ISPConfig SMTP AUTH fails after change IP address

Discussion in 'Installation/Configuration' started by tecnicom, Nov 21, 2006.

  1. tecnicom

    tecnicom New Member

    Hi. I installed ISPConfig with FC5 with the great Falko HowTos.
    Everything worked fine for a couple of months.
    The server used to have a public IP address.

    The ISP added an external firewall and I have changed the server IP
    address to an internal 192.168.0.7 address instead of the public one.

    I made some changes to the named, httpd, hosts, resolv.conf files
    and others, and almost everything worked fine,
    but only the SMTP RELAY ACCESS IS NOT WORKING NOW as before
    when the users use Outlook. (With squirrel and uebimiau it is working OK.)

    The SASL auth looks like it is working well and authenticates the user,
    but now it is not allowing the relay.

    It looks like the SMTP AUTH connection works but is not saved or cached???

    The maillog shows that Outlook is trying to send the email before the Login and the Logout.
    In the past the logs were in the same order, but the second time the user tried to send
    the email the connection was allowed.

    I will appreciate any help or hint.

    Regards.
    Adolfo Oviedo / Costa Rica
    ---------------------------

    I have changed the IP in ISPCONFIG -> Management --> Server -- Settings -> IP address

    -----------------------------
    SASL is working...

    [[email protected] log]# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 dominios.com ESMTP Postfix
    ehlo localhost
    250-dominios.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250 8BITMIME

    -------------

    Here is the maillog .. the Login is allowed and

    Nov 20 22:53:29 dominios postfix/smtpd[21069]: connect from unknown[196.40.56.7]
    Nov 20 22:53:29 dominios postfix/smtpd[21069]: NOQUEUE: reject: RCPT from unknown[196.40.56.7]: 572 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<yyy>
    Nov 20 22:53:29 dominios postfix/smtpd[21069]: disconnect from unknown[196.40.56.7]
    Nov 20 22:53:29 dominios dovecot: pop3-login: Login: user=<web3_xxx>, method=PLAIN, rip=::ffff:196.40.56.7, lip=::ffff:192.168.0.7
    Nov 20 22:53:29 dominios dovecot: pop3(web3_xxx): Logout. top=0/0, retr=0/ del=0/0, size=0
    N

    ----------------
    this is the end of the main.cf

    virtual_maps = hash:/etc/postfix/virtusertable
    mydestination = /etc/postfix/local-host-names
    relay_domains = $mydestination
    append_at_myorigin = no

    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    home_mailbox = Maildir/

    -------------
    I also tested adding these parameters, with no luck

    #smtpd_sasl_type = dovecot
    #smtpd_sasl_path = private/auth
    #smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    #smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    #smtpd_tls_session_cache_timeout = 3600
    #smtp_connection_cache_time_limit = 3600
    #smtp_connection_cache_on_demand = yes

    --------------
    the file /etc/sysconfig/saslauthd has
    MECH=pam
    --------------
    I checked and the domain is listed OK in /etc/postfix/local-host-names
    with www and without www

    ----------------
     
    Last edited: Nov 28, 2006
  2. falko

    falko Super Moderator ISPConfig Developer

    What's the output of
    Code:
    netstat -tap
    ? Did you enable "Server requires authentication." in your email client?

    What's the output of
    Code:
    postconf -d|grep mynetworks
    and
    Code:
    postconf -n|grep mynetworks
    ?
     
  3. tecnicom

    tecnicom New Member

    PostconfOutputs

    Hi Falko thanks for your great support.
    Hope I can contribute to ISPConfig in some way in the near future.
    I have good expertise in PHP and C++ programming.


    ------------------------------------------
    Regarding your questions.

    I saw that postconf -d
    has a problem in mynetworks because there is no ',' between the subnets.
    How can I update the output of postconf -d?
    mynetworks = 127.0.0.0/8 192.168.0.0/24

    The main.cf has it right, with the ',', and postconf -n shows
    mynetworks = 127.0.0.0/8, 192.168.0.0/24

    -----------------------------------------------------------

    Did you enable "Server requires authentication." in your email client?

    Sure...
    and everything was working great before changing the IP.

    Does pop-before-smtp work with the Postfix configuration for ISPConfig?

    ------------------------------------------------------------

    the output of netstat -tap is:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 *:mysql *:* LISTEN 2608/mysqld
    tcp 0 0 *:40847 *:* LISTEN 1435/rpc.statd
    tcp 0 0 *:sunrpc *:* LISTEN 1416/portmap
    tcp 0 0 *:ndmp *:* LISTEN 3454/perl
    tcp 0 0 *:hosts2-ns *:* LISTEN 3192/ispconfig_http
    tcp 0 0 dominios:domain *:* LISTEN 3426/named
    tcp 0 0 dominios:domain *:* LISTEN 3426/named
    tcp 0 0 dominios:domain *:* LISTEN 3426/named
    tcp 0 0 dominios:ipp *:* LISTEN 1657/cupsd
    tcp 0 0 *:smtp *:* LISTEN 3582/master
    tcp 0 0 dominios:rndc *:* LISTEN 3426/named
    tcp 0 0 *:imaps *:* LISTEN 1813/dovecot
    tcp 0 0 *:pop3s *:* LISTEN 1813/dovecot
    tcp 0 0 *:pop3 *:* LISTEN 1813/dovecot
    tcp 0 0 *:imap *:* LISTEN 1813/dovecot
    tcp 0 0 *:http *:* LISTEN 3326/httpd
    tcp 0 0 *:ftp *:* LISTEN 3443/proftpd: (acce
    tcp 0 0 *:ssh *:* LISTEN 1676/sshd
    tcp 0 0 ::1:rndc *:* LISTEN 3426/named
    tcp 0 0 *:https *:* LISTEN 3326/httpd

    ----------------
    postconf -d | grep mynetworks

    mynetworks = 127.0.0.0/8 192.168.0.0/24
    mynetworks_style = subnet
    parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

    ---------------------
    [[email protected] log]# postconf -n|grep mynetworks
    mynetworks = 127.0.0.0/8, 192.168.0.0/24
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

    --------------
    Thank you for any help.
     
    Last edited: Nov 28, 2006
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    New developers are always welcome :)

    postconf -d shows the defaults while postconf -n shows the current configuration used by postfix. I think the correct configuration will be without ",", so it might be better to remove it in main.cf and restart postfix.


    No. Pop before SMTP is not supported.


    That's OK so far. Postfix is listening on all IP addresses.
     
  5. tecnicom

    tecnicom New Member

    Still.... Relay access denied

    I was playing all night with several parameters like
    smtpd_sender_restrictions, smtpd_sender_restrictions with no luck.
    (I commented them out in the end.)

    The login with Dovecot looks OK... but still with Relay access denied;

    I tried mynetworks in the main.cf with and without the comma
    but still the same problem.
    I don't know why permit_sasl_authenticated is not working....

    ----------------------------------------------------------------------
    This is a recent log... it is the same.

    Nov 28 03:53:03 dominios postfix/smtpd[18241]: connect from unknown[196.40.56.7]
    Nov 28 03:53:03 dominios postfix/smtpd[18241]: NOQUEUE: reject: RCPT from unknown[196.40.56.7]: 554 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<adolfo>
    Nov 28 03:53:03 dominios postfix/smtpd[18241]: disconnect from unknown[196.40.56.7]
    Nov 28 03:53:03 dominios dovecot: pop3-login: Login: user=<web3_xxx>, method=PLAIN, rip=::ffff:196.40.56.7, lip=::ffff:192.168.0.7
    Nov 28 03:53:03 dominios dovecot: pop3(web3_adolfo): Logout. top=0/0, retr=0/ del=0/0, size=0

    --------------------------------
    I think postconf -d (default) is not necessary...
    because it is overwritten by the current one???

    --------------------------------
    Here is all the output from postconf -n.
    It's almost the same as the Perfect Setup Fedora Core 5

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_at_myorigin = no
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    html_directory = no
    inet_interfaces = all
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = /etc/postfix/local-host-names
    mynetworks = 192.168.0.0/24 127.0.0.0/8
    newaliases_path = /usr/bin/newaliases.postfix
    readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
    relay_domains = $mydestination
    sample_directory = /usr/share/doc/postfix-2.2.8/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550

    ---------------------------------
    If I manually add my IP 196.40.56.7 to mynetworks in the main.cf it works,
    but I can't spend all day adding the clients' IPs and restarting... SMTP_AUTH has to do this work!!!
    This is the correct log when the IP was added manually and the message was sent...

    Nov 28 04:21:26 dominios postfix/smtpd[21532]: connect from unknown[196.40.56.7]
    Nov 28 04:21:27 dominios postfix/smtpd[21532]: 26EB2D70717: client=unknown[196.40.56.7]
    Nov 28 04:21:27 dominios postfix/cleanup[21534]: 26EB2D70717: message-id=<[email protected]>
    Nov 28 04:21:27 dominios postfix/qmgr[21525]: 26EB2D70717: from=<[email protected]>, size=1345, nrcpt=1 (queue active)
    Nov 28 04:21:27 dominios postfix/smtpd[21532]: disconnect from unknown[196.40.56.7]
    Nov 28 04:21:27 dominios dovecot: pop3-login: Login: user=<web3_xxx>, method=PLAIN, rip=::ffff:196.40.56.7, lip=::ffff:192.168.0.7
    Nov 28 04:21:27 dominios dovecot: pop3(web3_xxx): Logout. top=0/0, retr=0/ del=0/0, size=0
    Nov 28 04:21:27 dominios postfix/smtp[21528]: 26EB2D70717: to=<[email protected]>, relay=mail.hotmail.com[195.40.56.6], delay=0, status=sent (250 2.0.0 kASAeQDQ030199 Message accepted for delivery)
    Nov 28 04:21:27 dominios postfix/qmgr[21525]: 26EB2D70717: removed

    -----------------

    Still with the same problem... !!!
     
    Last edited: Nov 28, 2006
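Added example (not part of the original thread, and not ISPConfig or Postfix code): Postfix appends `sasl_method=` and `sasl_username=` to the `client=` line only for sessions that authenticated, so log excerpts like the ones in the post above can be sorted into "relayed because of SASL" and "relayed for some other reason" mechanically. The sample log, verdict labels and function names below are assumptions of this example.

```python
import re

# Constructed sample modelled on the thread's maillog excerpts; host name,
# addresses, queue IDs and the SASL user are placeholders.
SAMPLE_LOG = """\
Nov 28 03:53:03 mx postfix/smtpd[18241]: connect from unknown[203.0.113.7]
Nov 28 03:53:03 mx postfix/smtpd[18241]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 <rcpt@example.net>: Relay access denied; from=<user@example.com> to=<rcpt@example.net> proto=SMTP helo=<pc>
Nov 28 03:53:03 mx postfix/smtpd[18241]: disconnect from unknown[203.0.113.7]
Nov 28 04:21:26 mx postfix/smtpd[21532]: connect from unknown[203.0.113.7]
Nov 28 04:21:27 mx postfix/smtpd[21532]: 26EB2D70717: client=unknown[203.0.113.7]
Nov 28 04:21:27 mx postfix/smtpd[21532]: disconnect from unknown[203.0.113.7]
Nov 28 05:02:10 mx postfix/smtpd[22301]: connect from unknown[203.0.113.9]
Nov 28 05:02:11 mx postfix/smtpd[22301]: 3A1F0D70718: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=web3_user
Nov 28 05:02:11 mx postfix/smtpd[22301]: disconnect from unknown[203.0.113.9]
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
QUEUED = re.compile(r"^[0-9A-F]+: client=")
SASL_USER = re.compile(r"sasl_username=(\S+)")

def verdict(s):
    if s["queued"]:
        # No sasl_username on the client= line: the mail was let in by
        # permit_mynetworks or because the recipient domain is local.
        return "accepted-sasl:" + s["sasl"] if s["sasl"] else "accepted-no-sasl"
    if s["denied"]:
        return "denied-auth-failed" if s["auth_failed"] else "denied-no-auth-logged"
    return "no-mail"

def classify(log_text):
    """Return (client_ip, verdict) for each smtpd session, in disconnect order."""
    sessions, results = {}, []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        pid, msg = m.groups() if m else (None, "")
        if msg.startswith("connect from"):
            sessions[pid] = dict(ip=msg[msg.index("[") + 1:msg.rindex("]")],
                                 sasl=None, queued=False, denied=False, auth_failed=False)
        elif pid in sessions:
            s = sessions[pid]
            s["denied"] |= "Relay access denied" in msg
            s["auth_failed"] |= "authentication failed" in msg
            if QUEUED.match(msg):
                user = SASL_USER.search(msg)
                s["queued"], s["sasl"] = True, user.group(1) if user else None
            if msg.startswith("disconnect from"):
                results.append((s["ip"], verdict(s)))
                del sessions[pid]
    return results
```

An `accepted-no-sasl` verdict for a client outside your own address ranges and a non-local recipient means `mynetworks` is what allowed the relay, so that entry should be removed again once SMTP AUTH works.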
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Which mail client are you using? To me it looks like your mail client does not send authentication information, as it is logged as unknown:
    Please try another mailclient like thunderbird to see if the problem is related to the server or client.
     
  7. tecnicom

    tecnicom New Member

    Other mail clients have the same

    Thanks for the hint but no luck yet.
    I tried with Outlook, Netscape email and Thunderbird, with exactly the same results.
    "My server requires authentication" (server login user/pass) is active.

    Nov 28 04:47:47 dominios postfix/smtpd[22269]: connect from unknown[196.40.56.7]
    Nov 28 04:47:47 dominios postfix/smtpd[22269]: NOQUEUE: reject: RCPT from unknown[196.40.56.7]: 554 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<[adolfo]>
    Nov 28 04:47:48 dominios postfix/smtpd[22269]: lost connection after RCPT from unknown[196.40.56.7]
    Nov 28 04:47:48 dominios postfix/smtpd[22269]: disconnect from unknown[196.40.56.7]
     
    Last edited: Nov 28, 2006
  8. tecnicom

    tecnicom New Member

    Does somebody know why???
    Another clue.... If I try from the same machine...
    telnet localhost 25, I receive:
    -------------------------------------------------------
    Trying 192.168.0.7...
    Connected to www.dominiostek.com (192.168.0.7).
    Escape character is '^]'.
    220 dominiostek.com ESMTP Postfix
    -------------------------------------------------------
    but if I try from an external machine, telnet dominiostek.com 25, I just see

    220 *****************************

    I don't know why??? Is that OK???
    -------------------------------------------------------

    Authentication looks OK... because people receive emails but nobody can send...
    (at least I stay all day adding the IP in mynetworks!)

    I checked again that the file /etc/sysconfig/saslauthd has MECH=pam,
    but I saw some forum messages from people using MECH=shadow. Is that OK?
     
    Last edited: Nov 28, 2006
  9. falko

    falko Super Moderator ISPConfig Developer

    Is 200.122.152.12 your server's public IP address? Because that's the IP address that dominiostek.com is pointing to.
     
  10. tecnicom

    tecnicom New Member

    Problem Solved. Thanks

    Yes Falko, and thanks for everything....

    Hope I can contribute to ISPConfig soon...
    maybe with some small PHP programming to start.
    I have some expertise in PHP and C.
    I think I have some ideas to add more features soon and share them...

    I solved the problem yesterday.
    I deleted all the Postfix files, main.cf and others,
    and did a fresh Postfix reinstall, and it is working now.

    I will try to change these posts to make a small mini-HowTo:
    change IP with ISPConfig

    ISPConfig is great...
    I just saw some small problems so far:
    1 - when I delete a user it doesn't delete everything
    from the MySQL database etc....
    and I cannot create it again with the same name
    2 - now it's not updating the named files and virtual users
    when creating domains and users...
    (I am doing that manually)

    Regards

    Adolfo Oviedo / Costa Rica
    http://www.tecni.com
     
    Last edited: Nov 30, 2006
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the intended behaviour :) ISPConfig has a recycle bin like most modern desktop environments (Gnome, KDE, Windows, MacOS). If you empty the recycle bin, the records are removed from the database.

    Please have a look at the ISPConfig logfile /home/admispconfig/ispconfig/ispconfig.log for errors.
     
