Getting "Relay Access Denied", uable to receieve e-mail

Question

Level 1

0 points

Getting "Relay Access Denied", uable to receieve e-mail

Setting up new Mail Server (and new to the process)

Name registered with godaddy
Added MX record with them, all looks OK

Using www.dnsreport.com to validate all settings.

Set up Mail services in Server Admin to what appears to be correct, but whenevr I try and send any mail to my server, I am getting:

Jun 13 18:00:10 rama postfix/smtpd[15977]: NOQUEUE: reject: RCPT from unknown[206.105.123.3]: 554 <nibeck@mikenibeck.com>: Relay access denied; from=<Nibeck.Mike@PBGC.GOV> to=<nibeck@mikenibeck.com> proto=ESMTP helo=<mail2.pbgc.gov>

I suppose I'm missing something, but not sure if it's on my server or with godaddy.

_mike

Posted on Jun 13, 2006 3:08 PM

Reply

Answer 1

nibeck Author

Level 1

0 points

Jun 13, 2006 4:29 PM in response to nibeck

Here's the output of postconf

rama:~ nibeck$ postconf -n
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug peerlevel = 2
enable serveroptions = yes
html_directory = no
inet_interfaces = all
local recipientmaps =
luser_relay = postmaster
mail_owner = postfix
mailbox sizelimit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps rbldomains =
mydomain = mikenibeck.com
mydomain_fallback = localhost
myhostname = mail.mikenibeck.com
mynetworks = 127.0.0.1/32,192.168.1.0/24
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd clientrestrictions = permit_mynetworks reject rblclient sbl-xbl.spamhaus.org permit
smtpd tls_keyfile =
unknown local_recipient_rejectcode = 550

Reply

Answer 2

davidh

Level 4

1,896 points

Jun 13, 2006 5:55 PM in response to nibeck

Two main problems: You server is using RFC-1918 (aka "lan" or private IP) addressing http://www.faqs.org/rfcs/rfc1918.html

so you'll need to have an internal DNS server to answer for mikenibeck.com & mail.mikenibeck.com

What happens when you launch the Terminal and type:
dig mikenibeck.com
dig -x 192.168.1.x

where "x" is the actual number used for your server.

That config is a bit too sparse.
You'll want to add at least
smtpd clientrestrictions = permit_mynetworks permit saslauthenticated reject unauthdestination reject rblclient sbl-xbl.spamhaus.org

However, before doing so, you'll want to use Server Admin > Mail > Advanced, and enable all but Kerberos for authentication (for now at least).
Consider disabling "clear" but test this with any PC mail-client software - APOP is better than nothing but clear-text authentication is just asking to have accounts compromised.

Reply

Answer 3

nibeck Author

Level 1

0 points

Jun 13, 2006 6:16 PM in response to davidh

My name can resolve fine (mikenibeck.com and mail.mikenibeck.com). I am currently using godaddy for my DNS, as I wanted to avoid setting up local DNS unless I have to.

rama:~ nibeck$ dig mikenibeck.com

; <<>> DiG 9.2.2 <<>> mikenibeck.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28840
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mikenibeck.com. IN A

;; ANSWER SECTION:
mikenibeck.com. 3600 IN A 70.17.255.252

;; Query time: 103 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Jun 13 21:04:57 2006
;; MSG SIZE rcvd: 48

rama:~ nibeck$ dig -x 192.168.1.2

; <<>> DiG 9.2.2 <<>> -x 192.168.1.2
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27565
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;2.1.168.192.in-addr.arpa. IN PTR

;; Query time: 5 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Jun 13 21:13:05 2006
;; MSG SIZE rcvd: 42

I thought using the private addressing was OK, as long as you had SMTP Relay set up for the local networks (192.168.1.0/24)??

I will increase security after I get the basic setup working.

Thanks for the input.

_mike

Reply

Answer 4

davidh

Level 4

1,896 points

Jun 13, 2006 7:13 PM in response to nibeck

What's at 192.168.1.1 ?

You have to have something answering for 192.168.1.2
as 192.168.12. ≠ 70.17.255.252

It was meant to be helpful, and it's just one issue to be resolved, but from what you post it seems it already is/was 🙂

Reply

Answer 5

nibeck Author

Level 1

0 points

Jun 14, 2006 1:40 PM in response to davidh

192.168.1.1 is my router (airport extreme) that is doing NAT to my primary server (192.168.1.2).

70.17.255.252 is my perminent IP assign by ISP.

Again, this could be a real mess, as I'm new to this....

_mike

Reply

Answer 6

UptimeJeff

Level 4

3,479 points

Jun 14, 2006 8:08 PM in response to nibeck

You have nothing in mydestination

ServerAdmin:Mail:Settings:Advanced:Hosting

Add mikenibeck.com to local host aliases

Stop/Start mail service

Jeff

Reply

Answer 7

nibeck Author

Level 1

0 points

Jun 15, 2006 12:39 PM in response to UptimeJeff

Excellent! That did it, thanks all that helped!

Reply