I've got a mail server (mail.mydomain.com) that has a relay set up as such:

/etc/postfix/main.cf:

```
# Smarthost
relayhost = [smtpcorp.com]:2525
smtp_sasl_password_maps = hash:/etc/postfix/smtpcorp_passwd
```

So any of my users using mail.mydomain.com as their SMTP server will basically authenticate with their own username and password (the same they use for dovecot) and they get relayed to smtpcorp.com which has its own username/password they never see. This works great.

However, when mail.mydomain.com runs cron scripts and tries to email root, which is aliased to my email address, it fails because there's no authentication going on.

```
Jul 27 08:34:06 mail postfix/smtp[5058]: D37641FA98: to=<xxx@xxx.com>, relay=smtpcorp.com[207.58.147.66]:2525, delay=0.96, delays=0/0/0.86/0.1, dsn=5.0.0, status=bounced (host smtpcorp.com[207.58.147.66] said: 550 Relay denied for unauthenticated sender (in reply to RCPT TO command))
```

How can I exempt localhost and mail.mydomain.com from either:

  1. Having to use the SMTP smart relay at all
  2. Or simply not being required to use SASL authentication to use the smart relay

/etc/aliases:

```
mailer-daemon: postmaster
postmaster: root

root: me@xxx.com
```

If I remove the root alias, mail delivery works fine, but I want the alias there so that it will forward and get delivered so my regular mail client can access it via dovecot.

Server info: Debian 7.5, postfix 2.9.6

Output of postconf -n:

```
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
enable_original_recipient = no
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 0
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
mydestination = mail.myvps.com, localhost.localdomain, localhost
myhostname = mail.myvps.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style = host
myorigin = /etc/hostname
readme_directory = no
recipient_delimiter = +
smtp_helo_timeout = 60s
smtp_sasl_password_maps = hash:/etc/postfix/smtpcorp_passwd
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 16
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
smtpd_tls_CAfile = /etc/ssl/mail.myvps.com/ca-bundle
smtpd_tls_cert_file = /etc/ssl/mail.myvps.com/crt
smtpd_tls_key_file = /etc/ssl/mail.myvps.com/key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/vimb/virtual_alias_maps.cf
virtual_gid_maps = static:8
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = mysql:/etc/postfix/vimb/virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/vimb/virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:150
```
CaptSaltyJack
  • This is the expected behaviour. Only non-local mails are sent to `relayhost`. Since you are forwarding the mail to `me@xxx.com`, where `xxx.com` is a non-local domain, `relayhost` is used for delivery. Why can't you set up authentication for `me@xxx.com` in your `smtp_sasl_password_maps`? – clement Jul 28 '14 at 16:11
  • I'm not sure how to do that. I don't know the format of the `smtp_sasl_password_maps` hash file. Right now it just contains the SMTP user/pass for my `smtpcorp.com` account. How do I add a specific destination (`me@xxx.com`) in there? – CaptSaltyJack Jul 28 '14 at 18:13
  • I guess I don't understand. If I try to use command line mail to send to, e.g., `steve@gmail.com`, it fails, saying I'm an unauthenticated sender. Even though the hash file is correct and contains the username/password for the `smtpcorp.com` relay. – CaptSaltyJack Jul 28 '14 at 18:21

1 Answer

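You can exclude xxx@xxx.com from using relayhost by setting an empty relay host in transport_maps:

```
# main.cf
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport
# (rebuild the hash: map with "postmap /etc/postfix/transport" after editing)
# "smtp:" with an empty next hop delivers to the recipient's own domain
xxx@xxx.com     smtp:
```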
masegaloeh
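
To show which recipients the transport entry in the answer above actually exempts from the smarthost, here is an added sketch (not part of the original answer and not Postfix code) that models the transport(5) lookup order and result rules. It ignores address extensions and local domains, and the function names are hypothetical.

```python
# Added illustration: simplified model of Postfix transport(5) resolution
# for non-local recipients. Function names are hypothetical.
RELAYHOST = "[smtpcorp.com]:2525"      # relayhost value from the question
TRANSPORT = {"xxx@xxx.com": "smtp:"}   # transport table from the answer


def lookup_keys(rcpt):
    """Keys in transport(5) search order: full address, domain,
    parent domains in leading-dot form, then the '*' wildcard."""
    rcpt = rcpt.lower()
    labels = rcpt.rsplit("@", 1)[1].split(".")
    keys = [rcpt, ".".join(labels)]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return keys + ["*"]


def resolve(rcpt, table=TRANSPORT, relayhost=RELAYHOST):
    """Return (transport, nexthop) for a non-local recipient."""
    domain = rcpt.lower().rsplit("@", 1)[1]
    # No table match: default transport, next hop is relayhost if set.
    transport, nexthop = "smtp", relayhost or domain
    for key in lookup_keys(rcpt):
        if key not in table:
            continue
        new_transport, _, new_nexthop = table[key].partition(":")
        if new_nexthop:
            nexthop = new_nexthop          # explicit next hop wins
        elif new_transport:
            nexthop = domain               # "smtp:" resets to rcpt domain
        transport = new_transport or transport
        break                              # first matching key decides
    return transport, nexthop


def bypasses_relayhost(rcpt, table=TRANSPORT, relayhost=RELAYHOST):
    """True when mail to rcpt is delivered without going via relayhost."""
    return resolve(rcpt, table, relayhost)[1] != relayhost


if __name__ == "__main__":
    # Constructed recipients: the aliased root address and two others.
    for rcpt in ("xxx@xxx.com", "other@xxx.com", "steve@gmail.com"):
        print(rcpt, resolve(rcpt), bypasses_relayhost(rcpt))
```

Only the exact address matches, so every other recipient, including other mailboxes at the same domain, still goes through the authenticated smarthost. Mail to the exempted address is delivered straight to the recipient domain's MX from the server itself.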