Auth/relaying issues with 2.10.0


Jan Kohnert-2
Hi folks,

I have recently upgraded to 2.10.0 (gentoo) and am now having some issues
with relaying authenticated users. I'm using dovecot sasl and according
to the logs auth works fine, but however postfix thinks I do not want to
relay stuff from authenticated users anymore...

Here's the log entry in debug mode:
----
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-mail.the-pojs.de
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-PIPELINING
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-SIZE 15728600
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-VRFY
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-ETRN
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-STARTTLS
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]:
250-ENHANCEDSTATUSCODES
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-8BITMIME
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250 DSN
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: <
178-24-196-94-dynip.superkabel.de[178.24.196.94]: STARTTLS
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 220 2.0.0 Ready to
start TLS
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: send attr request
= seed
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: send attr size =
32
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: private/tlsmgr:
wanted attribute: status
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: input attribute
name: status
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: input attribute
value: 0
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: private/tlsmgr:
wanted attribute: seed
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: input attribute
name: seed
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: input attribute
value: pIK6HA04uWxAB+svbuTDcRA7kYsqxBKzn+7D798fAzI=
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: private/tlsmgr:
wanted attribute: (list terminator)
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: input attribute
name: (end)
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: Anonymous TLS
connection established from
178-24-196-94-dynip.superkabel.de[178.24.196.94]: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_server_create: SASL service=smtp, realm=(null)
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: name_mask:
noanonymous
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_server_connect: Connecting
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_server_connect: auth reply: VERSION?1?1
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_server_connect: auth reply: MECH?PLAIN?plaintext
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: name_mask:
plaintext
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_server_connect: auth reply: MECH?LOGIN?plaintext
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]: name_mask:
plaintext
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_server_connect: auth reply: SPID?30043
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_server_connect: auth reply: CUID?2
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_server_connect: auth reply:
COOKIE?d513800ca06dd779c5f87b04e2a572cd
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_server_connect: auth reply: DONE
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN
Jun  5 00:15:48 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_server_mech_filter: keep mechanism: LOGIN
Jun  5 00:15:55 b079 postfix/submission/smtpd[30353]: <
178-24-196-94-dynip.superkabel.de[178.24.196.94]: ehlo mail.the-pojs.de
Jun  5 00:15:55 b079 postfix/submission/smtpd[30353]: match_list_match:
178-24-196-94-dynip.superkabel.de: no match
Jun  5 00:15:55 b079 postfix/submission/smtpd[30353]: match_list_match:
178.24.196.94: no match
Jun  5 00:15:55 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-mail.the-pojs.de
Jun  5 00:15:55 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-PIPELINING
Jun  5 00:15:55 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-SIZE 15728600
Jun  5 00:15:55 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-VRFY
Jun  5 00:15:55 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-ETRN
Jun  5 00:15:55 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-AUTH PLAIN LOGIN
Jun  5 00:15:55 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]:
250-ENHANCEDSTATUSCODES
Jun  5 00:15:55 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250-8BITMIME
Jun  5 00:15:55 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250 DSN
Jun  5 00:16:07 b079 postfix/submission/smtpd[30353]: <
178-24-196-94-dynip.superkabel.de[178.24.196.94]: auth plain SECRET
Jun  5 00:16:07 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_server_first: sasl_method plain, init_response SECRET
Jun  5 00:16:07 b079 postfix/submission/smtpd[30353]:
xsasl_dovecot_handle_reply: auth reply: OK?1?user=jan
Jun  5 00:16:07 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 235 2.7.0
Authentication successful
Jun  5 00:16:07 b079 dovecot: imap-login: Aborted login (no auth
attempts in 0 secs): user=<>, rip=62.141.42.79, lip=62.141.42.79,
secured, session=<JYl9bVveJwA+jSpP>
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: <
178-24-196-94-dynip.superkabel.de[178.24.196.94]: mail from:
[hidden email]
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: extract_addr:
input: [hidden email]
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: smtpd_check_addr:
addr=[hidden email]
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: connect to
subsystem private/rewrite
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: send attr request
= rewrite
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: send attr rule =
local
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: send attr address
= [hidden email]
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: flags
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
name: flags
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
value: 0
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: address
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
name: address
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
value: [hidden email]
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: (list terminator)
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
name: (end)
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: rewrite_clnt:
local: [hidden email] -> [hidden email]
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: send attr request
= resolve
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: send attr sender
=
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: send attr address
= [hidden email]
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: flags
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
name: flags
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
value: 0
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: transport
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
name: transport
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
value: dovecot
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: nexthop
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
name: nexthop
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
value: the-pojs.de
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: recipient
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
name: recipient
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
value: [hidden email]
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: flags
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
name: flags
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
value: 1024
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: (list terminator)
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: input attribute
name: (end)
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: resolve_clnt: `'
-> `[hidden email]' -> transp=`dovecot' host=`the-pojs.de'
rcpt=`[hidden email]' flags= class=virtual
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: ctable_locate:
install entry key [hidden email]
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: extract_addr: in:
[hidden email], result: [hidden email]
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: send attr request
= rewrite
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: send attr rule =
local
Jun  5 00:16:23 b079 postfix/submission/smtpd[30353]: send attr address
= double-bounce
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: flags
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]: input attribute
name: flags
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]: input attribute
value: 0
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: address
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]: input attribute
name: address
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]: input attribute
value: [hidden email]
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: (list terminator)
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]: input attribute
name: (end)
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]: rewrite_clnt:
local: double-bounce -> [hidden email]
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]:
smtpd_check_rewrite: trying: permit_inet_interfaces
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]:
permit_inet_interfaces: 178-24-196-94-dynip.superkabel.de 178.24.196.94
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]: fsspace: .: block
size 4096, blocks free 2153140
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]:
smtpd_check_queue: blocks 4096 avail 2153140 min_free 0 msg_size_limit
15728600
Jun  5 00:16:24 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 250 2.1.0 Ok
Jun  5 00:16:34 b079 dovecot: imap-login: Aborted login (no auth
attempts in 0 secs): user=<>, rip=62.141.42.79, lip=62.141.42.79, TLS,
session=<1nEZb1veegA+jSpP>
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: <
178-24-196-94-dynip.superkabel.de[178.24.196.94]: rcpt to:
[hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: extract_addr:
input: [hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: smtpd_check_addr:
addr=[hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: send attr request
= rewrite
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: send attr rule =
local
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: send attr address
= [hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: flags
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
name: flags
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
value: 0
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: address
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
name: address
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
value: [hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: (list terminator)
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
name: (end)
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: rewrite_clnt:
local: [hidden email] -> [hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: send attr request
= resolve
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: send attr sender
=
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: send attr address
= [hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: flags
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
name: flags
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
value: 0
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: transport
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
name: transport
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
value: smtp
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: nexthop
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
name: nexthop
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
value: web.de
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: recipient
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
name: recipient
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
value: [hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: flags
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
name: flags
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
value: 4096
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: private/rewrite
socket: wanted attribute: (list terminator)
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: input attribute
name: (end)
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: resolve_clnt: `'
-> `[hidden email]' -> transp=`smtp' host=`web.de'
rcpt=`[hidden email]' flags= class=default
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: ctable_locate:
install entry key [hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: extract_addr: in:
[hidden email], result: [hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: >>> START
Recipient address RESTRICTIONS <<<
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: generic_checks:
name=permit_mynetworks
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]:
permit_mynetworks: 178-24-196-94-dynip.superkabel.de 178.24.196.94
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: match_hostname:
178-24-196-94-dynip.superkabel.de ~? 127.0.0.0/8
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: match_hostaddr:
178.24.196.94 ~? 127.0.0.0/8
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: match_hostname:
178-24-196-94-dynip.superkabel.de ~? [::1]/128
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: match_hostaddr:
178.24.196.94 ~? [::1]/128
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: match_list_match:
178-24-196-94-dynip.superkabel.de: no match
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: match_list_match:
178.24.196.94: no match
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: generic_checks:
name=permit_mynetworks status=0
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: generic_checks:
name=reject_unauth_destination
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]:
reject_unauth_destination: [hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]:
permit_auth_destination: [hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: ctable_locate:
leave existing entry key [hidden email]
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: NOQUEUE: reject:
RCPT from 178-24-196-94-dynip.superkabel.de[178.24.196.94]: 454 4.7.1
<[hidden email]>: Relay access denied; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<mail.the-pojs.de>
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: generic_checks:
name=reject_unauth_destination status=2
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: >>> END Recipient
address RESTRICTIONS <<<
Jun  5 00:16:35 b079 postfix/submission/smtpd[30353]: >
178-24-196-94-dynip.superkabel.de[178.24.196.94]: 454 4.7.1
<[hidden email]>: Relay access denied
----

Here's the master.cf for submission:
----
submission inet n       -       n       -       -       smtpd -v
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_reject_unlisted_recipient=no
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING
----

And finally postconf -n
----
alias_maps = hash:/etc/postfix/aliases,
hash:/var/lib/mailman/data/aliases
allow_min_user = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_protocols = all
local_destination_concurrency_limit = 2
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 15728600
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = localhost.$mydomain, $mydomain, kohni.$mydomain,
claudi.$mydomain, kohni-mobil.$mydomain
mydomain = jankoh.mooo.com
myhostname = mail.the-pojs.de
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_helo_name = the-pojs.de
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_multi_recipient_bounce,
permit_mynetworks, permit_sasl_authenticated, reject_unlisted_recipient,
reject_unauth_destination, reject_unauth_pipelining,
reject_invalid_hostname, reject_unknown_sender_domain, reject_rbl_client
zen.spamhaus.org, check_policy_service inet:127.0.0.1:10030
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/run/dovecot/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/sasl_sender
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/cert.key
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
soft_bounce = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:500
virtual_mailbox_base = /home/virtualmail
virtual_mailbox_domains = the-pojs.dyndns.org, the-pojs.de
virtual_mailbox_maps = ldap:/etc/postfix/virtual.cf
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:102
postconf: warning: /etc/postfix/main.cf: unused parameter:
dovecot_destination_recipient_limit=1
----

Any hint what I am missing? At the moment I can only send through
localhost…

Thanks a lot!


Regards Jan

Re: Auth/relaying issues with 2.10.0

/dev/rob0
On Wed, Jun 05, 2013 at 01:08:09AM +0200, Jan Kohnert wrote:
> I have recently upgraded to 2.10.0 (gentoo) and now having some
> issues with relaying authenticated users. I'm using dovecot sasl
> and according to the logs auth works fine, but however postfix
> thinks I do not want to relay stuff from authenticated users
> anymore...

Yes. You probably missed the 2.10 release notes.

http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions

smtpd_relay_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Auth/relaying issues with 2.10.0

Jan Kohnert-2
In reply to this post by Jan Kohnert-2
Hi there again,

On Wednesday, 5 June 2013, 01:08:09, Jan Kohnert wrote:
> I have recently upgraded to 2.10.0 (gentoo) and now having some issues
> with relaying authenticated users. I'm using dovecot sasl and according
> to the logs auth works fine, but however postfix thinks I do not want to
> relay stuff from authenticated users anymore...

just downgraded to 2.9.5 (identical config) and it works like a charm:
----
Jun  5 01:19:02 b079 postfix/smtpd[15165]: Anonymous TLS connection
established from 178-24-196-94-dynip.superkabel.de[178.24.196.94]: TLSv1.2
with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun  5 01:19:53 b079 postfix/smtpd[15165]: E6AA4CB9E1: client=178-24-196-94-
dynip.superkabel.de[178.24.196.94], sasl_method=plain, sasl_username=jan
----

The last line is never showing up in 2.10.0 (see log in OP).

postconf -n
----
alias_maps = hash:/etc/postfix/aliases, hash:/var/lib/mailman/data/aliases
allow_min_user = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = no
inet_protocols = all
local_destination_concurrency_limit = 2
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 15728600
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = localhost.$mydomain, $mydomain, kohni.$mydomain, claudi.
$mydomain, kohni-mobil.$mydomain
mydomain = jankoh.mooo.com
myhostname = mail.the-pojs.de
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_helo_name = the-pojs.de
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_multi_recipient_bounce, permit_mynetworks,
permit_sasl_authenticated, reject_unlisted_recipient,
reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname,
reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org,
check_policy_service inet:127.0.0.1:10030
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/run/dovecot/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/sasl_sender
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/cert.key
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
soft_bounce = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:500
virtual_mailbox_base = /home/virtualmail
virtual_mailbox_domains = the-pojs.dyndns.org, the-pojs.de
virtual_mailbox_maps = ldap:/etc/postfix/virtual.cf
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:102
----

master for submission:
----
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
  -o milter_macro_daemon_name=ORIGINATING
----

So either I made a config error, or I found a bug, or the gentoo folks are
doing something weird.

Any idea? For now I'll stay in 2.9.5…

--
Best regards, Jan


Re: Auth/relaying issues with 2.10.0

Jan Kohnert-2
In reply to this post by /dev/rob0
Hi,

On Tuesday, 4 June 2013, 18:24:23, /dev/rob0 wrote:

> On Wed, Jun 05, 2013 at 01:08:09AM +0200, Jan Kohnert wrote:
> > I have recently upgraded to 2.10.0 (gentoo) and now having some
> > issues with relaying authenticated users. I'm using dovecot sasl
> > and according to the logs auth works fine, but however postfix
> > thinks I do not want to relay stuff from authenticated users
> > anymore...
>
> Yes. You probably missed the 2.10 release notes.
>
> http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
>
> smtpd_relay_restrictions = permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination

That might cause the problem, I really missed that. I'll check that tomorrow
(it's half past one here, now), since a downgrade helped me making a hotfix…

Thanks!

--
Best regards, Jan


Re: Auth/relaying issues with 2.10.0

Jan Kohnert-2
Hi again,

On Wednesday, 5 June 2013, 01:34:13, Jan Kohnert wrote:

> On Tuesday, 4 June 2013, 18:24:23, /dev/rob0 wrote:
> > On Wed, Jun 05, 2013 at 01:08:09AM +0200, Jan Kohnert wrote:
> > > I have recently upgraded to 2.10.0 (gentoo) and now having some
> > > issues with relaying authenticated users. I'm using dovecot sasl
> > > and according to the logs auth works fine, but however postfix
> > > thinks I do not want to relay stuff from authenticated users
> > > anymore...
> >
> > Yes. You probably missed the 2.10 release notes.
> >
> > http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
> >
> > smtpd_relay_restrictions = permit_mynetworks,
> >
> > permit_sasl_authenticated,
> > reject_unauth_destination
>
> That might cause the problem, I really missed that. I'll check that tomorrow
> (it's half past one here, now), since a downgrade helped me making a
> hotfix…

couldn't wait, who needs sleep… :)

Things got fixed using your hint. Thanks a lot again!

Hint to myself:
I should read release notes more carefully.

--
Best regards, Jan


Re: Auth/relaying issues with 2.10.0

Wietse Venema
Please file a bug report with your distribution.

Postfix 2.10 as distributed by me will add a backwards-compatibility
setting to main.cf, thusly:

    # postfix upgrade-configuration
        COMPATIBILITY: editing /etc/postfix/main.cf, overriding
        smtpd_relay_restrictions to prevent inbound mail from unexpectedly
        bouncing.  Specify an empty smtpd_relay_restrictions value to
        keep using smtpd_recipient_restrictions as before.

And the backwards compatible setting is:

    # postconf smtpd_relay_restrictions
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

If your distributor has removed this backwards-compatibility safety
net, then please tell them that they are doing their users a disservice.

        Wietse

Re: Auth/relaying issues with 2.10.0

Benny Pedersen-2
In reply to this post by /dev/rob0
/dev/rob0 wrote on 2013-06-05 01:24:

> http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
>
> smtpd_relay_restrictions = permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination

let's hope 2.11 has permit_sasl_authenticated in default config, so
many users here can't figure out the problems in 2.10 :)

--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, dont do it

Re: Auth/relaying issues with 2.10.0

Benny Pedersen-2
In reply to this post by Jan Kohnert-2
Jan Kohnert wrote on 2013-06-05 01:34:

> That might cause the problem, I really missed that. I'll check that
> tomorrow
> (it's half past one here, now), since a downgrade helped me making a
> hotfix…

such gentoo users :)

--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, dont do it

Re: Auth/relaying issues with 2.10.0

Benny Pedersen-2
In reply to this post by Jan Kohnert-2
Jan Kohnert wrote on 2013-06-05 01:47:

> I should read release notes more carefully.

same could go to maintainers of ebuilds or precompiled packages

--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, dont do it

Re: Auth/relaying issues with 2.10.0

Michael Orlitzky-2
In reply to this post by Wietse Venema
On 06/04/2013 08:51 PM, Wietse Venema wrote:

> Please file a bug report with your distribution.
>
> Postfix 2.10 as distributed by me will add a backwards-compatibility
> setting to main.cf, thusly:
>
>     # postfix upgrade-configuration
> COMPATIBILITY: editing /etc/postfix/main.cf, overriding
> smtpd_relay_restrictions to prevent inbound mail from unexpectedly
> bouncing.  Specify an empty smtpd_relay_restrictions value to
> keep using smtpd_recipient_restrictions as before.
>
> And the backwards compatible setting is:
>
>     # postconf smtpd_relay_restrictions
>     smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
>
> If your distributor has removed this backwards-compatibility safety
> net, then please tell them that they are doing their users a disservice.
>
> Wietse
>

Postfix 2.10 on Gentoo adds the safety net, but the package manager
won't automatically clobber files under /etc. You're supposed to run a
tool (etc-update) afterwards to merge any changes. I'm guessing that's
what got skipped here.


Re: Auth/relaying issues with 2.10.0

Wietse Venema
Michael Orlitzky:

> On 06/04/2013 08:51 PM, Wietse Venema wrote:
> > Please file a bug report with your distribution.
> >
> > Postfix 2.10 as distributed by me will add a backwards-compatibility
> > setting to main.cf, thusly:
> >
> >     # postfix upgrade-configuration
> > COMPATIBILITY: editing /etc/postfix/main.cf, overriding
> > smtpd_relay_restrictions to prevent inbound mail from unexpectedly
> > bouncing.  Specify an empty smtpd_relay_restrictions value to
> > keep using smtpd_recipient_restrictions as before.
> >
> > And the backwards compatible setting is:
> >
> >     # postconf smtpd_relay_restrictions
> >     smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
> >
> > If your distributor has removed this backwards-compatibility safety
> > net, then please tell them that they are doing their users a disservice.
> >
> > Wietse
> >
>
> Postfix 2.10 on Gentoo adds the safety net, but the package manager
> won't automatically clobber files under /etc. You're supposed to run a
> tool (etc-update) afterwards to merge any changes. I'm guessing that's
> what got skipped here.

It's no good when this has to be run by a human operator. I'll
change the compiled-in default to:

    smtpd_relay_restrictions =
        permit_mynetworks permit_sasl_authenticated reject_unauth_destination

so that people can avoid the upgrade surprise.

        Wietse

Re: Auth/relaying issues with 2.10.0

Benny Pedersen-2
In reply to this post by Wietse Venema
> If your distributor has removed this backwards-compatibility safety
> net, then please tell them that they are doing their users a
> disservice.

Why is permit_sasl_authenticated missing in the default 2.10 settings then?
(C code defaults)

Re: Auth/relaying issues with 2.10.0

Wietse Venema
Benny Pedersen:
> > If your distributor has removed this backwards-compatibility safety
> > net, then please tell them that they are doing their users a
> > disservice.
>
> Why is permit_sasl_authenticated missing in the default 2.10 settings then?
> (C code defaults)

This was discussed extensively on the list. Learn to search.

        Wietse

Re: Auth/relaying issues with 2.10.0

Benny Pedersen-2
[hidden email] wrote on 2013-06-07 03:17:

> This was discussed extensively on the list. Learn to search.

Or simply create a patch in C; that is easier than reading 10000 emails about
the big problem :)

Re: Auth/relaying issues with 2.10.0

Jan Kohnert-2
In reply to this post by Michael Orlitzky-2
Hi,

On Thursday, 6 June 2013, 20:06:48, Michael Orlitzky wrote:
> Postfix 2.10 on Gentoo adds the safety net, but the package manager
> won't automatically clobber files under /etc. You're supposed to run a
> tool (etc-update) afterwards to merge any changes. I'm guessing that's
> what got skipped here.

Well, I've been running Gentoo for nearly ten years now, and I know etc-update. I
just missed that change while merging the config files.

There definitely was no safety net in master.cf, but I have added lots of
config stuff at the end of main.cf, so if the safety net was put at the end of
that file by the Gentoo folks, the merge would probably have removed it, since
I wanted my changes to stay. :)

--
Best regards, Jan


Re: Auth/relaying issues with 2.10.0

Charles Marcus
On 2013-06-07 2:56 AM, Jan Kohnert <[hidden email]> wrote:

> On Thursday, 6 June 2013, 20:06:48, Michael Orlitzky wrote:
>> Postfix 2.10 on Gentoo adds the safety net, but the package manager
>> won't automatically clobber files under /etc. You're supposed to run a
>> tool (etc-update) afterwards to merge any changes. I'm guessing that's
>> what got skipped here.
> well, I'm running Gentoo for nearly ten years now, and I know etc-update. I
> just missed that change while merging the config files.
>
> There definitely was no safety net in master.cf, but I have added lots of
> config stuff at the end of main.cf, so if the safety net was put at the end of
> that file by the Gentoo folks, the merge would probably have removed it, since
> I wanted my changes to stay. :)

Actually, I've been running gentoo for a long time too and I also got
bit by this. I'm not perfect, but I am always very careful about running
etc-update, and I swear I did not see this modification.

--

Best regards,

Charles
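
Added example, not part of the thread and not Postfix code: a Python check for the case discussed above, where a merged main.cf ends up without the smtpd_relay_restrictions line. The sample main.cf text and the status labels are constructed; the check only looks at where permit_sasl_authenticated sits relative to reject_unauth_destination or defer_unauth_destination.

```python
import re

# Constructed main.cf: local settings survived the config merge, but the
# smtpd_relay_restrictions line added for the 2.10 upgrade did not.
MERGED_WITHOUT_SAFETY_NET = """\
smtpd_sasl_type = dovecot
smtpd_recipient_restrictions =
    permit_mynetworks,
    # comment lines inside a continued value are skipped
    permit_sasl_authenticated,
    reject_unauth_destination
"""
SAFETY_NET = ("smtpd_relay_restrictions = permit_mynetworks "
              "permit_sasl_authenticated defer_unauth_destination\n")
UNAUTH = {"reject_unauth_destination", "defer_unauth_destination"}

def parse_main_cf(text):
    """Skip blank/'#' lines, join indented continuations, last definition wins."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if name:
                params[name] = (params[name] + " " + line.strip()).strip()
            continue
        key, sep, value = line.partition("=")
        name = key.strip() if sep and key.strip() else None
        if name:
            params[name] = value.strip()
    return params

def relay_status(text):
    """Classify how smtpd_relay_restrictions treats SASL-authenticated clients."""
    value = parse_main_cf(text).get("smtpd_relay_restrictions")
    if value is None:
        return "unset"           # the compiled-in default decides
    items = [t for t in re.split(r"[,\s]+", value) if t]
    if not items:
        return "empty"           # smtpd_recipient_restrictions decides, as before
    for item in items:           # evaluated in order, first match wins
        if item == "permit_sasl_authenticated":
            return "sasl-permitted"
        if item in UNAUTH:
            return "sasl-blocked"
    return "no-sasl-rule"

if __name__ == "__main__":
    print(relay_status(MERGED_WITHOUT_SAFETY_NET),
          relay_status(MERGED_WITHOUT_SAFETY_NET + SAFETY_NET))
```

A result of "unset" means the file is relying on whatever default the installed Postfix build compiles in, which is the case that surprised people in this thread.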