peneira redirecionada para e-mail estrangeiro recebe "Relay access denied"

Eu tenho um servidor de e-mail postfix com autenticação sql e quero implementar a peneira nele.

A peneira está funcionando bem, as regras que contêm 'fileinto' são executadas perfeitamente. Eu configurei uma regra no Sieve para redirecionar qualquer email contendo "redirecionamento" em um destino estrangeiro especificado. Então, praticamente um email vindo de [email protected] para o usuário local [email protected] deve ser redirecionado para [email protected] quando o assunto contiver "redirect"

if header :contains ["subject"] ["redirect"]  {redirect "[email protected]"; stop;}

quando eu testo, recebo a seguinte entrada de log

postfix/smtpd[32114]: NOQUEUE: reject: RCPT from mail.server.net[xx.xx.xx.xx]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail.server.net>

Como posso dizer ao postfix para permitir que o dovecot / sieve retransmita o email?

alguém pode dar uma dica?

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
default_process_limit = 15
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
home_mailbox = mail/
inet_interfaces = all
mailbox_size_limit = 0
mydestination = mail.server.net, localhost
myhostname = mail.server.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_recipient_domain, reject_unverified_recipient, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, check_policy_service inet:127.0.0.1:10023
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_authenticated_sender_login_mismatch, reject_unknown_sender_domain
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
virtual_alias_domains = mysql:/etc/postfix/mysql_virtual_alias_domains.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 512000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot

dovecot -n

# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 3.2.0-4-amd64 x86_64 Debian 7.6
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
debug_log_path = /var/log/dovecot/dovecot.debug.log
disable_plaintext_auth = no
first_valid_gid = 99
first_valid_uid = 99
hostname = maxi.zp1.net
info_log_path = /var/log/mail.info
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
listen = xxx.xxx.xxx.xxx
log_path = /var/log/dovecot/dovecot.log
login_greeting = Dovecot ready, Sir.
mail_debug = yes
mail_gid = 99
mail_location = maildir:~/mail:LAYOUT=fs:INBOX=/var/vmail/%u/mail/
mail_plugins = acl
mail_uid = 99
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
  location = maildir:/var/mail/public
  prefix = Public/
  separator = /
  subscriptions = no
  type = public
}
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile
  acl_anyone = allow
  acl_shared_dict = file:/var/lib/dovecot/shared-mailboxes
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box from subject msgid size
  sieve = ~/.dovecot.sieve
  sieve_default = /var/lib/dovecot/sieve/default.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /var/lib/dovecot/sieve/global/
  sieve_max_actions = 64
  sieve_user_log = ~/.dovecot.sieve.log
}
postmaster_address = [email protected]
protocols = " imap sieve pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
  unix_listener auth-userdb {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 1
}
ssl_cert = </etc/dovecot/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.pem
submission_host = smtp.server.net
userdb {
  args = uid=vmail gid=vmail home=/var/vmail/%u
  driver = static
}
verbose_proctitle = yes
protocol lda {
  mail_plugins = acl sieve
}
protocol imap {
  mail_plugins = acl autocreate acl imap_acl
}
protocol sieve {
  mail_max_userip_connections = 10
}