0

I never got my SMTP service working; now I'm ready to try again.

The server is a FreeBSD 8.1-RELEASE-p1; Postfix was installed as part of the Webmin/Virtualmin install.sh.

I have read Postfix Virtual Domain Hosting Howto, but haven't had any luck putting the pieces together.

```
# postconf -n
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
html_directory = /usr/local/share/doc/postfix
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = caesar.wulffit.dk, localhost.wulffit.dk, localhost, wulffit.dk, mail.wulffit.dk
mydomain = wulffit.dk
myhostname = caesar.wulffit.dk
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
```

This is the maillog output from my most recent try to send an email.

```
# tail -n 1000 /var/log/maillog | grep 194.255.38.237
Jan 19 18:33:30 caesar dovecot: imap-login: Login: user=<philip-espersen>, method=PLAIN, rip=194.255.38.237, lip=194.255.38.233, TLS
Jan 19 18:33:47 caesar postfix/smtpd[63803]: warning: 194.255.38.237: address not listed for hostname dominos.dk
Jan 19 18:33:47 caesar postfix/smtpd[63803]: connect from unknown[194.255.38.237]
Jan 19 18:33:47 caesar postfix/smtpd[63803]: 86DA2DA80C: client=unknown[194.255.38.237]
Jan 19 18:33:47 caesar postfix/smtpd[63803]: disconnect from unknown[194.255.38.237]
Jan 19 18:33:48 caesar postfix/smtp[63815]: 97199DA85F: to=<Philip@dominos.dk>, relay=mail.dominos.dk[194.255.38.237]:25, delay=0.96, delays=0/0.01/0.01/0.94, dsn=2.6.0, status=sent (250 2.6.0  <20110119173347.97199DA85F@caesar.wulffit.dk> Queued mail for delivery)
Jan 19 18:34:02 caesar postfix/smtpd[63803]: warning: 194.255.38.237: address not listed for hostname dominos.dk
Jan 19 18:34:02 caesar postfix/smtpd[63803]: connect from unknown[194.255.38.237]
Jan 19 18:34:02 caesar postfix/smtpd[63803]: NOQUEUE: reject: RCPT from unknown[194.255.38.237]: 554 5.7.1 <philip@dominos.dk>: Relay access denied; from=<philip@espersen.me> to=<philip@dominos.dk> proto=SMTP helo=<[127.0.0.1]>
Jan 19 18:34:07 caesar postfix/smtpd[63803]: disconnect from unknown[194.255.38.237]
Jan 19 18:34:21 caesar postfix/smtpd[63803]: warning: 194.255.38.237: address not listed for hostname dominos.dk
Jan 19 18:34:21 caesar postfix/smtpd[63803]: connect from unknown[194.255.38.237]
Jan 19 18:34:21 caesar postfix/smtpd[63803]: 25FABDA80C: client=unknown[194.255.38.237]
Jan 19 18:34:21 caesar postfix/smtpd[63803]: disconnect from unknown[194.255.38.237]
Jan 19 18:38:20 caesar postfix/anvil[63805]: statistics: max connection rate 3/60s for (smtp:194.255.38.237) at Jan 19 18:34:21
Jan 19 18:38:20 caesar postfix/anvil[63805]: statistics: max connection count 1 for (smtp:194.255.38.237) at Jan 19 18:33:47
Jan 19 18:47:46 caesar postfix/smtpd[64139]: warning: 194.255.38.237: address not listed for hostname dominos.dk
Jan 19 18:47:46 caesar postfix/smtpd[64139]: connect from unknown[194.255.38.237]
Jan 19 18:47:46 caesar postfix/smtpd[64139]: NOQUEUE: reject: RCPT from unknown[194.255.38.237]: 554 5.7.1 <philip@dominos.dk>: Relay access denied; from=<philip@espersen.me> to=<philip@dominos.dk> proto=SMTP helo=<[127.0.0.1]>
Jan 19 18:47:47 caesar postfix/smtpd[64139]: disconnect from unknown[194.255.38.237]
```

/usr/local/lib/sasl2/smtpd.conf

```
# cat /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
```

Phliplip

3 Answers

1

So what are you trying to do here: have the mail for dominos.dk on the server, or use that server for relaying mail from users for that domain?

If this is the destination server for dominos.dk, you need to add that to mydestinations; otherwise, if what you want to do is permit relay for authenticated users, just configuring cyrus-sasl properly should do the trick.

lynxman
  • What I'm trying to do is simply just to send a test email from my private mail, philip@espersen.me, to my work mail philip@dominos.dk, using mail.espersen.me as the SMTP. The server we're talking about here is the mail server for espersen.me - I'm able to receive mail, it's just sending it that is a problem. – Phliplip Jan 19 '11 at 18:49
  • Alright, so then you need to either have your internal IPs on "mynetworks" so they're allowed to relay or authenticate before sending, any of those will do exactly what you want, let me know if you need more detailed info, I can add it in another answer – lynxman Jan 19 '11 at 18:51
  • I wish to be able to use mail.espersen.me as SMTP, but mail-users (ie. the other hosted domains) must auth first, when using SMTP server. – Phliplip Jan 19 '11 at 18:52
  • So then the best would be to use auth for yourself as well, it's the laziest way to get the job done and also you'll be testing the authentication for your other users and will be able to detect any problems with it quickly – lynxman Jan 19 '11 at 18:53
  • That was the plan, sorry if it was not clear :) But how do I config postfix for that? I have posted the postconf in the question; if you need output of any other files I will supply it with pleasure ;) – Phliplip Jan 19 '11 at 19:01
  • So postfix is set up already since you have the `permit_sasl_authenticated` option in place, now you just need to set up the SASL subsystem to authenticate for postfix. I can't remember where exactly FreeBSD puts the sasl config files but they should be in somewhere like `/usr/local/lib/sasl2/Sendmail.conf` (even for postfix that's the right file). Then make sure that you use your preferred authentication method there, it's just a question of trial and failure and thankfully SASL is quite verbose about it. – lynxman Jan 19 '11 at 19:06
  • I have no sendmail.conf at that location (or anywhere else), the folder exists though. I have a smtpd.conf file in that folder; I have updated the question with the content of the file. – Phliplip Jan 19 '11 at 19:15
  • Ah there you go, that's the one you need. So it's using saslauthd by default, that's even easier, you just need to edit saslauthd.conf to choose your preferred authentication method and start the daemon – lynxman Jan 19 '11 at 19:18
  • Just checked my /rc.d dir, I have 2 startup scripts for postfix (./postfix and ./postfix.sh), could this be a problem? – Phliplip Jan 19 '11 at 19:18
  • Don't think so, as said, authentication depends on saslauthd entirely so you need to have that running in order for it to work – lynxman Jan 19 '11 at 19:19
  • Ok, I have no saslauthd.conf.. I'm off for a 45 minute drive.. I'll be back when I get home. – Phliplip Jan 19 '11 at 19:21
  • Grr that happens sometimes, you can get an example easily from the man page of saslauthd.conf, otherwise here's a one-liner that can be useful for you: `pwcheck: shadow` – lynxman Jan 19 '11 at 19:25
  • Happy to report that the server now receives and sends email :) I'm a happy panda now! Will post an answer with the solution, but all credit should go to lynxman and brent! – Phliplip Jan 19 '11 at 21:04
1
```
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
```

So you've set to either allow SASL authenticated users or users that are part of "mynetworks". Your configuration lists

```
mynetworks_style = host
```

Which means only the local host is allowed when unauthenticated. If you know the source of relay traffic you could instead define

```
mynetworks = 127.0.0.0/8 x.x.x.x/x
```

Where x.x.x.x/x is equal to the subnet of the relayer (e.g., 192.168.1.0/24).

For authentication you need to have either Dovecot SASL or Cyrus SASL installed and built into Postfix. You can check if either is available with `postconf -a`. Which you use is up to you, but be sure that the backend you want to use for the user/password database (e.g., LDAP, *SQL, etc.) is available for the SASL implementation.

See here for further details on configuration: http://www.postfix.org/SASL_README.html

brent
  • `postconf -a` outputs cyrus, dovecot in that order; `postconf -A` outputs only cyrus – Phliplip Jan 19 '11 at 20:01
  • Happy to report that the server now receives and sends email :) I'm a happy panda now! Will post an answer with the solution, but all credit should go to lynxman and brent! – Phliplip Jan 19 '11 at 21:10
0

Problem solved.

It all came down to saslauth not being properly configured in postfix/main.cf

```
# postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
html_directory = /usr/local/share/doc/postfix
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = caesar.wulffit.dk, localhost.wulffit.dk, localhost, wulffit.dk, mail.wulffit.dk
mydomain = wulffit.dk
myhostname = caesar.wulffit.dk
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
```

Where these lines are the most important

```
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sasl_path = /var/run/dovecot/auth-client
broken_sasl_auth_clients = yes
```

I have also made changes in /usr/local/etc/dovecot.conf, adding user and group to the auth default section

```
auth default {
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
  mechanisms = plain login
}
```

Don't know if it's important, but I did `# touch /usr/local/etc/saslauthd.conf`

Restart dovecot and postfix

```
# /usr/local/etc/rc.d/dovecot restart
# /usr/local/etc/rc.d/postfix restart
```

I have probably done loads of other things, before today. Something may have put me in the right direction, something in the wrong direction. Anyhow, it works now :)

Phliplip
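
The relay rules discussed in brent's answer and the SASL settings in the solution above can be checked mechanically. The following is an added example, not code from the original posts: it audits `postconf -n` output for those settings. The function names and finding labels are hypothetical, the sample configurations are constructed from settings quoted on this page, and any parameter absent from the output is assumed to be at its Postfix default, since `postconf -n` prints only non-default values.

```python
import ipaddress

def parse_postconf(text):
    """Parse `postconf -n` output ('name = value' lines) into a dict."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not name.lstrip().startswith("#"):
            settings[name.strip()] = value.strip()
    return settings

def audit_relay(settings):
    """Return findings on who may relay; absent keys take Postfix defaults."""
    findings = []
    rules = settings.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    sasl_on = settings.get("smtpd_sasl_auth_enable", "no") == "yes"
    if "reject_unauth_destination" not in rules:
        findings.append("no-relay-guard: reject_unauth_destination is missing")
    if "permit_sasl_authenticated" in rules and not sasl_on:
        findings.append("sasl-off: permit_sasl_authenticated can never match")
    if sasl_on and settings.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("plaintext-auth: AUTH is offered on unencrypted connections")
    # mynetworks overrides mynetworks_style; each entry may relay unauthenticated.
    for entry in settings.get("mynetworks", "").replace(",", " ").split():
        try:
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            findings.append(f"unparsed-mynetworks-entry: {entry}")
            continue
        if not net.is_loopback:
            findings.append(f"trusted-net: {net} relays without authentication")
    return findings

# Constructed samples, reduced from the settings quoted on this page.
RESTRICTIONS = ("smtpd_recipient_restrictions = permit_sasl_authenticated "
                "permit_mynetworks reject_unauth_destination\n")
QUESTION_CONF = "mynetworks_style = host\n" + RESTRICTIONS
ANSWER_CONF = QUESTION_CONF + (
    "smtpd_sasl_auth_enable = yes\n"
    "smtpd_sasl_type = dovecot\n"
    "smtpd_sasl_path = /var/run/dovecot/auth-client\n")
SUBNET_CONF = "mynetworks = 127.0.0.0/8 192.168.1.0/24\n" + RESTRICTIONS

if __name__ == "__main__":
    for label, conf in [("question", QUESTION_CONF), ("answer", ANSWER_CONF),
                        ("subnet", SUBNET_CONF)]:
        print(label, audit_relay(parse_postconf(conf)))
```

The `plaintext-auth` finding on the working configuration reflects that `smtpd_tls_auth_only` is left at its default of `no`, so the `plain` and `login` mechanisms are announced to clients that have not started TLS.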