Re: Postfix will not use authentication

  • Wietse Venema
    Message 1 of 12 , Apr 30, 2009
      Gregorics Tamas:
      [ Charset UTF-8 unsupported, converting... ]
      > Hi,
      >
      > I want to set up a relayhost for my local mail server, but for some reason
      > my postfix will not try to authenticate with the relay server.
      >
      > I have these packages installed:
      >
      > libsasl2
      > libsasl2-2
      > libsasl2-modules
      >
      > main.cf
      > relayhost = mail.relay.host
      > smtp_sasl_auth_enable = yes
      > smtp_sasl_security_options = noanonymous
      > smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
      > smtp_cname_overrides_servername = no
      >
      >
      > sasl_password:
      > mail.relay.host user@...:password
      >
      >
      > If I send a mail the relay server rejects it with a no relaying allowed
      > error. I checked it with tcpdump, and there is no authentication in the
      > outgoing smtp session.
      >
      > With the same settings a different server can use the same relay server.
      >
      > Any ideas?

      Yes.

      Instead of cut-and-paste main.cf, use "postconf -n" command output.
      There is a reason why the mailing list instructions ask for this.
    • Gregorics Tamás
      Message 2 of 12 , Apr 30, 2009
        Wietse Venema wrote:
        > Gregorics Tamas:
        > [ Charset UTF-8 unsupported, converting... ]
        >
        >> Hi,
        >>
        >> I want to set up a relayhost for my local mail server, but for some reason
        >> my postfix will not try to authenticate with the relay server.
        >>
        >> I have these packages installed:
        >>
        >> libsasl2
        >> libsasl2-2
        >> libsasl2-modules
        >>
        >> main.cf
        >> relayhost = mail.relay.host
        >> smtp_sasl_auth_enable = yes
        >> smtp_sasl_security_options = noanonymous
        >> smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
        >> smtp_cname_overrides_servername = no
        >>
        >>
        >> sasl_password:
        >> mail.relay.host user@...:password
        >>
        >>
        >> If I send a mail the relay server rejects it with a no relaying allowed
        >> error. I checked it with tcpdump, and there is no authentication in the
        >> outgoing smtp session.
        >>
        >> With the same settings a different server can use the same relay server.
        >>
        >> Any ideas?
        >>
        >
        > Yes.
        >
        > Instead of cut-and-paste main.cf, use "postconf -n" command output.
        > There is a reason why the mailing list instructions ask for this.
        >
        >
        Sorry, here is the output:

        alias_database = hash:/etc/aliases
        alias_maps = hash:/etc/aliases
        append_dot_mydomain = no
        biff = no
        config_directory = /etc/postfix
        content_filter = smtp-amavis:[127.0.0.1]:10024
        inet_interfaces = all
        inet_protocols = ipv4
        mailbox_command = procmail -a "$EXTENSION"
        mailbox_size_limit = 0
        message_size_limit = 10485760
        mydestination = ***.hu, debian.***.hu, localhost.***.hu, localhost
        myhostname = ***.hu
        mynetworks = 192.168.0.0/16, 127.0.0.0/8
        myorigin = /etc/mailname
        recipient_delimiter = +
        relayhost = mail.t-online.hu
        smtp_data_xfer_timeout = 1000s
        smtp_sasl_auth_enable = yes
        smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
        smtp_sasl_security_options = noanonymous
        smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
        smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
        smtpd_hard_error_limit = 10
        smtpd_helo_required = yes
        smtpd_helo_restrictions = reject_invalid_hostname
        smtpd_policy_service_max_idle = 900s
        smtpd_policy_service_timeout = 240s
        smtpd_recipient_restrictions = permit_mynetworks,
        reject_unauth_destination, reject_unauth_pipelining,
        check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
        check_policy_service inet:127.0.0.1:12525
        smtpd_sender_restrictions = reject_non_fqdn_sender,
        reject_unknown_sender_domain
        smtpd_soft_error_limit = 8
        smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
        smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
        smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
        smtpd_use_tls = yes
      • Wietse Venema
        Message 3 of 12 , Apr 30, 2009
          Gregorics Tamás:
          > > Yes.
          > >
          > > Instead of cut-and-paste main.cf, use "postconf -n" command output.
          > > There is a reason why the mailing list instructions ask for this.
          > >
          > >
          > Sorry, here is the output:
          >
          ...
          > relayhost = mail.t-online.hu
          > smtp_sasl_auth_enable = yes
          > smtp_sasl_password_maps = hash:/etc/postfix/sasl_password

          Does this command:

          $ postmap -q mail.t-online.hu hash:/etc/postfix/sasl_password

          Produce the expected output? There is no need to post
          your username or password to the mailing list.

          Wietse
        • Ivan Stepaniuk
          Message 4 of 12 , Apr 30, 2009
            Gregorics Tamás wrote:
            > recipient_delimiter = +
            > relayhost = mail.t-online.hu
            > smtp_data_xfer_timeout = 1000s
            > smtp_sasl_auth_enable = yes
            > smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
            > smtp_sasl_security_options = noanonymous

            I don't see anything wrong with this.

            check the output of
            #postmap -q your.relay.tld hash:/etc/postfix/sasl_password
            to see if your file has the right syntax.

            check if you don't need to specify an auth method, like the following:
            smtp_sasl_mechanism_filter = plain, login

            If you didn't yet, I would also try to configure that relay on your mail
            client to see if your login information is OK and you are allowed to do
            what you want through this relay.
            my 2 cents.

            --
            Iván Stepaniuk
          • Gregorics Tamás
            Message 5 of 12 , Apr 30, 2009
              Wietse Venema wrote:
              > Gregorics Tamás:
              >
              >>> Yes.
              >>>
              >>> Instead of cut-and-paste main.cf, use "postconf -n" command output.
              >>> There is a reason why the mailing list instructions ask for this.
              >>>
              >>>
              >>>
              >> Sorry, here is the output:
              >>
              >>
              > ...
              >
              >> relayhost = mail.t-online.hu
              >> smtp_sasl_auth_enable = yes
              >> smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
              >>
              >
              > Does this command:
              >
              > $ postmap -q mail.t-online.hu hash:/etc/postfix/sasl_password
              >
              > Produce the expected output? There is no need to post
              > your username or password to the mailing list.
              >
              > Wietse
              >
              >
              Yes, I get the username and password.

              --
              Respectfully,

              Gregorics Tamás

              Service technician
              M&M Computer Kft.
              7623 Pécs, Mártírok u.42.
              Tel.: +36-72/516-517
              Fax: +36-72/516-522
              Mobile: +36-30-747-6553
              e-mail: tamas.gregorics@...

              http://www.mmcomputer.hu
            • Wietse Venema
              Message 6 of 12 , Apr 30, 2009
                Gregorics Tamás:
                > > Does this command:
                > >
                > > $ postmap -q mail.t-online.hu hash:/etc/postfix/sasl_password
                > >
                > > Produce the expected output? There is no need to post
                > > your username or password to the mailing list.
                > >
                > Yes, I get the username and password.

                Now you can turn on verbose logging:

                # postconf -e "debug_peer_list = mail.t-online.hu"
                # postfix reload

                Try sending mail, post logs, and replace username, password, and other
                confidential stuff by XXX. Don't word-wrap the logs into destruction.

                Wietse
              • Gregorics Tamas
                Message 7 of 12 , May 2, 2009
                  On Thu, 30 Apr 2009 11:02:53 -0400 (EDT), wietse@... (Wietse
                  Venema) wrote:
                  > Gregorics Tamás:
                  >> > Does this command:
                  >> >
                  >> > $ postmap -q mail.t-online.hu hash:/etc/postfix/sasl_password
                  >> >
                  >> > Produce the expected output? There is no need to post
                  >> > your username or password to the mailing list.
                  >> >
                  >> Yes, I get the username and password.
                  >
                  > Now you can turn on verbose logging:
                  >
                  > # postconf -e "debug_peer_list = mail.t-online.hu"
                  > # postfix reload
                  >
                  > Try sending mail, post logs, and replace username, password, and other
                  > confidential stuff by XXX. Don't word-wrap the logs into destruction.
                  >
                  > Wietse

                  Here is the verbose log:

                  May 2 20:18:17 xxxxx postfix/smtp[6383]: < mail.t-online.hu[84.2.44.3]: 220 *******************************************************
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: > mail.t-online.hu[84.2.44.3]: HELO xxx.hu
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: < mail.t-online.hu[84.2.44.3]: 250 mail01a.mail.t-online.hu
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: server features: 0x1040 size 0
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: > mail.t-online.hu[84.2.44.3]: MAIL FROM:<mcdouglas@...>
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: < mail.t-online.hu[84.2.44.3]: 250 2.1.0 Ok
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: > mail.t-online.hu[84.2.44.3]: RCPT TO:<mcd@...>
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: < mail.t-online.hu[84.2.44.3]: 554 5.7.1 <mcd@...>: Relay access denied
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: connect to subsystem private/bounce
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr nrequest = 0
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr flags = 0
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr queue_id = C0AEC45C2DA
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr original_recipient = mcd@...
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr recipient = mcd@...
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr offset = 504
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr dsn_orig_rcpt = rfc822;mcd@...
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr notify_flags = 0
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr status = 5.7.1
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr diag_type = smtp
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr diag_text = 554 5.7.1 <mcd@...>: Relay access denied
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr mta_type = dns
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr mta_mname = mail.t-online.hu
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr action = failed
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: send attr reason = host mail.t-online.hu[84.2.44.3] said: 554 5.7.1 <mcd@...>: Relay access denied (in reply to RCPT TO command)
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: private/bounce socket: wanted attribute: status
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: input attribute name: status
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: input attribute value: 0
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: private/bounce socket: wanted attribute: (list terminator)
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: input attribute name: (end)
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: C0AEC45C2DA: to=<mcd@...>, relay=mail.t-online.hu[84.2.44.3]:25, delay=0.62, delays=0.25/0.03/0.11/0.24, dsn=5.7.1, status=bounced (host mail.t-online.hu[84.2.44.3] said: 554 5.7.1 <mcd@...>: Relay access denied (in reply to RCPT TO command))
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: > mail.t-online.hu[84.2.44.3]: RSET
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: < mail.t-online.hu[84.2.44.3]: 250 2.0.0 Ok
                  May 2 20:18:17 xxxxx postfix/smtp[6383]: > mail.t-online.hu[84.2.44.3]: QUIT
                • mouss
                  Message 8 of 12 , May 2, 2009
                    Gregorics Tamas wrote:
                    > On Thu, 30 Apr 2009 11:02:53 -0400 (EDT), wietse@... (Wietse
                    > Venema) wrote:
                    >> Gregorics Tamás:
                    >>>> Does this command:
                    >>>>
                    >>>> $ postmap -q mail.t-online.hu hash:/etc/postfix/sasl_password
                    >>>>
                    >>>> Produce the expected output? There is no need to post
                    >>>> your username or password to the mailing list.
                    >>>>
                    >>> Yes, I get the username and password.
                    >> Now you can turn on verbose logging:
                    >>
                    >> # postconf -e "debug_peer_list = mail.t-online.hu"
                    >> # postfix reload
                    >>
                    >> Try sending mail, post logs, and replace username, password, and other
                    >> confidential stuff by XXX. Don't word-wrap the logs into destruction.
                    >>
                    >> Wietse
                    >
                    > Here is the verbose log:
                    >
                    > May 2 20:18:17 xxxxx postfix/smtp[6383]: < mail.t-online.hu[84.2.44.3]:
                    > 220 *******************************************************

                    borked proxy/router/firewall.

                    > May 2 20:18:17 xxxxx postfix/smtp[6383]: > mail.t-online.hu[84.2.44.3]:
                    > HELO xxx.hu

                    with HELO, there are no smtp extensions, and thus no authentication.

                    for extended smtp, EHLO is needed instead of HELO.

                    from here:

                    $ telnet mail.t-online.hu 25
                    Trying 84.2.46.3...
                    Connected to mail.t-online.hu.
                    Escape character is '^]'.
                    220 mail01d.mail.t-online.hu ESMTP You must authenticate before sending mail
                    EHLO imlil.netoyen.net
                    250-mail01d.mail.t-online.hu
                    250-PIPELINING
                    250-SIZE 26214400
                    250-VRFY
                    250-ETRN
                    250-STARTTLS
                    250-AUTH LOGIN PLAIN
                    250-AUTH=LOGIN PLAIN
                    250-ENHANCEDSTATUSCODES
                    250-8BITMIME
                    250 DSN
                    QUIT
                    221 2.0.0 Bye


                    so the broken gateway is between you and t-online, probably on your
                    side. if you have a PIX, disable the smtp f*up "feature" (something like
                    “no fixup protocol smtp 25”). if it's something else, find out what is...

                    > [snip]
                  • Gregorics Tamas
                    Message 9 of 12 , May 2, 2009
                      On Sat, 02 May 2009 20:37:01 +0200, mouss <mouss@...> wrote:
                      > Gregorics Tamas wrote:
                      >> On Thu, 30 Apr 2009 11:02:53 -0400 (EDT), wietse@... (Wietse
                      >> Venema) wrote:
                      >>> Gregorics Tamás:
                      >>>>> Does this command:
                      >>>>>
                      >>>>> $ postmap -q mail.t-online.hu hash:/etc/postfix/sasl_password
                      >>>>>
                      >>>>> Produce the expected output? There is no need to post
                      >>>>> your username or password to the mailing list.
                      >>>>>
                      >>>> Yes, I get the username and password.
                      >>> Now you can turn on verbose logging:
                      >>>
                      >>> # postconf -e "debug_peer_list = mail.t-online.hu"
                      >>> # postfix reload
                      >>>
                      >>> Try sending mail, post logs, and replace username, password, and other
                      >>> confidential stuff by XXX. Don't word-wrap the logs into destruction.
                      >>>
                      >>> Wietse
                      >>
                      >> Here is the verbose log:
                      >>
                      >> May 2 20:18:17 xxxxx postfix/smtp[6383]: < mail.t-online.hu[84.2.44.3]:
                      >> 220 *******************************************************
                      >
                      > borked proxy/router/firewall.
                      >
                      >> May 2 20:18:17 xxxxx postfix/smtp[6383]: > mail.t-online.hu[84.2.44.3]:
                      >> HELO xxx.hu
                      >
                      > with HELO, there are no smtp extensions, and thus no authentication.
                      >
                      > for extended smtp, EHLO is needed instead of HELO.
                      >
                      > from here:
                      >
                      > $ telnet mail.t-online.hu 25
                      > Trying 84.2.46.3...
                      > Connected to mail.t-online.hu.
                      > Escape character is '^]'.
                      > 220 mail01d.mail.t-online.hu ESMTP You must authenticate before sending
                      > mail
                      > EHLO imlil.netoyen.net
                      > 250-mail01d.mail.t-online.hu
                      > 250-PIPELINING
                      > 250-SIZE 26214400
                      > 250-VRFY
                      > 250-ETRN
                      > 250-STARTTLS
                      > 250-AUTH LOGIN PLAIN
                      > 250-AUTH=LOGIN PLAIN
                      > 250-ENHANCEDSTATUSCODES
                      > 250-8BITMIME
                      > 250 DSN
                      > QUIT
                      > 221 2.0.0 Bye
                      >
                      >
                      > so the broken gateway is between you and t-online, probably on your
                      > side. if you have a PIX, disable the smtp f*up "feature" (something like
                      > “no fixup protocol smtp 25”). if it's something else, find out what
                      > is...
                      >
                      >> [snip]


                      Thank you very much!
                      Indeed I had a PIX515 (8.0(2)) as a gateway. As soon as I disabled esmtp
                      inspection everything worked perfectly.
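
A log check for the symptoms diagnosed in this thread (a 220 banner replaced by asterisks, HELO instead of EHLO, no AUTH keyword in the reply), as an added example that is not part of the original messages. The function names and both sample logs are constructed here, and it expects verbose log lines that have not been word-wrapped.

```python
import re

# Postfix verbose protocol lines (debug_peer_list): "<" is a server reply,
# ">" is a client command, e.g. "postfix/smtp[PID]: > host[ip]: HELO x".
LINE = re.compile(r"postfix/smtp\[\d+\]: ([<>]) \S+\[[\d.]+\]: (.*)$")

def diagnose(log_text):
    """Summarise one outbound SMTP session from unwrapped verbose log lines."""
    r = {"banner_masked": False, "greeting": None, "auth_offered": False,
         "auth_attempted": False, "relay_denied": False}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a protocol line (e.g. "send attr ...")
        direction, text = m.group(1), m.group(2).strip()
        if direction == "<":
            if re.fullmatch(r"220[ -]\*+", text):
                r["banner_masked"] = True   # greeting replaced by asterisks
            elif re.match(r"250[ -]AUTH[ =]", text):
                r["auth_offered"] = True    # AUTH keyword in the EHLO reply
            elif text.startswith("554") and "Relay access denied" in text:
                r["relay_denied"] = True
        else:
            verb = text.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                r["greeting"] = verb
            elif verb == "AUTH":
                r["auth_attempted"] = True
    return r

def verdict(r):
    """Turn the findings into the conclusion reached in the thread."""
    if r["banner_masked"]:
        return "banner masked: an SMTP-inspecting gateway is in the path"
    if r["greeting"] == "HELO" or not r["auth_offered"]:
        return "no ESMTP AUTH offered to the client: SASL cannot be attempted"
    if not r["auth_attempted"]:
        return "AUTH offered but not attempted: check the client SASL settings"
    return "AUTH offered and attempted"

P = "May 2 20:18:17 xxxxx postfix/smtp[6383]: "
H = "mail.t-online.hu[84.2.44.3]: "
# Constructed from the log in this thread, with the wrapped lines rejoined.
BEHIND_GATEWAY = "\n".join([
    P + "< " + H + "220 " + "*" * 55,
    P + "> " + H + "HELO xxx.hu",
    P + "< " + H + "250 mail01a.mail.t-online.hu",
    P + "server features: 0x1040 size 0",
    P + "> " + H + "RCPT TO:<mcd@...>",
    P + "< " + H + "554 5.7.1 <mcd@...>: Relay access denied",
])
# Constructed: a direct session modelled on the telnet transcript in the thread.
DIRECT = "\n".join([
    P + "< " + H + "220 mail01d.mail.t-online.hu ESMTP You must authenticate before sending mail",
    P + "> " + H + "EHLO xxx.hu",
    P + "< " + H + "250-AUTH LOGIN PLAIN",
    P + "< " + H + "250 DSN",
    P + "> " + H + "AUTH PLAIN XXX",
])

if __name__ == "__main__":
    for name, log in (("behind gateway", BEHIND_GATEWAY), ("direct", DIRECT)):
        print(name, "->", verdict(diagnose(log)))
```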