How to Fix Postfix “Relay Access Denied” Error When Sending External Emails



When you encounter the "Relay access denied" error in Postfix, it means your mail server is refusing to relay messages to external domains. This is actually a security feature - by default, Postfix only allows relaying for authenticated users or from trusted networks.

From your main.cf file, I notice several relevant settings:

mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

The key issue here is that your mynetworks only includes localhost (127.0.0.0/8), which explains why:

  • Internal mail between user1@example.com and user2@example.com works
  • Receiving from external domains (like Gmail) works
  • Sending to external domains fails

Here are three approaches to solve this:

Option 1: Enable SMTP Authentication

Ensure your clients authenticate when sending mail. Your configuration already supports SASL auth via Dovecot:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

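Test authentication with the session below. AUTH LOGIN credentials are only base64-encoded, not encrypted, so a plain telnet session exposes them to anyone on the network path: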

telnet your.server.com 25
EHLO example.com
AUTH LOGIN
[base64-encoded username]
[base64-encoded password]

Option 2: Expand mynetworks Carefully

If you need to allow specific IPs to relay without auth (not recommended for security):

mynetworks = 127.0.0.0/8, 192.168.1.0/24, 203.0.113.5

Option 3: Add Additional Relay Controls

For more granular control, modify smtpd_recipient_restrictions:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/access,
    reject

Then create /etc/postfix/access. check_client_access looks up the connecting client's hostname and IP address in this table:

gmail.com     OK
yahoo.com     OK

Compile with:

postmap /etc/postfix/access

Check your mail logs in real-time:

tail -f /var/log/maillog | grep postfix

Test your configuration:

postconf -n
postfix check

Remember to reload Postfix after changes:

systemctl reload postfix

Be extremely cautious when modifying relay settings. An open relay can quickly get your server blacklisted. Always prefer SMTP authentication over IP-based relay permissions.

For production environments, consider adding these security measures:

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname

When configuring a Postfix mail server, one of the most common issues administrators face is the relay access denied error when attempting to send emails to external domains. This typically indicates your Postfix server is properly rejecting mail relay attempts that don't meet your configured security policies.

In your specific case, while internal mail delivery works fine (user1@example.com to user2@example.com) and receiving from external domains works, sending to external addresses like Gmail fails with:

NOQUEUE: reject: RCPT from unknown[(Server's IP)]: 454 4.7.1 : Relay access denied

The issue stems from your smtpd_recipient_restrictions settings in main.cf. Your current configuration:

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

This means Postfix will only allow relaying if:

  • The client IP matches mynetworks (127.0.0.0/8 in your case)
  • The client successfully authenticates via SASL
  • Otherwise, it rejects unauthorized destinations
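
The evaluation order described above can be modelled directly. This is an added Python example, not part of the original page or of Postfix itself; the client addresses and the LOCAL_DOMAINS set are constructed assumptions, and only the three restrictions from this main.cf are modelled.

```python
import ipaddress

# Constructed values mirroring the page's main.cf. LOCAL_DOMAINS is an
# assumption standing in for the domains this server accepts mail for.
MYNETWORKS = ["127.0.0.0/8"]
LOCAL_DOMAINS = {"example.com"}
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination"]

def evaluate(client_ip, authenticated, rcpt, restrictions=RESTRICTIONS,
             mynetworks=MYNETWORKS):
    """Walk the list left to right; the first restriction that decides wins."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in mynetworks):
                return ("PERMIT", name)
        elif name == "permit_sasl_authenticated":
            if authenticated:
                return ("PERMIT", name)
        elif name == "reject_unauth_destination":
            if domain not in LOCAL_DOMAINS:
                return ("REJECT", name)  # logged as "Relay access denied"
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return ("PERMIT", "end of list")     # no restriction objected

# (label, client IP, SASL-authenticated?, recipient); addresses are constructed.
CASES = [
    ("internal delivery",       "192.168.1.20", False, "user2@example.com"),
    ("inbound from outside",    "198.51.100.9", False, "user1@example.com"),
    ("outbound, no auth",       "192.168.1.20", False, "user@gmail.com"),
    ("outbound, authenticated", "192.168.1.20", True,  "user@gmail.com"),
    ("outbound from localhost", "127.0.0.1",    False, "user@gmail.com"),
]

if __name__ == "__main__":
    for label, ip, auth, rcpt in CASES:
        verdict, decided_by = evaluate(ip, auth, rcpt)
        print(f"{label:26} {verdict:7} ({decided_by})")
```

Only the unauthenticated outbound case is rejected, which matches the three symptoms listed earlier: a LAN client that does not authenticate is treated exactly like any outside host.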

First, verify if your SMTP authentication is working properly:

telnet yourserver.com 25
EHLO example.com
AUTH LOGIN
[Base64-encoded username]
[Base64-encoded password]
MAIL FROM: user1@example.com
RCPT TO: user@gmail.com

If authentication succeeds but you still get the relay error, we need to modify the restrictions.

Add permit_sasl_authenticated before reject_unauth_destination:

smtpd_recipient_restrictions = 
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

Ensure your Dovecot SASL authentication is properly set up in /etc/postfix/master.cf:

submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Verify your settings with:

postconf -n | grep smtpd_recipient_restrictions
postconf -n | grep mynetworks
postconf -n | grep smtpd_sasl_

After making changes, remember to reload Postfix:

systemctl reload postfix

Here's a tested configuration that works for both internal and external mail delivery:

# /etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination

Check your mail logs in real-time during testing:

tail -f /var/log/maillog | grep postfix/smtpd
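
When reading those rejections, it helps to separate your own clients that did not authenticate from outside hosts whose relay attempts Postfix correctly refused. The following Python code is an added example, not from the original page; the log lines are constructed in the usual smtpd format, and the own_networks range is an assumption you would replace with your real client networks.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format Postfix smtpd writes to the mail log.
SAMPLE_LOG = """\
Mar  3 10:15:01 mail postfix/smtpd[2101]: connect from unknown[192.168.1.20]
Mar  3 10:15:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.168.1.20]: 454 4.7.1 <user@gmail.com>: Relay access denied; from=<user1@example.com> to=<user@gmail.com> proto=ESMTP helo=<laptop>
Mar  3 10:19:44 mail postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[192.168.1.20]: 454 4.7.1 <user@gmail.com>: Relay access denied; from=<user1@example.com> to=<user@gmail.com> proto=ESMTP helo=<laptop>
Mar  3 11:02:13 mail postfix/smtpd[2140]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 454 4.7.1 <a@other.invalid>: Relay access denied; from=<b@probe.invalid> to=<a@other.invalid> proto=SMTP helo=<x>
"""

REJECT_RE = re.compile(
    r"postfix/\S*smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: "
    r"[45]\d\d \S+ <(?P<rcpt>[^>]*)>: Relay access denied; from=<(?P<sender>[^>]*)>"
)

def triage(log_text, own_networks):
    """Split relay rejections into own clients (need SASL) and outside hosts."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    own, outside = Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # skip entries without a parsable client address
            continue
        bucket = own if any(ip in n for n in nets) else outside
        bucket[(str(ip), m["sender"])] += 1
    return own, outside

if __name__ == "__main__":
    own, outside = triage(SAMPLE_LOG, ["192.168.1.0/24"])
    for (ip, sender), n in own.most_common():
        print(f"own client {ip} ({sender}): {n} rejected, configure SMTP AUTH")
    for (ip, sender), n in outside.most_common():
        print(f"outside host {ip} ({sender}): {n} relay attempts refused")
```

Entries in the first group point at mail clients that need SMTP authentication configured; entries in the second group are the relay protection doing its job and are not a reason to widen mynetworks.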

For more detailed debugging, increase the log level:

# /etc/postfix/main.cf
debug_peer_level = 2
debug_peer_list = example.com
# Verbose smtpd logging is enabled with -v on the smtpd line in master.cf;
# smtpd_verbose is not a main.cf parameter.