Mail "access denied" error after update to 1.7

csteaderman · July 10, 2025, 6:52pm

Is there an ETA for this fix?

Wait, maybe I’m having a different issue after upgrading to 1.7.0 this morning.

All external email is currently being rejected at our server.

554 5.7.1 : Recipient address rejected: access denied

mrmarkuz · July 10, 2025, 6:55pm

No, sorry.
In the meanwhile you could revert to the working 1.6.4:

Relay error after update mail node to 1.7.0

As alternative workaround, if further issues occur, the specific Mail update to 1.7 it can be temporarily be reverted the Postfix container version 1.6.4, by editing the MAIL_POSTFIX_IMAGE= line in theenvironment file, for example with
runagent -m mail1
sed -i 's|^MAIL_POSTFIX_IMAGE=.*$|MAIL_POSTFIX_IMAGE=ghcr.io/nethserver/mail-postfix:1.6.4|' environment
systemctl --user restart postfix # image download may require some time
Version 1.7 differs from 1.6 only in Postfix configuration templates.

EDIT:

Are you using user forwards? Are you using relay rules?

csteaderman · July 10, 2025, 7:21pm

No relay rules. No forward rules defined in the Mailboxes setttings.

csteaderman · July 10, 2025, 7:25pm

I had already updated to Version 1.7.1-dev.2 (didn’t fix the issue). Reverting via the provided command does not resolve the issue. All email from external servers is being rejected.

554 5.7.1 : Recipient address rejected: access denied

From mail1 log:
2025-07-10T14:24:03-05:00 [1:mail1:postfix/smtpd] NOQUEUE: reject: RCPT from mail-oo1-f41.google.com[209.85.161.41]: 554 5.7.1 <charlies@poliac.com>: Recipient address rejected: access denied; from=<csteaderman@gmail.com> to=<charlies@poliac.com> proto=ESMTP helo=<mail-oo1-f41.google.com>

csteaderman · July 10, 2025, 7:34pm

Is there a formal method to completely revert to the previous version of the Mail App?

mrmarkuz · July 10, 2025, 7:40pm

It could be another issue, I checked your domain and there was no DNS or MX records found, see Network Tools: DNS,IP,Email

csteaderman · July 10, 2025, 7:44pm

Wrong domain. You checked pollac.com, should be poliac.com.

csteaderman · July 10, 2025, 7:45pm

Checking my logs, this problem started right after I upgraded to 1.7.0 this morning.

mrmarkuz · July 10, 2025, 7:47pm

I’m going to test reverting…

Are you using the same name for your LDAP or AD domain?

csteaderman · July 10, 2025, 7:49pm

Yes. I have two entries in Domains and Users. One is the internal AD domain name (burnsville.local) and the other is the public name (poliac.com). Both point to the same AD.

mrmarkuz · July 10, 2025, 7:58pm

I checked reverting as explained above and it worked on my side.

Could you please check the running mail containers:

runagent -m mail1 podman ps

csteaderman · July 10, 2025, 8:02pm

CONTAINER ID  IMAGE                                        COMMAND     CREATED         STATUS         PORTS       NAMES
7f9f02cd64b4  ghcr.io/nethserver/mail-clamav:1.7.1-dev.2               42 minutes ago  Up 42 minutes              clamav
fe6594083c67  ghcr.io/nethserver/mail-rspamd:1.7.1-dev.2               42 minutes ago  Up 42 minutes              rspamd
eaf1466babb7  ghcr.io/nethserver/mail-postfix:1.7.1-dev.2              42 minutes ago  Up 42 minutes              postfix
7dbf05460f79  ghcr.io/nethserver/mail-dovecot:1.7.1-dev.2              42 minutes ago  Up 41 minutes              dovecot

mrmarkuz · July 10, 2025, 8:07pm

It seems reverting didn’t work on your side as the postfix container still uses 1.7.1-dev.2

Enter the app environment:

runagent -m mail1

Change the postfix version:

sed -i 's|^MAIL_POSTFIX_IMAGE=.*$|MAIL_POSTFIX_IMAGE=ghcr.io/nethserver/mail-postfix:1.6.4|' environment

Your could also edit the environment file manually:

vi environment

There should be a line like this in the environment file:

MAIL_POSTFIX_IMAGE=ghcr.io/nethserver/mail-postfix:1.6.4

Restart postfix:

systemctl --user restart postfix

Check containers: (there should be postfix 1.6.4)

podman ps

Exit app environment

exit

csteaderman · July 10, 2025, 8:11pm

That worked. Not sure what I missed when I thought I reverted previously, but we are back in business. Thanks for your support.

davidep · July 10, 2025, 9:29pm

Please, share (or send me in PM) the output of this command:

api-cli run module/mail1/list-domains | jq

It can help us to reproduce your issue.

csteaderman · July 10, 2025, 10:35pm

[
  {
    "domain": "burnsville.local",
    "addusers": true,
    "addgroups": false,
    "catchall": null,
    "bccaddr": null,
    "description": ""
  },
  {
    "domain": "poliac.com",
    "addusers": false,
    "addgroups": false,
    "catchall": null,
    "bccaddr": null,
    "description": ""
  }
]

davidep · July 11, 2025, 7:25am

Is “charlies” defined in the Addresses page? What are its destinations?

Did you change addusers flags recently?

mrmarkuz · July 11, 2025, 8:26am

I think I could reproduce the issue.

When

User domain is the same as the mail domain
Addusers is NOT set for the mail domain
An alias address is created for the mail domain (I tried internal samba user destination and external destination)

then the mail is rejected:

2025-07-11T09:47:34+02:00 [1:mail1:postfix/smtpd] NOQUEUE: reject: RCPT from mail-ed1-f43.google.com[209.85.208.43]: 554 5.7.1 <markus@ad.domain.tld>: Recipient address rejected: access denied;

If addusers is enabled it’s working but without addusers and an alias address it doesn’t work when the user domain is the same as the mail domain.

davidep · July 11, 2025, 8:46am

Ok good news

Could you split this thread and file the bug, please?

No, sorry, it’s not for now, we’ll address it in 2/4 weeks. Meanwhile version 1.7+ remains quarantined.

csteaderman · July 11, 2025, 12:32pm

Is “charlies” defined in the Addresses page? What are its destinations?

Did you change addusers flags recently?

Since I didn’t know that there was an addusers flag, I didn’t make a change on purpose.