Re: [gentoo-user] Postfix question about auth and blocklists...

2010-06-02 Thread Tanstaafl
On 2010-05-27 1:06 PM, Brandon Vargo wrote:
 You mentioned in your first mail that you use Dovecot. The easiest
 way to setup SASL for Postfix is to have Postfix authenticate
 against Dovecot,

+1, with one caveat - it doesn't work in client mode, only server mode...

 I also recommend adding the following option to main.cf if your
 clients support TLS encryption, which will not allow authentication
 over unencrypted connections:
 
 smtpd_tls_auth_only = yes

This is deprecated...

For the submission port you should use:

smtpd_tls_security_level = encrypt

and for opportunistic TLS on port 25:

smtpd_tls_security_level = may



Re: [gentoo-user] Postfix question about auth and blocklists...

2010-05-27 Thread Steve
On 26/05/2010 20:32, Brandon Vargo wrote:
 I hope the above helps.
   

Thank you very much... that was very informative.  Unfortunately, I now
discover I fibbed when I said I had SASL auth set up - I only thought I
had...  When I correctly configure thunderbird, I get the following
postfix messages in the log:

 May 27 17:06:20 ken postfix/smtpd[19973]: connect from
 ur.shic.co.uk[10.0.1.253]
 May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
 failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=5
 May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
 failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=5
 May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
 failure: no secret in database
 May 27 17:06:20 ken postfix/smtpd[19973]: warning:
 ur.shic.co.uk[10.0.1.253]: SASL CRAM-MD5 authentication failed:
 authentication failure
 May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 1
 May 27 17:06:20 ken postfix/smtpd[19973]: client flags: 8207
 May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 2
 May 27 17:06:20 ken postfix/smtpd[19973]: client user: myusername
 May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
 failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=5
 May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
 failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=5
 May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
 failure: no secret in database
 May 27 17:06:20 ken postfix/smtpd[19973]: warning:
 ur.shic.co.uk[10.0.1.253]: SASL NTLM authentication failed:
 authentication failure

I'm sure I'm doing something silly - because googling the first warning
just gives me this bug http://bugs.gentoo.org/show_bug.cgi?id=299390,
which doesn't seem to fit.  I have this installed:

 $ eix mail-mta/postfix
 [I] mail-mta/postfix
  Available versions:  2.6.5 ~2.6.6 {cdb dovecot-sasl hardened ipv6
 ldap mbox mysql nis pam postgres sasl selinux ssl vda}
  Installed versions:  2.6.5(09:08:29 05/27/10)(ipv6 pam sasl ssl
 -cdb -dovecot-sasl -hardened -ldap -mbox -mysql -nis -postgres
 -selinux -vda)
  Homepage:http://www.postfix.org/
  Description: A fast and secure drop-in replacement for
 sendmail.

If I alter thunderbird to not use secure authentication, I get the
following instead.

 May 27 17:14:26 ken postfix/smtpd[20115]: connect from
 ur.shic.co.uk[10.0.1.253]
 May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL authentication
 problem: unknown password verifier
 May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL authentication
 failure: Password verification failed
 May 27 17:14:26 ken postfix/smtpd[20115]: warning:
 ur.shic.co.uk[10.0.1.253]: SASL PLAIN authentication failed: no
 mechanism available
 May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL authentication
 problem: unknown password verifier
 May 27 17:14:26 ken postfix/smtpd[20115]: warning:
 ur.shic.co.uk[10.0.1.253]: SASL LOGIN authentication failed: no
 mechanism available

Which seems quite strange.

My /etc/sasl2/smtpd.conf is the default for gentoo - i.e. it contains
the single config line:

 pwcheck_method:pam

I don't care if I use PAM or something else - as long as it lets me
authenticate.  In the medium term, it would be best if neither IMAP nor
SMTP passwords had any relation to my system password (not that I allow
remote logins using it) - but, for the time being, I just want it to
let me authenticate and send from my phone.

By any chance can anyone give me any further clues?
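
The two log excerpts in the message above can be grouped per failed attempt, so that each rejected SASL mechanism sits next to the library warnings logged just before it. This is an added example, not code from the thread: the sample is constructed from the lines posted above (with the mail client's wrapping kept), and all function names are hypothetical.

```python
import re

# Constructed sample: a subset of the log lines quoted in the post, still wrapped.
SAMPLE_LOG = """
 May 27 17:06:20 ken postfix/smtpd[19973]: connect from
 ur.shic.co.uk[10.0.1.253]
 May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
 failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=5
 May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
 failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=5
 May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL authentication
 failure: no secret in database
 May 27 17:06:20 ken postfix/smtpd[19973]: warning:
 ur.shic.co.uk[10.0.1.253]: SASL CRAM-MD5 authentication failed:
 authentication failure
 May 27 17:14:26 ken postfix/smtpd[20115]: connect from
 ur.shic.co.uk[10.0.1.253]
 May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL authentication
 problem: unknown password verifier
 May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL authentication
 failure: Password verification failed
 May 27 17:14:26 ken postfix/smtpd[20115]: warning:
 ur.shic.co.uk[10.0.1.253]: SASL PLAIN authentication failed: no
 mechanism available
 May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL authentication
 problem: unknown password verifier
 May 27 17:14:26 ken postfix/smtpd[20115]: warning:
 ur.shic.co.uk[10.0.1.253]: SASL LOGIN authentication failed: no
 mechanism available
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"^\S+ +\d+ [\d:]+ \S+ postfix/smtpd\[(\d+)\]: (.*)$")
BACKEND = re.compile(r"^warning: SASL authentication (?:failure|problem): (.*)$")
FAILED = re.compile(r"^warning: \S+\[([^\]]+)\]: SASL (\S+) authentication failed: (.*)$")


def unwrap(text):
    """Join mail-wrapped continuation lines onto the syslog line they belong to."""
    lines = []
    for raw in text.splitlines():
        part = raw.strip()
        if not part:
            continue
        if TIMESTAMP.match(part) or not lines:
            lines.append(part)
        else:
            lines[-1] += " " + part
    return lines


def sasl_failures(text):
    """Return one record per failed AUTH attempt, with the warnings that preceded it."""
    pending = {}   # smtpd pid -> distinct SASL warnings since the last failed attempt
    records = []
    for line in unwrap(text):
        entry = ENTRY.match(line)
        if not entry:
            continue
        pid, msg = entry.groups()
        failed = FAILED.match(msg)
        backend = BACKEND.match(msg)
        if failed:
            ip, mechanism, reason = failed.groups()
            records.append({"pid": int(pid), "client_ip": ip, "mechanism": mechanism,
                            "reason": reason, "backend": pending.pop(pid, [])})
        elif backend and backend.group(1) not in pending.setdefault(pid, []):
            pending[pid].append(backend.group(1))
    return records


def password_sending_attempts(records):
    """Attempts with PLAIN or LOGIN, which transmit the password itself."""
    return [r for r in records if r["mechanism"] in ("PLAIN", "LOGIN")]


if __name__ == "__main__":
    for rec in sasl_failures(SAMPLE_LOG):
        print(rec["client_ip"], rec["mechanism"], "->", rec["reason"], "|", rec["backend"])
```

The PLAIN and LOGIN records are the ones to cross-check against the server's TLS settings, since those mechanisms carry the password in a trivially decodable form.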



Re: [gentoo-user] Postfix question about auth and blocklists...

2010-05-27 Thread Brandon Vargo
On Thu, 2010-05-27 at 17:24 +0100, Steve wrote:
 On 26/05/2010 20:32, Brandon Vargo wrote:
  I hope the above helps.

 
 Thank you very much... that was very informative.  Unfortunately, I
 now discover I fibbed when I said I had SASL auth set up - I only
 thought I had...  When I correctly configure thunderbird, I get the
 following postfix messages in the log:
 
  May 27 17:06:20 ken postfix/smtpd[19973]: connect from
  ur.shic.co.uk[10.0.1.253]
  May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
  authentication failure: Could not open /etc/sasl2/sasldb2:
  gdbm_errno=5
  May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
  authentication failure: Could not open /etc/sasl2/sasldb2:
  gdbm_errno=5
  May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
  authentication failure: no secret in database
  May 27 17:06:20 ken postfix/smtpd[19973]: warning:
  ur.shic.co.uk[10.0.1.253]: SASL CRAM-MD5 authentication failed:
  authentication failure
  May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 1
  May 27 17:06:20 ken postfix/smtpd[19973]: client flags: 8207
  May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 2
  May 27 17:06:20 ken postfix/smtpd[19973]: client user: myusername
  May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
  authentication failure: Could not open /etc/sasl2/sasldb2:
  gdbm_errno=5
  May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
  authentication failure: Could not open /etc/sasl2/sasldb2:
  gdbm_errno=5
  May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
  authentication failure: no secret in database
  May 27 17:06:20 ken postfix/smtpd[19973]: warning:
  ur.shic.co.uk[10.0.1.253]: SASL NTLM authentication failed:
  authentication failure
 
 I'm sure I'm doing something silly - because googling the first
 warning just gives me this bug, which doesn't seem to fit.  I have
 this installed:
 
  $ eix mail-mta/postfix
  [I] mail-mta/postfix
   Available versions:  2.6.5 ~2.6.6 {cdb dovecot-sasl hardened
  ipv6 ldap mbox mysql nis pam postgres sasl selinux ssl vda}
   Installed versions:  2.6.5(09:08:29 05/27/10)(ipv6 pam sasl ssl
  -cdb -dovecot-sasl -hardened -ldap -mbox -mysql -nis -postgres
  -selinux -vda)
   Homepage:http://www.postfix.org/
   Description: A fast and secure drop-in replacement for
  sendmail.
 
 If I alter thunderbird to not use secure authentication, I get the
 following instead.
 
  May 27 17:14:26 ken postfix/smtpd[20115]: connect from
  ur.shic.co.uk[10.0.1.253]
  May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
  authentication problem: unknown password verifier
  May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
  authentication failure: Password verification failed
  May 27 17:14:26 ken postfix/smtpd[20115]: warning:
  ur.shic.co.uk[10.0.1.253]: SASL PLAIN authentication failed: no
  mechanism available
  May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
  authentication problem: unknown password verifier
  May 27 17:14:26 ken postfix/smtpd[20115]: warning:
  ur.shic.co.uk[10.0.1.253]: SASL LOGIN authentication failed: no
  mechanism available
 
 Which seems quite strange.
 
 My /etc/sasl2/smtpd.conf is the default for gentoo - i.e. it contains
 the single config line:
 
  pwcheck_method:pam
 
 I don't care if I use PAM or something else - as long as it lets me
 authenticate.  In the medium term, it would be best if neither IMAP
 nor SMTP passwords had any relation to my system password (not that I
 allow remote logins using it) - but, for the time being, I just want
 it to let me authenticate and send from my phone.
 
 By any chance can anyone give me any further clues?
 

You mentioned in your first mail that you use Dovecot. The easiest way
to setup SASL for Postfix is to have Postfix authenticate against
Dovecot, assuming that you want the same usernames and passwords for
both. Recompile mail-mta/postfix with the dovecot-sasl USE flag enabled.
Then, add the following to Postfix's configuration file after
commenting/removing the other SASL lines:

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Then, in dovecot's configuration file, add the following to the auth
default section:

socket listen {
   client {
  path = /var/spool/postfix/private/auth
  mode = 0660
  user = postfix
  group = postfix
   }
}

Adjust the path, user, and group as appropriate. The user and group
should be set to whatever user postfix is running under. Note that
private/auth in the path corresponds to the smtpd_sasl_path setting in
Postfix. Restart Dovecot and then Postfix.

I also recommend adding the following option to main.cf if your clients
support TLS encryption, which will not allow authentication over
unencrypted connections:

smtpd_tls_auth_only = yes

See http://www.postfix.org/SASL_README.html for other SASL mechanisms,
if you do not use or do not want to use Dovecot.

Regards,

Brandon Vargo




[gentoo-user] Postfix question about auth and blocklists...

2010-05-26 Thread Steve
On a gentoo mailserver, I'm running Postfix 2.6.5 - and, having followed
some howto or other, quite a long time ago, I have this section at the
end of my main.cf:

--
smtpd_recipient_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination,
 reject_non_fqdn_sender,
 reject_rbl_client sbl-xbl.spamhaus.org,
 reject_rbl_client list.dsbl.org,
 reject_rbl_client bl.spamcop.net,
 reject_unknown_sender_domain,
 reject_rhsbl_sender bogusmx.rfc-ignorant.org
--

While it might not be optimal, it worked extremely well for a long
time.  The block lists were a godsend as I receive(d) quite a lot of
spam which had threatened to bog down spamassassin.  For ages, I just
used my ISP's SMTP server to send, and only received on my own.

I've bought a smart phone (an HTC HD2 on Windows Mobile 6.5) and need to
use it to access my email on this server - both via mobile and Wi-Fi
connectivity.  The IMAP(s) side works OK for my inbox (after a few
dovecot tweaks)  - and, after setting up SASL, I can now send email
from my phone via my own SMTP server, which gateways this to my ISP...
all secured by a complex password.  So far, so good - and I can send
email from home over Wi-Fi from my phone.  The problem arises
elsewhere... where I'm not connected to my local (W)LAN (i.e. where I'm
not in permit_mynetworks) - where the phone reports:

--
The server returned the following error message:

554 5.7.1 Service unavailable; Client host 149.254.48.170 blocked using
sbl-xbl.spamhouse.org; http://www.spamhous.org/query/bl?ip=149.254.48.170
--

The block comes as no surprise as 149.254.48.170 isn't exclusively under
my control - and, likely, is a vector for lots of spam - now mobile data
services are cheap and difficult to trace.  What I didn't expect is for
my connection to be rejected even though I had the right username and
password.

So... the questions:

* How can I alter the configuration  to process email from blocked
locations if and only if the client authenticates?
* How can I verify that SMTP auth has been done (when connecting from my
LAN) - it would be a disaster if I inadvertently created an open relay. 
(I don't think I have - but better safe than sorry, etc.)

Thanks in advance for any replies...




Re: [gentoo-user] Postfix question about auth and blocklists...

2010-05-26 Thread Brandon Vargo
On Wed, 2010-05-26 at 15:40 +0100, Steve wrote:
 On a gentoo mailserver, I'm running Postfix 2.6.5 - and, having followed
 some howto or other, quite a long time ago, I have this section at the
 end of my main.cf:
 
 --
 smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_non_fqdn_sender,
  reject_rbl_client sbl-xbl.spamhaus.org,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client bl.spamcop.net,
  reject_unknown_sender_domain,
  reject_rhsbl_sender bogusmx.rfc-ignorant.org
 --
 
 While it might not be optimal, it worked extremely well for a long
 time.  The block lists were a godsend as I receive(d) quite a lot of
 spam which had threatened to bog down spamassassin.  For ages, I just
 used my ISP's SMTP server to send, and only received on my own.
 
 I've bought a smart phone (an HTC HD2 on Windows Mobile 6.5) and need to
 use it to access my email on this server - both via mobile and Wi-Fi
 connectivity.  The IMAP(s) side works OK for my inbox (after a few
 dovecot tweaks)  - and, after setting up SASL, I can now send email
 from my phone via my own SMTP server, which gateways this to my ISP...
 all secured by a complex password.  So far, so good - and I can send
 email from home over Wi-Fi from my phone.  The problem arises
 elsewhere... where I'm not connected to my local (W)LAN (i.e. where I'm
 not in permit_mynetworks) - where the phone reports:
 
 --
 The server returned the following error message:
 
 554 5.7.1 Service unavailable; Client host 149.254.48.170 blocked using
 sbl-xbl.spamhouse.org; http://www.spamhous.org/query/bl?ip=149.254.48.170
 --
 
 The block comes as no surprise as 149.254.48.170 isn't exclusively under
 my control - and, likely, is a vector for lots of spam - now mobile data
 services are cheap and difficult to trace.  What I didn't expect is for
 my connection to be rejected even though I had the right username and
 password.
 
 So... the questions:
 
 * How can I alter the configuration  to process email from blocked
 locations if and only if the client authenticates?
 * How can I verify that SMTP auth has been done (when connecting from my
 LAN) - it would be a disaster if I inadvertently created an open relay. 
 (I don't think I have - but better safe than sorry, etc.)
 
 Thanks in advance for any replies...
 
 

You want to split your rules between smtpd_recipient_restrictions,
smtpd_sender_restrictions, and smtpd_client_restrictions. The first will
apply rules to the recipient address, controlling the destinations to
which the mail server will send mail. The second will apply rules to the
sender address. The third will restrict who is allowed to connect to
your mail server in the first place. By default,
smtpd_recipient_restrictions permits mynetworks and rejects unauthorized
recipients, smtpd_sender_restrictions permits everything, and
smtpd_client_restrictions allows all connections. In all, the first
restriction that matches is applied.

What you want is something closer to this:

smtpd_client_restrictions = 
   permit_mynetworks, 
   permit_sasl_authenticated, 
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client bl.spamcop.net,
   reject_rhsbl_sender bogusmx.rfc-ignorant.org

smtpd_recipient_restrictions = 
   permit_mynetworks, 
   permit_sasl_authenticated, 
   reject_unauth_destination

smtpd_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain

Note that I have not tested this exact configuration, but I have
something similar on my mail server. This configuration will allow all
mail from your local network and any authenticated client. If neither of
these conditions are met, the remote client is blocked if they are on
one of the DNS block lists, the sender address is not known, or the mail
is addressed to an unauthorized destination. If the client is on the
local network or authenticated, none of the other rules will apply. You
can of course test the rules by using one of the many mail relay testing
websites or simply connecting from outside your network with and without
using authentication.

For more information on these rules, look at the postfix documentation,
which is quite comprehensive:
  * http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
  * http://www.postfix.org/postconf.5.html#smtpd_client_restrictions
  * http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

You might also want to take a look at smtpd_helo_restrictions and
smtpd_data_restrictions for further tuning. Also, note that spamhaus
recommends zen.spamhaus.org instead of sbl-xbl.spamhaus.org. The former
is more comprehensive while the latter is geared only toward exploits.
Do not include both, as zen includes sbl-xbl.

For more in-depth information, you probably want to ask the
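
The ordering behaviour described in this reply can be traced with a small model of restriction-list evaluation, run here against both the original single list and the suggested split lists. This is an added example, not code from the thread or from Postfix: it assumes that a PERMIT ends only the list it occurs in while a REJECT ends the whole check, it does not model DNS lookups or `reject_rhsbl_sender`, and the `Session` fields and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Facts about one SMTP session that the restrictions on this page look at."""
    in_mynetworks: bool = False
    sasl_authenticated: bool = False
    rbl_listed: bool = False           # client IP is on a DNS blocklist
    sender_fqdn: bool = True
    sender_domain_known: bool = True
    rcpt_local_or_relay: bool = True   # recipient is in mydestination/relay_domains


def check(restriction, s):
    """Return 'PERMIT', 'REJECT' or None (no match, fall through to the next one)."""
    name = restriction.split()[0]
    if name == "permit_mynetworks":
        return "PERMIT" if s.in_mynetworks else None
    if name == "permit_sasl_authenticated":
        return "PERMIT" if s.sasl_authenticated else None
    if name == "reject_rbl_client":
        return "REJECT" if s.rbl_listed else None
    if name == "reject_unauth_destination":
        return None if s.rcpt_local_or_relay else "REJECT"
    if name == "reject_non_fqdn_sender":
        return None if s.sender_fqdn else "REJECT"
    if name == "reject_unknown_sender_domain":
        return None if s.sender_domain_known else "REJECT"
    if name == "reject_rhsbl_sender":
        return None                    # sender-domain blocklist lookups are not modelled
    raise ValueError(f"restriction not modelled: {restriction}")


def evaluate(lists, s):
    """Walk the lists in order; REJECT is final, PERMIT only ends the current list."""
    for parameter, restrictions in lists.items():
        for restriction in restrictions:
            verdict = check(restriction, s)
            if verdict == "REJECT":
                return ("REJECT", parameter, restriction)
            if verdict == "PERMIT":
                break
    return ("PERMIT", None, None)


RBLS = ["reject_rbl_client sbl-xbl.spamhaus.org", "reject_rbl_client list.dsbl.org",
        "reject_rbl_client bl.spamcop.net"]
ACCEPT_KNOWN = ["permit_mynetworks", "permit_sasl_authenticated"]

# The single list from the original question.
ORIGINAL = {"smtpd_recipient_restrictions": ACCEPT_KNOWN + [
    "reject_unauth_destination", "reject_non_fqdn_sender", *RBLS,
    "reject_unknown_sender_domain", "reject_rhsbl_sender bogusmx.rfc-ignorant.org"]}

# The split configuration suggested in the reply (client, sender, recipient order).
SPLIT = {
    "smtpd_client_restrictions": ACCEPT_KNOWN + RBLS + [
        "reject_rhsbl_sender bogusmx.rfc-ignorant.org"],
    "smtpd_sender_restrictions": ACCEPT_KNOWN + [
        "reject_non_fqdn_sender", "reject_unknown_sender_domain"],
    "smtpd_recipient_restrictions": ACCEPT_KNOWN + ["reject_unauth_destination"],
}

# Constructed sessions: the phone on a listed mobile IP, with and without AUTH,
# an unauthenticated outsider trying to relay, and ordinary inbound mail.
PHONE_AUTH = Session(sasl_authenticated=True, rbl_listed=True, rcpt_local_or_relay=False)
PHONE_NO_AUTH = Session(rbl_listed=True, rcpt_local_or_relay=False)
RELAY_PROBE = Session(rcpt_local_or_relay=False)
INBOUND_MAIL = Session()

if __name__ == "__main__":
    for label, s in [("phone, AUTH ok", PHONE_AUTH), ("phone, no AUTH", PHONE_NO_AUTH),
                     ("relay probe", RELAY_PROBE), ("inbound mail", INBOUND_MAIL)]:
        print(f"{label:15} original={evaluate(ORIGINAL, s)[0]} split={evaluate(SPLIT, s)}")
```

In this model an authenticated session is permitted by both configurations before any blocklist check runs, and the unauthenticated relay attempt is refused by `reject_unauth_destination` in both, which is the open-relay property the original question asks about.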

Re: [gentoo-user] Postfix Question

2008-04-18 Thread Stroller

Hi there,

Sorry to be so long replying - I've been busy with work & haven't
been reading the list. In case you're still having problems - and for  
the benefit of teh Googles - it looks to me like mail.ipr.edu may be  
doing clever greylisting  stuff.


If I telnet in and - giving a legitimate from: address - try sending  
a message to [EMAIL PROTECTED] then it tells me to try again later. If I  
try sending one to [EMAIL PROTECTED] I get user unknown (in fact,  
I think there is no MX record for abulafia.ipr.edu).


I don't know for sure whether things have changed at mail.ipr.edu in  
the last week, but maybe it's rejecting the mail because the from:  
address is invalid. I would try changing the from: address set by  
Joomba.


Stroller.



On 11 Apr 2008, at 20:31, Jason Messerschmitt wrote:

Thanks for your response. Here is the output of my telnet test. I  
guess I'm really not sure what to make of it. The bolded text is of  
some concern to me.


pc130:~ admin$ telnet mail.ipr.edu 25
Trying 66.226.64.2...
Connected to mail.ipr.edu.
Escape character is '^]'.
220 pro.abac.com ESMTP Sendmail 8.14.1/8.14.1; Fri, 11 Apr 2008  
12:27:30 -0700 (PDT)

helo abulafia.ipr.edu
250 pro.abac.com Hello 75-146-145-253- 
stlouispark.mn.minn.hfc.comcastbusiness.net [75.146.145.253] (may  
be forged), pleased to meet you

mail from:[EMAIL PROTECTED]
250 2.1.0 [EMAIL PROTECTED] Sender ok
rcpt to:[EMAIL PROTECTED]
550 5.1.1 [EMAIL PROTECTED] User unknown

Thanks again. I'm not necessarily looking for someone to give me  
the answer, as it were, but if I could get some help looking in the  
right direction I would be very appreciative.


Best to you,
Jason

On Fri, Apr 11, 2008 at 12:50 AM, Stroller  
[EMAIL PROTECTED] wrote:
It's kinda difficult to help with this, without knowing what the A- 
Plus server is seeing.
An unsanitised copy of the bounce message would probably show the  
problem.


Does it definitely show the correct email address of a user for  
which A-Plus has a mailbox?


Can you reproduce the problem telnetting to the A-Plus MX server on  
port 25?

http://www.yuki-onna.co.uk/email/smtp.html
http://www.simplescripts.de/smtp-check-port-25-telnet-command.htm

Stroller


On 10 Apr 2008, at 19:44, Jason Messerschmitt wrote:

I guess I'll dip my toes in here and admit that I can't figure  
this out.


Synopsis:  I've setup Postfix to be a mail out only smtp server. I  
just want it for our Joomla based web pages and our helpdesk to be  
able to mail to users from the local server. The problem is this:  
I can mail to any domain (gmail, hotmail, yahoo, etc) without  
problem, but I can't receive mail directly through our A-plus  
based mail (the worst!). What happens is that A-plus' server  
rejects the user as unknown even though I know it is correct. What
really gets my goat is that after that message is returned to my  
server it is then delivered to the A-plus server and thusly shows  
up in my webmail and email client. Below are my configs.





--
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] Postfix Question

2008-04-18 Thread Jason Messerschmitt
Stroller,

Thanks for getting back to me on this. My original intent was to only send
mail from abulafia, not receive it from outside (of course it can be
delivered locally). Is it still necessary to have an MX record made for
abulafia? Maybe I'll go ahead and give that a try.

Joomla has always had a valid address as far as mail.ipr.edu is concerned,
but is from an address that doesn't exist locally on abulafia- matter? In my
experience this from address hasn't mattered. Unfortunately in joomla I
can't use an smtp server with ssl and a-plus requires it. If I could this
whole mess could be avoided - I'm not a mail man as it were.

-jason

On Fri, Apr 18, 2008 at 4:52 AM, Stroller [EMAIL PROTECTED]
wrote:

 Hi there,

 Sorry to be so long replying - I've been busy with work & haven't been
 reading the list. In case you're still having problems - and for the benefit
 of teh Googles - it looks to me like mail.ipr.edu may be doing clever
 greylisting  stuff.

 If I telnet in and - giving a legitimate from: address - try sending a
 message to [EMAIL PROTECTED] then it tells me to try again later. If I try
 sending one to [EMAIL PROTECTED] I get user unknown (in fact, I think
 there is no MX record for abulafia.ipr.edu).

 I don't know for sure whether things have changed at mail.ipr.edu in the
 last week, but maybe it's rejecting the mail because the from: address is
 invalid. I would try changing the from: address set by Joomba.

 Stroller.




 On 11 Apr 2008, at 20:31, Jason Messerschmitt wrote:

  Thanks for your response. Here is the output of my telnet test. I guess
  I'm really not sure what to make of it. The bolded text is of some concern
  to me.
 
  pc130:~ admin$ telnet mail.ipr.edu 25
  Trying 66.226.64.2...
  Connected to mail.ipr.edu.
  Escape character is '^]'.
  220 pro.abac.com ESMTP Sendmail 8.14.1/8.14.1; Fri, 11 Apr 2008 12:27:30
  -0700 (PDT)
  helo abulafia.ipr.edu
  250 pro.abac.com Hello 75-146-145-253-
  stlouispark.mn.minn.hfc.comcastbusiness.net [75.146.145.253] (may be
  forged), pleased to meet you
  mail from:[EMAIL PROTECTED] [EMAIL PROTECTED]
  250 2.1.0 [EMAIL PROTECTED] Sender ok
  rcpt to:[EMAIL PROTECTED] [EMAIL PROTECTED]
  550 5.1.1 [EMAIL PROTECTED] User unknown
 
  Thanks again. I'm not necessarily looking for someone to give me the
  answer, as it were, but if I could get some help looking in the right
  direction I would be very appreciative.
 
  Best to you,
  Jason
 
  On Fri, Apr 11, 2008 at 12:50 AM, Stroller 
  [EMAIL PROTECTED] wrote:
  It's kinda difficult to help with this, without knowing what the A-Plus
  server is seeing.
  An unsanitised copy of the bounce message would probably show the
  problem.
 
  Does it definitely show the correct email address of a user for which
  A-Plus has a mailbox?
 
  Can you reproduce the problem telnetting to the A-Plus MX server on port
  25?
  http://www.yuki-onna.co.uk/email/smtp.html
  http://www.simplescripts.de/smtp-check-port-25-telnet-command.htm
 
  Stroller
 
 
  On 10 Apr 2008, at 19:44, Jason Messerschmitt wrote:
 
   I guess I'll dip my toes in here and admit that I can't figure this
   out.
  
   Synopsis:  I've setup Postfix to be a mail out only smtp server. I
   just want it for our Joomla based web pages and our helpdesk to be able to
   mail to users from the local server. The problem is this: I can mail to 
   any
   domain (gmail, hotmail, yahoo, etc) without problem, but I can't receive
   mail directly through our A-plus based mail (the worst!). What happens is
   that A-plus' server rejects the user as unknown even though I know it is
   correct. What really gets my goat is that after that message is returned 
   to
   my server it is then delivered to the A-plus server and thusly shows up in
   my webmail and email client. Below are my configs.
  
  




Re: [gentoo-user] Postfix Question

2008-04-11 Thread Jason Messerschmitt
Thanks for your response. Here is the output of my telnet test. I guess I'm
really not sure what to make of it. The bolded text is of some concern to
me.
pc130:~ admin$ telnet mail.ipr.edu 25
Trying 66.226.64.2...
Connected to mail.ipr.edu.
Escape character is '^]'.
220 pro.abac.com ESMTP Sendmail 8.14.1/8.14.1; Fri, 11 Apr 2008 12:27:30
-0700 (PDT)
helo abulafia.ipr.edu
250 pro.abac.com Hello
75-146-145-253-stlouispark.mn.minn.hfc.comcastbusiness.net [75.146.145.253]
(may be forged), pleased to meet you
mail from:[EMAIL PROTECTED] [EMAIL PROTECTED]
250 2.1.0 [EMAIL PROTECTED] Sender ok
rcpt to:[EMAIL PROTECTED] [EMAIL PROTECTED]
550 5.1.1 [EMAIL PROTECTED] User unknown

Thanks again. I'm not necessarily looking for someone to give me the answer,
as it were, but if I could get some help looking in the right direction I
would be very appreciative.

Best to you,
Jason

On Fri, Apr 11, 2008 at 12:50 AM, Stroller [EMAIL PROTECTED]
wrote:

 It's kinda difficult to help with this, without knowing what the A-Plus
 server is seeing.
 An unsanitised copy of the bounce message would probably show the problem.

 Does it definitely show the correct email address of a user for
 which A-Plus has a mailbox?

 Can you reproduce the problem telnetting to the A-Plus MX server on port
 25?
 http://www.yuki-onna.co.uk/email/smtp.html
 http://www.simplescripts.de/smtp-check-port-25-telnet-command.htm

 Stroller


 On 10 Apr 2008, at 19:44, Jason Messerschmitt wrote:

 I guess I'll dip my toes in here and admit that I can't figure this out.

 Synopsis:  I've setup Postfix to be a mail out only smtp server. I just
 want it for our Joomla based web pages and our helpdesk to be able to mail
 to users from the local server. The problem is this: I can mail to any
 domain (gmail, hotmail, yahoo, etc) without problem, but I can't receive
 mail *directly* through our A-plus based mail (the worst!). What happens
 is that A-plus' server rejects the user as unknown even though I know it is
 correct. What really gets my goat is that after that message is returned to
 my server it is then delivered to the A-plus server and thusly shows up in
 my webmail and email client. Below are my configs.




[gentoo-user] Postfix Question

2008-04-10 Thread Jason Messerschmitt
I guess I'll dip my toes in here and admit that I can't figure this out.

Synopsis:  I've setup Postfix to be a mail out only smtp server. I just want
it for our Joomla based web pages and our helpdesk to be able to mail to
users from the local server. The problem is this: I can mail to any domain
(gmail, hotmail, yahoo, etc) without problem, but I can't receive mail *
directly* through our A-plus based mail (the worst!). What happens is that
A-plus' server rejects the user as unknown even though I know it is correct.
What really gets my goat is that after that message is returned to my server
it is then delivered to the A-plus server and thusly shows up in my webmail
and email client. Below are my configs.

Postfix:

#soft_bounce = no
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib64/postfix
mail_owner = postfix
#default_privs = nobody
myhostname = abulafia.ipr.edu
#myhostname = virtual.domain.tld
mydomain = ipr.edu
myorigin = $myhostname
#myorigin = $mydomain
inet_interfaces = all
#proxy_interfaces =
#proxy_interfaces = 1.2.3.4
mydestination = $myhostname, localhost.$mydomain, localhost
#local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
unknown_local_recipient_reject_code = 450
mynetworks_style = host
mynetworks = 168.100.189.0/28, 127.0.0.0/8
#relay_domains = $mydestination
#relayhost = mail.ipr.edu
#relayhost = smtp.comcast.net
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
#in_flow_delay = 1s
#alias_maps = dbm:/etc/aliases
#alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
#alias_database = dbm:/etc/aliases
#alias_database = dbm:/etc/mail/aliases
#alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
#home_mailbox = Mailbox
#home_mailbox = Maildir/
#mail_spool_directory = /var/mail
#mail_spool_directory = /var/spool/mail
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a $EXTENSION
#mailbox_transport = lmtp:unix:/file/name
#mailbox_transport = cyrus
#fallback_transport = lmtp:unix:/file/name
#fallback_transport = cyrus
#fallback_transport =
#luser_relay = [EMAIL PROTECTED]
#luser_relay = [EMAIL PROTECTED]
#luser_relay = admin+$local
#header_checks = regexp:/etc/postfix/header_checks
#fast_flush_domains = $relay_domains
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
debug_peer_level = 2
#debug_peer_list = 127.0.0.1
#debug_peer_list = some.domain
debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.4.5/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.4.5/readme
home_mailbox = .maildir/