Author Topic: roundcube smtp host : Relay access denied  (Read 10343 times)

bluethundr
roundcube smtp host : Relay access denied
« on: March 15, 2014, 04:10:36 PM »
I've just built a Postfix server in Amazon EC2 with an elastic IP. And I found that while I can connect to and send emails to my mail server when I telnet to localhost, when I telnet to the external FQDN I get relay denied.

I'll first demonstrate success, then failure.
Code:
root@mail:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix (Ubuntu)
HELO mail.example.com
250 mail.example.com
MAIL FROM: <bluethundr@external.com>
250 2.1.0 Ok
RCPT TO: <bluethundr@example.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: Test to internal localhost
.
250 2.0.0 Ok: queued as B97CA24B8B
quit

And the logs confirm success:
Code:
Mar 15 19:27:35 mail postfix/smtpd[5294]: B97CA24B8B: client=localhost[127.0.0.1]
Mar 15 19:28:18 mail postfix/cleanup[5306]: B97CA24B8B: message-id=<20140315192735.B97CA24B8B@mail.example.com>
Mar 15 19:28:18 mail postfix/qmgr[5221]: B97CA24B8B: from=<bluethundr@external.com>, size=356, nrcpt=1 (queue active)
Mar 15 19:28:18 mail postfix/cleanup[5306]: AD51725096: message-id=<20140315192735.B97CA24B8B@mail.example.com>
Mar 15 19:28:18 mail amavis[3401]: (03401-09) Passed BAD-HEADER-1 {RelayedOutbound,Quarantined}, LOCAL [127.0.0.1]:58766 [127.0.0.1] <bluethundr@external.com> -> <bluethundr@example.com>, quarantine: W/badh-WyjD4kEQ4Mls, Queue-ID: B97CA24B8B, Message-ID: <20140315192735.B97CA24B8B@mail.example.com>, mail_id: WyjD4kEQ4Mls, Hits: -, size: 356, queued_as: AD51725096, 140 ms
Mar 15 19:28:18 mail postfix/smtp[5317]: B97CA24B8B: to=<bluethundr@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=51, delays=51/0.03/0/0.16, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as AD51725096)
Mar 15 19:28:18 mail postfix/qmgr[5221]: B97CA24B8B: removed

However, if I telnet to the externally available FQDN (from the mail server) I get a relay denied error:

Code:
root@mail:~# telnet mail.example.com 25
Trying xx.xx.xx.xx...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix (Ubuntu)
HELO mail.example.com
250 mail.example.com
MAIL FROM: <bluethundr@external.com>
250 2.1.0 Ok
RCPT TO: <bluethundr@example.com>
454 4.7.1 <bluethundr@example.com>: Relay access denied

In the logs when I try to telnet to the FQDN, I see this:
Code:
Mar 15 19:38:00 mail postfix/smtpd[5392]: NOQUEUE: reject: RCPT from unknown[54.85.41.178]: 454 4.7.1 <bluethundr@example.com>: Relay access denied; from=<bluethundr@external.com> to=<bluethundr@example.com> proto=SMTP helo=<mail.example.com>

I've done some googling on this, and often people do cite this setting as a potential cause of this situation. Here's mine:
Code:
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated,  reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit

Here is the output of postconf -n

Code:
root@mail:~# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
delay_warning_time = 4h
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps =
mailbox_size_limit = 0
masquerade_domains = mail.example.com example.com !sub.dyndomain.com
masquerade_exceptions = root
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
mydestination =
myhostname = mail.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
myorigin = example.com
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 16
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes

Another potential trouble area may be that I can't seem to telnet to port 25 remotely from my work station:
Code:
[me@home:~] #telnet mail.example.com 25
Trying xx.xx.xx.xx..
telnet: connect to address xx.xx.xx.xx: Operation timed out
telnet: Unable to connect to remote host

As mentioned, this is an Amazon EC2 instance, but I have opened up port 25 on the security groups and made sure that ufw (the Ubuntu firewall) was not running on the instance.

I'd definitely appreciate your esteemed advice on this!
« Last Edit: March 15, 2014, 05:21:42 PM by bluethundr »
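
Added example (not part of the original post, and not Postfix's own code): a simplified Python model of how the `smtpd_relay_restrictions` list from the `postconf -n` output above is evaluated, first match wins, showing why the loopback client is permitted while the client logged as 54.85.41.178 gets the 454 reply. It assumes, because `mydestination` is empty and the output lists no `relay_domains` or `virtual_*_domains`, that no domain is configured as hosted on this server; `parse_net`, `in_mynetworks` and `evaluate` are hypothetical helper names.

```python
import ipaddress

# Values copied from the postconf -n output in the post above.
MYNETWORKS = ["127.0.0.0/8", "[::ffff:127.0.0.0]/104", "[::1]/128"]
RELAY_RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                      "defer_unauth_destination"]
# Assumption: mydestination is empty and no relay_domains or
# virtual_*_domains are shown, so no domain counts as hosted here.
LOCAL_DOMAINS = frozenset()


def parse_net(entry):
    """Turn a Postfix mynetworks entry (v4/len or [v6]/len) into a network."""
    return ipaddress.ip_network(entry.replace("[", "").replace("]", ""),
                                strict=False)


def in_mynetworks(client_ip, nets=MYNETWORKS):
    """True if the connecting client address falls inside mynetworks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in parse_net(n) for n in nets)


def evaluate(client_ip, rcpt, sasl_authenticated=False,
             restrictions=RELAY_RESTRICTIONS, local_domains=LOCAL_DOMAINS):
    """Return (action, deciding_restriction) for one RCPT TO command."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(client_ip):
            return ("permit", r)
        if r == "permit_sasl_authenticated" and sasl_authenticated:
            return ("permit", r)
        if r in ("defer_unauth_destination", "reject_unauth_destination") \
                and domain not in local_domains:
            # defer_* answers with a temporary 4xx, reject_* with a 5xx.
            code = "454 4.7.1" if r.startswith("defer") else "554 5.7.1"
            return (code + " Relay access denied", r)
    # No decision in this list: smtpd_recipient_restrictions runs next.
    return ("dunno", None)


if __name__ == "__main__":
    # The two sessions from the post: loopback client vs. public address.
    for ip in ("127.0.0.1", "54.85.41.178"):
        print(ip, evaluate(ip, "bluethundr@example.com"))
```

The model covers only the three restrictions in this list and ignores the address-literal cases (`$inet_interfaces`, `$proxy_interfaces`) that Postfix also treats as final destinations.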

SKaero
Re: roundcube smtp host : Relay access denied
« Reply #1 on: March 17, 2014, 04:11:14 PM »
I'm a little confused, are you trying to use an Amazon EC2 server as an SMTP server?