
I'm attempting to use just one postfix instance as the input for ALL my outgoing mail. From there, the goal is to relay it to one of my many outbound postfix instances. I do this using round-robin DNS so it spreads the load throughout.

[mail client] --> (main instance) --> (outbound instance) = DOES NOT WORK
[mail client] --> (outbound instance) = Works Fine

Below is my relevant main.cf for the main input postfix instance:

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
relayhost = [mta-mx-1.outbounddomain.com]

and inside sasl_passwd:

[mta-mx-1.outbounddomain.com]              outbound_username:password

It should relay to mta-mx-1.outbounddomain.com using the username and password combination in sasl_passwd.

Below is the relevant main.cf for an outbound postfix instance:

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

I thought I could shovel all my mail through one server at full speed and let it relay evenly through all servers. The idea was to attempt to send mail through this group of loosely configured postfix instances. Then if/when anything fails, fallback_relay to a tighter configuration (i.e. mta-mx-2.outbounddomain.com, etc).

When I try to send mail from the mail client (tbird) through the main instance, I get relay access denied (554). It makes the connection to the outbound instance, but authentication never seems to take place. When I try to send mail directly without relaying first, using the same credentials, mail goes through just fine.

Is there something I'm missing? What is making it show relay access denied when sending from the main postfix instance and not when sending direct?

john

1 Answer

You didn't distinguish between smtpd and smtp. Your first "input instance" is in the role smtp while connecting to the "outbound instance" which is in the role smtpd. So smtpd_sasl_password_maps isn't used at all because of the "wrong role".

mailq
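A check for the role mix-up the answer describes, as an added example that is not part of the original question or answer: it parses main.cf text and reports why the SMTP client (smtp_*) side would not authenticate to relayhost. The function names and sample strings are constructed here; the smtp_tls_security_level line is an assumption that the outbound instance offers STARTTLS and that the legacy smtp_use_tls settings are not in use.

```python
import re

# Constructed sample: relay-related lines from the question's main instance.
QUESTION_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
relayhost = [mta-mx-1.outbounddomain.com]
"""

# Client-role (smtp_*) settings for the same relay; the TLS line is an assumption.
CLIENT_ROLE_MAIN_CF = """\
relayhost = [mta-mx-1.outbounddomain.com]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
"""

def parse_main_cf(text):
    """Return {name: value}; '#' lines are comments, indented lines continue."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and name:
            params[name] += " " + line.strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)", line)
        if m:
            name = m.group(1)
            params[name] = m.group(2).strip()
    return params

def audit_relay_auth(text):
    """List reasons the SMTP client would not authenticate to relayhost."""
    p, findings = parse_main_cf(text), []
    if not p.get("relayhost"):
        return findings  # no relay configured, nothing to authenticate to
    if p.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtp_sasl_auth_enable is not yes: client sends no AUTH")
    if not p.get("smtp_sasl_password_maps"):
        findings.append("smtp_sasl_password_maps unset: no relay credentials")
    if "smtpd_sasl_password_maps" in p:
        findings.append("smtpd_sasl_password_maps set: not read by the client role")
    if p.get("smtp_tls_security_level", "").lower() in ("", "none", "may"):
        findings.append("TLS not enforced: relay credentials may cross in cleartext")
    return findings
```

Calling `audit_relay_auth(QUESTION_MAIN_CF)` returns four findings for the question's main instance, and `audit_relay_auth(CLIENT_ROLE_MAIN_CF)` returns an empty list.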