Redmine

We are having trouble pipeing mail to postfix for incorporation into redmine (Works fine if we let postfix stuff it in a mailbox and fetch via IMAP).
The mail makes it through to redmine, but then is rejected with a 5.7.0 code.
Setup:

  ubuntu 24.04
  mysql 8.0.42
  redmine 5.1.9
  apache 2.4.58
  ruby 3.2.3
  rails 6.1.7.10
  postfix 3.8.6-1

I've backed off our normal security as follows:

The project is public
Administration/Settings:
  Authentication
    Authentication required:  No, allow anonymous access to public projects
    Autologin: disabled
  API
    Enable REST web service  <check>
  Incoming Emails
    Enable WS for incoming emails  <check>
    Incoming email WS API key: xxx        present in <redmine-root>/config/mail_key, mode -rw-r--r--
      matches key in mail_key

$ ls -l extra/mail_handler/rdm-mailhandler.rb
-rwxr-xr-x 1 redmine-test redmine-test 10376 Jul  7 21:05 extra/mail_handler/rdm-mailhandler.rb

The postfix aliases file has the following entry:

redmine-test:   "|/usr/local/rvm/rubies/ruby-3.2.3/bin/ruby /home/redmine-test/redmine-test/extra/mail_handler/rdm-mailhandler.rb --url https://localhost/redmine-test --key-file /home/redmine-test/redmine-test/config/mail_key --allow-override all --no-check-certificate" 

The postfix log shows the following:

postfix/local[831803]: 8E68D880F4: to=<redmine-test@example.com>, relay=local, delay=0.38, delays=0.04/0.01/0/0.33, dsn=5.7.0, status=bounced (permission denied. Command output: Request was denied by your Redmine server (401). )

I would appreciate any hints on how to get more diagnostic information.
Also, if I re-enable security by making the project private and setting the following:

Administration/Settings:
  Authentication
    Authentication required:  yes

is there some way to indicate the login password for the user? e.g. similar to the .htpasswd file for apache?