Scott Howe

Q: Relay access denied

Hi,

I've been doing some research on this issue and I seem to be finding only the OPPOSITE of what I'm experiencing. I can send emails fine but any email I send from another account returns the error "Relay access denied." I don't know how to fix this because it's my understanding that the server admin settings exist to prevent your server from being used to send unauthorized emails. Receiving should have nothing to do with these settings, correct?

Thanks for any help.

Home: Dual 2Ghz PowerMac, 2 MacBooks, 2.66 GHz MacBook Pro, Mac OS X (10.6.3), Work: 10 PowerMac G5s, 18 Intel iMacs, 2 Intel XServes

Posted on Nov 27, 2010 9:09 AM

  • by MrHoffman,

    MrHoffman MrHoffman Nov 27, 2010 10:29 AM in response to Scott Howe
    Usual guess: your clients are not authorized for access, or your mail server is misconfigured.

    Has DNS (forward, reverse, MX) been verified as correct?

    Is the server using the same name as the MX host?

    What are the accounts settings differences between the two clients, if any?

    Is the same network being used here for mail access from both clients?

    What mail submission ports are you using from the clients?

    The mail server might not be set to receive mail for the specified domain (if you're aiming mail at the server, and not a remote server), or the mail client might be configured to use port 25 and not an authenticated submission port.
  • by Scott Howe,

    Scott Howe Scott Howe Nov 27, 2010 11:48 AM in response to MrHoffman
    The server is using macserver.sapowe.com as machine name and I set up an alias mail.sapowe.com to point to macserver.sapowe.com so I've been using mail.sapowe.com for settings. I've tried accessing my mail mainly from inside my network but through two outside hosted accounts, namely gmail and my work email. As far as I know DNS, reverse, etc. is all ok. Comcast has repeatedly confirmed that my reverse DNS is configured correctly.

    One other weird thing that cropped up was I was getting emails saying they were from xxx@mail.sapowe.com or xxx@www.sapowe.com. This has never occurred before.
  • by MrHoffman,

    MrHoffman MrHoffman Nov 27, 2010 12:51 PM in response to Scott Howe
    How are your clients configured? These should be set to use authenticated submissions.
    Remove the MX record for the macserver.sapowe.com box as a start.
    Set the domain name to sapowe.com, the server name to mail.sapowe.com.
    Post up the output from (should have asked this before) the postconf -n command.
    Also post up the relevant errors from your SMTP log when the relay gets rejected.
  • by Scott Howe,

    Scott Howe Scott Howe Nov 27, 2010 2:29 PM in response to MrHoffman
    Here's the postconf


    biff = no
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = smtp-amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    enable_server_options = yes
    header_checks = pcre:/etc/postfix/custom_header_checks
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = all
    mail_owner = _postfix
    mailbox_size_limit = 0
    mailbox_transport = dovecot
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    maps_rbl_domains =
    message_size_limit = 0
    mydestination = $myhostname, localhost.$mydomain, localhost
    mydomain = sapowe.com
    mydomain_fallback = localhost
    myhostname = mail.sapowe.com
    mynetworks = 10.1.10.1/8
    newaliases_path = /usr/bin/newaliases
    queue_directory = /private/var/spool/postfix
    readme_directory = /usr/share/doc/postfix
    recipient_delimiter = +
    relayhost =
    sample_directory = /usr/share/doc/postfix/examples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = _postdrop
    smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
    smtpd_enforce_tls = no
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
    smtpd_pw_server_security_options = gssapi,cram-md5
    smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
    smtpd_sasl_auth_enable = yes
    smtpd_tls_CAfile = /etc/certificates/macserver.sapowe.com.F6CB094EA1F7F45E3C7EEE9E5CAAB3CF80D1739A.chain.pem
    smtpd_tls_cert_file = /etc/certificates/macserver.sapowe.com.F6CB094EA1F7F45E3C7EEE9E5CAAB3CF80D1739A.cert.pem
    smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
    smtpd_tls_key_file = /etc/certificates/macserver.sapowe.com.F6CB094EA1F7F45E3C7EEE9E5CAAB3CF80D1739A.key.pem
    smtpd_use_pw_server = yes
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = $virtual_maps


    Here's the error that is repeating over and over:

    Nov 27 17:27:50 macserver postfix/smtpd[21502]: fatal: non-null host address bits in "10.1.10.1/8", perhaps you should use "10.0.0.0/8" instead
  • by MrHoffman,

    MrHoffman MrHoffman Nov 27, 2010 3:08 PM in response to Scott Howe
    Ok, there's the CIDR specification; fixing the error underneath that diagnostic. Get to this:
    mynetworks = 10.0.0.0/8


    And there's the open question of whether the clients are using an authenticated path; in general, mail clients should not connect to port 25.

    I'd probably fix that permit on the end of the client restrictions.

    $ sudo postconf -e smtpd_client_restrictions='permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org reject'
    $ sudo postfix reload
  • by Scott Howe,

    Scott Howe Scott Howe Nov 27, 2010 3:34 PM in response to MrHoffman
    I'm not sure what you mean by authenticated path. I have one client using mail set up through the auto setup. I believe it's using CRAM and the other is Entourage. Can you elaborate on what you mean here?

    Thanks.

  • by Scott Howe,

    Scott Howe Scott Howe Nov 27, 2010 3:28 PM in response to Scott Howe
    And by the way, this is just the default "Configure Mail Settings" auto setup through Mail Services in Server. Shouldn't that just work? Not to sound TOO stupid but....
  • by MrHoffman,

    MrHoffman MrHoffman Nov 27, 2010 4:28 PM in response to Scott Howe
    A mail client connects to the server via IMAP (port 143) or POP (port 110) to read mail from the server into the client, and connects to and sends outgoing mail via an authenticated path, or via port 25.

    If you're not specifying an SSL certificate or a username and password, then you're probably aiming at port 25, and that's often going to be a problem.

    The authenticated paths are usually 465 or 587. Can also be ports 993 for IMAP SSL and 995 for POP SSL.

    Here's a decent article on [SMTP|http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol] and here's a [Tufts write-up on configuring various mail clients|http://uit.tufts.edu/downloads/ChangingSMTPPort25toPort465or587.pdf] (for their servers). The Tufts article shows a variety of clients. For this case, moving to port 587 with a username and password would be a reasonable target for sending mail.

    You may choose to enable SSL at the server to protect your passwords, which means you'd then need to enable it at the clients.

    [Apple well-known ports (TS1629)|http://support.apple.com/kb/ts1629]
  • by Scott Howe,

    Scott Howe Scott Howe Nov 27, 2010 4:29 PM in response to Scott Howe
    Sorry again, but also, how do I fix that permit in the postconf file? I'm not really good in terminal. Working on it.
  • by MrHoffman,

    MrHoffman MrHoffman Nov 27, 2010 4:31 PM in response to Scott Howe
    Whether it should or not, you need to ensure your clients are compatible with your server, and you need to ensure the server configuration meets your requirements. There are a gazillion ways to configure mail and mail clients. And there's a whole genre around configuring for anti-spam; see the front-line anti-spam articles on that topic over at [TopicDesk|http://osx.topicdesk.com/content/category/4/18/62] for details.
  • by MrHoffman,

    MrHoffman MrHoffman Nov 27, 2010 4:35 PM in response to Scott Howe
    How? Launch Terminal.app and enter the two commands I specified in an earlier reply, exactly as specified. You might want to Google around for some materials on this stuff, so that you can better learn and understand what you're doing with the server here.
  • by Scott Howe,

    Scott Howe Scott Howe Nov 27, 2010 4:47 PM in response to MrHoffman
    Thanks Mr. Hoffman. As usual, an informative and enlightening discussion. I'll keep digging at it but now I can't even get my own clients to connect let alone get a relay access denied error. I'll check back in.
  • by UptimeJeff,

    UptimeJeff UptimeJeff Nov 27, 2010 5:12 PM in response to Scott Howe
    I'm jumping in a little late here......... hopefully this helps...

    Are you saying that mail sent to your server with recipient address user@sapowe.com is rejected?

    The domain "sapowe.com" is not listed as a local domain, so it would be considered a relay and thus refused. To fix this:

    ServerAdmin/Mail/Settings/Advanced/Hosting/LocalHostAlias.
    Add sapowe.com to that list.

    Stop/start mail and you should be good.

    Note: because your server is set up for greylisting, some email may at first be delayed.... do a search for grey listing if you want to know more about this.

    Jeff
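
Added example, not part of the original thread and not Postfix's or Apple's own code: a small Python audit of `postconf -n` output for the two faults identified in the replies above, the `mynetworks` CIDR with host bits set and the recipient domain missing from `mydestination`. The function names are hypothetical, the sample input is constructed from the values posted in the thread, and the relay check models only `mydestination` (Postfix also consults other settings such as `relay_domains`).

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the `postconf -n` output in this thread.
SAMPLE = """\
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = sapowe.com
myhostname = mail.sapowe.com
mynetworks = 10.1.10.1/8
"""

def parse_postconf(text):
    """Parse 'name = value' lines into a dict."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf

def split_list(value, conf):
    """Expand $name references, then split on commas and whitespace."""
    expanded = re.sub(r"\$\{?(\w+)\}?", lambda m: conf.get(m.group(1), ""), value)
    return [v for v in re.split(r"[,\s]+", expanded) if v]

def is_relay(recipient, conf):
    """True when the recipient domain is not in the expanded mydestination list."""
    local = {d.lower() for d in split_list(conf.get("mydestination", ""), conf)}
    return recipient.rsplit("@", 1)[-1].lower() not in local

def bad_networks(conf):
    """Return (entry, corrected) for mynetworks CIDRs that have host bits set."""
    flagged = []
    for entry in split_list(conf.get("mynetworks", ""), conf):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not a plain CIDR (for example a lookup table); skipped here
        if ipaddress.ip_address(entry.split("/")[0]) != net.network_address:
            flagged.append((entry, str(net)))
    return flagged

if __name__ == "__main__":
    conf = parse_postconf(SAMPLE)
    print("user@sapowe.com is a relay attempt:", is_relay("user@sapowe.com", conf))
    print("mynetworks entries to correct:", bad_networks(conf))
```

To audit a live server, pass the text of `postconf -n` to `parse_postconf` instead of the embedded sample.
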
  • by Scott Howe,

    Scott Howe Scott Howe Nov 28, 2010 7:08 AM in response to UptimeJeff
    Thanks, now I'm able to receive from and to internally from my same address but still nothing from outside.