Relay access denied

Hi,

I've been doing some research on this issue and I seem to be finding only the OPPOSITE of what I'm experiencing. I can send emails fine, but any email I send from another account returns the error "Relay access denied." I don't know how to fix this because it's my understanding that the server admin settings exist to prevent your server from being used to send unauthorized emails. Receiving should have nothing to do with these settings, correct?

Thanks for any help.

Home: Dual 2Ghz PowerMac, 2 MacBooks, 2.66 GHz MacBook Pro, Mac OS X (10.6.3), Work: 10 PowerMac G5s, 18 Intel iMacs, 2 Intel XServes

Posted on Nov 27, 2010 9:09 AM

24 replies

Nov 27, 2010 10:29 AM in response to Scott Howe

Usual guess: your clients are not authorized for access, or your mail server is misconfigured.

Has DNS (forward, reverse, MX) been verified as correct?

Is the server using the same name as the MX host?

What are the accounts settings differences between the two clients, if any?

Is the same network being used here for mail access from both clients?

What mail submission ports are you using from the clients?

The mail server might not be set to receive mail for the specified domain (if you're aiming mail at the server, and not a remote server), or the mail client might be configured to use port 25 and not an authenticated submission port.

Nov 27, 2010 11:48 AM in response to MrHoffman

The server is using macserver.sapowe.com as machine name and I set up an alias mail.sapowe.com to point to macserver.sapowe.com, so I've been using mail.sapowe.com for settings. I've tried accessing my mail mainly from inside my network but through two outside hosted accounts, namely gmail and my work email. As far as I know DNS, reverse, etc. is all OK. Comcast has repeatedly confirmed that my reverse DNS is configured correctly.

One other weird thing that cropped up was I was getting emails saying they were from xxx@mail.sapowe.com or xxx@www.sapowe.com. This has never occurred before.

Nov 27, 2010 12:51 PM in response to Scott Howe

How are your clients configured? These should be set to use authenticated submissions.
Remove the MX record for the macserver.sapowe.com box as a start.
Set the domain name to sapowe.com, the server name to mail.sapowe.com.
Post up the output from (should have asked this before) the postconf -n command.
Also post up the relevant errors from your SMTP log when the relay gets rejected.

Nov 27, 2010 2:29 PM in response to MrHoffman

Here's the postconf


biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = sapowe.com
mydomain_fallback = localhost
myhostname = mail.sapowe.com
mynetworks = 10.1.10.1/8
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_pw_server_security_options = gssapi,cram-md5
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/macserver.sapowe.com.F6CB094EA1F7F45E3C7EEE9E5CAAB3CF80D1739A.chain.pem
smtpd_tls_cert_file = /etc/certificates/macserver.sapowe.com.F6CB094EA1F7F45E3C7EEE9E5CAAB3CF80D1739A.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/macserver.sapowe.com.F6CB094EA1F7F45E3C7EEE9E5CAAB3CF80D1739A.key.pem
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $virtual_maps


Here's the error that is repeating over and over:

Nov 27 17:27:50 macserver postfix/smtpd[21502]: fatal: non-null host address bits in "10.1.10.1/8", perhaps you should use "10.0.0.0/8" instead

Nov 27, 2010 3:08 PM in response to Scott Howe

Ok, there's the CIDR specification; fixing the error underneath that diagnostic. Get to this:
mynetworks = 10.0.0.0/8


And there's the open question of whether the clients are using an authenticated path; in general, mail clients should not connect to port 25.

I'd probably fix that permit on the end of the client restrictions.

$ sudo postconf -e smtpd_client_restrictions='permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org reject'
$ sudo postfix reload

Nov 27, 2010 4:28 PM in response to Scott Howe

A mail client connects to the server via IMAP (port 143) or POP (port 110) to read mail from the server into the client, and connects to and sends outgoing mail via an authenticated path, or via port 25.

If you're not specifying an SSL certificate or a username and password, then you're probably aiming at port 25, and that's often going to be a problem.

The authenticated paths are usually 465 or 587. Can also be ports 993 for IMAP SSL and 995 for POP SSL.

Here's a decent article on [SMTP|http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol] and here's a [Tufts write-up on configuring various mail clients|http://uit.tufts.edu/downloads/ChangingSMTPPort25toPort465or587.pdf] (for their servers). The Tufts article shows a variety of clients. For this case, moving to port 587 with a username and password would be a reasonable target for sending mail.

You may choose to enable SSL at the server to protect your passwords, which means you'd then need to enable it at the clients.

[Apple well-known ports (TS1629)|http://support.apple.com/kb/ts1629]

Nov 27, 2010 4:31 PM in response to Scott Howe

Whether it should or not, you need to ensure your clients are compatible with your server, and you need to ensure the server configuration meets your requirements. There are a gazillion ways to configure mail and mail clients. And there's a whole genre around configuring for anti-spam; see the front-line anti-spam articles on that topic over at [TopicDesk|http://osx.topicdesk.com/content/category/4/18/62] for details.

Nov 27, 2010 5:12 PM in response to Scott Howe

I'm jumping in a little late here......... hopefully this helps...

Are you saying that mail sent to your server with recipient address user@sapowe.com is rejected?

The domain "sapowe.com" is not listed as a local domain, so it would be considered a relay and thus refused. To fix this:

ServerAdmin/Mail/Settings/Advanced/Hosting/LocalHostAlias.
Add sapowe.com to that list.

Stop/start mail and you should be good.

Note- because your server is set up for greylisting, some email may at first be delayed.... do a search for grey listing if you want to know more about this.

Jeff
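Added example, not part of any post in this thread: a small Python check that reads `postconf -n` style output and reports the two problems identified above, a `mynetworks` CIDR with non-zero host bits and a recipient domain missing from `mydestination`. The function names are hypothetical, the sample input is constructed from the values posted in the thread, and the locality test only looks at literal `mydestination` entries (virtual domains, `relay_domains` and lookup tables are not consulted).

```python
import ipaddress
import re
# Constructed sample: the relevant lines of the postconf -n output posted above.
SAMPLE_POSTCONF = """\
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = sapowe.com
myhostname = mail.sapowe.com
mynetworks = 10.1.10.1/8
"""

def parse_postconf(text):
    """Turn 'name = value' lines into a dict."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def expand(value, params):
    """Substitute $name / ${name} references; repeated to resolve nesting."""
    for _ in range(10):
        value = re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)
    return value

def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]

def check_mynetworks(params):
    """Return (entry, corrected) for each CIDR entry with non-zero host bits."""
    problems = []
    for entry in split_list(expand(params.get("mynetworks", ""), params)):
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            continue  # not a plain address/CIDR (e.g. a lookup table): skipped
        if iface.ip != iface.network.network_address:
            problems.append((entry, str(iface.network)))
    return problems

def is_local_domain(recipient, params):
    """True if the recipient's domain appears literally in mydestination."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    dests = split_list(expand(params.get("mydestination", ""), params))
    return domain in [d.lower() for d in dests]

if __name__ == "__main__":
    conf = parse_postconf(SAMPLE_POSTCONF)
    print(check_mynetworks(conf), is_local_domain("user@sapowe.com", conf))
```

On the sample it flags `10.1.10.1/8` with the same correction the smtpd log suggests, and shows that `user@sapowe.com` is not a local destination while `user@mail.sapowe.com` is.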
