Postfix can't receive emails from external domains

Discussion in 'Server Operation' started by ansabhailte, Sep 10, 2012.

  1. ansabhailte

    ansabhailte New Member

    I'm no expert, but telnetting port 587 returns STARTTLS. Isn't that an encryption protocol?
     
  2. ansabhailte

    ansabhailte New Member

    So in trying to troubleshoot where things are failing, I have lined up the following:

    Email goes from -> to:

    Gmail --> Goldenoakit.com (MX DNS) --> Firewall (IPtables, 587) --> SASL --> Postfix --> MySQL --> vmail folder --> SpamAssassin/Amavis/ClamAV

    Does this look right?

    If so, then everything from Postfix through ClamAV work fine because I can send mail locally. And everything from Gmail to firewall work fine because I can telnet and run an ehlo. That is why I am led to believe that it is a SASL issue. That, and the error report I posted earlier about not being able to auth SASL-PAM-MySQL. When I run testsaslauthd with the user mail_admin it fails. That is the user account that is being used to auth, correct?
     
  3. gscales

    gscales New Member

    Mine returns the same thing. It also returns 250-AUTH LOGIN PLAIN, right?
     
  4. ansabhailte

    ansabhailte New Member

    Yes. But my mail client is configured to use STARTTLS and it pulls from the server just fine (My client's, however, is using PLAIN.)

    But the problem is somewhere in the authentication, I would think, whether that's SASL, PAM, or something with MySQL. The problem is that I just can't pinpoint it, and if I did, I'm not sure I'd know exactly how to fix it.
     
  5. gscales

    gscales New Member

    "When I run testsaslauthd with the user mail_admin it fails. That is the user account that is being used to auth, correct? "

    mail_admin is the database user name that is used by SASL to get into the MySQL database "mail" to find the user %u at domain %r.

    if you type "mysql -u mail_admin -p" ... it should prompt you for a password. Copy and paste the value from the smtpd.conf and it should log you in. Type "show databases;" and one of them should be "mail". Type "use mail;" and it should switch to the mail database.
     
  6. gscales

    gscales New Member

    If you went on with the above, you could type something like "select * users;" and it would give you a list of the users you have set up in mysql. My point is, that when you are using the userid=mail_admin ... that is NOT being authenticated by SASL, but by mysqld. So testsaslauthd will fail on that userid ...
     
  7. ansabhailte

    ansabhailte New Member

    Yes, I've done that. What I'm asking is what user account is being used to auth with saslauthd? Is it the email address user (josh@goldenoakit.com) or is it root or something? Because the only users that can pass testsaslauthd are root and josh (aka local UNIX users.) To put it in other words, if these email accounts need to authenticate with SASL in order to receive email, and the only accounts that can pass the auth are local UNIX accounts, where is the break there? Why aren't the accounts defined in MySQL able to authenticate with SASL over port 587?
     
  8. ansabhailte

    ansabhailte New Member

    Ok. Let's try a different approach. Why, when I try to send an email from Gmail to an address hosted on my server, do I not get any errors or notices in mail.log or anything? Does that show where it's failing?
     
  9. gscales

    gscales New Member

    I'm not real familiar with testsaslauthd, so pardon my ignorance. What is being authenticated through postfix is the user@domainName stored in the MySQL database mail table user. You are testing ID's in the Unix user table which is unrelated because you are using "virtual" users (ie stored in a mysql db).
     
  10. gscales

    gscales New Member

    Well, it at least shows that the failure, misconfiguration, or whatever is messing up is ahead of what is doing the logging ...
     
  11. ansabhailte

    ansabhailte New Member

    Gotcha.

    Now how can we test where the emails are failing?
     
  12. gscales

    gscales New Member

    Ok, let me ask this: Can you set up a user that is defined in your mysql database in a client like Thunderbird or Outlook, and log in?
     
  13. ansabhailte

    ansabhailte New Member

    Yes, I have created 12 user accounts (email addresses) and can log in fine. They can receive emails from any of the other 11 emails, and they can send email to anybody (gmail, yahoo, etc) I can do this from Thunderbird, Outlook, and Squirrelmail (local)
     
  14. gscales

    gscales New Member

    I'm just going to throw this out there: if you can set up a user (any) user that is defined in your database, log in via a MUA (mail user agent) like TBird or Outlook, and send an email anywhere ... you can eliminate authentication as your problem.
     
  15. ansabhailte

    ansabhailte New Member

    Alright. Could it be my MX records? I checked them and I didn't notice anything out of place.
     
  16. gscales

    gscales New Member

    Then, unless I'm missing something, you've hit all the points where authentication comes into play. Authentication as a problem should be eliminated (that's a good thing!)
     
  17. ansabhailte

    ansabhailte New Member

    Just confirmed that my MX record is set up properly.

    Also the port is open in iptables.

    And again, I can telnet 587 from anywhere and run an ehlo.

    Auth is working.

    I can receive mail from all local addresses.

    For the life of me I can't figure out where it's breaking.
     
  18. gscales

    gscales New Member

    Didn't see anything out of place either ...
     
  19. gscales

    gscales New Member

    Actually, when I built a server, I had this exact same problem until I set

    inet_interfaces = all

    But you already have that set ...
     
  20. gscales

    gscales New Member

    Also, if you were to specify mynetworks the way I have it, it would look like:

    mynetworks = 127.0.0.0/8 [::1]/128 [173.255.254.114]

    Not sure if that will help, but my reasoning was that I needed to allow incoming not only from localhost, but from the IP that I'm attached to (I changed the IP to yours ...)
     

Share This Page