Docs / Email Servers / Troubleshooting 550 Relay Access Denied Errors

Troubleshooting 550 Relay Access Denied Errors

By Admin · Mar 15, 2026 · Updated Apr 23, 2026 · 648 views · 4 min read

The "550 5.7.1 Relay access denied" error is one of the most common SMTP issues, occurring when a mail server refuses to relay (forward) a message. This error means the server received your message but will not deliver it to the intended recipient. This guide covers all causes and solutions for this error in Postfix, Exim, and general SMTP scenarios.

Understanding Relay Access

An SMTP server "relays" when it accepts a message destined for a domain it does not directly manage. Open relays (servers that relay for anyone) are exploited by spammers, so modern mail servers restrict relay access to:

  • Authenticated users (SMTP AUTH)
  • Trusted networks (mynetworks)
  • Local domains (the server's own domains)

Common Causes and Fixes

1. Client Not Authenticated

The most common cause — your email client is not using SMTP authentication:

# Email client settings should be:
Outgoing server (SMTP): mail.example.com
Port: 587 (submission) or 465 (SMTPS)
Security: STARTTLS (587) or SSL/TLS (465)
Authentication: Required (LOGIN or PLAIN)
Username: user@example.com
Password: your-password

# Test authentication
swaks --to external@gmail.com --from user@example.com \
    --server mail.example.com --port 587 \
    --auth LOGIN --auth-user user@example.com \
    --tls

2. Postfix: mynetworks Misconfigured

# Check current mynetworks
postconf mynetworks

# Ensure your sending IP is included
# /etc/postfix/main.cf
mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.0/24

# If sending from a dynamic IP, use SMTP AUTH instead of mynetworks

# Reload after changes
sudo systemctl reload postfix

3. Recipient Domain Not in relay_domains

# If Postfix should accept mail for a domain but returns relay denied:
postconf mydestination
postconf relay_domains
postconf virtual_mailbox_domains

# The domain must be in one of:
# mydestination — local delivery
# virtual_mailbox_domains — virtual mailbox delivery
# relay_domains — relay to backend server

# Example: add missing domain
# /etc/postfix/main.cf
virtual_mailbox_domains = example.com, example.org, missing-domain.com
sudo systemctl reload postfix

4. Restriction Order Issue

# Postfix evaluates restrictions in order — a reject before permit_sasl_authenticated blocks auth users

# WRONG (rejects before checking auth):
smtpd_recipient_restrictions =
    reject_unauth_destination,
    permit_sasl_authenticated

# CORRECT (check auth first):
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

5. SASL Authentication Not Configured

# Check if SASL is enabled in Postfix
postconf smtpd_sasl_auth_enable
# Should be: yes

# Check SASL configuration
postconf smtpd_sasl_type
postconf smtpd_sasl_path

# For Dovecot SASL:
# /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

# Verify Dovecot auth socket exists
ls -la /var/spool/postfix/private/auth

6. Submission Port (587) Not Configured

# /etc/postfix/master.cf — ensure submission is enabled
submission inet n       -       y       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING

Debugging Steps

# 1. Check mail logs for the exact error
grep "Relay access denied" /var/log/mail.log | tail -20

# 2. Test with swaks
swaks --to external@gmail.com --from user@example.com --server mail.example.com --port 587 --auth LOGIN --auth-user user@example.com --tls 2>&1

# 3. Check Postfix configuration
postconf -n | grep -E "mynetworks|relay_domains|sasl|recipient_restrictions"

# 4. Verify from remote server
telnet mail.example.com 25
EHLO test
MAIL FROM:
RCPT TO:
# If you get 550 here, the server correctly rejects unauthenticated relay

# 5. Test with authentication on port 587
openssl s_client -connect mail.example.com:587 -starttls smtp
EHLO test
AUTH LOGIN
# (provide base64-encoded credentials)

Relay Access for Applications

# Applications sending email through your server have several options:

# Option 1: Add application server IP to mynetworks
mynetworks = 127.0.0.0/8 10.0.0.50/32

# Option 2: Use SMTP authentication in the application
# PHP example:
$transport = (new Swift_SmtpTransport('mail.example.com', 587, 'tls'))
    ->setUsername('app@example.com')
    ->setPassword('AppPassword');

# Option 3: Use a dedicated submission port with restricted access
# /etc/postfix/master.cf
10025 inet n - n - - smtpd
    -o mynetworks=10.0.0.0/24
    -o smtpd_recipient_restrictions=permit_mynetworks,reject

Best Practices

  • Always require authentication for relay — never add external IPs to mynetworks unless absolutely necessary
  • Use port 587 (submission) for authenticated sending, not port 25
  • Order Postfix restrictions correctly: permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
  • Test after every configuration change with swaks
  • Check both mail logs and Postfix configuration when troubleshooting
  • For applications, prefer SMTP AUTH over IP-based relay permissions

Was this article helpful?

Related Articles