John King wrote:
> All,
>
> I am simply trying to setup a postfix server solution (Fedora 9 is the OS) to
> where I can host email for multiple email domains - similar to an ISP setup.
>
> I am quite familiar and comfortable with setting up most of the postfix
> elements and am setting them up using the virtual mailbox method where the
> mailboxes are located at /var/spool/vmail/domainname
>
> I can send email to all of the mailboxes but as soon as I try or a user tries
> to send email from their locations / iphones or wherever, the dreaded
> relay_denied errors start to happen.
>
> I am employing different setups based on this need from different
> documentation I have found and am now at the point where the errors state do
> not list domain xyz in both virtual_mailbox_domains and relay_domains.
>
> I need to know which elements of main.cf I need to change to accommodate what
> I am trying to achieve
>
>
You do not show a log example. The following advice is generalized because I don't know *what* rejected the message.

> here is the result of my postconf -n
> [snip]
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
> $nowsolweb1.com
>

Typo on "$nowsolweb1.com"? I also hope that it is not in your virtual_mailbox_domains

[snip]
> relay_domains = hash:/etc/postfix/relay_domains

No relay_recipient_maps? You can be a BackScatter source if you do not list who is valid.

> smtpd_recipient_restrictions = reject_non_fqdn_sender
> reject_unknown_sender_domain reject_rbl_client cbl.abuseat.org
> reject_rbl_client zen.spamhaus.org reject_rbl_client list.dsbl.org
> reject_rbl_client bl.spamcop.net reject_rbl_client dul.dnsbl.sorbs.net
> reject_rbl_client ipwhois.rfc-ignorant.org reject_rhsbl_sender
> dsn.rfc-ignorant.org reject_unverified_recipient
> permit_sasl_authenticated permit_mynetworks
> reject_unauth_destination check_policy_service inet:127.0.0.1:2501
>

Generally, this will deny lots of mail with the RBL checks coming before:
a) seeing if the mail is even yours (reject_unauth_destination)
b) if the clients authenticated
c) if it is in your network (a bit silly really)

Also, cbl is included in zen and dsbl.org is dead. In addition, probing blindly with reject_unverified_recipient can get you blacklisted.

Suggest:

smtpd_recipient_restrictions =
    check_recipient_access hash:/path/to/file,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:2501,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client ipwhois.rfc-ignorant.org,
    reject_rhsbl_sender dsn.rfc-ignorant.org

Note: rfc-ignorant.org is seen by some as a bit too strict. It is better to score it.

/path/to/file:
#put your virtual_mailbox domains in here
example.com reject_unverified_recipient
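
Added example, not part of the original thread and not code from either poster: a small Python check that applies the points raised in the reply above (DNSBL lookups ahead of the trust and relay checks, cbl duplicated by zen, the dead dsbl.org zone, blanket reject_unverified_recipient) to a smtpd_recipient_restrictions value. The function names and the TAKES_ARG subset are assumptions of this sketch; the two sample values are copied from the thread.

```python
import re

# Checks that establish "client is trusted" or "mail is for us".
GATES = ("permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination")
DNSBL = ("reject_rbl_client", "reject_rhsbl_sender")
# Restrictions followed by an argument (assumed subset, enough for this thread).
TAKES_ARG = set(DNSBL) | {"check_policy_service", "check_recipient_access"}

# Sample values copied from the thread: the original list and the suggested one.
ORIGINAL = """reject_non_fqdn_sender reject_unknown_sender_domain
 reject_rbl_client cbl.abuseat.org reject_rbl_client zen.spamhaus.org
 reject_rbl_client list.dsbl.org reject_rbl_client bl.spamcop.net
 reject_rbl_client dul.dnsbl.sorbs.net reject_rbl_client ipwhois.rfc-ignorant.org
 reject_rhsbl_sender dsn.rfc-ignorant.org reject_unverified_recipient
 permit_sasl_authenticated permit_mynetworks reject_unauth_destination
 check_policy_service inet:127.0.0.1:2501"""
SUGGESTED = """check_recipient_access hash:/path/to/file, permit_mynetworks,
 permit_sasl_authenticated, reject_unauth_destination,
 check_policy_service inet:127.0.0.1:2501, reject_rbl_client zen.spamhaus.org,
 reject_rbl_client bl.spamcop.net, reject_rbl_client dul.dnsbl.sorbs.net,
 reject_rbl_client ipwhois.rfc-ignorant.org, reject_rhsbl_sender dsn.rfc-ignorant.org"""

def parse(value):
    """Split a comma/whitespace separated restriction list into (name, arg) pairs."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    items, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name in TAKES_ARG and i + 1 < len(tokens):
            arg, i = tokens[i + 1], i + 1
        items.append((name, arg))
        i += 1
    return items

def lint(value):
    """Return findings for the ordering and list problems named in the reply."""
    items = parse(value)
    names = [n for n, _ in items]
    findings = []
    first_dnsbl = next((i for i, n in enumerate(names) if n in DNSBL), None)
    for gate in GATES:
        if first_dnsbl is not None and gate in names and names.index(gate) > first_dnsbl:
            findings.append(f"DNSBL lookup runs before {gate}")
    zones = {a for n, a in items if n == "reject_rbl_client"}
    if {"cbl.abuseat.org", "zen.spamhaus.org"} <= zones:
        findings.append("cbl.abuseat.org is already included in zen.spamhaus.org")
    if "list.dsbl.org" in zones:
        findings.append("list.dsbl.org is dead")
    if "reject_unverified_recipient" in names:
        findings.append("reject_unverified_recipient probes for every recipient")
    return findings
```

Running `lint(ORIGINAL)` lists six findings, while `lint(SUGGESTED)` returns none because the recipient probe there is scoped to the hosted domains through the check_recipient_access map.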