Bootstrap FreeKB - Postfix (Email) - Resolve error '454 4.7.1 Relay access denied' when attempting to send a Postfix email
Postfix (Email) - Resolve error '454 4.7.1 Relay access denied' when attempting to send a Postfix email
Updated:   |  Postfix (Email) articles

When attempting to send an email using a Postfix email server, error 454 4.7.1 <username@example.com>: Relay access denied appears. This error can appear in a variety of different applications, such as a telnet session, OpenSSL session, or in Mozilla Thunderbird, just to name a few. Here is an example of the error in a telnet session.

[root@server1 ]# telnet mail.example.com 25
Trying 192.168.0.2
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com
EHLO example.com
220-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: test@example.com
250 2.1.0 OK
rcpt to: username@example.com
454 4.7.1 <username@example.com>: Relay access denied

 

Lets assume you have the following configuration in your /etc/postfix/main.cf file. With this configuration, a client will be permitted access to send emails using the Postfix server if the connection is authenticated (permit_sasl_authenticated) or if the client is using a computer that is part of permit_mynetworks.  Notice the prior example has 250-AUTH PLAIN LOGIN. This does not mean the connection was authenticated.

If mynetworks_style is host, when using telnet or OpenSSL on the Postfix email itself, there is no need to authenticate. However, if using any other computer, authentication is required. 

If mynetworks_style is subnet, every computer in the subnet would be allowed to connect to the Postifx server without authentication. It is best to resist the temptation to use subnet. Instead, it is best to use host and learn how to implement authorization.

mynetworks_style             = host

smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               reject_unauth_destination

 

Let's assume $mynetworks is 127.0.0.1, and a client computer in the network is being used. In this scenario, the client must authenticate to the Postfix server. To authenticate, we will use root's username and password. When authenticating, we will need to use root's password in Base64 encoded format. Use the following command to determine the Base64 version of root's password. The reason we use root and roots password is because /etc/dovecot/dovecot.conf is configured with user root.

[root@server ~]# perl -MMIME::Base64 -e \ 'print encode_base64("\0root\0roots_password");'
AHRlc3QAdGVzdDEyMzQ=

 

To authenticate, type AUTH LOGIN password in telnet.

[root@server1 ]# telnet mail.example.com 25
Trying 192.168.0.2
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com
EHLO example.com
220-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AHRlc3QAdGVzdDEyMzQ=
235 2.0.0 Authentication successful

 

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Comments


Add a Comment


Please enter 3a480f in the box below so that we can be sure you are a human.