Postfix SMTP Auth to Dovecot Not Working -- HELP!

Hello Everyone! First off, would love to say Thanks to everyone here at HowToForge! I have been a fan for a long time now and love the tutorials that are one here!

This is the first time I have ever encountered an issue that I have been unable to solve by using the Tutorials and postings in the forum.

Here is my issue.

I have followed a number of tutorials to get my CentOS 5.4 32-bit up and running with Postfix and Dovecot using MySQL for virtual users and domains. I have everything working flawlessly (receiving emails from outside sources to my virtual users and domains and sending emails from localhost out to outside domains) except for sending email from non-trusted (anything other than localhost is untrusted). I keep getting:

Code:

Apr 10 14:13:26 srv postfix/smtpd[21895]: NOQUEUE: reject: RCPT from <MYISPDomain>[<MYISP-IPAddress>]: 554 5.7.1 <user@remote-example.com>: Relay access denied; from=<user@local-example.com> to=<user@remote-example.com> proto=ESMTP helo=<DESKTOP-PC>

I am using Postfix, Cyrus-SASL, Dovecot, Amavisd, MySQL:

Code:

Installed Packages:
amavisd-new.i386                        2.6.4-4.el5.rf                 installed
cyrus-sasl.i386                         2.1.22-5.el5_4.3               installed
cyrus-sasl-devel.i386                   2.1.22-5.el5_4.3               installed
cyrus-sasl-gssapi.i386                  2.1.22-5.el5_4.3               installed
cyrus-sasl-lib.i386                     2.1.22-5.el5_4.3               installed
cyrus-sasl-md5.i386                     2.1.22-5.el5_4.3               installed
cyrus-sasl-plain.i386                   2.1.22-5.el5_4.3               installed
cyrus-sasl-sql.i386                     2.1.22-5.el5_4.3               installed
dovecot.i386                        1.0.7-7.el5                        installed
mysql.i386                             5.0.77-4.el5_5.5                installed
mysql-devel.i386                       5.0.77-4.el5_5.5                installed
mysql-server.i386                      5.0.77-4.el5_5.5                installed
postfix.i386                          2:2.3.3-2.1                      installed

Here is my postconf output:

Code:

[root@srv named]# postconf -a
cyrus
dovecot

Code:

[root@srv named]# postconf -A
cyrus

Code:

[root@srv named]# postconf -m
btree
cidr
environ
hash
ldap
mysql
nis
pcre
proxy
regexp
static
unix

Code:

[root@srv named]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_command =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myhostname = srv.local-example.com
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options = no_address_mappings
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = mail.local-example.com ESMTP
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:12
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 150
virtual_uid_maps = static:150

Here is my Dovecot config:

Code:

[root@srv named]# dovecot -n
# 1.0.7: /etc/dovecot.conf
verbose_ssl: yes
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
login_greeting: mail.local-example.com - Ready
first_valid_uid: 150
mail_location: maildir:/var/vmail/%d/%n
mail_debug: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib/dovecot/imap
mail_plugin_dir(imap): /usr/lib/dovecot/imap
mail_plugin_dir(pop3): /usr/lib/dovecot/pop3
auth default:
  mechanisms: plain login
  user: vmail
  verbose: yes
  debug: yes
  debug_passwords: yes
  passdb:
    driver: sql
    args: /etc/dovecot-mysql.conf
  userdb:
    driver: sql
    args: /etc/dovecot-mysql.conf
  userdb:
    driver: prefetch
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: mail

Here is what happens when you telnet to the SMTP port:

Code:

[root@srv named]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.local-example.com ESMTP
EHLO localhost
250-mail.local-example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

Here is the maillog output from start to finish of when sending an email from my Client Winblows Outlook client (user@local-example.com is my email account on the server which works when sent from a trusted network, and user@remote-example.com is the account on an outside provider i.e. gmail.com):

Code:

Apr 10 14:30:17 srv dovecot: auth(default): new auth connection: pid=26561
Apr 10 14:30:18 srv dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=POP3#011secured#011lip=::ffff:<SERVER_IP_HERE>#011rip=::ffff:<CLIENT_IP_HERE>#011resp=<SERVER_RESP_KEY_HERE>
Apr 10 14:30:18 srv dovecot: auth-worker(default): sql(user@local-example.com,::ffff:<CLIENT_IP_HERE>): query: SELECT username, password FROM mailbox WHERE username = 'user@local-example.com'
Apr 10 14:30:18 srv dovecot: auth(default): client out: OK#0111#011user=user@local-example.com#011username=user@local-example.com
Apr 10 14:30:18 srv dovecot: auth(default): master in: REQUEST#01118#01124454#0111
Apr 10 14:30:18 srv dovecot: auth-worker(default): sql(user@local-example.com,::ffff:<CLIENT_IP_HERE>): SELECT '/var/vmail/local-example.com/user' as home, 'maildir:/var/vmail/local-example.com/user' as mail, 150 AS uid, 12 AS gid, concat('dirsize:storage=',quota) AS quota FROM mailbox WHERE username ='user@local-example.com' AND active ='1'
Apr 10 14:30:18 srv dovecot: POP3(user@local-example.com): Effective uid=150, gid=12
Apr 10 14:30:18 srv dovecot: POP3(user@local-example.com): maildir: data=/var/vmail/local-example.com/user
Apr 10 14:30:18 srv dovecot: POP3(user@local-example.com): maildir: root=/var/vmail/local-example.com/user, index=/var/vmail/local-example.com/user, control=, inbox=
Apr 10 14:30:18 srv dovecot: auth(default): master out: USER#01118#011user@local-example.com#011home=/var/vmail/local-example.com/user#011mail=maildir:/var/vmail/local-example.com/user#011uid=150#011gid=12#011quota=dirsize:storage=0
Apr 10 14:30:18 srv dovecot: pop3-login: Login: user=<user@local-example.com>, method=PLAIN, rip=::ffff:<CLIENT_IP_HERE>, lip=::ffff:<SERVER_IP_HERE>, TLS
Apr 10 14:30:18 srv dovecot: POP3(user@local-example.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Apr 10 14:30:18 srv dovecot: auth(default): new auth connection: pid=26565
Apr 10 14:30:19 srv postfix/smtpd[26565]: connect from <CLIENT_DNS_HERE>[<CLIENT_IP_HERE>]
Apr 10 14:30:19 srv postfix/smtpd[26565]: setting up TLS connection from <CLIENT_DNS_HERE>[<CLIENT_IP_HERE>]
Apr 10 14:30:19 srv postfix/smtpd[26565]: TLS connection established from <CLIENT_DNS_HERE>[<CLIENT_IP_HERE>]: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr 10 14:30:19 srv postfix/smtpd[26565]: NOQUEUE: reject: RCPT from <CLIENT_DNS_HERE>[<CLIENT_IP_HERE>]: 554 5.7.1 <user@remote-example.com>: Relay access denied; from=<user@local-example.com> to=<user@remote-example.com> proto=ESMTP helo=<DESKTOP>
Apr 10 14:30:22 srv postfix/smtpd[26565]: disconnect from <CLIENT_DNS_HERE>[<CLIENT_IP_HERE>]

Here is a listing of permissions of the postfix directory:

Code:

[root@srv postfix]# pwd
/var/spool/postfix
[root@srv postfix]# ls -lh
total 56K
drwx------ 2 postfix root     4.0K Apr 10 13:11 active
drwx------ 2 postfix root     4.0K Apr 10 04:46 bounce
drwx------ 2 postfix root     4.0K Mar 27 15:03 corrupt
drwx------ 5 postfix root     4.0K Apr  7 14:49 defer
drwx------ 5 postfix root     4.0K Apr  7 14:49 deferred
drwx------ 2 postfix root     4.0K Mar 27 15:03 flush
drwx------ 2 postfix root     4.0K Mar 27 15:03 hold
drwx------ 2 postfix root     4.0K Apr 10 13:11 incoming
drwx-wx--- 2 postfix postdrop 4.0K Apr  9 15:53 maildrop
drwxr-xr-x 2 root    root     4.0K Apr  9 16:27 pid
drwx------ 2 postfix root     4.0K Apr 10 14:06 private
drwx--x--- 2 postfix postdrop 4.0K Apr 10 10:47 public
drwx------ 2 postfix root     4.0K Mar 27 15:03 saved
drwx------ 2 postfix root     4.0K Mar 27 15:03 trace
[root@srv postfix]# cd private/
[root@srv private]# pwd
/var/spool/postfix/private
[root@srv private]# ls -lh
total 0
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 amavis
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 anvil
srw-rw---- 1 postfix mail    0 Apr 10 14:06 auth
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 bounce
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 bsmtp
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 cyrus
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 defer
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 discard
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 error
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 ifmail
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 lmtp
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 local
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 maildrop
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 old-cyrus
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 proxymap
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 relay
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 rewrite
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 scache
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 smtp
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 tlsmgr
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 trace
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 uucp
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 verify
srw-rw-rw- 1 postfix postfix 0 Apr 10 10:47 virtual

As stated previously, everything works except for the SMTP AUTH from a host from an untrusted network. No errors show up anywhere that I have found.

If anybody can help, it would be greatly appreciated. I have a feeling I missed a small config setting for SASL in /etc/postfix/main.cf, but, for the life in my I haven't found it.

Thanks.

 

Also, I just wanted to point out, if I add my client IP address to the trusted networks I have no problem and can send/receive email without any issues so the problem must have to do with postfix doing the SASL to Dovecot.

 

Ahh, this has really got me boggled.

When I telnet in, I can authenticate using AUTH PLAIN, but, still get the relay access denied error....

Code:

[root@fox named]# telnet mail.local-example.com 25
Connected to mail.local-example.com (xxx.xxx.xxx.xxx).
Escape character is '^]'.
220 mail.local-example.com ESMTP
EHLO remote-client-example.com
250-mail.local-example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN <CREDENTIALS_HERE_IN_BASE64>
235 2.0.0 Authentication successful
mail from:user@local-example.com
250 2.1.0 Ok
rcpt to:user@remote-example.com
554 5.7.1 <user@remote-example.com>: Relay access denied
quit
221 2.0.0 Bye
Connection closed by foreign host.

With the following result in the maillog:

Code:

Apr 10 17:26:44 srv postfix/smtpd[17984]: connect from <CLIENT_DNS_ADDRESS>[<CLIENT_IP_ADDRESS>]
Apr 10 17:26:51 srv dovecot: auth(default): client in: AUTH#0111#011PLAIN#011service=smtp#011resp=<CREDENTIALS_IN_BASE64>
Apr 10 17:26:51 srv dovecot: auth-worker(default): sql(user@local-example.com): query: SELECT username, password FROM mailbox WHERE username = 'user@local-example.com'
Apr 10 17:26:51 srv dovecot: auth(default): client out: OK#0111#011user=user@local-example.com#011username=user@local-example.com
Apr 10 17:27:03 srv postfix/smtpd[17984]: NOQUEUE: reject: RCPT from <CLIENT_DNS_ADDRESS>[<CLIENT_IP_ADDRESS>]: 554 5.7.1 <user@remote-example.com>: Relay access denied; from=<user@local-example.com> to=<user@remote-example.com> proto ESMTP helo=<client.client-example.com>
Apr 10 17:27:04 srv postfix/smtpd[17984]: disconnect from <CLIENT_DNS_ADDRESS>[<CLIENT_IP_ADDRESS>]

 

!!resolved!!

Ahhhh, well after a few days of troubleshooting I have FINALLY found the problem!!!

When I copied/pasted from Falko's excellent tutorial I must have made an error when inserting as I inserted:

Code:

smtpd_recipient_restriction = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

and misspelled smtpd_recipient_restrictions leaving out the "S" as indicated above. I changed it to the following and everything worked as expected:

Code:

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

The tutorials with excellent, however, I got hit with a violent case of "PEBKAC" !!!

Funny thing is, no errors were presented stating an incorrect setting. I ran:

Code:

postfix check

which also reported nothing.

 

If you use an SSH client such as PuTTY, you can copy & paste from the tutorial. This helps avoiding typos.

 

Thanks. Actually I did use PuTTy. However, I was copying & pasting from several different tutorials (from CentOS, to Debian, to Ubuntu, etc) to get my setup up and running that somewhere along the line that particular line got edited and input incorrectly.

Hmm, maybe I should submit a tutorial on this this particular setup as they are hard to come by these days.

I noticed Falko that you used to use Dovecot previously but switched to Courier. Any particular reason for this? Is there features Courier provides that Dovecot does not? or is it because you found Courier easier to integrate into ISPConfig? (which is a great product by the way, I use it for a couple of my other virtual servers that I host end-user stuff on).

 

Courier integrates better with ISPConfig. If you use Dovecot, there will be no mail traffic statistics. (But apart from that, both Courier and Dovecot work great!)