Fixing Postfix “Relay access denied”

One of the earliest self-hosted services I set up was a Nextcloud personal cloud server. I set it up directly on the server machine, no Docker containers, no snap package, just a straight LAMP stack with Ubuntu Server GNU/Linux, Apache web server, PHP, and MariaDB. Around the same time I also set up Postfix to send out email notifications regarding upgrades and such.

More recently, I have set up several Docker services for things like Gitea and Vaultwarden. These services run on the same server as the Nextcloud instance, but I initially had trouble getting them to work with Postfix to send out email notifications. When I started to dig into it, I found that my mail logs in /var/log/mail.log were reporting the following error when receiving a connection from my container-based services:

NOQUEUE: reject: RCPT from unknown[172.18.0.2]: 454 4.7.1 <user@email.com>: Relay access denied; from=<noreply@domain.com> to=<user@email.com> proto=ESMTP helo=<hostname>

As it turns out, the default Postfix configuration only allows email submissions from certain loopback network addresses. Docker containers (at least on Linux systems) communicate with the host via a network in the RFC 1918 Class B private network address space (172.16.0.0/12), hence the 172.18.0.2 IP address above.

Postfix determines what networks to accept email submissions from via the mynetworks parameter in /etc/postfix/main.cf. By default this parameter has the following contents:

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

127.0.0.0/8 is a reserved address space in IPv4 for loopback addresses. Similarly, ::1/128 is the IPv6 loopback address. Clearly, the RFC 1918 Class B private network address space does not fall into the above. Since private network traffic is not routable via the public internet, there are few security concerns with simply adding the whole Class B address space to the mynetworks parameter. Keep in mind that every client in mynetworks is allowed to relay mail through the server without authenticating, and that now includes any container whose address falls in that range. If you are on a large corporate network or in a similar situation, more precautions might be warranted to ensure your Postfix server does not accept spurious submissions. Changing the mynetworks parameter and restarting the Postfix server did the trick for me.

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12
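To check a rejected client against a mynetworks value before editing main.cf, the following Python sketch (an added example, not from the original post) parses the log line and the two mynetworks values shown above and reports which entry, if any, covers the client and how many IPv4 addresses each value trusts. It handles plain CIDR entries only, and the 172.18.0.0/16 bridge subnet is an assumption used for comparison.

```python
import ipaddress
import re

# Values copied from the post above.
DEFAULT = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"
FIXED = DEFAULT + " 172.16.0.0/12"
LOG_LINE = ("NOQUEUE: reject: RCPT from unknown[172.18.0.2]: 454 4.7.1 "
            "<user@email.com>: Relay access denied; from=<noreply@domain.com> "
            "to=<user@email.com> proto=ESMTP helo=<hostname>")
# Assumption: the subnet of one Docker bridge network, for comparison only.
ASSUMED_BRIDGE = "172.18.0.0/16"

REJECT_RE = re.compile(
    r"reject: RCPT from \S*?\[([0-9A-Fa-f:.]+)\]: .*Relay access denied")


def rejected_client(line):
    """Return the client address of a 'Relay access denied' line, else None."""
    m = REJECT_RE.search(line)
    return ipaddress.ip_address(m.group(1)) if m else None


def parse_mynetworks(value):
    """Parse plain CIDR entries; Postfix writes IPv6 as [addr]/len."""
    entries = re.split(r"[,\s]+", value.strip())
    return [ipaddress.ip_network(e.replace("[", "").replace("]", ""),
                                 strict=False)
            for e in entries if e]


def matching_network(client, networks):
    """Return the first network that contains client, or None."""
    return next((n for n in networks if client in n), None)


def trusted_ipv4_addresses(networks):
    """Count IPv4 addresses trusted to relay (entries assumed non-overlapping)."""
    return sum(n.num_addresses for n in networks if n.version == 4)


if __name__ == "__main__":
    client = rejected_client(LOG_LINE)
    for label, value in (("default", DEFAULT), ("post's fix", FIXED),
                         ("narrower", DEFAULT + " " + ASSUMED_BRIDGE)):
        nets = parse_mynetworks(value)
        print(label, "| match:", matching_network(client, nets),
              "| trusted IPv4 addresses:", trusted_ipv4_addresses(nets))
```
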
