
Re: Can't auth to postfix using a secondary server

  • /dev/rob0
    Message 1 of 5, Jul 27 9:03 AM
      On Fri, Jul 27, 2012 at 01:24:12PM +0100, Nicolás wrote:
      > On 26/07/2012 15:52, /dev/rob0 wrote:
      > >On Thu, Jul 26, 2012 at 01:45:54PM +0100, Nicolás wrote:
      > >>On 23/07/2012 12:13, Nicolás wrote:
      > >>>I have a server with postfix with virtual users (using MySQL),
      > >>>it's working ok, let's call it A. I also have a secondary server,
      > >>>which I want to use to send mails even outside my local network,
      > >>>let's call it B. So I'm trying to configure B to relay through A
      > >>>to send e-mails. The problem is I have SMTP auth enabled on A and
      > >>>I'm missing something at the config of B because I get this error:
      > >>>
      > >>>
      >
      > [ ... ]

      Somewhere in the cut part was this log line:

      > >Jul 23 11:50:41 mail postfix/smtp[9912]: D7429100B65:
      > >to=<root@...>, relay=mydomain.es[X.X.X.X.]:25,
      > >delay=0.39, delays=0.09/0/0.22/0.08, dsn=5.0.0, status=bounced
      > >(host mydomain.es[X.X.X.X.] said: 550-Please turn on SMTP
      > >Authentication in your mail client, or login to the 550-IMAP/POP3
      > >server before sending your message. 550-85.155.X.X.X.X
      > >(mail.mydomain.es) [X.X.X.X]:60006 is 550 not permitted to relay
      > >through this server without authentication. (in reply to RCPT TO
      > >command))

      That's a multi-line non-Postfix-looking rejection. Find the
      correlated smtpd(8) log line from A and show it. Lose the munging.

      > >Either add the un-munged IP address of B to A's mynetworks, or
      > >configure B to authenticate at A. SOHO_README has the excerpt from
      > >SASL_README which describes the latter. BASIC_CONFIGURATION_README
      > >covers the former.
      > >
      > >If B has a dynamic IP address, the former choice is generally not
      > >ideal. But you can do what I did: connect both sites via a VPN
      > >tunnel, relay through the tunnel, and put the tunnel's address in
      > >mynetworks.
      >
      > Yes, that's my fault as I didn't post my mynetworks line. The B
      > server has a static private IP address, so I added the private range
      > to it.
      >
      > mynetworks = 127.0.0.0/8 192.168.0.0/24

      This would have fixed the relay failure, if in fact you were
      attempting relay through A.

      > I'm pasting my postconf -n at the end of the mail with the changes
      > you advised me.

      > >>>smtpd_sasl_auth_enable = yes
      > >>>smtpd_sasl_authenticated_header = yes
      > >>>smtpd_sasl_security_options = noanonymous
      > >It appears that you are using Cyrus SASL. (Why? What imapd are
      > >you using?) Did you set it up properly?
      >
      > I'm not using Cyrus SASL. My postfix is integrated with Dovecot
      > so that's my imapd.

      Apparently you ARE using Cyrus SASL. What is "postconf
      smtpd_sasl_type" showing on A?

      Do note that if B is going to authenticate at A, it must have Cyrus
      SASL, because that is the only supported means of client SASL in
      Postfix.

      > >>>2) Whole B main.cf config:
      > >>>
      > >>>config_directory = /etc/postfix
      > >>>relayhost = 192.168.0.14
      > >And 192.168.0.14 is the IP address you munged out above? Why? If both
      > >hosts are on the same LAN, why not just use A directly? Why do you
      > >think you need B?
      >
      > That IP address is the server's. Both (server and client) machines
      > are on the same LAN but the reason why I'm using B is because B has
      > a bug-tracker installed on it sending mails on each update event.
      > So I want to have it on a separate machine from A, because A is
      > just the mail server and I would like to keep it that way, that's
      > why I'm trying to relay B mails through A. That's the only idea I
      > had, if you see any better solution I'll be glad to hear it.

      Typically a nullclient implementation is simpler to set up, with
      fewer moving parts and chances for disaster. There are lots of them
      available. I don't have any to specifically recommend; maybe someone
      else will?

      > Finally my postconf -n, after changes:

      > mynetworks = 127.0.0.0/8 192.168.0.0/24

      > smtpd_recipient_restrictions = check_recipient_access
      > hash:/etc/postfix/valid_recipients, reject_sender_login_mismatch,
      > permit_mynetworks, permit_sasl_authenticated, reject_rbl_client
      > zen.spamhaus.org, check_policy_service unix:private/policy-spf,
      > reject_unauth_destination

      These should permit relaying. Again, that "check_recipient_access
      hash:/etc/postfix/valid_recipients" looks like trouble.

      > smtpd_sasl_auth_enable = yes
      > smtpd_sasl_authenticated_header = yes
      > smtpd_sasl_security_options = noanonymous

      smtpd_sasl_type is at the default. So is smtpd_sasl_path. Unless
      overridden at compile time, Cyrus SASL is the default.

      > transport_maps = mysql:/etc/postfix/mysql-virtual_transport.cf

      Why are you using transport_maps? Things turn ugly when
      transport_maps are unavailable, so it's generally not recommended to
      have transport_maps in mysql. In fact, IME transport_maps are widely
      misunderstood and overused. Most sites should not need them.
      --
      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
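
Added example (not part of the original message and not Postfix's own code): a small Python check for two diagnostic points made above, namely that a `postconf -n` listing without `smtpd_sasl_type` means the default (Cyrus SASL) is in effect, and which restrictions in `smtpd_recipient_restrictions` are evaluated before `permit_mynetworks`. The sample text is constructed from the settings quoted in the message; the function names are hypothetical, and the parser assumes plain CIDR entries in `mynetworks` and comma-separated restrictions.

```python
import ipaddress

# Constructed sample: settings of server A as quoted in the message,
# written with main.cf-style continuation lines (leading whitespace).
POSTCONF_N = """\
mynetworks = 127.0.0.0/8 192.168.0.0/24
smtpd_recipient_restrictions = check_recipient_access
 hash:/etc/postfix/valid_recipients, reject_sender_login_mismatch,
 permit_mynetworks, permit_sasl_authenticated, reject_rbl_client
 zen.spamhaus.org, check_policy_service unix:private/policy-spf,
 reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""

def parse_postconf(text):
    """Parse `name = value` lines; indented lines continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def sasl_server_type(params):
    # `postconf -n` lists only non-default settings, so an absent
    # smtpd_sasl_type means the default applies (cyrus unless the
    # build overrode it at compile time).
    return params.get("smtpd_sasl_type", "cyrus")

def in_mynetworks(params, client_ip):
    # Assumption: only plain CIDR entries (no lookup tables, no "!" exclusions).
    ip = ipaddress.ip_address(client_ip)
    nets = params.get("mynetworks", "").replace(",", " ").split()
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def checks_before(params, target="permit_mynetworks"):
    """Restrictions evaluated before `target`; any of them may decide first."""
    # Assumption: restrictions are comma-separated, as in the quoted config.
    raw = params.get("smtpd_recipient_restrictions", "")
    items = [" ".join(r.split()) for r in raw.split(",") if r.strip()]
    names = [i.split()[0] for i in items]
    return items[:names.index(target)] if target in names else items
```
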