
I'm trying to figure out how to solve a problem on my VPS, maybe you can help me :D

Long story short: this is the first time I operate a Bare Metal VPS, and I'm trying to set up the mail server.

After a couple of tries I managed to set up the service, but I can only send emails between the two domains and from these domains to an external mail address; I cannot receive. (domain1 and domain2 are managed on the VPS)

  • Mail from domain1 to domain2 - OK
  • Mail from domain2 to domain1 - OK
  • Mail from both these domains to another mail (e.g. info@blabla.com) - OK
  • Mail from external domain (e.g. info@blabla.com) to domain1 or domain2 - 554 5.7.1 Relay access denied

So far I have understood (I think that's it) that there is a problem with the SASL Auth, but I can't figure out how to resolve this.

I'm running Ubuntu 22.04, with Plesk (Postfix and Dovecot as mail services); the Relay in the Plesk Mail server settings is set to Auth with SMTP.

Attached below are the config files (I have not made any changes):

/etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
myhostname = vps-1032f104.vps.ovh.net
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =  localhost.vps.ovh.net, localhost, localhost.localdomain
relayhost =
mynetworks =
mailbox_size_limit = 0
recipient_delimiter =
inet_interfaces = all
inet_protocols = all
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
smtpd_use_tls = yes
smtp_use_tls = no
disable_vrfy_command = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
authorized_flush_users =
authorized_mailq_users =
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
message_size_limit = 10240000
virtual_mailbox_limit = 0
smtputf8_enable = no
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_canonical_classes = envelope_recipient,header_recipient
tls_preempt_cipherlist = yes
tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH:!kDH
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_protocols = TLSv1.2 TLSv1.3
smtpd_tls_dh1024_param_file = /opt/psa/etc/dhparams2048.pem
smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3
smtpd_tls_ciphers = medium

/etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n -   y       -       -       smtpd
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable smtps for loopback clients only, or for any client.
#127.0.0.1:smtps inet n  -       y       -       -       smtpd
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
cleanup   unix  n       -       y       -       0       cleanup
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe flags=R user=list:list argv=/usr/lib/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames -q ${queue_id}
127.0.0.1:12346 inet n n n - - spawn user=popuser:popuser argv=/usr/lib/plesk-9.0/postfix-srs
pickup fifo n - y 60 1 pickup
qmgr fifo n - n 1 1 qmgr
smtps inet n - y - - smtpd -o smtpd_tls_wrappermode=yes

submission inet n - y - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination


plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db

plesk-51.83.43.67- unix - - n - - smtp -o smtp_bind_address=51.83.43.67 -o smtp_bind_address6= -o smtp_address_preference=ipv4

/var/log/maillog (for the last test mail I just sent)

Sep  8 11:21:48 vps-1032f104 postfix/smtpd[1535575]: warning: hostname annoying.medyamol.com does not resolve to address 141.98.11.113: Name or service not known
Sep  8 11:21:48 vps-1032f104 postfix/smtpd[1535575]: connect from unknown[141.98.11.113]
Sep  8 11:21:49 vps-1032f104 plesk_saslauthd[1535682]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Sep  8 11:21:49 vps-1032f104 plesk_saslauthd[1535682]: privileges set to (113:122) (effective 113:122)
Sep  8 11:21:49 vps-1032f104 plesk_saslauthd[1535682]: failed mail authentication attempt for user 'admin' (password len=11)
Sep  8 11:21:49 vps-1032f104 postfix/smtpd[1535575]: warning: unknown[141.98.11.113]: SASL LOGIN authentication failed: authentication failure
Sep  8 11:21:50 vps-1032f104 postfix/smtpd[1535575]: disconnect from unknown[141.98.11.113] ehlo=1 auth=0/1 quit=1 commands=2/3

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
append_dot_mydomain = no
authorized_flush_users =
authorized_mailq_users =
biff = no
compatibility_level = 3.6
disable_vrfy_command = yes
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mailman_destination_recipient_limit = 1
message_size_limit = 10240000
mydestination = localhost.vps.ovh.net, localhost, localhost.localdomain
myhostname = vps-1032f104.vps.ovh.net
mynetworks =
myorigin = /etc/mailname
plesk_virtual_destination_recipient_limit = 1
readme_directory = no
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:127.0.0.1:12346
recipient_delimiter =
relayhost =
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
smtp_send_xforward_command = yes
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_milters = , inet:127.0.0.1:12768
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /opt/psa/etc/dhparams2048.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3
smtpd_tls_protocols = TLSv1.2 TLSv1.3
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtputf8_enable = no
tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH:!kDH
tls_preempt_cipherlist = yes
tls_server_sni_maps = hash:/var/spool/postfix/plesk/certs
transport_maps = , hash:/var/spool/postfix/plesk/transport
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_gid_maps = static:31
virtual_mailbox_base = /var/qmail/mailnames
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
virtual_transport = plesk_virtual
virtual_uid_maps = static:30

Sasl Status

● saslauthd.service - LSB: saslauthd startup script
     Loaded: loaded (/etc/init.d/saslauthd; generated)
     Active: active (exited) since Thu 2022-09-08 09:35:31 UTC; 1h 42min ago
       Docs: man:systemd-sysv-generator(8)
        CPU: 23ms

Sep 08 09:35:31 vps-1032f104 systemd[1]: Starting LSB: saslauthd startup script>
Sep 08 09:35:31 vps-1032f104 saslauthd[1530583]:  * To enable saslauthd, edit />
Sep 08 09:35:31 vps-1032f104 systemd[1]: Started LSB: saslauthd startup script.

Are these configs correct?

I'm just a Front End Dev thrown into the world of servers, help me with this struggle please :D

Thanks!

---- Update ----

postconf -d | grep restrictions gives me this result:

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps $smtpd_client_restrictions $smtpd_helo_restrictions $smtpd_sender_restrictions $smtpd_relay_restrictions $smtpd_recipient_restrictions $address_verify_sender_dependent_default_transport_maps $address_verify_sender_dependent_relayhost_maps $address_verify_transport_maps $fallback_transport_maps $lmtp_discard_lhlo_keyword_address_maps $lmtp_pix_workaround_maps $lmtp_sasl_password_maps $lmtp_tls_policy_maps $mailbox_command_maps $mailbox_transport_maps $postscreen_discard_ehlo_keyword_address_maps $rbl_reply_maps $sender_dependent_default_transport_maps $sender_dependent_relayhost_maps $smtp_discard_ehlo_keyword_address_maps $smtp_pix_workaround_maps $smtp_sasl_password_maps $smtp_tls_policy_maps $smtpd_discard_ehlo_keyword_address_maps $smtpd_milter_maps $virtual_gid_maps $virtual_uid_maps $local_login_sender_maps $postscreen_reject_footer_maps $smtpd_reject_footer_maps $tls_server_sni_maps
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions =
smtpd_relay_before_recipient_restrictions = ${{$compatibility_level} <level {3.6} ? {no} : {yes}}
smtpd_relay_restrictions = ${{$compatibility_level} <level {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}
smtpd_sender_restrictions =

Is it possible that some other directives override the restrictions protocols?

1 Answer

The problem is not in SASL auth. For a basic mail server setup which can send and receive mail using a local mail client (local == running on the server itself, e.g. mutt or some webmail), you don't need SASL auth at all. SASL auth is for mail submission by remote mail clients that connect over SMTP to submission ports. Currently, you have submission services disabled in your master.cf, so SASL auth is of no use for you.

The reason why you are getting the error message is that you haven't defined your domains (domain1 and domain2) as local to the mail server. The mail server needs to know which domains it should handle mail for. Something is wrong with either your virtual_mailbox_domains or virtual_mailbox_maps parameter (or both). Because you didn't provide the contents of the files referenced in these parameters, I can't tell exactly what is wrong, but the comma at the beginning of the virtual_mailbox_maps parameter seems suspicious to me. It should be removed. However, this doesn't have to be the actual problem.

What actually happens is that the server doesn't know that domain1 and domain2 are its local domains and considers them to be external ones. So it assumes that the external sender (from blabla.com) wants to send mail to external domains through your mail server, which is called relaying and is normally prohibited by mail server configuration (unless you send the mail from trusted clients that are expected to use this server for mail submission).

Please read very carefully the description of both parameters here: http://www.postfix.org/postconf.5.html#virtual_mailbox_domains and based on that description correct the values of these parameters and/or contents of files referenced by these parameters.

Aside from this, I see other issues with your config file. Generally, it is too long and overcomplicated and probably includes a lot of features that you don't need at all (at least at the beginning). I guess they were added by Plesk. I'm not a fan of any automated tools to configure a mail server. You can use an automated tool only after you are able to manually configure the server and can verify that the tool generates only configuration statements that are actually necessary, and not some random garbage (which often is the case).

One should always start with a (manually created) simplest configuration possible to get the working service, and then gradually add enhancements later.

  1. You use transport_maps and sender_dependent_default_transport_maps. Transport maps are an advanced feature that is usually used in quite complicated mail server setups, where you need to send mail to different domains via different specific methods. They are usually completely unnecessary in a simple mail server setup. I don't know what the contents of the files referred to in both parameters are, so it's hard for me to decide if they are actually used and how, but this seems to be one of the overcomplications of your setup. BTW, transport_maps also has an unnecessary comma at the beginning, which I suggest getting rid of.

  2. Other advanced things you use: there is some milter defined in smtpd_milters (also an unnecessary comma at the beginning of this parameter, remove it) and some address canonicalization service defined in recipient_canonical_maps; the latter is a pretty advanced thing. What are these services doing?

  3. You use both smtp_tls_security_level and smtp_use_tls. Both parameters refer to the same functionality, so only one of them is necessary. Also, you use contradicting values here: smtp_tls_security_level tells the server to use TLS on outgoing connections, and smtp_use_tls tells it not to use it. Use only smtp_tls_security_level, as the other parameter is old and deprecated.

  4. The same applies for smtpd_tls_security_level and smtpd_use_tls (only here you use consistent values for both) which control incoming connections. Use the first one only.

  5. Don't use SASL auth on regular mail server port (remove the line smtpd_sasl_auth_enable = yes or change it to no). It should be enabled explicitly only on submission ports (which you didn't enable in your master.cf). Also, if you plan to use SASL auth, you should probably define the authenticator service to be used (using smtpd_sasl_type and smtpd_sasl_path).

  6. Also, unless you really know what you're doing and have a real reason for it, it is not recommended to mess with the default TLS parameter settings. Especially requiring only the TLSv1.2 and TLSv1.3 protocols both on incoming and outgoing connections may cause fallback to sending the mail not encrypted at all. Remove smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols, smtpd_tls_protocols, tls_medium_cipherlist and tls_preempt_cipherlist and just let Postfix use its default values. They are reasonable. Use of smtp_tls_session_cache_database is also NOT recommended with current versions of Postfix.

But the main thing you need to fix is virtual_mailbox_domains and/or virtual_mailbox_maps, because that's why you get the error.

raj
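As an added example (not code from the question, the answer, or Postfix itself): a small Python script that parses a `postconf -n` dump, flags the leading commas, the deprecated smtp_use_tls pair and the global smtpd_sasl_auth_enable that the answer points out, and walks smtpd_relay_restrictions the way smtpd(8) does for one RCPT TO, so you can see why a recipient domain that is in neither mydestination nor the virtual_mailbox_domains table ends in "Relay access denied". The postconf excerpt, the virtual-domains table contents and the name domain1.example (standing in for domain1) are constructed.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt of the asker's `postconf -n` output (not the full dump).
POSTCONF_N = """\
mydestination = localhost.vps.ovh.net, localhost, localhost.localdomain
mynetworks =
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_milters = , inet:127.0.0.1:12768
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
transport_maps = , hash:/var/spool/postfix/plesk/transport
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
"""

def parse_postconf(text: str) -> Dict[str, str]:
    """Turn `name = value` lines into a dict; an empty value is kept as ''."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def lint(params: Dict[str, str]) -> List[str]:
    """Flag the problems the answer lists; each finding starts with the parameter name."""
    findings: List[str] = []
    for name, value in params.items():
        if value.startswith(","):
            findings.append(f"{name}: leading comma, remove it")
    for old, new in (("smtp_use_tls", "smtp_tls_security_level"),
                     ("smtpd_use_tls", "smtpd_tls_security_level")):
        if old in params and new in params:
            msg = f"{old}: deprecated, keep only {new}"
            # *_use_tls=no means "off" and *_tls_security_level=none means "off"; they must agree
            if (params[old] == "no") != (params[new] == "none"):
                msg += f" (values contradict: {old}={params[old]}, {new}={params[new]})"
            findings.append(msg)
    if params.get("smtpd_sasl_auth_enable") == "yes":
        findings.append("smtpd_sasl_auth_enable: yes in main.cf also covers port 25; "
                        "set it per service (submission/smtps) in master.cf instead")
    return findings

def local_domains(params: Dict[str, str], virtual_domains_table: Set[str]) -> Set[str]:
    """mydestination plus the virtual_mailbox_domains hash table (contents constructed here)."""
    mydest = {d.strip().lower() for d in params.get("mydestination", "").split(",") if d.strip()}
    return mydest | {d.lower() for d in virtual_domains_table}

def relay_decision(params: Dict[str, str], accepted: Set[str], rcpt_domain: str,
                   in_mynetworks: bool = False, sasl_ok: bool = False) -> str:
    """Walk smtpd_relay_restrictions for one RCPT TO and return permit/reject/defer."""
    for r in (x.strip() for x in params["smtpd_relay_restrictions"].split(",")):
        if r == "permit_mynetworks" and in_mynetworks:
            return "permit"
        if r == "permit_sasl_authenticated" and sasl_ok:
            return "permit"
        if r in ("reject_unauth_destination", "defer_unauth_destination"):
            if rcpt_domain.lower() in accepted:
                continue  # authorized destination: DUNNO, move to the next restriction
            return "reject" if r.startswith("reject") else "defer"  # "Relay access denied"
    return "permit"  # Postfix permits once the list is exhausted

if __name__ == "__main__":
    p = parse_postconf(POSTCONF_N)
    for f in lint(p):
        print("lint:", f)
    # Outside sender, no SASL: deferred while the (constructed) table lacks domain1.example
    print(relay_decision(p, local_domains(p, set()), "domain1.example"))                 # defer
    print(relay_decision(p, local_domains(p, {"domain1.example"}), "domain1.example"))  # permit
```

On the real server the equivalent of the constructed table lookup is `postmap -q domain1 hash:/var/spool/postfix/plesk/virtual_domains`; an empty result for domain1 means Postfix does not treat it as a domain it accepts mail for.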