
Enabled SMTP AUTH but mails from external networks still being rejected

  • Phill Edwards
    Message 1 of 7, Mar 28, 2012
      I have had a Postfix SMTP server on my LAN for a long time and it works really well for delivering my email via relayhost = smtp.example.com (replaced my actual ISP's SMTP server here).

      I have now set up SMTP AUTH and it's working when sending emails from PCs on my LAN. But when I send emails from outside (eg from my mobile phone) I get these errors:

      Mar 29 00:04:32 zrf postfix/smtpd[624]: warning: xx.xxx.180.193: hostname paxx-xxx-180-193.pa.nsw.optusnet.com.au verification failed: Name or service not known
      Mar 29 00:04:32 zrf postfix/smtpd[624]: connect from unknown[xx.xxx.180.193]
      Mar 29 00:04:33 zrf postfix/smtpd[624]: NOQUEUE: reject: RCPT from unknown[xx.xxx.180.193]: 554 5.7.1 <unknown[xx.xxx.180.193]>: Client host rejected: Access denied; from=<me@...> to=<someone@...> proto=ESMTP helo=<paxx-xxx-180-193.pa.nsw.optusnet.com.au>
      Mar 29 00:04:33 zrf postfix/smtpd[624]: disconnect from unknown[xx.xxx.180.193]

      I thought I'd set main.cf up so that it would allow a connection from anywhere, but would ask for authentication. The authentication is working, but it's not allowing any connections from clients outside the local LAN. Any ideas why?

      Here are my settings as per postconf -n:
      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      broken_sasl_auth_clients = yes
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      data_directory = /var/lib/postfix
      debug_peer_level = 3
      delay_warning_time = 4h
      html_directory = no
      inet_interfaces = all
      inet_protocols = all
      mail_owner = postfix
      mailbox_command = /usr/bin/zarafa-dagent "$USER"
      mailbox_size_limit = 0
      mailbox_transport = zarafa: zarafa_destination_recipient_limit = 1
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      message_size_limit = 30720000
      mydestination = $myhostname, localhost.$mydomain, localhost
      mydomain = yyy.home
      myhostname = xxx.yyy.home
      newaliases_path = /usr/bin/newaliases.postfix
      queue_directory = /var/spool/postfix
      readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
      relayhost = smtp.example.com
      sample_directory = /usr/share/doc/postfix-2.6.6/samples
      sendmail_path = /usr/sbin/sendmail.postfix
      setgid_group = postdrop
      smtp_generic_maps = hash:/etc/postfix/generic
      smtpd_client_restrictions = permit_mynetworks, reject
      smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain = $myhostname
      smtpd_sasl_security_options = noanonymous
      unknown_local_recipient_reject_code = 550

      Regards,
      Phill
    • Reindl Harald
      Message 2 of 7, Mar 28, 2012
        On 28.03.2012 15:31, Phill Edwards wrote:
        > I have had a Postfix SMTP server on my LAN for a long time and it works really well for delivering my email via
        > relayhost = smtp.example.com (replaced my actual ISP's SMTP server here).
        >
        > I have now set up SMTP AUTH and it's working when sending emails from PCs on my LAN. But when I send emails from
        > outside (eg from my mobile phone) I get these errors:
        >
        > Mar 29 00:04:32 zrf postfix/smtpd[624]: warning: xx.xxx.180.193: hostname paxx-xxx-180-193.pa.nsw.optusnet.com.au verification failed: Name or service not known
        > Mar 29 00:04:32 zrf postfix/smtpd[624]: connect from unknown[xx.xxx.180.193]
        > Mar 29 00:04:33 zrf postfix/smtpd[624]: NOQUEUE: reject: RCPT from unknown[xx.xxx.180.193]: 554 5.7.1 <unknown[xx.xxx.180.193]>: Client host rejected: Access denied; from=<me@...> to=<someone@...> proto=ESMTP helo=<paxx-xxx-180-193.pa.nsw.optusnet.com.au>
        > Mar 29 00:04:33 zrf postfix/smtpd[624]: disconnect from unknown[xx.xxx.180.193]

        where do you see here any authentication try?
        connect -> reject

        let me guess - this is an iPhone?

        these stupid phones randomly forget the auth setting, do not
        inform the user about the problem, and the winner was an iPhone
        trying for over 6 months to send the same message without authentication
        _____________________

        this is what an authentication looks like in maillog

        Mar 28 15:34:58 mail postfix/smtpd[28115]: connect from xxxxxx[10.0.0.xx]
        Mar 28 15:34:58 mail postfix/smtpd[28115]: 9340B91: client=xxxxxx[10.0.0.xx], sasl_method=PLAIN, sasl_username=c.piffl@...
        Mar 28 15:34:58 mail postfix/cleanup[987]: 9340B91: message-id=<07E64489-A24E-4952-9AE3-2EE943A3747C@...>
      • Reindl Harald
        Message 3 of 7, Mar 29, 2012
          On 29.03.2012 12:08, Phill Edwards wrote:
          >
          > On 28.03.2012 15:31, Phill Edwards wrote:
          > > I have had a Postfix SMTP server on my LAN for a long time and it works really well for delivering my email via
          > > relayhost = smtp.example.com (replaced my actual ISP's SMTP server here).
          > >
          > > I have now set up SMTP AUTH and it's working when sending emails from PCs on my LAN. But when I send emails from
          > > outside (eg from my mobile phone) I get these errors:
          > >
          > > Mar 29 00:04:32 zrf postfix/smtpd[624]: warning: xx.xxx.180.193: hostname paxx-xxx-180-193.pa.nsw.optusnet.com.au verification failed: Name or service not known
          > > Mar 29 00:04:32 zrf postfix/smtpd[624]: connect from unknown[xx.xxx.180.193]
          > > Mar 29 00:04:33 zrf postfix/smtpd[624]: NOQUEUE: reject: RCPT from unknown[xx.xxx.180.193]: 554 5.7.1 <unknown[xx.xxx.180.193]>: Client host rejected: Access denied; from=<me@...> to=<someone@...> proto=ESMTP helo=<paxx-xxx-180-193.pa.nsw.optusnet.com.au>
          > > Mar 29 00:04:33 zrf postfix/smtpd[624]: disconnect from unknown[xx.xxx.180.193]
          >
          > where do you see here any authentication try?
          > connect -> reject
          >
          >
          > I ran some tests on the LAN which showed up successful authentication attempts. This is a log of what happens when
          > a mobile phone tries to connect from outside the LAN. I'm assuming there are no authentication tries because the
          > client has been rejected due to network restrictions before even attempting any credentials are processed.
          >
          > let me guess - this is an iPhone?
          >
          > No, it's a Samsung Galaxy S II with K-9 Mail as the email client

          if "permit_sasl_authenticated" is before restrictions the client can always
          authenticate, this is how the things are working

          but the client has to be configured for authentication
          sadly it is not default in most clients while if
          the MUA developers would be a little smarter they
          would activate it and use the same credentials as
          for incoming server which fits 99% of all setups

          P.S.: please do not reply offlist!
        • Phill Edwards
          Message 4 of 7, Mar 29, 2012
            > I have now set up SMTP AUTH and it's working when sending emails from PCs on
            > my LAN. But when I send emails from outside (eg from my mobile phone) I get
            > these errors:

            Hopefully it's as simple as fixing the smtpd restrictions:

            > smtpd_client_restrictions = permit_mynetworks, reject

            This is outright banning anybody outside mynetworks.

            Thanks, I've removed this line altogether and it works now.
             

            > smtpd_recipient_restrictions = permit_sasl_authenticated,
            > permit_mynetworks, check_relay_domains

            You'll want a reject_unauth_destination after these.


            Sorry but I don't have any idea what that means. Could you please explain a little further what I'm supposed to do here.

          • Phill Edwards
            Message 5 of 7, Mar 29, 2012
              if "permit_sasl_authenticated" is before restrictions the client can always
              authenticate, this is how the things are working

              Thanks for the info.
               


              P.S.: please do not reply offlist!

              Yes, I noticed that. I didn't mean to, but I find with this particular mailing list when I click reply it replies to the sender rather than the mailing list. I don't know why that is as I don't find the same problem with other mailing lists.
            • Brian Evans - Postfix List
              Message 6 of 7, Mar 29, 2012
                On 3/29/2012 6:56 AM, Phill Edwards wrote:
                >
                > > smtpd_recipient_restrictions = permit_sasl_authenticated,
                > > permit_mynetworks, check_relay_domains
                >
                > You'll want a reject_unauth_destination after these.
                >
                >
                > Sorry but I don't have any idea what that means. Could you please
                > explain a little further what I'm supposed to do here.
                >

                You are using the deprecated 1.x syntax of check_relay_domains.
                It is recommended to use reject_unauth_destination instead of
                check_relay_domains.

                Your mail log may even indicate this as a warning.

                Brian
              • Benny Pedersen
                Message 7 of 7, Apr 3, 2012
                  On 2012-03-28 15:31, Phill Edwards wrote:

                  > Mar 29 00:04:33 zrf postfix/smtpd[624]: NOQUEUE: reject: RCPT from
                  > unknown[xx.xxx.180.193]: 554 5.7.1 <unknown[xx.xxx.180.193]>: Client
                  > host rejected: Access denied; from=<me@...>

                  > smtpd_client_restrictions = permit_mynetworks, reject

                  missing permit_sasl_authenticated

                  postfix do as you say :)
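
An added example, not part of any message in the thread: a simplified Python model of how Postfix evaluates the two restriction lists discussed above. It shows why an authenticated client outside mynetworks is still rejected by the posted smtpd_client_restrictions, and compares the two fixes suggested in the thread. The network range, client address, user name and recipient are constructed, and only the four restrictions named here are modelled.

```python
import ipaddress

# Constructed stand-ins: the thread never shows mynetworks or the phone's full address.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
# mydestination as expanded from the posted postconf -n output.
LOCAL_DOMAINS = {"xxx.yyy.home", "localhost.yyy.home", "localhost"}

def check(restriction, client):
    """Verdict of one restriction: 'permit', 'reject', or None for no decision."""
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(client["ip"])
        return "permit" if any(ip in net for net in MYNETWORKS) else None
    if restriction == "permit_sasl_authenticated":
        return "permit" if client.get("sasl_user") else None
    if restriction == "reject_unauth_destination":
        # Simplified: only mydestination counts as an authorised destination here.
        domain = client["rcpt"].rsplit("@", 1)[-1].lower()
        return None if domain in LOCAL_DOMAINS else "reject"
    if restriction == "reject":
        return "reject"
    raise ValueError(f"restriction not modelled: {restriction}")

def evaluate_list(restrictions, client):
    """Within one list the first restriction that decides ends the list."""
    for restriction in restrictions:
        verdict = check(restriction, client)
        if verdict:
            return verdict
    return "permit"  # nothing objected

def smtpd_decision(config, client):
    """A permit only ends its own list; a reject in any list rejects the mail."""
    for name in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        if evaluate_list(config.get(name, []), client) == "reject":
            return "reject by " + name
    return "accept"

# check_relay_domains is swapped for reject_unauth_destination, as advised in the thread.
RCPT = ["permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"]
POSTED = {"smtpd_client_restrictions": ["permit_mynetworks", "reject"],
          "smtpd_recipient_restrictions": RCPT}
LINE_REMOVED = {"smtpd_recipient_restrictions": RCPT}
SASL_ADDED = {"smtpd_client_restrictions":
              ["permit_mynetworks", "permit_sasl_authenticated", "reject"],
              "smtpd_recipient_restrictions": RCPT}

PHONE = {"ip": "203.0.113.7", "sasl_user": "phill", "rcpt": "someone@example.org"}
STRANGER = {"ip": "203.0.113.7", "sasl_user": None, "rcpt": "someone@example.org"}
```

Both fixes accept the authenticated phone and refuse an unauthenticated relay attempt; they differ in which list produces the reject, and the SASL_ADDED variant also turns away any unauthenticated outside client regardless of recipient.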