1 (edited by broth 2019-12-12 20:13:33)

Topic: New iRedMail 1.0 install with 1 relay domain => "Relay access denied"?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.0
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Ubuntu Server 18.04 (all updates)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello Zhang!

I created a new server installation with iRedMail, added a domain and configured:

Relay received email to:   smtp:[10.xx.xx.xx]
Relay without verifying local recipients: checked

Graylisting is turned off globally.

Now when sending an email message to the server for the relay-domain, mail.log shows

Dec 12 12:47:15 mx0 postfix/smtpd[5081]: connect from delivery.mtaroutes.com[185.201.17.200]
Dec 12 12:47:16 mx0 postfix/smtpd[5081]: Anonymous TLS connection established from delivery.mtaroutes.com[185.201.17.200]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 12 12:47:16 mx0 postfix/smtpd[5081]: NOQUEUE: reject: RCPT from delivery.mtaroutes.com[185.201.17.200]: 554 5.7.1 <test@relay-domain.de>: Relay access denied; from=<xxx@xxx.de> to=<test@relay-domain.de> proto=ESMTP helo=<delivery.mtaroutes.com>
Dec 12 12:47:17 mx0 postfix/smtpd[5081]: disconnect from delivery.mtaroutes.com[185.201.17.200] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7

Why?

I have a similar server at a customer running for the same task (iRedMail 0.9.8) and it's working fine.

vmail.domains looks the same in SQL when comparing both servers.

Any idea what might be wrong?


Thanks!
Best regards,
Bernhard

2

Could you show me the SQL record of this domain in "vmail.domain" table? (you can replace the real domain name by "example.com" or other fake domain names)

USE vmail;
SELECT * FROM domain WHERE domain="your-domain.com" LIMIT 1 \G

Use the "\G" instead of ";" for easier reading.

3 (edited by broth 2019-12-13 13:43:44)

Thanks for your quick reply!

From the non-working fresh iRedMail 1.0 installation:

MariaDB [vmail]> SELECT * FROM domain WHERE domain="example.com" LIMIT 1 \G
*************************** 1. row ***************************
     domain: example.com
description: xxx xxx xxx xxx
disclaimer: NULL
    aliases: 0
  mailboxes: 0
  maillists: 0
   maxquota: 0
      quota: 0
  transport: smtp:[10.xx.xx.xx]
   backupmx: 1
   settings: default_language:en_US;default_user_quota:1024;timezone:Europe/Berlin;
    created: 2019-12-12 11:40:03
   modified: 2019-12-12 11:40:10
    expired: 9999-12-31 00:00:00
     active: 1
1 row in set (0.00 sec)

MariaDB [vmail]>

I cross checked the SQL statements from proxy:mysql:/etc/postfix/mysql/relay_domains.cf and it returns correctly the domain.



To compare from a working iRedMail 0.98 installation:



mysql> SELECT * FROM domain WHERE domain="example.com" LIMIT 1 \G
*************************** 1. row ***************************
     domain: example.com
description:
disclaimer: NULL
    aliases: 0
  mailboxes: 0
  maillists: 0
   maxquota: 0
      quota: 0
  transport: smtp:[10.xx.xx.xx]
   backupmx: 1
   settings: default_user_quota:1024;
    created: 2018-07-02 13:34:26
   modified: 2018-07-30 11:57:42
    expired: 9999-12-31 00:00:00
     active: 1
1 row in set (0.00 sec)

mysql>

4

Have you received my coffee tips? ;-)

5

Could you try the solution in this fix?
https://forum.iredmail.org/post71917.html#p71917

6

Thanks but this looks to be dovecot, right?

In my case the problem looks to be pure postfix as iRedMail is used only as Email Proxy.

7 (edited by CrashXRU 2019-12-17 19:23:31)

If you installed the beta version or the first version of December 9, then the solution is simple.
I faced the same problem yesterday; the solution was simple.
Open the Dovecot config file dovecot.conf,
find the plugin {} block and add 3 new parameters:

plugin {
    ...
    # Used by quota-status service.
    quota_status_success = DUNNO
    quota_status_nouser = DUNNO
    quota_status_overquota = "552 5.2.2 Mailbox is full"
    ...
}

Or disable this line
in postfix/main.cf, in the block smtpd_recipient_restrictions =

#    check_policy_service inet:127.0.0.1:12340

8

Thanks for your contribution!

I downloaded and installed iRedMail 1.0 on December 12.
dovecot.conf does have the required configuration lines set.

netstat -lnp shows the service properly listening:

tcp        0      0 127.0.0.1:12340         0.0.0.0:*               LISTEN      797/dovecot         

IMHO this might not be the cause of my problem.

9

Could you please show me output of "postconf -n" command on both servers?

10

Here you go:

postconf_nonwork_iRed1.0.txt

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
inet_protocols = all
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mail_owner = postfix
mailbox_size_limit = 26214400
mailq_path = /usr/bin/mailq
message_size_limit = 26214400
mlmmj_destination_recipient_limit = 1
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = mx0.customer.example.com
myhostname = mx0.customer.example.com
mynetworks = 127.0.0.1 [::1] 10.xx.xx.xx/32 94.xx.xx.xx/32 10.xx.xx.0/24
myorigin = mx0.customer.example.com
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.2*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = drop
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
queue_directory = /var/spool/postfix
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost = [smtpout.mtaroutes.com]:587
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp-amavis_destination_recipient_limit = 1
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access pcre:/etc/postfix/helo_access.pcre reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unlisted_recipient check_policy_service inet:127.0.0.1:7777 permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:12340
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_exceptions_networks = 94.230.50.135/32
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unlisted_sender permit_mynetworks permit_sasl_authenticated check_sender_access pcre:/etc/postfix/sender_access.pcre reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf proxy:mysql:/etc/postfix/mysql/catchall_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

postconf_working_iRed0.9.8

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
inet_protocols = all
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mail_owner = postfix
mailbox_size_limit = 26214400
mailq_path = /usr/bin/mailq
message_size_limit = 26214400
mlmmj_destination_recipient_limit = 1
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = mx0.customer.example.com
myhostname = mx0.customer.example.com
mynetworks = 127.0.0.1 [::1] 10.xx.xx.xx/32 94.xx.xx.xx/32 192.168.xx.0/24
myorigin = mx0.customer.example.com
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.2*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = drop
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
queue_directory = /var/spool/postfix
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost = [smtpout.mtaroutes.com]:587
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp-amavis_destination_recipient_limit = 1
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access pcre:/etc/postfix/helo_access.pcre reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unlisted_recipient check_policy_service inet:127.0.0.1:7777 permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_exceptions_networks = 94.230.50.135/32
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain reject_non_fqdn_sender reject_unlisted_sender permit_mynetworks permit_sasl_authenticated check_sender_access pcre:/etc/postfix/sender_access.pcre
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf proxy:mysql:/etc/postfix/mysql/catchall_maps.cf proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

I am still wondering what I might have been doing wrong.

Thanks!

11

What is the dovecot quota checking service doing for relay domains?
I have the option "Relay without verifying local recipients" set.

There will be no local IMAP mailboxes on the server.

12

Here is a simple telnet SMTP test. Immediately when entering "RCPT TO" it denies relay access.

test@test01:~/Downloads$ telnet 10.xx.xx.xx 25
Trying 10.xx.xx.xx...
Connected to 10.xx.xx.xx.
Escape character is '^]'.
220 mx0.xx.xx ESMTP Postfix
EHLO mail.existinghostname.com
250-mx0.xx.xx
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
MAIL FROM:<my@email.address>
250 2.1.0 Ok
RCPT TO:<test@example.com>
554 5.7.1 <test@example.com>: Relay access denied
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

13

The only one difference is "check_policy_service inet:127.0.0.1:12340".
Does the relay work if you remove this restriction rule in /etc/postfix/main.cf?

14

No change when removing that line.

Even when leaving

smtpd_recipient_restrictions =

empty, it does not work.

When adding example.com to "mydestination" the system reports "Recipient address rejected: User unknown in local recipient table"


Where do I need to enable debugging in order to get details about where the rejection occurs?


I found a difference in "mysql/virtual_mailbox_domains.cf":

Working box:

query       = SELECT domain FROM domain WHERE domain='%s' AND backupmx=0 AND active=1 UNION SELECT alias_domain.alias_domain FROM alias_domain,domain WHERE alias_domain.alias_domain='%s' AND alias_domain.active=1 AND alias_domain.target_domain=domain.domain AND domain.active=1 AND domain.backupmx=0

Non-Working box:

query       = (SELECT domain FROM domain WHERE domain='%s' AND backupmx=0 AND active=1 LIMIT 1) UNION (SELECT alias_domain.alias_domain FROM alias_domain,domain WHERE alias_domain.alias_domain='%s' AND alias_domain.active=1 AND alias_domain.target_domain=domain.domain AND domain.active=1 AND domain.backupmx=0 LIMIT 1)

Is that change documented in the upgrade guides? I can't remember.



I checked the MariaDB query log. The following queries were made when trying to send an email via telnet:

191223  8:38:28       37 Connect    vmail@localhost as anonymous on vmail
           37 Query    SELECT maillists.transport FROM maillists,domain WHERE maillists.address='*' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
           38 Connect    vmail@localhost as anonymous on vmail
           38 Query    SELECT transport FROM domain WHERE domain='*' AND active=1 LIMIT 1
           37 Query    SELECT maillists.transport FROM maillists,domain WHERE maillists.address='*' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
           38 Query    SELECT transport FROM domain WHERE domain='*' AND active=1 LIMIT 1
           39 Connect    vmail@localhost as anonymous on vmail
           39 Query    (SELECT domain FROM domain WHERE domain='senderdomain.com' AND backupmx=0 AND active=1 LIMIT 1) UNION (SELECT alias_domain.alias_domain FROM alias_domain,domain WHERE alias_domain.alias_domain='senderdomain.com' AND alias_domain.active=1 AND alias_domain.target_domain=domain.domain AND domain.active=1 AND domain.backupmx=0 LIMIT 1)
           40 Connect    vmail@localhost as anonymous on vmail
           40 Query    SELECT relayhost FROM sender_relayhost WHERE account='\"<>\"' LIMIT 1
           40 Query    SELECT relayhost FROM sender_relayhost WHERE account='<>' LIMIT 1
           41 Connect    vmail@localhost as anonymous on vmail
           41 Query    SELECT mailbox.transport FROM mailbox,domain WHERE mailbox.username='test@senderdomain.com' AND mailbox.domain='senderdomain.com' AND mailbox.domain=domain.domain AND mailbox.transport<>'' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.backupmx=0 AND domain.active=1
           37 Query    SELECT maillists.transport FROM maillists,domain WHERE maillists.address='test@senderdomain.com' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
           38 Query    SELECT transport FROM domain WHERE domain='test@senderdomain.com' AND active=1 LIMIT 1
           37 Query    SELECT maillists.transport FROM maillists,domain WHERE maillists.address='senderdomain.com' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
           38 Query    SELECT transport FROM domain WHERE domain='senderdomain.com' AND active=1 LIMIT 1
           37 Query    SELECT maillists.transport FROM maillists,domain WHERE maillists.address='.de' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
           38 Query    SELECT transport FROM domain WHERE domain='.de' AND active=1 LIMIT 1
191223  8:38:29       39 Query    (SELECT domain FROM domain WHERE domain='example.com' AND backupmx=0 AND active=1 LIMIT 1) UNION (SELECT alias_domain.alias_domain FROM alias_domain,domain WHERE alias_domain.alias_domain='example.com' AND alias_domain.active=1 AND alias_domain.target_domain=domain.domain AND domain.active=1 AND domain.backupmx=0 LIMIT 1)
           40 Query    SELECT relayhost FROM sender_relayhost WHERE account='test@senderdomain.com' LIMIT 1
           40 Query    SELECT relayhost FROM sender_relayhost WHERE account='@senderdomain.com' LIMIT 1
           41 Query    SELECT mailbox.transport FROM mailbox,domain WHERE mailbox.username='test@example.com' AND mailbox.domain='example.com' AND mailbox.domain=domain.domain AND mailbox.transport<>'' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.backupmx=0 AND domain.active=1
           37 Query    SELECT maillists.transport FROM maillists,domain WHERE maillists.address='test@example.com' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
           38 Query    SELECT transport FROM domain WHERE domain='test@example.com' AND active=1 LIMIT 1
           37 Query    SELECT maillists.transport FROM maillists,domain WHERE maillists.address='example.com' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
           38 Query    SELECT transport FROM domain WHERE domain='example.com' AND active=1 LIMIT 1
           39 Query    (SELECT domain FROM domain WHERE domain='senderdomain.com' AND backupmx=0 AND active=1 LIMIT 1) UNION (SELECT alias_domain.alias_domain FROM alias_domain,domain WHERE alias_domain.alias_domain='senderdomain.com' AND alias_domain.active=1 AND alias_domain.target_domain=domain.domain AND domain.active=1 AND domain.backupmx=0 LIMIT 1)
           40 Query    SELECT relayhost FROM sender_relayhost WHERE account='test@example.com' LIMIT 1
           40 Query    SELECT relayhost FROM sender_relayhost WHERE account='@example.com' LIMIT 1
           41 Query    SELECT mailbox.transport FROM mailbox,domain WHERE mailbox.username='test@senderdomain.com' AND mailbox.domain='senderdomain.com' AND mailbox.domain=domain.domain AND mailbox.transport<>'' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.backupmx=0 AND domain.active=1
           37 Query    SELECT maillists.transport FROM maillists,domain WHERE maillists.address='test@senderdomain.com' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
           38 Query    SELECT transport FROM domain WHERE domain='test@senderdomain.com' AND active=1 LIMIT 1
           37 Query    SELECT maillists.transport FROM maillists,domain WHERE maillists.address='senderdomain.com' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
           38 Query    SELECT transport FROM domain WHERE domain='senderdomain.com' AND active=1 LIMIT 1
           37 Query    SELECT maillists.transport FROM maillists,domain WHERE maillists.address='.de' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
           38 Query    SELECT transport FROM domain WHERE domain='.de' AND active=1 LIMIT 1
           42 Connect    vmail@localhost as anonymous on vmail
           42 Query    SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='test@senderdomain.com' AND forwardings.domain=domain.domain AND forwardings.active=1 AND domain.backupmx=0 AND domain.active=1
           43 Connect    vmail@localhost as anonymous on vmail
           43 Query    SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='senderdomain.com' AND forwardings.address=CONCAT('test', '@', alias_domain.target_domain) AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1 AND domain.backupmx=0
           44 Connect    vmail@localhost as anonymous on vmail
           44 Query    SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='senderdomain.com' AND 'test' NOT LIKE '%+%' AND forwardings.address=domain.domain AND forwardings.active=1 AND domain.active=1 AND domain.backupmx=0
           45 Connect    vmail@localhost as anonymous on vmail
           45 Query    SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='senderdomain.com' AND forwardings.address=alias_domain.target_domain AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1
           42 Query    SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='@senderdomain.com' AND forwardings.domain=domain.domain AND forwardings.active=1 AND domain.backupmx=0 AND domain.active=1
           45 Query    SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='senderdomain.com' AND forwardings.address=alias_domain.target_domain AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1

15

broth wrote:

I found a difference in "mysql/virtual_mailbox_domains.cf":

Does it work if you revert this file to the one on old iRedMail release?

16

I copied the files but the result is the same.

Is there any easy way to debug postfix and find out why it denies the message?
Verbose mode is an option but the amount of logs is overwhelming.

17

Try to add "debug_peer_list = <ip>" in /etc/postfix/main.cf, then send testing email from this IP address to trigger verbose log.

18

Thanks for the hint.

I collected plenty of debug information.

How may I share it with you without disclosing sensitive information in the forum?

I think the key problem is there:

Feb  3 08:26:14 mx0 postfix/smtpd[23033]: generic_checks: name=reject_unauth_destination
Feb  3 08:26:14 mx0 postfix/smtpd[23033]: reject_unauth_destination: test@example.com
Feb  3 08:26:14 mx0 postfix/smtpd[23033]: permit_auth_destination: test@example.com
Feb  3 08:26:14 mx0 postfix/smtpd[23033]: ctable_locate: leave existing entry key my@email.address?test@example.com
Feb  3 08:26:14 mx0 postfix/smtpd[23033]: NOQUEUE: reject: RCPT from gw1.xxxx.net[80.xx.xx.xx]: 554 5.7.1 <test@example.com>: Relay access denied; from=<my@email.address> to=<test@example.com> proto=SMTP helo=<mail.rzmuc.net>
Feb  3 08:26:14 mx0 postfix/smtpd[23033]: generic_checks: name=reject_unauth_destination status=2
Feb  3 08:26:14 mx0 postfix/smtpd[23033]: >>> END Recipient address RESTRICTIONS <<<
Feb  3 08:26:14 mx0 postfix/smtpd[23033]: > gw1.xxxx.net[80.xx.xx.xx]: 554 5.7.1 <test@example.com>: Relay access denied


Am I right that reject_unauth_destination is hitting?

19 (edited by broth 2020-02-03 15:56:26)

Note:

Instead of relay I configured backup MX with the internal IP of the exchange server.

In the section "Relay" it's set automatically to "relay:[10.xx.xx.xx]:25"

Unfortunately, when performing an SMTP test with telnet, I again get "Relay access denied"

20

Dear Broth,

Does this fix your issue?
https://docs.iredmail.org/upgrade.iredm … snt-work_1

21 (edited by broth 2020-02-03 18:46:43)

Dear Zhang,

THANK YOU! Yes this did the trick.
I cross-checked the working installation and there is actually a "%s"

So "%d" is wrong and does help.


BTW: While testing I noticed a weird behaviour when activating the option "Mark as backup MX" but leaving "Primary MX" empty:

1. "Profile has been updated." success message is shown
2. Checkbox "Mark as backup MX" is reverted to be un-checked
3. "Relay received email to" is set to default "dovecot" (my custom setting gets lost!)

There should be a warning or error message if "Primary MX" is empty.
Other settings should not be altered unless input is valid.

Thanks!

Best regards,
Bernhard
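
Why the "%d" placeholder from post 21 breaks relaying, as an added example that is not part of the thread and not iRedMail's or Postfix's own code: per mysql_table(5), %d is expanded only when the lookup key is a user@domain address and the query is suppressed otherwise, while relay_domains is looked up with the bare domain as key. The .cf text, its backupmx=1 query and all function names are constructed for illustration; only %s, %u, %d and %% are emulated.

```python
"""Emulate Postfix mysql_table(5) key expansion to audit a domain-keyed map."""

# Constructed sample of a relay_domains map definition (not copied from the thread).
BROKEN_CF = """\
# constructed example
user     = vmail
password = CONSTRUCTED
hosts    = 127.0.0.1
dbname   = vmail
query    = SELECT domain FROM domain
    WHERE domain='%d' AND backupmx=1 AND active=1 LIMIT 1
"""
FIXED_CF = BROKEN_CF.replace("'%d'", "'%s'")


def parse_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")  # split on the first '=' only
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def sql_quote(value):
    """Simplified stand-in for the SQL quoting Postfix applies to the key."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def expand_query(query, key):
    """Return the expanded SQL, or None when the lookup would be suppressed."""
    local, at, domain = key.rpartition("@")
    is_address = bool(at)
    out, i = [], 0
    while i < len(query):
        ch = query[i]
        if ch != "%" or i + 1 == len(query):
            out.append(ch)
            i += 1
            continue
        spec = query[i + 1]
        i += 2
        if spec == "%":
            out.append("%")
        elif spec == "s":            # whole lookup key
            out.append(sql_quote(key))
        elif spec == "u":            # local part, or whole key if not an address
            if is_address and not local:
                return None
            out.append(sql_quote(local if is_address else key))
        elif spec == "d":            # domain part; suppressed for a bare-domain key
            if not is_address:
                return None
            out.append(sql_quote(domain))
        else:                        # other expansions are outside this example
            out.append("%" + spec)
    return "".join(out)


def audit_domain_map(cf_text, test_domain="example.com"):
    """Flag a map whose query can never match when keyed by a bare domain."""
    query = parse_cf(cf_text).get("query")
    if query is None:
        return ["no 'query' parameter found"]
    if expand_query(query, test_domain) is None:
        return ["query is suppressed for key %r: it uses %%d (or %%u with an "
                "empty local part), so the map returns nothing and "
                "reject_unauth_destination rejects the recipient" % test_domain]
    return []


if __name__ == "__main__":
    for label, cf in (("broken", BROKEN_CF), ("fixed", FIXED_CF)):
        print(label, "->", audit_domain_map(cf) or "ok")
        print("   SQL sent:", expand_query(parse_cf(cf)["query"], "example.com"))
```

On a live server, `postmap -q example.com mysql:/etc/postfix/mysql/relay_domains.cf` runs the lookup through Postfix's own expansion, which running the SQL by hand in the database client does not.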

22

broth wrote:

BTW: While testing I noticed a weird behaviour when activating the option "Mark as backup MX" but leaving "Primary MX" empty:

Sounds like a bug of iRedAdmin-Pro. Could you reply with the real values you set in this "Backup MX" page so that I can reproduce the issue and fix it?

23

ZhangHuangbin wrote:

Sounds like a bug of iRedAdmin-Pro. Could you reply with the real values you set in this "Backup MX" page so that I can reproduce the issue and fix it?

Just enable "Mark as backup MX" but leave the field "Primary MX" empty.
When saving, it shows a success message but some settings are overwritten. The checkbox "Mark as backup MX" is getting unchecked afterwards.

24

broth wrote:

Just enable "Mark as backup MX" but leave the field "Primary MX" empty.
When saving, it shows a success message but some settings are overwritten. The checkbox "Mark as backup MX" is getting unchecked afterwards.

Currently, if you enable this domain as backup mx, iRedAdmin-Pro requires you to specify the primary mx.

So you want to let Postfix query DNS records to get the primary MX? In this case, the input field should be the backup mx domain name. I will update iRedAdmin-Pro to set this automatically.

25

ZhangHuangbin wrote:

So you want to let Postfix query DNS records to get the primary MX? In this case, the input field should be the backup mx domain name. I will update iRedAdmin-Pro to set this automatically.

Done. The primary mx will be set to same domain name ("relay:<domain>") in upcoming iRedAdmin-Pro release.