SMTP Protocol Returned a Permanent Error 554 5.7.1

[paul.maechler]

I do use Port 25 for external and 26 for internal.
I did also add LAN 10.0.0.0/8 and DMZ 151.xxx.236.192/27 to NETWORKS und "Configuration: Mail Proxy".
My PMG (v8.20) has 151.xxx.236.196 and my Mailserver 151.xxx.236.202
When I send a mail to "gmail.com" from Mailserver to PMG (Port 26) I do receive a "Relay access denied" error.
I need to add "gmail.com" to "Relay Domains" to make it work. In my opinion, this should not be necessary.

What I'm doing wrong ?

Please help.
Thanks
Paul

 

[paul.maechler]

Mar 21 16:33:26 mail postfix/smtpd[2146451]: connect from x2.suxeed.com[151.248.236.202]
Mar 21 16:33:26 mail postfix/smtpd[2146451]: Anonymous TLS connection established from x2.suxeed.com[151.248.236.202]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 21 16:33:26 mail postfix/smtpd[2146451]: NOQUEUE: reject: RCPT from x2.suxeed.com[151.248.236.202]: 554 5.7.1 <paul.maechler@gmail.com>: Relay access denied; from=<paul.maechler@pmi.ch> to=<paul.maechler@gmail.com> proto=ESMTP helo=<x2.suxeed.com>
Mar 21 16:33:26 mail postfix/smtpd[2146451]: disconnect from x2.suxeed.com[151.248.236.202] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

 

[Stoiko Ivanov]

I need to add "gmail.com" to "Relay Domains" to make it work. In my opinion, this should not be necessary.

No this is not necessary, and you should not do that (else PMG would send mails from anybody to gmail.com)

Is the mail from x2.suxeed.com[151.248.236.202] using the internal port 26?

 

[paul.maechler]

Yes we forward some Domains (not all) to 151.248.236.196:26 which is the public IP of the PMG.
But this is not working because of this relay blocking.

What is wrong ?

HCL Domino Server

24.03.2025 09:51:33 Router: No messages transferred to 151.248.236.196:26 (host 151.248.236.196:26) via SMTP: Remote system no longer responding
24.03.2025 09:51:33 Router: Transferring mail to domain 151.248.236.196:26 (host 151.248.236.196:26 [151.248.236.196]) via SMTP
24.03.2025 09:51:33 Router: No messages transferred to 151.248.236.196:26 (host 151.248.236.196:26) via SMTP
24.03.2025 09:51:33 Router: Error transferring message 0030A9D1 via SMTP to 151.248.236.196:26 OF505137D480E715F ONC1258C57:0030A9D1 554 5.7.1 <sinalungo@gmx.ch>: Relay access denied

PMG

2025-03-24T09:51:33.240136+01:00 mail postfix/smtpd[39885]: connect from x2.suxeed.com[151.248.236.202]
2025-03-24T09:51:33.275602+01:00 mail postfix/smtpd[39885]: Anonymous TLS connection established from x2.suxeed.com[151.248.236.202]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2025-03-24T09:51:33.279097+01:00 mail postfix/smtpd[39885]: NOQUEUE: reject: RCPT from x2.suxeed.com[151.248.236.202]: 554 5.7.1 <sinalungo@gmx.ch>: Relay access denied; from=<paul.maechler@pmi.ch> to=<sinalungo@gmx.ch> proto=ESMTP helo=<x2.suxeed.com>
2025-03-24T09:51:33.279306+01:00 mail postfix/smtpd[39885]: using backwards-compatible default setting smtpd_relay_before_recipient_restrictions=no to reject recipient "sinalungo@gmx.ch" from client "x2.suxeed.com[151.248.236.202]"
2025-03-24T09:51:33.296628+01:00 mail postfix/smtpd[39885]: disconnect from x2.suxeed.com[151.248.236.202] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

 

[Stoiko Ivanov]

Hm - I'd expect the mail to be accepted..
* do you have any modifications in place (e.g. adaptations of the postfix config (in /etc/pmg/templates), firewall,NAT rules on the PMG? (`iptables-save -nvL` `nft list ruleset`)?

Just to rule out any glitches - did you reboot after adapting the configuration?

 

[paul.maechler]

Do you want access to our PMG ?

 

[paul.maechler]

Any news ? Need your help to fix that problem.

 

[Stoiko Ivanov]

the outputs of :
* `ls /etc/pmg/templates/`
* `nft list ruleset`
* `iptables -nvL`
and a reboot would still help in seeing where the issue might be.

 

[paul.maechler]

root@mail:/# ls /etc/pmg/templates/
ls: cannot access '/etc/pmg/templates/': No such file or directory
root@mail:/#


root@mail:/# nft list ruleset
root@mail:/#


root@mail:/# iptables -nvL
-bash: iptables: command not found
root@mail:

 

[paul.maechler]

We are blocked. Need support urgently now.
Without adding all the re-routed domains is relaying still blocked by PMG.
I do have second PMG (v7.3). Same Problem there.

 

[Stoiko Ivanov]

We are blocked. Need support urgently now.

If you have a subscription of level Basic or above - open a ticket at https://my.proxmox.com - there you'll get responses within a certain time frame - help in this forum is on a best-effort basis.

else please share (in code-tags):
* contents of /etc/postfix/main.cf
* contents of /etc/postfix/master.cf
* `pmgconfig dump`
* some recent logs from PMG showing the error you're seeing.

I hope this helps!