Re: Relay Access Denied when sending mail to an outside domain

  • Big Pizzle
    Feb 28, 2009
      This might be of some use, I turned on MySQL logging for all queries.

      Postfix calls to these three files (I'll include their contents as well and have omitted sensitive information):

      mysql_virtual_domains_maps.cf

      user = USER
      password = PASSWORD
      hosts = localhost
      dbname = DBNAME
      query          = SELECT domain FROM domain WHERE domain='%u'


      mysql_virtual_alias_maps.cf

      user = USER
      password = PASSWORD
      hosts = localhost
      dbname = DBNAME
      query           = SELECT goto FROM alias WHERE address='%s' AND active = '1'


      mysql_virtual_mailbox_maps.cf

      user = USER
      password = PASSWORD
      hosts = localhost
      dbname = DBNAME
      query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'


      I've run all the queries from the MySQL CLI and get results when I query a valid username, email address, or domain.

      After turning on MySQL logging, and trying to use Outlook Express to send a mail to a gmail account, this is what my /var/log/mysql-query.log looks like:

      090228 21:08:22      13 Connect     USER@localhost on DBNAME
                           13 Query       SELECT goto FROM alias WHERE address='yyy.com' AND active = '1'
                           14 Connect     USER@localhost on DBNAME
                           14 Query       SELECT domain FROM domain WHERE domain='yyy.com'
                           13 Query       SELECT goto FROM alias WHERE address='gmail.com' AND active = '1'
                           14 Query       SELECT domain FROM domain WHERE domain='gmail.com'


      My /usr/lib/sasl2/smtpd.conf looks like this:

      pwcheck_method: saslauthd
      mech_list: PLAIN LOGIN

      I have saslauthd started, however all the documentation I read on how to install Postfix, Dovecot, MySQL, and SASL never mentioned starting it up.  I've tested both with it started and with it not.


      What in the world am I overlooking?  Any suggestions?








      On Sat, Feb 28, 2009 at 6:16 PM, Big Pizzle <bigpizzle@...> wrote:


      On Sat, Feb 28, 2009 at 12:15 PM, Sahil Tandon <sahil@...> wrote:
      On Sat, 28 Feb 2009, Big Pizzle wrote:

      > On Sat, Feb 28, 2009 at 11:47 AM, Sahil Tandon <sahil@...> wrote:
      >
      > > On Sat, 28 Feb 2009, Big Pizzle wrote:
      > >
      > > > Hi all,
      > > >
      > > > I've just set up Postfix 2.3.3 to authenticate against a MySQL database
      > > to
      > > > support Virtual Domains, and I'm able to send mail to any domain which
      > > > Postfix knows about, but when I send an e-mail to an outside address such
      > > as
      > > > hotmail, yahoo, etc. I get the following error message in the logs:
      > > >
      > > > Feb 27 22:09:52 juter1 postfix/smtpd[27104]: NOQUEUE: reject: RCPT from
      > > > h-68-167-178-13.snid.cod.net[xx.xxx.xxx.xx]: 554 5.7.1 <
      > > someemail@...>:
      > > > Relay access denied; from=<plum@...> to=<someemail@...>
      > > > proto=SMTP helo=<homebase>
      > >
      > > If you're going to obfuscate the IP, at least take care to similarly cloak
      > > your client's hostname!
      > >
      > > % host h-68-167-178-13.snid.cod.net
      > > h-68-167-178-13.snid.cod.net has address 82.98.86.161
      > >
      >
      > Thanks, but that isn't my IP - guess I did a pretty good job eh?  If you
      > want me to point out WHERE you can find my IP, it's in the first portion of
      > that hostname - cod.net isn't my provider.  :)

      Why obfuscate your *covad* IP when it is in the hostname?

      > > > Here are my main.cf configs:
      > >
      > > Instead, follow the directions in the DEBUG_README, and paste the output of
      > > 'postconf -n'.
      >
      >
      > alias_maps =
      > broken_sasl_auth_clients = yes
      > command_directory = /usr/sbin
      > config_directory = /etc/postfix
      > daemon_directory = /usr/libexec/postfix
      > debug_peer_level = 2
      > disable_vrfy_command = yes
      > html_directory = no
      > inet_interfaces = localhost, $myhostname

      $myhostname is not an interface.  See:
      http://www.postfix.org/postconf.5.html#inet_interfaces

      > invalid_hostname_reject_code = 450
      > local_transport = virtual
      > mail_owner = postfix
      > mailq_path = /usr/bin/mailq.postfix
      > manpage_directory = /usr/share/man
      > maps_rbl_reject_code = 450
      > mydestination = $myhostname, localhost.$mydomain, localhost
      > myhostname = xxx.yyy.com
      > mynetworks = 127.0.0.0/8
      > newaliases_path = /usr/bin/newaliases.postfix
      > non_fqdn_reject_code = 450
      > queue_directory = /var/spool/postfix
      > readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
      > sample_directory = /usr/share/doc/postfix-2.3.3/samples
      > sendmail_path = /usr/sbin/sendmail.postfix
      > setgid_group = postdrop
      > show_user_unknown_table_name = no
      > smtpd_helo_required = yes
      > smtpd_recipient_restrictions = permit_mynetworks
      > permit_sasl_authenticated         reject_unauth_destination
      > smtpd_sasl_auth_enable = yes
      > smtpd_sasl_exceptions_networks = $mynetworks
      > smtpd_sasl_local_domain = $myhostname
      > smtpd_sasl_path = /var/spool/postfix/private/auth
      > smtpd_sasl_security_options = noanonymous
      > smtpd_sasl_type = dovecot
      > unknown_local_recipient_reject_code = 550
      > virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
      > virtual_gid_maps = static:10000
      > virtual_mailbox_base = /home/vmail
      > virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
      > virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
      > virtual_minimum_uid = 10000
      > virtual_transport = virtual
      > virtual_uid_maps = static:10000
      >
      > > > When telnetting to port 25, and issuing the EHLO command, I get the
      > > > following:
      > > >
      > > > 250-jupiter1.national.com
      > > > 250-PIPELINING
      > > > 250-SIZE 10240000
      > > > 250-ETRN
      > > > 250-ENHANCEDSTATUSCODES
      > > > 250-8BITMIME
      > > > 250 DSN
      > > >
      > > > I don't see anywhere where it shows what authentication mechanism I am
      > > > using.  Could this be the issue?  I want people to be required to
      > > > authenticate if they are going to be sending mail from this server to
      > > > external addresses.  'My Server Requires Authentication' is checked in my
      > > > mail client.
      > >
      > > Your server appears configured to support SASL but not TLS (following EHLO,
      > > it does not announce STARTTLS support to the SMTP client).  You need to
      > > show
      > > your postconf output, specifically the smtpd_mumble_restrictions, which is
      > > where you can require SASL authentication to relay mail externally.  From
      > > your question, I suspect you are conflating SASL and TLS.  See:
      > > http://www.postfix.org/TLS_README.html
      > > http://www.postfix.org/SASL_README.html
      >
      >
      > It was my understanding that TLS was for secure connections - do I need TLS
      > as well in order for SASL to work?

      Nay, but don't look for special announcements after EHLO to tell you that the
      server supports SASL.  Testing SASL setup on the server is documented in the
      link I pasted above.  Here it is again, this time with a specific section:
      http://www.postfix.org/SASL_README.html#server_test

      --
      Sahil Tandon <sahil@...>


      Thanks for the link Sahil.  I've run sasl2-sample-server and sasl2-sample-client, here are the outputs from both (I made a few changes, adding TLS per mouss' suggestion but I'm still getting relay access denied).  Here's a quick legend as to what means what:

      xxx = hostname
      yyy.com = domain name
      fff.com = one of the virtual domains hosted on the xxx.yyy.com machine.


      sasl2-sample-server:
      [root@xxx postfix]# sasl2-sample-server
      trying 2, 1, 6
      trying 10, 1, 6
      socket: Address family not supported by protocol
      accepted new connection
      send: {9}
      ANONYMOUS
      recv: {9}
      ANONYMOUS
      recv: {1}
      Y
      recv: {32}
      user@...@xxx
      successful authentication 'anonymous'
      closing connection
      accepted new connection
      send: {9}
      ANONYMOUS
      recv: {9}
      ANONYMOUS
      recv: {1}
      Y
      recv: {12}
      ger@xxx
      successful authentication 'anonymous'
      closing connection



      sasl2-sample-client:
      [root@xxx sample]# sasl2-sample-client localhost
      receiving capability list... recv: {9}
      ANONYMOUS
      ANONYMOUS
      please enter an authorization id: user@...
      send: {9}
      ANONYMOUS
      send: {1}
      Y
      send: {32}
      user@...@xxx
      successful authentication
      closing connection
      [root@xxx sample]# sasl2-sample-client localhost
      receiving capability list... recv: {9}
      ANONYMOUS
      ANONYMOUS
      please enter an authorization id: ger
      send: {9}
      ANONYMOUS
      send: {1}
      Y
      send: {12}
      ger@xxx
      successful authentication
      closing connection


      This is what I see in the logs:
      Feb 28 17:45:09 xxx sasl2-sample-server: sql_select option missing
      Feb 28 17:45:09 xxx sasl2-sample-server: auxpropfunc error no mechanism available
      Feb 28 17:45:09 xxx sasl2-sample-server: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql


      I notice that it's attaching @xxx to whatever username I enter - could that be (one of) the issue(s) at hand? 


      I'm using Dovecot's SASL mechanism inside Postfix.  I will post my dovecot.conf configuration as well as the output of postfix -n below:

      /etc/dovecot.conf:

      protocols = imap pop3
      disable_plaintext_auth = no

      mail_location = maildir:/var/mail/%d/%u
      first_valid_uid = 10000
      last_valid_uid = 10000
      maildir_copy_with_hardlinks = yes

      protocol imap {
        imap_client_workarounds = outlook-idle delay-newmail
      }

      protocol pop3 {
        pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
      }

      protocol lda {
        postmaster_address = postmaster@...
        log_path = /var/log/dovecot-deliver.log
        info_log_path = /var/log/dovecot-deliver.log
      }

      auth default {
        mechanisms = plain login

        passdb sql {

          args = /etc/dovecot/sql.conf
        }

        userdb passwd {
        }

        userdb sql {

          args = /etc/dovecot/sql.conf
        }

        userdb prefetch {
        }

        user = root

        socket listen {
          master {
            path = /var/run/dovecot/auth-master
            mode = 0600
            user = vmail
            group = vmail
          }
          client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
          }
        }
      }

      dict {
      }

      plugin {
      }





      postfix -n output:


      alias_maps =
      broken_sasl_auth_clients = yes
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      debug_peer_level = 2
      disable_vrfy_command = yes
      html_directory = no
      inet_interfaces = all

      invalid_hostname_reject_code = 450
      local_transport = virtual
      mail_owner = postfix
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      maps_rbl_reject_code = 450
      mydestination = $myhostname, localhost.$mydomain, localhost
      myhostname = xxx.yyy.com
      mynetworks = 127.0.0.0/8
      newaliases_path = /usr/bin/newaliases.postfix
      non_fqdn_reject_code = 450
      queue_directory = /var/spool/postfix
      readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
      sample_directory = /usr/share/doc/postfix-2.3.3/samples
      sendmail_path = /usr/sbin/sendmail.postfix
      setgid_group = postdrop
      show_user_unknown_table_name = no
      smtp_use_tls = no

      smtpd_helo_required = yes
      smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_path = private/auth
      smtpd_sasl_type = dovecot
      smtpd_tls_auth_only = no
      smtpd_tls_cert_file = /usr/local/ssl/xxx.yyy.com.crt
      smtpd_tls_key_file = /usr/local/ssl/xxx.yyy.com.key
      smtpd_tls_loglevel = 1
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_database = btree:/etc/postfix/tls_smtpd_scache
      smtpd_use_tls = yes

      unknown_local_recipient_reject_code = 550
      virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
      virtual_gid_maps = static:10000
      virtual_mailbox_base = /home/vmail
      virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
      virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
      virtual_minimum_uid = 10000
      virtual_transport = virtual
      virtual_uid_maps = static:10000



      my /etc/postfix/master.cf has the following:
      smtp      inet  n       -       n       -       -       smtpd
      smtps     inet  n       -       n       -       -       smtpd
        -o smtpd_sasl_auth_enable=yes


      Here's a telnet output to port 25:
      xxx:~#  telnet xxx.yyy.com 25
      Trying 123.123.123.123...
      Connected to xxx.
      Escape character is '^]'.
      220 xxx.yyy.com ESMTP Postfix
      ehlo local
      250-xxx.yyy.com

      250-PIPELINING
      250-SIZE 10240000
      250-ETRN
      250-STARTTLS
      250-AUTH PLAIN LOGIN
      250-AUTH=PLAIN LOGIN

      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN
      quit
      221 2.0.0 Bye
      Connection closed by foreign host.
      Exit 1



      Dovecot works just fine - I'm able to telnet to port 110 and authenticate with a legitimate username and password (using user@... as the username).

      Thanks for all the help.  Hopefully someone can see something I can't.
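To make concrete why the posted configuration answers the Outlook Express client with "Relay access denied", here is an added Python model (my own illustration, not Postfix code and not from anyone in the thread) of the smtpd_recipient_restrictions walk taken from the postconf -n output above, together with a parser for the two EHLO replies shown in the thread. It assumes the MySQL domain table holds the virtual domain fff.com named in the legend, and uses the documentation address 203.0.113.5 as a stand-in for the mail client; both values are constructed. With permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination in that order, a client outside 127.0.0.0/8 that has not completed SASL authentication by the time of RCPT TO reaches reject_unauth_destination for gmail.com and is refused, which is the rejection the thread is about and also what keeps this server from being an open relay. The second half flags when PLAIN/LOGIN are offered on the cleartext channel, as the posted EHLO does with smtpd_tls_auth_only = no.

```python
# Added illustration of the relay decision for the config posted in this thread.
# Not Postfix source: the MySQL domain table is a small in-memory set and the
# client address is a constructed documentation value.
import ipaddress

# Values taken from the posted 'postconf -n' output.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
MYDESTINATION = {"xxx.yyy.com", "localhost.yyy.com", "localhost"}
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination"]
# Assumption: what the 'domain' table behind mysql_virtual_domains_maps.cf
# would answer for the hosted virtual domain named in the thread's legend.
VIRTUAL_MAILBOX_DOMAINS = {"fff.com"}
RELAY_DOMAINS = set()  # relay_domains is not set in the posted config

RELAY_DENIED = "554 5.7.1 Relay access denied"


def in_mynetworks(client_ip):
    """True when the SMTP client address lies in one of the $mynetworks blocks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MYNETWORKS)


def is_authorized_destination(recipient):
    """The test behind reject_unauth_destination: the recipient domain must be
    one this server is final destination for, or one it explicitly relays for.
    The 'SELECT domain FROM domain WHERE domain=...' lines in the posted MySQL
    query log are this lookup hitting the virtual domain table."""
    domain = recipient.rpartition("@")[2].lower()
    return (domain in MYDESTINATION
            or domain in VIRTUAL_MAILBOX_DOMAINS
            or domain in RELAY_DOMAINS)


def evaluate_rcpt(client_ip, sasl_username, recipient, restrictions=RESTRICTIONS):
    """Walk smtpd_recipient_restrictions left to right. The first restriction
    that yields PERMIT or REJECT decides; anything else is DUNNO and the next
    one is consulted. Returns (verdict, reason)."""
    for restriction in restrictions:
        if restriction == "permit_mynetworks" and in_mynetworks(client_ip):
            return "PERMIT", restriction
        if restriction == "permit_sasl_authenticated" and sasl_username:
            return "PERMIT", restriction
        if (restriction == "reject_unauth_destination"
                and not is_authorized_destination(recipient)):
            return "REJECT", RELAY_DENIED
    # Postfix's implicit action when the list is exhausted is permit.
    return "PERMIT", "end of list"


def parse_ehlo(reply):
    """Parse a multi-line 250 reply to EHLO into {KEYWORD: set(args)}. The first
    250 line is the server name and is skipped. 'AUTH PLAIN LOGIN' and the
    'AUTH=PLAIN LOGIN' form added by broken_sasl_auth_clients share one entry."""
    caps = {}
    seen_greeting = False
    for line in reply.splitlines():
        line = line.strip()
        if not line.startswith("250"):
            continue
        if not seen_greeting:
            seen_greeting = True
            continue
        body = line[4:].strip()  # drop '250-' or '250 '
        if body.upper().startswith("AUTH="):
            body = "AUTH " + body[5:]
        keyword, _, args = body.partition(" ")
        caps.setdefault(keyword.upper(), set()).update(args.split())
    return caps


def audit_ehlo(reply, tls_auth_only):
    """Defender-side checks on what a cleartext port-25 EHLO reveals.
    tls_auth_only mirrors the smtpd_tls_auth_only value from postconf -n."""
    caps = parse_ehlo(reply)
    findings = []
    mechanisms = caps.get("AUTH", set())
    if not mechanisms:
        findings.append("no AUTH advertised: only $mynetworks clients can relay")
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS: any AUTH exchange would travel in the clear")
    if mechanisms & {"PLAIN", "LOGIN"} and not tls_auth_only:
        findings.append("PLAIN/LOGIN offered before STARTTLS (smtpd_tls_auth_only = no)")
    return caps, findings


# Constructed EHLO replies reproducing the two captures in the thread.
EHLO_BEFORE = """250-xxx.yyy.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EHLO_AFTER = """250-xxx.yyy.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

if __name__ == "__main__":
    # 203.0.113.5 is a constructed documentation address standing in for the client.
    print(evaluate_rcpt("203.0.113.5", None, "someone@gmail.com"))
    print(evaluate_rcpt("203.0.113.5", "user@fff.com", "someone@gmail.com"))
    print(evaluate_rcpt("127.0.0.1", None, "someone@gmail.com"))
    print(evaluate_rcpt("203.0.113.5", None, "someone@fff.com"))
    for reply in (EHLO_BEFORE, EHLO_AFTER):
        caps, findings = audit_ehlo(reply, tls_auth_only=False)
        print(sorted(caps.get("AUTH", ())), findings)
```

Running the block prints the four verdicts and the audit findings for both EHLO captures. The point to take away is that the restriction order itself is sound: an unauthenticated outside client is refused for gmail.com and accepted for the hosted domain, so the thing to debug is why permit_sasl_authenticated did not fire for the client (the session was not SASL-authenticated when RCPT TO arrived), not the restriction list.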
