The "Relay Access Denied" error (SMTP 554) occurs when Postfix refuses to relay mail to external domains, typically due to incorrect network restrictions or authentication settings. In your case, while internal domain emails work, external delivery fails with:
NOQUEUE: reject: RCPT from company.university.edu[111.111.11.11]:
554 5.7.1 : Relay access denied
Your current main.cf shows two critical limitations:
- mynetworks = 127.0.0.0/8 only allows localhost relaying
- Missing proper SASL authentication for remote clients
1. Network Whitelisting
For LAN access (quick fix):
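# /etc/postfix/main.cf
# Add your LAN subnet (main.cf does not allow a trailing comment on a value line)
mynetworks = 127.0.0.0/8, 192.168.1.0/24
# mynetworks_style is ignored once mynetworks is set explicitly
mynetworks_style = subnet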
2. SASL Authentication
For secure external access (recommended):
# Install SASL packages (these are the Cyrus SASL packages; smtpd_sasl_type = dovecot
# below additionally needs Dovecot installed and running)
sudo apt-get install libsasl2-modules sasl2-bin
# Configure Postfix
sudo postconf -e "smtpd_sasl_type = dovecot"
sudo postconf -e "smtpd_sasl_path = private/auth"
sudo postconf -e "smtpd_sasl_auth_enable = yes"
sudo postconf -e "smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"
3. Dovecot Integration (Example)
Create /etc/dovecot/conf.d/10-auth.conf:
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
Check real-time logs:
tail -f /var/log/mail.log | grep -E 'smtpd|auth'
Test SMTP authentication:
telnet mail.domain.com 25
EHLO client.example.com
AUTH PLAIN BASE64_ENCODED_CREDENTIALS
Final main.cf essentials:
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_security_level = may
The Postfix SMTP server is rejecting external email delivery with error 554 5.7.1 <email@gmail.com>: Relay access denied because of improper relay configuration. This typically occurs when:
- The client IP isn't in mynetworks
- SASL authentication isn't properly configured
- relay_domains isn't set for external domains
The current configuration shows several potential problems:
mynetworks = 127.0.0.0/8
mynetworks_style = host
mydestination = localhost, company
This restricts relaying to only localhost and the company domain, blocking external domains like gmail.com.
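The rejection can be reproduced with a small model of how smtpd walks smtpd_relay_restrictions. This is an added example, not Postfix code or part of the original page; it is a simplified model in which only mydestination authorizes a destination, and the recipient user@company and client 192.168.1.20 are constructed sample values.

```python
import ipaddress

def parse_list(value):
    """Split a main.cf list value on commas and whitespace."""
    return value.replace(",", " ").split()

def relay_decision(cfg, client_ip, sasl_authenticated, rcpt):
    """Walk smtpd_relay_restrictions for one RCPT TO; first decision wins.

    Simplified model (assumption): only the restrictions used on this page
    are handled, and a destination counts as authorized only when the
    recipient domain is listed in mydestination.
    """
    addr = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n) for n in parse_list(cfg["mynetworks"])]
    local = {d.lower() for d in parse_list(cfg["mydestination"])}
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for name in parse_list(cfg["smtpd_relay_restrictions"]):
        if name == "permit_mynetworks" and any(addr in n for n in nets):
            return ("permit", name)
        if name == "permit_sasl_authenticated" and sasl_authenticated:
            return ("permit", name)
        if name in ("reject_unauth_destination", "defer_unauth_destination"):
            if domain not in local:
                # reject_* is the permanent 554 5.7.1 reply; defer_* is temporary
                return (name.split("_")[0], name)
    return ("permit", "end of list")

# Constructed from the values shown on this page.
BEFORE = {
    "mynetworks": "127.0.0.0/8",
    "mydestination": "localhost, company",
    "smtpd_relay_restrictions":
        "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination",
}
LAN_FIX = dict(BEFORE, mynetworks="127.0.0.0/8, 192.168.1.0/24")

if __name__ == "__main__":
    cases = [
        (BEFORE, "111.111.11.11", False, "email@gmail.com"),  # the logged reject
        (BEFORE, "111.111.11.11", False, "user@company"),     # internal mail works
        (BEFORE, "111.111.11.11", True, "email@gmail.com"),   # after SASL login
        (LAN_FIX, "192.168.1.20", False, "email@gmail.com"),  # LAN client, no auth
    ]
    for cfg, ip, authed, rcpt in cases:
        print(ip, authed, rcpt, "->", relay_decision(cfg, ip, authed, rcpt))
```

The LAN case returns permit with no authentication at all: every address added to mynetworks can relay unauthenticated, so keep that range as narrow as possible and prefer SASL for anything outside it.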
To properly configure Postfix for both internal and external mail relay:
# Update network restrictions
mynetworks = 127.0.0.0/8, 192.168.0.0/24, [public-ip]/32
mynetworks_style = subnet
# Enable SASL authentication properly
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
# noplaintext disables the PLAIN and LOGIN mechanisms
smtpd_sasl_security_options = noanonymous,noplaintext
# Configure relay permissions (continuation lines must start with whitespace)
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    defer_unauth_destination
# Add TLS configuration (corrected from original)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may
After making changes, test with:
postfix reload
tail -f /var/log/mail.log
Then attempt to send an external email while monitoring logs. You should see SASL authentication succeed before the relay attempt.
If problems persist, check:
- SELinux/AppArmor permissions on the auth socket
- Firewall rules blocking port 587 (submission)
- Correct Dovecot SASL configuration
# Sample dovecot.conf SASL excerpt
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}