Relay access denied when using SMTP to external recipients
Kamran Shah
10th October 2005, 14:59
Unable to send emails to any domains not hosted locally on this server via SMTP client. If I do the same using SMTP client I receive NDR and below message in my /var/log/maillog.
Oct 10 12:12:12 portal postfix/smtpd[9641]: NOQUEUE: reject: RCPT from gateway[195.xx.xx.xxx]: 554 <me@yahoo.com>: Relay access denied; from=<me@mydomain.com> to=<me@yahoo.com> proto=ESMTP helo=<Inbox>
Everything works fine if I use web mail client UebiMiau except UebiMiau translates internal emails to me@mydomain.com@myserverhostname.com. But it lets me send emails to me@yahoo.com without any problem; see the log message below, which works perfectly.
Oct 10 12:25:32 portal postfix/smtp[9943]: 78FFA485C8E: to=<me@yahoo.com>, relay=mx2.mail.yahoo.com[4.79.181.13], delay=23, status=sent (250 ok dirdel)
I have read few threads where people are facing this error "Relay access denied" but couldn't really find the resolution for my problem.
I have perfectly installed ISPConfig on FC4 without any problems. /etc/postfix/main.cf has following entry as per installation instruction. I have tried check_relay_domains appears same after restarting postfix.
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
falko
10th October 2005, 15:38
Everything works fine if I use web mail client UebiMiau except UebiMiau translates internal emails to me@mydomain.com@myserverhostname.com. But it lets me send emails to me@yahoo.com without any problem; see the log message below, which works perfectly.
That's because you're on the system itself when you use webmail (the webmail program is running on the server).
In your email client you have to activate something like "Server needs authentication." for that mailbox.
Kamran Shah
10th October 2005, 17:24
That's because you're on the system itself when you use webmail (the webmail program is running on the server).
In your email client you have to activate something like "Server needs authentication." for that mailbox.
Any ideas what would be the fix, I have opened a separate thread for this issue as it doesn't relate to relaying http://www.howtoforge.com/forums/showthread.php?p=3952#post3952
falko
10th October 2005, 18:39
Did you enable "Server needs authentication" in your email client?
Kamran Shah
11th October 2005, 14:07
I was using my Pocket PC (Orange M2000 with WM2003SE) Email client and configuration worked for another free pop3/smtp server but not for this one I installed with ISPConfig.
After Falko's reply I realised it could be this client so tried on Outlook Express on my PC which worked perfectly so it is down to the client I have on my PPC.
If I enable Server Authentication on my PPC it would come up with connectivity error while without server authentication it worked for internal mail destinations.
I finally tweaked with my PPC client and found that Server information contains Incoming mail, Outgoing mail and Domain where I was adding the same domain name I wanted to get email working. After deleting domain from these tried again and it worked, not sure what this domain means and why is it here, can't see such thing in Outlook Express.
I was already impressed with Falko's knowledge from previous posts and knew he will fix it.
Although my webmail issue is still there, which is probably down to the UebiMiau settings which I can't find how to fix. I used the package to install from ispconfig.com but might try SquirrelMail or any other client some other time.
caMi
10th September 2006, 17:09
I have had the same problems (Debian, also Web-FTP-Tool), here is "my" solution:
remove "localhost" in hosts-File (http://www.howtoforge.com/forums/showthread.php?t=2468&page=2#18)
Greetings
caMi
tonsai
27th November 2006, 19:10
Make sure you are authenticating to your 'outgoing' mail server and not the incoming.
torgnyw
22nd December 2006, 00:26
Set mynetworks = 127.0.0.0/8, 192.168.1.0/24
My home network is 192.168.1.0 with netmask 255.255.255.0 (24 bit mask)
This worked fine for me. This setting sets what networks you allow to send mail through your smtp server.
-Torgny
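A simplified model of how Postfix walks the restriction list quoted at the top of this thread, showing why webmail on the server relays, why an unauthenticated remote client gets 554, and what widening mynetworks as suggested just above changes. This is an added example, not code from any poster or from Postfix; mydomain.com as the local domain and the client addresses are assumptions.

```python
import ipaddress

# Constructed main.cf values: the restriction list and 127.0.0.0/8 are quoted
# in this thread; mydomain.com stands in for the locally hosted domain.
MAIN_CF = {
    "smtpd_recipient_restrictions":
        "permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination",
    "mynetworks": "127.0.0.0/8",
    "mydestination": "mydomain.com, localhost",
    "relay_domains": "",
}
# Same server with the LAN added to mynetworks, as in the post above.
LAN_CF = dict(MAIN_CF, mynetworks="127.0.0.0/8, 192.168.1.0/24")


def split_list(value):
    """main.cf list values may be separated by commas and/or whitespace."""
    return value.replace(",", " ").split()


def in_mynetworks(client_ip, mynetworks):
    addr = ipaddress.ip_address(client_ip)
    # strict=False tolerates entries written with host bits set (127.0.0.1/8).
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in split_list(mynetworks))


def is_authorized_destination(rcpt, cfg):
    """True if the recipient domain is one this server accepts mail for.

    Simplified: only literal domains in mydestination and relay_domains are
    checked; lookup tables (mysql:, hash:) and virtual domains are not modelled.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in (d.lower() for d in split_list(cfg.get("mydestination", ""))):
        return True
    return any(domain == r.lower() or domain.endswith("." + r.lower())
               for r in split_list(cfg.get("relay_domains", "")))


def check_rcpt(cfg, client_ip, sasl_authenticated, rcpt):
    """Walk the restriction list left to right; the first decisive rule wins."""
    for rule in split_list(cfg["smtpd_recipient_restrictions"]):
        if rule == "permit_sasl_authenticated":
            if sasl_authenticated:
                return ("permit", rule)
        elif rule == "permit_mynetworks":
            if in_mynetworks(client_ip, cfg["mynetworks"]):
                return ("permit", rule)
        elif rule == "reject_unauth_destination":
            if not is_authorized_destination(rcpt, cfg):
                return ("reject: 554 Relay access denied", rule)
        else:
            raise ValueError("restriction not modelled: " + rule)
    # No rule rejected, so the recipient is accepted at the end of the list.
    return ("permit", "end of list")


if __name__ == "__main__":
    remote = "203.0.113.10"   # constructed client address outside mynetworks
    cases = [
        ("webmail on the server", MAIN_CF, "127.0.0.1", False, "me@yahoo.com"),
        ("remote client, no AUTH", MAIN_CF, remote, False, "me@yahoo.com"),
        ("remote client, AUTH ok", MAIN_CF, remote, True, "me@yahoo.com"),
        ("remote client, local rcpt", MAIN_CF, remote, False, "me@mydomain.com"),
        ("LAN client, no AUTH", LAN_CF, "192.168.1.50", False, "me@yahoo.com"),
    ]
    for label, cfg, ip, authed, rcpt in cases:
        print(f"{label:28} -> {check_rcpt(cfg, ip, authed, rcpt)}")
```

Every host covered by mynetworks relays without authenticating, so that list should contain only networks whose clients are trusted to send as anyone.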
massimopasquali
10th January 2007, 15:01
hello
I have the same problem, but I have configured postfix to authenticate the sender. So postfix works fine when I use it in my LAN, but when I go out of my office and connect with my notebook over a dial-up internet connection, I can't send email to addresses external to my domain, because I receive the error 554 relay access denied
what you think about my problem?
Bye!
falko
11th January 2007, 20:17
Did you enable "Server requires authentication" in your email client?
What's in /etc/postfix/main.cf (please strip out the comments)?
massimopasquali
12th January 2007, 09:59
this is my main.cf
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
setgid_group = postdrop
append_dot_mydomain = no
smtp_banner = $myhostname ESMTP pasqualinformatica.com
biff = no
myhostname =smtp.pasqualinformatica.com
mydestination = $myhostname loalhost localhost.$mydomain
#relay_domains =
mynetworks = 127.0.0.1/8, 192.168.3.0/24
disable_vrfy_command = yes
smtpd_helo_required = yes
virtual_mailbox_base = /var/mail/vmail
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf
virtual_uid_maps = static:1008
virtual_gid_maps = static:1008
alias_maps = mysql:/etc/postfix/mysql-alis_maps.cf
smtpd_sender_restrictions = permit_sasl_authenticated,
    permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
#smtpd_sasl_local_domain = yes
smtpd_sasl_security_options = noanonymous
smtp_sasl_password_maps = mysql:/etc/postfix/mysql_auth.conf
smtp_sender_login_maps = mysql:/etc/postfix/mysql_auth.conf
smtpd_pix_workaround_delay_time = 20s
smtpd_pix_workaround_threshold_time = 500s
#message_size_limit = 10240000
message_size_limit = 20240000
#message_size_limit = 3000000
can you look please? because I am becoming crazy
thanks
falko
13th January 2007, 16:13
Did you enable "Server requires authentication" in your email client?
massimopasquali
13th January 2007, 17:40
yes i do it
falko
14th January 2007, 19:39
And do you use the correct username and password in your email client?
What's the output of telnet localhost 25
ehlo localhost?
xionax
11th February 2007, 21:32
And do you use the correct username and password in your email client?
What's the output of telnet localhost 25
ehlo localhost?
I'm encountering the exact same problem.
The output is, for me:
anderith:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 anderith.rg-it.net ESMTP Postfix (Debian/GNU)
ehlo localhost
250-anderith.rg-it.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
- SMTP authentication is enabled
Postconf -n is:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
delay_warning_time = 4h
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command =
mailbox_size_limit = 0
mydestination = /etc/postfix/local-host-names
myhostname = anderith.rg-it.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
cat /etc/postfix/virtusertable:
anderith:~# cat /etc/postfix/virtusertable
###################################
#
# ISPConfig virtusertable Configuration File
# Version 1.0
#
###################################
support@www.rg-it.net web2_rgit
web2_rgit@www.rg-it.net web2_rgit
support@rg-it.net web2_rgit
web2_rgit@rg-it.net web2_rgit
support@rails.rg-it.net web2_rgit
web2_rgit@rails.rg-it.net web2_rgit
robert@www.xs4some.org web3_robert
web3_robert@www.xs4some.org web3_robert
robert@xs4some.org web3_robert
web3_robert@xs4some.org web3_robert
robert@xs4some.org..xs4some.org web3_robert
web3_robert@xs4some.org..xs4some.org web3_robert
robert@blog.xs4some.org web3_robert
web3_robert@blog.xs4some.org web3_robert
#### MAKE MANUAL ENTRIES BELOW THIS LINE! ####anderith:~#
cat /etc/postfix/local-host-names:
anderith:~# cat /etc/postfix/local-host-names
###################################
#
# ISPConfig local-host-names Configuration File
# Version 1.0
#
###################################
localhost
anderith.rg-it.net
localhost.anderith.rg-it.net
localhost.rg-it.net
localhost.localdomain
www.xerox.rg-it.net
www.rg-it.net
www.xs4some.org
xerox.rg-it.net
rg-it.net
rails.rg-it.net
xs4some.org
xs4some.org..xs4some.org
blog.xs4some.org
#### MAKE MANUAL ENTRIES BELOW THIS LINE! ####anderith:~#
Situation: I'm trying to send an email - from Outlook - to an @gmail.com address.
Internal (within my @xs4some.org domain) works OK, webmail works OK, telnet locally works ok, telnet externally doesn't work.
And of course; from Outlook it doesn't work.
Some help is definitely appreciated. :)
edit:
Almost forgot to mention; I'm running Debian Sarge.
falko
12th February 2007, 16:06
Almost forgot to mention; I'm running Debian Sarge.
By reading the output of postconf -n, I assume you didn't follow the "Perfect Setup for Debian Sarge"? Please configure your Postfix as described here: http://www.howtoforge.com/perfect_setup_debian_sarge_p4
nevernamed
28th May 2007, 00:16
I seem to be having the same problem.
When I log into my webmail (squirrelmail) I can send mail no problem. I sent mail to my gmail and it got there. However, when I try to send mail through my thunderbird e-mail client I get the relay access denied error.
This is odd because I've had no problems with this system for about a month since I initially got it running. Does anybody have any idea what within my client could be causing the problem? Thanks!
falko
28th May 2007, 18:28
Did you enable "Server requires authentication." in your email client?
nevernamed
29th May 2007, 03:43
Yes I did. I just got home and I tried it again and I was able to send mail (to my gmail). This leads me to believe that it's just something now allowing me to send mail from outside of my network. Do you know what it might be? The only mail port that I have open is 993.... could that be the problem?
falko
30th May 2007, 17:11
"Server requires authentication." allows your mail client to use SMTP-AUTH which is required to send mails outside your server.
Port 993 is for IMAPS. For sending emails, port 25 (SMTP) must be open.
nevernamed
1st June 2007, 04:35
odd... I have port 25 open...
ThePFY
21st July 2007, 19:10
Hi
i have got postfix installed on fedora core 6 (I followed the Howto)
i can get e-mail out to my gmail address but when i reply i get the error message relay access denied when i try to reply from my g-mail account
NDR from gmail
Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 13): 554 5.7.1 <rjb@ramage.org.uk>: Relay access denied
----- Original message -----
Received: by 10.114.36.1 with SMTP id j1mr1494765waj.1185033628511;
Sat, 21 Jul 2007 09:00:28 -0700 (PDT)
Received: by 10.114.190.16 with HTTP; Sat, 21 Jul 2007 09:00:28 -0700 (PDT)
Message-ID: <f8927d890707210900q7e8c2b21qe8c503ec73a0aca5@mail.gmail.com>
Date: Sat, 21 Jul 2007 17:00:28 +0100
From: "Ryan Bryant" <ryan.bryant@gmail.com>
To: "Ryan John Bryant" <rjb@ramage.org.uk>
Subject: Re: Tester
In-Reply-To: <002001c7cbb0$3bdb2a10$6801a8c0@dreadnought>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_121565_8195519.1185033628354"
References: <002001c7cbb0$3bdb2a10$6801a8c0@dreadnought>
if you want / need any more info i will be glad to provide it and welcome and thank you for your support in advance
:)
falko
22nd July 2007, 18:47
Hi
i have got postfix installed on fedora core 6 (I followed the Howto)
What tutorial exactly (URL)?
i can get e-mail out to my gmail address but when i reply i get the error message relay access denied when i try to reply from my g-mail account
What's the output of postconf -n? Do you use ISPConfig?
rusty
17th December 2007, 09:32
Did you enable "Server needs authentication" in your email client?
I have a similar issue. I can send mail from the server using command line (telnet), however using Outlook I get relay access denied. I have Outlook set to use authentication (same settings as incoming mailserver). I receive mail just fine in Outlook.
log: Dec 17 02:13:46 mail postfix/smtpd[10296]: NOQUEUE: reject: RCPT from static-12-134-58-18.verizon.net[12-134-58-18]: 554 5.7.1 <joe@aol.com>: Relay access denied; from=<rusty@domain.com> to=<joe@aol.com> proto=ESMTP helo=<computername>
Would you have any ideas? Thanks!
falko
18th December 2007, 16:56
I have a similar issue. I can send mail from the server using command line (telnet), however using Outlook I get relay access denied. I have Outlook set to use authentication (same settings as incoming mailserver). I receive mail just fine in Outlook.
Are you absolutely sure you checked the right option in Outlook? If so, what's in /etc/postfix/main.cf, and what's the output of
telnet localhost 25
and then ehlo localhost?
rusty
20th December 2007, 04:52
# telnet localhost 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain.com
myhostname = mail.domain.com
mynetworks = 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.domain.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.domain.com.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/mtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
# dovecot -n
# 1.0.7: /etc/dovecot.conf
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: maildir:/home/vmail/%d/%n
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
passdb:
driver: sql
args: /etc/dovecot-mysql.conf
userdb:
driver: passwd
userdb:
driver: static
args: uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
socket:
type: listen
client:
path: /var/spool/postfix/private/auth
mode: 432
user: postfix
group: postfix
master:
path: /var/run/dovecot/auth-master
mode: 384
user: vmail
rusty
20th December 2007, 07:05
I wanted to repost my output from postconf -n and dovecot -n because I'm not sure I was using the latest main.cf and dovecot.conf files. Also I have the output from netstat -tap that doesn't show anything on port 25.
I hope someone can help me as I've been stuck at this point for a week. Thanks so much for your time and effort!
netstat -tap
tcp 0 0 localhost.localdomain:2208 *:* LISTEN 2639/hpiod
tcp 0 0 *:imaps *:* LISTEN 6975/dovecot
tcp 0 0 *:pop3s *:* LISTEN 6975/dovecot
tcp 0 0 localhost.localdomain:10025 *:* LISTEN 7058/master
tcp 0 0 *:rtps-dd-mt *:* LISTEN 3235/hptsvr
tcp 0 0 *:mysql *:* LISTEN 2821/mysqld
tcp 0 0 *:courierpassd *:* LISTEN 2701/xinetd
tcp 0 0 *:fcp-udp *:* LISTEN 2324/rpc.statd
tcp 0 0 *:7403 *:* LISTEN 3235/hptsvr
tcp 0 0 *:5900 *:* LISTEN 3485/vino-server
tcp 0 0 *:pop3 *:* LISTEN 6975/dovecot
tcp 0 0 localhost.local:dyna-access *:* LISTEN 2717/clamd
tcp 0 0 *:imap *:* LISTEN 6975/dovecot
tcp 0 0 localhost.localdomain:783 *:* LISTEN 2869/spamd.pid
tcp 0 0 *:sunrpc *:* LISTEN 2285/portmap
tcp 0 0 *:x11 *:* LISTEN 3401/X
tcp 0 0 *:ndmp *:* LISTEN 3291/perl
tcp 0 0 *:http *:* LISTEN 3006/httpd
tcp 0 0 *:ftp *:* LISTEN 3265/pure-ftpd (SER
tcp 0 0 *:ssh *:* LISTEN 2682/sshd
tcp 0 0 localhost.localdomain:ipp *:* LISTEN 2661/cupsd
tcp 0 0 *:https *:* LISTEN 3006/httpd
tcp 0 0 localhost.localdomain:2207 *:* LISTEN 2644/python
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost
mydomain = domain.com
myhostname = mail.domain.com
mynetworks = 127.0.0.0/8
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt
smtpd_tls_key_file = /etc/postfix/tls/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/mtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
# dovecot -n
# 1.0.7: /etc/dovecot.conf
listen(default): *:143
listen(imap): *:143
listen(pop3): *:110
ssl_listen(default): *:993
ssl_listen(imap): *:993
ssl_listen(pop3): *:995
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
first_valid_uid: 5000
last_valid_uid: 5000
first_valid_gid: 5000
last_valid_gid: 5000
mail_location: maildir:/home/vmail/%d/%n
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
auth default:
passdb:
driver: sql
args: /etc/dovecot-mysql.conf
userdb:
driver: passwd
userdb:
driver: static
args: uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
socket:
type: listen
client:
path: /var/spool/postfix/private/auth
mode: 432
user: postfix
group: postfix
master:
path: /var/run/dovecot/auth-master
mode: 384
user: vmail
rusty
20th December 2007, 07:56
Aha, I removed amavisd from main.cf and master.cf and uncommented
smtp inet n - n - - smtpd in master.cf
and now smtp is working. Unfortunately, I'm still stuck with this relay access denied message. I'll have to find out why the amavisd service fails to start, but still could use help on the relay access denied issue.
rusty
20th December 2007, 22:14
I think that my authentication issue may arise out of postfix or dovecot not being able to get the user name and password from mysql. I'm trying to understand how that process works so I can look in the right place.
It would be great if someone could explain how this part works. On the incoming side, there doesn't seem to be a problem with mysql.
I'm not sure whether I should look at dovecot or postfix for the problem. Dovecot is the SASL type. I've done a lot of reading on this, but there doesn't seem to be very specific info on what is actually happening when Outlook attempts to authenticate with the SMTP part of Postfix/Dovecot.
And I have questions about where I should look. Should I look in main.cf or master.cf? Or should I look at dovecot-mysql.conf or one of the mysql_virtual.....cf files? All this work is good for me as I'm learning a lot, but I sure could use some help on this part.
Thanks,
Eric
falko
21st December 2007, 13:35
The relay access denied error has nothing to do with Dovecot - Dovecot is for fetching the emails from the server only. I think it's a problem with saslauthd.
Which distribution are you using? What's the output of ps aux | grep saslauthd?
rusty
22nd December 2007, 18:46
Thanks Falko.
I'm on Centos 5 (64).
# ps aux | grep saslauthd
root 3138 0.0 0.0 40008 476 ? Ss 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3139 0.0 0.0 40008 264 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3140 0.0 0.0 40008 260 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3141 0.0 0.0 40008 260 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3143 0.0 0.0 40008 260 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3742 0.0 0.0 60252 720 pts/0 R+ 11:42 0:00 grep saslauthd
falko
23rd December 2007, 18:13
What's in /usr/lib64/sasl2/smtpd.conf? It should look like this:
pwcheck_method: saslauthd
mech_list: plain login
rusty
6th January 2008, 20:03
Sorry for the delay, I was away on vacation. I resolved the issue.
In Postfix 2.3 or later, one can use dovecot for sasl, which is what I was doing. Falko's comments about SASL helped me focus on that area and I found that PAM was not enabled in dovecot.conf
Thank you Falko!
Challenger
27th April 2008, 14:17
Hello all,
My problem is similar. I can connect when on my internal network through a variety of means, including IMAP and SMTP/POP, with and without TLS. However when I try to connect externally, I get 'relay denied' errors in my Postfix mail log as follows:
NOQUEUE: reject: RCPT from unknown[xxx.xxx.xxx.xxx <but see comment below>]: 554 5.7.1 <username1@in.access.table>: Relay access denied; from=<username2@in.access.table> to=<username1@in.access.table> proto=ESMTP helo=<Inbox>
(I have of course blanked out the IP address and changed the email addresses to show that I think they are checked)
Now, I'm not sure whether this is a Postfix configuration problem, or a sasl problem (I do not have a sasl2/smtpd.conf file that I can find anywhere on my system!), or indeed a NAT problem (see below). I have checked 'authenticate outgoing mail' on my client.
But here's the IP address discussion bit (possible NAT problem) as promised in the log entry: I have of course defined my networks and specified to permit them in Postfix's main.cf. However the error log suggests that Postfix might be rejecting on the IP address. It appears that it is seeing my public IP address from the public side of my router, not my local network IP address. I.E. my router might not be performing NAT properly. I.E. it is port forwarding, (Telnetting gets through fine) but not network address translating. Could this be (part of) the problem?
I hope you can help, I've been on this for weeks. I'm happy to post any config file snippets, log entries etc that you might need.
Thanks in advance,
Andy
:(
falko
28th April 2008, 22:46
Which distribution are you using? Did you enable "Server requires authentication" in your email client?
Challenger
29th April 2008, 01:28
Hi Falko, thanks for replying.
I'm using Ubuntu 7.10. Yes, I have checked "Server requires authentication" in my client - and specified to use SSL for both incoming and outgoing.
Andy
falko
29th April 2008, 17:46
What's in /etc/postfix/sasl/smtpd.conf and /etc/postfix/main.cf?
Does it work if you disable SSL?
Challenger
29th April 2008, 21:46
Hi again Falko,
Thanks for trying to help. I answer your questions in the order you asked them.
1. My /etc/postfix/sasl directory is completely empty! Might that be the problem!?
2. The non-comment bits of /etc/postfix/main.cf are (I've protected anything sensitive like: 'working access file'):
----------------------------------------------------------------
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
smtpd_tls_cert_file = 'a file'
smtpd_tls_key_file = 'another file'
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
alias_maps = hash:/etc/aliases
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:'working passwd file location'
smtp_sasl_security_options=
maximal_queue_lifetime = 1d
mydomain = pooh.boul.net
myorigin = pooh.boul.net
mydestination = pooh.boul.net, localhost.pooh.boul.net, localhost.boul.net, localhost
home_mailbox = Maildir/
mynetworks = 127.0.0.0/8, 192.168.1.0/24
relayhost = outbound.mailhop.org:2525
smtpd_delay_reject = no
smtpd_sender_restrictions = hash:'working access file', reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:'working access file', reject_unauth_destination
smtpd_helo_required = yes
relay_domains = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit_inet_interfaces
hash_queue_depth = 3
delay_warning_time = 1
--------------------------------------------------------
3. It doesn't work if I turn off SSL in the client; it makes no difference. As you can see from above, SSL isn't required, just nice to have. I haven't tried turning off SSL completely (i.e. commenting out the relevant lines completely in main.cf).
Any ideas?
Thanks,
Andy
falko
30th April 2008, 17:23
Which tutorial did you use to set up the system? Are you trying to use virtual users or system users?
Challenger
1st May 2008, 09:36
I didn't really use a tutorial as such. I installed packages then used help files to adjust out-of-the-box settings.
I am only interested in system users.
Thanks.
Please follow chapter 14 from http://www.howtoforge.com/perfect_server_ubuntu7.10_p5
This link might be interesting if you want to set up mail accounts on the command line: http://www.howtoforge.com/forums/showthread.php?t=2
Challenger
10th May 2008, 20:33
Hi Falko, and thanks for the pointer to the tutorial. I did as it suggested (but without the complete reinstall of postfix and procmail).
My /etc/postfix/main.cf and /etc/default/saslauthd are now the same as in the tutorial.
However I'm still having problems. My mail log file offers:
May 10 18:20:16 pooh postfix/smtpd[8139]: setting up TLS connection from unknown[xx.xx.xx.xx (real values removed)]
May 10 18:20:16 pooh postfix/smtpd[8139]: TLS connection established from unknown[xx.xx.xx.xx]: SSLv3 with cipher RC4-MD5 (128/128 bits)
May 10 18:20:16 pooh postfix/smtpd[8139]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
May 10 18:20:16 pooh postfix/smtpd[8139]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
May 10 18:20:16 pooh postfix/smtpd[8139]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: authentication failure
May 10 18:20:17 pooh postfix/smtpd[8139]: warning: unknown[xx.xx.xx.xx]: SASL NTLM authentication failed: bad protocol / cancel
May 10 18:20:17 pooh postfix/smtpd[8139]: disconnect from unknown[xx.xx.xx.xx]
and of course my mail client reports that it is unable to send the message.
Any ideas? How / where should I have created the sasldb2 files / entries? Previously I have listed permitted users in an access file in the postfix directory (converted to .db format of course)...?
Andy
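A triage script for the two log patterns posted in this thread: it groups postfix/smtpd lines by process ID and, for each "Relay access denied" reject, reports whether the same session logged a failed SMTP AUTH or a SASL backend error first. This is an added example, not from any poster; the sample log is constructed in the thread's format, and the client addresses and example.net/example.org mailboxes are placeholders.

```python
import re

# Constructed sample in the maillog format shown in this thread.
SAMPLE_LOG = """\
Oct 10 12:12:10 portal postfix/smtpd[9641]: connect from gateway[203.0.113.7]
Oct 10 12:12:12 portal postfix/smtpd[9641]: NOQUEUE: reject: RCPT from gateway[203.0.113.7]: 554 <me@yahoo.com>: Relay access denied; from=<me@mydomain.com> to=<me@yahoo.com> proto=ESMTP helo=<Inbox>
Oct 10 12:12:13 portal postfix/smtpd[9641]: disconnect from gateway[203.0.113.7]
May 10 18:20:16 pooh postfix/smtpd[8139]: connect from unknown[203.0.113.9]
May 10 18:20:16 pooh postfix/smtpd[8139]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
May 10 18:20:16 pooh postfix/smtpd[8139]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
May 10 18:20:16 pooh postfix/smtpd[8139]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
May 10 18:20:17 pooh postfix/smtpd[8139]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <user@example.net>: Relay access denied; from=<sender@example.org> to=<user@example.net> proto=ESMTP helo=<Inbox>
May 10 18:20:17 pooh postfix/smtpd[8139]: disconnect from unknown[203.0.113.9]
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[([^\]]+)\]: 554 (?:\d\.\d\.\d )?<[^>]*>: "
    r"Relay access denied; from=<([^>]*)> to=<([^>]*)>")
SASL_FAILED = re.compile(
    r"warning: \S+\[[^\]]+\]: SASL (\S+) authentication failed")
SASL_PROBLEM = re.compile(r"warning: SASL authentication problem: (.*)$")


def diagnose(state):
    """Summarise what the session logged before the relay reject."""
    if state["backend_errors"]:
        return "SMTP AUTH failed: SASL backend error"
    if state["failed_mechs"]:
        return "SMTP AUTH failed: credentials rejected"
    return "no SMTP AUTH attempt logged"


def triage(log_text):
    """Return one finding per 'Relay access denied' reject in log_text."""
    sessions = {}   # smtpd PID -> what the session on that process has logged
    findings = []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        state = sessions.setdefault(
            pid, {"failed_mechs": [], "backend_errors": []})
        if msg.startswith("disconnect from"):
            # An smtpd process serves one client at a time, so the next
            # connection on this PID starts with a clean state.
            del sessions[pid]
            continue
        problem = SASL_PROBLEM.match(msg)
        if problem:
            if problem.group(1) not in state["backend_errors"]:
                state["backend_errors"].append(problem.group(1))
            continue
        failed = SASL_FAILED.match(msg)
        if failed:
            state["failed_mechs"].append(failed.group(1))
            continue
        reject = REJECT.match(msg)
        if reject:
            findings.append({
                "client": reject.group(1),
                "sender": reject.group(2),
                "rcpt": reject.group(3),
                "failed_mechs": list(state["failed_mechs"]),
                "backend_errors": list(state["backend_errors"]),
                "diagnosis": diagnose(state),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["client"], f["sender"], "->", f["rcpt"], "|", f["diagnosis"])
        for err in f["backend_errors"]:
            print("    backend:", err)
```

A reject with no AUTH attempt points at the mail client's outgoing-server settings; one preceded by a SASL backend error points at the server's SASL configuration.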
falko
12th May 2008, 00:07
What's in /etc/postfix/sasl/smtpd.conf, /etc/default/saslauthd, and /etc/postfix/main.cf?
Challenger
13th May 2008, 18:33
Hi Falko, and thanks again.
/etc/postfix/sasl/smtpd.conf contains:
--------------------------------------
pwcheck_method: saslauthd
mech_list: plain login
-----------------------------------------
/etc/default/saslauthd contains:
-------------------------------------
# This needs to be uncommented before saslauthd will be run automatically
# START=yes
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
# MECHANISMS="pam"
# PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
# Falko's settings below
#
# Settings for saslauthd daemon
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
------------------------------------------------------------------
/etc/postfix/main.cf contains:
-------------------------------------------------------------------------
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# TLS parameters [Falko: these just happen to be where my (self-generated) certs are. TLS has worked before]
smtpd_tls_cert_file = /etc/apache2/ssl.crt
# Following line added by Andy
smtpd_tls_key_file = /etc/apache2/ssl.key
# Following line added by Andy
# smtpd_tls_key_file=/etc/ssl/certs/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = pooh.boul.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
home_mailbox = Maildir/
mydestination = pooh.boul.net, localhost.pooh.boul.net, localhost.boul.net, localhost
relayhost =
mynetworks = 127.0.0.0/8, 192.168.1.0/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
maximal_queue_lifetime = 1d
relayhost = outbound.mailhop.org:2525
smtpd_helo_required = yes
delay_warning_time = 1
# Following lines to end added by Andy
# smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd
# force authentication
# smtp_sasl_security_options = noanonymous
# be courteous ! (optional)
# smtp_helo_name = pooh.boul.net
# identify yourself (optional)
# smtpd_banner = Pooh Boul Mail
# maximal_queue_lifetime = 1d
# mydomain = pooh.boul.net
# myorigin = pooh.boul.net
# mydestination = pooh.boul.net, localhost.pooh.boul.net, localhost.boul.net, localhost
# home_mailbox = Maildir/
# relayhost = outbound.mailhop.org:2525
# smtpd_delay_reject = no
# smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain
# smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/access, reject_unauth_destination
# smtpd_helo_required = yes
# relay_domains = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit_inet_interfaces
# hash_queue_depth = 3
# delay_warning_time = 1
---------------------------------------------------------------------
You can see there is a lot I have tried in main.cf, but I have commented out everything not in the tutorial.
Thanks again for your help,
Andy
falko
14th May 2008, 17:51
Looks ok. Can you restart saslauthd and Postfix?
If that doesn't help, what's in /etc/postfix/master.cf?
Challenger
14th May 2008, 20:41
I've restarted Postfix, and entered the following to restart saslauthd:
> /etc/init.d/saslauthd restart
* To enable saslauthd, edit /etc/default/saslauthd and set START=yes
However, when checking the running processes, saslauthd doesn't appear. I don't think it's running. What have I done wrong!?
In case it's useful, master.cf is:
------------------------------------------------------------------
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_enforce_tls=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - - - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
  -o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
--------------------------------------------------------------------
Thanks,
Andy
falko
15th May 2008, 20:43
Please make /etc/default/saslauthd look exactly as shown on http://www.howtoforge.com/perfect_server_ubuntu7.10_p5
Challenger
16th May 2008, 19:36
Hi again,
I have made it exactly the same as you suggested (I cut and pasted, and checked). I then restarted saslauthd and Postfix, but I have the same symptoms.
My Postfix log file gives:
-----------------------------------------------------------------
May 16 17:28:24 pooh postfix/smtpd[26512]: connect from unknown[xx.xx.xx.xx (hidden as this is my public ip address)]
May 16 17:28:25 pooh postfix/smtpd[26512]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
May 16 17:28:25 pooh postfix/smtpd[26512]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: generic failure
May 16 17:28:25 pooh postfix/smtpd[26512]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
May 16 17:28:25 pooh postfix/smtpd[26512]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: generic failure
May 16 17:28:25 pooh postfix/smtpd[26512]: disconnect from unknown[xx.xx.xx.xx]
----------------------------------------------------------------
Also, as I said before, checking running processes does not show that saslauthd is actually running anywhere (I checked all process owners, including root, myself, postfix and saslauthd).
And when I do a restart of saslauthd, using:
/etc/init.d/saslauthd restart
The command line returns:
* To enable saslauthd, edit /etc/default/saslauthd and set START=yes
(which of course I have done by making /etc/default/saslauthd exactly as you say)
I don't think the daemon is running at all, for some reason...?
Andy
falko
17th May 2008, 16:39
Did you do all changes as root or as a normal user?
What's in /etc/default/saslauthd now?
Challenger
18th May 2008, 12:32
Hi Falko,
Yes, all changes done as root. Permissions are as follows:
main.cf:
User: root
Group: root
Octal: 0644
smtpd.conf:
User: root
Group: root
Octal: 0644
saslauthd:
User: root
Group: root
Octal: 0744
saslauthd now contains:
------------------------------------------
#
# Settings for saslauthd daemon
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
-----------------------------------------------------------------
Thanks again,
Andy
falko
19th May 2008, 17:10
What's the output of updatedb
locate saslauthd?
Challenger
20th May 2008, 00:39
Hi again,
updatedb didn't report any output but took a while to complete.
locate saslauthd gives the following:
----------------------------------------
/etc/default/saslauthd
/etc/rc4.d/S20saslauthd
/etc/rc3.d/S20saslauthd
/etc/rc1.d/K20saslauthd
/etc/rc2.d/S20saslauthd
/etc/init.d/saslauthd
/etc/rc5.d/S20saslauthd
/usr/share/man/man8/saslauthd.8.gz
/usr/share/man/man8/testsaslauthd.8.gz
/usr/sbin/saslauthd
/usr/sbin/testsaslauthd
--------------------------------------
Thanks,
Andy
falko
21st May 2008, 00:44
Looks ok. What's in /etc/init.d/saslauthd?
mr_skot
21st May 2008, 04:46
I too am also having the same problems and am a noob when it comes to this.
Thank you for any help.
-Skot
--------------------------------------------------------
System: Redhat Linux Fedora 8
Tutorial: http://www.howtoforge.com/perfect_server_fedora7
Did not install ISPConfig, don't need it.
When I sent to my email address on my server I also get the 554 No Relay message.
From my Gmail to my linux box:
Delivery to the following recipient failed permanently:
name@server
Technical details of permanent failure:
PERM_FAILURE: Gmail tried to deliver your message, but it was rejected by the recipient domain. The error that the other server returned was: 554 554 5.7.1 <name@server>: Relay access denied. We recommend contacting the other email provider for further information about the cause of this error. Thanks for your continued support. (state 14)
Details from my mail log:
mtpd[25639]: connect from rv-out-0506.google.com[209.85.198.231]
May 20 19:41:10 mysystemname postfix/smtpd[25639]: NOQUEUE: reject: RCPT from rv-out-0506.google.com[209.85.198.231]: 554 5.7.1 <name@server>: Relay access denied; from=<mygmail@gmail.com> to=<name@server> proto=ESMTP helo=<rv-out-0506.google.com>
May 20 19:41:10 mysystemname postfix/smtpd[25639]: disconnect from rv-out-0506.google.com[209.85.198.231]
Here's all the info I can get (from this thread):
--------------------------------------------------
cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
--------------------------------------------------
"Did you enable "Server requires authentication" in your email client?"
I was only trying to test sending an email TO this account from another, I was not trying to send an email using (through SMTP) this account.
--------------------------------------------------
cat /etc/postfix/sasl/smtpd.conf
cat: /etc/postfix/sasl/smtpd.conf: No such file or directory
--------------------------------------------------
cat /etc/postfix/main.cf (I left out all the commented code)
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
  PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
  xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.4.5/samples
readme_directory = /usr/share/doc/postfix-2.4.5/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sasl_authenticated_header = yes
myhostname = <my.system.name>
home_mailbox = Maildir/
mailbox_command =
--------------------------------------------------
cd /etc/postfix/sasl
-bash: cd: /etc/postfix/sasl: No such file or directory
--------------------------------------------------
cd /etc/default/saslauthd
-bash: cd: /etc/default/saslauthd: No such file or directory
--------------------------------------------------
cat /etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#submission inet n - n - - smtpd
# -o smtpd_enforce_tls=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
  -o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
Challenger
21st May 2008, 10:05
/etc/init.d/saslauthd contains:
------------------------------------------------
#! /bin/sh
### BEGIN INIT INFO
# Provides: saslauthd
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: S 0 1 6
# Short-Description: saslauthd startup script
# Description: This script starts the saslauthd daemon. It is
# configured using the file /etc/default/saslauthd.
### END INIT INFO
# Author: Fabian Fagerholm <fabbe@debian.org>
#
# Based on previous work by Dima Barsky.
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="SASL Authentication Daemon"
NAME=saslauthd
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS=""
SCRIPTNAME=/etc/init.d/$NAME
FALLBACK_RUN_DIR=/var/run/$NAME
EXIT_ERROR_CODE=1
# Exit if the daemon is not installed
test -x "$DAEMON" || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
[ -f /etc/default/rcS ] && . /etc/default/rcS
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions
# Determine run directory and pid file location by looking for an -m option.
RUN_DIR=`echo "$OPTIONS" | xargs -n 1 echo | sed -n '/^-m$/{n;p}'`
if [ -z "$RUN_DIR" ]; then
# No run directory defined in defaults file, use fallback
RUN_DIR=$FALLBACK_RUN_DIR
fi
PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"
# If the daemon is not enabled, give the user a warning and then exit,
# unless we are stopping the daemon
if [ "$START" != "yes" -a "$1" != "stop" ]; then
log_warning_msg "To enable $NAME, edit /etc/default/$NAME and set START=yes"
exit 0
fi
# If no mechanisms are defined, log this and exit
if [ -z "$MECHANISMS" ]; then
log_failure_msg "No mechanisms defined in /etc/default/$NAME," \
"not starting $NAME"
exit $EXIT_ERROR_CODE
fi
# If there are mechanism options defined, prepare them for use with the -O flag
if [ -n "$MECH_OPTIONS" ]; then
MECH_OPTIONS="-O $MECH_OPTIONS"
fi
# If there is a threads option defined, prepare it for use with the -n flag
if [ -n "$THREADS" ]; then
THREAD_OPTIONS="-n $THREADS"
fi
# Construct argument string
DAEMON_ARGS="$DAEMON_ARGS -a $MECHANISMS $MECH_OPTIONS $OPTIONS $THREAD_OPTIONS"
#
# Function that creates a directory with the specified
# ownership and permissions
#
createdir()
{
# $1 = user
# $2 = group
# $3 = permissions (octal)
# $4 = path to directory
# In the future, use -P/-Z to have SE Linux enhancement.
install -d --group="$2" --mode="$3" --owner="$1" "$4"
}
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
if dpkg-statoverride --list $RUN_DIR > /dev/null; then
dir=`dpkg-statoverride --list $RUN_DIR`
fi
test -z "$dir" || createdir $dir
start-stop-daemon --start --quiet --pidfile $PIDFILE --name $NAME \
--exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --pidfile $PIDFILE --name $NAME \
--exec $DAEMON -- $DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
--pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 \
--exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE \
--name $NAME
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
1) [ "$VERBOSE" != no ] && log_progress_msg "(already running)" && \
log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
1) [ "$VERBOSE" != no ] && log_progress_msg "(not running)" && \
log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
exit 3
;;
esac
:
-------------------------------------------------
Could it be a permissions / chroot jail problem?
Thanks,
Andy
falko
21st May 2008, 15:17
I think it could be a chroot problem, but I don't know why... :confused:
Challenger
24th May 2008, 09:55
Ok Falko, I'll keep trying and let you know if I make any progress...
Thanks,
Andy
Challenger
26th May 2008, 19:56
Hi Falko,
I think I might have fixed it.
Any saslauthd command was returning the following: 'could not chdir to: /var/run/saslauthd chdir: no such file or directory Check to make sure the directory exists and is writeable by the user this process runs as'
I therefore created the directory, set permissions for the user postfix, and restarted saslauthd and postfix.
This then gave the mail log error: 'SASL LOGIN authentication failed: authentication failure', which suggested that at least saslauthd was running now.
I then ran the command 'saslauthd -a shadow' to specify my login and password source, and it now seems to work.
Does all of this make sense? Have I opened any security loopholes here?
Thanks for all your help to get me this far.
Andy
falko
27th May 2008, 18:37
You should then specify
MECHANISMS="shadow"
in /etc/default/saslauthd.
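The pieces that had to line up in this exchange (the START flag, the `-m` directory in OPTIONS, the chroot column of the `smtp inet` service, and a run directory that actually exists) can be checked in one pass. The script below is an added example, not code from any poster or from the Debian package; the function names, the verdict words and the optional ROOT prefix are hypothetical, and it assumes the socket is the file `mux` inside the run directory and that `-` in the chroot column means yes, as the master.cf header quoted above states.

```shell
#!/bin/sh
# Added example: compare where a (possibly chrooted) Postfix smtpd looks for
# the saslauthd socket with what the saslauthd defaults file configures.
# File arguments must be paths containing a slash (they are sourced with ".").

# Print the START value from a saslauthd defaults file ("no" if unset).
sasl_start_value() {
    ( START=no; . "$1"; echo "$START" )
}

# Print the directory given with -m in OPTIONS, or /var/run/saslauthd,
# the fallback used by the init script quoted in this thread.
sasl_run_dir() {
    (
        OPTIONS=
        . "$1"
        set -- $OPTIONS                 # split OPTIONS into words
        while [ $# -gt 0 ]; do
            if [ "$1" = "-m" ] && [ $# -ge 2 ]; then
                echo "$2"
                exit 0                  # leaves the subshell only
            fi
            shift
        done
        echo /var/run/saslauthd
    )
}

# Print yes/no/unknown: is the "smtp inet" service in master.cf chrooted?
# Field 5 is the chroot column; "-" is treated as yes (assumption, see lead-in).
smtpd_chrooted() {
    awk '$1 == "smtp" && $2 == "inet" {
             r = ($5 == "n") ? "no" : "yes"; print r; found = 1; exit
         }
         END { if (!found) print "unknown" }' "$1"
}

# check_sasl_socket DEFAULTS MASTER_CF QUEUE_DIR [ROOT]
# Prints one verdict: disabled | no-smtpd-service | mismatch | missing-dir |
# no-socket | ok. ROOT is a path prefix for checking a copy of the
# filesystem; leave it empty on a live host.
check_sasl_socket() {
    defaults=$1
    master=$2
    queue=$3
    root=${4:-}

    if [ "$(sasl_start_value "$defaults")" != "yes" ]; then
        echo disabled; return 0
    fi
    run_dir=$(sasl_run_dir "$defaults")
    case $(smtpd_chrooted "$master") in
        yes) expected="$queue/var/run/saslauthd" ;;  # chroot path seen from outside
        no)  expected=/var/run/saslauthd ;;
        *)   echo no-smtpd-service; return 0 ;;
    esac
    if [ "$run_dir" != "$expected" ]; then
        echo mismatch; return 0         # daemon and smtpd use different directories
    fi
    if [ ! -d "$root$run_dir" ]; then
        echo missing-dir; return 0      # the "No such file or directory" case
    fi
    if [ ! -S "$root$run_dir/mux" ]; then
        echo no-socket; return 0        # directory exists, daemon not listening
    fi
    echo ok
}

# Demo on constructed files that mirror the settings posted in this thread.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'START=yes' 'MECHANISMS="shadow"' \
        'OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"' > "$tmp/saslauthd"
    printf '%s\n' 'smtp inet n - - - - smtpd' > "$tmp/master.cf"
    check_sasl_socket "$tmp/saslauthd" "$tmp/master.cf" /var/spool/postfix "$tmp/root"
    rm -rf "$tmp"
}
demo
```

On a live host the call would be `check_sasl_socket /etc/default/saslauthd /etc/postfix/master.cf /var/spool/postfix`.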
Challenger
28th May 2008, 01:40
Thanks Falko,
I have another problem (not related to this) in that I think I am now getting lots of attempts to use my mail server as a relay. I have it locked down OK (tested using abuse.net) so the emails are NOT being relayed, but still the attempts seem to be draining resources. A sample from the log file shows:
----------------------------------------------------------------------------
May 27 23:18:28 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <NewYorkBusinessDevelopmentCorporation@pop-smtp1-f.bt.mail.vip.ird.yahoo.com>: Sender address rejected: Malformed DNS server reply; from=<NewYorkBusinessDevelopmentCorporation@pop-smtp1-f.bt.mail.vip.ird.yahoo.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:28 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <apkosten1955@aaretesaar.com>: Sender address rejected: Domain not found; from=<apkosten1955@aaretesaar.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:29 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <PfizerWebsiteProducts.Office0380@vipintcort.com>: Sender address rejected: Domain not found; from=<PfizerWebsiteProducts.Office0380@vipintcort.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:29 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <barberdi@math.univ-fcomte.fr>: Sender address rejected: Domain not found; from=<barberdi@math.univ-fcomte.fr> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:29 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <dratzlkq@mixmachine.demon.co.uk>: Sender address rejected: Domain not found; from=<dratzlkq@mixmachine.demon.co.uk> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:29 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <bigsfan@gmbuilding.com>: Sender address rejected: Domain not found; from=<bigsfan@gmbuilding.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:30 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <dglowski@ix.netcom.comm.com>: Sender address rejected: Domain not found; from=<dglowski@ix.netcom.comm.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:32 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <l.suarez_uf@isbc.on.ca>: Sender address rejected: Domain not found; from=<l.suarez_uf@isbc.on.ca> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:35 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <lgvesr@knoll21.fsnet.co.uk>: Sender address rejected: Domain not found; from=<lgvesr@knoll21.fsnet.co.uk> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:39 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <allenszto@huqtpssuuwhl.in>: Sender address rejected: Domain not found; from=<allenszto@huqtpssuuwhl.in> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:42 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <qgxszcvgn@hoptmail.co.uk>: Sender address rejected: Domain not found; from=<qgxszcvgn@hoptmail.co.uk> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:46 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <victor7276swane@hmsi-india.com>: Sender address rejected: Domain not found; from=<victor7276swane@hmsi-india.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:49 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <majordomo@smattorney.com>: Sender address rejected: Domain not found; from=<majordomo@smattorney.com> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:52 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <newsweb@threeswans.demon.co.uk>: Sender address rejected: Domain not found; from=<newsweb@threeswans.demon.co.uk> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
May 27 23:18:55 pooh postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <opjmbnax@sctimber.com.au>: Sender address rejected: Domain not found; from=<opjmbnax@sctimber.com.au> to=<ask_me@localhost> proto=ESMTP helo=<pooh.boul.net>
------------------------------------------------------------------------
Is this normal and simply a hazard of running a mail server, or is my server doing something it shouldn't be doing?
Thanks,
Andy
falko
28th May 2008, 23:05
That's normal. But this link might be interesting for you: http://www.howtoforge.com/block_spam_at_mta_level_postfix
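The reject lines quoted above all name the client as localhost[127.0.0.1], so grouping rejects by client address, SMTP code and reason is a useful first pass over such a log. This is an added example, not from the thread; the function names are hypothetical and the sample log lines are constructed (documentation addresses and domains).

```shell
#!/bin/sh
# Added example: summarise Postfix "NOQUEUE: reject: RCPT" lines by client
# address, SMTP reply code and reason, and count those from loopback clients.

# Reads maillog lines on stdin; prints "count|client-ip|code|reason",
# highest count first. Lines that are not RCPT rejects are ignored.
# The enhanced status code (e.g. 5.7.1) is optional in the input.
summarize_rejects() {
    sed -n 's/.*NOQUEUE: reject: RCPT from [^[]*\[\([^]]*\)\]: \([0-9][0-9][0-9]\) [0-9.]* *<[^>]*>: \([^;]*\);.*/\1|\2|\3/p' |
    awk '{ n[$0]++ } END { for (k in n) print n[k] "|" k }' |
    sort -t'|' -k1,1nr -k2
}

# Reads maillog lines on stdin; prints how many rejects came from a
# loopback client (127.0.0.0/8 or ::1), i.e. from a process on the server.
loopback_reject_count() {
    summarize_rejects |
    awk -F'|' '$2 ~ /^127\./ || $2 == "::1" { c += $1 } END { print c + 0 }'
}

# Constructed sample input, shaped like the lines posted in this thread.
sample_log() {
    cat <<'EOF'
May 27 23:18:28 mx postfix/smtpd[24094]: connect from localhost[127.0.0.1]
May 27 23:18:28 mx postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <a@nodomain.example>: Sender address rejected: Domain not found; from=<a@nodomain.example> to=<user@localhost> proto=ESMTP helo=<mx.example.org>
May 27 23:18:29 mx postfix/smtpd[24094]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 450 4.1.8 <b@missing.example>: Sender address rejected: Domain not found; from=<b@missing.example> to=<user@localhost> proto=ESMTP helo=<mx.example.org>
May 27 23:19:02 mx postfix/smtpd[24101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <x@elsewhere.example>: Relay access denied; from=<s@sender.example> to=<x@elsewhere.example> proto=ESMTP helo=<host>
May 27 23:19:05 mx postfix/smtpd[24101]: disconnect from unknown[203.0.113.7]
EOF
}

# Demo: summary table, then the loopback total.
sample_log | summarize_rejects
sample_log | loopback_reject_count
```

A non-zero loopback count means the rejected mail was handed to smtpd by something running on the server itself, which is a different investigation from rejects that arrive from remote addresses.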
Challenger
29th May 2008, 22:00
Thanks Falko
Challenger
3rd June 2008, 22:58
Hi again,
I thought all was fine, but not quite! I had to reboot the server, and on running up, the directory /var/run/saslauthd is not there! I had to manually recreate it for SASL to work.
Why is this happening?
Thanks for your help.
Andy
falko
4th June 2008, 20:55
Not sure why this is happening, but you could add the command to create that directory to /etc/rc.local.
Challenger
4th June 2008, 22:31
OK, good idea - whilst I try to figure out why.
Thanks,
Andy
bloodfilledwater
3rd January 2009, 21:30
I have the same issue. Can't send to external recipients via mail client. I did enable smtp authentication in the mail client, which has no effect. But if I have smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated defer then I can send out fine, but then I can't get mail. Mail bounces saying For <user@domain.com>, Site (domain/xxx.xxx.xxx.xxx) said: 450 4.3.2 <user@domain.com>: Recipient address rejected: Try again later. I can't remove "defer" from smtpd_recipient_restrictions or postfix will fail to start. Any ideas?
falko
4th January 2009, 13:44
What's in your mail log when you try to send a mail? What's in your main.cf? How did you set up your email account?
casler
9th January 2009, 21:15
I am having a very perplexing issue and it is a 554 5.7.1 <xxxxxx@yahoo.com>: Relay access denied error.
I have been using the ISPconfig software for well over a year flawlessly …….. my business requirements changed and with that came the following……
Cisco 871 router
PIX 506e firewall
Windows Small Business Server 2003
I was using a Linksys BEF VPN router and everything ran fine (users authenticated against the linux box everything was super) ….. email worked from both inside and outside the network….. I added and configured the Cisco appliances and the SBS but I want to use ISPconfig for email until I receive more static IPs from my ISP to configure exchange and webmail (and everything else with SBS2003)…. Trouble began when the SBS2003 wanted to take over DNS which I thought at the time was fine but now from outside the network I can’t send email to anyone outside of our domain (I get 554 5.7.1 error)….. I just pass requests from FE4 (PPOE connection) through to the firewall, utilize NAT on the firewall and just translate the same ports from the old Linksys box…. I did notice the /etc/resolve.conf had the old private router IP so I added my SBS there (still no avail)……not even sure where to start……
falko
10th January 2009, 14:07
Did you enable "Server requires authentication" in your email client?
What's in /etc/resolv.conf now?
lexthoonen
13th April 2009, 04:56
Hi,
I've got the same problem. Via none of the domains hosted on this particular server (ubuntu - ispconfig) can mail be sent.
Authentication is set to on, using the same login details as pop. And on pop, all mail comes in.
I've attached a file with a lot of the info that has been asked by Falko in this thread to other people with similar problems.
p.s. I've got another problem too, being the Bind server showing as offline (although everything seems to work okayish), I don't know if that can have anything to do with it... I thought it'd be better if I make that another topic but I'll first see what people who know think of it.
Thanks, lex
Log of my e-mail client:
connected to SMTP server
authenticating (plain)...
Server reports error. The response is: Error: authentication failed
authenticating (login)...
Server reports error. The response is: Error: authentication failed
WARNING: there were no compatible authentication mechanisms detected
sending message to lex@xxxx.nl
The last address submitted was <lex@xxxx.nl>: Relay access denied
(pop works fine)
casler
13th April 2009, 16:32
Lex,
I found I was having more of a hardware issue and it was resolved on my PIX box….. Cisco inherently forces the “fix up” in the running config….. The firewall was looking for RPC compliancy in the actual email trying to be relayed….. because the headers in the email didn’t comply….. PIX replaces log in information with XXXXXX….. The mail server (which is my ISPconfig box) freaks out because there is no user XXXXXX….. and denies the relay….. I used the “no fixup smtp 25” command in the Cisco CLI (on the firewall) and the problem was immediately resolved…..
beeman
7th September 2009, 19:30
Hi I am running perfect setup Ubuntu 8.10 Postfix,ISP Config 2.2.29 and webmin 1.441 and have recently started receiving
"Warning: service httpd not running .." as well as" XXXX@XXXXX.co.uk' on 07/09/2009 11:30
554 5.7.1 <xxxxx@xxxxxx.co.uk>: Relay access denied"
Yes I have checked that 'My outgoing server is authenticated'
No I cannot restart Apache with sudo /etc/init.d/apache2 restart - it returns "install: invalid user `www-data'
apache2: bad user name www-data"
We run a small postfix setup and have been receiving a lot of spam lately so I tinkered with the main.cf - but even with the original one back I cannot restart the Apache server or stop the "relay access denied".
I assume the two 'problems' are related
Sorry if I am a bit woolly but I am not a computer pro!
Thanks
falko
8th September 2009, 15:01
Can you check if the user www-data is listed in /etc/passwd?
beeman
8th September 2009, 16:16
No not in /etc/passwd
Yes in /etc/passwd-
in /etc/passwd- it reads:- www-data:x:33:33:www-data:/var/www:/bin/sh
falko
9th September 2009, 16:33
I guess there's something wrong with /etc/passwd then. Make a backup of it and copy /etc/passwd- to /etc/passwd and try again. Do you still see any errors then?
beeman
9th September 2009, 17:58
It won't recognise a renaming of passwd-
"uid 1000 does not exist in the passwd file!"
passwd- has a lot fewer users in it. It does however have
www-data:x:33:33:www-data:/var/www:/bin/sh
and a line
nobody:x:655535:65534:nobody:/nonexistent:/bin/sh
the passwd file has on the other hand no www-data but does have
nobody:x:1002:100:nobody:/home/nobody:
What if I was to type in the missing lines www-data:x: ....etc into the passwd file?
falko
10th September 2009, 19:11
It won't recognise a renaming of passwd-
"uid 1000 does not exist in the passwd file!"
Did you try this as root?
What if I was to type in the missing lines www-data:x: ....etc into the passwd file?
You can do that as well.
tiscarabee
12th September 2009, 03:00
Hi Falko,
There is a long time :) Always using in prod the superb tuto for mail & mysql :
http://www.howtoforge.com/virtual_users_and_domains_with_postfix_debian_etch_p6
I'm "cooking" the migration from my actual production server (HELIOS) on a new server (SERAPHINE), under debian lenny. For tests, I'm using for the first time the transport table, for one of my domains (MYDOMAIN). But access is denied, said postfix's logs :
Sep 12 01:34:53 helios postfix/smtpd[27479]: NOQUEUE: reject: RCPT from mail-ew0-f221.google.com[209.85.219.221]: 554 5.7.1 <david@MYDOMAIN>: Relay access denied; from=<myAdress@gmail.com> to=<david@MYDOMAIN> proto=ESMTP helo=<mail-ew0-f221.google.com>
In the table, I've written this:
domain : MYDOMAIN
transport : smtp:[IP_LAN_LIKE_192.168...]
I've tried with transport : smtp:[IP_LAN_LIKE_192.168...]:25, same result.
But it works when I use an email account using HELIOS smtp.
An idea ?
Thanks in advance !
David