Postfix relay access denied when sending from external mail client

Question

I know this has been asked before, but I tried the other andswers and still get the same error.

Server error: '554 5.7.1: Relay access denied'

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain.com
myhostname = mail.mydomain.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550

and added

    smtpd_relay_restrictions =
    permit_mynetworks
    defer_unauth_destination

Do you get the error when sending to your own domain, or only when sending from an external client to an external address? — Jenny D, Dec 16 '13 at 10:42
Then it does what it should and what you've configured it to do. — Jenny D, Dec 16 '13 at 10:50
Hang on, I'm giving you an answer but it takes some time to write... — Jenny D, Dec 16 '13 at 10:54

Jenny D · Accepted Answer · 2013-12-16T11:31:21.717

If your server were to allow you to relay email from any IP on the internet to any domain on the internet, it would take approximately 0.5 nanoseconds before a spammer would start abusing it to spam the world. This would be very bad indeed.

So, in order to use it as a relay, you need to set up some sort of authentication mechanism. The most common method is called SASL; another one would be to use SSL/TLS certificates (which you could issue yourself) or to setup an SSH tunnel or stunnel.

The main advantage of SASL is that it should work with any computer, even if you don't own or completely control that computer. The advantage to TLS/SSH/stunnel is that the connection is more secure - but it requires a little more work on the client side.

You could also add your own IP address to the list of IPs allowed to relay.

If you choose to go with SASL, start by reading the postfix SASL documentation.

If you choose to go with SSL/TLS certificates, start by treading the postfix TLS documentation.

If you want to add your IP address to the networks allowd to relay, you should add the IP address to the "mynetworks" line in the configuration. If there isn't such a line, add it. The normal values would be something like

mynetworks = 127.0.0.0/24,1.2.3.4/32

where 1.2.3.4 is the actual IP address of the computer you want to relay from. There's more information at the postfix site

Thanks for the reply. Could I temporarily add my own ip and if so where would I add it? — Frank Astin, Dec 16 '13 at 11:05
Oh yes, I didn't add that solution because it's likely to be a bother if you keep changing addresses. I'm adding it to the anser. — Jenny D, Dec 16 '13 at 11:16
I wish you luck. (You're in a maze of twisty little SSL certificates, all alike :-) — Jenny D, Dec 16 '13 at 11:39

Postfix relay access denied when sending from external mail client

1 Answers1