Re: Relay host auth not working
On 7/12/2011 10:59 AM, Ron Garret wrote:

>> Since this is a server to server relay of known/trusted systems, and
>> assuming that 184.73.65.10 is static and won't change any time soon, why
>> not simply add 184.73.65.10 to $mynetworks on secure.genesisgroup.info
>> and forget the sasl auth junk? This should get the relaying working
>> instantly with little or no pitfalls.
>
> That's a good idea. The reason I didn't do it this way is that I can't count
> on the client IP remaining static.

Darn cheap hosting. :(

> Also, I like to understand how things work, and I don't like to admit defeat
> :-)

Good attitude. That's the spirit.

--
Stan
Re: Relay host auth not working
On Jul 11, 2011, at 11:37 PM, Ron Garret wrote:

>
> On Jul 11, 2011, at 11:17 PM, Mike Morris wrote:
>
>> On 07/11/2011 10:12 PM, Ron Garret wrote:
>>>
>>> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote:
>>>
>>>> On 7/11/2011 8:12 PM, Ron Garret wrote:
>>>>> I'm trying to set up a relay host with authentication according to these
>>>>> instructions:
>>>>>
>>>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/
>>>>>
>>>>> but it's not working. I know my SMTP server is set up properly because I
>>>>> can send mail using various other clients, but postfix is apparently not
>>>>> even attempting to authorize. Here are the relevant lines from main.cf:
>>>>>
>>>>> relayhost = secure.genesisgroup.info
>>>>> smtp_sasl_auth_enable = yes
>>>>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>>>> smtp_sasl_security_options =
>>>>>
>>>>> Here is a log excerpt from my server from a successful login from a
>>>>> different client (python smtplib):
>>>>>
>>>>> Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from
>>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>>>> Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949:
>>>>> client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10],
>>>>> sasl_method=LOGIN, sasl_username=XXX
>>>>>
>>>>> and here's the same thing when Postfix tries to connect between the same
>>>>> two machines:
>>>>>
>>>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from
>>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from
>>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1
>>>>> : Relay access denied;
>>>>> from= to= proto=ESMTP
>>>>> helo=
>>>>>
>>>>> As you can see, postfix is not even attempting to authorize.
>>>>>
>>>>> What am I doing wrong?
>>>>
>>>> You're not telling us what you're attempting to accomplish for starters.
>>>
>>> Sorry, I thought that would be clear from the context. I'm trying to do
>>> exactly what you say:
>>>
>>>> When you specify relayhost you're telling Postfix to forward all non
>>>> local outbound mail to a gateway instead of delivering it directly to
>>>> internet MX destinations.
>>>
>>> Yes, that is exactly what I'm trying to do. The reason is that mail sent
>>> directly from an EC2 instance is usually flagged as spam by many mail
>>> recipients because the reverse DNS doesn't resolve properly.
>>>
>>>> You're showing smtpd logging, but the relayhost parameter applies to
>>>> smtp, not smtpd. Your logging shows a host connecting to your Postfix
>>>> server, not your Postfix server connecting to secure.genesisgroup.info.
>>>
>>>
>>> The log excerpts are taken from the postfix server on
>>> secure.genesisgroup.info, which is the machine I want to use to relay
>>> outbound mail from the EC2 instance. Sorry that wasn't clear.
>>>
>>>> Either you don't understand the relayhost parameter, or I simply don't
>>>> understand your goal here, or probably both.
>>>
>>>
>>> Well, I'm clearly missing something. But I don't think it's the relayhost
>>> parameter.
>>>
>>> rg
>>>
>>
>> As stated by Jeroen, supplying the list with the output of 'postconf -n'
>> would be much more preferred than sending the entire output of
>> 'postconf'. There is no need for people to wade through hundreds of
>> lines that are configured for default values.
>
> Sorry, I'm still kinda new at this.
>
>> The server at secure.genesisgroup.info only advertises AUTH support
>> after STARTTLS. Therefore, in order to successfully authenticate with
>> that server from the client at 184.73.65.10, the following configuration
>> changes will need to be made on 184.73.65.10:
>>
>> Configure smtp_tls_security_level and/or smtp_tls_policy_maps, using at
>> least a setting of 'may'. This will allow the SMTP client to attempt
>> STARTTLS connections with remote hosts.
>
> Ah. I thought SASL implied TLS, but I guess it doesn't.
>
> So I tried adding:
>
> smtp_sasl_security_options = auth
> smtp_tls_security_level = may
>
> And now I get "unknown mail transport error" on the client side, and this on
> the server side:

Just for the record, this worked:

smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may

Thanks for all the responses!

rg
Re: Relay host auth not working
On Jul 12, 2011, at 12:13 AM, Stan Hoeppner wrote:

> On 7/12/2011 1:37 AM, Ron Garret wrote:
>>
>> On Jul 11, 2011, at 11:17 PM, Mike Morris wrote:
>
>>> Configure smtp_tls_security_level and/or smtp_tls_policy_maps, using at
>>> least a setting of 'may'. This will allow the SMTP client to attempt
>>> STARTTLS connections with remote hosts.
>>
>> Ah. I thought SASL implied TLS, but I guess it doesn't.
>>
>> So I tried adding:
>>
>> smtp_sasl_security_options = auth
>> smtp_tls_security_level = may
>>
>> And now I get "unknown mail transport error" on the client side, and this on
>> the server side:
>>
>> Jul 11 23:30:51 vm01 postfix/smtpd[22169]: connect from
>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>> Jul 11 23:30:52 vm01 postfix/smtpd[22169]: lost connection after EHLO from
>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>> Jul 11 23:30:52 vm01 postfix/smtpd[22169]: disconnect from
>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>
>>> Set smtp_sasl_security_options = noanonymous (or whatever is
>>> appropriate). The remote server at secure.genesisgroup.info advertises
>>> the following: AUTH PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
>>>
>>> Read the TLS_README and SASL_README files for more information.
>>
>> Will do. At least now I know where to look to make further progress.
>> Thanks!
>
> Since this is a server to server relay of known/trusted systems, and
> assuming that 184.73.65.10 is static and won't change any time soon, why
> not simply add 184.73.65.10 to $mynetworks on secure.genesisgroup.info
> and forget the sasl auth junk? This should get the relaying working
> instantly with little or no pitfalls.

That's a good idea. The reason I didn't do it this way is that I can't count on the client IP remaining static.

Also, I like to understand how things work, and I don't like to admit defeat :-)

rg
Re: Relay host auth not working
On 7/12/2011 1:37 AM, Ron Garret wrote:

>
> On Jul 11, 2011, at 11:17 PM, Mike Morris wrote:

>> Configure smtp_tls_security_level and/or smtp_tls_policy_maps, using at
>> least a setting of 'may'. This will allow the SMTP client to attempt
>> STARTTLS connections with remote hosts.
>
> Ah. I thought SASL implied TLS, but I guess it doesn't.
>
> So I tried adding:
>
> smtp_sasl_security_options = auth
> smtp_tls_security_level = may
>
> And now I get "unknown mail transport error" on the client side, and this on
> the server side:
>
> Jul 11 23:30:51 vm01 postfix/smtpd[22169]: connect from
> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
> Jul 11 23:30:52 vm01 postfix/smtpd[22169]: lost connection after EHLO from
> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
> Jul 11 23:30:52 vm01 postfix/smtpd[22169]: disconnect from
> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>
>> Set smtp_sasl_security_options = noanonymous (or whatever is
>> appropriate). The remote server at secure.genesisgroup.info advertises
>> the following: AUTH PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
>>
>> Read the TLS_README and SASL_README files for more information.
>
> Will do. At least now I know where to look to make further progress. Thanks!

Since this is a server to server relay of known/trusted systems, and assuming that 184.73.65.10 is static and won't change any time soon, why not simply add 184.73.65.10 to $mynetworks on secure.genesisgroup.info and forget the sasl auth junk? This should get the relaying working instantly with little or no pitfalls.

--
Stan
Re: Relay host auth not working
On Jul 11, 2011, at 11:17 PM, Mike Morris wrote:

> On 07/11/2011 10:12 PM, Ron Garret wrote:
>>
>> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote:
>>
>>> On 7/11/2011 8:12 PM, Ron Garret wrote:
>>>> I'm trying to set up a relay host with authentication according to these
>>>> instructions:
>>>>
>>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/
>>>>
>>>> but it's not working. I know my SMTP server is set up properly because I
>>>> can send mail using various other clients, but postfix is apparently not
>>>> even attempting to authorize. Here are the relevant lines from main.cf:
>>>>
>>>> relayhost = secure.genesisgroup.info
>>>> smtp_sasl_auth_enable = yes
>>>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>>> smtp_sasl_security_options =
>>>>
>>>> Here is a log excerpt from my server from a successful login from a
>>>> different client (python smtplib):
>>>>
>>>> Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from
>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>>> Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949:
>>>> client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10],
>>>> sasl_method=LOGIN, sasl_username=XXX
>>>>
>>>> and here's the same thing when Postfix tries to connect between the same
>>>> two machines:
>>>>
>>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from
>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from
>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1
>>>> : Relay access denied;
>>>> from= to= proto=ESMTP
>>>> helo=
>>>>
>>>> As you can see, postfix is not even attempting to authorize.
>>>>
>>>> What am I doing wrong?
>>>
>>> You're not telling us what you're attempting to accomplish for starters.
>>
>> Sorry, I thought that would be clear from the context. I'm trying to do
>> exactly what you say:
>>
>>> When you specify relayhost you're telling Postfix to forward all non
>>> local outbound mail to a gateway instead of delivering it directly to
>>> internet MX destinations.
>>
>> Yes, that is exactly what I'm trying to do. The reason is that mail sent
>> directly from an EC2 instance is usually flagged as spam by many mail
>> recipients because the reverse DNS doesn't resolve properly.
>>
>>> You're showing smtpd logging, but the relayhost parameter applies to
>>> smtp, not smtpd. Your logging shows a host connecting to your Postfix
>>> server, not your Postfix server connecting to secure.genesisgroup.info.
>>
>>
>> The log excerpts are taken from the postfix server on
>> secure.genesisgroup.info, which is the machine I want to use to relay
>> outbound mail from the EC2 instance. Sorry that wasn't clear.
>>
>>> Either you don't understand the relayhost parameter, or I simply don't
>>> understand your goal here, or probably both.
>>
>>
>> Well, I'm clearly missing something. But I don't think it's the relayhost
>> parameter.
>>
>> rg
>>
>
> As stated by Jeroen, supplying the list with the output of 'postconf -n'
> would be much more preferred than sending the entire output of
> 'postconf'. There is no need for people to wade through hundreds of
> lines that are configured for default values.

Sorry, I'm still kinda new at this.

> The server at secure.genesisgroup.info only advertises AUTH support
> after STARTTLS. Therefore, in order to successfully authenticate with
> that server from the client at 184.73.65.10, the following configuration
> changes will need to be made on 184.73.65.10:
>
> Configure smtp_tls_security_level and/or smtp_tls_policy_maps, using at
> least a setting of 'may'. This will allow the SMTP client to attempt
> STARTTLS connections with remote hosts.

Ah. I thought SASL implied TLS, but I guess it doesn't.

So I tried adding:

smtp_sasl_security_options = auth
smtp_tls_security_level = may

And now I get "unknown mail transport error" on the client side, and this on the server side:

Jul 11 23:30:51 vm01 postfix/smtpd[22169]: connect from ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
Jul 11 23:30:52 vm01 postfix/smtpd[22169]: lost connection after EHLO from ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
Jul 11 23:30:52 vm01 postfix/smtpd[22169]: disconnect from ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]

> Set smtp_sasl_security_options = noanonymous (or whatever is
> appropriate). The remote server at secure.genesisgroup.info advertises
> the following: AUTH PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
>
> Read the TLS_README and SASL_README files for more information.

Will do. At least now I know where to look to make further progress. Thanks!

rg
Re: Relay host auth not working
On 07/11/2011 10:12 PM, Ron Garret wrote:

>
> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote:
>
>> On 7/11/2011 8:12 PM, Ron Garret wrote:
>>> I'm trying to set up a relay host with authentication according to these
>>> instructions:
>>>
>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/
>>>
>>> but it's not working. I know my SMTP server is set up properly because I
>>> can send mail using various other clients, but postfix is apparently not
>>> even attempting to authorize. Here are the relevant lines from main.cf:
>>>
>>> relayhost = secure.genesisgroup.info
>>> smtp_sasl_auth_enable = yes
>>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>> smtp_sasl_security_options =
>>>
>>> Here is a log excerpt from my server from a successful login from a
>>> different client (python smtplib):
>>>
>>> Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from
>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>> Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949:
>>> client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10],
>>> sasl_method=LOGIN, sasl_username=XXX
>>>
>>> and here's the same thing when Postfix tries to connect between the same
>>> two machines:
>>>
>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from
>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from
>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1
>>> : Relay access denied;
>>> from= to= proto=ESMTP
>>> helo=
>>>
>>> As you can see, postfix is not even attempting to authorize.
>>>
>>> What am I doing wrong?
>>
>> You're not telling us what you're attempting to accomplish for starters.
>
> Sorry, I thought that would be clear from the context. I'm trying to do
> exactly what you say:
>
>> When you specify relayhost you're telling Postfix to forward all non
>> local outbound mail to a gateway instead of delivering it directly to
>> internet MX destinations.
>
> Yes, that is exactly what I'm trying to do. The reason is that mail sent
> directly from an EC2 instance is usually flagged as spam by many mail
> recipients because the reverse DNS doesn't resolve properly.
>
>> You're showing smtpd logging, but the relayhost parameter applies to
>> smtp, not smtpd. Your logging shows a host connecting to your Postfix
>> server, not your Postfix server connecting to secure.genesisgroup.info.
>
>
> The log excerpts are taken from the postfix server on
> secure.genesisgroup.info, which is the machine I want to use to relay
> outbound mail from the EC2 instance. Sorry that wasn't clear.
>
>> Either you don't understand the relayhost parameter, or I simply don't
>> understand your goal here, or probably both.
>
>
> Well, I'm clearly missing something. But I don't think it's the relayhost
> parameter.
>
> rg
>

As stated by Jeroen, supplying the list with the output of 'postconf -n' would be much more preferred than sending the entire output of 'postconf'. There is no need for people to wade through hundreds of lines that are configured for default values.

The server at secure.genesisgroup.info only advertises AUTH support after STARTTLS. Therefore, in order to successfully authenticate with that server from the client at 184.73.65.10, the following configuration changes will need to be made on 184.73.65.10:

Configure smtp_tls_security_level and/or smtp_tls_policy_maps, using at least a setting of 'may'. This will allow the SMTP client to attempt STARTTLS connections with remote hosts.

Set smtp_sasl_security_options = noanonymous (or whatever is appropriate). The remote server at secure.genesisgroup.info advertises the following: AUTH PLAIN DIGEST-MD5 CRAM-MD5 LOGIN

Read the TLS_README and SASL_README files for more information.

-Mike
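
Added example (not part of the original thread and not Postfix code): a small offline Python check that replays the three client-side main.cf variants tried in this thread against a relay that advertises AUTH only after STARTTLS. The two EHLO replies are constructed samples (only the AUTH mechanism list comes from the message above), the function names and finding labels are invented for illustration, and legacy parameters such as smtp_use_tls and the client's installed SASL plugins are assumed out of scope.

```python
import re

# Option names documented for smtp_sasl_security_options in postconf(5).
SASL_OPTIONS = {"noplaintext", "noactive", "nodictionary", "noanonymous", "mutual_auth"}
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed EHLO replies for a relay that hides AUTH until TLS is active.
# Only the AUTH mechanism list is taken from the thread.
EHLO_BEFORE_TLS = """250-secure.genesisgroup.info
250-PIPELINING
250-STARTTLS
250 8BITMIME"""
EHLO_AFTER_TLS = """250-secure.genesisgroup.info
250-PIPELINING
250-AUTH PLAIN DIGEST-MD5 CRAM-MD5 LOGIN
250 8BITMIME"""

# The three client-side main.cf variants tried in the thread.
BASE = """relayhost = secure.genesisgroup.info
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
"""
FIRST_TRY = BASE + "smtp_sasl_security_options =\n"
SECOND_TRY = BASE + "smtp_sasl_security_options = auth\nsmtp_tls_security_level = may\n"
WORKING = BASE + "smtp_sasl_security_options = noanonymous\nsmtp_tls_security_level = may\n"


def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def parse_ehlo(reply):
    """Return (starttls_offered, set_of_auth_mechanisms) from an EHLO reply."""
    starttls, mechs = False, set()
    for line in reply.splitlines():
        m = re.match(r"250[- ](\S+)(.*)", line.strip())
        if not m:
            continue
        keyword, rest = m.group(1).upper(), m.group(2)
        if keyword == "STARTTLS":
            starttls = True
        elif keyword == "AUTH" or keyword.startswith("AUTH="):
            # "AUTH=PLAIN LOGIN" is a legacy spelling some servers also send.
            mechs.update((keyword[5:] + " " + rest).upper().split())
    return starttls, mechs


def diagnose(main_cf, ehlo_before_tls, ehlo_after_tls):
    """Return a list of finding labels for one client config against one relay."""
    cf = parse_main_cf(main_cf)
    if cf.get("smtp_sasl_auth_enable", "no") != "yes":
        return ["sasl-disabled"]
    # Absent parameter: Postfix default. Empty value: no restrictions at all.
    raw_opts = cf.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    opts = set(re.split(r"[,\s]+", raw_opts)) - {""}
    bad = sorted(opts - SASL_OPTIONS)
    if bad:
        return ["invalid-sasl-option:" + ",".join(bad)]
    level = cf.get("smtp_tls_security_level", "")
    starttls_offered, plain_mechs = parse_ehlo(ehlo_before_tls)
    _, tls_mechs = parse_ehlo(ehlo_after_tls)
    if level not in ("", "none", "may") and not starttls_offered:
        return ["starttls-required-but-not-offered"]
    encrypted = level not in ("", "none") and starttls_offered
    offered = tls_mechs if encrypted else plain_mechs
    if not offered:
        # The client never sees an AUTH line, so it sends mail unauthenticated
        # and the relay answers "Relay access denied".
        return ["auth-hidden-until-starttls" if tls_mechs else "server-offers-no-auth"]
    usable = set(offered)
    if "noplaintext" in opts:
        usable -= PLAINTEXT_MECHS
    if "noanonymous" in opts:
        usable.discard("ANONYMOUS")
    if not usable:
        return ["no-mechanism-passes-security-options"]
    findings = ["ok:" + ",".join(sorted(usable))]
    if level == "may":
        # 'may' is opportunistic TLS; 'encrypt' makes STARTTLS mandatory.
        findings.append("tls-not-mandatory")
    return findings


if __name__ == "__main__":
    for label, cfg in (("first try", FIRST_TRY), ("second try", SECOND_TRY),
                       ("working", WORKING)):
        print(label, "->", diagnose(cfg, EHLO_BEFORE_TLS, EHLO_AFTER_TLS))
```

The "tls-not-mandatory" finding marks that with 'may' the client only attempts STARTTLS; a relay that must always receive credentials over TLS would use 'encrypt' or a per-destination entry in smtp_tls_policy_maps.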
Re: Relay host auth not working
On Jul 11, 2011, at 11:07 PM, Stan Hoeppner wrote:

> On 7/12/2011 12:12 AM, Ron Garret wrote:
>>
>> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote:
>>
>>> On 7/11/2011 8:12 PM, Ron Garret wrote:
>>>> I'm trying to set up a relay host with authentication according to these
>>>> instructions:
>>>>
>>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/
>>>>
>>>> but it's not working. I know my SMTP server is set up properly because I
>>>> can send mail using various other clients, but postfix is apparently not
>>>> even attempting to authorize. Here are the relevant lines from main.cf:
>>>>
>>>> relayhost = secure.genesisgroup.info
>>>> smtp_sasl_auth_enable = yes
>>>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>>> smtp_sasl_security_options =
>>>>
>>>> Here is a log excerpt from my server from a successful login from a
>>>> different client (python smtplib):
>>>>
>>>> Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from
>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>>> Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949:
>>>> client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10],
>>>> sasl_method=LOGIN, sasl_username=XXX
>>>>
>>>> and here's the same thing when Postfix tries to connect between the same
>>>> two machines:
>>>>
>>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from
>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from
>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1
>>>> : Relay access denied;
>>>> from= to= proto=ESMTP
>>>> helo=
>>>>
>>>> As you can see, postfix is not even attempting to authorize.
>>>>
>>>> What am I doing wrong?
>>>
>>> You're not telling us what you're attempting to accomplish for starters.
>>
>> Sorry, I thought that would be clear from the context. I'm trying to do
>> exactly what you say:
>>
>>> When you specify relayhost you're telling Postfix to forward all non
>>> local outbound mail to a gateway instead of delivering it directly to
>>> internet MX destinations.
>>
>> Yes, that is exactly what I'm trying to do. The reason is that mail sent
>> directly from an EC2 instance is usually flagged as spam by many mail
>> recipients because the reverse DNS doesn't resolve properly.
>>
>>> You're showing smtpd logging, but the relayhost parameter applies to
>>> smtp, not smtpd. Your logging shows a host connecting to your Postfix
>>> server, not your Postfix server connecting to secure.genesisgroup.info.
>>
>>
>> The log excerpts are taken from the postfix server on
>> secure.genesisgroup.info, which is the machine I want to use to relay
>> outbound mail from the EC2 instance. Sorry that wasn't clear.
>
> Ok, now the logging snippets make sense. I'm guessing you simply need
> to add permit_sasl_authenticated to your smtpd_client_restrictions on
> host secure.genesisgroup.info, or if you use the "everything under
> smtpd_recipient_restrictions" main.cf style you'd do:
>
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination
>     ...

No, that's not the problem. I already have exactly that on secure.genesisgroup.info. (See below.) And I have multiple clients successfully using that host for authenticated SMTP, including a python client running on the same machine that the non-working (in this respect) postfix is running on.

> You provided 'postconf -d' instead of 'postconf -n', so it's impossible
> for me to tell what your parameters actually are. "-d" simply shows the
> Postfix defaults. Please provide 'postconf -n' so we can wrap this
> thread up, assuming permit_sasl_authenticated doesn't fix the problem.

Actually, it was postconf with no arguments. Here is postconf -n:

[ron@domU-12-31-39-00-E6-ED:~]$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = sunfire-offices.com
myhostname = mail.sunfire-offices.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relayhost = secure.genesisgroup.info
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
unknown_local_recipient_reject_code = 550

And just for completeness, here it is for secure.genesi
Re: Relay host auth not working
On 7/12/2011 1:09 AM, Ron Garret wrote:

>
> On Jul 11, 2011, at 11:03 PM, Jeroen Geilman wrote:
>
>> On 2011-07-12 07:12, Ron Garret wrote:
>>> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote:
>>>
>>>> On 7/11/2011 8:12 PM, Ron Garret wrote:
>>>>> I'm trying to set up a relay host with authentication according to these
>>>>> instructions:
>>>>>
>>>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/
>>>>>
>>>>> but it's not working. I know my SMTP server is set up properly because I
>>>>> can send mail using various other clients, but postfix is apparently not
>>>>> even attempting to authorize. Here are the relevant lines from main.cf:
>>
>> No.
>> Include the FULL output from postconf -n,

> relayhost = secure.genesisgroup.info

Wrong box. This output is from the EC2 box. We need to see 'postconf -n' from the box secure.genesisgroup.info. The permit_sasl_authenticated needs to be added to main.cf on secure.genesisgroup.info to allow the EC2 box to relay through it. But we'd like to confirm your current allowed relay settings, aka mynetworks, etc.

--
Stan
Re: Relay host auth not working
On Jul 11, 2011, at 11:03 PM, Jeroen Geilman wrote:

> On 2011-07-12 07:12, Ron Garret wrote:
>> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote:
>>
>>> On 7/11/2011 8:12 PM, Ron Garret wrote:
>>>> I'm trying to set up a relay host with authentication according to these
>>>> instructions:
>>>>
>>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/
>>>>
>>>> but it's not working. I know my SMTP server is set up properly because I
>>>> can send mail using various other clients, but postfix is apparently not
>>>> even attempting to authorize. Here are the relevant lines from main.cf:
>
> No.
> Include the FULL output from postconf -n,

[ron@domU-12-31-39-00-E6-ED:~]$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = sunfire-offices.com
myhostname = mail.sunfire-offices.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relayhost = secure.genesisgroup.info
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
unknown_local_recipient_reject_code = 550

> or, even better, the postfinger tool.

Postfinger - Postfix Configuration on Tue Jul 12 06:08:45 UTC 2011 $Revision: 1.25 $

Warning: Postfinger output may show private configuration information, such as ip addresses and/or domain names which you do not want to show to the public. If this is the case it is your responsibility to modify the output to hide this private information. [Remove this warning with the --nowarn option.]

--System Parameters--
mail_version = 2.6.6
hostname = domU-12-31-39-00-E6-ED
uname = Linux domU-12-31-39-00-E6-ED 2.6.35.11-83.9.amzn1.x86_64 #1 SMP Sat Feb 19 23:42:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from a RPM package: postfix-2.6.6-2.8.amzn1.x86_64

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
inet_interfaces = localhost
inet_protocols = all
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydomain = sunfire-offices.com
myhostname = mail.sunfire-offices.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relayhost = secure.genesisgroup.info
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

--master.cf--
smtp       inet  n  -  n  -      -  smtpd
pickup     fifo  n  -  n  60     1  pickup
cleanup    unix  n  -  n  -      0  cleanup
qmgr       fifo  n  -  n  300    1  qmgr
tlsmgr     unix  -  -  n  1000?  1  tlsmgr
rewrite    unix  -  -  n  -      -  trivial-rewrite
bounce     unix  -  -  n  -      0  bounce
defer      unix  -  -  n  -      0  bounce
trace      unix  -  -  n  -      0  bounce
verify     unix  -  -  n  -      1  verify
flush      unix  n  -  n  1000?  0  flush
proxymap   unix  -  -  n  -      -  proxymap
proxywrite unix  -  -  n  -      1  proxymap
smtp       unix  -  -  n  -      -  smtp
relay      unix  -  -  n  -      -  smtp
    -o smtp_fallback_relay=
showq      unix  n  -  n  -      -  showq
error      unix  -  -  n  -      -  error
retry      unix  -  -  n  -      -  error
discard    unix  -  -  n  -      -  discard
local      unix  -  n  n  -      -  local
virtual    unix  -  n  n  -      -  virtual
lmtp       unix  -  -  n  -      -  lmtp
anvil      unix  -  -  n  -      1  anvil
scache     unix  -  -  n  -      1  scache

-- end of Postfinger output --

> We can only guess what you're doing wrong now.

I did include the output from postconf at the end of my original message.

rg
Re: Relay host auth not working
On 7/12/2011 12:12 AM, Ron Garret wrote:

>
> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote:
>
>> On 7/11/2011 8:12 PM, Ron Garret wrote:
>>> I'm trying to set up a relay host with authentication according to these
>>> instructions:
>>>
>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/
>>>
>>> but it's not working. I know my SMTP server is set up properly because I
>>> can send mail using various other clients, but postfix is apparently not
>>> even attempting to authorize. Here are the relevant lines from main.cf:
>>>
>>> relayhost = secure.genesisgroup.info
>>> smtp_sasl_auth_enable = yes
>>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>> smtp_sasl_security_options =
>>>
>>> Here is a log excerpt from my server from a successful login from a
>>> different client (python smtplib):
>>>
>>> Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from
>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>> Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949:
>>> client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10],
>>> sasl_method=LOGIN, sasl_username=XXX
>>>
>>> and here's the same thing when Postfix tries to connect between the same
>>> two machines:
>>>
>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from
>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from
>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1
>>> : Relay access denied;
>>> from= to= proto=ESMTP
>>> helo=
>>>
>>> As you can see, postfix is not even attempting to authorize.
>>>
>>> What am I doing wrong?
>>
>> You're not telling us what you're attempting to accomplish for starters.
>
> Sorry, I thought that would be clear from the context. I'm trying to do
> exactly what you say:
>
>> When you specify relayhost you're telling Postfix to forward all non
>> local outbound mail to a gateway instead of delivering it directly to
>> internet MX destinations.
>
> Yes, that is exactly what I'm trying to do. The reason is that mail sent
> directly from an EC2 instance is usually flagged as spam by many mail
> recipients because the reverse DNS doesn't resolve properly.
>
>> You're showing smtpd logging, but the relayhost parameter applies to
>> smtp, not smtpd. Your logging shows a host connecting to your Postfix
>> server, not your Postfix server connecting to secure.genesisgroup.info.
>
>
> The log excerpts are taken from the postfix server on
> secure.genesisgroup.info, which is the machine I want to use to relay
> outbound mail from the EC2 instance. Sorry that wasn't clear.

Ok, now the logging snippets make sense. I'm guessing you simply need to add permit_sasl_authenticated to your smtpd_client_restrictions on host secure.genesisgroup.info, or if you use the "everything under smtpd_recipient_restrictions" main.cf style you'd do:

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    ...

You provided 'postconf -d' instead of 'postconf -n', so it's impossible for me to tell what your parameters actually are. "-d" simply shows the Postfix defaults. Please provide 'postconf -n' so we can wrap this thread up, assuming permit_sasl_authenticated doesn't fix the problem.

--
Stan
Re: Relay host auth not working
On 2011-07-12 07:12, Ron Garret wrote:

> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote:
>
>> On 7/11/2011 8:12 PM, Ron Garret wrote:
>>> I'm trying to set up a relay host with authentication according to these
>>> instructions:
>>>
>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/
>>>
>>> but it's not working. I know my SMTP server is set up properly because I
>>> can send mail using various other clients, but postfix is apparently not
>>> even attempting to authorize. Here are the relevant lines from main.cf:

No.
Include the FULL output from postconf -n, or, even better, the postfinger tool.

We can only guess what you're doing wrong now.

--
J.
Re: Relay host auth not working
On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote:

> On 7/11/2011 8:12 PM, Ron Garret wrote:
>> I'm trying to set up a relay host with authentication according to these
>> instructions:
>>
>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/
>>
>> but it's not working. I know my SMTP server is set up properly because I
>> can send mail using various other clients, but postfix is apparently not
>> even attempting to authorize. Here are the relevant lines from main.cf:
>>
>> relayhost = secure.genesisgroup.info
>> smtp_sasl_auth_enable = yes
>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>> smtp_sasl_security_options =
>>
>> Here is a log excerpt from my server from a successful login from a
>> different client (python smtplib):
>>
>> Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from
>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>> Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949:
>> client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10],
>> sasl_method=LOGIN, sasl_username=XXX
>>
>> and here's the same thing when Postfix tries to connect between the same two
>> machines:
>>
>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from
>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from
>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1
>> : Relay access denied; from=
>> to= proto=ESMTP helo=
>>
>> As you can see, postfix is not even attempting to authorize.
>>
>> What am I doing wrong?
>
> You're not telling us what you're attempting to accomplish for starters.

Sorry, I thought that would be clear from the context. I'm trying to do exactly what you say:

> When you specify relayhost you're telling Postfix to forward all non
> local outbound mail to a gateway instead of delivering it directly to
> internet MX destinations.

Yes, that is exactly what I'm trying to do. The reason is that mail sent directly from an EC2 instance is usually flagged as spam by many mail recipients because the reverse DNS doesn't resolve properly.

> You're showing smtpd logging, but the relayhost parameter applies to
> smtp, not smtpd. Your logging shows a host connecting to your Postfix
> server, not your Postfix server connecting to secure.genesisgroup.info.

The log excerpts are taken from the postfix server on secure.genesisgroup.info, which is the machine I want to use to relay outbound mail from the EC2 instance. Sorry that wasn't clear.

> Either you don't understand the relayhost parameter, or I simply don't
> understand your goal here, or probably both.

Well, I'm clearly missing something. But I don't think it's the relayhost parameter.

rg
Re: Relay host auth not working
On 7/11/2011 8:12 PM, Ron Garret wrote:

> I'm trying to set up a relay host with authentication according to these
> instructions:
>
> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/
>
> but it's not working. I know my SMTP server is set up properly because I can
> send mail using various other clients, but postfix is apparently not even
> attempting to authorize. Here are the relevant lines from main.cf:
>
> relayhost = secure.genesisgroup.info
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options =
>
> Here is a log excerpt from my server from a successful login from a different
> client (python smtplib):
>
> Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from
> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
> Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949:
> client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10],
> sasl_method=LOGIN, sasl_username=XXX
>
> and here's the same thing when Postfix tries to connect between the same two
> machines:
>
> Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from
> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
> Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from
> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1
> : Relay access denied; from=
> to= proto=ESMTP helo=
>
> As you can see, postfix is not even attempting to authorize.
>
> What am I doing wrong?

You're not telling us what you're attempting to accomplish for starters.

You're showing smtpd logging, but the relayhost parameter applies to smtp, not smtpd. Your logging shows a host connecting to your Postfix server, not your Postfix server connecting to secure.genesisgroup.info.

When you specify relayhost you're telling Postfix to forward all non local outbound mail to a gateway instead of delivering it directly to internet MX destinations.

Either you don't understand the relayhost parameter, or I simply don't understand your goal here, or probably both.

--
Stan