[GH-ISSUE #607] [SelfHosted] 454 4.7.1 Relay access denied #999

Closed
opened 2026-03-14 11:25:54 +03:00 by kerem · 8 comments
Owner

Originally created by @andre-paulo98 on GitHub (Mar 3, 2024).
Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/607

Hey there!

Tried selfhosting Addy and I'm running into an issue with sending the verification emails.

Here's /var/log/mail.log:

Mar  3 01:33:30 mail postfix/smtpd[2430]: connect from mail.mydomain.com[x.y.z.w]
Mar  3 01:33:30 mail postfix/smtpd[2430]: Anonymous TLS connection established from mail.mydomain.com[x.y.z.w]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Mar  3 01:33:30 mail postfix/smtpd[2430]: NOQUEUE: reject: RCPT from mail.mydomain.com[x.y.z.w]: 454 4.7.1 <test-abcdefghj@srv1.mail-tester.com>: Relay access denied; from=<b_gq2dkmdepbvxiolwmfyq_mvtdinzshaywm@mydomain.com> to=<test-abcdefghj@srv1.mail-tester.com> proto=ESMTP helo=<mail.mydomain.com>
Mar  3 01:33:31 mail postfix/smtpd[2431]: connect from mail.mydomain.com[x.y.z.w]
Mar  3 01:33:31 mail postfix/smtpd[2431]: Anonymous TLS connection established from mail.mydomain.com[x.y.z.w]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Mar  3 01:33:31 mail postfix/smtpd[2431]: NOQUEUE: reject: RCPT from mail.mydomain.com[x.y.z.w]: 454 4.7.1 <test-abcdefghj@srv1.mail-tester.com>: Relay access denied; from=<b_gj4xcmtonq2xsmbxpf2q_gfswkzrzgjqtq@mydomain.com> to=<test-abcdefghj@srv1.mail-tester.com> proto=ESMTP helo=<mail.mydomain.com>
Mar  3 01:33:31 mail postfix/smtpd[2433]: connect from mail.mydomain.com[x.y.z.w]
Mar  3 01:33:31 mail postfix/smtpd[2433]: Anonymous TLS connection established from mail.mydomain.com[x.y.z.w]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
Mar  3 01:33:31 mail postfix/smtpd[2433]: NOQUEUE: reject: RCPT from mail.mydomain.com[x.y.z.w]: 454 4.7.1 <test-abcdefghj@srv1.mail-tester.com>: Relay access denied; from=<b_gy3wcolmgrzxq23gmn4q_hbsdknbzgyyti@mydomain.com> to=<test-abcdefghj@srv1.mail-tester.com> proto=ESMTP helo=<mail.mydomain.com>

I'm trying to send the verification email to https://www.mail-tester.com/ without much success.
I tried to send a email with the command echo "body of the email" | mail -s "subject" "test-abcdefghj@srv1.mail-tester.com" and it works just fine:

Mar  3 01:38:08 mail postfix/pickup[1892]: 65BB340C39: uid=0 from=<root>
Mar  3 01:38:08 mail postfix/cleanup[2473]: 65BB340C39: message-id=<20240303013808.65BB340C39@mail.mydomain.com>
Mar  3 01:38:08 mail postfix/qmgr[1893]: 65BB340C39: from=<root@mydomain.com>, size=462, nrcpt=1 (queue active)
Mar  3 01:38:08 mail postfix/smtp[2474]: Trusted TLS connection established to reception.mail-tester.com[94.23.206.89]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 01:38:09 mail postfix/smtp[2474]: 65BB340C39: to=<test-abcdefghj@srv1.mail-tester.com>, relay=reception.mail-tester.com[94.23.206.89]:25, delay=0.94, delays=0.17/0.02/0.31/0.45, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3198FA0A6B)
Mar  3 01:38:09 mail postfix/qmgr[1893]: 65BB340C39: removed
my .env
APP_NAME=addy.mydomain.com
APP_ENV=production
APP_KEY=secret
APP_DEBUG=false
APP_LOG_LEVEL=debug
# The URL of the addy.io instance, can be anything you like e.g. https://aa.example.com, or just https://example.com, if using a non-standard port you must include it e.g. https://example.test:8000. Do not include a trailing slash '/'
APP_URL=https://addy.mydomain.com

LOG_CHANNEL=stack

DB_CONNECTION=mysql
DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=anonaddy_database
DB_USERNAME=anonaddy
DB_PASSWORD=password

BROADCAST_DRIVER=log
CACHE_DRIVER=redis
QUEUE_CONNECTION=redis
SESSION_DRIVER=redis
SESSION_LIFETIME=10080
SESSION_SECURE_COOKIE=true
SAME_SITE_COOKIES=lax

REDIS_CLIENT=phpredis
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=password
REDIS_PORT=6379

# The from name to be used for outgoing email notifications from addy.io
MAIL_FROM_NAME=Addy
# The from address to be used for outgoing email notifications from addy.io
MAIL_FROM_ADDRESS=mailer@mydomain.com
MAIL_DRIVER=smtp
MAIL_HOST=mail.mydomain.com
MAIL_PORT=25
MAIL_ENCRYPTION=tls
MAIL_EHLO_DOMAIN=mail.mydomain.com
MAIL_VERIFY_PEER=true

# The SMTP FROM address to be used if the alias address cannot be, e.g. for a custom domain that is not verified for sending
ANONADDY_RETURN_PATH=mailer@mydomain.com
# This allows you to receive emails as a catch-all at the apex domain e.g. *@example.com
ANONADDY_ADMIN_USERNAME=user-addy
ANONADDY_ENABLE_REGISTRATION=false
ANONADDY_DOMAIN=mydomain.com
ANONADDY_HOSTNAME=mail.mydomain.com
ANONADDY_DNS_RESOLVER=127.0.0.1
ANONADDY_ALL_DOMAINS=mydomain.com
# Used for verifying custom domains and variable envelope return paths, can be anything e.g. 64U64QcpgWHAZPyr4nN58kDGvwj9TkKMGyuXcjMFA7CdhTDy2f
ANONADDY_SECRET=password
# Number of emails that can be forwarded through the service per hour by any one user
ANONADDY_LIMIT=200
# Monthly bandwidth limit, default 100MB
ANONADDY_BANDWIDTH_LIMIT=104857600
# Limit on how many new aliases can be created per hour, default 100
ANONADDY_NEW_ALIAS_LIMIT=100
# Limit on the number of additional usernames that can be added, default 10
ANONADDY_ADDITIONAL_USERNAME_LIMIT=10
# Fingerprint of the private key that you generated on the server to be used to sign encrypted forwarded emails
ANONADDY_SIGNING_KEY_FINGERPRINT=
# This is only needed if you will be adding any custom domains. If you do not need it then leave it blank. ANONADDY_DKIM_SIGNING_KEY=/etc/opendkim/keys/example.com/default.private
ANONADDY_DKIM_SIGNING_KEY=/var/lib/rspamd/dkim/mydomain.com.default.key
ANONADDY_DKIM_SELECTOR=default

Thanks in advance!

Originally created by @andre-paulo98 on GitHub (Mar 3, 2024). Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/607 Hey there! Tried selfhosting Addy and I'm running into an issue with sending the verification emails. Here's `/var/log/mail.log`: ``` Mar 3 01:33:30 mail postfix/smtpd[2430]: connect from mail.mydomain.com[x.y.z.w] Mar 3 01:33:30 mail postfix/smtpd[2430]: Anonymous TLS connection established from mail.mydomain.com[x.y.z.w]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 Mar 3 01:33:30 mail postfix/smtpd[2430]: NOQUEUE: reject: RCPT from mail.mydomain.com[x.y.z.w]: 454 4.7.1 <test-abcdefghj@srv1.mail-tester.com>: Relay access denied; from=<b_gq2dkmdepbvxiolwmfyq_mvtdinzshaywm@mydomain.com> to=<test-abcdefghj@srv1.mail-tester.com> proto=ESMTP helo=<mail.mydomain.com> Mar 3 01:33:31 mail postfix/smtpd[2431]: connect from mail.mydomain.com[x.y.z.w] Mar 3 01:33:31 mail postfix/smtpd[2431]: Anonymous TLS connection established from mail.mydomain.com[x.y.z.w]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 Mar 3 01:33:31 mail postfix/smtpd[2431]: NOQUEUE: reject: RCPT from mail.mydomain.com[x.y.z.w]: 454 4.7.1 <test-abcdefghj@srv1.mail-tester.com>: Relay access denied; from=<b_gj4xcmtonq2xsmbxpf2q_gfswkzrzgjqtq@mydomain.com> to=<test-abcdefghj@srv1.mail-tester.com> proto=ESMTP helo=<mail.mydomain.com> Mar 3 01:33:31 mail postfix/smtpd[2433]: connect from mail.mydomain.com[x.y.z.w] Mar 3 01:33:31 mail postfix/smtpd[2433]: Anonymous TLS connection established from mail.mydomain.com[x.y.z.w]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 Mar 3 01:33:31 mail postfix/smtpd[2433]: NOQUEUE: reject: RCPT from mail.mydomain.com[x.y.z.w]: 454 4.7.1 <test-abcdefghj@srv1.mail-tester.com>: Relay access denied; from=<b_gy3wcolmgrzxq23gmn4q_hbsdknbzgyyti@mydomain.com> to=<test-abcdefghj@srv1.mail-tester.com> proto=ESMTP helo=<mail.mydomain.com> ``` I'm trying to send the verification email to https://www.mail-tester.com/ without much success. I tried to send a email with the command `echo "body of the email" | mail -s "subject" "test-abcdefghj@srv1.mail-tester.com"` and it works just fine: ``` Mar 3 01:38:08 mail postfix/pickup[1892]: 65BB340C39: uid=0 from=<root> Mar 3 01:38:08 mail postfix/cleanup[2473]: 65BB340C39: message-id=<20240303013808.65BB340C39@mail.mydomain.com> Mar 3 01:38:08 mail postfix/qmgr[1893]: 65BB340C39: from=<root@mydomain.com>, size=462, nrcpt=1 (queue active) Mar 3 01:38:08 mail postfix/smtp[2474]: Trusted TLS connection established to reception.mail-tester.com[94.23.206.89]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Mar 3 01:38:09 mail postfix/smtp[2474]: 65BB340C39: to=<test-abcdefghj@srv1.mail-tester.com>, relay=reception.mail-tester.com[94.23.206.89]:25, delay=0.94, delays=0.17/0.02/0.31/0.45, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3198FA0A6B) Mar 3 01:38:09 mail postfix/qmgr[1893]: 65BB340C39: removed ``` <details> <summary>my .env</summary> ``` APP_NAME=addy.mydomain.com APP_ENV=production APP_KEY=secret APP_DEBUG=false APP_LOG_LEVEL=debug # The URL of the addy.io instance, can be anything you like e.g. https://aa.example.com, or just https://example.com, if using a non-standard port you must include it e.g. https://example.test:8000. Do not include a trailing slash '/' APP_URL=https://addy.mydomain.com LOG_CHANNEL=stack DB_CONNECTION=mysql DB_HOST=localhost DB_PORT=3306 DB_DATABASE=anonaddy_database DB_USERNAME=anonaddy DB_PASSWORD=password BROADCAST_DRIVER=log CACHE_DRIVER=redis QUEUE_CONNECTION=redis SESSION_DRIVER=redis SESSION_LIFETIME=10080 SESSION_SECURE_COOKIE=true SAME_SITE_COOKIES=lax REDIS_CLIENT=phpredis REDIS_HOST=127.0.0.1 REDIS_PASSWORD=password REDIS_PORT=6379 # The from name to be used for outgoing email notifications from addy.io MAIL_FROM_NAME=Addy # The from address to be used for outgoing email notifications from addy.io MAIL_FROM_ADDRESS=mailer@mydomain.com MAIL_DRIVER=smtp MAIL_HOST=mail.mydomain.com MAIL_PORT=25 MAIL_ENCRYPTION=tls MAIL_EHLO_DOMAIN=mail.mydomain.com MAIL_VERIFY_PEER=true # The SMTP FROM address to be used if the alias address cannot be, e.g. for a custom domain that is not verified for sending ANONADDY_RETURN_PATH=mailer@mydomain.com # This allows you to receive emails as a catch-all at the apex domain e.g. *@example.com ANONADDY_ADMIN_USERNAME=user-addy ANONADDY_ENABLE_REGISTRATION=false ANONADDY_DOMAIN=mydomain.com ANONADDY_HOSTNAME=mail.mydomain.com ANONADDY_DNS_RESOLVER=127.0.0.1 ANONADDY_ALL_DOMAINS=mydomain.com # Used for verifying custom domains and variable envelope return paths, can be anything e.g. 64U64QcpgWHAZPyr4nN58kDGvwj9TkKMGyuXcjMFA7CdhTDy2f ANONADDY_SECRET=password # Number of emails that can be forwarded through the service per hour by any one user ANONADDY_LIMIT=200 # Monthly bandwidth limit, default 100MB ANONADDY_BANDWIDTH_LIMIT=104857600 # Limit on how many new aliases can be created per hour, default 100 ANONADDY_NEW_ALIAS_LIMIT=100 # Limit on the number of additional usernames that can be added, default 10 ANONADDY_ADDITIONAL_USERNAME_LIMIT=10 # Fingerprint of the private key that you generated on the server to be used to sign encrypted forwarded emails ANONADDY_SIGNING_KEY_FINGERPRINT= # This is only needed if you will be adding any custom domains. If you do not need it then leave it blank. ANONADDY_DKIM_SIGNING_KEY=/etc/opendkim/keys/example.com/default.private ANONADDY_DKIM_SIGNING_KEY=/var/lib/rspamd/dkim/mydomain.com.default.key ANONADDY_DKIM_SELECTOR=default ``` </details> Thanks in advance!
kerem closed this issue 2026-03-14 11:25:59 +03:00
Author
Owner

@willbrowningme commented on GitHub (Mar 13, 2024):

Is this issue the same when sending to all email addresses or just the ones on mail-tester?

<!-- gh-comment-id:1994550410 --> @willbrowningme commented on GitHub (Mar 13, 2024): Is this issue the same when sending to all email addresses or just the ones on mail-tester?
Author
Owner

@andre-paulo98 commented on GitHub (Mar 13, 2024):

Seems like all email addresses (I tried outlook and gmail)

<!-- gh-comment-id:1995379332 --> @andre-paulo98 commented on GitHub (Mar 13, 2024): Seems like all email addresses (I tried outlook and gmail)
Author
Owner

@willbrowningme commented on GitHub (Mar 15, 2024):

What do you have set for:

myhostname = 
mydomain = 
virtual_mailbox_domains = 

mynetworks = 

in your /etc/postfix/main.cf file?

<!-- gh-comment-id:1999357319 --> @willbrowningme commented on GitHub (Mar 15, 2024): What do you have set for: ``` myhostname = mydomain = virtual_mailbox_domains = mynetworks = ``` in your `/etc/postfix/main.cf` file?
Author
Owner

@andre-paulo98 commented on GitHub (Mar 15, 2024):

What do you have set for:

myhostname = 
mydomain = 
virtual_mailbox_domains = 

mynetworks = 

in your /etc/postfix/main.cf file?

myhostname = mail.mydomain.com
mydomain = mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname

mydestination = localhost.mydomain.com, localhost

virtual_transport = anonaddy:
virtual_mailbox_domains = $mydomain, unsubscribe.$mydomain, mysql:/etc/postfix/mysql-virtual-alias-domains-and-subdomains.cf

relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
<!-- gh-comment-id:2000337298 --> @andre-paulo98 commented on GitHub (Mar 15, 2024): > What do you have set for: > > ``` > myhostname = > mydomain = > virtual_mailbox_domains = > > mynetworks = > ``` > > in your `/etc/postfix/main.cf` file? ``` myhostname = mail.mydomain.com mydomain = mydomain.com alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = localhost.mydomain.com, localhost virtual_transport = anonaddy: virtual_mailbox_domains = $mydomain, unsubscribe.$mydomain, mysql:/etc/postfix/mysql-virtual-alias-domains-and-subdomains.cf relayhost = mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 ```
Author
Owner

@andre-paulo98 commented on GitHub (Mar 15, 2024):

I also just checked the files mentioned and they are all -rw-r--r-- instead of /etc/postfix/mysql-virtual-alias-domains-and-subdomains.cf which is -rw-r----- 1 root postfix

<!-- gh-comment-id:2000341392 --> @andre-paulo98 commented on GitHub (Mar 15, 2024): I also just checked the files mentioned and they are all `-rw-r--r--` instead of `/etc/postfix/mysql-virtual-alias-domains-and-subdomains.cf` which is `-rw-r----- 1 root postfix`
Author
Owner

@willbrowningme commented on GitHub (Mar 15, 2024):

Try adding your server's IP address to the end of mynetworks and then restarting Postfix.

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 x.y.z/32

Where x.y.z is your IPv4 address, you may also need to add the IPv6 if you have that enabled.

<!-- gh-comment-id:2000408568 --> @willbrowningme commented on GitHub (Mar 15, 2024): Try adding your server's IP address to the end of `mynetworks` and then restarting Postfix. ``` mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 x.y.z/32 ``` Where x.y.z is your IPv4 address, you may also need to add the IPv6 if you have that enabled.
Author
Owner

@andre-paulo98 commented on GitHub (Mar 15, 2024):

That seems to have worked.
Added both IPv4 and IPv6 to that seemed to fix it.

Is this just saying what the IPs are allowed to send emails?

<!-- gh-comment-id:2000469443 --> @andre-paulo98 commented on GitHub (Mar 15, 2024): That seems to have worked. Added both IPv4 and IPv6 to that seemed to fix it. Is this just saying what the IPs are allowed to send emails?
Author
Owner

@willbrowningme commented on GitHub (Mar 16, 2024):

Check the "What clients to relay mail from" section here for more details - https://www.postfix.org/BASIC_CONFIGURATION_README.html

<!-- gh-comment-id:2001920488 --> @willbrowningme commented on GitHub (Mar 16, 2024): Check the "What clients to relay mail from" section here for more details - [https://www.postfix.org/BASIC_CONFIGURATION_README.html](https://www.postfix.org/BASIC_CONFIGURATION_README.html)
Sign in to join this conversation.
No labels
bug
pull-request
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/anonaddy#999
No description provided.