Trying to resolve Client host rejected: Access denied errors

Trying to resolve Client host rejected: Access denied errors

David Drum
Hello everyone,

I am recently no longer able to send mail out from my postfix server. Receiving email works fine. Connecting via IMAPS from Mail.app and sending either to a local recipient or to an external recipient is rejected with:

Jun 11 20:35:05 grover postfix/submission/smtpd[11782]: NOQUEUE: reject: RCPT from subscriber-dhcp-cgn-#-191-7-1.ISP.net[#.191.7.1]: 554 5.7.1 <subscriber-dhcp-cgn-#-191-7-1.ISP.net[#.191.7.1]>: Client host rejected: Access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<[10.5.19.6]>

Jun 11 20:45:32 grover postfix/submission/smtpd[12054]: NOQUEUE: reject: RCPT from subscriber-dhcp-cgn-#-191-7-1.ISP.net[#.191.7.1]: 554 5.7.1 <subscriber-dhcp-cgn-#-191-7-1.ISP.net[#.191.7.1]>: Client host rejected: Access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<[10.5.19.6]>

I've been through so many Google searches and how-tos that nothing is making sense any more. I throw myself on the mercy of the Postfix gods. I very much appreciate your time.

# /root/bin/postfinger --all --nowarn
postfinger - postfix configuration on Tue Jun 11 21:33:18 CDT 2019
version: 1.30

--System Parameters--
mail_version = 3.3.0
hostname = grover
uname = Linux grover 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from deb package: postfix-3.3.0-1ubuntu0.2

--Mailbox locking methods--
flock fcntl dotlock

--Supported Lookup tables--
btree cidr environ fail hash inline internal memcache nis pipemap proxy randmap regexp socketmap sqlite static tcp texthash unionmap unix

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
disable_vrfy_command = yes
home_mailbox = Maildir/
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
mailbox_size_limit = 0
message_size_limit = 20971520
mydestination = bigbird.com lists.bigbird.com localhost.localdomain localhost
myhostname = grover.bigbird.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/16 #.191.4.0/22
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_tls_all_clientcerts, reject_unauth_pipelining
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unverified_recipient, check_client_access regexp:/etc/postfix/rbl_override, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/bigbird.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/bigbird.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:NULL-SHA256
tls_preempt_cipherlist = yes
virtual_alias_domains = codecats.us
virtual_alias_maps = hash:/etc/postfix/virtual

--master.cf--
submission inet n       -       n       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o milter_macro_daemon_name=ORIGINATING
smtp       inet  n       -       y       -       -       smtpd
pickup     fifo  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
 flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
 flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
 flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
 flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
 flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
 flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
 ${nexthop} ${user}

--Specific file and directory permissions--
drwx-wx--T 2 postfix postdrop 4096 Oct 22  2018 /var/spool/postfix/maildrop
drwx--s--- 2 postfix postdrop 4096 Jun 11 21:31 /var/spool/postfix/public
total 0
srw-rw-rw- 1 postfix postdrop 0 Jun 11 21:31 cleanup
srw-rw-rw- 1 postfix postdrop 0 Jun 11 21:31 flush
prw--w--w- 1 postfix postdrop 0 Jun 11 21:32 pickup
prw--w--w- 1 postfix postdrop 0 Jun 11 21:31 qmgr
srw-rw-rw- 1 postfix postdrop 0 Jun 11 21:31 showq
drwx------ 2 postfix root 4096 Jun 11 21:31 /var/spool/postfix/private
total 0
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 anvil
srw-rw-rw- 1 root    root    0 Jun 11 12:23 auth
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 bounce
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 bsmtp
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 defer
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 discard
srw-rw---- 1 postfix postfix 0 Jun 11 12:23 dovecot-auth
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 error
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 ifmail
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 lmtp
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 local
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 maildrop
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 mailman
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 proxymap
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 proxywrite
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 relay
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 retry
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 rewrite
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 scache
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 scalemail-backend
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 smtp
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 tlsmgr
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 trace
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 uucp
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 verify
srw-rw-rw- 1 postfix postfix 0 Jun 11 21:31 virtual
-r-xr-sr-x 1 root postdrop 14456 Oct 11  2018 /usr/sbin/postdrop
-r-xr-sr-x 1 root postdrop 22600 Oct 11  2018 /usr/sbin/postqueue

--Library dependencies--
/usr/lib/postfix/sbin/smtpd:
       linux-vdso.so.1 (0x00007ffe9af16000)
       libpostfix-master.so => /usr/lib/postfix/libpostfix-master.so (0x00007f30e869a000)
       libpostfix-tls.so => /usr/lib/postfix/libpostfix-tls.so (0x00007f30e8481000)
       libpostfix-dns.so => /usr/lib/postfix/libpostfix-dns.so (0x00007f30e827a000)
       libpostfix-global.so => /usr/lib/postfix/libpostfix-global.so (0x00007f30e8035000)
       libpostfix-util.so => /usr/lib/postfix/libpostfix-util.so (0x00007f30e7df2000)
       libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f30e7bd7000)
       libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f30e79b8000)
       libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f30e75c7000)
       libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f30e733a000)
       libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f30e6e70000)
       libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f30e6c55000)
       libdb-5.3.so => /usr/lib/x86_64-linux-gnu/libdb-5.3.so (0x00007f30e68ac000)
       libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f30e6692000)
       libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f30e648e000)
       libicuuc.so.60 => /usr/lib/x86_64-linux-gnu/libicuuc.so.60 (0x00007f30e60d7000)
       /lib64/ld-linux-x86-64.so.2 (0x00007f30e8ade000)
       libicudata.so.60 => /usr/lib/x86_64-linux-gnu/libicudata.so.60 (0x00007f30e452e000)
       libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f30e41a5000)
       libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f30e3e07000)
       libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f30e3bef000)
-- end of postfinger output --

# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Tue Jun 11 21:33:56 CDT 2019
version: 1.0.4
mode: server-side SMTP AUTH

-- basics --
Postfix: 3.3.0
System: Ubuntu 18.04.2 LTS \n \l

-- smtpd is linked to --
       libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f185c4a5000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/bigbird.com/fullchain.pem
smtpd_tls_ciphers = medium
smtpd_tls_key_file = /etc/letsencrypt/live/bigbird.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes


-- listing of /usr/lib/sasl2 --
total 24
drwxr-xr-x  2 root root  4096 Sep 23  2018 .
drwxr-xr-x 81 root root 12288 Mar  7 20:30 ..
-rw-r--r--  1 root root     4 May  6  2017 berkeley_db.active
-rw-r--r--  1 root root     4 Feb  5  2018 berkeley_db.txt

-- listing of /etc/postfix/sasl --
total 12
drwxr-xr-x 2 root root 4096 Jun 11 21:23 .
drwxr-xr-x 6 root root 4096 Jun 11 21:33 ..
-rw-r--r-- 1 root root   49 Jun 11 21:23 smtpd.conf




-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
submission inet n       -       n       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o milter_macro_daemon_name=ORIGINATING
smtp       inet  n       -       y       -       -       smtpd
pickup     fifo  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
flush      unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp       unix  -       -       y       -       -       smtp
relay      unix  -       -       y       -       -       smtp
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
retry      unix  -       -       y       -       -       error
discard    unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp       unix  -       -       y       -       -       lmtp
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
 flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
 flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
 flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
 flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
 flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
 flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
 ${nexthop} ${user}

-- mechanisms on localhost --

-- end of saslfinger output --

Regards,

David Drum
[hidden email]
--
"Penultimate."  Ooh!  Second-best word ever!--Frazz


Re: Trying to resolve Client host rejected: Access denied errors

Matus UHLAR - fantomas
On 12.06.19 08:36, David Drum wrote:
>I am recently no longer able to send mail out from my postfix server.
> Receiving email works fine.  Connecting via IMAPS from Mail.app and
> sending either to a local recipient or to an external recipient is
> rejected with:

out from your postfix server?  This looks like you have problems sending out
to your postfix server

>Jun 11 20:35:05 grover postfix/submission/smtpd[11782]: NOQUEUE: reject: RCPT from subscriber-dhcp-cgn-#-191-7-1.ISP.net[#.191.7.1]: 554 5.7.1 <subscriber-dhcp-cgn-#-191-7-1.ISP.net[#.191.7.1]>: Client host rejected: Access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<[10.5.19.6]>

and this looks like your client IP is rejected.

>submission inet n       -       n       -       -       smtpd
> -o syslog_name=postfix/submission
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> -o milter_macro_daemon_name=ORIGINATING

and this looks like your mail client did not authenticate to postfix.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?

Re: Trying to resolve Client host rejected: Access denied errors

David Drum
Matus UHLAR wrote:

> out from your postfix server?  This looks like you have problems sending out to your postfix server

Yes, that is a better way to phrase it.

> and this looks like your client IP is rejected.

Why would it be, when I am coming from mynetworks? In any case, given that

> and this looks like your mail client did not authenticate to postfix.

I have double-checked my Mail.app client configuration and password. I still cannot send mail from my client to postfix for delivery locally or remotely. Is there anything about my postfix configuration telling it not to prompt clients for credentials? How would I go about fixing it?

Regards,

David Drum
[hidden email]
--
"Penultimate."  Ooh!  Second-best word ever!--Frazz


Re: Trying to resolve Client host rejected: Access denied errors

Bill Cole-3
On 12 Jun 2019, at 20:28, David Drum wrote:

> Matus UHLAR wrote:
>
>> out from your postfix server?  This looks like you have problems
>> sending out to your postfix server
>
> Yes, that is a better way to phrase it.
>
>> and this looks like your client IP is rejected.
>
> Why would it be, when I am coming from mynetworks? In any case, given
> that
>
>> and this looks like your mail client did not authenticate to postfix.
>
> I have double-checked my Mail.app client configuration and password. I
> still cannot send mail from my client to postfix for delivery locally
> or remotely. Is there anything about my postfix configuration telling
> it not to prompt clients for credentials? How would I go about fixing
> it?
I don't see anything that should be causing the rejection other than the
possible lack of SASL authentication.

Since you're using Mail.app, you can get a detailed log of a test mail
submission session with the "Connection Doctor" feature. That log will
show whether you are getting the right responses to EHLO from Postfix
before and after TLS establishment that would tell Mail.app to try to
authenticate. The log should look something like the attached example.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)

toaster.scconsult.com-BCC6BA8C-5AB1-47AA-9B22-3AF232F1DFB5.txt (2K) Download Attachment
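
The check that a Connection Doctor log supports, as an added example that is not part of the message above or its attachment: it reads the EHLO replies sent before and after STARTTLS and reports whether the server ever offers AUTH. The sample replies, the host name `mail.example.test` and the function names are constructed for illustration; `probe()` is meant for a server you administer.

```python
import re
import smtplib
import ssl

# Constructed sample replies (not taken from the thread): what a submission
# service with smtpd_tls_auth_only=yes and broken_sasl_auth_clients=yes
# typically sends before and after STARTTLS.
BEFORE_TLS = "250-mail.example.test\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
AFTER_TLS = ("250-mail.example.test\n250-PIPELINING\n250-AUTH PLAIN LOGIN\n"
             "250-AUTH=PLAIN LOGIN\n250 8BITMIME")
# Constructed failure case: TLS works, but no AUTH line is ever sent.
AFTER_TLS_NO_AUTH = "250-mail.example.test\n250-PIPELINING\n250 8BITMIME"

KEYWORD = re.compile(r"^([A-Za-z0-9][A-Za-z0-9-]*)[ =]?(.*)$")


def ehlo_keywords(reply):
    """Map each EHLO keyword (upper-cased) to the set of its parameters."""
    keywords = {}
    for line in reply.splitlines()[1:]:           # first line is the greeting
        line = re.sub(r"^\d{3}[- ]", "", line.strip())
        match = KEYWORD.match(line)
        if not match:
            continue
        # "AUTH=PLAIN LOGIN" is the legacy form that broken_sasl_auth_clients
        # adds; it is merged with the standard "AUTH PLAIN LOGIN" line.
        name, params = match.group(1).upper(), match.group(2).upper().split()
        keywords.setdefault(name, set()).update(params)
    return keywords


def diagnose(before, after):
    """Explain why a client would or would not try to authenticate."""
    pre = ehlo_keywords(before)
    if "AUTH" in pre:
        return "AUTH offered before TLS: credentials could travel in cleartext"
    if "STARTTLS" not in pre:
        return "no STARTTLS: with smtpd_tls_auth_only=yes AUTH is never offered"
    post = ehlo_keywords(after or "")
    if not post.get("AUTH"):
        return ("no AUTH after STARTTLS: the client has nothing to authenticate "
                "with; check the backend behind smtpd_sasl_type/smtpd_sasl_path")
    return "ok: AUTH offered after STARTTLS: " + " ".join(sorted(post["AUTH"]))


def probe(host, port=587):
    """Live version of the same check; returns the diagnose() verdict."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        before = smtp.ehlo()[1].decode("ascii", "replace")
        after = ""
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            after = smtp.ehlo()[1].decode("ascii", "replace")
        return diagnose(before, after)


if __name__ == "__main__":
    print(diagnose(BEFORE_TLS, AFTER_TLS))
    print(diagnose(BEFORE_TLS, AFTER_TLS_NO_AUTH))
```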

Re: Trying to resolve Client host rejected: Access denied errors

Matus UHLAR - fantomas
>Matus UHLAR wrote:
>> and this looks like your client IP is rejected.

On 12.06.19 19:28, David Drum wrote:
>Why would it be, when I am coming from mynetworks? In any case, given that

That's because requiring sasl authentication means you require it
unconditionally.

Ports 465 and 587 should both require authentication unconditionally, no
matter if you send mail to the inside and from mynetworks.

>> and this looks like your mail client did not authenticate to postfix.
>
>I have double-checked my Mail.app client configuration and password.

and, does it use the login/password? It should be visible in configuration
and postfix logs:

Jun 13 02:04:28 mail postfix/smtps/smtpd[12069]: AA8B71C00BE: client=xxx.xx[1.2.3.4], sasl_method=PLAIN, sasl_username=redacted

> I
> still cannot send mail from my client to postfix for delivery locally or
> remotely.  Is there anything about my postfix configuration telling it not
> to prompt clients for credentials?  How would I go about fixing it?

you should try and fix SASL authentication.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.
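
The log check described in the last reply, as an added example that is not part of the original thread: for every "Client host rejected: Access denied" on the submission and smtps services it reports whether the same connection logged a failed AUTH attempt or no AUTH attempt at all. The log lines are constructed in the formats quoted in the thread, with documentation-range addresses; `triage` is a hypothetical helper name.

```python
import re

# Constructed log lines in the formats quoted in this thread. The
# "authentication failed" warning is Postfix's usual wording for a
# rejected AUTH attempt; the last line is port 25 traffic and is ignored.
SAMPLE_LOG = """\
Jun 13 02:00:01 mail postfix/submission/smtpd[2001]: connect from client-a.example.test[192.0.2.10]
Jun 13 02:00:02 mail postfix/submission/smtpd[2001]: NOQUEUE: reject: RCPT from client-a.example.test[192.0.2.10]: 554 5.7.1 <client-a.example.test[192.0.2.10]>: Client host rejected: Access denied; from=<a@example.test> to=<b@example.test> proto=ESMTP helo=<[10.0.0.5]>
Jun 13 02:01:00 mail postfix/submission/smtpd[2002]: connect from client-b.example.test[192.0.2.11]
Jun 13 02:01:01 mail postfix/submission/smtpd[2002]: warning: client-b.example.test[192.0.2.11]: SASL PLAIN authentication failed:
Jun 13 02:01:02 mail postfix/submission/smtpd[2002]: NOQUEUE: reject: RCPT from client-b.example.test[192.0.2.11]: 554 5.7.1 <client-b.example.test[192.0.2.11]>: Client host rejected: Access denied; from=<a@example.test> to=<b@example.test> proto=ESMTP helo=<[10.0.0.6]>
Jun 13 02:04:27 mail postfix/smtps/smtpd[2003]: connect from client-c.example.test[192.0.2.12]
Jun 13 02:04:28 mail postfix/smtps/smtpd[2003]: AA8B71C00BE: client=client-c.example.test[192.0.2.12], sasl_method=PLAIN, sasl_username=user
Jun 13 02:05:00 mail postfix/smtpd[2004]: connect from mx.example.test[192.0.2.13]
"""

# Only the services whose syslog_name is set in master.cf to
# postfix/submission or postfix/smtps require authentication.
SERVICE = re.compile(r"postfix/(submission|smtps)/smtpd\[(\d+)\]: (.*)")
PEER = re.compile(r"\[([^\]]+)\]")


def triage(log_text):
    """Return (service, client_ip, cause) for each 'Access denied' reject."""
    auth_state = {}    # smtpd pid -> what the current connection did with AUTH
    findings = []
    for line in log_text.splitlines():
        match = SERVICE.search(line)
        if not match:
            continue   # port 25 and non-smtpd lines are out of scope
        service, pid, msg = match.groups()
        if msg.startswith("connect from "):
            auth_state[pid] = "no AUTH attempt logged"
        elif re.search(r"SASL \S+ authentication failed", msg):
            auth_state[pid] = "AUTH attempted and failed"
        elif "sasl_method=" in msg:
            auth_state[pid] = "authenticated"
        elif "Client host rejected: Access denied" in msg:
            peer = PEER.search(msg)
            findings.append((service, peer.group(1) if peer else "?",
                             auth_state.get(pid, "no AUTH attempt logged")))
    return findings


if __name__ == "__main__":
    for service, ip, cause in triage(SAMPLE_LOG):
        print(f"{service:10} {ip:15} {cause}")
```

"No AUTH attempt logged" points at the client or at the server not offering AUTH; "AUTH attempted and failed" points at credentials or the SASL backend.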