Postfix Relay access Denied

I have tried for 2 weeks to fix this and am loosing the will to live so any help will be gratefully received.

Postfix and Dovecot are running on my Centos 5 box. Sending and receiving emails using Usermin works fine and I can also connect to the server using Eudora and Outlook to receive emails from the server.

However I cannot send mail from Outlook or Eudora no-matter what setting I use in the â

I’ve tryed to manually configure of postfix… but with no sucess…

readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Is your mail client configured to use SMTP authentication when sending? This is required.

If not, you’ll need to enable it–the username and password are the same as your POP/IMAP login.

If so, then we’ll need to see the /var/log/maillog during a failed send attempt.


now i have it like this

readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
mynetworks =
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
home_mailbox = Maildir/
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
virtual_alias_maps = hash:/etc/postfix/virtual

this is what i get from mailog…

and after putting authentication im SMTP, using the same login and passd, e cannot send, as it does not allow me to "login" ??

Jun 26 03:26:27 hosting postfix/smtpd[2762]: warning: unknown[]: SASL PLAIN authentication failed: authentication failure
Jun 26 03:26:28 hosting postfix/smtpd[2762]: disconnect from unknown[]
Jun 26 03:26:48 hosting dovecot: pop3-login: Login: user=<>, method=PLAIN, rip=::ffff:, lip=::ffff:, TLS
Jun 26 03:26:48 hosting postfix/smtpd[3098]: connect from unknown[]
Jun 26 03:26:49 hosting dovecot: POP3( Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jun 26 03:26:49 hosting postfix/smtpd[3098]: NOQUEUE: reject: RCPT from unknown[]: 554 5.7.1 <>: Relay access denied; from=<> to=<> proto=ESMTP helo=<IBM.lan>
Jun 26 03:26:49 hosting postfix/smtpd[3098]: disconnect from unknown[]
Jun 26 03:26:49 hosting postfix/smtpd[2762]: connect from unknown[]
Jun 26 03:26:49 hosting postfix/smtpd[2762]: NOQUEUE: reject: RCPT from unknown[]: 554 5.7.1 <>: Relay access denied; from=<> to=<> proto=ESMTP helo=<IBM.lan>
Jun 26 03:26:49 hosting postfix/smtpd[2762]: disconnect from unknown[]

And then i get a message obx saying… unable to authenticate in SMTP server… please introduce the password for the user X.

I’ve reset the passd usin webmin already, and nothing :frowning:

I give up

i’ve put outlook express and evolution trying to autenticate… and nothing…

Hey Filipe,

Looks like maybe you’re using @ in usernames. There’s a FAQ about this.

If your OS has a reasonably new version of saslauthd, you have to pass it a parameter to tell it to accept names like this (it’s generally a problematic choice and quite a few pieces of software will fight against it).

Edit the file /etc/sysconfig/saslauthd on Red Hat based systems or /etc/default/saslauthd on Debian based systems. Add the "-r" option to either the "FLAGS" line on RH based systems or the "PARAMS" or "OPTIONS" line on Debian based systems. Restart saslauthd, and give it another try.

This will be automatically added during installation in the next release of the virtualmin-base package–I’ve had to do a bit of digging to figure out which versions of saslauthd are effected (the rest would be confused by the -r option).

Hello JOE

Well… i decided to REinstall the hole server again… a fresh new installation of Centos 5 64bit, SELinux disable and straight to “wget— your script”… It is installing everything from the scracth. nice to see all the hard work to be done with one script. Howevere, i’ve made two things first.
First: vi /etc/hosts , in order to define the IP’s and various hostnames.
Second: i’ve had virtual IP address (2) so i can use them for the future as NS1 and NS2 of my domain and server, as well as NS service for my clients.

As for now… the script install runs smoth… :slight_smile:
I’ll cath this post up, wit new upcomming events :slight_smile:

But i need a help on here to go in order not to get AGAIN the relay access denied.

I’ll try to connect using SMTP autentication… but must i go somehere else and change something ??? (one more thing… the SMTP authentication should be plain?)

Thanks Filipe

By the way… the last instalation was made by myself using
" " that is for ISPconfig… and then i’ve put virtualmin GPL, and then upgraded to Virtualmin PRO.

maybe it was so messy, that the server confused… or me!!!

then again… thanks

Hey Filipe,

Yes, when you use @ in the username on CentOS 5, a change is needed to /etc/sysconfig/saslauthd. This will be fixed in the next release of virtualmin-base, but right now, you’ll need to edit /etc/sysconfig/saslauthd, find the line that starts with FLAGS=, and add “-r”. So, you’d make it:


The quotes might not be necessary, but they shouldn’t hurt anything. If you don’t use @ in usernames, you don’t need to do this step.

Oh, yeah, regarding the HowtoForge article…yeah, a Virtualmin system is not entirely consonant with the way they set things up in that example. It’s not a bad article–a lot of valid advice is to be found there–but there are a few technical differences in the way Virtualmin works vs. the way ISPConfig works (I’ve never used ISPConfig…I only guess based on a glance over that article).

I should probably write up some similar articles for Virtualmin GPL on HowtoForge. We’ve started hearing from quite a few people who go through that process before settling on Virtualmin (either GPL or Professional), to get all of the features they need or want. Might as well save folks some time, and allow them to start with Virtualmin, even if they want to stick to only Open Source tools.

Hello Joe

Thanks for the replyes.

The reinstalation went ok, but the importation of CPANEL accounts did not went quite well, we me having to knock down some mailboxes and rebuilding them from the scracth.

I’ll do that FLAGS="-r" thing…

But now i have a another problem:

for example. We have configure an email like

to connect to that via webmail squirrelmail or outlook, we use teste.emotions for pop and SMTP authentication.

what happen’s is, I send an email to from gmail account. I goes well, e reply to it, and in the gmail account i receive an email not from, but from When making a reply to this last email, the gmail , and other programs, i receive the following:

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 13): 550 5.1.1 <>: Recipient address rejected: User unknown in virtual alias table

----- Original message -----

Received: by with SMTP id o5mr430934anf.1182961757403;
Wed, 27 Jun 2007 09:29:17 -0700 (PDT)
Received: by with HTTP; Wed, 27 Jun 2007 09:29:17 -0700 (PDT)
Message-ID: <>
Date: Wed, 27 Jun 2007 17:29:17 +0100
From: "Filipe L" <>
To: "" <>
Subject: Re: boa tarde 2 vindo do webmail emotion
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: multipart/alternative;
References: <>

Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


On 6/27/07, <> wrote:
> boa tarde 2 vindo do webmail emotion

----- Message truncated -----

Meaning that the emails that are getting out of the server are getting a mask on top of the. is mail email… in the gmail i receive like the sender would be, . The patern is name.surname.domain@domain.tld instead of name.surname@domain.tld , because that’s how the mail account is configured.

Anything to do with the FLAGS thing???


Hello Joe,

After the FLAGS thing, ive tryied to login with via webmail and no can do… :frowning:

I’ve went reading the man file for the sasl and saw this


 -r      Combine the realm with the login (with an '@' sign in between).
         e.g.  login: &quot;foo&quot; realm: &quot;bar&quot; will get passed as login:
         &quot;foo@bar&quot;.  Note that the realm will still be passed, which may lead to unexpected behavior.


This behavior gave me and my clients this error on the login page…
It is here bellow:

ERROR: Could not complete request.
Query: LIST "" "Sent"
Reason Given: Internal error occurred. Refer to server log for more information. [2007-06-27 22:00:25]

So, the FLAG’s option did not worked out on webmail… Still don’t know how it will behave with send the emails…

Hey Filipe,

Maybe I’d better drop in and straighten all of this out for you. :wink:

Looks like a combination of a few quirks of using @ in usernames. Some webmail clients need extra modules installed to get the logins and outgoing stuff right, some need canonical maps to be setup (Virtualmin can do that for you, but I don’t think we enable it by default, as @ in usernames isn’t really a good idea on a lot of levels). It’s all pretty easy to fix, but it’s hard to guess at exactly which combination of components you’re dealing with here and remember exactly what needs to be done for any given combination of software. If I’m looking at it, I can probably get it fixed in a couple of minutes.

If you’ll send over the IP and login details to I can take a look right away.


I ve sent you de access for the server via email.

I’m here on this side to make whatever tests that are needed…

Hello Joe,

So, any news? Can I help on this side?


Hey Filipe,

It’s underway. It’s not at all @ in username issues. You’re not using @ in usernames (at least not in the domain I’m looking at). That’s good. Easier to figure things out and fix them. :wink:

Ok, Usermin webmail is fixed. The defaults are apparently being left to the sendmail settings on install! I can’t believe we haven’t heard lots of complaining about this! It’s kind of irritating, isn’t it? :wink:

I’m checking out SMTP auth and such now. Will let you know what I figure out.


The flags stuff was written by me like you proposed…
the server had a reboot after that, made by me. at, i can enter with filipe.lacerda@lusolabs com the email client, squirrelmail, instaled via your scripts.

Are you sugesting also that users should use usermin webmail?
i think its access is port 20000 right?