Re: Can't auth to postfix using a secondary server
On Fri, Jul 27, 2012 at 01:24:12PM +0100, Nicolás wrote:
> On 26/07/2012 15:52, /dev/rob0 wrote:
> >On Thu, Jul 26, 2012 at 01:45:54PM +0100, Nicolás wrote:
> >>On 23/07/2012 12:13, Nicolás wrote:
> >>>I have a server with postfix with virtual users (using MySQL),
> >>>it's working ok, let's call it A. I also have a secondary server,
> >>>which I want to use to send mails even outside my local network,
> >>>let's call it B. So I'm trying to configure B to relay through A
> >>>to send e-mails. The problem is I have SMTP auth enabled on A and
> >>>I'm missing something at the config of B because I get this error:
> [ ... ]

Somewhere in the cut part was this log line:
> >Jul 23 11:50:41 mail postfix/smtp: D7429100B65:
> >to=<root@...>, relay=mydomain.es[X.X.X.X.]:25,
> >delay=0.39, delays=0.09/0/0.22/0.08, dsn=5.0.0, status=bounced
> >(host mydomain.es[X.X.X.X.] said: 550-Please turn on SMTP
> >Authentication in your mail client, or login to the 550-IMAP/POP3
> >server before sending your message. 550-85.155.X.X.X.X
> >(mail.mydomain.es) [X.X.X.X]:60006 is 550 not permitted to relay
> >through this server without authentication. (in reply to RCPT TO

That's a multi-line non-Postfix-looking rejection. Find the
correlated smtpd(8) log line from A and show it. Lose the munging.
> >Either add the un-munged IP address of B to A's mynetworks, or
> >configure B to authenticate at A. SOHO_README has the excerpt from
> >SASL_README which describes the latter. BASIC_CONFIGURATION_README
> >covers the former.
> >If B has a dynamic IP address, the former choice is generally not
> >ideal. But you can do what I did: connect both sites via a VPN
> >tunnel, relay through the tunnel, and put the tunnel's address in
> Yes, that's my fault as I didn't post my mynetworks line. The B
> server has a static private IP address, so I added the private range
> to it.
> mynetworks = 127.0.0.0/8 192.168.0.0/24

This would have fixed the relay failure, if in fact you were
attempting relay through A.
> I'm pasting my postconf -n at the end of the mail with the changes
> you advised me.
> >>>smtpd_sasl_auth_enable = yes
> >>>smtpd_sasl_authenticated_header = yes
> >>>smtpd_sasl_security_options = noanonymous
> >It appears that you are using Cyrus SASL. (Why? What imapd are
> >you using?) Did you set it up properly?
> I'm not using Cyrus SASL. My postfix is integrated with Dovecot
> so that's my imapd.

Apparently you ARE using Cyrus SASL. What is "postconf
smtpd_sasl_type" showing on A?

Do note that if B is going to authenticate at A, it must have Cyrus
SASL, because that is the only supported means of client SASL in
> >>>2) Whole B main.cf config:
> >>>config_directory = /etc/postfix
> >>>relayhost = 192.168.0.14
> >And 192.168.0.14 is the IP address you munged out above? Why? If both
> >hosts are on the same LAN, why not just use A directly? Why do you
> >think you need B?
> That IP address is the server's. Both (server and client) machines
> are on the same LAN but the reason why I'm using B is because B has
> a bug-tracker installed on it sending mails on each update event.
> So I want to have it on a separate machine from A, because A is
> just the mail server and I would like to keep it that way, that's
> why I'm trying to relay B mails through A. That's the only idea I
> had, if you see any better solution I'll be glad to hear it.

Typically a nullclient implementation is simpler to set up, with
fewer moving parts and chances for disaster. There are lots of them
available. I don't have any to specifically recommend; maybe someone
> Finally my postconf -n, after changes:
> mynetworks = 127.0.0.0/8 192.168.0.0/24
> smtpd_recipient_restrictions = check_recipient_access
> hash:/etc/postfix/valid_recipients, reject_sender_login_mismatch,
> permit_mynetworks, permit_sasl_authenticated, reject_rbl_client
> zen.spamhaus.org, check_policy_service unix:private/policy-spf,

These should permit relaying. Again, that "check_recipient_access
hash:/etc/postfix/valid_recipients" looks like trouble.
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_security_options = noanonymous

smtpd_sasl_type is at the default. So is smtpd_sasl_path. Unless
overridden at compile time, Cyrus SASL is the default.
> transport_maps = mysql:/etc/postfix/mysql-virtual_transport.cf

Why are you using transport_maps? Things turn ugly when
transport_maps are unavailable, so it's generally not recommended to
have transport_maps in mysql. In fact, IME transport_maps are widely
misunderstood and overused. Most sites should not need them.
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
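
The two checks discussed in this thread, as an added example that is not part of the original message: whether the address A's smtpd log shows for the client falls inside A's `mynetworks`, and which `smtpd_sasl_type` is in effect when `postconf -n` does not list it. The sample settings are the ones quoted above; the function names and the client addresses 192.168.0.20 and 203.0.113.7 are constructed for illustration.

```python
import ipaddress

# Constructed sample: the settings quoted for host A, in `postconf -n` form.
SAMPLE_A = """\
mynetworks = 127.0.0.0/8 192.168.0.0/24
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""

def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            last = name.strip()
            params[last] = value.strip()
    return params

def in_mynetworks(client_ip, mynetworks):
    """Left-to-right first match over literal patterns; '!pattern' excludes.
    File and table references cannot be resolved offline and are skipped."""
    ip = ipaddress.ip_address(client_ip)
    for pattern in mynetworks.replace(",", " ").split():
        negate = pattern.startswith("!")
        pattern = pattern.lstrip("!")
        if pattern.startswith("/") or (":" in pattern and not pattern.startswith("[")):
            continue  # e.g. /etc/postfix/nets or hash:/etc/postfix/nets
        try:
            net = ipaddress.ip_network(pattern.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue
        if ip in net:
            return not negate
    return False

def relay_check(postconf_text, client_ip):
    """client_ip is the address A's smtpd log shows for the connecting host."""
    p = parse_postconf(postconf_text)
    return {
        "in_mynetworks": in_mynetworks(client_ip, p.get("mynetworks", "")),
        "sasl_enabled": p.get("smtpd_sasl_auth_enable", "no") == "yes",
        # `postconf -n` lists only explicit settings, so absence means the default.
        "smtpd_sasl_type": p.get("smtpd_sasl_type", "cyrus"),
    }
```

Call `relay_check(SAMPLE_A, ip)` with the client address taken from A's own smtpd log line rather than from B's interface configuration, since the two can differ when B reaches A by a public name.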