How to Fix Postfix Relay to Office365 “Client Does Not Have Permissions” Error



When configuring Postfix to relay emails through Office365, many administrators encounter the frustrating error:

550 5.7.1 Client does not have permissions to send as this sender

This occurs because Office365 enforces strict sender address matching between:

  • The MAIL FROM envelope address (SMTP protocol level)
  • The From: header address (message content level)
  • The authenticated SMTP username

Here's the complete working configuration that solves this issue:

# /etc/postfix/main.cf
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
relayhost = [smtp.office365.com]:587

# Critical sender rewriting
# sender_canonical contains a regular expression, so it is a regexp: table;
# a hash: table would treat /.+/ as a literal key and never match.
sender_canonical_maps = regexp:/etc/postfix/sender_canonical
sender_canonical_classes = envelope_sender,header_sender
smtp_generic_maps = hash:/etc/postfix/generic

Create these mapping files to ensure consistent sender addresses:

# /etc/postfix/sender_canonical
/.+/    youruser@yourdomain.com

# /etc/postfix/generic
@localhost   youruser@yourdomain.com
root@yourhostname   youruser@yourdomain.com
www-data@yourhostname   youruser@yourdomain.com

After creating these files, build the hash table (regexp: tables are read as plain text and need no postmap) and restart Postfix:

postmap /etc/postfix/generic
systemctl restart postfix

For PHP applications using mail(), ensure proper header configuration:

; Recommended php.ini setting
sendmail_path = "/usr/sbin/sendmail -t -i -f youruser@yourdomain.com"

// Alternative PHP code solution
// $to, $subject and $message are set by the application.
$headers = [
    'From' => 'Your Name <youruser@yourdomain.com>',
    'Reply-To' => 'youruser@yourdomain.com',
    'Return-Path' => 'youruser@yourdomain.com'
];
// The fifth argument passes -f to sendmail, which sets the envelope sender.
mail($to, $subject, $message, $headers, "-f youruser@yourdomain.com");

Add this line to main.cf to force the From: and Return-Path: headers to the authenticated address:

header_checks = regexp:/etc/postfix/header_checks

Then create /etc/postfix/header_checks with:

/^From:.*/ REPLACE From: Your Name <youruser@yourdomain.com>
/^Return-Path:.*/ REPLACE Return-Path: <youruser@yourdomain.com>

When setting up Postfix to relay emails through Office365, many administrators encounter authentication and sender validation issues. The specific error message you're seeing:

550 5.7.1 Client does not have permissions to send as this sender

indicates Office365's strict requirement that the authenticated user must match the sender address in both the SMTP envelope and message headers.

Here's a complete working configuration that addresses the sender rewriting requirement:

# /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no

# SMTP Relay to Office365
relayhost = [smtp.office365.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Sender Rewriting
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = hash:/etc/postfix/sender_canonical

# Security restrictions
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
mynetworks = 127.0.0.0/8 [::1]/128

The sender_canonical file must include all possible sender addresses that need rewriting:

# /etc/postfix/sender_canonical
@localhost           authenticated@yourdomain.com
root                authenticated@yourdomain.com
www-data            authenticated@yourdomain.com
nobody              authenticated@yourdomain.com

And the SASL credentials file:

# /etc/postfix/sasl_passwd
[smtp.office365.com]:587 authenticated@yourdomain.com:YourPassword

After making these changes, run these commands:

postmap /etc/postfix/sender_canonical
postmap /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd*
systemctl restart postfix

Test with a simple email:

echo "Test email" | mail -s "Postfix Test" recipient@example.com

If you still experience issues:

  1. Check mail logs: tail -f /var/log/mail.log
  2. Verify SASL authentication (--tls is required because the server only accepts AUTH after STARTTLS): swaks --server smtp.office365.com:587 --tls --auth LOGIN --auth-user authenticated@yourdomain.com
  3. Test sender rewriting: postmap -q "root" hash:/etc/postfix/sender_canonical
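
To go with step 1, the following added example (not part of the original article) pairs each 5.7.1 rejection in the mail log with the envelope sender of the same queue ID, so you can see which local senders still lack a rewrite entry. The log lines and queue IDs are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Log lines below are constructed.

# Print "queue_id envelope_sender" for every message the relay rejected with
# the 5.7.1 permission error. Reads Postfix log lines on stdin.
rejected_senders() {
    awk '
        # Queue ID is the token right after "postfix/<daemon>[pid]: ".
        function queue_id(line,    t) {
            t = line
            sub(/.*postfix\/[a-z]+\[[0-9]+\]: /, "", t)
            sub(/:.*/, "", t)
            return t
        }
        # qmgr logs the envelope sender as stored in the queue, i.e. after
        # sender_canonical_maps but before smtp_generic_maps is applied.
        /postfix\/qmgr\[/ && /from=</ {
            s = $0
            sub(/.*from=</, "", s)
            sub(/>.*/, "", s)
            sender[queue_id($0)] = s
        }
        # smtp logs the relay reply; report each rejected queue ID once.
        /postfix\/smtp\[/ && /5\.7\.1 Client does not have permissions/ {
            id = queue_id($0)
            if (id in seen) next
            seen[id] = 1
            print id, ((id in sender) ? sender[id] : "unknown")
        }
    '
}

# Constructed sample: two rejected local senders, one accepted message.
sample_log() {
    cat <<'EOF'
Jan 10 10:00:01 yourhostname postfix/qmgr[1201]: A1B2C3D4E5: from=<root@yourhostname>, size=512, nrcpt=1 (queue active)
Jan 10 10:00:03 yourhostname postfix/smtp[1210]: A1B2C3D4E5: to=<recipient@example.com>, relay=smtp.office365.com[203.0.113.10]:587, dsn=5.7.1, status=bounced (host smtp.office365.com[203.0.113.10] said: 550 5.7.1 Client does not have permissions to send as this sender (in reply to end of DATA command))
Jan 10 10:05:01 yourhostname postfix/qmgr[1201]: B2C3D4E5F6: from=<youruser@yourdomain.com>, size=498, nrcpt=1 (queue active)
Jan 10 10:05:02 yourhostname postfix/smtp[1211]: B2C3D4E5F6: to=<recipient@example.com>, relay=smtp.office365.com[203.0.113.10]:587, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 10:09:01 yourhostname postfix/qmgr[1201]: C3D4E5F6A7: from=<www-data@yourhostname>, size=730, nrcpt=1 (queue active)
Jan 10 10:09:04 yourhostname postfix/smtp[1212]: C3D4E5F6A7: to=<recipient@example.com>, relay=smtp.office365.com[203.0.113.10]:587, dsn=5.7.1, status=bounced (host smtp.office365.com[203.0.113.10] said: 550 5.7.1 Client does not have permissions to send as this sender (in reply to end of DATA command))
EOF
}

sample_log | rejected_senders
```

On a live system, feed it the real log instead of the sample, for example: rejected_senders < /var/log/mail.log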

For PHP applications, ensure your php.ini has:

sendmail_path = /usr/sbin/sendmail -t -i -f authenticated@yourdomain.com

This provides a fallback when the application doesn't specify a sender address.