Postfix SMTP Auth to Dovecot Not Working -- HELP!

Discussion in 'Server Operation' started by Scratchpad, Apr 10, 2011.

  1. Scratchpad

    Scratchpad New Member

    Hello Everyone! First off, would love to say Thanks to everyone here at HowToForge! I have been a fan for a long time now and love the tutorials that are on here!

    This is the first time I have ever encountered an issue that I have been unable to solve by using the Tutorials and postings in the forum.

    Here is my issue.

    I have followed a number of tutorials to get my CentOS 5.4 32-bit up and running with Postfix and Dovecot using MySQL for virtual users and domains. I have everything working flawlessly (receiving emails from outside sources to my virtual users and domains and sending emails from localhost out to outside domains) except for sending email from non-trusted networks (anything other than localhost is untrusted). I keep getting:

    Code:
    Apr 10 14:13:26 srv postfix/smtpd[21895]: NOQUEUE: reject: RCPT from <MYISPDomain>[<MYISP-IPAddress>]: 554 5.7.1 <user@remote-example.com>: Relay access denied; from=<user@local-example.com> to=<user@remote-example.com> proto=ESMTP helo=<DESKTOP-PC>
    
    I am using Postfix, Cyrus-SASL, Dovecot, Amavisd, MySQL:

    Code:
    Installed Packages:
    amavisd-new.i386                        2.6.4-4.el5.rf                 installed
    cyrus-sasl.i386                         2.1.22-5.el5_4.3               installed
    cyrus-sasl-devel.i386                   2.1.22-5.el5_4.3               installed
    cyrus-sasl-gssapi.i386                  2.1.22-5.el5_4.3               installed
    cyrus-sasl-lib.i386                     2.1.22-5.el5_4.3               installed
    cyrus-sasl-md5.i386                     2.1.22-5.el5_4.3               installed
    cyrus-sasl-plain.i386                   2.1.22-5.el5_4.3               installed
    cyrus-sasl-sql.i386                     2.1.22-5.el5_4.3               installed
    dovecot.i386                        1.0.7-7.el5                        installed
    mysql.i386                             5.0.77-4.el5_5.5                installed
    mysql-devel.i386                       5.0.77-4.el5_5.5                installed
    mysql-server.i386                      5.0.77-4.el5_5.5                installed
    postfix.i386                          2:2.3.3-2.1                      installed
    
    Here is my postconf output:

    Code:
    [root@srv named]# postconf -a
    cyrus
    dovecot
    
    Code:
    [root@srv named]# postconf -A
    cyrus
    
    Code:
    [root@srv named]# postconf -m
    btree
    cidr
    environ
    hash
    ldap
    mysql
    nis
    pcre
    proxy
    regexp
    static
    unix
    
    Code:
    [root@srv named]# postconf -n
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = amavis:[127.0.0.1]:10024
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    home_mailbox = Maildir/
    html_directory = no
    inet_interfaces = all
    mail_owner = postfix
    mailbox_command =
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    myhostname = srv.local-example.com
    mynetworks = 127.0.0.0/8
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
    receive_override_options = no_address_mappings
    sample_directory = /usr/share/doc/postfix-2.3.3/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_banner = mail.local-example.com ESMTP
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_tls_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
    virtual_gid_maps = static:12
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = mysql:$config_directory/mysql_virtual_domains_maps.cf
    virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
    virtual_minimum_uid = 150
    virtual_uid_maps = static:150
    
    Here is my Dovecot config:

    Code:
    [root@srv named]# dovecot -n
    # 1.0.7: /etc/dovecot.conf
    verbose_ssl: yes
    login_dir: /var/run/dovecot/login
    login_executable(default): /usr/libexec/dovecot/imap-login
    login_executable(imap): /usr/libexec/dovecot/imap-login
    login_executable(pop3): /usr/libexec/dovecot/pop3-login
    login_greeting: mail.local-example.com - Ready
    first_valid_uid: 150
    mail_location: maildir:/var/vmail/%d/%n
    mail_debug: yes
    mail_executable(default): /usr/libexec/dovecot/imap
    mail_executable(imap): /usr/libexec/dovecot/imap
    mail_executable(pop3): /usr/libexec/dovecot/pop3
    mail_plugin_dir(default): /usr/lib/dovecot/imap
    mail_plugin_dir(imap): /usr/lib/dovecot/imap
    mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
    auth default:
      mechanisms: plain login
      user: vmail
      verbose: yes
      debug: yes
      debug_passwords: yes
      passdb:
        driver: sql
        args: /etc/dovecot-mysql.conf
      userdb:
        driver: sql
        args: /etc/dovecot-mysql.conf
      userdb:
        driver: prefetch
      socket:
        type: listen
        client:
          path: /var/spool/postfix/private/auth
          mode: 432
          user: postfix
          group: mail
    
    Here is what happens when you telnet to the SMTP port:

    Code:
    [root@srv named]# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.local-example.com ESMTP
    EHLO localhost
    250-mail.local-example.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
    
    Here is the maillog output from start to finish of when sending an email from my Client Winblows Outlook client (user@local-example.com is my email account on the server which works when sent from a trusted network, and user@remote-example.com is the account on an outside provider i.e. gmail.com):

    Code:
    Apr 10 14:30:17 srv dovecot: auth(default): new auth connection: pid=26561
    Apr 10 14:30:18 srv dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=POP3#011secured#011lip=::ffff:<SERVER_IP_HERE>#011rip=::ffff:<CLIENT_IP_HERE>#011resp=<SERVER_RESP_KEY_HERE>
    Apr 10 14:30:18 srv dovecot: auth-worker(default): sql(user@local-example.com,::ffff:<CLIENT_IP_HERE>): query: SELECT username, password FROM mailbox WHERE username = 'user@local-example.com'
    Apr 10 14:30:18 srv dovecot: auth(default): client out: OK#0111#011user=user@local-example.com#011username=user@local-example.com
    Apr 10 14:30:18 srv dovecot: auth(default): master in: REQUEST#01118#01124454#0111
    Apr 10 14:30:18 srv dovecot: auth-worker(default): sql(user@local-example.com,::ffff:<CLIENT_IP_HERE>): SELECT '/var/vmail/local-example.com/user' as home, 'maildir:/var/vmail/local-example.com/user' as mail, 150 AS uid, 12 AS gid, concat('dirsize:storage=',quota) AS quota FROM mailbox WHERE username ='user@local-example.com' AND active ='1'
    Apr 10 14:30:18 srv dovecot: POP3(user@local-example.com): Effective uid=150, gid=12
    Apr 10 14:30:18 srv dovecot: POP3(user@local-example.com): maildir: data=/var/vmail/local-example.com/user
    Apr 10 14:30:18 srv dovecot: POP3(user@local-example.com): maildir: root=/var/vmail/local-example.com/user, index=/var/vmail/local-example.com/user, control=, inbox=
    Apr 10 14:30:18 srv dovecot: auth(default): master out: USER#01118#011user@local-example.com#011home=/var/vmail/local-example.com/user#011mail=maildir:/var/vmail/local-example.com/user#011uid=150#011gid=12#011quota=dirsize:storage=0
    Apr 10 14:30:18 srv dovecot: pop3-login: Login: user=<user@local-example.com>, method=PLAIN, rip=::ffff:<CLIENT_IP_HERE>, lip=::ffff:<SERVER_IP_HERE>, TLS
    Apr 10 14:30:18 srv dovecot: POP3(user@local-example.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
    Apr 10 14:30:18 srv dovecot: auth(default): new auth connection: pid=26565
    Apr 10 14:30:19 srv postfix/smtpd[26565]: connect from <CLIENT_DNS_HERE>[<CLIENT_IP_HERE>]
    Apr 10 14:30:19 srv postfix/smtpd[26565]: setting up TLS connection from <CLIENT_DNS_HERE>[<CLIENT_IP_HERE>]
    Apr 10 14:30:19 srv postfix/smtpd[26565]: TLS connection established from <CLIENT_DNS_HERE>[<CLIENT_IP_HERE>]: TLSv1 with cipher AES128-SHA (128/128 bits)
    Apr 10 14:30:19 srv postfix/smtpd[26565]: NOQUEUE: reject: RCPT from <CLIENT_DNS_HERE>[<CLIENT_IP_HERE>]: 554 5.7.1 <user@remote-example.com>: Relay access denied; from=<user@local-example.com> to=<user@remote-example.com> proto=ESMTP helo=<DESKTOP>
    Apr 10 14:30:22 srv postfix/smtpd[26565]: disconnect from <CLIENT_DNS_HERE>[<CLIENT_IP_HERE>]
    
    Here is a listing of permissions of the postfix directory:

    Code:
    [root@srv postfix]# pwd
    /var/spool/postfix
    [root@srv postfix]# ls -lh
    total 56K
    drwx------ 2 postfix root     4.0K Apr 10 13:11 active
    drwx------ 2 postfix root     4.0K Apr 10 04:46 bounce
    drwx------ 2 postfix root     4.0K Mar 27 15:03 corrupt
    drwx------ 5 postfix root     4.0K Apr  7 14:49 defer
    drwx------ 5 postfix root     4.0K Apr  7 14:49 deferred
    drwx------ 2 postfix root     4.0K Mar 27 15:03 flush
    drwx------ 2 postfix root     4.0K Mar 27 15:03 hold
    drwx------ 2 postfix root     4.0K Apr 10 13:11 incoming
    drwx-wx--- 2 postfix postdrop 4.0K Apr  9 15:53 maildrop
    drwxr-xr-x 2 root    root     4.0K Apr  9 16:27 pid
    drwx------ 2 postfix root     4.0K Apr 10 14:06 private
    drwx--x--- 2 postfix postdrop 4.0K Apr 10 10:47 public
    drwx------ 2 postfix root     4.0K Mar 27 15:03 saved
    drwx------ 2 postfix root     4.0K Mar 27 15:03 trace
    [root@srv postfix]# cd private/
    [root@srv private]# pwd
    /var/spool/postfix/private
    [root@srv private]# ls -lh
    total 0
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 amavis
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 anvil
    srw-rw---- 1 postfix mail    0 Apr 10 14:06 auth
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 bounce
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 bsmtp
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 cyrus
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 defer
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 discard
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 error
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 ifmail
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 lmtp
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 local
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 maildrop
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 old-cyrus
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 proxymap
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 relay
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 rewrite
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 scache
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 smtp
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 tlsmgr
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 trace
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 uucp
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 verify
    srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 virtual
    
    As stated previously, everything works except for the SMTP AUTH from a host from an untrusted network. No errors show up anywhere that I have found.

    If anybody can help, it would be greatly appreciated. I have a feeling I missed a small config setting for SASL in /etc/postfix/main.cf, but, for the life of me, I haven't found it.

    Thanks.
     
  2. Scratchpad

    Scratchpad New Member

    Also, I just wanted to point out, if I add my client IP address to the trusted networks I have no problem and can send/receive email without any issues so the problem must have to do with postfix doing the SASL to Dovecot.
     
  3. Scratchpad

    Scratchpad New Member

    Ahh, this has really got me boggled.

    When I telnet in, I can authenticate using AUTH PLAIN, but, still get the relay access denied error....

    Code:
    [root@fox named]# telnet mail.local-example.com 25
    Connected to mail.local-example.com (xxx.xxx.xxx.xxx).
    Escape character is '^]'.
    220 mail.local-example.com ESMTP
    EHLO remote-client-example.com
    250-mail.local-example.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    AUTH PLAIN <CREDENTIALS_HERE_IN_BASE64>
    235 2.0.0 Authentication successful
    mail from:user@local-example.com
    250 2.1.0 Ok
    rcpt to:user@remote-example.com
    554 5.7.1 <user@remote-example.com>: Relay access denied
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.
    
    With the following result in the maillog:

    Code:
    Apr 10 17:26:44 srv postfix/smtpd[17984]: connect from <CLIENT_DNS_ADDRESS>[<CLIENT_IP_ADDRESS>]
    Apr 10 17:26:51 srv dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=smtp#011resp=<CREDENTIALS_IN_BASE64>
    Apr 10 17:26:51 srv dovecot: auth-worker(default): sql(user@local-example.com): query: SELECT username, password FROM mailbox WHERE username = 'user@local-example.com'
    Apr 10 17:26:51 srv dovecot: auth(default): client out: OK#0111#011user=user@local-example.com#011username=user@local-example.com
    Apr 10 17:27:03 srv postfix/smtpd[17984]: NOQUEUE: reject: RCPT from <CLIENT_DNS_ADDRESS>[<CLIENT_IP_ADDRESS>]: 554 5.7.1 <user@remote-example.com>: Relay access denied; from=<user@local-example.com> to=<user@remote-example.com> proto ESMTP helo=<client.client-example.com>
    Apr 10 17:27:04 srv postfix/smtpd[17984]: disconnect from <CLIENT_DNS_ADDRESS>[<CLIENT_IP_ADDRESS>]
    
     
  4. Scratchpad

    Scratchpad New Member

    !!resolved!!

    Ahhhh, well after a few days of troubleshooting I have FINALLY found the problem!!!

    When I copied/pasted from Falko's excellent tutorial I must have made an error when inserting as I inserted:

    Code:
    smtpd_recipient_restriction = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    
    and misspelled smtpd_recipient_restrictions leaving out the "S" as indicated above. I changed it to the following and everything worked as expected:

    Code:
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    
    The tutorials are excellent, however, I got hit with a violent case of "PEBKAC" !!! :D

    Funny thing is, no errors were presented stating an incorrect setting. I ran:

    Code:
    postfix check
    
    which also reported nothing.
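
The failure in this post (a misspelled parameter name in main.cf that is silently ignored, so the real `smtpd_recipient_restrictions` keeps its default) can be caught by comparing the names in main.cf against Postfix's built-in parameter list. The script below is an added example, not part of the original thread or the tutorial; the function names, the known-names file and the sample main.cf are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list main.cf parameter names that are
# not in a list of known Postfix parameters, e.g. a misspelled restriction.
# On a real host the list can come from:  postconf -d | sed 's/ *=.*//'

# unknown_params MAIN_CF KNOWN_NAMES   -> prints "LINE: name" per suspect
unknown_params() {
    awk '
        FILENAME == ARGV[1] { known[$1] = 1; next }   # first file: known names
        /^[ \t]*(#|$)/      { next }                  # comment or blank line
        /^[ \t]/            { text = text "\n" $0; next }  # continuation line
        {
            name = $0; sub(/[ \t]*=.*/, "", name)
            line[name] = FNR
            text = text "\n" $0
        }
        END {
            for (name in line) {
                if (name in known) continue
                # main.cf permits user-defined names referenced as $name,
                # ${name} or $(name); those are not typos.
                pat = "\\$[{(]?" name "([^A-Za-z0-9_]|$)"
                if (text ~ pat) continue
                print line[name] ": " name
            }
        }
    ' "$2" "$1" | sort -n
}

# Constructed sample: short known-name list plus the thread's misspelling.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' myhostname mynetworks smtpd_tls_cert_file \
        smtpd_sasl_auth_enable smtpd_recipient_restrictions > "$dir/known"
    cat > "$dir/main.cf" <<'EOF'
# constructed sample
myhostname = srv.local-example.com
mynetworks = 127.0.0.0/8
ssl_dir = /etc/postfix/ssl
smtpd_tls_cert_file = $ssl_dir/smtpd.crt
smtpd_sasl_auth_enable = yes
smtpd_recipient_restriction = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
EOF
    unknown_params "$dir/main.cf" "$dir/known"
    rm -rf "$dir"
}

demo
```

Treat the output as candidates for review rather than errors: names that belong to custom master.cf transports may not appear in the built-in list. Postfix 2.9 and later also print an "unused parameter" warning from `postconf` for this case.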
     
  5. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    If you use an SSH client such as PuTTY, you can copy & paste from the tutorial. This helps avoid typos. :)
     
  6. Scratchpad

    Scratchpad New Member

    Thanks. Actually I did use PuTTY. However, I was copying & pasting from several different tutorials (from CentOS, to Debian, to Ubuntu, etc) to get my setup up and running that somewhere along the line that particular line got edited and input incorrectly.

    Hmm, maybe I should submit a tutorial on this particular setup as they are hard to come by these days.

    I noticed Falko that you used to use Dovecot previously but switched to Courier. Any particular reason for this? Are there features Courier provides that Dovecot does not? Or is it because you found Courier easier to integrate into ISPConfig? (which is a great product by the way, I use it for a couple of my other virtual servers that I host end-user stuff on).
     
  7. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Courier integrates better with ISPConfig. If you use Dovecot, there will be no mail traffic statistics. (But apart from that, both Courier and Dovecot work great!)
     
