Relay access denied when using SMTP to external recipients


Kamran Shah
10th October 2005, 13:59
Unable to send emails to any domains not hosted locally on this server via SMTP client. If I do the same using SMTP client I receive NDR and below message in my /var/log/maillog.

Oct 10 12:12:12 portal postfix/smtpd[9641]: NOQUEUE: reject: RCPT from gateway[195.xx.xx.xxx]: 554 <me@yahoo.com>: Relay access denied; from=<me@mydomain.com> to=<me@yahoo.com> proto=ESMTP helo=<Inbox>

Everything works fine if I use web mail client UebiMiau except UebiMiau translates internal emails to me@mydomain.com@myserverhostname.com. But at it lets me send emails to me@yahoo.com without any problem, see the log message below which works perfectly.

Oct 10 12:25:32 portal postfix/smtp[9943]: 78FFA485C8E: to=<me@yahoo.com>, relay=mx2.mail.yahoo.com[4.79.181.13], delay=23, status=sent (250 ok dirdel)

I have read a few threads where people are facing this error "Relay access denied" but couldn't really find the resolution for my problem.

I have perfectly installed ISPConfig on FC4 without any problems. /etc/postfix/main.cf has following entry as per installation instruction. I have tried check_relay_domains appears same after restarting postfix.

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

falko
10th October 2005, 14:38
Everything works fine if I use web mail client UebiMiau except UebiMiau translates internal emails to me@mydomain.com@myserverhostname.com. But at it lets me send emails to me@yahoo.com without any problem, see the log message below which works perfectly.

That's because you're on the system itself when you use webmail (the webmail program is running on the server).

In your email client you have to activate something like "Server needs authentication." for that mailbox.
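The explanation above, as an added sketch that is not part of the original thread and is not Postfix code: a simplified Python model of how Postfix walks `smtpd_recipient_restrictions` for one RCPT TO. It models only the three restrictions quoted in this thread; the `relay_destinations` set (a stand-in for mydestination, relay_domains and the virtual domain lists), the address 203.0.113.10 and the sample domains are assumptions made for illustration.

```python
import ipaddress

# Taken from the thread: the restriction list from the first post and a
# mynetworks value posted later. Everything else here is constructed.
RESTRICTIONS = "permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination"
MYNETWORKS = "127.0.0.0/8, 192.168.1.0/24"


def split_list(value):
    """Split a main.cf list value on commas and whitespace."""
    return value.replace(",", " ").split()


def client_in_mynetworks(client_ip, mynetworks):
    """True if the connecting IP is inside any network listed in mynetworks."""
    ip = ipaddress.ip_address(client_ip)
    for net in split_list(mynetworks):
        # strict=False tolerates entries with host bits set, e.g. 127.0.0.1/8
        if ip in ipaddress.ip_network(net, strict=False):
            return True
    return False


def check_rcpt(client_ip, sasl_authenticated, rcpt, relay_destinations,
               restrictions=RESTRICTIONS, mynetworks=MYNETWORKS):
    """Return (action, deciding_restriction) for one RCPT TO command.

    Restrictions are evaluated left to right and the first one that
    matches decides. If none matches, the recipient is accepted.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for name in split_list(restrictions):
        if name == "permit_sasl_authenticated":
            if sasl_authenticated:
                return ("permit", name)
        elif name == "permit_mynetworks":
            if client_in_mynetworks(client_ip, mynetworks):
                return ("permit", name)
        elif name == "reject_unauth_destination":
            # Simplification: real Postfix also matches subdomains and
            # consults several domain lists, merged here into one set.
            if domain not in relay_destinations:
                return ("reject 554 Relay access denied", name)
        else:
            raise ValueError("restriction not modelled: %r" % name)
    return ("permit", "end of list")


def demo():
    """Run the cases discussed in the thread; returns a list of results."""
    local = {"mydomain.com"}  # constructed: domain hosted on this server
    cases = [
        # (description, client IP, authenticated?, recipient)
        ("webmail on the server itself", "127.0.0.1", False, "me@yahoo.com"),
        ("LAN client, no auth", "192.168.1.20", False, "me@yahoo.com"),
        ("outside client, no auth", "203.0.113.10", False, "me@yahoo.com"),
        ("outside client, SMTP AUTH", "203.0.113.10", True, "me@yahoo.com"),
        ("outside client, local rcpt", "203.0.113.10", False, "me@mydomain.com"),
    ]
    return [(desc, check_rcpt(ip, auth, rcpt, local))
            for desc, ip, auth, rcpt in cases]


if __name__ == "__main__":
    for desc, (action, why) in demo():
        print("%-30s -> %s (%s)" % (desc, action, why))
```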

Kamran Shah
10th October 2005, 16:24
That's because you're on the system itself when you use webmail (the webmail program is running on the server).

In your email client you have to activate something like "Server needs authentication." for that mailbox.

Any ideas what would be the fix, I have opened a separate thread for this issue as it doesn't relate to relaying http://www.howtoforge.com/forums/showthread.php?p=3952#post3952

falko
10th October 2005, 17:39
Did you enable "Server needs authentication" in your email client?

Kamran Shah
11th October 2005, 13:07
I was using my Pocket PC (Orange M2000 with WM2003SE) Email client and configuration worked for another free pop3/smtp server but not for this one I installed with ISPConfig.

After Falko's reply I realised it could be this client so tried on Outlook Express on my PC which worked perfectly so it is down to the client I have on my PPC.

If I enable Server Authentication on my PPC it would come up with connectivity error while without server authentication it worked for internal mail destinations.

I finally tweaked with my PPC client and found that Server information contains Incoming mail, Outgoing mail and Domain where I was adding the same domain name I wanted to get email working. After deleting domain from these tried again and it worked, not sure what this domain means and why is it here, can't see such thing in Outlook Express.

I was already impressed with Falko's knowledge from previous posts and knew he will fix it.

Although my webmail issue is still there, which is probably down to the UebiMiau settings which I can't find how to fix. I used the package to install from ispconfig.com but might try squirrelmail or any other client some other time.

caMi
10th September 2006, 16:09
I have had the same problems (Debian, also Web-FTP-Tool), here is "my" solution:

remove "localhost" in hosts-File (http://www.howtoforge.com/forums/showthread.php?t=2468&page=2#18)

Greetings
caMi

tonsai
27th November 2006, 18:10
Make sure you are authenticating to your 'outgoing' mail server and not the incoming.

torgnyw
21st December 2006, 23:26
Set mynetworks = 127.0.0.0/8, 192.168.1.0/24

My home network is 192.168.1.0 with netmask 255.255.255.0 (24 bit mask)
This worked fine for me. This setting sets what networks you allow to send mail through your smtp server.

-Torgny

massimopasquali
10th January 2007, 14:01
Hello

I have the same problem, but I have configured Postfix to authenticate the sender. Postfix works fine when I use it inside my LAN, but when I leave my office and connect with my notebook over a dial-up internet connection, I can't send email to addresses outside my domain, because I receive the error 554 relay access denied.

What do you think about my problem?

Bye!

falko
11th January 2007, 19:17
Did you enable "Server requires authentication" in your email client?
What's in /etc/postfix/main.cf (please strip out the comments)?

massimopasquali
12th January 2007, 08:59
this is my main.cf

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
setgid_group = postdrop

append_dot_mydomain = no

smtp_banner = $myhostname ESMTP pasqualinformatica.com
biff = no

myhostname =smtp.pasqualinformatica.com

mydestination = $myhostname loalhost localhost.$mydomain

#relay_domains =
mynetworks = 127.0.0.1/8, 192.168.3.0/24

disable_vrfy_command = yes
smtpd_helo_required = yes


virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf

virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf

virtual_uid_maps = static:1008
virtual_gid_maps = static:1008

alias_maps = mysql:/etc/postfix/mysql-alis_maps.cf

smtpd_sender_restrictions = permit_sasl_authenticated,
    permit_mynetworks

smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination


smtpd_sasl_auth_enable = yes
#smtpd_sasl_local_domain = yes
smtpd_sasl_security_options = noanonymous
smtp_sasl_password_maps = mysql:/etc/postfix/mysql_auth.conf
smtp_sender_login_maps = mysql:/etc/postfix/mysql_auth.conf

smtpd_pix_workaround_delay_time = 20s
smtpd_pix_workaround_threshold_time = 500s

#message_size_limit = 10240000
message_size_limit = 20240000
#message_size_limit = 3000000


Can you look please? Because I am becoming crazy

thanks

falko
13th January 2007, 15:13
Did you enable "Server requires authentication" in your email client?

massimopasquali
13th January 2007, 16:40
Yes, I did it

falko
14th January 2007, 18:39
And do you use the correct username and password in your email client?

What's the output of telnet localhost 25
ehlo localhost?

xionax
11th February 2007, 20:32
And do you use the correct username and password in your email client?

What's the output of telnet localhost 25
ehlo localhost?
I'm encountering the exact same problem.
The output is, for me:

anderith:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 anderith.rg-it.net ESMTP Postfix (Debian/GNU)
ehlo localhost
250-anderith.rg-it.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME

- SMTP authentication is enabled
Postconf -n is:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
delay_warning_time = 4h
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command =
mailbox_size_limit = 0
mydestination = /etc/postfix/local-host-names
myhostname = anderith.rg-it.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

cat /etc/postfix/virtusertable:

anderith:~# cat /etc/postfix/virtusertable
###################################
#
# ISPConfig virtusertable Configuration File
# Version 1.0
#
###################################
support@www.rg-it.net web2_rgit
web2_rgit@www.rg-it.net web2_rgit
support@rg-it.net web2_rgit
web2_rgit@rg-it.net web2_rgit
support@rails.rg-it.net web2_rgit
web2_rgit@rails.rg-it.net web2_rgit
robert@www.xs4some.org web3_robert
web3_robert@www.xs4some.org web3_robert
robert@xs4some.org web3_robert
web3_robert@xs4some.org web3_robert
robert@xs4some.org..xs4some.org web3_robert
web3_robert@xs4some.org..xs4some.org web3_robert
robert@blog.xs4some.org web3_robert
web3_robert@blog.xs4some.org web3_robert
#### MAKE MANUAL ENTRIES BELOW THIS LINE! ####anderith:~#


cat /etc/postfix/local-host-names:

anderith:~# cat /etc/postfix/local-host-names
###################################
#
# ISPConfig local-host-names Configuration File
# Version 1.0
#
###################################
localhost
anderith.rg-it.net
localhost.anderith.rg-it.net
localhost.rg-it.net
localhost.localdomain
www.xerox.rg-it.net
www.rg-it.net
www.xs4some.org
xerox.rg-it.net
rg-it.net
rails.rg-it.net
xs4some.org
xs4some.org..xs4some.org
blog.xs4some.org
#### MAKE MANUAL ENTRIES BELOW THIS LINE! ####anderith:~#

Situation: I'm trying to send an email - from Outlook - to an @gmail.com address.
Internal (within my @xs4some.org domain) works OK, webmail works OK, telnet locally works ok, telnet externally doesn't work.
And of course; from Outlook it doesn't work.

Some help is definitely appreciated. :)

edit:
Almost forgot to mention; I'm running Debian Sarge.

falko
12th February 2007, 15:06
Almost forgot to mention; I'm running Debian Sarge.
By reading the output of postconf -n, I assume you didn't follow the "Perfect Setup for Debian Sarge"? Please configure your Postfix as described here: http://www.howtoforge.com/perfect_setup_debian_sarge_p4
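An added example, not part of the original thread: the `ehlo localhost` check requested in this thread shows whether the server offers SMTP AUTH at all, because Postfix advertises an AUTH line in its EHLO reply only when `smtpd_sasl_auth_enable = yes` is in effect. The Python below parses a pasted transcript; the first sample is the one posted above, the second is constructed, and the function names are this example's own.

```python
import re

# A reply line of the EHLO response: "250-" continues, "250 " ends it.
EHLO_LINE = re.compile(r"^250([ -])(.*)$")

# Transcript as posted in this thread.
POSTED_TRANSCRIPT = """\
220 anderith.rg-it.net ESMTP Postfix (Debian/GNU)
ehlo localhost
250-anderith.rg-it.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
"""

# Constructed transcript of a server with SASL and TLS enabled.
CONSTRUCTED_TRANSCRIPT = """\
220 mail.example.com ESMTP Postfix
ehlo localhost
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
"""


def parse_ehlo(transcript):
    """Return {KEYWORD: [parameters]} for the extensions in an EHLO reply."""
    caps = {}
    seen_greeting = False
    for raw in transcript.splitlines():
        match = EHLO_LINE.match(raw.strip())
        if not match:
            continue  # banner, typed commands, telnet chatter
        if not seen_greeting:
            seen_greeting = True  # first 250 line is the server's hostname
            continue
        text = match.group(2).strip()
        if not text:
            continue
        # "AUTH=PLAIN LOGIN" is the legacy form that Postfix adds when
        # broken_sasl_auth_clients = yes; fold it into the normal keyword.
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]
        parts = text.split()
        params = caps.setdefault(parts[0].upper(), [])
        for param in parts[1:]:
            if param.upper() not in params:
                params.append(param.upper())
    return caps


def smtp_auth_status(transcript):
    """Summarise what matters for a 'Relay access denied' diagnosis."""
    caps = parse_ehlo(transcript)
    return {
        "auth_offered": "AUTH" in caps,
        "mechanisms": sorted(caps.get("AUTH", [])),
        "starttls": "STARTTLS" in caps,
    }


if __name__ == "__main__":
    print("posted:     ", smtp_auth_status(POSTED_TRANSCRIPT))
    print("constructed:", smtp_auth_status(CONSTRUCTED_TRANSCRIPT))
```

When `smtpd_tls_auth_only = yes` is set, Postfix offers AUTH only after STARTTLS, so a plain telnet session will not show it even though authentication is enabled.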

nevernamed
27th May 2007, 23:16
I seem to be having the same problem.
When I log into my webmail (squirrelmail) I can send mail no problem. I sent mail to my gmail and it got there. However, when I try to send mail through my thunderbird e-mail client I get the relay access denied error.
This is odd because I've had no problems with this system for about a month since I initially got it running. Does anybody have any idea what within my client could be causing the problem? Thanks!

falko
28th May 2007, 17:28
Did you enable "Server requires authentication." in your email client?

nevernamed
29th May 2007, 02:43
Yes I did. I just got home and I tried it again and I was able to send mail (to my gmail). This leads me to believe that it's just something not allowing me to send mail from outside of my network. Do you know what it might be? The only mail port that I have open is 993.... could that be the problem?

falko
30th May 2007, 16:11
"Server requires authentication." allows your mail client to use SMTP-AUTH which is required to send mails outside your server.

Port 993 is for IMAPS. For sending emails, port 25 (SMTP) must be open.

nevernamed
1st June 2007, 03:35
odd... I have port 25 open...

ThePFY
21st July 2007, 18:10
Hi

I have got postfix installed on fedora core 6 (I followed the Howto)
I can get e-mail out to my gmail address but when I reply I get the error message relay access denied when I try to reply from my g-mail account

NDR from gmail
Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 13): 554 5.7.1 <rjb@ramage.org.uk>: Relay access denied

----- Original message -----

Received: by 10.114.36.1 with SMTP id j1mr1494765waj.1185033628511;
Sat, 21 Jul 2007 09:00:28 -0700 (PDT)
Received: by 10.114.190.16 with HTTP; Sat, 21 Jul 2007 09:00:28 -0700 (PDT)
Message-ID: <f8927d890707210900q7e8c2b21qe8c503ec73a0aca5@mail.gmail.com>
Date: Sat, 21 Jul 2007 17:00:28 +0100
From: "Ryan Bryant" <ryan.bryant@gmail.com>
To: "Ryan John Bryant" <rjb@ramage.org.uk>
Subject: Re: Tester
In-Reply-To: <002001c7cbb0$3bdb2a10$6801a8c0@dreadnought>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_121565_8195519.1185033628354"
References: <002001c7cbb0$3bdb2a10$6801a8c0@dreadnought>


If you want / need any more info I will be glad to provide it and welcome and thank you for your support in advance
:)

falko
22nd July 2007, 17:47
Hi

i have got postfix installed on fedora core 6 (I followed the Howto)
What tutorial exactly (URL)?
i can get e-mail out to my gmail address but when i reply i get the error message relay access denied when i try to reply from my g-mail account
What's the output of postconf -n? Do you use ISPConfig?

rusty
17th December 2007, 08:32
Did you enable "Server needs authentication" in your email client?

I have a similar issue. I can send mail from the server using command line (telnet), however using Outlook I get relay access denied. I have Outlook set to use authentication (same settings as incoming mailserver). I receive mail just fine in Outlook.

log: Dec 17 02:13:46 mail postfix/smtpd[10296]: NOQUEUE: reject: RCPT from static-12-134-58-18.verizon.net[12-134-58-18]: 554 5.7.1 <joe@aol.com>: Relay access denied; from=<rusty@domain.com> to=<joe@aol.com> proto=ESMTP helo=<computername>

Would you have any ideas? Thanks!

falko
18th December 2007, 15:56
I have a similar issue. I can send mail from the server using command line (telnet), however using Outlook I get relay access denied. I have Outlook set to use authentication (same settings as incoming mailserver). I receive mail just fine in Outlook.
Are you absolutely sure you checked the right option in Outlook? If so, what's in /etc/postfix/main.cf, and what's the output of
telnet localhost 25
and then ehlo localhost?

rusty
20th December 2007, 03:52
# telnet localhost 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain.com
myhostname = mail.domain.com
mynetworks = 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.domain.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.domain.com.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/mtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000




# dovecot -n
# 1.0.7: /etc/dovecot.conf
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: maildir:/home/vmail/%d/%n
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  passdb:
    driver: sql
    args: /etc/dovecot-mysql.conf
  userdb:
    driver: passwd
  userdb:
    driver: static
    args: uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail
rusty
20th December 2007, 06:05
I wanted to repost my output from postconf -n and dovecot -n because I'm not sure I was using the latest main.cf and dovecot.conf files. Also I have the output from netstat -tap that doesn't show anything on port 25.

I hope someone can help me as I've been stuck at this point for a week. Thanks so much for your time and effort!

netstat -tap
tcp 0 0 localhost.localdomain:2208 *:* LISTEN 2639/hpiod
tcp 0 0 *:imaps *:* LISTEN 6975/dovecot
tcp 0 0 *:pop3s *:* LISTEN 6975/dovecot
tcp 0 0 localhost.localdomain:10025 *:* LISTEN 7058/master
tcp 0 0 *:rtps-dd-mt *:* LISTEN 3235/hptsvr
tcp 0 0 *:mysql *:* LISTEN 2821/mysqld
tcp 0 0 *:courierpassd *:* LISTEN 2701/xinetd
tcp 0 0 *:fcp-udp *:* LISTEN 2324/rpc.statd
tcp 0 0 *:7403 *:* LISTEN 3235/hptsvr
tcp 0 0 *:5900 *:* LISTEN 3485/vino-server
tcp 0 0 *:pop3 *:* LISTEN 6975/dovecot
tcp 0 0 localhost.local:dyna-access *:* LISTEN 2717/clamd
tcp 0 0 *:imap *:* LISTEN 6975/dovecot
tcp 0 0 localhost.localdomain:783 *:* LISTEN 2869/spamd.pid
tcp 0 0 *:sunrpc *:* LISTEN 2285/portmap
tcp 0 0 *:x11 *:* LISTEN 3401/X
tcp 0 0 *:ndmp *:* LISTEN 3291/perl
tcp 0 0 *:http *:* LISTEN 3006/httpd
tcp 0 0 *:ftp *:* LISTEN 3265/pure-ftpd (SER
tcp 0 0 *:ssh *:* LISTEN 2682/sshd
tcp 0 0 localhost.localdomain:ipp *:* LISTEN 2661/cupsd
tcp 0 0 *:https *:* LISTEN 3006/httpd
tcp 0 0 localhost.localdomain:2207 *:* LISTEN 2644/python

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost
mydomain = domain.com
myhostname = mail.domain.com
mynetworks = 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt
smtpd_tls_key_file = /etc/postfix/tls/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/mtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

# dovecot -n
# 1.0.7: /etc/dovecot.conf
listen(default): *:143
listen(imap): *:143
listen(pop3): *:110
ssl_listen(default): *:993
ssl_listen(imap): *:993
ssl_listen(pop3): *:995
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
first_valid_uid: 5000
last_valid_uid: 5000
first_valid_gid: 5000
last_valid_gid: 5000
mail_location: maildir:/home/vmail/%d/%n
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
  passdb:
    driver: sql
    args: /etc/dovecot-mysql.conf
  userdb:
    driver: passwd
  userdb:
    driver: static
    args: uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
    master:
      path: /var/run/dovecot/auth-master
      mode: 384
      user: vmail

rusty
20th December 2007, 06:56
Aha, I removed amavisd from main.cf and master.cf and uncommented
smtp inet n - n - - smtpd in master.cf
and now smtp is working. Unfortunately, I'm still stuck with this relay access denied message. I'll have to find out why the amavisd service fails to start, but still could use help on the relay access denied issue.

rusty
20th December 2007, 21:14
I think that my authentication issue may arise out of postfix or dovecot not being able to get the user name and password from mysql. I'm trying to understand how that process works so I can look in the right place.

It would be great if someone could explain how this part works. On the incoming side, there doesn't seem to be a problem with mysql.

I'm not sure whether I should look at dovecot or postfix for the problem. Dovecot is the SASL type. I've done a lot of reading on this, but there doesn't seem to be very specific info on what is actually happening when Outlook attempts to authenticate with the SMTP part of Postfix/Dovecot.

And I have questions about where I should look. Should I look in main.cf or master.cf? Or should I look at dovecot-mysql.conf or one of the mysql_virtual.....cf files? All this work is good for me as I'm learning a lot, but I sure could use some help on this part.

Thanks,

Eric

falko
21st December 2007, 12:35
The relay access denied error has nothing to do with Dovecot - Dovecot is for fetching the emails from the server only. I think it's a problem with saslauthd.
Which distribution are you using? What's the output of ps aux | grep saslauthd?

rusty
22nd December 2007, 17:46
Thanks Falko.

I'm on Centos 5 (64).

# ps aux | grep saslauthd
root 3138 0.0 0.0 40008 476 ? Ss 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3139 0.0 0.0 40008 264 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3140 0.0 0.0 40008 260 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3141 0.0 0.0 40008 260 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3143 0.0 0.0 40008 260 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3742 0.0 0.0 60252 720 pts/0 R+ 11:42 0:00 grep saslauthd

falko
23rd December 2007, 17:13
What's in /usr/lib64/sasl2/smtpd.conf? It should look like this:

pwcheck_method: saslauthd
mech_list: plain login

rusty
6th January 2008, 19:03
Sorry for the delay, I was away on vacation. I resolved the issue.

In Postfix 2.3 or later, one can use dovecot for sasl, which is what I was doing. Falko's comments about SASL helped me focus on that area and I found that PAM was not enabled in dovecot.conf

Thank you Falko!

Challenger
27th April 2008, 13:17
Hello all,

My problem is similar. I can connect when on my internal network through a variety of means, including IMAP and SMTP/POP, with and without TLS. However when I try to connect externally, I get 'relay denied' errors in my Postfix mail log as follows:

NOQUEUE: reject: RCPT from unknown[xxx.xxx.xxx.xxx <but see comment below>]: 554 5.7.1 <username1@in.access.table>: Relay access denied; from=<username2@in.access.table> to=<username1@in.access.table> proto=ESMTP helo=<Inbox>

(I have of course blanked out the IP address and changed the email addresses to show that I think they are checked)

Now, I'm not sure whether this is a Postfix configuration problem, or a sasl problem (I do not have a sasl2/smtpd.conf file that I can find anywhere on my system!), or indeed a NAT problem (see below). I have checked 'authenticate outgoing mail' on my client.

But here's the IP address discussion bit (possible NAT problem) as promised in the log entry: I have of course defined my networks and specified to permit them in Postfix's main.cf. However the error log suggests that Postfix might be rejecting on the IP address. It appears that it is seeing my public IP address from the public side of my router, not my local network IP address. I.E. my router might not be performing NAT properly. I.E. it is port forwarding, (Telnetting gets through fine) but not network address translating. Could this be (part of) the problem?

I hope you can help, I've been on this for weeks. I'm happy to post any config file snippets, log entries etc that you might need.

Thanks in advance,

Andy
:(

falko
28th April 2008, 21:46
Which distribution are you using? Did you enable "Server requires authentication" in your email client?

Challenger
29th April 2008, 00:28
Hi Falko, thanks for replying.

I'm using Ubuntu 7.10. Yes, I have checked "Server requires authentication" in my client - and specified to use SSL for both incoming and outgoing.

Andy

falko
29th April 2008, 16:46
What's in /etc/postfix/sasl/smtpd.conf and /etc/postfix/main.cf?

Does it work if you disable SSL?

Challenger
29th April 2008, 20:46
Hi again Falko,

Thanks for trying to help. I answer your questions in the order you asked them.

1. My /etc/postfix/sasl directory is completely empty! Might that be the problem!?

2. The non-comment bits of /etc/postfix/main.cf are (I've protected anything sensitive like: 'working access file'):

----------------------------------------------------------------
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

smtpd_tls_cert_file = 'a file'
smtpd_tls_key_file = 'another file'
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

alias_maps = hash:/etc/aliases
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +

smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:'working passwd file location'
smtp_sasl_security_options=

maximal_queue_lifetime = 1d
mydomain = pooh.boul.net
myorigin = pooh.boul.net
mydestination = pooh.boul.net, localhost.pooh.boul.net, localhost.boul.net, localhost
home_mailbox = Maildir/

mynetworks = 127.0.0.0/8, 192.168.1.0/24

relayhost = outbound.mailhop.org:2525
smtpd_delay_reject = no
smtpd_sender_restrictions = hash:'working access file', reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:'working access file', reject_unauth_destination
smtpd_helo_required = yes
relay_domains = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit_inet_interfaces
hash_queue_depth = 3
delay_warning_time = 1
--------------------------------------------------------

3. It doesn't work if I turn off SSL in the client; it makes no difference. As you can see from above, SSL isn't required, just nice to have. I haven't tried turning off SSL completely (i.e. commenting out the relevant lines completely in main.cf).

Any ideas?

Thanks,

Andy

falko
30th April 2008, 16:23
Which tutorial did you use to set up the system? Are you trying to use virtual users or system users?

Challenger
1st May 2008, 08:36
I didn't really use a tutorial as such. I installed packages then used help files to adjust out-of-the-box settings.

I am only interested in system users.

Thanks.

falko
2nd May 2008, 14:39
Please follow chapter 14 from http://www.howtoforge.com/perfect_server_ubuntu7.10_p5

This link might be interesting if you want to set up mail accounts on the command line: http://www.howtoforge.com/forums/showthread.php?t=2

Challenger
10th May 2008, 19:33
Hi Falko, and thanks for the pointer to the tutorial. I did as it suggested (but without the complete reinstall of postfix and procmail).

My /etc/postfix/main.cf and /etc/default/saslauthd are now the same as in the tutorial.

However I'm still having problems. My mail log file offers:

May 10 18:20:16 pooh postfix/smtpd[8139]: setting up TLS connection from unknown[xx.xx.xx.xx (real values removed)]
May 10 18:20:16 pooh postfix/smtpd[8139]: TLS connection established from unknown[xx.xx.xx.xx]: SSLv3 with cipher RC4-MD5 (128/128 bits)
May 10 18:20:16 pooh postfix/smtpd[8139]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
May 10 18:20:16 pooh postfix/smtpd[8139]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
May 10 18:20:16 pooh postfix/smtpd[8139]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: authentication failure
May 10 18:20:17 pooh postfix/smtpd[8139]: warning: unknown[xx.xx.xx.xx]: SASL NTLM authentication failed: bad protocol / cancel
May 10 18:20:17 pooh postfix/smtpd[8139]: disconnect from unknown[xx.xx.xx.xx]

and of course my mail client reports that it is unable to send the message.

Any ideas? How / where should I have created the sasldb2 files / entries? Previously I have listed permitted users in an access file in the postfix directory (converted to .db format of course)...?

Andy

falko
11th May 2008, 23:07
What's in /etc/postfix/sasl/smtpd.conf, /etc/default/saslauthd, and /etc/postfix/main.cf?

Challenger
13th May 2008, 17:33
Hi Falko, and thanks again.

/etc/postfix/sasl/smtpd.conf contains:

--------------------------------------
pwcheck_method: saslauthd
mech_list: plain login
-----------------------------------------

/etc/default/saslauthd contains:

-------------------------------------
# This needs to be uncommented before saslauthd will be run automatically
# START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

# MECHANISMS="pam"
# PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"

# Falko's settings below
#
# Settings for saslauthd daemon
#

# Should saslauthd run automatically on startup? (default: no)

START=yes

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
------------------------------------------------------------------


/etc/postfix/main.cf contains:

-------------------------------------------------------------------------
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters [Falko: these just happen to be where my (self-generated) certs are. TLS has worked before]
smtpd_tls_cert_file = /etc/apache2/ssl.crt
# Following line added by Andy
smtpd_tls_key_file = /etc/apache2/ssl.key
# Following line added by Andy
# smtpd_tls_key_file=/etc/ssl/certs/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = pooh.boul.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
home_mailbox = Maildir/
mydestination = pooh.boul.net, localhost.pooh.boul.net, localhost.boul.net, localhost
relayhost =
mynetworks = 127.0.0.0/8, 192.168.1.0/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
maximal_queue_lifetime = 1d
relayhost = outbound.mailhop.org:2525
smtpd_helo_required = yes
delay_warning_time = 1

# Following lines to end added by Andy
# smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd


# force authentication
# smtp_sasl_security_options = noanonymous
# be courteous ! (optional)
# smtp_helo_name = pooh.boul.net
# identify yourself (optional)
# smtpd_banner = Pooh Boul Mail

# maximal_queue_lifetime = 1d
# mydomain = pooh.boul.net
# myorigin = pooh.boul.net
# mydestination = pooh.boul.net, localhost.pooh.boul.net, localhost.boul.net, localhost
# home_mailbox = Maildir/

# relayhost = outbound.mailhop.org:2525
# smtpd_delay_reject = no
# smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain
# smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/access, reject_unauth_destination
# smtpd_helo_required = yes
# relay_domains = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit_inet_interfaces
# hash_queue_depth = 3
# delay_warning_time = 1
---------------------------------------------------------------------

You can see there is a lot I have tried in main.cf, but I have commented out everything not in the tutorial.

Thanks again for your help,

Andy

falko
14th May 2008, 16:51
Looks ok. Can you restart saslauthd and Postfix?

If that doesn't help, what's in /etc/postfix/master.cf?

Challenger
14th May 2008, 19:41
I've restarted Postfix, and entered the following to restart saslauthd:

> /etc/init.d/saslauthd restart
* To enable saslauthd, edit /etc/default/saslauthd and set START=yes

However, when checking the running processes, saslauthd doesn't appear. I don't think it's running. What have I done wrong!?

In case it's useful, master.cf is:
------------------------------------------------------------------
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ============================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ============================================================================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_enforce_tls=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - - - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
  -o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
--------------------------------------------------------------------


Thanks,

Andy

falko
15th May 2008, 19:43
Please make /etc/default/saslauthd look exactly as shown on http://www.howtoforge.com/perfect_server_ubuntu7.10_p5

Challenger
16th May 2008, 18:36
Hi again,

I have made it exactly the same as you suggested (I cut and pasted, and checked). I then restarted saslauthd and Postfix, but I have the same symptoms.

My Postfix log file gives:
-----------------------------------------------------------------
May 16 17:28:24 pooh postfix/smtpd[26512]: connect from unknown[xx.xx.xx.xx (hidden as this is my public ip address)]
May 16 17:28:25 pooh postfix/smtpd[26512]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
May 16 17:28:25 pooh postfix/smtpd[26512]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: generic failure
May 16 17:28:25 pooh postfix/smtpd[26512]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
May 16 17:28:25 pooh postfix/smtpd[26512]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: generic failure
May 16 17:28:25 pooh postfix/smtpd[26512]: disconnect from unknown[xx.xx.xx.xx]
----------------------------------------------------------------

Also, as I said before, checking running processes does not show that saslauthd is actually running anywhere (I checked all process owners, including root, myself, postfix and saslauthd).

And when I do a restart of saslauthd, using:

/etc/init.d/saslauthd restart

The command line returns:

* To enable saslauthd, edit /etc/default/saslauthd and set START=yes

(which of course I have done by making /etc/default/saslauthd exactly as you say)

I don't think the daemon is running at all, for some reason...?

Andy

falko
17th May 2008, 15:39
Did you do all changes as root or as a normal user?

What's in /etc/default/saslauthd now?

Challenger
18th May 2008, 11:32
Hi Falko,

Yes, all changes done as root. Permissions are as follows:

main.cf:
User: root
Group: root
Octal: 0644

smtpd.conf:
User: root
Group: root
Octal: 0644

saslauthd:
User: root
Group: root
Octal: 0744

saslauthd now contains:
------------------------------------------
#
# Settings for saslauthd daemon
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
-----------------------------------------------------------------

Thanks again,

Andy

falko
19th May 2008, 16:10
What's the output of updatedb
locate saslauthd?

Challenger
19th May 2008, 23:39
Hi again,

updatedb didn't report any output but took a while to complete.

locate saslauthd gives the following:
----------------------------------------
/etc/default/saslauthd
/etc/rc4.d/S20saslauthd
/etc/rc3.d/S20saslauthd
/etc/rc1.d/K20saslauthd
/etc/rc2.d/S20saslauthd
/etc/init.d/saslauthd
/etc/rc5.d/S20saslauthd
/usr/share/man/man8/saslauthd.8.gz
/usr/share/man/man8/testsaslauthd.8.gz
/usr/sbin/saslauthd
/usr/sbin/testsaslauthd
--------------------------------------

Thanks,

Andy

falko
20th May 2008, 23:44
Looks ok. What's in /etc/init.d/saslauthd?

mr_skot
21st May 2008, 03:46
I too am also having the same problems and am a noob when it comes to this.

Thank you for any help.

-Skot

--------------------------------------------------------

System: Redhat Linux Fedora 8

Tutorial: http://www.howtoforge.com/perfect_server_fedora7

Did not install ISPConfig, don't need it.

When I send to my email address on my server I also get the 554 No Relay message.

From my Gmail to my linux box:

Delivery to the following recipient failed permanently:

name@server

Technical details of permanent failure:
PERM_FAILURE: Gmail tried to deliver your message, but it was rejected by the recipient domain. The error that the other server returned was: 554 554 5.7.1 <name@server>: Relay access denied. We recommend contacting the other email provider for further information about the cause of this error. Thanks for your continued support. (state 14)


Details from my mail log:

mtpd[25639]: connect from rv-out-0506.google.com[209.85.198.231]
May 20 19:41:10 mysystemname postfix/smtpd[25639]: NOQUEUE: reject: RCPT from rv-out-0506.google.com[209.85.198.231]: 554 5.7.1 <name@server>: Relay access denied; from=<mygmail@gmail.com> to=<name@server> proto=ESMTP helo=<rv-out-0506.google.com>
May 20 19:41:10 mysystemname postfix/smtpd[25639]: disconnect from rv-out-0506.google.com[209.85.198.231]



Here's all the info I can get (from this thread):

--------------------------------------------------
cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

--------------------------------------------------

"Did you enable "Server requires authentication" in your email client?"

I was only trying to test sending an email TO this account from another, I was not trying to send an email using (through SMTP) this account.

--------------------------------------------------

cat /etc/postfix/sasl/smtpd.conf
cat: /etc/postfix/sasl/smtpd.conf: No such file or directory

--------------------------------------------------

cat /etc/postfix/main.cf (I left out all the commented code)

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
  PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
  xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.4.5/samples
readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sasl_authenticated_header = yes
myhostname = <my.system.name>
home_mailbox = Maildir/
mailbox_command =

--------------------------------------------------

cd /etc/postfix/sasl
-bash: cd: /etc/postfix/sasl: No such file or directory

--------------------------------------------------

cd /etc/default/saslauthd
-bash: cd: /etc/default/saslauthd: No such file or directory

--------------------------------------------------

cat /etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ============================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ============================================================================
smtp inet n - n - - smtpd
#submission inet n - n - - smtpd
# -o smtpd_enforce_tls=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
  -o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}

Challenger
21st May 2008, 09:05
/etc/init.d/saslauthd contains:

------------------------------------------------
#! /bin/sh
### BEGIN INIT INFO
# Provides: saslauthd
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: S 0 1 6
# Short-Description: saslauthd startup script
# Description: This script starts the saslauthd daemon. It is
# configured using the file /etc/default/saslauthd.
### END INIT INFO

# Author: Fabian Fagerholm <fabbe@debian.org>
#
# Based on previous work by Dima Barsky.

# Do NOT "set -e"

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="SASL Authentication Daemon"
NAME=saslauthd
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS=""
SCRIPTNAME=/etc/init.d/$NAME
FALLBACK_RUN_DIR=/var/run/$NAME
EXIT_ERROR_CODE=1

# Exit if the daemon is not installed
test -x "$DAEMON" || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
[ -f /etc/default/rcS ] && . /etc/default/rcS

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

# Determine run directory and pid file location by looking for an -m option.
RUN_DIR=`echo "$OPTIONS" | xargs -n 1 echo | sed -n '/^-m$/{n;p}'`
if [ -z "$RUN_DIR" ]; then
# No run directory defined in defaults file, use fallback
RUN_DIR=$FALLBACK_RUN_DIR
fi
PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"

# If the daemon is not enabled, give the user a warning and then exit,
# unless we are stopping the daemon
if [ "$START" != "yes" -a "$1" != "stop" ]; then
log_warning_msg "To enable $NAME, edit /etc/default/$NAME and set START=yes"
exit 0
fi

# If no mechanisms are defined, log this and exit
if [ -z "$MECHANISMS" ]; then
log_failure_msg "No mechanisms defined in /etc/default/$NAME," \
"not starting $NAME"
exit $EXIT_ERROR_CODE
fi

# If there are mechanism options defined, prepare them for use with the -O flag
if [ -n "$MECH_OPTIONS" ]; then
MECH_OPTIONS="-O $MECH_OPTIONS"
fi

# If there is a threads option defined, prepare it for use with the -n flag
if [ -n "$THREADS" ]; then
THREAD_OPTIONS="-n $THREADS"
fi

# Construct argument string
DAEMON_ARGS="$DAEMON_ARGS -a $MECHANISMS $MECH_OPTIONS $OPTIONS $THREAD_OPTIONS"

#
# Function that creates a directory with the specified
# ownership and permissions
#
createdir()
{
# $1 = user
# $2 = group
# $3 = permissions (octal)
# $4 = path to directory
# In the future, use -P/-Z to have SE Linux enhancement.
install -d --group="$2" --mode="$3" --owner="$1" "$4"
}

#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started

if dpkg-statoverride --list $RUN_DIR > /dev/null; then
dir=`dpkg-statoverride --list $RUN_DIR`
fi
test -z "$dir" || createdir $dir

start-stop-daemon --start --quiet --pidfile $PIDFILE --name $NAME \
--exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --pidfile $PIDFILE --name $NAME \
--exec $DAEMON -- $DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}

#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
--pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 \
--exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE \
--name $NAME
return 0
}

case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
1) [ "$VERBOSE" != no ] && log_progress_msg "(already running)" && \
log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
1) [ "$VERBOSE" != no ] && log_progress_msg "(not running)" && \
log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
exit 3
;;
esac

:
-------------------------------------------------

Could it be a permissions / chroot jail problem?

Thanks,

Andy

falko
21st May 2008, 14:17
I think it could be a chroot problem, but I don't know why...

Challenger
24th May 2008, 08:55
Ok Falko, I'll keep trying and let you know if I make any progress...

Thanks,

Andy

Challenger
26th May 2008, 18:56
Hi Falko,

I think I might have fixed it.

Any saslauthd command was returning the following: 'could not chdir to: /var/run/saslauthd chdir: no such file or directory Check to make sure the directory exists and is writeable by the user this process runs as'

I therefore created the directory, set permissions for the user postfix, and restarted saslauthd and postfix.

This then gave the mail log error: 'SASL LOGIN authentication failed: authentication failure', which suggested that at least saslauthd was running now.

I then ran the command 'saslauthd -a shadow' to specify my login and password source, and it now seems to work.

Does all of this make sense? Have I opened any security loopholes here?

Thanks for all your help to get me this far.

Andy

falko
27th May 2008, 17:37
You should then specify
MECHANISMS="shadow"
in /etc/default/saslauthd.
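
Added example, not part of any post in this thread: a shell check for the failure discussed above, where smtpd logs "cannot connect to saslauthd server: No such file or directory" because the directory saslauthd serves (-m in /etc/default/saslauthd) and the directory a possibly chrooted smtpd looks in do not line up. The function names, the optional root prefix, the constructed sample files and the client-side default /var/run/saslauthd are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare where saslauthd puts its socket with where smtpd looks.

# Value of the last uncommented KEY=... line in a shell-style defaults file.
defaults_value() {   # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Directory passed to saslauthd with -m (it creates the "mux" socket there).
saslauthd_run_dir() {   # $1 = defaults file
    set -- $(defaults_value "$1" OPTIONS)
    while [ $# -gt 0 ]; do
        if [ "$1" = "-m" ] && [ $# -ge 2 ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Is the public smtpd chrooted? Column 5 of master.cf: "y" or "-" counts as yes
# here because the header quoted in the thread gives "(yes)" as the default;
# Postfix 3.0 and later default to "no".
smtpd_chrooted() {   # $1 = master.cf
    awk '$1 == "smtp" && $2 == "inet" { c = $5 }
         END { exit (c == "y" || c == "-") ? 0 : 1 }' "$1"
}

# Real-filesystem directory in which smtpd's SASL library looks for "mux".
smtpd_socket_dir() {   # $1 = master.cf, $2 = queue_directory
    client_dir=/var/run/saslauthd   # assumption: the distribution's built-in default
    if smtpd_chrooted "$1"; then
        printf '%s%s\n' "$2" "$client_dir"
    else
        printf '%s\n' "$client_dir"
    fi
}

# One-word verdict. $4 is an optional root prefix (mounted image or test tree).
diagnose_saslauthd() {   # $1 = defaults, $2 = master.cf, $3 = queue_directory
    [ "$(defaults_value "$1" START)" = "yes" ] || { echo disabled; return 0; }
    # Without -m the init script falls back to /var/run/saslauthd.
    served=$(saslauthd_run_dir "$1") || served=/var/run/saslauthd
    wanted=$(smtpd_socket_dir "$2" "$3")
    [ "$served" = "$wanted" ] || { echo "mismatch:$wanted"; return 0; }
    [ -d "$4$served" ] || { echo missing-dir; return 0; }
    case $(ls -ld "$4$served") in
        d???????w*) echo world-writable; return 0 ;;   # any local user could replace the socket
    esac
    [ -S "$4$served/mux" ] || { echo no-socket; return 0; }   # daemon not running
    echo ok
}

# Constructed sample files modelled on the settings quoted in the thread.
make_sample() {   # $1 = directory to populate
    mkdir -p "$1/etc"
    cat > "$1/etc/saslauthd" <<'EOF'
# START=no
START=yes
MECHANISMS="shadow"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
EOF
    printf '%s\n' 'smtp inet n - - - - smtpd' 'smtp unix - - - - - smtp' \
        > "$1/etc/master-chroot.cf"
    printf '%s\n' 'smtp inet n - n - - smtpd' > "$1/etc/master-nochroot.cf"
}

demo_saslauthd() {
    t=$(mktemp -d) || return 1
    make_sample "$t"
    q=/var/spool/postfix
    echo "smtpd not chrooted: $(diagnose_saslauthd "$t/etc/saslauthd" "$t/etc/master-nochroot.cf" "$q" "$t")"
    echo "smtpd chrooted:     $(diagnose_saslauthd "$t/etc/saslauthd" "$t/etc/master-chroot.cf" "$q" "$t")"
    mkdir -p "$t$q/var/run/saslauthd" && chmod 710 "$t$q/var/run/saslauthd"
    echo "directory created:  $(diagnose_saslauthd "$t/etc/saslauthd" "$t/etc/master-chroot.cf" "$q" "$t")"
    rm -rf "$t"
}
demo_saslauthd
```

On a live system, call `diagnose_saslauthd /etc/default/saslauthd /etc/postfix/master.cf /var/spool/postfix` as root, leaving the fourth argument empty.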

Challenger
28th May 2008, 00:40
Thanks Falko,

I have another problem (not related to this) in that I think I am now getting lots of attempts to use my mail server as a relay. I have it locked down OK (tested using abuse.net) so the emails are NOT being relayed, but still the attempts seem to be draining resources. A sample from the log file shows:

----------------------------------------------------------------------------
May 27 23:18:28 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <NewYorkBusinessDevelopmentCorporation@pop-smtp1-f.bt.mail.vip.ird.yahoo.com>: Sender address rejected: Malformed DNS server reply; from=<NewYorkBusinessDevelopmentCorporation@pop-smtp1-f.bt.mail.vip.ird.yahoo.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:28 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <apkosten1955@aaretesaar.com>: Sender address rejected: Domain not found; from=<apkosten1955@aaretesaar.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:29 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <PfizerWebsiteProducts.Office0380@vipintcort.com>: Sender address rejected: Domain not found; from=<PfizerWebsiteProducts.Office0380@vipintcort.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:29 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <barberdi@math.univ-fcomte.fr>: Sender address rejected: Domain not found; from=<barberdi@math.univ-fcomte.fr> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:29 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <dratzlkq@mixmachine.demon.co.uk>: Sender address rejected: Domain not found; from=<dratzlkq@mixmachine.demon.co.uk> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:29 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <bigsfan@gmbuilding.com>: Sender address rejected: Domain not found; from=<bigsfan@gmbuilding.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:30 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <dglowski@ix.netcom.comm.com>: Sender address rejected: Domain not found; from=<dglowski@ix.netcom.comm.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:32 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <l.suarez_uf@isbc.on.ca>: Sender address rejected: Domain not found; from=<l.suarez_uf@isbc.on.ca> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:35 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <lgvesr@knoll21.fsnet.co.uk>: Sender address rejected: Domain not found; from=<lgvesr@knoll21.fsnet.co.uk> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:39 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <allenszto@huqtpssuuwhl.in>: Sender address rejected: Domain not found; from=<allenszto@huqtpssuuwhl.in> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:42 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <qgxszcvgn@hoptmail.co.uk>: Sender address rejected: Domain not found; from=<qgxszcvgn@hoptmail.co.uk> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:46 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <victor7276swane@hmsi-india.com>: Sender address rejected: Domain not found; from=<victor7276swane@hmsi-india.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:49 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <majordomo@smattorney.com>: Sender address rejected: Domain not found; from=<majordomo@smattorney.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:52 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <newsweb@threeswans.demon.co.uk>: Sender address rejected: Domain not found; from=<newsweb@threeswans.demon.co.uk> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:55 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <opjmbnax@sctimber.com.au>: Sender address rejected: Domain not found; from=<opjmbnax@sctimber.com.au> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
------------------------------------------------------------------------

Is this normal and simply a hazard of running a mail server, or is my server doing something it shouldn't be doing?

Thanks,

Andy

falko
28th May 2008, 22:05
That's normal. But this link might be interesting for you: http://www.howtoforge.com/block_spam_at_mta_level_postfix

Challenger
29th May 2008, 21:00
Thanks Falko

Challenger
3rd June 2008, 21:58
Hi again,

I thought all was fine, but not quite! I had to reboot the server, and on running up, the directory /var/run/saslauthd is not there! I had to manually recreate it for SASL to work.

Why is this happening?

Thanks for your help.

Andy

falko
4th June 2008, 19:55
Not sure why this is happening, but you could add the command to create that directory to /etc/rc.local.

Challenger
4th June 2008, 21:31
OK, good idea - whilst I try to figure out why.

Thanks,

Andy

bloodfilledwater
3rd January 2009, 20:30
I have the same issue. Can't send to external recipients via mail client. I did enable smtp authentication in the mail client, which has no effect. But if I have smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated defer then I can send out fine, but then I can't get mail. Mail bounces saying For <user@domain.com>, Site (domain/xxx.xxx.xxx.xxx) said: 450 4.3.2 <user@domain.com>: Recipient address rejected: Try again later. I can't remove "defer" from smtpd_recipient_restrictions or postfix will fail to start. Any ideas?
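
Added example, not part of any post in this thread: a first-match model of smtpd_recipient_restrictions, limited to the restrictions quoted on this page, showing which client and recipient combinations end in "Relay access denied" (554) or "Try again later" (450). The function names, the three client classes and the sample domains are assumptions; the reply codes are the Postfix defaults.

```shell
#!/bin/sh
# Added example: how Postfix walks a recipient restriction list. The first
# restriction that gives a verdict wins; if none does, the recipient is accepted.

# Is domain $1 among the space-separated domains in $2? $2 stands for everything
# the server accepts mail for (mydestination, relay_domains, virtual domains).
accepts_domain() {
    for d in $2; do
        if [ "$d" = "$1" ]; then return 0; fi
    done
    return 1
}

# evaluate_rcpt LIST CLIENT AUTH RCPT_DOMAIN ACCEPTED_DOMAINS
#   LIST    restriction list as written in main.cf (commas and/or spaces)
#   CLIENT  "mynetworks", "self" (an address in inet_interfaces) or "remote"
#   AUTH    "yes" if the client completed SASL authentication, else "no"
evaluate_rcpt() {
    for r in $(printf '%s' "$1" | tr ',' ' '); do
        case $r in
            permit_sasl_authenticated)
                if [ "$3" = yes ]; then echo "permit $r"; return 0; fi ;;
            permit_mynetworks)
                if [ "$2" = mynetworks ]; then echo "permit $r"; return 0; fi ;;
            permit_inet_interfaces)
                if [ "$2" = self ]; then echo "permit $r"; return 0; fi ;;
            reject_unauth_destination)
                # Rejects mail the server is neither final destination nor relay for.
                if ! accepts_domain "$4" "$5"; then echo "reject 554 $r"; return 0; fi ;;
            reject) echo "reject 554 $r"; return 0 ;;
            defer)  echo "defer 450 $r"; return 0 ;;
            permit) echo "permit $r"; return 0 ;;
            *)      echo "unsupported $r"; return 2 ;;
        esac
    done
    echo "permit end-of-list"
}

# Postfix refuses to start unless the list holds one restriction that can stop
# relaying; this is why "defer" could not simply be deleted from the list.
has_relay_guard() {
    for r in $(printf '%s' "$1" | tr ',' ' '); do
        case $r in
            reject_unauth_destination|reject|defer|defer_if_permit|check_relay_domains)
                return 0 ;;
        esac
    done
    return 1
}

demo_restrictions() {
    tutorial="permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination"
    deferring="permit_mynetworks permit_inet_interfaces permit_sasl_authenticated defer"
    mine="mydomain.example"     # constructed: the only domain this server accepts
    echo "webmail on the server  -> other domain: $(evaluate_rcpt "$tutorial" mynetworks no other.example "$mine")"
    echo "remote client, no AUTH -> other domain: $(evaluate_rcpt "$tutorial" remote no other.example "$mine")"
    echo "remote client, AUTH ok -> other domain: $(evaluate_rcpt "$tutorial" remote yes other.example "$mine")"
    echo "remote MTA -> accepted domain:          $(evaluate_rcpt "$tutorial" remote no "$mine" "$mine")"
    echo "remote MTA -> domain not configured:    $(evaluate_rcpt "$tutorial" remote no unlisted.example "$mine")"
    echo "remote MTA -> accepted domain, 'defer': $(evaluate_rcpt "$deferring" remote no "$mine" "$mine")"
}
demo_restrictions
```

With reject_unauth_destination as the closing restriction, inbound mail for a configured domain falls through to the end of the list and is accepted; a closing "defer" instead returns 450 to every client that no earlier permit matched.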

falko
4th January 2009, 12:44
What's in your mail log when you try to send a mail? What's in your main.cf? How did you set up your email account?

casler
9th January 2009, 20:15
I am having a very perplexing issue and it is a 554 5.7.1 <xxxxxx@yahoo.com>: Relay access denied error.

I have been using the ISPconfig software for well over a year flawlessly …….. my business requirements changed and with that came the following……

Cisco 871 router
PIX 506e firewall
Windows Small Business Server 2003

I was using a Linksys BEF VPN router and everything ran fine (users authenticated against the linux box everything was super) ….. email worked from both inside and outside the network….. I added and configured the Cisco appliances and the SBS but I want to use ISPconfig for email until I receive more static IPs from my ISP to configure exchange and webmail (and everything else with SBS2003)…. Trouble began when the SBS2003 wanted to take over DNS which I thought at the time was fine but now from outside the network I can’t send email to anyone outside of our domain (I get 554 5.7.1 error)….. I just pass requests from FE4 (PPOE connection) through to the firewall, utilize NAT on the firewall and just translate the same ports from the old Linksys box…. I did notice the /etc/resolve.conf had the old private router IP so I added my SBS there (still no avail)……not even sure where to start……

falko
10th January 2009, 13:07
Did you enable "Server requires authentication" in your email client?
What's in /etc/resolv.conf now?

lexthoonen
13th April 2009, 03:56
Hi,

I've got the same problem. Via none of the domains hosted on this particular server (ubuntu - ispconfig) can mail be sent.

Authentication is set to on, using the same login details as pop. And on pop, all mail comes in.

I've attached a file with a lot of the info that has been asked by Falko in this thread to other people with similar problems.

p.s. I've got another problem too, being the Bind server showing as offline (although everything seems to work okayish), I don't know if that can have anything to do with it... I thought it'd be better if I make that another topic but I'll first see what people who know think of it.

Thanks, lex


Log of my e-mail client:

connected to SMTP server
authenticating (plain)...
Server reports error. The response is: Error: authentication failed
authenticating (login)...
Server reports error. The response is: Error: authentication failed
WARNING: there were no compatible authentication mechanisms detected
sending message to lex@xxxx.nl
The last address submitted was <lex@xxxx.nl>: Relay access denied

(pop works fine)

casler
13th April 2009, 15:32
Lex,

I found I was having more of a hardware issue and it was resolved on my PIX box….. Cisco inherently forces the “fix up” in the running config….. The firewall was looking for RPC compliancy in the actual email trying to be relayed….. because the headers in the email didn’t comply….. PIX replaces log in information with XXXXXX….. The mail server (which is my ISPconfig box) freaks out because there is no user XXXXXX….. and denies the relay….. I used the “no fixup smtp 25” command in the Cisco CLI (on the firewall) and the problem was immediately resolved…..

beeman
7th September 2009, 18:30
Hi I am running perfect setup Ubuntu 8.10 Postfix,ISP Config 2.2.29 and webmin 1.441 and have recently started receiving
"Warning: service httpd not running .." as well as" XXXX@XXXXX.co.uk' on 07/09/2009 11:30
554 5.7.1 <xxxxx@xxxxxx.co.uk>: Relay access denied"
Yes I have checked that 'My outgoing server is authenticated'
No I cannot restart Apache with sudo /etc/init.d/apache2 restart - it returns "install: invalid user `www-data'
apache2: bad user name www-data"

We run a small postfix setup and have been receiving a lot of spam lately so I tinkered with the main.cf - but even with the original one back I cannot restart the Apache server or stop the "relay access denied".

I assume the two 'problems' are related
Sorry if I am a bit woolly but I am not a computer pro!
Thanks

falko
8th September 2009, 14:01
Can you check if the user www-data is listed in /etc/passwd?

beeman
8th September 2009, 15:16
No not in /etc/passwd
Yes in /etc/passwd-
in /etc/passwd- it reads:- www-data:x:33:33:www-data:/var/www:/bin/sh

falko
9th September 2009, 15:33
I guess there's something wrong with /etc/passwd then. Make a backup of it and copy /etc/passwd- to /etc/passwd and try again. Do you still see any errors then?

beeman
9th September 2009, 16:58
It won't recognise a renaming of passwd-
"uid 1000 does not exist in the passwd file!"

passwd- has a lot fewer users in it. It does however have
www-data:x:33:33:www-data:/var/www:/bin/sh
and a line
nobody:x:655535:65534:nobody:/nonexistent:/bin/sh

the passwd file has on the other hand no www-data but does have
nobody:x:1002:100:nobody:/home/nobody:

What if I was to type in the missing lines www-data:x: ....etc into the passwd file?

falko
10th September 2009, 18:11
It won't recognise a renaming of passwd-
"uid 1000 does not exist in the passwd file!"

Did you try this as root?

What if I was to type in the missing lines www-data:x: ....etc into the passwd file?

You can do that as well.

tiscarabee
12th September 2009, 02:00
Hi Falko,

There is a long time :) Always using in prod the superb tuto for mail & mysql :
http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch_p6

I'm "cooking" the migration from my actual production server (HELIOS) on a new server (SERAPHINE), under debian lenny. For tests, I'm using for the first time the transport table, for one of my domains (MYDOMAIN). But access is denied, said postfix's logs :

Sep 12 01:34:53 helios postfix/smtpd[27479]: NOQUEUE: reject: RCPT from mail-ew0-f221.google.com[209.85.219.221]: 554 5.7.1 <david@MYDOMAIN>: Relay access denied; from=<myAdress@gmail.com> to=<david@MYDOMAIN> proto=ESMTP helo=<mail-ew0-f221.google.com>

In the table, I've written this :
domain : MYDOMAIN
transport : smtp:[IP_LAN_LIKE_192.168...]
I've tried with transport : smtp:[IP_LAN_LIKE_192.168...]:25, same result.

But it works when I use an email account using HELIOS smtp.

An idea ?

Thanks in advance !

David

alexnbk
17th April 2010, 05:08
Hi, I'm having a similar problem, CentOS 5.4 with postfix. I can receive e-mail through the relay, I can send e-mail using telnet localhost 25, but when it comes to the e-mail coming from an exchange server to the world it says Relay Access Denied.

Well, it used to work fine till we had to reinstall the system. The owner did not have a backup of things, and I'm not a mail programmer, but they want me to fix it.

Here's my main.cf and my master.cf

Main.cf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination =
mydomain = xxxx.org.br
myhostname = xxx.xxx.org.br
mynetworks = 127.0.0.0/8, 201.xxx.xxx.xxx/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = debug_peer_list, smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = <domain1>, <domain2>, <domain3>
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, reject_unauth_destination
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550


Master.cf

#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#submission inet n - n - - smtpd
# -o smtpd_enforce_tls=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_mynetworks
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_helo_restrictions=
-o smtpd_sender_rstrictions=
# -o smtpd_recipient_restrictions=permit_mynetworks, reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o local_header_rewrite_clients=
-o smtpd_milters=
-o local_recipient_maps=
-o relay_recipient_maps=

#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
#local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient


None of the previous solutions worked for me. Thanks for any help I can get.

alexnbk
17th April 2010, 05:39
there was a configuration error between master and main.cf on the mynetworks
fixed it, now runs fine.
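alexnbk does not say what was changed, but the posted master.cf shows one mismatch of this kind: uncommented `-o` lines (including `-o mynetworks=127.0.0.0/8`) sit under a commented-out `#submission` header, and per master(5) continuation lines attach to the previous active entry, here `smtp inet`. The following is an added example, not code from any poster or from Postfix; the excerpt is constructed from that post, the continuation lines are assumed to be indented in the real file, `203.0.113.0/24`, `example.org` and `example.net` are placeholders, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt modelled on the master.cf posted above (not a verbatim copy).
# Assumption: the "-o" lines are continuation lines, i.e. indented in the real file.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
  -o content_filter=
  -o smtpd_delay_reject=no
  -o mynetworks=127.0.0.0/8
pickup    fifo  n       -       n       60      1       pickup
"""

COMMENTED_SERVICE = re.compile(r"^#\s*(\S+)\s+(inet|unix|fifo|pass)\s")
OVERRIDE = re.compile(r"-o\s+([A-Za-z0-9_]+)=(\S*)")


def parse_master_cf(text):
    """Apply the master(5) line rules: '#' lines are skipped, and an indented
    line continues the previous *active* entry, even when a commented-out
    service header sits in between. Such overrides are recorded as 'stray'."""
    services, shadow = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw.lstrip().startswith("#"):
            m = COMMENTED_SERVICE.match(raw)
            if m:
                shadow = m.group(1)          # remember the disabled service
            continue
        if raw[0] in " \t":                  # continuation of last active entry
            if not services:
                continue
            for name, value in OVERRIDE.findall(raw):
                services[-1]["overrides"][name] = value
                if shadow:
                    services[-1]["stray"].append((lineno, name, shadow))
        else:                                # a new active service entry
            fields = raw.split()
            services.append({"name": fields[0], "type": fields[1],
                             "overrides": {}, "stray": []})
            shadow = None
    return services


def parse_networks(value):
    """Parse a mynetworks value: comma/space separated CIDRs, IPv6 as [addr]/len."""
    items = [i for i in re.split(r"[,\s]+", value.strip()) if i]
    return [ipaddress.ip_network(i.replace("[", "").replace("]", ""), strict=False)
            for i in items]


def check_recipient(client_ip, authenticated, rcpt_domain,
                    restrictions, mynetworks, served_domains):
    """Walk smtpd_recipient_restrictions in order; the first decisive rule wins.
    served_domains stands in for mydestination/relay_domains/virtual domains."""
    ip = ipaddress.ip_address(client_ip)
    for rule in restrictions:
        if rule == "permit_sasl_authenticated" and authenticated:
            return "permit"
        if rule == "permit_mynetworks" and any(ip in net for net in mynetworks):
            return "permit"
        if rule == "reject_unauth_destination" and rcpt_domain.lower() not in served_domains:
            return "554 Relay access denied"
    return "permit"


def demo():
    """Same LAN client, same main.cf; only the master.cf override differs."""
    smtp = next(s for s in parse_master_cf(SAMPLE_MASTER_CF)
                if (s["name"], s["type"]) == ("smtp", "inet"))
    main_cf = "127.0.0.0/8, 203.0.113.0/24"      # constructed main.cf mynetworks
    rules = ["permit_mynetworks", "reject_unauth_destination"]
    cases = {"main.cf only": main_cf,
             "with master.cf override": smtp["overrides"].get("mynetworks", main_cf)}
    results = {label: check_recipient("203.0.113.25", False, "example.net",
                                      rules, parse_networks(value), {"example.org"})
               for label, value in cases.items()}
    return smtp["stray"], results


if __name__ == "__main__":
    stray, results = demo()
    for lineno, name, intended in stray:
        print(f"line {lineno}: -o {name} applies to smtp/inet, "
              f"written under disabled '{intended}'")
    print(results)
```

On a live system, `postconf -n` shows only main.cf values, so a per-service override like this has to be looked for in master.cf itself.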

miththu
19th April 2010, 18:18
So Postfix finally works fine when I use it inside my LAN, but when I go out of my office and connect with my notebook over a dial-up internet connection, I can't send email to addresses outside my domain, because I receive the error 554 relay access denied

j.smith1981
21st July 2010, 14:02
I'm having much the same problem.

This is the error I am getting:

Jul 20 21:33:40 centos postfix/smtpd[13790]: NOQUEUE: reject: RCPT from unknown[192.168.0.3]: 554 <mygoogleemail@googlemail.com>: Relay access denied; from=<myuser@myserverdomain.com> to=<myuser@googlemail.com> proto=ESMTP helo=<hsjsmith01>

But when I try and send using my working computer (the one I work off to create solutions to things etc) it comes up with the above message, but when I tried going to send a test email to my gmail.com address from work, it works fine.

Can someone shed some light on as to why this should work and the one from my LAN doesn't?

It's kinda weird lol, any help's wonderfully appreciated though as usual!

Jeremy.

falko
22nd July 2010, 14:45
Please make sure that "Server requires authentication" is enabled in your email client.

j.smith1981
22nd July 2010, 15:24
Please make sure that "Server requires authentication" is enabled in your email client.

How come this didn't happen before?

Like previously I used to send out emails without having to do this, just curious really though not complaining (have always generally done that anyways so doesn't really bother me).

Anyways take care and thanks,
Jez

falko
23rd July 2010, 13:40
How come this didn't happen before?

If the client PC is listed in mynetworks in /etc/postfix/main.cf, then the client PC doesn't have to authenticate.

j.smith1981
23rd July 2010, 15:32
If the client PC is listed in mynetworks in /etc/postfix/main.cf, then the client PC doesn't have to authenticate.

Ahh ok, but (not that I have been making notes if I have or not being doing this lol), but did this start just happening or would it always have done?

Just out of interest.

Very informative though thanks falko, you're a pure genius!

billykk
26th December 2010, 06:17
Dear All

I am a newbie to postfix.
Now I have a mail server using Virtual Users And Domains With Postfix, Courier And MySQL (+ SMTP-AUTH, Quota, SpamAssassin, ClamAV) on Ubuntu 10.0.4.

At first everything was working fine when I was using only a single domain (e.g. primary.com),
but after that I started hosting a virtual domain (e.g. myvirtual.com). myvirtual.com can receive email but can't send to the outside world (and I got an error message like the one below):
Dec 26 11:34:35 mail postfix/smtpd[1741]: NOQUEUE: reject: RCPT from unknown[203.144.95.155]: 554 5.7.1 <billy@gmail.com>: Relay access denied; from=<XXX@myvirtual.com> to=<billy@gmail.com> proto=ESMTP helo=<BlueSky007>

Can anyone please help me to resolve this problem?

I am looking forwards to hearing from you soon.
Thank you beforehand
:confused:

falko
27th December 2010, 21:10
Did you enable "Server requires authentication" in your email client?

kmullen
8th January 2011, 02:26
This server has been running for over 6 months with no issues. About 5 days ago my customers were no longer able to send emails.

Yes, they all have "My outbound server requires authentication", and have had since the beginning.

There have been no updates installed for about 2 months.

Used tutorial at http://www.howtoforge.com/perfect-server-ubuntu-10.10-maverick-meerkat-ispconfig-3

The Outlook Clients pass the "Send/Receive" test built into the client, but continue to receive Relay access denied.

Ubuntu Server 10.10
ISPConfig 3

falko
8th January 2011, 14:33
Are there any errors in your mail log (in the /var/log/ directory)?

kmullen
8th January 2011, 15:15
This is the mail.err log:

Jan 7 16:47:34 ISPCONFIG authdaemond: failed to connect to mysql server (server=localhost, userid=ispconfig): Can't connect to local MySQL server through s$
Jan 7 16:47:34 ISPCONFIG pop3d: authentication error: Input/output error
Jan 7 16:47:38 ISPCONFIG authdaemond: failed to connect to mysql server (server=localhost, userid=ispconfig): Can't connect to local MySQL server through s$
Jan 7 16:47:38 ISPCONFIG pop3d: authentication error: Input/output error
Jan 7 16:48:04 ISPCONFIG authdaemond: failed to connect to mysql server (server=localhost, userid=ispconfig): Can't connect to local MySQL server through s$
Jan 7 16:48:04 ISPCONFIG pop3d: authentication error: Input/output error
Jan 7 16:49:27 ISPCONFIG authdaemond: failed to connect to mysql server (server=localhost, userid=ispconfig): Can't connect to local MySQL server through s$
Jan 7 16:49:27 ISPCONFIG pop3d: authentication error: Input/output error
Jan 7 16:50:02 ISPCONFIG amavis[1031]: (01031-01) (!!)TROUBLE in process_request: connect_to_sql: unable to connect to any dataset at (eval 115) line 241, $
Jan 7 16:50:02 ISPCONFIG postfix/smtp[2377]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
Jan 7 16:50:03 ISPCONFIG postfix/error[2380]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
Jan 7 16:50:04 ISPCONFIG postfix/qmgr[1723]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
Jan 7 17:01:44 ISPCONFIG postfix/smtp[2884]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
Jan 7 17:01:45 ISPCONFIG postfix/error[2923]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
Jan 7 17:01:46 ISPCONFIG postfix/qmgr[2444]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
Jan 7 17:03:25 ISPCONFIG authdaemond: failed to connect to mysql server (server=localhost, userid=ispconfig): Can't connect to local MySQL server through s$
Jan 7 17:03:25 ISPCONFIG pop3d: authentication error: Input/output error
Jan 7 17:03:50 ISPCONFIG authdaemond: failed to connect to mysql server (server=localhost, userid=ispconfig): Can't connect to local MySQL server through s$
Jan 7 17:03:50 ISPCONFIG pop3d: authentication error: Input/output error
Jan 7 17:03:52 ISPCONFIG authdaemond: failed to connect to mysql server (server=localhost, userid=ispconfig): Can't connect to local MySQL server through s$
Jan 7 17:03:52 ISPCONFIG pop3d: authentication error: Input/output error
Jan 7 17:03:53 ISPCONFIG authdaemond: failed to connect to mysql server (server=localhost, userid=ispconfig): Can't connect to local MySQL server through s$
Jan 7 17:03:53 ISPCONFIG pop3d: authentication error: Input/output error
Jan 7 17:03:56 ISPCONFIG authdaemond: failed to connect to mysql server (server=localhost, userid=ispconfig): Can't connect to local MySQL server through s$
Jan 7 17:03:56 ISPCONFIG pop3d: authentication error: Input/output error
Jan 7 17:08:19 ISPCONFIG authdaemond: failed to connect to mysql server (server=localhost, userid=ispconfig): Can't connect to local MySQL server through s$
Jan 7 17:08:19 ISPCONFIG pop3d: authentication error: Input/output error
Jan 7 17:37:55 ISPCONFIG postfix/trivial-rewrite[2867]: fatal: proxy:mysql:/etc/postfix/mysql-virtual_domains.cf(0,lock|fold_fix): table lookup problem
Jan 7 17:37:57 ISPCONFIG postfix/trivial-rewrite[3538]: fatal: proxy:mysql:/etc/postfix/mysql-virtual_domains.cf(0,lock|fold_fix): table lookup problem

falko
9th January 2011, 19:51
What's the output of netstat -tap?

kmullen
9th January 2011, 20:06
root@ISPCONFIG:/# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.localdo:10024 *:* LISTEN 962/amavisd (master
tcp 0 0 localhost.localdo:10025 *:* LISTEN 12356/master
tcp 0 0 *:mysql *:* LISTEN 3544/mysqld
tcp 0 0 *:submission *:* LISTEN 12356/master
tcp 0 0 localhost.localdo:spamd *:* LISTEN 974/spamd.pid
tcp 0 0 *:http-alt *:* LISTEN 1744/apache2
tcp 0 0 *:www *:* LISTEN 1744/apache2
tcp 0 0 *:ssmtp *:* LISTEN 12356/master
tcp 0 0 *:tproxy *:* LISTEN 1744/apache2
tcp 0 0 *:2323 *:* LISTEN 9173/sshd

kmullen
9th January 2011, 20:28
root@ISPCONFIG:/# netstat -top
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer
^C
root@ISPCONFIG:/# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.localdo:10024 *:* LISTEN 962/amavisd (master
tcp 0 0 localhost.localdo:10025 *:* LISTEN 12356/master
tcp 0 0 *:mysql *:* LISTEN 3544/mysqld
tcp 0 0 *:submission *:* LISTEN 12356/master
tcp 0 0 localhost.localdo:spamd *:* LISTEN 974/spamd.pid
tcp 0 0 *:http-alt *:* LISTEN 1744/apache2
tcp 0 0 *:www *:* LISTEN 1744/apache2
tcp 0 0 *:ssmtp *:* LISTEN 12356/master
tcp 0 0 *:tproxy *:* LISTEN 1744/apache2
tcp 0 0 *:2323 *:* LISTEN 9173/sshd
tcp 0 0 192.168.15.130:domain *:* LISTEN 822/named
tcp 0 0 ISPCONFIG.practi:domain *:* LISTEN 822/named
tcp 0 0 localhost.locald:domain *:* LISTEN 822/named
tcp 0 0 *:smtp *:* LISTEN 12356/master
tcp 0 0 localhost.localdoma:953 *:* LISTEN 822/named
tcp 0 0 *:https *:* LISTEN 1744/apache2
tcp 0 0 localhost.localdo:53859 localhost.localdo:mysql TIME_WAIT -
tcp 0 0 localhost.localdo:mysql localhost.localdo:53870 ESTABLISHED 3544/mysqld
tcp 0 0 localhost.localdo:53866 localhost.localdo:mysql ESTABLISHED 11936/error
tcp 0 0 localhost.localdo:53862 localhost.localdo:mysql ESTABLISHED 11927/smtp
tcp 0 0 localhost.localdo:53868 localhost.localdo:mysql ESTABLISHED 11941/error
tcp 0 0 localhost.localdo:mysql localhost.localdo:36076 ESTABLISHED 3544/mysqld
tcp 0 0 localhost.localdo:53858 localhost.localdo:mysql TIME_WAIT -
tcp 0 0 localhost.localdo:mysql localhost.localdo:53867 ESTABLISHED 3544/mysqld
tcp 0 52 ISPCONFIG.practica:2323 206.109.239.51:2927 ESTABLISHED 11865/sshd: adminis
tcp 0 0 localhost.localdo:53867 localhost.localdo:mysql ESTABLISHED 11939/error
tcp 0 0 localhost.localdo:53870 localhost.localdo:mysql ESTABLISHED 11937/error
tcp 0 0 localhost.localdo:53865 localhost.localdo:mysql ESTABLISHED 11928/smtp
tcp 0 0 localhost.localdo:40483 localhost.localdo:mysql ESTABLISHED 29964/amavisd (ch10
tcp 0 0 localhost.localdo:mysql localhost.localdo:40483 ESTABLISHED 3544/mysqld
tcp 0 0 localhost.localdo:mysql localhost.localdo:53865 ESTABLISHED 3544/mysqld
tcp 0 0 localhost.localdo:mysql localhost.localdo:53869 ESTABLISHED 3544/mysqld
tcp 0 0 localhost.localdo:mysql localhost.localdo:53868 ESTABLISHED 3544/mysqld
tcp 0 0 localhost.localdo:53863 localhost.localdo:mysql ESTABLISHED 11926/smtp
tcp 0 0 localhost.localdo:36076 localhost.localdo:mysql ESTABLISHED 6209/amavisd (ch4-a
tcp 0 0 localhost.localdo:53869 localhost.localdo:mysql ESTABLISHED 11929/smtp
tcp 0 0 localhost.localdo:mysql localhost.localdo:53863 ESTABLISHED 3544/mysqld
tcp 0 0 localhost.localdo:mysql localhost.localdo:53862 ESTABLISHED 3544/mysqld
tcp 0 0 localhost.localdo:mysql localhost.localdo:53864 ESTABLISHED 3544/mysqld
tcp6 0 0 [::]:imaps [::]:* LISTEN 1521/couriertcpd
tcp6 0 0 [::]:pop3s [::]:* LISTEN 1555/couriertcpd
tcp6 0 0 [::]:pop3 [::]:* LISTEN 1535/couriertcpd
tcp6 0 0 [::]:imap2 [::]:* LISTEN 1501/couriertcpd
tcp6 0 0 [::]:2323 [::]:* LISTEN 9173/sshd
tcp6 0 0 [::]:domain [::]:* LISTEN 822/named
tcp6 0 0 localhost:953 [::]:* LISTEN 822/named
getnameinfo failed
tcp6 0 0 ISPCONFIG.practic:imap2 [UNKNOWN]:5102 ESTABLISHED 10854/couriertls
getnameinfo failed
tcp6 0 0 ISPCONFIG.practic:imap2 [UNKNOWN]:58873 ESTABLISHED 12146/imapd
getnameinfo failed
tcp6 0 0 ISPCONFIG.practic:imap2 [UNKNOWN]:61655 ESTABLISHED 9639/couriertls
getnameinfo failed
tcp6 0 0 ISPCONFIG.practic:imap2 [UNKNOWN]:57854 ESTABLISHED 2669/imapd
getnameinfo failed
tcp6 0 0 ISPCONFIG.practica:pop3 [UNKNOWN]:64999 TIME_WAIT -

kmullen
10th January 2011, 02:41
This might be the problem.

Jan 9 19:10:03 ISPCONFIG postfix/smtp[12717]: 9D04220682: to=, relay=none, delay=0.12, delays=0.07/0.02/0.04/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=ISPCONFIG.familymullen.org type=A: Host not found)

"familymullen.org" was the name assigned to the server when I installed ISPCONFIG at home.

I have checked the following files and the hostname is correct.
/etc/hostname, /etc/hosts

The domain, familymullen.org is not hosted on this server.

falko
10th January 2011, 13:34
Can you check if all your mysql*.cf files in the /etc/postfix/ directory use the line
hosts = 127.0.0.1
instead of
hosts = localhost?

kmullen
10th January 2011, 14:16
All of the mysql*.cf files use the line:

Hosts = 127.0.0.1

Files checked:


root@ISPCONFIG:/# find -name mysql*.cf
./etc/postfix/mysql-virtual_mailboxes.cf
./etc/postfix/mysql-virtual_email2email.cf
./etc/postfix/mysql-virtual_domains.cf
./etc/postfix/mysql-virtual_relayrecipientmaps.cf
./etc/postfix/mysql-virtual_recipient.cf
./etc/postfix/mysql-virtual_relaydomains.cf
./etc/postfix/mysql-virtual_client.cf
./etc/postfix/mysql-virtual_transports.cf
./etc/postfix/mysql-virtual_forwardings.cf
./etc/postfix/mysql-virtual_sender.cf

falko
11th January 2011, 14:13
That's ok. Do you still have MySQL errors in your mail log?

Jan 9 19:10:03 ISPCONFIG postfix/smtp[12717]: 9D04220682: to=, relay=none, delay=0.12, delays=0.07/0.02/0.04/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=ISPCONFIG.familymullen.org type=A: Host not found)

Please create an A record for ISPCONFIG.familymullen.org.

kmullen
11th January 2011, 14:46
I will do that but that domain is hosted on a different server at another location.

kmullen
11th January 2011, 14:54
Still seeing this.

Jan 10 19:38:23 ISPCONFIG postfix/smtpd[22472]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Jan 10 19:38:23 ISPCONFIG postfix/smtpd[22472]: warning: wsip-70-167-114-111.sd.sd.cox.net[70.167.114.111]: SASL LOGIN authentication failed: generic failure
Jan 10 19:38:33 ISPCONFIG postfix/smtpd[22460]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Jan 10 19:38:33 ISPCONFIG postfix/smtpd[22460]: warning: wsip-70-167-114-111.sd.sd.cox.net[70.167.114.111]: SASL LOGIN authentication failed: generic failure

Not seeing SQL error in mail.err log

falko
12th January 2011, 13:58
Please start saslauthd:
/etc/init.d/saslauthd start
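In kmullen's case the clients were configured to authenticate, yet the server still answered "Relay access denied", because the authentication backend was unreachable. The following added example (not code from any poster or from Postfix/ISPConfig) separates that case from a client that never authenticated by correlating SASL warnings with the later rejection; the log lines are constructed in the formats quoted in this thread, hosts and addresses are placeholders, and the function name and cause labels are hypothetical.

```python
import re

# Constructed log lines in the formats quoted in this thread; hosts and
# addresses are documentation placeholders.
SAMPLE_LOG = """\
Jan 10 19:38:23 mx postfix/smtpd[22472]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Jan 10 19:38:23 mx postfix/smtpd[22472]: warning: client.example.net[198.51.100.7]: SASL LOGIN authentication failed: generic failure
Jan 10 19:38:24 mx postfix/smtpd[22472]: NOQUEUE: reject: RCPT from client.example.net[198.51.100.7]: 554 5.7.1 <user@example.org>: Relay access denied; from=<a@example.com> to=<user@example.org> proto=ESMTP helo=<pc1>
Jan 10 19:40:02 mx postfix/smtpd[22480]: NOQUEUE: reject: RCPT from unknown[192.0.2.33]: 554 <user@example.org>: Relay access denied; from=<b@example.com> to=<user@example.org> proto=ESMTP helo=<pc2>
Jan 10 19:41:00 mx postfix/smtpd[22481]: warning: other.example.net[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Jan 10 19:41:01 mx postfix/smtpd[22481]: NOQUEUE: reject: RCPT from other.example.net[198.51.100.9]: 554 5.7.1 <user@example.org>: Relay access denied; from=<c@example.com> to=<user@example.org> proto=ESMTP helo=<pc3>
Jan 10 19:41:02 mx postfix/smtpd[22481]: disconnect from other.example.net[198.51.100.9]
Jan 10 19:45:10 mx postfix/smtpd[22481]: NOQUEUE: reject: RCPT from other.example.net[198.51.100.9]: 554 5.7.1 <user@example.org>: Relay access denied; from=<c@example.com> to=<user@example.org> proto=ESMTP helo=<pc3>
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
BACKEND_DOWN = "warning: SASL authentication failure: cannot connect to saslauthd"
SASL_FAIL = re.compile(r"warning: \S+\[([^\]]+)\]: SASL (\S+) authentication failed: (.*)")
RELAY_DENIED = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[([^\]]+)\]: 554 .*Relay access denied; "
    r"from=<([^>]*)> to=<([^>]*)>")
DISCONNECT = re.compile(r"disconnect from \S+\[([^\]]+)\]")


def triage_relay_denials(log_text):
    """Return one finding per 'Relay access denied' line, with a probable cause
    derived from SASL warnings logged earlier by the same smtpd process for
    the same client address."""
    backend_down = set()   # smtpd pids that just reported an unreachable backend
    failed_auth = {}       # (pid, client ip) -> cause label for the open session
    findings = []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith(BACKEND_DOWN):
            backend_down.add(pid)
            continue
        sasl = SASL_FAIL.match(msg)
        if sasl:
            ip = sasl.group(1)
            if pid in backend_down:
                backend_down.discard(pid)
                failed_auth[(pid, ip)] = "auth backend unreachable"
            else:
                failed_auth[(pid, ip)] = "credentials rejected"
            continue
        denied = RELAY_DENIED.match(msg)
        if denied:
            ip, sender, rcpt = denied.groups()
            cause = failed_auth.get((pid, ip), "no AUTH attempt logged")
            findings.append({"client": ip, "from": sender, "to": rcpt, "cause": cause})
            continue
        gone = DISCONNECT.match(msg)
        if gone:
            # The session is over: a later rejection from the same process and
            # address must not inherit the old AUTH failure.
            failed_auth.pop((pid, gone.group(1)), None)
    return findings


if __name__ == "__main__":
    for f in triage_relay_denials(SAMPLE_LOG):
        print(f"{f['client']:>15}  {f['to']:<20} {f['cause']}")
```

A result of "auth backend unreachable" points at the server (saslauthd, its socket directory, or the database behind it) rather than at the mail client's settings.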

Desp
18th January 2011, 19:00
Please some help before losing my mind ! :mad:
I have set up postfix with smtp/imap and am using squirrelmail on ubuntu. The problem is that I can't send emails outside the box; I get the error Relay access denied. I have tested many ways to solve this problem with no luck. The only good thing that happened is that the error message disappeared but the problem remained. I have added my WAN IP to my networks =
take a look at my main.cf + /etc/hosts and logs :

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = trinity.selman.us
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = selman.us, trinity.selman.us, localhost.selman.us, , localhost
relayhost =
mynetworks = 213.112.127.0/24, 127.0.0.0/8, 192.168.1.0/24 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
home_mailbox = Maildir/
mailbox_command =
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination # I guess here is the problem but how to solve it !!
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/hosts :

192.168.1.64 trinity.selman.us # Added by NetworkManager
127.0.0.1 localhost.localdomain localhost
::1 trinity localhost6.localdomain6 localhost6
127.0.1.1 trinity.selman.us
213.112.127.168 trinity.selman.us
213.112.127.168 selman.us
213.112.127.168 smtp.selman.us
213.112.127.168 webmail.selman.us
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

and mail.log

Jan 18 18:50:20 trinity postfix/qmgr[12712]: 2CBF44A16AF: from=<mahmoud@selman.us>, size=713, nrcpt=1 (queue active)
Jan 18 18:50:41 trinity postfix/smtp[13262]: connect to mx1.hotmail.com[65.55.37.104]:25: Connection timed out
Jan 18 18:51:02 trinity postfix/smtp[13262]: connect to mx2.hotmail.com[65.55.37.72]:25: Connection timed out
Jan 18 18:51:23 trinity postfix/smtp[13262]: connect to mx2.hotmail.com[65.54.188.110]:25: Connection timed out
Jan 18 18:51:44 trinity postfix/smtp[13262]: connect to mx1.hotmail.com[65.54.188.72]:25: Connection timed out
Jan 18 18:52:05 trinity postfix/smtp[13262]: connect to mx4.hotmail.com[65.55.92.184]:25: Connection timed out
Jan 18 18:52:05 trinity postfix/smtp[13262]: 2CBF44A16AF: to=<desp@live.com>, relay=none, delay=3351, delays=3246/0.01/105/0, dsn=4.4.1, status=deferred (connect to mx4.hotmail.com[65.55.92.184]:25: Connection timed out)

some more info:
root@trinity:~# dig selman.us mx

; <<>> DiG 9.7.1-P2 <<>> selman.us mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8061
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;selman.us. IN MX

;; ANSWER SECTION:
selman.us. 3600 IN MX 10 selman.us.
selman.us. 3600 IN MX 0 selman.us.

;; Query time: 143 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Tue Jan 18 18:58:46 2011
;; MSG SIZE rcvd: 59

root@trinity:~# cat /etc/resolv.conf
# Generated by NetworkManager
domain lan
search lan selman.us
nameserver 192.168.1.254
nameserver 195.54.122.199
nameserver 195.54.122.204
search selman.us

Thank you in advance !

Desp
19th January 2011, 13:59
Please some help before losing my mind ! :mad:
I have set up postfix with smtp/imap and am using squirrelmail on ubuntu. The problem is that I can't send emails outside the box; I get the error Relay access denied. I have tested many ways to solve this problem with no luck. The only good thing that happened is that the error message disappeared but the problem remained. I have added my WAN IP to my networks =
take a look at my main.cf + /etc/hosts and logs :

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = trinity.selman.us
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = selman.us, trinity.selman.us, localhost.selman.us, , localhost
relayhost =
mynetworks = 213.112.127.0/24, 127.0.0.0/8, 192.168.1.0/24 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
home_mailbox = Maildir/
mailbox_command =
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination # I guess here is the problem but how to solve it !!
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/hosts :

192.168.1.64 trinity.selman.us # Added by NetworkManager
127.0.0.1 localhost.localdomain localhost
::1 trinity localhost6.localdomain6 localhost6
127.0.1.1 trinity.selman.us
213.112.127.168 trinity.selman.us
213.112.127.168 selman.us
213.112.127.168 smtp.selman.us
213.112.127.168 webmail.selman.us
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

and mail.log

Jan 18 18:50:20 trinity postfix/qmgr[12712]: 2CBF44A16AF: from=<mahmoud@selman.us>, size=713, nrcpt=1 (queue active)
Jan 18 18:50:41 trinity postfix/smtp[13262]: connect to mx1.hotmail.com[65.55.37.104]:25: Connection timed out
Jan 18 18:51:02 trinity postfix/smtp[13262]: connect to mx2.hotmail.com[65.55.37.72]:25: Connection timed out
Jan 18 18:51:23 trinity postfix/smtp[13262]: connect to mx2.hotmail.com[65.54.188.110]:25: Connection timed out
Jan 18 18:51:44 trinity postfix/smtp[13262]: connect to mx1.hotmail.com[65.54.188.72]:25: Connection timed out
Jan 18 18:52:05 trinity postfix/smtp[13262]: connect to mx4.hotmail.com[65.55.92.184]:25: Connection timed out
Jan 18 18:52:05 trinity postfix/smtp[13262]: 2CBF44A16AF: to=<desp@live.com>, relay=none, delay=3351, delays=3246/0.01/105/0, dsn=4.4.1, status=deferred (connect to mx4.hotmail.com[65.55.92.184]:25: Connection timed out)

some more info:
root@trinity:~# dig selman.us mx

; <<>> DiG 9.7.1-P2 <<>> selman.us mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8061
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;selman.us. IN MX

;; ANSWER SECTION:
selman.us. 3600 IN MX 10 selman.us.
selman.us. 3600 IN MX 0 selman.us.

;; Query time: 143 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Tue Jan 18 18:58:46 2011
;; MSG SIZE rcvd: 59

root@trinity:~# cat /etc/resolv.conf
# Generated by NetworkManager
domain lan
search lan selman.us
nameserver 192.168.1.254
nameserver 195.54.122.199
nameserver 195.54.122.204
search selman.us

Thank you in advance !

ehlo trinity.selman.us
250-trinity.selman.us
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

falko
19th January 2011, 14:40
Does this happen just for Hotmail, or for all emails you send to remote servers?
You can search for Hotmail here on the forums, there are a lot of threads already about this.
Also, make sure that your server isn't blacklisted: http://mxtoolbox.com/blacklists.aspx

Desp
19th January 2011, 14:45
Does this happen just for Hotmail, or for all emails you send to remote servers?
You can search for Hotmail here on the forums, there are a lot of threads already about this.
Also, make sure that your server isn't blacklisted: http://mxtoolbox.com/blacklists.aspx

Thank you for your response, Falko. It happens for all emails outside my box.

Desp
19th January 2011, 19:21
Does this happen just for Hotmail, or for all emails you send to remote servers?
You can search for Hotmail here on the forums, there are a lot of threads already about this.
Also, make sure that your server isn't blacklisted: http://mxtoolbox.com/blacklists.aspx

It's blacklisted in 2 destinations :
SORBS-DUHL LISTED Dynamic IP Addresses See: Detail
Return codes were: 127.0.0.10 3600 234
Spamhaus-ZEN LISTED Detail
Return codes were: 127.0.0.11 900 265

Could this be the problem? I have contacted them to remove my IP.

Desp
20th January 2011, 16:46
It's blacklisted in 2 destinations :
SORBS-DUHL LISTED Dynamic IP Addresses See: Detail
Return codes were: 127.0.0.10 3600 234
Spamhaus-ZEN LISTED Detail
Return codes were: 127.0.0.11 900 265

Could this be the problem? I have contacted them to remove my IP.


Finally I found the problem was with my ISP: they blocked port 25 from sending emails :confused: Now I have to use their SMTP instead.
Anyway, I am really thankful for your help, Falko.
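
The mail.log posted earlier in this thread contains postfix/smtp connection timeouts, which come from the outbound side, while "Relay access denied" is written by postfix/smtpd on the inbound side. The following triage is an added example, not code from any poster; the function and finding names are hypothetical, and the smtpd reject line in the sample is constructed.

```python
import re

# Sample input: the postfix/smtp lines are copied from the mail.log posted in
# this thread; the postfix/smtpd reject line is constructed for contrast.
SAMPLE_LOG = """\
Jan 18 18:50:41 trinity postfix/smtp[13262]: connect to mx1.hotmail.com[65.55.37.104]:25: Connection timed out
Jan 18 18:51:02 trinity postfix/smtp[13262]: connect to mx2.hotmail.com[65.55.37.72]:25: Connection timed out
Jan 18 18:51:23 trinity postfix/smtp[13262]: connect to mx2.hotmail.com[65.54.188.110]:25: Connection timed out
Jan 18 18:52:05 trinity postfix/smtp[13262]: 2CBF44A16AF: to=<desp@live.com>, relay=none, delay=3351, delays=3246/0.01/105/0, dsn=4.4.1, status=deferred (connect to mx4.hotmail.com[65.55.92.184]:25: Connection timed out)
Jan 18 19:00:00 trinity postfix/smtpd[13300]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <user@example.org>: Relay access denied; from=<a@example.com> to=<user@example.org> proto=ESMTP helo=<client>
"""

# Outbound side (postfix/smtp): this server could not reach a remote MX on port 25.
CONNECT_FAIL = re.compile(
    r"postfix/smtp\[\d+\]: connect to \S+?\[([^\]]+)\]:25: Connection (?:timed out|refused)")
# Outbound delivery result for a queued message.
DELIVERY = re.compile(r"postfix/smtp\[\d+\]: [0-9A-F]+: to=<[^>]*>.*?dsn=([\d.]+), status=(\w+)")
# Inbound side (postfix/smtpd): a client was refused by the recipient restrictions.
RELAY_DENIED = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+?\[([^\]]+)\]: \d{3} .*Relay access denied")


def triage(log_text, min_unreachable=3):
    """Separate inbound relay rejections from outbound port-25 failures."""
    unreachable, denied_clients, status = set(), set(), {}
    for line in log_text.splitlines():
        if m := CONNECT_FAIL.search(line):
            unreachable.add(m.group(1))
        elif m := DELIVERY.search(line):
            status[m.group(2)] = status.get(m.group(2), 0) + 1
        elif m := RELAY_DENIED.search(line):
            denied_clients.add(m.group(1))
    findings = []
    # Several distinct MX addresses failing with no successful delivery points
    # at the network path (firewall or ISP egress filter), not at main.cf.
    if len(unreachable) >= min_unreachable and status.get("sent", 0) == 0:
        findings.append("outbound-port-25-unreachable")
    # smtpd rejections are a policy result: the client was neither in
    # mynetworks nor SASL-authenticated.
    if denied_clients:
        findings.append("inbound-relay-denied")
    return {"findings": findings, "unreachable": sorted(unreachable),
            "denied_clients": sorted(denied_clients), "status": status}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
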

klaipedaville
14th March 2013, 19:39
Set mynetworks = 127.0.0.0/8, 192.168.1.0/24

My home network is 192.168.1.0 with netmask 255.255.255.0 (24 bit mask)
This worked fine for me. This setting sets what networks you allow to send mail through your smtp server.

-Torgny

I understand this post is a bit too old but I would like to say thank you to Torgny as his/her post gave me an idea. I had exactly the same problem and what saved me was entering my ISP's IP for "mynetworks" and it started to work. I am not sure though but it looks like my ISP has some slightly misconfigured parts in their Postfix. Could anyone also comment on IP for "mynetworks", please? Thanks!

hklcf
22nd March 2013, 12:10
[root@server ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = server.hklcf.homeip.net, localhost, localhost.localdomain
myhostname = server.hklcf.homeip.net
mynetworks = 127.0.0.0/8 [::1]/128
nested_header_checks = regexp:/etc/postfix/nested_header_checks
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
receive_override_options = no_address_mappings
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may
smtpd_use_tls = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000


I can receive email but can't send out email...

klaipedaville
23rd March 2013, 06:38
I strongly suggest you study the mailbox_command in your configuration. If you have Procmail, and it sounds like you have it because you are on Ubuntu, you have to set this parameter first (it's absolutely mandatory to set), otherwise emails will not go anywhere.
Removing this parameter won't help, unless you remove Procmail entirely.

The next option: please try setting your ISP's IP address in the $mynetworks parameter and restart your Postfix. If it starts working, then it will mean that either your ISP is not SASL authenticated or you have misconfigured your SASL. This simple test won't do any harm.

Please some help before losing my mind ! :mad:
I have set up Postfix with SMTP/IMAP and am using SquirrelMail on Ubuntu. The problem is that I can't send emails outside the box; I get the error "Relay access denied". I have tested many ways to solve this problem with no luck. The only good thing that happened is that the error message disappeared, but the problem remained. I have added my WAN IP to my networks =

slayt12
25th January 2014, 16:58
Make sure that
reject_unauth_destination
is not in your setup unless you have a map in
relay_domains
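
The two settings this thread keeps changing, mynetworks and smtpd_recipient_restrictions, can be checked before reloading Postfix. The following audit is an added example, not code from any poster: it reports a restriction list with no relay-limiting entry and mynetworks ranges that are public address space. It assumes a Postfix older than 2.10 (the postconf output above shows 2.6.6), where smtpd_recipient_restrictions is the relay control; function and finding names are hypothetical.

```python
import ipaddress
import re

# Restrictions that limit relaying to destinations this server is responsible for.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination",
                "check_relay_domains", "reject", "defer", "defer_if_permit"}

# Constructed sample: values taken from configs posted in this thread, with
# reject_unauth_destination left out of the restriction list.
SAMPLE_MAIN_CF = """\
mynetworks = 213.112.127.0/24, 127.0.0.0/8, 192.168.1.0/24 [::1]/128
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks
"""


def tokens(value):
    """Split a main.cf value on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def parse_main_cf(text):
    """Return {parameter: [tokens]}; indented lines continue the previous parameter."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:
            params[key] += tokens(raw)
        elif "=" in raw:
            key, value = raw.split("=", 1)
            key = key.strip()
            params[key] = tokens(value)
    return params


def audit(text):
    """Assumes Postfix before 2.10, where smtpd_recipient_restrictions controls relaying."""
    params, findings = parse_main_cf(text), []
    rules = params.get("smtpd_recipient_restrictions")
    if rules is not None:
        # A guard only counts if it is reached before an unconditional "permit".
        head = rules[:rules.index("permit")] if "permit" in rules else rules
        if not RELAY_GUARDS.intersection(head):
            findings.append("no-relay-guard")
    for entry in params.get("mynetworks", []):
        try:
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue  # table lookups such as hash:/path are not address ranges
        if not net.is_private:
            findings.append(f"public-mynetworks:{net}")
    return findings
```
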

cristopher
14th May 2014, 18:10
Thanks for the information, it was really useful.