
Relay Access Denied when sending mail to an outside domain

  • Big Pizzle
    Message 1 of 8 , Feb 28, 2009
      Hi all,

      I've just set up Postfix 2.3.3 to authenticate against a MySQL database to support Virtual Domains, and I'm able to send mail to any domain which Postfix knows about, but when I send an e-mail to an outside address such as hotmail, yahoo, etc. I get the following error message in the logs:

      Feb 27 22:09:52 juter1 postfix/smtpd[27104]: NOQUEUE: reject: RCPT from h-68-167-178-13.snid.cod.net[xx.xxx.xxx.xx]: 554 5.7.1 <someemail@...>: Relay access denied; from=<plum@...> to=<someemail@...> proto=SMTP helo=<homebase>

      Here are my main.cf configs:



      queue_directory = /var/spool/postfix
      command_directory = /usr/sbin
      daemon_directory = /usr/libexec/postfix
      mail_owner = postfix
      mydestination = $myhostname, localhost.$mydomain
      unknown_local_recipient_reject_code = 550
      alias_maps =
      debug_peer_level = 2
      debugger_command =
               PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
               xxgdb $daemon_directory/$process_name $process_id & sleep 5
      sendmail_path = /usr/sbin/sendmail.postfix
      newaliases_path = /usr/bin/newaliases.postfix
      mailq_path = /usr/bin/mailq.postfix
      setgid_group = postdrop
      html_directory = no
      manpage_directory = /usr/share/man
      sample_directory = /usr/share/doc/postfix-2.3.3/samples
      readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES

      #LOCAL SETTINGS
      myhostname = xx.yyy.com
      inet_interfaces = localhost, $myhostname
      mydestination = $myhostname, localhost.$mydomain, localhost
      show_user_unknown_table_name = no
      local_transport = virtual

      #VIRTUAL DOMAINS START
      virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
      virtual_mailbox_base = /home/vmail
      virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
      virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
      virtual_minimum_uid = 10000
      virtual_uid_maps = static:10000
      virtual_gid_maps = static:10000
      virtual_transport = virtual
      #VIRTUAL DOMAINS END

      #SASL PART START
      smtpd_sasl_auth_enable = yes
      broken_sasl_auth_clients = yes
      smtpd_sasl_type = dovecot
      smtpd_sasl_path = /var/spool/postfix/private/auth
      smtpd_sasl_local_domain = $myhostname
      smtpd_sasl_exceptions_networks = $mynetworks
      smtpd_sasl_security_options = noanonymous
      #SASL PART END

      smtpd_helo_required = yes
      disable_vrfy_command = yes
      non_fqdn_reject_code = 450
      invalid_hostname_reject_code = 450
      maps_rbl_reject_code = 450



      When telnetting to port 25, and issuing the EHLO command, I get the following:

      250-jupiter1.national.com
      250-PIPELINING
      250-SIZE 10240000
      250-ETRN
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN

      I don't see anywhere where it shows what authentication mechanism I am using.  Could this be the issue?  I want people to be required to authenticate if they are going to be sending mail from this server to external addresses.  'My Server Requires Authentication' is checked in my mail client.

      I've searched Google, I've read so many articles and for some reason I can't seem to find a fix to my issue.

      Could someone point me in the right direction and let me know what I'm missing from my configs?

      Please let me know if I need to supply more information, as I would be more than happy to.

      Thanks in advance!


    • Sahil Tandon
      Message 2 of 8 , Feb 28, 2009
        On Sat, 28 Feb 2009, Big Pizzle wrote:

        > Hi all,
        >
        > I've just set up Postfix 2.3.3 to authenticate against a MySQL database to
        > support Virtual Domains, and I'm able to send mail to any domain which
        > Postfix knows about, but when I send an e-mail to an outside address such as
        > hotmail, yahoo, etc. I get the following error message in the logs:
        >
        > Feb 27 22:09:52 juter1 postfix/smtpd[27104]: NOQUEUE: reject: RCPT from
        > h-68-167-178-13.snid.cod.net[xx.xxx.xxx.xx]: 554 5.7.1 <someemail@...>:
        > Relay access denied; from=<plum@...> to=<someemail@...>
        > proto=SMTP helo=<homebase>

        If you're going to obfuscate the IP, at least take care to similarly cloak
        your client's hostname!

        % host h-68-167-178-13.snid.cod.net
        h-68-167-178-13.snid.cod.net has address 82.98.86.161

        > Here are my main.cf configs:

        Instead, follow the directions in the DEBUG_README, and paste the output of
        'postconf -n'.

        > When telnetting to port 25, and issuing the EHLO command, I get the
        > following:
        >
        > 250-jupiter1.national.com
        > 250-PIPELINING
        > 250-SIZE 10240000
        > 250-ETRN
        > 250-ENHANCEDSTATUSCODES
        > 250-8BITMIME
        > 250 DSN
        >
        > I don't see anywhere where it shows what authentication mechanism I am
        > using. Could this be the issue? I want people to be required to
        > authenticate if they are going to be sending mail from this server to
        > external addresses. 'My Server Requires Authentication' is checked in my
        > mail client.

        Your server appears configured to support SASL but not TLS (following EHLO,
        it does not announce STARTTLS support to the SMTP client). You need to show
        your postconf output, specifically the smtpd_mumble_restrictions, which is
        where you can require SASL authentication to relay mail externally. From
        your question, I suspect you are conflating SASL and TLS. See:
        http://www.postfix.org/TLS_README.html
        http://www.postfix.org/SASL_README.html

        --
        Sahil Tandon <sahil@...>
      • Big Pizzle
        Message 3 of 8 , Feb 28, 2009
          On Sat, Feb 28, 2009 at 11:47 AM, Sahil Tandon <sahil@...> wrote:
          On Sat, 28 Feb 2009, Big Pizzle wrote:

          > Hi all,
          >
          > I've just set up Postfix 2.3.3 to authenticate against a MySQL database to
          > support Virtual Domains, and I'm able to send mail to any domain which
          > Postfix knows about, but when I send an e-mail to an outside address such as
          > hotmail, yahoo, etc. I get the following error message in the logs:
          >
          > Feb 27 22:09:52 juter1 postfix/smtpd[27104]: NOQUEUE: reject: RCPT from
          > h-68-167-178-13.snid.cod.net[xx.xxx.xxx.xx]: 554 5.7.1 <someemail@...>:
          > Relay access denied; from=<plum@...> to=<someemail@...>
          > proto=SMTP helo=<homebase>

          If you're going to obfuscate the IP, at least take care to similarly cloak
          your client's hostname!

          % host h-68-167-178-13.snid.cod.net
          h-68-167-178-13.snid.cod.net has address 82.98.86.161


          Thanks, but that isn't my IP - guess I did a pretty good job eh?  If you want me to point out WHERE you can find my IP, it's in the first portion of that hostname - cod.net isn't my provider.  :)

          > Here are my main.cf configs:

          Instead, follow the directions in the DEBUG_README, and paste the output of
          'postconf -n'.

          alias_maps =
          broken_sasl_auth_clients = yes
          command_directory = /usr/sbin
          config_directory = /etc/postfix
          daemon_directory = /usr/libexec/postfix
          debug_peer_level = 2
          disable_vrfy_command = yes
          html_directory = no
          inet_interfaces = localhost, $myhostname
          invalid_hostname_reject_code = 450
          local_transport = virtual
          mail_owner = postfix
          mailq_path = /usr/bin/mailq.postfix
          manpage_directory = /usr/share/man
          maps_rbl_reject_code = 450
          mydestination = $myhostname, localhost.$mydomain, localhost
          myhostname = xxx.yyy.com
          mynetworks = 127.0.0.0/8
          newaliases_path = /usr/bin/newaliases.postfix
          non_fqdn_reject_code = 450
          queue_directory = /var/spool/postfix
          readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
          sample_directory = /usr/share/doc/postfix-2.3.3/samples
          sendmail_path = /usr/sbin/sendmail.postfix
          setgid_group = postdrop
          show_user_unknown_table_name = no
          smtpd_helo_required = yes
          smtpd_recipient_restrictions = permit_mynetworks         permit_sasl_authenticated         reject_unauth_destination
          smtpd_sasl_auth_enable = yes
          smtpd_sasl_exceptions_networks = $mynetworks
          smtpd_sasl_local_domain = $myhostname
          smtpd_sasl_path = /var/spool/postfix/private/auth
          smtpd_sasl_security_options = noanonymous
          smtpd_sasl_type = dovecot
          unknown_local_recipient_reject_code = 550
          virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
          virtual_gid_maps = static:10000
          virtual_mailbox_base = /home/vmail
          virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
          virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
          virtual_minimum_uid = 10000
          virtual_transport = virtual
          virtual_uid_maps = static:10000


          > When telnetting to port 25, and issuing the EHLO command, I get the
          > following:
          >
          > 250-jupiter1.national.com
          > 250-PIPELINING
          > 250-SIZE 10240000
          > 250-ETRN
          > 250-ENHANCEDSTATUSCODES
          > 250-8BITMIME
          > 250 DSN
          >
          > I don't see anywhere where it shows what authentication mechanism I am
          > using.  Could this be the issue?  I want people to be required to
          > authenticate if they are going to be sending mail from this server to
          > external addresses.  'My Server Requires Authentication' is checked in my
          > mail client.

          Your server appears configured to support SASL but not TLS (following EHLO,
          it does not announce STARTTLS support to the SMTP client).  You need to show
          your postconf output, specifically the smtpd_mumble_restrictions, which is
          where you can require SASL authentication to relay mail externally.  From
          your question, I suspect you are conflating SASL and TLS.  See:
          http://www.postfix.org/TLS_README.html
          http://www.postfix.org/SASL_README.html

          It was my understanding that TLS was for secure connections - do I need TLS as well in order for SASL to work?


          --
          Sahil Tandon <sahil@...>

        • Sahil Tandon
          Message 4 of 8 , Feb 28, 2009
            On Sat, 28 Feb 2009, Big Pizzle wrote:

            > On Sat, Feb 28, 2009 at 11:47 AM, Sahil Tandon <sahil@...> wrote:
            >
            > > On Sat, 28 Feb 2009, Big Pizzle wrote:
            > >
            > > > Hi all,
            > > >
            > > > I've just set up Postfix 2.3.3 to authenticate against a MySQL database
            > > to
            > > > support Virtual Domains, and I'm able to send mail to any domain which
            > > > Postfix knows about, but when I send an e-mail to an outside address such
            > > as
            > > > hotmail, yahoo, etc. I get the following error message in the logs:
            > > >
            > > > Feb 27 22:09:52 juter1 postfix/smtpd[27104]: NOQUEUE: reject: RCPT from
            > > > h-68-167-178-13.snid.cod.net[xx.xxx.xxx.xx]: 554 5.7.1 <
            > > someemail@...>:
            > > > Relay access denied; from=<plum@...> to=<someemail@...>
            > > > proto=SMTP helo=<homebase>
            > >
            > > If you're going to obfuscate the IP, at least take care to similarly cloak
            > > your client's hostname!
            > >
            > > % host h-68-167-178-13.snid.cod.net
            > > h-68-167-178-13.snid.cod.net has address 82.98.86.161
            > >
            >
            > Thanks, but that isn't my IP - guess I did a pretty good job eh? If you
            > want me to point out WHERE you can find my IP, it's in the first portion of
            > that hostname - cod.net isn't my provider. :)

            Why obfuscate your *covad* IP when it is in the hostname?

            > > > Here are my main.cf configs:
            > >
            > > Instead, follow the directions in the DEBUG_README, and paste the output of
            > > 'postconf -n'.
            >
            >
            > alias_maps =
            > broken_sasl_auth_clients = yes
            > command_directory = /usr/sbin
            > config_directory = /etc/postfix
            > daemon_directory = /usr/libexec/postfix
            > debug_peer_level = 2
            > disable_vrfy_command = yes
            > html_directory = no
            > inet_interfaces = localhost, $myhostname

            $myhostname is not an interface. See:
            http://www.postfix.org/postconf.5.html#inet_interfaces

            > invalid_hostname_reject_code = 450
            > local_transport = virtual
            > mail_owner = postfix
            > mailq_path = /usr/bin/mailq.postfix
            > manpage_directory = /usr/share/man
            > maps_rbl_reject_code = 450
            > mydestination = $myhostname, localhost.$mydomain, localhost
            > myhostname = xxx.yyy.com
            > mynetworks = 127.0.0.0/8
            > newaliases_path = /usr/bin/newaliases.postfix
            > non_fqdn_reject_code = 450
            > queue_directory = /var/spool/postfix
            > readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
            > sample_directory = /usr/share/doc/postfix-2.3.3/samples
            > sendmail_path = /usr/sbin/sendmail.postfix
            > setgid_group = postdrop
            > show_user_unknown_table_name = no
            > smtpd_helo_required = yes
            > smtpd_recipient_restrictions = permit_mynetworks
            > permit_sasl_authenticated reject_unauth_destination
            > smtpd_sasl_auth_enable = yes
            > smtpd_sasl_exceptions_networks = $mynetworks
            > smtpd_sasl_local_domain = $myhostname
            > smtpd_sasl_path = /var/spool/postfix/private/auth
            > smtpd_sasl_security_options = noanonymous
            > smtpd_sasl_type = dovecot
            > unknown_local_recipient_reject_code = 550
            > virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
            > virtual_gid_maps = static:10000
            > virtual_mailbox_base = /home/vmail
            > virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
            > virtual_mailbox_maps = proxy:mysql:/etc/postfix/
            > mysql_virtual_mailbox_maps.cf
            > virtual_minimum_uid = 10000
            > virtual_transport = virtual
            > virtual_uid_maps = static:10000
            >
            > > > When telnetting to port 25, and issuing the EHLO command, I get the
            > > > following:
            > > >
            > > > 250-jupiter1.national.com
            > > > 250-PIPELINING
            > > > 250-SIZE 10240000
            > > > 250-ETRN
            > > > 250-ENHANCEDSTATUSCODES
            > > > 250-8BITMIME
            > > > 250 DSN
            > > >
            > > > I don't see anywhere where it shows what authentication mechanism I am
            > > > using. Could this be the issue? I want people to be required to
            > > > authenticate if they are going to be sending mail from this server to
            > > > external addresses. 'My Server Requires Authentication' is checked in my
            > > > mail client.
            > >
            > > Your server appears configured to support SASL but not TLS (following EHLO,
            > > it does not announce STARTTLS support to the SMTP client). You need to
            > > show
            > > your postconf output, specifically the smtpd_mumble_restrictions, which is
            > > where you can require SASL authentication to relay mail externally. From
            > > your question, I suspect you are conflating SASL and TLS. See:
            > > http://www.postfix.org/TLS_README.html
            > > http://www.postfix.org/SASL_README.html
            >
            >
            > It was my understanding that TLS was for secure connections - do I need TLS
            > as well in order for SASL to work?

            Nay, but don't look for special announcements after EHLO to tell you that the
            server supports SASL. Testing SASL setup on the server is documented in the
            link I pasted above. Here it is again, this time with a specific section:
            http://www.postfix.org/SASL_README.html#server_test

            --
            Sahil Tandon <sahil@...>
          • mouss
            Message 5 of 8 , Feb 28, 2009
              Big Pizzle wrote:
              > [snip]
              > 250-jupiter1.national.com
              > 250-PIPELINING
              > 250-SIZE 10240000
              > 250-ETRN
              > 250-ENHANCEDSTATUSCODES
              > 250-8BITMIME
              > 250 DSN
              >

              look at the dovecot side (whether plaintext is allowed, which mechanisms
              are enabled, ... etc).

              anyway, better enable TLS. plaintext over TLS is safe and simple.

              > [snip]
            • Big Pizzle
              Message 6 of 8 , Feb 28, 2009
                On Sat, Feb 28, 2009 at 12:15 PM, Sahil Tandon <sahil@...> wrote:
                On Sat, 28 Feb 2009, Big Pizzle wrote:

                > On Sat, Feb 28, 2009 at 11:47 AM, Sahil Tandon <sahil@...> wrote:
                >
                > > On Sat, 28 Feb 2009, Big Pizzle wrote:
                > >
                > > > Hi all,
                > > >
                > > > I've just set up Postfix 2.3.3 to authenticate against a MySQL database
                > > to
                > > > support Virtual Domains, and I'm able to send mail to any domain which
                > > > Postfix knows about, but when I send an e-mail to an outside address such
                > > as
                > > > hotmail, yahoo, etc. I get the following error message in the logs:
                > > >
                > > > Feb 27 22:09:52 juter1 postfix/smtpd[27104]: NOQUEUE: reject: RCPT from
                > > > h-68-167-178-13.snid.cod.net[xx.xxx.xxx.xx]: 554 5.7.1 <
                > > someemail@...>:
                > > > Relay access denied; from=<plum@...> to=<someemail@...>
                > > > proto=SMTP helo=<homebase>
                > >
                > > If you're going to obfuscate the IP, at least take care to similarly cloak
                > > your client's hostname!
                > >
                > > % host h-68-167-178-13.snid.cod.net
                > > h-68-167-178-13.snid.cod.net has address 82.98.86.161
                > >
                >
                > Thanks, but that isn't my IP - guess I did a pretty good job eh?  If you
                > want me to point out WHERE you can find my IP, it's in the first portion of
                > that hostname - cod.net isn't my provider.  :)

                Why obfuscate your *covad* IP when it is in the hostname?

                > > > Here are my main.cf configs:
                > >
                > > Instead, follow the directions in the DEBUG_README, and paste the output of
                > > 'postconf -n'.
                >
                >
                > alias_maps =
                > broken_sasl_auth_clients = yes
                > command_directory = /usr/sbin
                > config_directory = /etc/postfix
                > daemon_directory = /usr/libexec/postfix
                > debug_peer_level = 2
                > disable_vrfy_command = yes
                > html_directory = no
                > inet_interfaces = localhost, $myhostname

                $myhostname is not an interface.  See:
                http://www.postfix.org/postconf.5.html#inet_interfaces

                > invalid_hostname_reject_code = 450
                > local_transport = virtual
                > mail_owner = postfix
                > mailq_path = /usr/bin/mailq.postfix
                > manpage_directory = /usr/share/man
                > maps_rbl_reject_code = 450
                > mydestination = $myhostname, localhost.$mydomain, localhost
                > myhostname = xxx.yyy.com
                > mynetworks = 127.0.0.0/8
                > newaliases_path = /usr/bin/newaliases.postfix
                > non_fqdn_reject_code = 450
                > queue_directory = /var/spool/postfix
                > readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
                > sample_directory = /usr/share/doc/postfix-2.3.3/samples
                > sendmail_path = /usr/sbin/sendmail.postfix
                > setgid_group = postdrop
                > show_user_unknown_table_name = no
                > smtpd_helo_required = yes
                > smtpd_recipient_restrictions = permit_mynetworks
                > permit_sasl_authenticated         reject_unauth_destination
                > smtpd_sasl_auth_enable = yes
                > smtpd_sasl_exceptions_networks = $mynetworks
                > smtpd_sasl_local_domain = $myhostname
                > smtpd_sasl_path = /var/spool/postfix/private/auth
                > smtpd_sasl_security_options = noanonymous
                > smtpd_sasl_type = dovecot
                > unknown_local_recipient_reject_code = 550
                > virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
                > virtual_gid_maps = static:10000
                > virtual_mailbox_base = /home/vmail
                > virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
                > virtual_mailbox_maps = proxy:mysql:/etc/postfix/
                > mysql_virtual_mailbox_maps.cf
                > virtual_minimum_uid = 10000
                > virtual_transport = virtual
                > virtual_uid_maps = static:10000
                >
                > > > When telnetting to port 25, and issuing the EHLO command, I get the
                > > > following:
                > > >
                > > > 250-jupiter1.national.com
                > > > 250-PIPELINING
                > > > 250-SIZE 10240000
                > > > 250-ETRN
                > > > 250-ENHANCEDSTATUSCODES
                > > > 250-8BITMIME
                > > > 250 DSN
                > > >
                > > > I don't see anywhere where it shows what authentication mechanism I am
                > > > using.  Could this be the issue?  I want people to be required to
                > > > authenticate if they are going to be sending mail from this server to
                > > > external addresses.  'My Server Requires Authentication' is checked in my
                > > > mail client.
                > >
                > > Your server appears configured to support SASL but not TLS (following EHLO,
                > > it does not announce STARTTLS support to the SMTP client).  You need to
                > > show
                > > your postconf output, specifically the smtpd_mumble_restrictions, which is
                > > where you can require SASL authentication to relay mail externally.  From
                > > your question, I suspect you are conflating SASL and TLS.  See:
                > > http://www.postfix.org/TLS_README.html
                > > http://www.postfix.org/SASL_README.html
                >
                >
                > It was my understanding that TLS was for secure connections - do I need TLS
                > as well in order for SASL to work?

                Nay, but don't look for special announcements after EHLO to tell you that the
                server supports SASL.  Testing SASL setup on the server is documented in the
                link I pasted above.  Here it is again, this time with a specific section:
                http://www.postfix.org/SASL_README.html#server_test

                --
                Sahil Tandon <sahil@...>


                Thanks for the link Sahil.  I've run sasl2-sample-server and sasl2-sample-client, here are the outputs from both (I made a few changes, adding TLS per mouss' suggestion but I'm still getting relay access denied).  Here's a quick legend as to what means what:

                xxx = hostname
                yyy.com = domain name
                fff.com = one of the virtual domains hosted on the xxx.yyy.com machine.


                sasl2-sample-server:
                [root@xxx postfix]# sasl2-sample-server
                trying 2, 1, 6
                trying 10, 1, 6
                socket: Address family not supported by protocol
                accepted new connection
                send: {9}
                ANONYMOUS
                recv: {9}
                ANONYMOUS
                recv: {1}
                Y
                recv: {32}
                user@...@xxx
                successful authentication 'anonymous'
                closing connection
                accepted new connection
                send: {9}
                ANONYMOUS
                recv: {9}
                ANONYMOUS
                recv: {1}
                Y
                recv: {12}
                ger@xxx
                successful authentication 'anonymous'
                closing connection



                sasl2-sample-client:
                [root@xxx sample]# sasl2-sample-client localhost
                receiving capability list... recv: {9}
                ANONYMOUS
                ANONYMOUS
                please enter an authorization id: user@...
                send: {9}
                ANONYMOUS
                send: {1}
                Y
                send: {32}
                user@...@xxx
                successful authentication
                closing connection
                [root@xxx sample]# sasl2-sample-client localhost
                receiving capability list... recv: {9}
                ANONYMOUS
                ANONYMOUS
                please enter an authorization id: ger
                send: {9}
                ANONYMOUS
                send: {1}
                Y
                send: {12}
                ger@xxx
                successful authentication
                closing connection


                This is what I see in the logs:
                Feb 28 17:45:09 xxx sasl2-sample-server: sql_select option missing
                Feb 28 17:45:09 xxx sasl2-sample-server: auxpropfunc error no mechanism available
                Feb 28 17:45:09 xxx sasl2-sample-server: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql


                I notice that it's attaching @xxx to whatever username I enter - could that be (one of) the issue(s) at hand? 


                I'm using Dovecot's SASL mechanism inside Postfix.  I will post my dovecot.conf configuration as well as the output of postconf -n below:

                /etc/dovecot.conf:

                protocols = imap pop3
                disable_plaintext_auth = no
                mail_location = maildir:/var/mail/%d/%u
                first_valid_uid = 10000
                last_valid_uid = 10000
                maildir_copy_with_hardlinks = yes

                protocol imap {
                  imap_client_workarounds = outlook-idle delay-newmail
                }

                protocol pop3 {
                  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
                }

                protocol lda {
                  postmaster_address = postmaster@...
                  log_path = /var/log/dovecot-deliver.log
                  info_log_path = /var/log/dovecot-deliver.log
                }

                auth default {
                  mechanisms = plain login

                  passdb sql {
                    args = /etc/dovecot/sql.conf
                  }

                  userdb passwd {
                  }

                  userdb sql {
                    args = /etc/dovecot/sql.conf
                  }

                  userdb prefetch {
                  }

                  user = root

                  socket listen {
                    master {
                      path = /var/run/dovecot/auth-master
                      mode = 0600
                      user = vmail
                      group = vmail
                    }
                    client {
                      path = /var/spool/postfix/private/auth
                      mode = 0660
                      user = postfix
                      group = postfix
                    }
                  }
                }

                dict {
                }

                plugin {
                }





                postconf -n output:

                alias_maps =
                broken_sasl_auth_clients = yes
                command_directory = /usr/sbin
                config_directory = /etc/postfix
                daemon_directory = /usr/libexec/postfix
                debug_peer_level = 2
                disable_vrfy_command = yes
                html_directory = no
                inet_interfaces = all
                invalid_hostname_reject_code = 450
                local_transport = virtual
                mail_owner = postfix
                mailq_path = /usr/bin/mailq.postfix
                manpage_directory = /usr/share/man
                maps_rbl_reject_code = 450
                mydestination = $myhostname, localhost.$mydomain, localhost
                myhostname = xxx.yyy.com
                mynetworks = 127.0.0.0/8
                newaliases_path = /usr/bin/newaliases.postfix
                non_fqdn_reject_code = 450
                queue_directory = /var/spool/postfix
                readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
                sample_directory = /usr/share/doc/postfix-2.3.3/samples
                sendmail_path = /usr/sbin/sendmail.postfix
                setgid_group = postdrop
                show_user_unknown_table_name = no
                smtp_use_tls = no
                smtpd_helo_required = yes
                smtpd_recipient_restrictions = permit_mynetworks,     permit_sasl_authenticated, reject_unauth_destination
                smtpd_sasl_auth_enable = yes
                smtpd_sasl_path = private/auth
                smtpd_sasl_type = dovecot
                smtpd_tls_auth_only = no
                smtpd_tls_cert_file = /usr/local/ssl/xxx.yyy.com.crt
                smtpd_tls_key_file = /usr/local/ssl/xxx.yyy.com.key
                smtpd_tls_loglevel = 1
                smtpd_tls_received_header = yes
                smtpd_tls_session_cache_database = btree:/etc/postfix/tls_smtpd_scache
                smtpd_use_tls = yes
                unknown_local_recipient_reject_code = 550
                virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
                virtual_gid_maps = static:10000
                virtual_mailbox_base = /home/vmail
                virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
                virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
                virtual_minimum_uid = 10000
                virtual_transport = virtual
                virtual_uid_maps = static:10000



                my /etc/postfix/master.cf has the following:
                smtp      inet  n       -       n       -       -       smtpd
                smtps     inet  n       -       n       -       -       smtpd
                  -o smtpd_sasl_auth_enable=yes


                Here's a telnet output to port 25:
                xxx:~#  telnet xxx.yyy.com 25
                Trying 123.123.123.123...
                Connected to xxx.
                Escape character is '^]'.
                220 xxx.yyy.com ESMTP Postfix
                ehlo local
                250-xxx.yyy.com
                250-PIPELINING
                250-SIZE 10240000
                250-ETRN
                250-STARTTLS
                250-AUTH PLAIN LOGIN
                250-AUTH=PLAIN LOGIN
                250-ENHANCEDSTATUSCODES
                250-8BITMIME
                250 DSN
                quit
                221 2.0.0 Bye
                Connection closed by foreign host.
                Exit 1



                Dovecot works just fine - I'm able to telnet to port 110 and authenticate with a legitimate username and password (using user@... as the username).

                Thanks for all the help.  Hopefully someone can see something I can't.
              • Big Pizzle
                Message 7 of 8 , Feb 28, 2009
                  This might be of some use, I turned on MySQL logging for all queries.

                  Postfix calls to these three files (I'll include their contents as well and have omitted sensitive information):

                  mysql_virtual_domains_maps.cf

                  user = USER
                  password = PASSWORD
                  hosts = localhost
                  dbname = DBNAME
                  query          = SELECT domain FROM domain WHERE domain='%u'


                  mysql_virtual_alias_maps.cf

                  user = USER
                  password = PASSWORD
                  hosts = localhost
                  dbname = DBNAME
                  query           = SELECT goto FROM alias WHERE address='%s' AND active = '1'


                  mysql_virtual_mailbox_maps.cf

                  user = USER
                  password = PASSWORD
                  hosts = localhost
                  dbname = DBNAME
                  query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'


                  I've run all the queries from the MySQL CLI and get results when I query a valid username, email address, or domain.

                  After turning on MySQL logging, and trying to use Outlook Express to send a mail to a gmail account, this is what my /var/log/mysql-query.log looks like:

                  090228 21:08:22      13 Connect     USER@localhost on DBNAME
                                       13 Query       SELECT goto FROM alias WHERE address='yyy.com' AND active = '1'
                                       14 Connect     USER@localhost on DBNAME
                                       14 Query       SELECT domain FROM domain WHERE domain='yyy.com'
                                       13 Query       SELECT goto FROM alias WHERE address='gmail.com' AND active = '1'
                                       14 Query       SELECT domain FROM domain WHERE domain='gmail.com'


                  My /usr/lib/sasl2/smtpd.conf looks like this:

                  pwcheck_method: saslauthd
                  mech_list: PLAIN LOGIN

                  I have saslauthd started, however all the documentation I read on how to install Postfix, Dovecot, MySQL, and SASL never mentioned starting it up.  I've tested both with it started and with it not.


                  What in the world am I overlooking?  Any suggestions?








                  On Sat, Feb 28, 2009 at 6:16 PM, Big Pizzle <bigpizzle@...> wrote:


                  On Sat, Feb 28, 2009 at 12:15 PM, Sahil Tandon <sahil@...> wrote:
                  On Sat, 28 Feb 2009, Big Pizzle wrote:

                  > On Sat, Feb 28, 2009 at 11:47 AM, Sahil Tandon <sahil@...> wrote:
                  >
                  > > On Sat, 28 Feb 2009, Big Pizzle wrote:
                  > >
                  > > > Hi all,
                  > > >
                  > > > I've just set up Postfix 2.3.3 to authenticate against a MySQL database
                  > > to
                  > > > support Virtual Domains, and I'm able to send mail to any domain which
                  > > > Postfix knows about, but when I send an e-mail to an outside address such
                  > > as
                  > > > hotmail, yahoo, etc. I get the following error message in the logs:
                  > > >
                  > > > Feb 27 22:09:52 juter1 postfix/smtpd[27104]: NOQUEUE: reject: RCPT from
                  > > > h-68-167-178-13.snid.cod.net[xx.xxx.xxx.xx]: 554 5.7.1 <
                  > > someemail@...>:
                  > > > Relay access denied; from=<plum@...> to=<someemail@...>
                  > > > proto=SMTP helo=<homebase>
                  > >
                  > > If you're going to obfuscate the IP, at least take care to similarly cloak
                  > > your client's hostname!
                  > >
                  > > % host h-68-167-178-13.snid.cod.net
                  > > h-68-167-178-13.snid.cod.net has address 82.98.86.161
                  > >
                  >
                  > Thanks, but that isn't my IP - guess I did a pretty good job eh?  If you
                  > want me to point out WHERE you can find my IP, it's in the first portion of
                  > that hostname - cod.net isn't my provider.  :)

                  Why obfuscate your *covad* IP when it is in the hostname?

                  > > > Here are my main.cf configs:
                  > >
                  > > Instead, follow the directions in the DEBUG_README, and paste the output of
                  > > 'postconf -n'.
                  >
                  >
                  > alias_maps =
                  > broken_sasl_auth_clients = yes
                  > command_directory = /usr/sbin
                  > config_directory = /etc/postfix
                  > daemon_directory = /usr/libexec/postfix
                  > debug_peer_level = 2
                  > disable_vrfy_command = yes
                  > html_directory = no
                  > inet_interfaces = localhost, $myhostname

                  $myhostname is not an interface.  See:
                  http://www.postfix.org/postconf.5.html#inet_interfaces

                  > invalid_hostname_reject_code = 450
                  > local_transport = virtual
                  > mail_owner = postfix
                  > mailq_path = /usr/bin/mailq.postfix
                  > manpage_directory = /usr/share/man
                  > maps_rbl_reject_code = 450
                  > mydestination = $myhostname, localhost.$mydomain, localhost
                  > myhostname = xxx.yyy.com
                  > mynetworks = 127.0.0.0/8
                  > newaliases_path = /usr/bin/newaliases.postfix
                  > non_fqdn_reject_code = 450
                  > queue_directory = /var/spool/postfix
                  > readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
                  > sample_directory = /usr/share/doc/postfix-2.3.3/samples
                  > sendmail_path = /usr/sbin/sendmail.postfix
                  > setgid_group = postdrop
                  > show_user_unknown_table_name = no
                  > smtpd_helo_required = yes
                  > smtpd_recipient_restrictions = permit_mynetworks
                  > permit_sasl_authenticated         reject_unauth_destination
                  > smtpd_sasl_auth_enable = yes
                  > smtpd_sasl_exceptions_networks = $mynetworks
                  > smtpd_sasl_local_domain = $myhostname
                  > smtpd_sasl_path = /var/spool/postfix/private/auth
                  > smtpd_sasl_security_options = noanonymous
                  > smtpd_sasl_type = dovecot
                  > unknown_local_recipient_reject_code = 550
                  > virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
                  > virtual_gid_maps = static:10000
                  > virtual_mailbox_base = /home/vmail
                  > virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
                  > virtual_mailbox_maps = proxy:mysql:/etc/postfix/
                  > mysql_virtual_mailbox_maps.cf
                  > virtual_minimum_uid = 10000
                  > virtual_transport = virtual
                  > virtual_uid_maps = static:10000
                  >
                  > > > When telnetting to port 25, and issuing the EHLO command, I get the
                  > > > following:
                  > > >
                  > > > 250-jupiter1.national.com
                  > > > 250-PIPELINING
                  > > > 250-SIZE 10240000
                  > > > 250-ETRN
                  > > > 250-ENHANCEDSTATUSCODES
                  > > > 250-8BITMIME
                  > > > 250 DSN
                  > > >
                  > > > I don't see anywhere where it shows what authentication mechanism I am
                  > > > using.  Could this be the issue?  I want people to be required to
                  > > > authenticate if they are going to be sending mail from this server to
                  > > > external addresses.  'My Server Requires Authentication' is checked in my
                  > > > mail client.
                  > >
                  > > Your server appears configured to support SASL but not TLS (following EHLO,
                  > > it does not announce STARTTLS support to the SMTP client).  You need to
                  > > show
                  > > your postconf output, specifically the smtpd_mumble_restrictions, which is
                  > > where you can require SASL authentication to relay mail externally.  From
                  > > your question, I suspect you are conflating SASL and TLS.  See:
                  > > http://www.postfix.org/TLS_README.html
                  > > http://www.postfix.org/SASL_README.html
                  >
                  >
                  > It was my understanding that TLS was for secure connections - do I need TLS
                  > as well in order for SASL to work?

                  Nay, but don't look for special announcements after EHLO to tell you that the
                  server supports SASL.  Testing SASL setup on the server is documented in the
                  link I pasted above.  Here it is again, this time with a specific section:
                  http://www.postfix.org/SASL_README.html#server_test

                  --
                  Sahil Tandon <sahil@...>


                  Thanks for the link Sahil.  I've run sasl2-sample-server and sasl2-sample-client, here are the outputs from both (I made a few changes, adding TLS per mouss' suggestion but I'm still getting relay access denied).  Here's a quick legend as to what means what:

                  xxx = hostname
                  yyy.com = domain name
                  fff.com = one of the virtual domains hosted on the xxx.yyy.com machine.


                  sasl2-sample-server:
                  [root@xxx postfix]# sasl2-sample-server
                  trying 2, 1, 6
                  trying 10, 1, 6
                  socket: Address family not supported by protocol
                  accepted new connection
                  send: {9}
                  ANONYMOUS
                  recv: {9}
                  ANONYMOUS
                  recv: {1}
                  Y
                  recv: {32}
                  user@...@xxx
                  successful authentication 'anonymous'
                  closing connection
                  accepted new connection
                  send: {9}
                  ANONYMOUS
                  recv: {9}
                  ANONYMOUS
                  recv: {1}
                  Y
                  recv: {12}
                  ger@xxx
                  successful authentication 'anonymous'
                  closing connection



                  sasl2-sample-client:
                  [root@xxx sample]# sasl2-sample-client localhost
                  receiving capability list... recv: {9}
                  ANONYMOUS
                  ANONYMOUS
                  please enter an authorization id: user@...
                  send: {9}
                  ANONYMOUS
                  send: {1}
                  Y
                  send: {32}
                  user@...@xxx
                  successful authentication
                  closing connection
                  [root@xxx sample]# sasl2-sample-client localhost
                  receiving capability list... recv: {9}
                  ANONYMOUS
                  ANONYMOUS
                  please enter an authorization id: ger
                  send: {9}
                  ANONYMOUS
                  send: {1}
                  Y
                  send: {12}
                  ger@xxx
                  successful authentication
                  closing connection


                  This is what I see in the logs:
                  Feb 28 17:45:09 xxx sasl2-sample-server: sql_select option missing
                  Feb 28 17:45:09 xxx sasl2-sample-server: auxpropfunc error no mechanism available
                  Feb 28 17:45:09 xxx sasl2-sample-server: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql


                  I notice that it's attaching @xxx to whatever username I enter - could that be (one of) the issue(s) at hand? 


                  I'm using Dovecot's SASL mechanism inside Postfix.  I will post my dovecot.conf configuration as well as the output of postfix -n below:

                  /etc/dovecot.conf:

                  protocols = imap pop3
                  disable_plaintext_auth = no

                  mail_location = maildir:/var/mail/%d/%u
                  first_valid_uid = 10000
                  last_valid_uid = 10000
                  maildir_copy_with_hardlinks = yes

                  protocol imap {
                    imap_client_workarounds = outlook-idle delay-newmail
                  }

                  protocol pop3 {
                    pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
                  }

                  protocol lda {
                    postmaster_address = postmaster@...
                    log_path = /var/log/dovecot-deliver.log
                    info_log_path = /var/log/dovecot-deliver.log
                  }

                  auth default {
                    mechanisms = plain login

                    passdb sql {

                      args = /etc/dovecot/sql.conf
                    }

                    userdb passwd {
                    }

                    userdb sql {

                      args = /etc/dovecot/sql.conf
                    }

                    userdb prefetch {
                    }

                    user = root

                    socket listen {
                      master {
                        path = /var/run/dovecot/auth-master
                        mode = 0600
                        user = vmail
                        group = vmail
                      }
                      client {
                        path = /var/spool/postfix/private/auth
                        mode = 0660
                        user = postfix
                        group = postfix
                      }
                    }
                  }

                  dict {
                  }

                  plugin {
                  }

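The rejection in the log comes from the restriction list in the postconf output above, and it helps to see how Postfix walks that list. The following is an added illustration, not Postfix's code and not from the thread: a small model of `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination` evaluated left to right, where the first PERMIT or REJECT ends the list and a list that ends without a decision permits. The mynetworks and mydestination values are the ones posted; the virtual domain `fff.com` and the client address `203.0.113.7` are constructed, and the model omits the `$inet_interfaces`/`$proxy_interfaces` address checks that the real `reject_unauth_destination` also performs.

```python
"""Model of smtpd_recipient_restrictions evaluation (added example; not Postfix code).

Restrictions run left to right; the first PERMIT or REJECT ends the list, and
a list that ends without a decision permits.  Config values come from the
thread's postconf output where it gives them (mynetworks, mydestination); the
virtual domain fff.com and the client address 203.0.113.7 are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SmtpdConfig:
    mynetworks: list
    mydestination: set
    virtual_mailbox_domains: set  # what mysql_virtual_domains_maps.cf answers for
    virtual_alias_domains: set = field(default_factory=set)
    relay_domains: set = field(default_factory=set)


@dataclass
class Session:
    client_ip: str
    sasl_username: Optional[str] = None  # only set after a successful AUTH


def permit_mynetworks(cfg, sess, rcpt):
    """PERMIT when the client address falls inside $mynetworks."""
    ip = ipaddress.ip_address(sess.client_ip)
    if any(ip in ipaddress.ip_network(n, strict=False) for n in cfg.mynetworks):
        return "PERMIT"
    return "DUNNO"


def permit_sasl_authenticated(cfg, sess, rcpt):
    """PERMIT when the session authenticated via SASL; otherwise no opinion."""
    return "PERMIT" if sess.sasl_username else "DUNNO"


def reject_unauth_destination(cfg, sess, rcpt):
    """REJECT unless the recipient domain is one this server accepts mail for."""
    domain = rcpt.rpartition("@")[2].lower()
    accepted = (cfg.mydestination | cfg.virtual_mailbox_domains
                | cfg.virtual_alias_domains | cfg.relay_domains)
    if domain in accepted:
        return "DUNNO"
    return f"REJECT 554 5.7.1 <{rcpt}>: Relay access denied"


RESTRICTIONS = [permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination]


def evaluate(cfg, sess, rcpt):
    """Walk the list like smtpd does and return the first decisive verdict."""
    for restriction in RESTRICTIONS:
        verdict = restriction(cfg, sess, rcpt)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT"  # end of list reached: Postfix's default action is permit


CFG = SmtpdConfig(
    mynetworks=["127.0.0.0/8"],
    mydestination={"xxx.yyy.com", "localhost.yyy.com", "localhost"},
    virtual_mailbox_domains={"fff.com"},  # constructed
)

if __name__ == "__main__":
    outside = Session("203.0.113.7")  # constructed client address, not in mynetworks
    print(evaluate(CFG, outside, "someemail@gmail.com"))
    print(evaluate(CFG, Session("203.0.113.7", "plum@fff.com"), "someemail@gmail.com"))
    print(evaluate(CFG, Session("127.0.0.1"), "someemail@gmail.com"))
    print(evaluate(CFG, outside, "user@fff.com"))
```

Two things the model makes visible. First, for a client outside 127.0.0.0/8 the only path to an outside recipient is `permit_sasl_authenticated`, so a session in which the client never issues AUTH (or AUTH fails) reaches `reject_unauth_destination` and gets exactly the 554 in the log. Second, the domain-only lookups in the mysql query log (`address='gmail.com'`, `domain='gmail.com'`) are that last restriction at work: `virtual_alias_domains` defaults to `$virtual_alias_maps` and `virtual_mailbox_domains` is the mysql domains map, so Postfix queries both with the bare recipient domain to decide whether the destination is one it is responsible for.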

                • mouss
                  Message 8 of 8 , Mar 1, 2009
                    Big Pizzle wrote:
                    > [snip]
                    > *I notice that it's attaching @xxx to whatever username I enter - could
                    > that be (one of) the issue(s) at hand? *
                    >

                    you are using dovecot auth, so cyrus stuff is irrelevant.

                    > [snip]
                    > Here's a telnet output to port 25:
                    > xxx:~# telnet xxx.yyy.com 25
                    > Trying 123.123.123.123...
                    > Connected to xxx.
                    > Escape character is '^]'.
                    > 220 xxx.yyy.com ESMTP Postfix
                    > ehlo local
                    > 250-xxx.yyy.com
                    > 250-PIPELINING
                    > 250-SIZE 10240000
                    > 250-ETRN
                    > 250-STARTTLS
                    > 250-AUTH PLAIN LOGIN
                    > 250-AUTH=PLAIN LOGIN
                    > 250-ENHANCEDSTATUSCODES
                    > 250-8BITMIME
                    > 250 DSN
                    > quit
                    > 221 2.0.0 Bye
                    > Connection closed by foreign host.
                    > Exit 1
                    >

                    so now you have the AUTH lines in the response to EHLO, which you did
                    not have before.

                    do a test with Thunderbird and see if it works. once it works, test with
                    outlook.

                    > [snip]
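The "test with a mail client" step above can be scripted so the RCPT reply is visible instead of a client's error dialog. The following is an added example, not from the thread: it opens an SMTP session, negotiates STARTTLS when the server offers it, authenticates with AUTH PLAIN (the same mechanism the EHLO output advertises), then issues MAIL FROM and RCPT TO for an outside address and returns the RCPT reply, which is where `Relay access denied` appears. The host, port, credentials and addresses in the `__main__` block are placeholders (assumptions); `auth_plain_initial_response` also produces the exact string to paste after `AUTH PLAIN` in a manual telnet test.

```python
"""Scripted relay test after SASL authentication (added example; not from the thread).

Connect, STARTTLS if offered, AUTH PLAIN, then MAIL FROM / RCPT TO an outside
recipient and report the RCPT reply.  Nothing is delivered: the transaction is
reset before DATA.  Credentials are never sent without TLS unless explicitly
allowed, since AUTH PLAIN is cleartext.
"""
import base64
import smtplib
import ssl


def auth_plain_initial_response(username, password, authzid=""):
    """RFC 4616 PLAIN message (authzid NUL authcid NUL password), base64-encoded.

    This is the string a manual test types after 'AUTH PLAIN '.
    """
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def relay_check(host, port, username, password, sender, recipient,
                verify_tls=True, allow_plaintext_auth=False):
    """Return (code, text) of the RCPT TO reply after a successful AUTH PLAIN."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab server with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        tls_up = False
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()  # capabilities can change after TLS (smtpd_tls_auth_only)
            tls_up = True
        if not tls_up and not allow_plaintext_auth:
            raise RuntimeError("server did not offer STARTTLS; refusing to send "
                               "a cleartext password")
        if not smtp.has_extn("auth"):
            raise RuntimeError("EHLO did not advertise AUTH; check smtpd_sasl_auth_enable")
        code, msg = smtp.docmd("AUTH PLAIN", auth_plain_initial_response(username, password))
        if code != 235:
            raise RuntimeError(f"AUTH rejected: {code} {msg.decode(errors='replace')}")
        code, msg = smtp.mail(sender)
        if code != 250:
            raise RuntimeError(f"MAIL FROM rejected: {code} {msg.decode(errors='replace')}")
        code, msg = smtp.rcpt(recipient)
        smtp.rset()  # abandon the transaction; nothing is sent
        return code, msg.decode(errors="replace")


if __name__ == "__main__":
    # Placeholders (assumptions): a virtual-domain user relaying to an outside domain.
    code, text = relay_check("xxx.yyy.com", 25, "user@fff.com", "password",
                             "user@fff.com", "someone@example.com")
    print(code, text)  # 250 means the relay is accepted; 554 5.7.1 means it is not
```

A 235 on AUTH followed by 554 on RCPT would mean authentication succeeded but `permit_sasl_authenticated` still did not fire for that session, whereas an AUTH failure (535) points at the Dovecot passdb side; separating the two is the point of issuing the commands one at a time rather than letting a mail client hide them.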