"Relay access denied" for outbound mail to any external domain from trusted networks in PMG

iprahem.mohamed

New Member
Feb 8, 2025
Hello,
I'm using Proxmox Mail Gateway in front of an internal mail server (WHM/cPanel) to manage email sending and receiving.
Everything works fine for inbound mail. The problem is when sending outbound emails from my internal server to any external domain (e.g., Gmail, Hotmail, company.com). The following error appears in the logs or via telnet

  • I have added my mail servers/networks to the PMG trusted networks section.
  • I reviewed main.cf and postconf to ensure:
    • mynetworks includes my mail server IPs/networks.
    • smtpd_recipient_restrictions starts with permit_mynetworks, followed by reject_unauth_destination.
  • Testing sending via telnet from the internal mail server to PMG shows the same error unless I manually add the target external domain to PMG's Relay Domains.
  • When I add the external domain to Relay Domains, sending succeeds.

The issue:
It's practically impossible to pre-add every external domain, as I support many clients reaching hundreds of destinations.


My questions:


  1. Is there an official way or option in PMG to allow trusted networks to relay email to any external domain, without manually populating Relay Domains?
  2. Is this a security policy by design, with no workaround except heavy customization or forwarding through an external SMTP relay?

Any help, official solution, or recommendation is appreciated.



 
Thank you for your reply.


I have already followed the deployment steps mentioned in the documentation. My internal mail server is cPanel/WHM, and I did the following:


  • Configured SPF, DKIM, and PTR correctly.
  • Added my domain to Relay Domains.
  • Added my internal server IP to Trusted Networks / My Networks.
  • Pointed the outbound route on the cPanel server to the internal port of PMG as recommended.

However, PMG is still rejecting the outbound email. The log shows the following error:
connect from serv.travelgatetours.com[154.41.209.25]
NOQUEUE: reject: RCPT from serv.travelgatetours.com[154.41.209.25]:
454 4.7.1 <ibrahim@mubasher.com.eg>: Relay access denied;
from=<test2@travelgatetours.com> to=<ibrahim@mubasher.com.eg> proto=ESMTP helo=<serv.travelgatetours.com>
disconnect from serv.travelgatetours.com[154.41.209.25]


So even with the IP in Trusted Networks and the domain in Relay Domains, PMG still denies the relay.


I’m looking to understand why the message is rejected despite the correct configuration, and whether there is any additional step required to allow trusted servers to relay to external domains without manually adding each destination.


Thanks in advance for any guidance
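
A diagnostic sketch for the situation in the post above, added here as an example and not part of the original thread or of PMG's own tooling: it extracts the client IP from each "Relay access denied" line and tests it against a mynetworks value. The log lines, addresses and mynetworks value are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Postfix smtpd reject line: client host[ip], reply code, DSN, recipient, reason.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+?)\[(?P<ip>[0-9A-Fa-f.:]+)\]:\s*"
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);"
)

def parse_mynetworks(value):
    """Parse a literal mynetworks list; IPv6 entries use the [addr]/len form."""
    nets = []
    for tok in re.split(r"[,\s]+", value.strip()):
        # Skip empty tokens, file/table lookups and "!" exclusions (out of scope here).
        if not tok or tok[0] in "/!" or (":" in tok and not tok.startswith("[")):
            continue
        nets.append(ipaddress.ip_network(tok.replace("[", "").replace("]", ""), strict=False))
    return nets

def relay_denials(log_text, mynetworks):
    """Return one record per relay denial: the IP Postfix saw and whether it is trusted."""
    nets = parse_mynetworks(mynetworks)
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or "Relay access denied" not in m["reason"]:
            continue
        ip = ipaddress.ip_address(m["ip"])
        covered = any(ip.version == n.version and ip in n for n in nets)
        records.append({
            "client_ip": m["ip"],
            "rcpt_domain": m["rcpt"].rpartition("@")[2].lower(),
            "in_mynetworks": covered,
        })
    return records

# Constructed sample data (documentation addresses, not taken from the thread).
SAMPLE_MYNETWORKS = "127.0.0.0/8 [::1]/128, 10.0.0.0/24"
SAMPLE_LOG = """\
Feb 08 10:00:01 pmg postfix/smtpd[2211]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.10]: 454 4.7.1 <user@example.net>: Relay access denied; from=<a@example.com> to=<user@example.net> proto=ESMTP helo=<mail.example.com>
Feb 08 10:00:09 pmg postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[10.0.0.5]: 454 4.7.1 <user@Example.ORG>: Relay access denied; from=<a@example.com> to=<user@Example.ORG> proto=ESMTP helo=<mail.example.com>
Feb 08 10:00:15 pmg postfix/smtpd[2213]: NOQUEUE: reject: RCPT from unknown[10.0.0.5]: 550 5.1.1 <x@example.com>: Recipient address rejected: User unknown; from=<a@example.com> to=<x@example.com> proto=ESMTP helo=<mail.example.com>
"""

if __name__ == "__main__":
    for rec in relay_denials(SAMPLE_LOG, SAMPLE_MYNETWORKS):
        print(rec)
```

A denial with `in_mynetworks` false means the address Postfix saw on the connection is not one of the listed networks. A denial with it true means the restrictions in effect on the listener that accepted the connection (including any per-service `-o` overrides in master.cf) should be compared with the `postconf` output.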
 
Try rebooting the PMG once (just in case some part of the config did not catch in time) - if this does not help - please post the complete journal when sending an outbound mail fails.