Postscript Final steps: Relay access denied

We have successfully navigated the many rivers of setting up a website and mail server with SSL/TLS but one:Relay access denied for outgoing mail to external addressee from an offsite client through our own Postfix SMTP server. Everything else works great.

Any ideas? Details below.

Thank you, Andy

  We have Postfix Version: 3.2.0-1.4 under opensuse Leap 42.3. Other relevants include Dovecot  2.2.31 (65cde28)

**• Receive** mail (Dovecot) works under all options at both internal (**lavarre**) and external (**spectre**) sites.

• **Send** mail from internal and external clients tested with: 
telnet 587


openssl s_client -connect -starttls smtp

(it fails if **-starttls** tag is not included: **No peer certificate...**)

• Send mail from internal (within the server) to both internal and external addressees works.
• Send mail from external clients to internal addressees (****) works.
• Send mail from external clients to external addressees suffers **Relay access denied**.

We have done the following with **/etc/postfix/**:
• Created     **/etc/postfix/sender_access** with **postmap** to explicitly *include* as authorized senders:****
• Updated the line
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access

to use that access database.

• Commented out

to preclude restrictions on addressees

• Not found 

• Commented out 
relayhost = 

The only thing that works to date is to explicitly add our external IP address to mynetworks:
mynetworks = ****,,

but even that doesn't work with the Evolution email client:
[INDENT=2]"Bad authentication response from server."

So I would deeply appreciate help in sorting this last bit out... 

Thanks again.

Relaying is controller by smtpd_relay_restrictions which defaults to local networks and authenticated users. Controlling relaying based on who client pretends to be will result in widely open relay as anyone can put anything in SEND FROM line.


Believe the configuration you want to set up is described in the following link

General configuration limitations as described by arvidjaar in the following documentation