
Allowing relay from IP subnet

  • Andy Smith
    Message 1 of 4 , Mar 4, 2013
      Hi,

      I have the simple requirement to allow email relay from other local
      machines to a (Mac OS X) postfix server. This is so I can send emails
      from shell scripts running on any of the local machines from this
      office. So my wish is that I can relay mails from any machine in
      subnet 192.168.16.0/24 without authentication to some external email
      address.

      I've spent a couple of hours on this and I must be missing something,
      or have something wrong as I've not been able to achieve this simple
      config. My understanding is that normally just setting the mynetworks
      correctly should be sufficient but I still just get relay denied errors.

      My config is:

      biff = no
      command_directory = /usr/sbin
      config_directory = /Library/Server/Mail/Config/postfix
      daemon_directory = /usr/libexec/postfix
      data_directory = /Library/Server/Mail/Data/mta
      debug_peer_level = 2
      debug_peer_list = 192.168.16.19 192.168.16.141
      debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
      xxgdb $daemon_directory/$process_name $process_id & sleep 5
      dovecot_destination_recipient_limit = 1
      html_directory = /usr/share/doc/postfix/html
      imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
      inet_interfaces = all
      inet_protocols = all
      mail_owner = _postfix
      mailbox_size_limit = 0
      mailbox_transport =
      mailq_path = /usr/bin/mailq
      manpage_directory = /usr/share/man
      message_size_limit = 104857600
      mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
      mydomain_fallback = localhost
      mynetworks = 127.0.0.0/8, [::1]/128, 192.168.16.0/24
      newaliases_path = /usr/bin/newaliases
      queue_directory = /Library/Server/Mail/Data/spool
      readme_directory = /usr/share/doc/postfix
      recipient_delimiter = +
      relay_domains = dms.cat
      sample_directory = /usr/share/doc/postfix/examples
      sendmail_path = /usr/sbin/sendmail
      setgid_group = _postdrop
      smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
      smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
      smtpd_tls_ciphers = medium
      smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
      tls_random_source = dev:/dev/urandom
      unknown_local_recipient_reject_code = 550
      use_sacl_cache = yes


      The postfix logs when attempting to send unauthenticated mail are:

      Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: connect from
      unknown[192.168.16.19]
      Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: NOQUEUE:
      reject: RCPT from unknown[192.168.16.19]: 554 5.7.1 <asmith@...>:
      Relay access denied; from=<root@...> to=<asmith@...>
      proto=ESMTP helo=<iMac-de-Ana-Bru-2.domain.com>
      Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: disconnect from
      unknown[192.168.16.19]



      Can anyone help me out? I've checked through the documentation and
      read through quite a few forums, I'm left with the understanding that
      smtpd_client_restrictions = permit_mynetworks
      permit_sasl_authenticated permit should be sufficient but it doesn't
      work. I also tried adding the smtpd_recipient_restrictions config line
      as this wasn't present initially, but this made no difference.

      thanks in advance for any tips,

      thanks, Andy.
    • jeffrey j donovan
      Message 2 of 4 , Mar 4, 2013
        On Mar 4, 2013, at 9:03 AM, Andy Smith <asmith@...> wrote:

        > Hi,
        >
        > I have the simple requirement to allow email relay from other local machines to a (Mac OS X) postfix server.

        > <snip>
        > mynetworks = 127.0.0.0/8, [::1]/128, 192.168.16.0/24
        > <snip>
        >
        > thanks in advance for any tips,
        >
        > thanks, Andy.

        Greetings

        what version of osx server? if osx 10.7 or higher and you have included the "ServerApp" there are two mail configs;

        One is for the System
        One is for the ServerApp. The settings are located in /Library/Server/Mail/config/postfix

        -j
      • Andy Smith
        Message 3 of 4 , Mar 4, 2013
          Quoting jeffrey j donovan <donovan@...>:

          >
          > what version of osx server ? if osx 10.7 or higher and you have
          > included the " ServerApp " there are two mail configs;
          >
          > One is for the System
          > One is for the ServerApp. The settings are located in
          > /Library/Server/Mail/config/postfix


          Thanks for your reply Jeffrey! Yes there it is in my original post:

          config_directory = /Library/Server/Mail/Config/postfix

          I guess this means that the Library folder takes precedence over all
          the config in /etc? Anyway, I'm going to give it a test but looks like
          this was my issue,

          thanks a lot, Andy.
        • Viktor Dukhovni
          Message 4 of 4 , Mar 4, 2013
            On Mon, Mar 04, 2013 at 03:03:03PM +0100, Andy Smith wrote:

            > debug_peer_list = 192.168.16.19 192.168.16.141

            If this were your configuration, logs for connections from these
            clients would be verbose. Are they?

            > imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred

            This is an Apple-specific customization, make sure it is appropriate
            for your site.

            > mynetworks = 127.0.0.0/8, [::1]/128, 192.168.16.0/24

            This is generally sufficient to permit hosts in 192.168.16.0/24 to
            relay, with no further non-default settings.

            > smtpd_client_restrictions =
            > permit_mynetworks
            > permit_sasl_authenticated
            > permit

            This is pointless, it is equivalent to the default:

            smtpd_client_restrictions =

            Just remove this setting from main.cf.

            > smtpd_recipient_restrictions =
            > permit_mynetworks,
            > reject_unauth_destination

            This is the default setting, just remove this from main.cf (don't
            set it empty, rather don't assign any value at all, e.g. comment
            it out).

            > smtpd_tls_ciphers = medium
            > tls_random_source = dev:/dev/urandom

            These are harmless, but pointless unless you enable TLS via
            "-o ..." options in master.cf.

            > smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL

            You should not customize cipher exclusion for no reason. The
            defaults work better.

            Are there any "smtpd -o ..." options in master.cf?

            > use_sacl_cache = yes

            Apple-specific, find out what it does.

            > Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: connect from
            > unknown[192.168.16.19]
            > Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: NOQUEUE:
            > reject: RCPT from unknown[192.168.16.19]: 554 5.7.1
            > <asmith@...>: Relay access denied; from=<root@...>
            > to=<asmith@...> proto=ESMTP helo=<iMac-de-Ana-Bru-2.domain.com>
            > Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: disconnect
            > from unknown[192.168.16.19]

            No evidence of debug logging, likely your Postfix is not using
            the main.cf file you're showing.

            > I'm left with the understanding
            > that smtpd_client_restrictions = permit_mynetworks
            > permit_sasl_authenticated permit should be sufficient but it doesn't
            > work.

            This setting has no effect at all.

            > I also tried adding the smtpd_recipient_restrictions config
            > line as this wasn't present initially, but this made no difference.

            This is the default, and permits clients in mynetworks. So likely
            your server is using a different main.cf file.

            --
            Viktor.
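
The cross-check behind the last reply (a client inside mynetworks that is still refused relay points to a different main.cf being in effect) can be run mechanically. This is an added example, not part of the original thread: the function names are hypothetical, the second log line is constructed, and only literal CIDR entries in mynetworks are handled (table lookups, file paths and "!" exclusions are rejected).

```python
import ipaddress
import re

# From the thread (log line unwrapped); the second log line is constructed.
MYNETWORKS = "127.0.0.0/8, [::1]/128, 192.168.16.0/24"
LOG = (
    "Mar 4 12:33:52 server.domain.com postfix/smtpd[7340]: NOQUEUE: reject: "
    "RCPT from unknown[192.168.16.19]: 554 5.7.1 <asmith@...>: Relay access "
    "denied; from=<root@...> to=<asmith@...> proto=ESMTP "
    "helo=<iMac-de-Ana-Bru-2.domain.com>\n"
    "Mar 4 12:40:01 server.domain.com postfix/smtpd[7351]: NOQUEUE: reject: "
    "RCPT from unknown[203.0.113.7]: 554 5.7.1 <x@example.org>: Relay access "
    "denied; from=<a@example.net> to=<x@example.org> proto=ESMTP "
    "helo=<host.example.net>\n"
)
RELAY_DENIED = re.compile(
    r"reject: RCPT from \S*\[([0-9A-Fa-f:.]+)\]: 554 5\.7\.1 .*Relay access denied"
)


def parse_mynetworks(value):
    """Parse literal mynetworks entries; Postfix writes IPv6 as [addr]/len."""
    nets = []
    for item in filter(None, re.split(r"[,\s]+", value)):
        if item.startswith("["):
            item = item.replace("[", "").replace("]", "")
        elif item.startswith(("/", "!")) or ":" in item:
            # File paths, exclusions and type:table lookups are out of scope here.
            raise ValueError(f"unsupported mynetworks entry: {item}")
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def trusted(ip, nets):
    """True if the client address falls inside one of the parsed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


def mismatched_rejects(log, mynetworks):
    """Clients refused relay although the inspected mynetworks trusts them."""
    nets = parse_mynetworks(mynetworks)
    return [ip for ip in RELAY_DENIED.findall(log) if trusted(ip, nets)]


if __name__ == "__main__":
    for ip in mismatched_rejects(LOG, MYNETWORKS):
        print(f"{ip}: in mynetworks but relay denied; check which main.cf is live")
```

A non-empty result means the main.cf being inspected is not the one the running smtpd uses; comparing `postconf -n` with `postconf -c <config_directory> -n` shows which file holds the effective values.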