HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


CopalFreak 9th May 2011 21:43

postfix virtual users and authentication problems
I have been trying to get postfix up and going with virtual users and am having a very hard time with it. I have posted in various forums on the web to no avail, but I am hoping somebody here can help.

I can receive mail fine.
In my maillog, when I try to SEND an email from an email client (or webmail), several things are happening.


NOQUEUE: reject: connect from localhost: client host rejected : access denied; proto=SMTP

xsasl_dovecot_server_connect: Connecting
warning: SASL: Connect to private/auth failed: Permission denied
fatal: no SASL authentication mechanisms

There is another post that is ALMOST like this, but the solutions there did not help. Originally I was not getting this error, just a 'client access denied' from my IP address, but after trying to fix it via instructions from the other post, this started happening. Following the example from a post for THIS problem made things worse and I could no longer receive emails.
I started over from scratch and now have it to this point.

I am not sure what I need to post...entire and (pretty long)

postconf -a says

postconf -A says nothing (empty)
(which I am sure is part of the problem, but not sure what to do about it)

postconf -d | grep nis says

alias_maps = hash:/etc/aliases, nis:mail.aliases
lmtp_sasl_mechanism_filter =

..which is odd.. alias_maps is for 'local delivery' correct?
Since I am using virtual users (from mysql), I would think it should be something like :

local_transport = virtual
alias_maps = proxy:mysql:/etc/postfix/

..which is exactly what I currently have in my /etc/postfix/

Any help would be appreciated.

falko 10th May 2011 01:46

What's the output of

postconf -n

Which tutorial (URL) did you use?

CopalFreak 10th May 2011 02:07

Thank you for responding.
I used several different tutorials and resources. Started out with one, had problems I couldn't solve, went to another. Been working on this for a while so it's hard to pin down just one.
And a ton of posts in various forums.

At this point I am considering trying to remove all traces of postfix and dovecot and starting over..again..just to have a 'clean slate'.
Good idea or bad idea?

output of postconf -n

alias_database =
alias_maps = proxy:mysql:/etc/postfix/
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
debug_peer_level = 1
default_privs = mail
disable_vrfy_command = yes
inet_interfaces = localhost, $myhostname
invalid_hostname_reject_code = 450
local_transport = virtual
maps_rbl_reject_code = 450
mydestination = localhost.$mydomain, localhost, $myhostname
myhostname =
mynetworks = /etc/postfix/mynetworks
non_fqdn_reject_code = 450
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps $virtual_login_maps
smtp_sasl_security_options = noanonymous
smtp_sasl_type = doovecot
smtp_tls_CAfile = /etc/postfix/DigiCertCA.pem
smtp_tls_cert_file = /etc/postfix/mail_rockhouseinc_com.pem
smtp_tls_key_file = /etc/postfix/mail_rockhouseinc_com.key
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_data_restrictions = reject_unauth_pipelining,        reject_multi_recipient_bounce,        permit
smtpd_delay_reject = no
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,        permit_sasl_authenticated,        reject_unauth_destination,        reject_invalid_helo_hostname,        warn_if_reject reject_non_fqdn_helo_hostname,        warn_if_reject reject_unknown_helo_hostname,        warn_if_reject reject_unknown_client,        reject_non_fqdn_sender,        reject_non_fqdn_recipient,        reject_unknown_sender_domain,        reject_unknown_recipient_domain,        reject_rbl_client,        reject_rbl_client,        reject_rbl_client,        reject_rbl_client,        reject_rbl_client,        reject_rbl_client,        reject_rbl_client,        reject_rbl_client,        reject_rbl_client,        reject_rbl_client,        warn_if_reject reject_rhsbl_sender,        warn_if_reject reject_rhsbl_sender,        warn_if_reject reject_rhsbl_sender,        warn_if_reject reject_rhsbl_sender,        warn_if_reject reject_rhsbl_sender,        permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/DigiCertCA.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/postfix/mail_rockhouseinc_com.pem
smtpd_tls_dh1024_param_file = $config_directory/dh_1024.pem
smtpd_tls_dh512_param_file = $config_directory/dh_512.pem
smtpd_tls_key_file = /etc/postfix/mail_rockhouseinc_com.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
virtual_alias_maps = proxy:mysql:/etc/postfix/
virtual_gid_maps = static:202
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/
virtual_mailbox_maps = proxy:mysql:/etc/postfix/
virtual_minimum_uid = 202
virtual_transport = dovecot
virtual_uid_maps = static:202

Here is what I am attempting:
email will be stored in /var/vmail/{domain}/{user}
can be accessed by VIRTUAL users (from mysql) via https(webmail) and/or email client which should be using some sort of encryption..but I want the passwords for the virtual users stored in mysql to be 'plaintext' (for the moment).

Thanks a ton for your help!!

falko 10th May 2011 02:43


Originally Posted by CopalFreak (Post 256635)
At this point I am considering trying to remove all traces of postfix and dovecot and starting over..again..just to have a 'clean slate'.
Good idea or bad idea?

Yes, I think that's the best you can do. I suggest you try this tutorial:

CopalFreak 10th May 2011 03:01

That tutorial seems to use courier rather than dovecot.
Is Courier more robust? (going to have 300+ virtual users and some might be getting upwards of 50 emails per day and probably won't manage them correctly. I chose dovecot because of the advanced individualized quota and auto-pruning+notification features it supposedly has)

Also, it uses encrypted passwords instead of plaintext.
I wanted to start out with plaintext passwords in mysql because I am going to need to be able to retrieve them at first. (once I setup all the users, I have to know what password to setup for their email client). I could make a separate list or db, but that's the same security risk.
Isn't there a way to have a setting that it can be PLAIN, and then just change the setting to use encryption, and then encrypt the passwords once I have verified that it's all working correctly?

It starts out with an alias file rather than virtual users in mysql, and then goes to mysql..once completed (IF it works), is it ok to delete virtual.db (and references to it)?


CopalFreak 10th May 2011 22:24


Originally Posted by falko (Post 256639)
Yes, I think that's the best you can do. I suggest you try this tutorial:

OK.. following your tutorial..almost there.. (i think)
..modified a bit for dovecot though.

Getting a silly error..I suspect because of something I did towards the beginning of the tutorial that was for Courier.


warning: request for unapproved table: "unix:passwd.byname" approve this table for proxymap access list proxy:unix:oasswd.byname in

but I am using it should not be looking for that..
in my, I DO have proxy_read_maps

alias_maps = proxy:mysql:/etc/postfix/
virtual_alias_domains = proxy:mysql:/etc/postfix/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/
virtual_login_maps = proxy:mysql:/etc/postfix/
virtual_mailbox_maps = proxy:mysql:/etc/postfix/
virtual_alias_maps = proxy:mysql:/etc/postfix/

mydestination = $myhostname $mynetworks $alias_maps $virtual_mailbox_domains $virtual_login_maps $virtual_mailbox_maps $virtual_alias_maps
proxy_read_maps = $mydestination

One weird thing I DID do was in the mysql_virtual files

hosts = unix:/var/run/mysql/mysql.sock,
I did that because I was getting other errors...not sure it helped though.

Any ideas what is causing this? (and maybe how to fix)?
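
Added example, not part of the thread and not Postfix code: a model of the check behind the "request for unapproved table" warning quoted in the post above, where a proxy: table may be read only if it appears in the expanded proxy_read_maps. It assumes Postfix's built-in default local_recipient_maps = proxy:unix:passwd.byname $alias_maps; the map file names and both sample configurations are constructed placeholders.

```python
import re

# Assumption: Postfix's built-in default, in effect when main.cf does not set it.
BUILTIN_DEFAULTS = {"local_recipient_maps": "proxy:unix:passwd.byname $alias_maps"}
# Constructed samples; the map file names are placeholders (the post elides them).
AS_POSTED = """\
alias_maps = proxy:mysql:/etc/postfix/EXAMPLE_alias.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/EXAMPLE_mailbox.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/EXAMPLE_valias.cf
mydestination = $myhostname $alias_maps $virtual_mailbox_maps $virtual_alias_maps
proxy_read_maps = $mydestination
"""
WITH_LOCAL_MAPS = AS_POSTED.replace(
    "= $mydestination", "= $local_recipient_maps $virtual_mailbox_maps $virtual_alias_maps")

def parse_params(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            last, value = (part.strip() for part in line.split("=", 1))
            params[last] = value
    return params

def expand(value, params, depth=0):
    """Substitute $name and ${name}; unknown names expand to nothing."""
    if depth > 10:  # guard against self-referencing parameters
        return value
    sub = lambda m: expand(params.get(m.group(1), ""), params, depth + 1)
    return re.sub(r"\$\{?(\w+)\}?", sub, value)

def proxy_tables(value):
    """Return the type:name part of every proxy: entry in an expanded value."""
    return {tok[len("proxy:"):] for tok in re.split(r"[,\s]+", value)
            if tok.startswith("proxy:")}

def unapproved_tables(main_cf_text):
    """Map each proxied table missing from proxy_read_maps to the parameters using it."""
    params = {**BUILTIN_DEFAULTS, **parse_params(main_cf_text)}
    approved = proxy_tables(expand(params.get("proxy_read_maps", ""), params))
    missing = {}
    for name, value in params.items():
        for table in proxy_tables(expand(value, params)) - approved:
            missing.setdefault(table, []).append(name)
    return missing
```

On the first sample the only table reported is unix:passwd.byname, reached through the default local_recipient_maps; listing $local_recipient_maps in proxy_read_maps, as in the second sample, leaves nothing unapproved.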


falko 11th May 2011 14:16

I think it's better to use Courier because I didn't test this setup with Dovecot, and I've never had any problems with Courier.

All times are GMT +2.