Ok, a recent Gentoo upgrade for Postfix/Cyrus SASL/MySQL packages broke something. I'm at my wits' end, no idea what the problem is.

main.cf

# local settings. Remember any domain you want treated as virtual can not be your origin or in mydestination.
myhostname = mail.darqflare.com
mydomain = darqflare.com
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8, 208.110.162.213

# attachment filtering, optional
#mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp

# Size settings, optional
#message_size_limit= 112400000
#mailbox_size_limit = 224800000

# SASL settings
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = 

# TLS stuff
smtpd_use_tls = no
#smtpd_tls_key_file = /etc/postfix/newkey.pem
#smtpd_tls_cert_file = /etc/postfix/newcert.pem
#smtpd_tls_CAfile = /etc/postfix/cacert.pem
#smtpd_tls_loglevel = 3 #### change to 0 after everything works
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom

# transport Stuff, optional
#transport_maps = hash:/etc/postfix/transport
#relay_domains = $transport_maps

# virtual stuff. We're going to punt and make all virtual mail users use the same UID:GID of Postfix.
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:207
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 112400000
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 207
virtual_transport = virtual
virtual_uid_maps = static:207

smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        permit_inet_interfaces
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net
        reject_rbl_client dsn.rfc-ignorant.org
        #check_client_access hash:/etc/postfix/access
        #check_client_access mysql:/etc/postfix/mysql-access.cf
        reject_unauth_destination

        ##reject_non_fqdn_recipient
        ##reject_non_fqdn_sender
        #reject_unknown_recipient_domain
        #permit_mynetworks
        #permit_sasl_authenticated
        ##check_policy_service inet:127.0.0.1:2501, needed for sqlgrey and optional
        #reject_unauth_destination
        #permit

# additional spam fighting checks, optional
#smtpd_helo_restrictions = reject_unknown_helo_hostname
#smtpd_sender_restrictions = reject_unknown_sender_domain
#smtpd_data_restrictions = reject_unauth_pipelining
#readme_directory = /usr/share/doc/postfix-2.6.5/readme
#sample_directory = /etc/postfix
#sendmail_path = /usr/sbin/sendmail
#html_directory = /usr/share/doc/postfix-2.6.5/html
##setgid_group = postdrop
#command_directory = /usr/sbin
#manpage_directory = /usr/share/man
#daemon_directory = //usr/lib/postfix
#newaliases_path = /usr/bin/newaliases

# mailq_path: The full pathname of the Postfix mailq command.  This
# is the Sendmail-compatible mail queue listing command.
# 
#mailq_path = /usr/bin/mailq
#queue_directory = /var/spool/postfix
#mail_owner = postfix
#data_directory = /var/lib/postfix

master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       25       smtpd
        -o content_filter=scan:[127.0.0.1]:10025
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}

# AV scan filter (used by content_filter)
scan      unix  -       -       n       -       -      smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no

# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -       n       -       -      smtpd
        -o content_filter=spamfilter:dummy
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

# Spam filtering
spamfilter unix - n n - - pipe
  flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter.sh -f ${sender} -- ${recipient}

All four MySQL Postfix config files:

# you only need this if you plan to act as a backup mx for various domains.
user = *
password = *
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '1' AND active = '1'

user = *
password = *
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

user = *
password = *
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'

user = *
password = *
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

SASL's smtpd.conf

pwcheck_method:authdaemond

When using a local webmail client residing on the server, sending via SMTP is fine. However, when using clients not on the server, it times out.

netstat -tulp | grep sm

tcp        0      0 *:smtp                  *:*                     LISTEN      15982/master

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  vortex               anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:rndc 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:rndc 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request state NEW,RELATED,ESTABLISHED 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

telnet mail.darqflare.com 25 just times out. Nothing in the server's logs. Thanks for the help everybody.

kashani
  • Can you provide some logfiles? i.e. restart postfix and try telnet at port 25. Post the output of the postfix log file from the point of the restart to the end. – sebokopter Jun 07 '11 at 21:14
  • Here's the log: Jun 10 12:40:40 vortex postfix/postfix-script[7310]: stopping the Postfix mail system Jun 10 12:40:40 vortex postfix/master[15982]: terminating on signal 15 Jun 10 12:40:40 vortex postfix/postfix-script[7391]: starting the Postfix mail system Jun 10 12:40:40 vortex postfix/master[7392]: daemon started -- version 2.7.4, configuration /etc/postfix Nothing was entered in the log when I tried "telnet 208.110.162.213 25" – Robert F.P. Ludwick Jun 10 '11 at 19:42

2 Answers

Out of all the maddening things... It turns out my ISP is likely silently blocking outbound SMTP on my network at home. Unbelievable.

Sorry for the useless question now. Just a cautionary tale it seems...

  • This is actually the "new normal" for home ISP service. They are trying to "protect" you from becoming a spam/bot relay (read that as: they are protecting their revenue streams by making you pay more for "business grade" access) – Avery Payne Mar 20 '14 at 19:35

Look at your log files for possible problems. Postfix is pretty good about logging problems. Also make sure that MySQL is running and so is cyrus-sasl. Out of the three daemons, Cyrus-sasl tends to give the most problems after any upgrade.

I just noticed that you're using Courier's authdaemon as well. You'll need to make sure that is running as well.

My other suggestion is to post to gentoo-server@ or gentoo-user. You'd get help much much faster.

Lastly, thanks for using my how-to to build your server. I hope it's been working well for you.

kashani