Local web applications can't send external e-mails [Postfix]

#1 Post by dewced »

Hi everyone,
I am experiencing some issues with my SMTP server using ISPConfig. On external applications (Outlook, ...), SMTP is working fine, but when I try to use SMTP on a local web application (CRM System), it's not working. When I place the CRM on an external domain, SMTP is working fine...
I guess something isn't configured on my server to handle 'local' SMTP?
I can send e-mails perfectly to local mail addresses on the server, but external is a problem.
Any advice would be appreciated.
Thanks
Last edited by dewced on 2017-06-20 17:33, edited 1 time in total.

Re: Local web applications can't send external e-mails

#2 Post by dilberts_left_nut »

What do the logs say?
AdrianTM wrote:There's no hacker in my grandma...

#3 Post by dewced »

dilberts_left_nut wrote:What do the logs say?
Hi,

This is the error I get in the application when it tries to send a test e-mail to an external domain.
When I try e-mail addresses on the server itself, it works.
Thanks

Message failed to send
Error Message: Response from Server
220 mail.xxx.be ESMTP Postfix (Debian/GNU)

250-mail.xxx.be
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

250 2.1.0 Ok

554 5.7.1 : Relay access denied

250 2.0.0 Ok

#4 Post by dewced »

dewced wrote:
dilberts_left_nut wrote:What do the logs say?
Hi,

This is the error I get in the application when it tries to send a test e-mail to an external domain.
When I try e-mail addresses on the server itself, it works.
Thanks

Message failed to send
Error Message: Response from Server
220 mail.xxx.be ESMTP Postfix (Debian/GNU)

250-mail.xxx.be
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

250 2.1.0 Ok

554 5.7.1 : Relay access denied

250 2.0.0 Ok
This is my main.cf file

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

append_dot_mydomain

readme_directory = /usr/share/doc/postfix

mtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf reject_unauth_destination
myhostname = mail.domain.be
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = domain.be, localhost, localhost.localdomain
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
inet_protocols = all
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf reject_rbl_client zen.spamhaus.org reject_unknown_client_hostname
smtpd_tls_security_level = may
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf permit_mynetworks
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = dovecot
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
smtpd_tls_auth_only = yes
smtp_tls_loglevel = 1
tls_ssl_options = NO_COMPRESSION
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
message_size_limit = 0
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

#5 Post by reinob »

Code: Select all

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated check_recipient_access 
Unless the server connecting to the SMTP server belongs to the allowed networks (mynetworks) your only option is to use authenticated SMTP.

(EDIT: Note that your mynetworks = 127.0.0.0/8 [::1]/128, which means localhost. Your only option is authenticated SMTP).

After all, you don't want *anyone* using your SMTP to send spam, do you?
Just the slightest mistake, and you(r server) will be blacklisted before you can say "sasl" :)

#6 Post by dewced »

reinob wrote:

Code: Select all

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated check_recipient_access 
Unless the server connecting to the SMTP server belongs to the allowed networks (mynetworks) your only option is to use authenticated SMTP.

(EDIT: Note that your mynetworks = 127.0.0.0/8 [::1]/128, which means localhost. Your only option is authenticated SMTP).

After all, you don't want *anyone* using your SMTP to send spam, do you?
Just the slightest mistake, and you(r server) will be blacklisted before you can say "sasl" :)
Thanks for your reply. I am using authenticated SMTP on the web application. The web application itself is hosted on the same server as the SMTP.
It is just not relaying to external domains (when using the SMTP on the same server).
When I try the SMTP on any PC, smartphone, it just works.
So it looks like the SMTP on localhost is not relaying to external domains?
Any advice on this? Thanks!

#7 Post by dilberts_left_nut »

dewced wrote:I am using authenticated SMTP on the web application.
What makes you think that?
It's clearly not working.
AdrianTM wrote:There's no hacker in my grandma...

#8 Post by dewced »

dilberts_left_nut wrote:
dewced wrote:I am using authenticated SMTP on the web application.
What makes you think that?
It's clearly not working.
Oh yes, you're right..
In Outlook, SMTP works, using authenticated SMTP on port 587 - TLS..
So what can I do to fix the 'Relay Access Denied' error?

#9 Post by dilberts_left_nut »

Allow relay access?
AdrianTM wrote:There's no hacker in my grandma...

#10 Post by dewced »

dilberts_left_nut wrote:Allow relay access?
But when using SMTP on external environments, I need to authenticate + relaying works perfectly.
It's just on the SMTP server itself, on a web application hosted on the same server, that it won't allow relaying?
SMTP-auth is indeed not working on localhost, but everything seems well configured? :?:

#11 Post by reinob »

dewced wrote:
dilberts_left_nut wrote:Allow relay access?
But when using SMTP on external environments, I need to authenticate + relaying works perfectly.
It's just on the SMTP server itself, on a web application hosted on the same server, that it won't allow relaying?
SMTP-auth is indeed not working on localhost, but everything seems well configured? :?:
Without having more details, I will assume that your local application is not connecting directly to postfix using port 25 but rather using the submission port (587).

Please check your master.cf and post the relevant lines concerning the submission service.
Mine has, among others:

Code: Select all

-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
while in main.cf I have, for smtpd:

Code: Select all

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org,
        check_policy_service unix:private/policyd-spf
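
Added example (not part of the thread or any poster's code): a simplified Python model of the relay decision for the main.cf posted in #4, fed with the EHLO reply from post #3, which lists STARTTLS but no AUTH, consistent with `smtpd_tls_auth_only = yes`. Assumptions: the web application connected to the server's public address rather than 127.0.0.1, `203.0.113.10` is a constructed stand-in for such a client address, and the MySQL `check_recipient_access` lookup returns no match.

```python
import ipaddress

# EHLO reply from the failing session in post #3 (hostname masked as on the page)
EHLO_REPLY = """250-mail.xxx.be
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Values taken from the posted main.cf
MYNETWORKS = ["127.0.0.0/8", "::1/128"]
MYDESTINATION = {"domain.be", "localhost", "localhost.localdomain"}


def ehlo_keywords(reply):
    """Return the extension keywords of an EHLO reply (first line is the greeting)."""
    lines = reply.strip().splitlines()[1:]
    return {line[4:].split()[0].upper() for line in lines if len(line) > 4}


def diagnose_auth(reply):
    """Explain whether the client could have authenticated in this session."""
    kw = ehlo_keywords(reply)
    if "AUTH" in kw:
        return "AUTH offered: client can authenticate now"
    if "STARTTLS" in kw:
        return "AUTH hidden until STARTTLS (smtpd_tls_auth_only = yes)"
    return "no AUTH and no STARTTLS: authentication impossible"


def relay_decision(client_ip, authenticated, rcpt_domain):
    """Simplified walk through the posted smtpd_relay_restrictions, left to right."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in MYNETWORKS):
        return "permit (permit_mynetworks)"
    if authenticated:
        return "permit (permit_sasl_authenticated)"
    # Assumption: check_recipient_access (MySQL lookup) returns no match here
    if rcpt_domain.lower() in MYDESTINATION:
        return "permit (local destination)"
    return "554 5.7.1 Relay access denied"
```

An unauthenticated client outside `mynetworks` is permitted for `domain.be` but rejected for any external domain, which matches the symptoms reported in the thread.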
