <info@fijatevos.com>: Relay access denied; from=<russ@eltucan.co.cr> to=<info@fijatevos.com> proto=ESMTP helo=<[192.168.1.3]> Jan 30 15:47:17 server postfix/smtpd[26112]: disconnect from unknown[200.91.116.183]

the user is russ.tucan (no @ users as suggested) and I have listed the mail server as eltucan.co.cr

Thank you in advance for your most kind assistance.

Sat, 01/31/2009 - 17:09
andreychek

Howdy,

If you take a look in /etc/postfix/virtual, is there a line that looks like:

fijatevos.com fijatevos.com

Not having that line could cause the trouble you're seeing.

If it's not in there, go ahead and add it, then run:

postmap /etc/postfix/virtual

Then restart Postfix:

/etc/init.d/postfix restart

Thu, 02/12/2009 - 11:10 (Reply to #2)
fijatevos

This doesn't make sense, but I tried it anyway, in Evolution I get:

RCPT TO &lt;info@fijatevos.com&gt; failed: &lt;info@fijatevos.com&gt;: Recipient address rejected: User unknown in virtual alias table

It doesn't make sense, because I am sending to fijatevos.com from russ@eltucan.co.cr . If it had worked I would have to add every domain I want to send mail to, right?

But I think we're in the right place. I read the info in the /etc/postfix/virtual file and found this:
&quot; # /etc/postfix/virtual:
# virtual-alias.domain anything (right-hand content does not matter)
# postmaster@virtual-alias.domain postmaster
# user1@virtual-alias.domain address1
# user2@virtual-alias.domain address2, address3
#
# The virtual-alias.domain anything entry is required for a
# virtual alias domain. Without this entry, mail is rejected
# with &quot;relay access denied&quot;, or bounces with &quot;mail loops
# back to myself&quot;.

Which is what I'm getting
So at the end of the file I had this entry:
russ@eltucan.co.cr russ.tucan@fijatevos.co.cr

This looks wrong, but the others I tried didn't work either:
russ@eltucan.co.cr russ.tucan
russ@eltucan.co.cr russ-eltucan.co.cr

Here is an entry created by virtualmin for another user account on another domain
reserve@costaricacampers.com reserve.costaricacampers

Or maybe I am setting up the client wrong?

Thu, 02/12/2009 - 11:18 (Reply to #3)
Joe
Joe's picture

<div class='quote'>If it had worked I would have to add every domain I want to send mail to, right?</div>

If you are virtual hosting with Postfix this is simply the way it works. Virtualmin manages those entries for you...so you shouldn't be adding them manually unless Virtualmin wasn't there for the initial creation of the user.

Note that there are <i>other</i> ways to get Postfix to accept mail for virtual domains...but none of them are as clean as this way (and none are supported by Virtualmin, because they don't make sense in a large-scale hosting environment). I suspect if some of your domains mailboxes are working and others aren't, it's just that some of them were setup in Postfix main.cf in the relay_domains directive. (You'd want to remove those, and set things up properly in the virtual maps file.)

--

Check out the forum guidelines!

Fri, 02/13/2009 - 06:00 (Reply to #4)
fijatevos

Ok, I am confused. I backed up the mail folder in shell at /var/mail/russ.tucan, then I delete that user using the webmin account for the tucan domain. I have created a new account with the same name and different password. I get the welcome mail for the new account:
Your mailbox has been set up successfully as follows :

Email address: russ@eltucan.co.cr
POP3 login: russ.tucan
POP3 password: amrobear
SMTP server: mail.eltucan.co.cr
POP3 server: mail.eltucan.co.cr
FTP login: Disabled

But cannot send a test mail
RCPT TO &lt;info@fijatevos.com&gt; failed: &lt;info@fijatevos.com&gt;: Relay access denied

I went back and deleted the fijatevos.com and fijatevos.com line from the
/etc/postfix/virtual, That was what Joe meant, right?
&quot;Virtualmin manages those entries for you...so you shouldn't be adding them manually&quot;

Then remapped and restarted as inidicated in the other post.

So it seems that Postfix is not configured correctly to relay mail from users? I have been working at this off and on, so right now I think its better to make this priority. I can send and receive mail using the option in Virtualmin. I can receive mail using the Evolution client. I have set up some other users and accounts on this server, but all are forwards to other email addresses (they work normally).

So I am looking at (but not touching) the main.cf file - I have this setting:
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
below that line is a line commented out:
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain

Maybe I am missing the second line? I can add that in Webmin and see.

I am looking at the relay_domains directive in main.cf I see this comment
# The default relay_domains value is $mydestination.

But the directive is commented:
#relay_domains = $mydestination

Is that it? Or maybe I should post the main.cf file?

It says - # Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).

Fri, 02/13/2009 - 06:08 (Reply to #5)
fijatevos

I went to SMPT Server Options in the Posfix Mail server module, I found the same relay_domains help text, so I saved the default settings,, but when I go back to main.cf in shell the directive is still commented:

#relay_domains = $mydestination

Fri, 02/13/2009 - 12:05 (Reply to #6)
Joe
Joe's picture

<div class='quote'>I went back and deleted the fijatevos.com and fijatevos.com line from the
/etc/postfix/virtual, That was what Joe meant, right?
&quot;Virtualmin manages those entries for you...so you shouldn't be adding them manually&quot;</div>

You left off part of that quote...the most important part, I think:

&quot;unless Virtualmin wasn't there for the initial creation of the user&quot;

Virtualmin can't create them if it wasn't working when you created the domain or setup the users, either because it wasn't installed yet, or because it wasn't configured correctly. Virtualmin does not (yet) have time travel or mind reading capabilities.

<div class='quote'>So I am looking at (but not touching) the main.cf file - I have this setting:
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
below that line is a line commented out:
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain

Maybe I am missing the second line? I can add that in Webmin and see.</div>

No. You do <i>not</i> want mydestination to be where virtual domains are configured. Virtual domains should be configured in the virtual maps file <i>only</i>.

You do not want your virtual domains listed in relay_domains or mydestination (and actually, I guess mydestination is the directive I meant to mention the first time...it's been a while since I've setup postfix in the non-virtual maps way). I mentioned this stuff only because I assumed your system was incorrectly setup to use them instead of virtual maps. Do not go poking around and sticking stuff in those directives--you aren't using them for your virtual domains, at all.

The relevant configuration for virtual hosting in Postfix:

virtual_alias_maps = hash:/etc/postfix/virtual

That's it! If you have a bunch of extra stuff related to your virtual servers <i>anywhere</i> in main.cf, it is wrong. Everything related to your virtual domains goes in /etc/postfix/virtual (and, if Virtualmin is creating your domains for you, it will manage this file). And everything correctly configured in the virtual maps file becomes an acceptable destination.

Every virtually hosting domain needs a line like:

virtualmin.com virtualmin.com

In the virtual maps file. And every user needs a line like:

joe@virtualmin.com joe.virtualmin

Again, this is not something you should normally be creating manually--but if you're adding Virtualmin to a system with existing users, they do need to be setup correctly, or they won't work--Virtualmin isn't going to try to figure out what you were trying to do and fix incorrect configuration for you--it can't read your mind. ;-)

This is why we have an install script to setup the system for virtual hosting. There are a lot of steps, touching a lot of different software, and if you don't know how they all work, it's going to be complicated.

If this system isn't in production yet, you might want to start over with a freshly installed supported OS and run our install.sh script. It'll setup all of this stuff for you, and it will pretty much just work out of the box.

I'm kinda confused about what you're trying to do, and what you've done so far (I'm easily confused), so I'm having a hard time even telling you what to do to correct the old broken configuration and get to something sane. Starting from a fresh, default, Postfix configuration file is probably another good option. Or you could post your whole current postfix configuration (&quot;postconf -n&quot; will show just the non-default settings).

--

Check out the forum guidelines!

Fri, 02/13/2009 - 13:15
fijatevos

OK, I see why I was confused:

<div class='quote'>f you take a look in /etc/postfix/virtual, is there a line that looks like:
fijatevos.com fijatevos.com
Not having that line could cause the trouble you're seeing.</div>

Since fijatevos is the domain I am trying to send to, which is not relevant because it was meant to be a domain on the server.
<div class='quote'>Every virtually hosting domain needs a line like:
virtualmin.com virtualmin.com
In the virtual maps file. And every user needs a line like:
joe@virtualmin.com joe.virtualmin</div>

So now I get what was being said in the first post. That's positive! And each domain that has mail users set up does have a line like that plus additional lines. So virtualmin is working with the file.

Next is this :
<div class='quote'>The relevant configuration for virtual hosting in Postfix:
virtual_alias_maps = hash:/etc/postfix/virtual
</div>
I find that line in main.cf so no more fooling around there. I had also checked this main.cf with the main.cf.default I found in the /etc/postfix/virtual. Reading through both files I don't find anything that is not default. In any case below is the output from the postconf -n command.

I don't seem to very good at clearing up confusion lately (another story), but I'll give it a shot.

I do have some domains live on the server. eltucan.co.cr being one. They are using another server and domain for email, so I have been working on the site. However now I would like to move other domains over and need to have email clients working. So it becomes more pressing to figure this out. I am not married to Postfix, but I read it was good and secure - and decided to use it over the sendmail server.

So the current problem is that sending email from the server to another server works (if I use the view user mail module in webmin) And also receiving email to the account works, either in webmin or in the Evolution email client.

But sending SMTP doesn't work from the email client, I get a 554 relay denied error.

# posfconf -n
-bash: posfconf: command not found
[root@server postfix]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sasl_auth_enable = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Fri, 02/13/2009 - 13:23 (Reply to #8)
Joe
Joe's picture

<div class='quote'>So the current problem is that sending email from the server to another server works (if I use the view user mail module in webmin) And also receiving email to the account works, either in webmin or in the Evolution email client.

But sending SMTP doesn't work from the email client, I get a 554 relay denied error.</div>

So, this is a completely different problem. Has no relation at all to virtual maps.

Is saslauthd configured appropriately for authenticating to PAM or /etc/shadow, and is it running?

Is Postfix configured to allow SASL authenticated users?

If you are using @ in usernames (e.g. joe@virtualmin.com as the username) have you read the FAQ on @ in usernames and followed the instructions for configuring saslauthd to accept usernames of that format? (FAQ is here: http://www.virtualmin.com/documentation/id,frequently_asked_questions/#w... )

And, as always, we need to be seeing the maillog entries when things fail. That will pretty much always tell us wonderfully helpful things.

--

Check out the forum guidelines!

Fri, 02/13/2009 - 14:48 (Reply to #9)
fijatevos

I'll answer the questions I am sure of first.
No user names with @ (I did read the faq)

I searched the log for some failed attempts
Feb 13 04:02:23 server postfix/smtpd[24340]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 550 5.1.1 &lt;info@fijatevos.com&gt;: Recipient address rejected: User unknown in virtual alias table; from=&lt;root@server.fijatevos.co.cr&gt; to=&lt;info@fijatevos.com&gt; proto=ESMTP helo=&lt;server.fijatevos.co.cr&gt;

Feb 13 04:02:23 server sendmail[24086]: n1D92BGa024086: to=info@fijatevos.com, ctladdr=root (0/0), delay=00:00:12, xdelay=00:00:00, mailer=relay, pri=493911, relay=[127.0.0.1] [127.0.0.1], dsn=5.1.1, stat=User unknown

Feb 13 04:02:49 server postfix/smtpd[24340]: NOQUEUE: reject: RCPT from localhost.localdomain[127.0.0.1]: 550 5.1.1 &lt;info@fijatevos.com&gt;: Recipient address rejected: User unknown in virtual alias table; from=&lt;root@server.fijatevos.co.cr&gt; to=&lt;info@fijatevos.com&gt; proto=ESMTP helo=&lt;server.fijatevos.co.cr&gt;

Feb 13 04:02:49 server sendmail[28466]: n1D92noP028466: to=info@fijatevos.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=35294, relay=[127.0.0.1] [127.0.0.1], dsn=5.1.1, stat=User unknown

+++++++++ latest one
Feb 13 10:24:20 server postfix/smtpd[17985]: NOQUEUE: reject: RCPT from unknown[201.196.57.169]: 554 5.7.1 &lt;info@fijatevos.com&gt;: Relay access denied; from=&lt;russ@eltucan.co.cr&gt; to=&lt;info@fijatevos.com&gt; proto=ESMTP helo=&lt;[192.168.1.3]&gt;
Feb 13 10:24:38 server postfix/smtpd[17985]: NOQUEUE: reject: RCPT from unknown[201.196.57.169]: 554 5.7.1 &lt;info@fijatevos.com&gt;: Relay access denied; from=&lt;russ@eltucan.co.cr&gt; to=&lt;info@fijatevos.com&gt; proto=ESMTP helo=&lt;[192.168.1.3]&gt;

Fri, 02/13/2009 - 14:53 (Reply to #10)
fijatevos

The SASL daemon is running, I had done that before. But definitely not sure that it is configured properly. In Virtualmin running processes I see:
13705 root Jan30 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
13706 root Jan30 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
13707 root Jan30 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
13708 root Jan30 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
13710 root Jan30 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam

Fri, 02/13/2009 - 14:59 (Reply to #11)
fijatevos

&quot;Is Postfix configured to allow SASL authenticated users?&quot;

I'm not sure either. I go to Postfix Module, then look at possibilities, let's try Authentication.
First option is Enable SASL SMTP authentication? Yes
Wait, could it be in SMTP relaying restrictions?
SMTP relaying restrictions -
- Allow connections from same network, checked
- Allow connections from this system, not checked
- Reject clients with no reverse hostname, not checked
Allow authenticated clients, not checked
Reject email to other domains, checked
Allow only relay domains, not checked
Allow domains this system is a backup MX for, not checked

I'll take a stab in the dark - reject email to other domains should not be checked?

Fri, 02/13/2009 - 15:06 (Reply to #12)
fijatevos

I checked allow authenicated clients and unchecked reject email to other domains. This helps a bit, the email was not rejected. But it didn't go out either.

Sat, 09/05/2009 - 12:25
redistributer

For anyone still trying to figure this out, I suggest looking into your spf record in your DNS settings. This was my issue.

by default virtualmin adds an entry that looks like this

domain.com. IN TXT "v=spf1 a mx a:domain.com ip4:0.0.0.0 ?all"

by adding a more generalized record like the one below, I was able to make the server work

domain.net. IN TXT "v=spf1 mx -all"

We are also using full domain name usernames with the @domain.com prefix in our domain By following the rules to add the -r flag as stated in the FAQ we were able to get the saslauthd to recognize full user@domain.com usernames, and delivery is working like a charm, no issues there

in /etc/sysconfig/saslauthd add FLAGS=-r

Also your ISP might be blocking port 25 (like mine was) so nothing goes out 25 (AT&T) testing from a location with a dedicated T1 or an insecure type connection like the cable companies use are your best bet to see if this is your issue.

Other than that I am very pleased with the robust and quick setups now, I was using 4 different servers to do the same task and a bunch of shell scripts I wrote, now I have a friendly interface that does all the rough stuff for me, IT'S AWESOME - VIRTUALMIN RULES!!

Fri, 11/13/2009 - 00:33
dhawal.thakar

Hi , I am using virtualmin 3.73.gpl GPL I have created one virtual server with mail users.

But the problem is, I cant download the emails from thunderbird client. Even I can see my all emails from squirrel webmail.

Any idea ?

Thanks in advance.

Sat, 11/14/2009 - 08:57
andreychek

Howdy,

Do you get an error of some sort when you try to download them? Do any problems show up in the logs?

-Eric

Topic locked