554 5.7.1 relay access denied


554 5.7.1 relay access denied

Jeff Lacki

I'm going out of my mind trying to get relaying working
for my users who want to use my domain as their smtp
outgoing server.

I've setup SASL and TLS successfully (I believe).
I have the following:

relay_transport = hash:/etc/postfix/transport

and in transport I have:

.mydomain.com :

I see my test run connecting but then getting denied
for relaying:

Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: connect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: setting up TLS connection from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: Anonymous TLS connection established from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: NOQUEUE: reject: RCPT from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<[192.168.2.11]>
Feb 12 06:02:23 202010-1 postfix/smtpd[23305]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]

I appreciate your help.


Re: 554 5.7.1 relay access denied

Wietse Venema
Jeff Lacki:

>
> I'm going out of my mind trying to get relaying working
> for my users who want to use my domain as their smtp
> outgoing server.
>
> I've setup SASL and TLS successfully (I believe).
> I have the following:
>
> relay_transport = hash:/etc/postfix/transport
>
> and in transport I have:
>
> .mydomain.com :
>
> I see my test run connecting but then getting denied
> for relaying:
>
> Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: connect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
> Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: setting up TLS connection from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
> Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: Anonymous TLS connection established from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: NOQUEUE: reject: RCPT from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<[192.168.2.11]>
> Feb 12 06:02:23 202010-1 postfix/smtpd[23305]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
>
> I appreciate your help.

Then, follow the instructions in the mailing list welcome message.

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.

Re: 554 5.7.1 relay access denied

Noel Jones-2
In reply to this post by Jeff Lacki
On 2/12/2010 12:18 AM, Jeff Lacki wrote:
> I'm going out of my mind trying to get relaying working
> for my users who want to use my domain as their smtp
> outgoing server.
>
> I've setup SASL and TLS successfully (I believe).
> I have the following:
>
> relay_transport = hash:/etc/postfix/transport

relay_transport must specify a transport name from master.cf,
NOT a map.  Remove the above setting.
http://www.postfix.org/postconf.5.html#relay_transport

Anyway, this setting controls outgoing mail for relay_domains.
  This doesn't appear to be something you need, so remove it.


>
> and in transport I have:
>
> .mydomain.com :

Remove this too.

>
> I see my test run connecting but then getting denied
> for relaying:
>
> Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: connect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
> Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: setting up TLS connection from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
> Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: Anonymous TLS connection established from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: NOQUEUE: reject: RCPT from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: 554 5.7.1<[hidden email]>: Relay access denied; from=<[hidden email]>  to=<[hidden email]>  proto=ESMTP helo=<[192.168.2.11]>
> Feb 12 06:02:23 202010-1 postfix/smtpd[23305]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
>
> I appreciate your help.
>

No indication that the user authenticated.  When someone
authenticates you'll get a log line something like
Feb 12 09:24:06 mgate2 postfix/smtpd[93626]: E4E077978A8:
client=user.example.org[192.168.1.163], sasl_method=CRAM-MD5,
sasl_username=username

Test your SASL setup as described in
http://www.postfix.org/SASL_README.html#server_test
Make sure you use "smtpd_tls_auth_only = no" so you can test
unencrypted with telnet.

If you need more help, please see
http://www.postfix.org/DEBUG_README.html#mail

   -- Noel Jones

Re: 554 5.7.1 relay access denied

Jeff Lacki
In reply to this post by Jeff Lacki
> No indication that the user authenticated.  When someone
> authenticates you'll get a log line something like
> Feb 12 09:24:06 mgate2 postfix/smtpd[93626]: E4E077978A8:
> client=user.example.org[192.168.1.163], sasl_method=CRAM-MD5,
> sasl_username=username

I've been looking at this for a couple days now, still having
problems.  I'm getting the following now:

Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: connect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: setting up TLS connection from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: TLS cipher list "ALL:+RC4:@STRENGTH"
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:before/accept initialization
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: looking up session 8B580343BBAB1CDFF37061B0F6AADCBFAE2FC46F96A7BB40B0A73D14C60B7A23&s=44116 in smtpd cache
Feb 17 13:29:05 202010-1 postfix/tlsmgr[21554]: lookup smtpd session id=8B580343BBAB1CDFF37061B0F6AADCBFAE2FC46F96A7BB40B0A73D14C60B7A23&s=44116
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 read client hello B
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write server hello A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write certificate A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write key exchange A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write server done A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 flush data
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 read client key exchange A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 read finished A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write change cipher spec A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write finished A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 flush data
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: save session 4C77493FCAD703043FECE8FEC020E20778D68D4E951E4EFAE169E18779AE884F&s=44116 to smtpd cache
Feb 17 13:29:05 202010-1 postfix/tlsmgr[21554]: put smtpd session id=4C77493FCAD703043FECE8FEC020E20778D68D4E951E4EFAE169E18779AE884F&s=44116 [data 127 bytes]
Feb 17 13:29:05 202010-1 postfix/tlsmgr[21554]: write smtpd TLS cache entry 4C77493FCAD703043FECE8FEC020E20778D68D4E951E4EFAE169E18779AE884F&s=44116: time=1266431345 [data 127 bytes]
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: Anonymous TLS connection established from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 17 13:29:05 202010-1 dovecot: auth(default): client in: AUTH 2 PLAIN service=smtp nologin lip=204.12.98.91 rip=99.74.xxx.xxx resp=<hidden>
Feb 17 13:29:05 202010-1 dovecot: auth(default): passwd-file(jeff,99.74.xxx.xxx): lookup: user=jeff file=/etc/shadow
Feb 17 13:29:05 202010-1 dovecot: auth(default): client out: OK 2       user=jeff
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: NOQUEUE: reject: RCPT from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: 554 5.7.1 <jeep@rahul.net>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<[192.168.2.11]>
Feb 17 13:29:06 202010-1 postfix/smtpd[21553]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]

It appears (afaik) that I'm authenticating from the log file above.
I also set 'smtpd_tls_auth_only = no' and manually tested the
authentication as working via telnet.

250-PIPELINING
250-SIZE 15000000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth plain AGplZmYAYkhrb3FhMjI=
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye

I still can't seem to get remote relay access (smtp relaying)
to work for single users ([hidden email]).  I've used
mynetworks to relay for static IPs just fine, however I
need it to work with my users who can be located anywhere,
not just from a single static IP address.

I've gone through the docs several times (and possibly
missed things), but as far as I can tell, I'm supposed to
use:

relay_recipient_maps = hash:/etc/postfix/relay_recipients
relay_domains = hash:/etc/postfix/relay_domains

to get this to work.  

relay_recipients contains:
        [hidden email]      ok

relay_domains contains:
        mydomain.com   relay

Sorry if this is getting old (it is for me also) :)
I'm just trying to understand how this thing is supposed
to work, especially so I don't become an open relay.

I appreciate your patience.
Jeff


Re: 554 5.7.1 relay access denied

Bill Weiss-5
Jeff Lacki([hidden email])@Tue, Feb 16, 2010 at 10:37:24AM -0800:
(stuff)

> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: NOQUEUE: reject: RCPT from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: 554 5.7.1 <jeep@rahul.net>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<[192.168.2.11]>
> Feb 17 13:29:06 202010-1 postfix/smtpd[21553]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
>
> It appears (afaik) that I'm authenticating from the log file above.
> I also set 'smtpd_tls_auth_only = no' and manually tested the
> authentication as working via telnet.
>
> 250-PIPELINING
> 250-SIZE 15000000
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> auth plain AGplZmYAYkhrb3FhMjI=
> 235 2.7.0 Authentication successful
> quit
> 221 2.0.0 Bye

I think you know this, but just in case: that password is trivially
decodable.  If it's a real one, go change it quick :)

> I still can't seem to get remote relay access (smtp relaying)
> to work for single users ([hidden email]).  I've used
> mynetworks to relay for static IPs just fine, however I
> need it to work with my users who can be located anywhere,
> not just from a single static IP address.
>
> I've gone through the docs several times (and possibly
> missed things), but as far as I can tell, I'm supposed to
> use:
>
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> relay_domains = hash:/etc/postfix/relay_domains
>
> to get this to work.  
>
> relay_recipients contains:
> [hidden email]      ok
>
> relay_domains contains:
> mydomain.com   relay

Do you have something like this in your main.cf:

smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,

?

That "permit_sasl_authenticated" is what makes it work for my site.

Also, you're saying to allow relaying with a recipient of
"[hidden email]", but your test email is to "[hidden email]".  A =/= B.

How about some "postconf -n" output for us?  Apologies if you've sent it
before, but it sounds like you've been making some changes.

--
Bill Weiss
 
There are two ways to write error-free programs; only the third one
works.
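
Bill's point about the pasted AUTH PLAIN line, turned into a check to run on a transcript before posting it to a list (an added example, not part of the thread): the AUTH PLAIN argument is base64 of authzid NUL authcid NUL passwd, which is an encoding and not encryption. The credentials and transcript below are constructed, and the function names are this example's own.

```python
import base64
import binascii
import re

# Client AUTH command, optionally with an inline initial response.
AUTH_CMD = re.compile(r"^(\s*AUTH\s+[A-Za-z0-9_-]+)(?:\s+(\S+))?\s*$", re.IGNORECASE)
# Server reply lines start with a three-digit code ("250-...", "334 ...").
SERVER_REPLY = re.compile(r"^\s*(\d{3})(?:[ -]|$)")
MARK = "[REDACTED]"


def b64(text):
    return base64.b64encode(text.encode()).decode("ascii")


def make_plain_token(user, password, authzid=""):
    """Build an AUTH PLAIN argument: base64(authzid NUL authcid NUL passwd)."""
    return b64("\0".join((authzid, user, password)))


def looks_like_plain_credential(token):
    """True if the token decodes to three NUL-separated fields."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.count(b"\0") == 2


def redact_transcript(text):
    """Return (sanitized_text, redaction_count) for a pasted SMTP session."""
    out, hits, pending = [], 0, False
    for line in text.splitlines():
        cmd = AUTH_CMD.match(line)
        reply = SERVER_REPLY.match(line)
        if cmd:
            pending = True                      # more responses may follow a 334
            if cmd.group(2):                    # inline initial response
                line = f"{cmd.group(1)} {MARK}"
                hits += 1
        elif reply:
            # Only a 334 challenge keeps the exchange open.
            pending = pending and reply.group(1) == "334"
        elif pending and line.strip():
            line = MARK                         # client answer to a 334 challenge
            hits += 1
        out.append(line)
    return "\n".join(out), hits


# Constructed transcript: one AUTH PLAIN with inline response, one AUTH LOGIN.
SAMPLE = "\n".join([
    "250-AUTH PLAIN LOGIN",
    "250 DSN",
    "auth plain " + make_plain_token("alice", "constructed-pw"),
    "235 2.7.0 Authentication successful",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",
    b64("alice"),
    "334 UGFzc3dvcmQ6",
    b64("constructed-pw"),
    "235 2.7.0 Authentication successful",
    "MAIL FROM:<alice@example.org>",
    "250 2.1.0 Ok",
    "quit",
])

if __name__ == "__main__":
    clean, count = redact_transcript(SAMPLE)
    print(clean)
    print(f"{count} credential line(s) redacted")
```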


Re: 554 5.7.1 relay access denied

Noel Jones-2
In reply to this post by Jeff Lacki
On 2/16/2010 12:37 PM, Jeff Lacki wrote:

>> No indication that the user authenticated.  When someone
>> authenticates you'll get a log line something like
>> Feb 12 09:24:06 mgate2 postfix/smtpd[93626]: E4E077978A8:
>> client=user.example.org[192.168.1.163], sasl_method=CRAM-MD5,
>> sasl_username=username
>
> I've been looking at this for a couple days now, still having
> problems.  I'm getting the following now:
>
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: connect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: setting up TLS connection from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: TLS cipher list "ALL:+RC4:@STRENGTH"
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:before/accept initialization
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: looking up session 8B580343BBAB1CDFF37061B0F6AADCBFAE2FC46F96A7BB40B0A73D14C60B7A23&s=44116 in smtpd cache
> Feb 17 13:29:05 202010-1 postfix/tlsmgr[21554]: lookup smtpd session id=8B580343BBAB1CDFF37061B0F6AADCBFAE2FC46F96A7BB40B0A73D14C60B7A23&s=44116
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 read client hello B
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write server hello A
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write certificate A
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write key exchange A
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write server done A
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 flush data
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 read client key exchange A
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 read finished A
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write change cipher spec A
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write finished A
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 flush data
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: save session 4C77493FCAD703043FECE8FEC020E20778D68D4E951E4EFAE169E18779AE884F&s=44116 to smtpd cache
> Feb 17 13:29:05 202010-1 postfix/tlsmgr[21554]: put smtpd session id=4C77493FCAD703043FECE8FEC020E20778D68D4E951E4EFAE169E18779AE884F&s=44116 [data 127 bytes]
> Feb 17 13:29:05 202010-1 postfix/tlsmgr[21554]: write smtpd TLS cache entry 4C77493FCAD703043FECE8FEC020E20778D68D4E951E4EFAE169E18779AE884F&s=44116: time=1266431345 [data 127 bytes]
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: Anonymous TLS connection established from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Feb 17 13:29:05 202010-1 dovecot: auth(default): client in: AUTH 2 PLAIN service=smtp nologin lip=204.12.98.91 rip=99.74.xxx.xxx resp=<hidden>
> Feb 17 13:29:05 202010-1 dovecot: auth(default): passwd-file(jeff,99.74.xxx.xxx): lookup: user=jeff file=/etc/shadow
> Feb 17 13:29:05 202010-1 dovecot: auth(default): client out: OK 2       user=jeff
> Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: NOQUEUE: reject: RCPT from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: 554 5.7.1<jeep@rahul.net>: Relay access denied; from=<[hidden email]>  to=<[hidden email]>  proto=ESMTP helo=<[192.168.2.11]>
> Feb 17 13:29:06 202010-1 postfix/smtpd[21553]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
>
> It appears (afaik) that I'm authenticating from the log file above.
> I also set 'smtpd_tls_auth_only = no' and manually tested the
> authentication as working via telnet.

I still don't see an authentication line from postfix.  Turn
off the TLS debug, you don't need it.

>
> 250-PIPELINING
> 250-SIZE 15000000
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> auth plain AGplZmYAYkhrb3FhMjI=
> 235 2.7.0 Authentication successful
> quit
> 221 2.0.0 Bye

And did postfix log that this session authenticated?

After you authenticate you need to type in MAIL FROM and RCPT
TO commands to see if you get relaying denied or OK.  That
will tell you if the problem is your client or postfix.

And everyone knows that user/password now, so change it.

>
> I still can't seem to get remote relay access (smtp relaying)
> to work for single users ([hidden email]).  I've used
> mynetworks to relay for static IPs just fine, however I
> need it to work with my users who can be located anywhere,
> not just from a single static IP address.
>
> I've gone through the docs several times (and possibly
> missed things), but as far as I can tell, I'm supposed to
> use:
>
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> relay_domains = hash:/etc/postfix/relay_domains

No, relay_domains and relay_recipient_maps are to define
domains you are responsible for, nothing to do with sasl
authentication.


>
> to get this to work.
>
> relay_recipients contains:
> [hidden email]      ok
>
> relay_domains contains:
> mydomain.com   relay

Remove those settings.

>
> Sorry if this is getting old (it is for me also) :)
> I'm just trying to understand how this thing is supposed
> to work, especially so I don't become an open relay.
>
> I appreciate your patience.
> Jeff
>

Show your current "postconf -n".

   -- Noel Jones

Re: 554 5.7.1 relay access denied

Jeff Lacki
Noel Jones wrote:
>
> And did postfix log that this session authenticated?
No....and I think I see the problem, but not sure where it is.
When I telnet localhost 25 and authenticate I get:

Feb 17 15:19:42 202010-1 postfix/smtpd[23113]: connect from localhost.localdomain[127.0.0.1]
Feb 17 15:20:12 202010-1 dovecot: auth(default): client in: AUTH 2 plain service=smtp nologin lip=127.0.0.1 rip=127.0.0.1 resp=<hidden>
Feb 17 15:20:12 202010-1 dovecot: auth(default): passwd-file(jeff,127.0.0.1): lookup: user=jeff file=/etc/shadow
Feb 17 15:20:12 202010-1 dovecot: auth(default): client out: OK 2 user=jeff

Feb 17 15:20:32 202010-1 postfix/smtpd[23113]: 4C4486581D2: client=localhost.localdomain[127.0.0.1], sasl_method=plain, sasl_username=jeff
Feb 17 15:20:44 202010-1 postfix/smtpd[23113]: disconnect from localhost.localdomain[127.0.0.1]

Which appears to authenticate I believe.

But when I add MAIL FROM and RCPT TO
I don't see anything more and the telnet session just says 250 2.5.x Ok
for both.  It sounds like my relay issue could just be that I'm not
authenticating properly....but unsure how to debug from here.

Earlier question about emails:

I have a server which has websites of users.
Those users have their own virtual
domain names.  They also have local logins on the server
and will be setting up their pop emails to my server:
They also need an smtp server to use (I want it also to be
on my server, not their own for ease of use for them
to setup):

smtp.mydomain.com

So I'm trying to validate them (I'm assuming) by their login
name and their /etc/shadow password (CentOS).

>
> and everyone knows that user/password now, so change it.
Yeah, I read that and forgot, brain fried already.  Changed.
>
> Show your current "postconf -n".
alias_maps = hash:/etc/postfix/aliases
allow_percent_hack = yes
append_at_myorigin = yes
append_dot_mydomain = yes
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_transport = smtp
disable_vrfy_command = yes
ignore_mx_lookup_error = no
in_flow_delay = 1s
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mydestination = $myhostname, localhost.$mydomain $mydomain
myhostname = mydomain.com
mynetworks = 127.0.0.1
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
notify_classes = resource,software
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
setgid_group = postdrop
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_tls_note_starttls_offer = yes
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_hard_error_limit = 6
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/good_clients, hash:/etc/postfix/access, hash:/etc/postfix/bad_ips, reject_unknown_helo_hostname, reject_non_fqdn_hostname, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_unknown_hostname
smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unlisted_sender, reject_unauth_destination, reject_rbl_client opm.blitzed.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dnsbl.njabl.org, reject_rbl_client dul.dnsbl.sorbs.net, check_policy_service inet:127.0.0.1:9998, permit
smtpd_restriction_classes = restrictive, permissive
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_soft_error_limit = 4
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_always_issue_session_ids = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_domains = anotherdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual



Re: 554 5.7.1 relay access denied

Noel Jones-2
On 2/16/2010 2:43 PM, Jeff Lacki wrote:

> Noel Jones wrote:
>>
>> And did postfix log that this session authenticated?
> No....and I think I see the problem, but not sure where it is.
> When I telnet localhost 25 and authenticate I get:
>
> Feb 17 15:19:42 202010-1 postfix/smtpd[23113]: connect from
> localhost.localdomain[127.0.0.1]
> Feb 17 15:20:12 202010-1 dovecot: auth(default): client in: AUTH 2 plain
> service=smtp nologin lip=127.0.0.1 rip=127.0.0.1 resp=<hidden>
> Feb 17 15:20:12 202010-1 dovecot: auth(default):
> passwd-file(jeff,127.0.0.1): lookup: user=jeff file=/etc/shadow
> Feb 17 15:20:12 202010-1 dovecot: auth(default): client out: OK 2 user=jeff
>
> Feb 17 15:20:32 202010-1 postfix/smtpd[23113]: 4C4486581D2:
> client=localhost.localdomain[127.0.0.1], sasl_method=plain,
> sasl_username=jeff
> Feb 17 15:20:44 202010-1 postfix/smtpd[23113]: disconnect from
> localhost.localdomain[127.0.0.1]
>
> Which appears to authenticate I believe.

Yes, authentication was successful above.

>> Show your current "postconf -n".
> local_recipient_maps =

This should be left at the default so that local recipients
are validated.  Otherwise you'll get loads of undeliverable
mail clogging your queue and will eventually get blacklisted
as a backscatter source.

Just remove it from your main.cf.

> smtpd_client_restrictions = permit_mynetworks, check_client_access
> hash:/etc/postfix/client_access

change "permit_mynetworks" to
"permit_mynetworks, permit_sasl_authenticated"

Do this for all your smtpd_*_restrictions entries.

> smtpd_data_restrictions = reject_unauth_pipelining, permit

This should really have "permit_mynetworks,
permit_sasl_authenticated" to prevent accidentally rejecting
mail from your own users.


> smtpd_hard_error_limit = 6
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, check_client_access

again, "permit_mynetworks, permit_sasl_authenticated, "

> hash:/etc/postfix/good_clients, hash:/etc/postfix/access,
> hash:/etc/postfix/bad_ips, reject_unknown_helo_hostname,
> reject_non_fqdn_hostname, reject_unauth_destination,
> reject_unauth_pipelining, reject_invalid_hostname,
> reject_unknown_hostname
> smtpd_recipient_restrictions = permit_mynetworks, check_client_access

again, "permit_mynetworks, permit_sasl_authenticated, "

> hash:/etc/postfix/client_access, permit_sasl_authenticated,
> reject_invalid_hostname, reject_non_fqdn_hostname,
> reject_non_fqdn_sender, reject_non_fqdn_recipient,
> reject_unknown_sender_domain,

Nothing else jumps out at me as an error.  You might want to
review your list of RBLs and make sure they're all still active.


   -- Noel Jones
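
Why adding permit_sasl_authenticated to every list matters, as an added example that is not part of the thread or Postfix code: Postfix evaluates each smtpd_*_restrictions list on its own, a permit ends only the list it appears in, and with the default smtpd_delay_reject = yes the client, helo and sender lists are evaluated at RCPT TO. The model below reduces the posted "postconf -n" lists to the restrictions that decide relaying and assumes the table lookups, hostname checks and RBLs return no match; the session dictionaries are constructed.

```python
def permit_mynetworks(s):
    return "PERMIT" if s["in_mynetworks"] else "DUNNO"

def permit_sasl_authenticated(s):
    return "PERMIT" if s["sasl_authenticated"] else "DUNNO"

def reject_unauth_destination(s):
    # Rejects unless the recipient is in a domain this server is responsible for.
    return "DUNNO" if s["rcpt_is_own_domain"] else "REJECT"

def permit(s):
    return "PERMIT"

def no_opinion(s):
    # Stand-in for lookups and checks that are assumed not to match (assumption).
    return "DUNNO"

MODELLED = {f.__name__: f for f in (
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit)}

def evaluate(config, session):
    """Return (verdict, list_name, restriction) for one RCPT TO."""
    for list_name, restrictions in config:
        for name in restrictions:
            result = MODELLED.get(name, no_opinion)(session)
            if result == "REJECT":
                return ("REJECT", list_name, name)   # a reject in any list is final
            if result == "PERMIT":
                break                                # ends this list only
    return ("ACCEPT", None, None)

# Reduced from the posted "postconf -n" output.
BEFORE = [
    ("smtpd_client_restrictions", ["permit_mynetworks", "check_client_access"]),
    ("smtpd_helo_restrictions", ["permit_mynetworks", "check_client_access",
                                 "reject_unknown_helo_hostname",
                                 "reject_non_fqdn_hostname",
                                 "reject_unauth_destination"]),
    ("smtpd_sender_restrictions", ["reject_unknown_sender_domain"]),
    ("smtpd_recipient_restrictions", ["permit_mynetworks", "check_client_access",
                                      "permit_sasl_authenticated",
                                      "reject_unauth_destination", "permit"]),
]

def apply_fix(config):
    """Noel's change: "permit_mynetworks" becomes
    "permit_mynetworks, permit_sasl_authenticated" in every list."""
    fixed = []
    for list_name, restrictions in config:
        new = []
        for name in restrictions:
            new.append(name)
            if name == "permit_mynetworks":
                new.append("permit_sasl_authenticated")
        fixed.append((list_name, new))
    return fixed

AFTER = apply_fix(BEFORE)

# Constructed sessions.
ROAMING_AUTH = {"in_mynetworks": False, "sasl_authenticated": True,
                "rcpt_is_own_domain": False}
STRANGER = {"in_mynetworks": False, "sasl_authenticated": False,
            "rcpt_is_own_domain": False}
INBOUND = {"in_mynetworks": False, "sasl_authenticated": False,
           "rcpt_is_own_domain": True}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for who, sess in (("roaming+auth", ROAMING_AUTH),
                          ("stranger", STRANGER), ("inbound", INBOUND)):
            print(label, who, evaluate(cfg, sess))
```

In this model the unauthenticated stranger is still refused after the change, so the fix does not turn the server into an open relay.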

Re: 554 5.7.1 relay access denied

Jeff Lacki
In reply to this post by Jeff Lacki
That fixed it.  I knew it would be something
simple, in the end it usually is.

Thanks so much Noel!



Re: 554 5.7.1 relay access denied

Jerry-124
On Tue, 16 Feb 2010 15:20:56 -0800 (PST)
Jeff Lacki <[hidden email]> replied:

>That fixed it.  I knew it would be something
>simple, in the end it usually is.

aka: Occam's razor

--
Jerry
[hidden email]


I'm so broke I can't even pay attention.