
I tried to upgrade Debian from 10 to 11 and everything got messed up. I'm trying to fix Postfix. I can receive emails but can't send; I get the error "554 5.7.1 Relay access denied".

My postfix configuration:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

inet_interfaces = all
inet_protocols = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = my.host.name.com, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_relay_restrictions = permit_sasl_authenticated
allow_percent_hack = no
smtpd_sasl_authenticated_header = yes

Dovecot configuration:

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol

dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf

auth_mechanisms = plain login
disable_plaintext_auth = no
mail_location = maildir:~/Maildir
mail_privileged_group = mail
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = pam
}
protocols = " imap pop3"
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </usr/share/dovecot/dh.pem
ssl_key = </etc/dovecot/private/dovecot.key
userdb {
driver = passwd
}

/var/log/mail.log

May 12 01:05:52 ns3777770 postfix/smtpd[33135]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 12 01:05:58 ns3777770 postfix/smtpd[33174]: connect from unknown[45.129.14.128]
May 12 01:06:00 ns3777770 postfix/smtpd[32936]: connect from unknown[45.129.14.173]
May 12 01:06:05 ns3777770 postfix/smtpd[33174]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure, [email protected]
May 12 01:06:05 ns3777770 postfix/smtpd[33174]: disconnect from unknown[45.129.14.128] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 12 01:06:07 ns3777770 postfix/smtpd[32936]: warning: unknown[45.129.14.173]: SASL LOGIN authentication failed: authentication failure, [email protected]
May 12 01:06:07 ns3777770 postfix/smtpd[32936]: disconnect from unknown[45.129.14.173] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
May 12 01:06:08 ns3777770 postfix/qmgr[996]: EC1FBE0428: from=<[email protected]>, size=1827, nrcpt=1 (queue active)
May 12 01:06:09 ns3777770 postfix/smtp[33224]: EC1FBE0428: host mx00.mail.com[74.208.5.20] refused to talk to me: 554-mail.com (mxgmxus010) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record. 554 For>
May 12 01:06:09 ns3777770 postfix/smtp[33224]: EC1FBE0428: to=<[email protected]>, relay=mx01.mail.com[74.208.5.22]:25, delay=258426, delays=258425/0.04/1/0, dsn=4.0.0, status=deferred (host mx01.mail.com[74.208.5.22] refused to t>
May 12 01:06:13 ns3777770 postfix/smtpd[33135]: connect from unknown[45.129.14.128]
May 12 01:06:16 ns3777770 postfix/anvil[1120]: statistics: max connection rate 5/60s for (smtp:45.129.14.128) at May 12 00:56:49
May 12 01:06:16 ns3777770 postfix/anvil[1120]: statistics: max connection count 1 for (smtp:45.129.14.128) at May 12 00:56:19
May 12 01:06:16 ns3777770 postfix/anvil[1120]: statistics: max cache size 3 at May 12 00:59:02

--------
May 13 05:50:57 ns3777770 postfix/smtpd[12345]: connect from unknown[138.135.223.27]
May 13 05:50:57 ns3777770 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[138.135.223.27]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<DESKTOP7>
May 13 05:50:58 ns3777770 postfix/smtpd[45467]: lost connection after AUTH from unknown[149.41.235.50]

I'm getting the 554 error in Outlook: right after sending the mail, it comes back to me with "we couldn't deliver your message to the following mails... 554 relay access denied...". This can be seen in the May 13 logs; I put the May 12 logs in as well, maybe they can help. Mails with "random" are not on my server; I guess hackers are trying to log in as well.

ldd /usr/sbin/postfix output:

        linux-vdso.so.1 (0x00006asd0)
        libpostfix-global.so => /usr/lib/postfix/libpostfix-global.so (0x00006asd4000)
        libpostfix-util.so => /usr/lib/postfix/libpostfix-util.so (0x000068asda8b000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x000068asd5d000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000685d5asd000)
        libdb-5.3.so => /usr/lib/x86_64-linux-gnu/libdb-5.3.so (0x000asdd516c9000)
        libnsl.so.2 => /usr/lib/x86_64-linux-gnu/libnsl.so.2 (0x00006asde000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x000068asd6a6000)
        libicuuc.so.67 => /usr/lib/x86_64-linux-gnu/libicuuc.so.67 (0x00asdd514bd000)
        /lib64/ld-linux-x86-64.so.2 (0x0000685dasd00)
        libtirpc.so.3 => /lib/x86_64-linux-gnu/libtirpc.so.3 (0x0000685dasd000)
        libicudata.so.67 => /usr/lib/x86_64-linux-gnu/libicudata.so.67 (0x000asdf974000)
        libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x000068asd000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x0000685d4asd)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x0000685dasd00)
        libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x000asd5f4000)
        libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x000068asd000)
        libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00006asd4ea000)
        libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x000068asde4000)
        libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0xasdf4d3000)
        libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00006asdc000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x0000685asd2000)

I don't see any SASL library in the output; does this mean Postfix is running without SASL?

EHLO output from telnet to port 25:

EHLO mydomain.com
250-ns3132324.ip-34-45-43.eu
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING

I appreciate any help!
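The two 554 messages in these logs travel in opposite directions: "Relay access denied" is issued by this server's own smtpd to a client that asked it to relay, while "refused to talk to me ... Bad DNS PTR" is a remote MX rejecting this server's outbound smtp client. The Python script below is an added example, not part of the question or of any answer: it classifies mail.log lines of those three shapes (relay denied, SASL failure, remote refusal) and summarizes them per client IP. The sample log is constructed, modelled on the lines quoted above (same IPs, queue id and HELO; the example.invalid mailboxes are placeholders).

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the question.
SAMPLE_LOG = """\
May 12 01:06:05 ns3777770 postfix/smtpd[33174]: warning: unknown[45.129.14.128]: SASL LOGIN authentication failed: authentication failure, guess@example.invalid
May 12 01:06:07 ns3777770 postfix/smtpd[32936]: warning: unknown[45.129.14.173]: SASL LOGIN authentication failed: authentication failure, guess@example.invalid
May 12 01:06:09 ns3777770 postfix/smtp[33224]: EC1FBE0428: host mx00.mail.com[74.208.5.20] refused to talk to me: 554-mail.com (mxgmxus010) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record.
May 13 05:50:57 ns3777770 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[138.135.223.27]: 554 5.7.1 <rcpt@example.invalid>: Relay access denied; from=<me@example.invalid> to=<rcpt@example.invalid> proto=ESMTP helo=<DESKTOP7>
May 13 05:50:58 ns3777770 postfix/smtpd[45467]: lost connection after AUTH from unknown[149.41.235.50]
"""

# Inbound: our smtpd refused to relay for an unauthenticated client.
RE_RELAY_DENIED = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<rdns>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"554 5\.7\.1 <[^>]*>: Relay access denied; from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
    r"(?: proto=\S+)?(?: helo=<(?P<helo>[^>]*)>)?"
)
# Inbound: a client tried AUTH against our smtpd and failed.
RE_SASL_FAILED = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<rdns>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)
# Outbound: a remote MX rejected our smtp client at connection time.
RE_REMOTE_REFUSED = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue>[0-9A-F]+): host (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\] "
    r"refused to talk to me: (?P<reason>.*)"
)


def classify(line):
    """Map one mail.log line to an event dict, or None if it is not of interest."""
    m = RE_RELAY_DENIED.search(line)
    if m:
        return {"kind": "relay_denied_by_us", **m.groupdict()}
    m = RE_SASL_FAILED.search(line)
    if m:
        return {"kind": "sasl_auth_failed", **m.groupdict()}
    m = RE_REMOTE_REFUSED.search(line)
    if m:
        ev = {"kind": "rejected_by_remote", **m.groupdict()}
        # A PTR complaint needs a DNS fix at the IP owner, not a Postfix change.
        ev["ptr_problem"] = "PTR" in ev["reason"]
        return ev
    return None


def triage(log_text):
    """Per-client counters for inbound rejects; a list of outbound refusals."""
    summary = {"relay_denied_by_us": Counter(),
               "sasl_auth_failed": Counter(),
               "rejected_by_remote": []}
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        if ev["kind"] == "rejected_by_remote":
            summary["rejected_by_remote"].append(ev)
        else:
            summary[ev["kind"]][ev["ip"]] += 1
    return summary


def report(summary):
    """Render the summary as one actionable line per finding."""
    lines = []
    for ip, n in summary["relay_denied_by_us"].most_common():
        lines.append(f"{ip}: {n} relay attempt(s) rejected by this server (client did not authenticate)")
    for ip, n in summary["sasl_auth_failed"].most_common():
        lines.append(f"{ip}: {n} failed AUTH attempt(s); consider rate limiting or fail2ban")
    for ev in summary["rejected_by_remote"]:
        why = "the reverse DNS (PTR) record of our sending IP" if ev["ptr_problem"] else "see reason"
        lines.append(f"{ev['host']} refused queue {ev['queue']}: fix {why}: {ev['reason'][:60]}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run it against a real `/var/log/mail.log` by replacing `SAMPLE_LOG` with the file contents; the "lost connection after AUTH" line is deliberately left unclassified to show that only the three decisive patterns are counted.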

  • "but can't send" - what does this mean? Do you get this from remote MTAs? From YOUR postfix instance?
    – symcbean
    Commented May 13 at 15:26
  • Show us raw Postfix logs with this 554 code.
    Commented May 13 at 15:29
  • @NikitaKipriyanov I added logs
    – Anarkie
    Commented May 13 at 21:40

2 Answers

2
+100

The line

May 12 01:06:09 ns3777770 postfix/smtp[33224]: EC1FBE0428: host mx00.mail.com[74.208.5.20] refused to talk to me: 554-mail.com (mxgmxus010) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record. 554 For>

was cut at the end, but it shows enough for us to see what happens. The IP address your mail server was connecting from has an invalid PTR (reverse DNS) record. You have to ask your IP address owner (e.g. hosting provider or ISP) to set up the record for you, and provide a valid value to them. (Likely the cut-off continuation of the line contained the precise IP that was used and that needs the PTR record.)

See here for details on how all the DNS and other configuration should be made consistent for email to work best.


The other 554 error was issued by your server:

May 13 05:50:57 ns3777770 postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[138.135.223.27]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<DESKTOP7>

That client was attempting to send mail outside without authentication (i.e. to relay their mail, but hadn't first confirmed who they are), and was denied access. Looks like a misconfigured or rogue client.


Speaking of authentication, the other log records hint that you have enabled authentication on the default smtpd service on port 25. Don't do that. Clients should be served by the dedicated submission service, and only that service should support authentication. That service can be enabled in master.cf; there are two variants (commented out in the stock configuration file): smtps, which uses static TLS on port 465, and submission, which is expected to have the STARTTLS command enabled and listens on port 587. Use either of them or both (won't hurt) and disable authentication on port 25; it should be dedicated to accepting mail from other servers, which will never authenticate to you.

  • The client (Outlook) settings are not changed and it was working fine until I upgraded my OS... I think I have overwritten configuration files but don't know really which one to change. Which file or software would be related to fixing the authentication for 554?
    – Anarkie
    Commented May 14 at 8:34
  • Can't answer such a question. The fact Outlook did not even attempt to authenticate may mean your Postfix doesn't present the supported options. Read the Postfix SASL readme to understand which Postfix options are related to this, and check your setup matches that. And test what Postfix's input looks like: telnet to your port 25 and issue EHLO some.valid.hostname (the same thing other systems do), and you'll see what authentication options it presents to them. Terminate the session with QUIT when you're done.
    Commented May 14 at 8:39
  • I see "250-AUTH PLAIN LOGIN", which is also in the conf (plain login)
    – Anarkie
    Commented May 14 at 14:49
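The answer's point about master.cf is easy to mis-apply: `smtpd_sasl_auth_enable = yes` in main.cf applies to every smtpd instance, so port 25 offers AUTH unless the `smtp` entry in master.cf overrides it with `-o smtpd_sasl_auth_enable=no`, and the submission/smtps entries need their own `-o smtpd_sasl_auth_enable=yes`. The Python below is an added example, not from the answer, the asker, or Postfix: a minimal parser for main.cf and master.cf text (no `postconf` needed, so it runs anywhere) plus an audit that reports which inet smtpd services end up with AUTH enabled and whether unauthenticated relaying is still rejected. `MAIN_CF_AS_POSTED` is the question's own relevant keys; the two master.cf texts are constructed, modelled on the layout of the stock Debian file, one with submission/smtps still commented out and one with the corrected layout.

```python
import re

# The asker's main.cf, reduced to the keys this audit reads (constructed subset).
MAIN_CF_AS_POSTED = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_relay_restrictions = permit_sasl_authenticated
"""

# Constructed master.cf: only port 25 enabled, submission/smtps still commented out.
MASTER_CF_AS_POSTED = """\
smtp      inet  n       -       y       -       -       smtpd
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
"""

# Constructed fix: AUTH forced off on port 25, on only for submission (587) and smtps (465).
MASTER_CF_FIXED = """\
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""


def parse_main_cf(text):
    """Parse 'key = value' lines; an indented line continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params


def parse_master_cf(text):
    """Return the enabled services: name, type, command and their '-o' overrides."""
    services, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():            # continuation line: "-o key=value"
            m = re.match(r"-o\s+([^=]+)=(.*)", raw.strip())
            if current is not None and m:
                current["overrides"][m.group(1).strip()] = m.group(2).strip()
            continue
        f = raw.split()                 # service type private unpriv chroot wakeup maxproc command
        current = {"name": f[0], "type": f[1], "command": f[7], "overrides": {}}
        services.append(current)
    return services


def audit(main_cf_text, master_cf_text):
    """Effective AUTH state per inet smtpd service, plus the open-relay check."""
    main = parse_main_cf(main_cf_text)
    global_auth = main.get("smtpd_sasl_auth_enable", "no")   # Postfix default is "no"
    auth_on = {}
    for svc in parse_master_cf(master_cf_text):
        if svc["type"] == "inet" and svc["command"] == "smtpd":
            # A master.cf "-o" override wins over the main.cf global for that service.
            auth_on[svc["name"]] = svc["overrides"].get("smtpd_sasl_auth_enable", global_auth) == "yes"
    lists = main.get("smtpd_relay_restrictions", "") + " " + main.get("smtpd_recipient_restrictions", "")
    return {
        "auth_on_port_25": auth_on.get("smtp", False),
        "submission_auth": auth_on.get("submission", False),
        "smtps_auth": auth_on.get("smtps", False),
        # Either restriction list rejecting unauthorised destinations closes the relay.
        "unauth_relay_rejected": bool(re.search(r"\b(reject|defer)_unauth_destination\b", lists)),
    }


if __name__ == "__main__":
    print("as posted:", audit(MAIN_CF_AS_POSTED, MASTER_CF_AS_POSTED))
    print("fixed:    ", audit(MAIN_CF_AS_POSTED, MASTER_CF_FIXED))
```

On a live box, feed it the output of `postconf -n` and `postconf -M` (or the raw files) to confirm that after editing master.cf the only smtpd services reporting AUTH are submission and smtps, and that `unauth_relay_rejected` stays true, which is what keeps the server from becoming an open relay once authentication is moved off port 25.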
0

After enabling verbose logging we were able to identify the problem: in /etc/postfix/sasl/smtpd.conf the line

saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux

was missing.
