On Sat, Feb 28, 2009 at 12:15 PM, Sahil Tandon <[email protected]> wrote:
> On Sat, 28 Feb 2009, Big Pizzle wrote:
>
> > On Sat, Feb 28, 2009 at 11:47 AM, Sahil Tandon <[email protected]> wrote:
> >
> > > On Sat, 28 Feb 2009, Big Pizzle wrote:
> > >
> > > > Hi all,
> > > >
> > > > I've just set up Postfix 2.3.3 to authenticate against a MySQL database to
> > > > support Virtual Domains, and I'm able to send mail to any domain which
> > > > Postfix knows about, but when I send an e-mail to an outside address such as
> > > > hotmail, yahoo, etc. I get the following error message in the logs:
> > > >
> > > > Feb 27 22:09:52 juter1 postfix/smtpd[27104]: NOQUEUE: reject: RCPT from
> > > > h-68-167-178-13.snid.cod.net[xx.xxx.xxx.xx]: 554 5.7.1 <[email protected]>:
> > > > Relay access denied; from=<[email protected]> to=<[email protected]>
> > > > proto=SMTP helo=<homebase>
> > >
> > > If you're going to obfuscate the IP, at least take care to similarly cloak
> > > your client's hostname!
> > >
> > > % host h-68-167-178-13.snid.cod.net
> > > h-68-167-178-13.snid.cod.net has address 82.98.86.161
> > >
> >
> > Thanks, but that isn't my IP - guess I did a pretty good job eh? If you
> > want me to point out WHERE you can find my IP, it's in the first portion of
> > that hostname - cod.net isn't my provider. :)
>
> Why obfuscate your *covad* IP when it is in the hostname?
>
> > > > Here are my main.cf configs:
> > >
> > > Instead, follow the directions in the DEBUG_README, and paste the output of
> > > 'postconf -n'.
> > >
> >
> > alias_maps =
> > broken_sasl_auth_clients = yes
> > command_directory = /usr/sbin
> > config_directory = /etc/postfix
> > daemon_directory = /usr/libexec/postfix
> > debug_peer_level = 2
> > disable_vrfy_command = yes
> > html_directory = no
> > inet_interfaces = localhost, $myhostname
>
> $myhostname is not an interface.
> See: http://www.postfix.org/postconf.5.html#inet_interfaces
>
> > invalid_hostname_reject_code = 450
> > local_transport = virtual
> > mail_owner = postfix
> > mailq_path = /usr/bin/mailq.postfix
> > manpage_directory = /usr/share/man
> > maps_rbl_reject_code = 450
> > mydestination = $myhostname, localhost.$mydomain, localhost
> > myhostname = xxx.yyy.com
> > mynetworks = 127.0.0.0/8
> > newaliases_path = /usr/bin/newaliases.postfix
> > non_fqdn_reject_code = 450
> > queue_directory = /var/spool/postfix
> > readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> > sample_directory = /usr/share/doc/postfix-2.3.3/samples
> > sendmail_path = /usr/sbin/sendmail.postfix
> > setgid_group = postdrop
> > show_user_unknown_table_name = no
> > smtpd_helo_required = yes
> > smtpd_recipient_restrictions = permit_mynetworks
> >     permit_sasl_authenticated reject_unauth_destination
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_exceptions_networks = $mynetworks
> > smtpd_sasl_local_domain = $myhostname
> > smtpd_sasl_path = /var/spool/postfix/private/auth
> > smtpd_sasl_security_options = noanonymous
> > smtpd_sasl_type = dovecot
> > unknown_local_recipient_reject_code = 550
> > virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> > virtual_gid_maps = static:10000
> > virtual_mailbox_base = /home/vmail
> > virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> > virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
> > virtual_minimum_uid = 10000
> > virtual_transport = virtual
> > virtual_uid_maps = static:10000
> >
> > > > When telnetting to port 25, and issuing the EHLO command, I get the
> > > > following:
> > > >
> > > > 250-jupiter1.national.com
> > > > 250-PIPELINING
> > > > 250-SIZE 10240000
> > > > 250-ETRN
> > > > 250-ENHANCEDSTATUSCODES
> > > > 250-8BITMIME
> > > > 250 DSN
> > > >
> > > > I don't see anywhere where it shows what authentication mechanism I am
> > > > using.
> > > > Could this be the issue? I want people to be required to
> > > > authenticate if they are going to be sending mail from this server to
> > > > external addresses. 'My Server Requires Authentication' is checked in my
> > > > mail client.
> > >
> > > Your server appears configured to support SASL but not TLS (following EHLO,
> > > it does not announce STARTTLS support to the SMTP client). You need to show
> > > your postconf output, specifically the smtpd_mumble_restrictions, which is
> > > where you can require SASL authentication to relay mail externally. From
> > > your question, I suspect you are conflating SASL and TLS. See:
> > > http://www.postfix.org/TLS_README.html
> > > http://www.postfix.org/SASL_README.html
> > >
> >
> > It was my understanding that TLS was for secure connections - do I need TLS
> > as well in order for SASL to work?
>
> Nay, but don't look for special announcements after EHLO to tell you that the
> server supports SASL. Testing SASL setup on the server is documented in the
> link I pasted above. Here it is again, this time with a specific section:
> http://www.postfix.org/SASL_README.html#server_test
>
> --
> Sahil Tandon <[email protected]>

Thanks for the link Sahil. I've run sasl2-sample-server and sasl2-sample-client, here are the outputs from both (I made a few changes, adding TLS per mouss' suggestion but I'm still getting relay access denied). Here's a quick legend as to what means what:

xxx = hostname
yyy.com = domain name
fff.com = one of the virtual domains hosted on the xxx.yyy.com machine.
sasl2-sample-server:

[r...@xxx postfix]# sasl2-sample-server
trying 2, 1, 6
trying 10, 1, 6
socket: Address family not supported by protocol
accepted new connection
send: {9}
ANONYMOUS
recv: {9}
ANONYMOUS
recv: {1}
Y
recv: {32}
[email protected]@xxx
successful authentication 'anonymous'
closing connection
accepted new connection
send: {9}
ANONYMOUS
recv: {9}
ANONYMOUS
recv: {1}
Y
recv: {12}
g...@xxx
successful authentication 'anonymous'
closing connection

sasl2-sample-client:

[r...@xxx sample]# sasl2-sample-client localhost
receiving capability list... recv: {9}
ANONYMOUS
ANONYMOUS
please enter an authorization id: [email protected]
send: {9}
ANONYMOUS
send: {1}
Y
send: {32}
[email protected]@xxx
successful authentication
closing connection

[r...@xxx sample]# sasl2-sample-client localhost
receiving capability list... recv: {9}
ANONYMOUS
ANONYMOUS
please enter an authorization id: ger
send: {9}
ANONYMOUS
send: {1}
Y
send: {12}
g...@xxx
successful authentication
closing connection

This is what I see in the logs:

Feb 28 17:45:09 xxx sasl2-sample-server: sql_select option missing
Feb 28 17:45:09 xxx sasl2-sample-server: auxpropfunc error no mechanism available
Feb 28 17:45:09 xxx sasl2-sample-server: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql

*I notice that it's attaching @xxx to whatever username I enter - could that be (one of) the issue(s) at hand?*

I'm using Dovecot's SASL mechanism inside Postfix.
I will post my dovecot.conf configuration as well as the output of postconf -n below:

/etc/dovecot.conf:

protocols = imap pop3
disable_plaintext_auth = no
mail_location = maildir:/var/mail/%d/%u
first_valid_uid = 10000
last_valid_uid = 10000
maildir_copy_with_hardlinks = yes
protocol imap {
  imap_client_workarounds = outlook-idle delay-newmail
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
  postmaster_address = [email protected]
  log_path = /var/log/dovecot-deliver.log
  info_log_path = /var/log/dovecot-deliver.log
}
auth default {
  mechanisms = plain login
  passdb sql {
    args = /etc/dovecot/sql.conf
  }
  userdb passwd {
  }
  userdb sql {
    args = /etc/dovecot/sql.conf
  }
  userdb prefetch {
  }
  user = root
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
      group = vmail
    }
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
dict {
}
plugin {
}

postconf -n output:

alias_maps =
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
invalid_hostname_reject_code = 450
local_transport = virtual
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maps_rbl_reject_code = 450
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = xxx.yyy.com
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
non_fqdn_reject_code = 450
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
show_user_unknown_table_name = no
smtp_use_tls = no
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/local/ssl/xxx.yyy.com.crt
smtpd_tls_key_file = /usr/local/ssl/xxx.yyy.com.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/etc/postfix/tls_smtpd_scache
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:10000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 10000
virtual_transport = virtual
virtual_uid_maps = static:10000

my /etc/postfix/master.cf has the following:

smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes

Here's a telnet output to port 25:

xxx:~# telnet xxx.yyy.com 25
Trying 123.123.123.123...
Connected to xxx.
Escape character is '^]'.
220 xxx.yyy.com ESMTP Postfix
ehlo local
250-xxx.yyy.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
Exit 1

Dovecot works just fine - I'm able to telnet to port 110 and authenticate with a legitimate username and password (using [email protected] as the username).

Thanks for all the help. Hopefully someone can see something I can't.
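The "Relay access denied" in the original log line is produced by reject_unauth_destination, which Postfix only reaches after permit_mynetworks and permit_sasl_authenticated have both failed to match the client. As an added example (not from this thread, and not Postfix's own code), the following Python script replays that ordered evaluation against a constructed postconf -n fragment built from the settings posted above; the 192.0.2.10 client address and example.org recipient domain are constructed values, and only the three restrictions used in this thread are modelled.

```python
# Added example: replay Postfix's smtpd_recipient_restrictions walk for one RCPT TO,
# so the deciding rule behind a '554 5.7.1 Relay access denied' reject is visible.
import ipaddress
import re

# Constructed postconf -n fragment mirroring the configuration posted in the thread.
POSTCONF_N = """\
myhostname = xxx.yyy.com
mynetworks = 127.0.0.0/8
mydestination = $myhostname, localhost.$mydomain, localhost
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf -n, then expand $parameters."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    # Postfix derives mydomain from myhostname when it is not set explicitly.
    conf.setdefault("mydomain", conf.get("myhostname", "").partition(".")[2])
    def expand(value):
        return re.sub(r"\$(\w+)", lambda m: conf.get(m.group(1), ""), value)
    return {k: expand(v) for k, v in conf.items()}

def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]

def evaluate(conf, client_ip, sasl_username, rcpt, virtual_domains=()):
    """Return (smtpd reply, deciding restriction); relay_domains is not modelled."""
    nets = [ipaddress.ip_network(n) for n in split_list(conf["mynetworks"])]
    local = set(split_list(conf["mydestination"])) | set(virtual_domains)
    rcpt_domain = rcpt.rpartition("@")[2].lower()
    for restriction in split_list(conf["smtpd_recipient_restrictions"]):
        if restriction == "permit_mynetworks":
            if any(ipaddress.ip_address(client_ip) in net for net in nets):
                return "250 OK", restriction
        elif restriction == "permit_sasl_authenticated":
            if sasl_username:  # only set after a successful AUTH on this session
                return "250 OK", restriction
        elif restriction == "reject_unauth_destination":
            if rcpt_domain not in local:
                return "554 5.7.1 Relay access denied", restriction
        else:
            raise ValueError("restriction not modelled here: " + restriction)
    return "250 OK", "end of list"
```

Running evaluate() with a client outside 127.0.0.0/8 that has not authenticated and a recipient in a domain the server does not host reproduces the reject from the log; the same client with a SASL username, or any client on 127.0.0.1, is permitted by the earlier rule.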
