Relay access denied when using SMTP to external recipients

[rusty]

Thanks falco.

I'm on Centos 5 (64).

# ps aux | grep saslauthd
root 3138 0.0 0.0 40008 476 ? Ss 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3139 0.0 0.0 40008 264 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3140 0.0 0.0 40008 260 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3141 0.0 0.0 40008 260 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3143 0.0 0.0 40008 260 ? S 11:18 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 3742 0.0 0.0 60252 720 pts/0 R+ 11:42 0:00 grep saslauthd

[falko]

What's in /usr/lib64/sasl2/smtpd.conf? It should look like this:

Code:

pwcheck_method: saslauthd
mech_list: plain login

[rusty]

Sorry for the delay, I was away on vacation. I resolved the issue.

In Postfix 2.3 or later, one can use dovecot for sasl, which is what I was doing. Falko's comments about SASL helped me focus on that area and I found that PAM was not enabled in dovecot.conf

Thank you Falko!

[Challenger]

Hello all,

My problem is similar. I can connect when on my internal network through a variety of means, including IMAP and SMTP/POP, with and without TLS. However when I try to connect externally, I get 'relay denied' errors in my Postfix mail log as follows:

NOQUEUE: reject: RCPT from unknown[xxx.xxx.xxx.xxx <but see comment below>]: 554 5.7.1 <username1@in.access.table>: Relay access denied; from=<username2@in.access.table> to=<username1@in.access.table> proto=ESMTP helo=<Inbox>

(I have of course blanked out the IP address and changed the email addresses to show that I think they are checked)

Now, I'm not sure whether this is a Postfix configuration problem, or a sasl problem (I do not have a sasl2/smtpd.conf file that I can find anywhere on my system!), or indeed a NAT problem (see below). I have checked 'authenticate outgoing mail' on my client.

But here's the IP address discussion bit (possible NAT problem) as promised in the log entry: I have of course defined my networks and specified to permit them in Postfix's main.cf. However the error log suggests that Postfix might be rejecting on the IP address. It appears that it is seeing my public IP address from the public side of my router, not my local network IP address. I.E. my router might not be performing NAT properly. I.E. it is port forwarding, (Telnetting gets through fine) but not network address translating. Could this be (part of) the problem?

I hope you can help, I've been on this for weeks. I'm happy to post any config file snippets, log entries etc that you might need.

Thanks in advance,

Andy

[falko]

Which distribution are you using? Did you enable "Server requires authentication" in your email client?

[Challenger]

Hi Falko, thanks for replying.

I'm using Ubuntu 7.10. Yes, I have checked "Server requires authentication" in my client - and specified to use SSL for both incoming and outgoing.

Andy

[falko]

What's in /etc/postfix/sasl/smtpd.conf and /etc/postfix/main.cf?

Does it work if you disable SSL?

[Challenger]

Hi again Falko,

Thanks for trying to help. I answer your questions in the order you asked them.

1. My /etc/postfix/sasl directory is completely empty! Might that be the problem!?

2. The non-comment bits of /etc/postfix/main.cf are (I've protected anything sensitive like: 'working access file'):

----------------------------------------------------------------
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

smtpd_tls_cert_file = 'a file'
smtpd_tls_key_file = 'another file'
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

alias_maps = hash:/etc/aliases
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +

smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:'working passwd file location'
smtp_sasl_security_options=

maximal_queue_lifetime = 1d
mydomain = pooh.boul.net
myorigin = pooh.boul.net
mydestination = pooh.boul.net, localhost.pooh.boul.net, localhost.boul.net, localhost
home_mailbox = Maildir/

mynetworks = 127.0.0.0/8, 192.168.1.0/24

relayhost = outbound.mailhop.org:2525
smtpd_delay_reject = no
smtpd_sender_restrictions = hash:'working access file', reject_unknown_sender_domain
smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:'working access file', reject_unauth_destination
smtpd_helo_required = yes
relay_domains = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit_inet_interfaces
hash_queue_depth = 3
delay_warning_time = 1
--------------------------------------------------------

3. It doesn't work if I turn of SSL in the client; it makes no difference. As you can see from above, SSL isn't required, just nice to have. I haven't tried turning off SSL completely (i.e. commenting out the relevant lines completely in main.cf).

Any ideas?

Thanks,

Andy

[falko]

Which tutorial did you use to set up the system? Are you trying to use virtual users or system users?

[Challenger]

I didn't really use a tutorial as such. I installed packages then used help files to adjust out-of-the-box settings.

I am only interested in system users.

Thanks.