From: Jeff Lacki on 16 Feb 2010 15:43

Noel Jones wrote:
> >
> > And did postfix log that this session authenticated?

No....and I think I see the problem, but not sure where it is.
When I telnet localhost 25 and authenticate I get:

Feb 17 15:19:42 202010-1 postfix/smtpd[23113]: connect from localhost.localdomain[127.0.0.1]
Feb 17 15:20:12 202010-1 dovecot: auth(default): client in: AUTH 2 plain service=smtp nologin lip=127.0.0.1 rip=127.0.0.1 resp=<hidden>
Feb 17 15:20:12 202010-1 dovecot: auth(default): passwd-file(jeff,127.0.0.1): lookup: user=jeff file=/etc/shadow
Feb 17 15:20:12 202010-1 dovecot: auth(default): client out: OK 2 user=jeff
Feb 17 15:20:32 202010-1 postfix/smtpd[23113]: 4C4486581D2: client=localhost.localdomain[127.0.0.1], sasl_method=plain, sasl_username=jeff
Feb 17 15:20:44 202010-1 postfix/smtpd[23113]: disconnect from localhost.localdomain[127.0.0.1]

Which appears to authenticate I believe. But when I add MAIL FROM and RCPT TO I don't see anything more and the telnet session just says 250 2.5.x Ok for both.

It sounds like my relay issue could just be that I'm not authenticating properly....but unsure how to debug from here.

Earlier question about emails:

I have a server which has websites of users. Those users have their own virtual domain names. They also have local logins on the server and will be setting up their pop emails to my server:

They also need an smtp server to use (I want it also to be on my server, not their own for ease of use for them to setup): smtp.mydomain.com

So I'm trying to validate them (I'm assuming) by their login name and their /etc/shadow password (CentOS).

> > and everyone knows that user/password now, so change it.

Yeah, I read that and forgot, brain fried already. Changed.

> > Show your current "postconf -n".

alias_maps = hash:/etc/postfix/aliases
allow_percent_hack = yes
append_at_myorigin = yes
append_dot_mydomain = yes
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_transport = smtp
disable_vrfy_command = yes
ignore_mx_lookup_error = no
in_flow_delay = 1s
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mydestination = $myhostname, localhost.$mydomain $mydomain
myhostname = mydomain.com
mynetworks = 127.0.0.1
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
notify_classes = resource,software
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
setgid_group = postdrop
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_tls_note_starttls_offer = yes
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_hard_error_limit = 6
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/good_clients,
    hash:/etc/postfix/access, hash:/etc/postfix/bad_ips, reject_unknown_helo_hostname,
    reject_non_fqdn_hostname, reject_unauth_destination, reject_unauth_pipelining,
    reject_invalid_hostname, reject_unknown_hostname
smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access,
    permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain,
    reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unlisted_sender,
    reject_unauth_destination, reject_rbl_client opm.blitzed.org,
    reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.njabl.org, reject_rbl_client dul.dnsbl.sorbs.net,
    check_policy_service inet:127.0.0.1:9998, permit
smtpd_restriction_classes = restrictive, permissive
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_soft_error_limit = 4
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_always_issue_session_ids = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_domains = anotherdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual

From: Noel Jones on 16 Feb 2010 16:57

On 2/16/2010 2:43 PM, Jeff Lacki wrote:
> Noel Jones wrote:
>>
>> And did postfix log that this session authenticated?
> No....and I think I see the problem, but not sure where it is.
> When I telnet localhost 25 and authenticate I get:
>
> Feb 17 15:19:42 202010-1 postfix/smtpd[23113]: connect from
> localhost.localdomain[127.0.0.1]
> Feb 17 15:20:12 202010-1 dovecot: auth(default): client in: AUTH 2 plain
> service=smtp nologin lip=127.0.0.1 rip=127.0.0.1 resp=<hidden>
> Feb 17 15:20:12 202010-1 dovecot: auth(default):
> passwd-file(jeff,127.0.0.1): lookup: user=jeff file=/etc/shadow
> Feb 17 15:20:12 202010-1 dovecot: auth(default): client out: OK 2 user=jeff
>
> Feb 17 15:20:32 202010-1 postfix/smtpd[23113]: 4C4486581D2:
> client=localhost.localdomain[127.0.0.1], sasl_method=plain,
> sasl_username=jeff
> Feb 17 15:20:44 202010-1 postfix/smtpd[23113]: disconnect from
> localhost.localdomain[127.0.0.1]
>
> Which appears to authenticate I believe.

Yes, authentication was successful above.

>> Show your current "postconf -n".

> local_recipient_maps =

This should be left at the default so that local recipients are validated. Otherwise you'll get loads of undeliverable mail clogging your queue and will eventually get blacklisted as a backscatter source. Just remove it from your main.cf.

> smtpd_client_restrictions = permit_mynetworks, check_client_access
> hash:/etc/postfix/client_access

change "permit_mynetworks" to "permit_mynetworks, permit_sasl_authenticated"

Do this for all your smtpd_*_restrictions entries.

> smtpd_data_restrictions = reject_unauth_pipelining, permit

This should really have "permit_mynetworks, permit_sasl_authenticated" to prevent accidentally rejecting mail from your own users.

> smtpd_hard_error_limit = 6
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, check_client_access

again, "permit_mynetworks, permit_sasl_authenticated, "

> hash:/etc/postfix/good_clients, hash:/etc/post
> fix/access, hash:/etc/postfix/bad_ips, reject_unknown_helo_hostname,
> reject_non_fqdn_hostname, reject
> _unauth_destination, reject_unauth_pipelining, reject_invalid_hostname,
> reject_unknown_hostname
> smtpd_recipient_restrictions = permit_mynetworks, check_client_access

again, "permit_mynetworks, permit_sasl_authenticated, "

> hash:/etc/postfix/client_access, permit
> _sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname,
> reject_non_fqdn_sender, reject
> _non_fqdn_recipient, reject_unknown_sender_domain,

Nothing else jumps out at me as an error. You might want to review your list of RBLs and make sure they're all still active.

-- Noel Jones

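The two checks suggested in the reply above can be run mechanically against `postconf -n` output. The following is an added example, not code from the thread or from Postfix: it relies on Postfix evaluating each restriction list left to right, the sample input is a constructed excerpt modelled on the posted configuration, and `parse_postconf` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample: a trimmed `postconf -n` excerpt modelled on the thread.
SAMPLE = """\
local_recipient_maps =
mynetworks = 127.0.0.1
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access,
    permit_sasl_authenticated, reject_non_fqdn_sender, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
"""

def parse_postconf(text):
    """Parse `postconf -n` text; an indented line continues the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def audit(params):
    """Return (parameter, finding) pairs for the two issues raised in the reply."""
    findings = []
    # An explicitly empty value switches off validation of local recipients.
    if params.get("local_recipient_maps") == "":
        findings.append(("local_recipient_maps", "empty value: local recipients are not validated"))
    for name, value in sorted(params.items()):
        if not re.fullmatch(r"smtpd_\w+_restrictions", name):
            continue
        toks = [t for t in re.split(r"[,\s]+", value) if t]
        # Lists run left to right, so only entries ahead of the SASL permit matter.
        sasl = toks.index("permit_sasl_authenticated") if "permit_sasl_authenticated" in toks else None
        early = next((t for t in toks[:sasl] if t.startswith(("reject", "check_"))), None)
        if early:
            findings.append((name, f"{early} is evaluated with no permit_sasl_authenticated ahead of it"))
    return findings

if __name__ == "__main__":
    for param, finding in audit(parse_postconf(SAMPLE)):
        print(f"{param}: {finding}")
```

On a live system the same functions can be fed the captured output of `postconf -n` instead of `SAMPLE`.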
From: Jeff Lacki on 16 Feb 2010 18:20

That fixed it. I knew it would be something simple, in the end it usually is.

Thanks so much Noel!

From: Jerry on 17 Feb 2010 06:40

On Tue, 16 Feb 2010 15:20:56 -0800 (PST) Jeff Lacki <jeep(a)rahul.net> replied:

>That fixed it. I knew it would be something
>simple, in the end it usually is.

aka: Occam's razor

--
Jerry
postfix.user(a)yahoo.com

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

I'm so broke I can't even pay attention.