Need email server aid

[Preston Hagar]

On Wed, Apr 21, 2010 at 6:18 PM, Chuck Kuecker <ckuecker at ckent.org> wrote:
> smtpd_recipient_restrictions = reject_unknown_sender_domain,
> reject_unknown_recipient_domain,        reject_unauth_pipelining,
> permit_mynetworks,      permit_sasl_authenticated,      reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> mail.log:
>
> Apr 21 17:01:40 ckenterprises postfix/smtpd[24088]: NOQUEUE: reject:
> RCPT from mail.ckent.org[66.254.194.29]: 554 5.7.1
> <addr at dest.com>: Relay access denied; from=<device at ckent.org>
> to=<addr at dest.com> proto=SMTP helo=<ckent.org>
> Apr 21 17:01:40 ckenterprises postfix/smtpd[24088]: disconnect from
>
>
> Chuck
>
> mail.ckent.org[66.254.194.29]
>


Others have had good suggestions and if you are already working them I
would continue, but I would see two things to try:

1st, in your smtpd_recipient_restrictions, put permit_mynetworks
first, followed by permit_sasl_authenticated.  I am sure I will get
blased by some for this, but if you can properly restrict your
"mynetworks" only to machines that should be sending email, then it
shouldn't be a real issue.  I guess you do have to worry about a virus
on a Windows machine sending out spam using your postfix machine.
Anyway, the main point here is that smtpd_recipient_restrictions is
processed in order.  The first rule that matches, wins, so it could be
that your email that is going wrong is matching one of the reject
rules before it even gets to the permit_mynetworks:

http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions

Secondly, (and I am pretty sure others have mentioned this), it looks
like your client is using the external IP for your mailserver.  If
they are on the same LAN, either just use the internal IP address for
the email server hostname (easy solution), or setup a split horizon
DNS server (much more complicated) that will resolve your mail
server's hostname to the internal IP for your LAN.

Hope this helps,

 Preston