Postfix does not authenticate to relayhost

Florian Lindner
Hello,

I run two postfix servers. One on my server, which just runs fine and is used to send mail directly. The other one on my local machine, which should relay mail to the other one. Problem is that the desktop MTA does not seem to authenticate to its relayhost:

The server says:

May 15 22:10:04 venus postfix/smtpd[20438]: connect from host[x.x.x]
May 15 22:10:04 venus postfix/smtpd[20438]: NOQUEUE: reject: RCPT from host[x.x.x]: 450 4.1.8 <[hidden email]>: Sender address rejected: Domain not found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<horus.localdomain>

xgm.de is local to the server. Of course it's right about domain not found, but my relay settings should allow it if it is sasl_authenticated:

smtpd_relay_restrictions =
                        permit_mynetworks,
                        permit_sasl_authenticated,
                        reject_unauth_destination

smtpd_sender_restrictions =
                          permit_mynetworks,
                          permit_sasl_authenticated,
                          reject_non_fqdn_sender,
                          reject_unknown_sender_domain,
                          permit

On the local side it says just the same error message, nothing else error-like.

Local configuration is

% postconf -n
[...]
mynetworks_style = host
relayhost = [venus.centershock.net]
smtp_sasl_password_maps = hash:/etc/postfix/relay
smtp_sasl_security_options = noanonymous
smtpd_tls_security_level = encrypt

# cat relay
venus.centershock.net [hidden email]:passwd

and of course "postmap hash:/etc/postfix/relay" ran without errors.

What could be wrong here?

Thanks!
Florian


Re: Postfix does not authenticate to relayhost

Bastian Blank-3
On Tue, May 15, 2018 at 10:17:40PM +0200, Florian Lindner wrote:
> relayhost = [venus.centershock.net]
> venus.centershock.net [hidden email]:passwd

'[venus.centershock.net]' != 'venus.centershock.net'.  The name needs to
match in full.

Bastian

--
A Vulcan can no sooner be disloyal than he can exist without breathing.
                -- Kirk, "The Menagerie", stardate 3012.4

Re: Postfix does not authenticate to relayhost

Benny Pedersen-2
In reply to this post by Florian Lindner
Florian Lindner wrote on 2018-05-15 22:17:

> May 15 22:10:04 venus postfix/smtpd[20438]: connect from host[x.x.x]
> May 15 22:10:04 venus postfix/smtpd[20438]: NOQUEUE: reject: RCPT from
> host[x.x.x]: 450 4.1.8 <[hidden email]>: Sender address
> rejected: Domain not found; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<horus.localdomain>

> What could be wrong here?

its a dns problem to solve, not postfix

# /etc/hosts

127.0.0.1 horus.localdomain horus

Re: Postfix does not authenticate to relayhost

Florian Lindner
In reply to this post by Bastian Blank-3


On 15.05.2018 at 22:26, Bastian Blank wrote:
> On Tue, May 15, 2018 at 10:17:40PM +0200, Florian Lindner wrote:
>> relayhost = [venus.centershock.net]
>> venus.centershock.net [hidden email]:passwd
>
> '[venus.centershock.net]' != 'venus.centershock.net'.  The name needs to
> match in full.

Sorry, I tried several permutations with and without [] and seem to have lost track.

I have changed it to:

# cat relay
[venus.centershock.net] [hidden email]:passwd

and rerun postmap.

However, it's still the same error message.

Best Thanks,
Florian

Re: Postfix does not authenticate to relayhost

Florian Lindner
In reply to this post by Benny Pedersen-2


On 15.05.2018 at 22:29, Benny Pedersen wrote:

> Florian Lindner wrote on 2018-05-15 22:17:
>
>> May 15 22:10:04 venus postfix/smtpd[20438]: connect from host[x.x.x]
>> May 15 22:10:04 venus postfix/smtpd[20438]: NOQUEUE: reject: RCPT from
>> host[x.x.x]: 450 4.1.8 <[hidden email]>: Sender address
>> rejected: Domain not found; from=<[hidden email]>
>> to=<[hidden email]> proto=ESMTP helo=<horus.localdomain>
>
>> What could be wrong here?
>
> its a dns problem to solve, not postfix
>
> # /etc/hosts
>
> 127.0.0.1 horus.localdomain horus

I understand why there is the Domain not found for horus.localdomain, but not why it blocks the delivery, given my
sender_restriction and relay_restrictions.

Thanks,
Florian

Re: Postfix does not authenticate to relayhost

Viktor Dukhovni
In reply to this post by Florian Lindner


> On May 15, 2018, at 4:17 PM, Florian Lindner <[hidden email]> wrote:
>
> relayhost = [venus.centershock.net]
> smtp_sasl_password_maps = hash:/etc/postfix/relay
> smtp_sasl_security_options = noanonymous
> smtpd_tls_security_level = encrypt
>
> # cat relay
> venus.centershock.net [hidden email]:passwd

I see no SASL support at the relayhost.

posttls-finger: Connected to venus.centershock.net[188.68.38.242]:25
posttls-finger: < 220 venus.centershock.net ESMTP Postfix (Debian/GNU)
posttls-finger: > EHLO amnesiac
posttls-finger: < 250-venus.centershock.net
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 100000000
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: Untrusted TLS connection established to venus.centershock.net[188.68.38.242]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO amnesiac
posttls-finger: < 250-venus.centershock.net
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 100000000
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-AUTH=PLAIN LOGIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

--
        Viktor.


Re: Postfix does not authenticate to relayhost

Benny Pedersen-2
Viktor Dukhovni wrote on 2018-05-15 23:15:

>> On May 15, 2018, at 4:17 PM, Florian Lindner <[hidden email]>
>> wrote:
>>
>> relayhost = [venus.centershock.net]
>> smtp_sasl_password_maps = hash:/etc/postfix/relay
>> smtp_sasl_security_options = noanonymous
>> smtpd_tls_security_level = encrypt
>>
>> # cat relay
>> venus.centershock.net [hidden email]:passwd
>
> I see no SASL support at the relayhost.
>
> posttls-finger: Connected to venus.centershock.net[188.68.38.242]:25

port 25 should not provide auth senders

add a transportmap to relay host and do not use port 25 in the transport
map

> posttls-finger: < 250-STARTTLS

okay for tls

> posttls-finger: < 250 SMTPUTF8

wish how i can make that works with postfixadmin using idn in sql,
postfix miss to convert utf8 to idn so its only one map to check in
backend, else one needs 2 maps one for idn and one for utf8

> posttls-finger: < 250-AUTH PLAIN LOGIN
> posttls-finger: < 250-AUTH=PLAIN LOGIN

should not be provided in port 25

Re: Postfix does not authenticate to relayhost

Viktor Dukhovni
In reply to this post by Florian Lindner


> On May 15, 2018, at 4:17 PM, Florian Lindner <[hidden email]> wrote:
>
> % postconf -n
> [...]
> mynetworks_style = host
> relayhost = [venus.centershock.net]
> smtp_sasl_password_maps = hash:/etc/postfix/relay
> smtp_sasl_security_options = noanonymous
> smtpd_tls_security_level = encrypt

Note, that last setting should be "smtp_tls_security_level"...

--
        Viktor.


Re: Postfix does not authenticate to relayhost

Viktor Dukhovni
In reply to this post by Benny Pedersen-2


> On May 15, 2018, at 5:30 PM, Benny Pedersen <[hidden email]> wrote:
>
> port 25 should not provide auth senders
>
> add a transportmap to relay host and do not use port 25 in the transport map

There's no need for transport entries.  Just setting "relayhost" is enough.
The relayhost setting can include a port number if desired:

  http://www.postfix.org/postconf.5.html#relayhost

--
        Viktor.


Re: Postfix does not authenticate to relayhost

Matus UHLAR - fantomas
In reply to this post by Florian Lindner
On 15.05.18 22:17, Florian Lindner wrote:
>May 15 22:10:04 venus postfix/smtpd[20438]: NOQUEUE: reject: RCPT from host[x.x.x]: 450 4.1.8 <[hidden email]>: Sender address rejected: Domain not found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<horus.localdomain>
>
>smtpd_sender_restrictions =
>                          permit_mynetworks,
>                          permit_sasl_authenticated,
>                          reject_non_fqdn_sender,
>                          reject_unknown_sender_domain,
>                          permit

>What could be wrong here?

>On 15.05.2018 at 22:29, Benny Pedersen wrote:
>> its a dns problem to solve, not postfix
>>
>> # /etc/hosts
>>
>> 127.0.0.1 horus.localdomain horus

Benny, 127.0.0.1 should always resolve to "localhost" (surprises can happen
otherwise).
That's why debian puts local host name with IP 127.0.1.1 to /etc/hosts.


On 15.05.18 23:12, Florian Lindner wrote:
>I understand why there is the Domain not found for horus.localdomain, but not why it blocks the delivery, given my
>sender_restriction and relay_restrictions.

you have reject_unknown_sender_domain in sender restrictions.

your DNS servers don't apparently know "horus.localdomain"
you should better configure proper sender address in source address.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Fucking windows! Bring Bill Gates! (Southpark the movie)

Re: Postfix does not authenticate to relayhost

Florian Lindner
On 16.05.2018 at 15:24, Matus UHLAR - fantomas wrote:

> On 15.05.18 22:17, Florian Lindner wrote:
>> May 15 22:10:04 venus postfix/smtpd[20438]: NOQUEUE: reject: RCPT from host[x.x.x]: 450 4.1.8
>> <[hidden email]>: Sender address rejected: Domain not found; from=<[hidden email]>
>> to=<[hidden email]> proto=ESMTP helo=<horus.localdomain>
>>
>> smtpd_sender_restrictions =
>>                          permit_mynetworks,
>>                          permit_sasl_authenticated,
>>                          reject_non_fqdn_sender,
>>                          reject_unknown_sender_domain,
>>                          permit
>
>> What could be wrong here?

> On 15.05.18 23:12, Florian Lindner wrote:
>> I understand why there is the Domain not found for horus.localdomain, but not why it blocks the delivery, given my
>> sender_restriction and relay_restrictions.
>
> you have reject_unknown_sender_domain in sender restrictions.
>
> your DNS servers don't apparently know "horus.localdomain"
> you should better configure proper sender address in source address.

But there is also permit_sasl_authenticated positioned before reject_unknown_sender_domain. The sending MTA should
authenticate to the relay host.

I am pretty sure that the problem is not the relay host, but the sending machine. The relay host venus.centershock works just fine as an SMTP drop off with the usual clients, but the sending postfix doesn't even try to authenticate.

Thanks,
Florian


Re: Postfix does not authenticate to relayhost

Christian Kivalo
On 2018-05-16 20:41, Florian Lindner wrote:

> On 16.05.2018 at 15:24, Matus UHLAR - fantomas wrote:
>> On 15.05.18 22:17, Florian Lindner wrote:
>>> May 15 22:10:04 venus postfix/smtpd[20438]: NOQUEUE: reject: RCPT
>>> from host[x.x.x]: 450 4.1.8
>>> <[hidden email]>: Sender address rejected: Domain not
>>> found; from=<[hidden email]>
>>> to=<[hidden email]> proto=ESMTP helo=<horus.localdomain>
>>>
>>> smtpd_sender_restrictions =
>>>                          permit_mynetworks,
>>>                          permit_sasl_authenticated,
>>>                          reject_non_fqdn_sender,
>>>                          reject_unknown_sender_domain,
>>>                          permit
>>
>>> What could be wrong here?
>
>> On 15.05.18 23:12, Florian Lindner wrote:
>>> I understand why there is the Domain not found for horus.localdomain,
>>> but not why it blocks the delivery, given my
>>> sender_restriction and relay_restrictions.
>>
>> you have reject_unknown_sender_domain in sender restrictions.
>>
>> your DNS servers don't apparently know "horus.localdomain"
>> you should better configure proper sender address in source address.
>
> But there is also permit_sasl_authenticated positioned before
> reject_unknown_sender_domain. The sending MTA should
> authenticate to the relay host.
>
> I am pretty sure that the problem is not the relay host, but the
> sending machine. The relay host venus.centershock works just fine as
> an SMTP drop off with the usual clients, but the sending postfix
> doesn't even try to authenticate.
Complete postconf -n output from both hosts would help here so just a
shot in the dark based on a config snippet from your first message:

> Local configuration is
>
> % postconf -n
> [...]
> mynetworks_style = host
> relayhost = [venus.centershock.net]
> smtp_sasl_password_maps = hash:/etc/postfix/relay
> smtp_sasl_security_options = noanonymous
> smtpd_tls_security_level = encrypt

In your local config have you set smtp_sasl_auth_enable = yes ?

> Thanks,
> Florian

--
  Christian Kivalo

Re: Postfix does not authenticate to relayhost

Matus UHLAR - fantomas
In reply to this post by Florian Lindner
>> On 15.05.18 22:17, Florian Lindner wrote:
>>> May 15 22:10:04 venus postfix/smtpd[20438]: NOQUEUE: reject: RCPT from host[x.x.x]: 450 4.1.8
>>> <[hidden email]>: Sender address rejected: Domain not found; from=<[hidden email]>
>>> to=<[hidden email]> proto=ESMTP helo=<horus.localdomain>
>>>
>>> smtpd_sender_restrictions =
>>>                          permit_mynetworks,
>>>                          permit_sasl_authenticated,
>>>                          reject_non_fqdn_sender,
>>>                          reject_unknown_sender_domain,
>>>                          permit
>>
>>> What could be wrong here?

>> On 15.05.18 23:12, Florian Lindner wrote:
>>> I understand why there is the Domain not found for horus.localdomain, but not why it blocks the delivery, given my
>>> sender_restriction and relay_restrictions.

>On 16.05.2018 at 15:24, Matus UHLAR - fantomas wrote:
>> you have reject_unknown_sender_domain in sender restrictions.
>>
>> your DNS servers don't apparently know "horus.localdomain"
>> you should better configure proper sender address in source address.

On 16.05.18 20:41, Florian Lindner wrote:
>But there is also permit_sasl_authenticated positioned before reject_unknown_sender_domain. The sending MTA should
>authenticate to the relay host.

as viktor noted, SASL is apparently does announced:
https://marc.info/?l=postfix-users&m=152641898826644&w=2

I would recommend putting reject_unknown_sender_domain BEFORE
permit_sasl_authenticated - otherwise you must map ALL unknown domain names
to something that works, otherwise you get rejects.

>I am pretty sure that the problem is not the relay host, but the sending
> machine.  The relay host venus.centershock works just fine as an SMTP drop
> off with the usual clients, but the sending postfix doesn't even try to
> authenticate.

yes, the sending machine is the problem. It uses nonexistent domain in mail
from:
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759

Re: Postfix does not authenticate to relayhost

Benny Pedersen-2
In reply to this post by Matus UHLAR - fantomas
Matus UHLAR - fantomas wrote on 2018-05-16 15:24:

>> On 15.05.2018 at 22:29, Benny Pedersen wrote:
>>> its a dns problem to solve, not postfix
>>>
>>> # /etc/hosts
>>>
>>> 127.0.0.1 horus.localdomain horus
>
> Benny, 127.0.0.1 should always resolve to "localhost" (surprises can
> happen
> otherwise). That's why debian puts local host name with IP 127.0.1.1
> to /etc/hosts.

127.0.0.1 horus.localdomain horus localhost.localdomain localhost
::1 horus.localdomain horus localhost.localdomain localhost

but thats only used if there is no real dns server on localhost, if
there is localdomain must be served in real dns server running on
localhost

Re: Postfix does not authenticate to relayhost

Florian Lindner
In reply to this post by Christian Kivalo
Ok, I think I got it.

Problem was probably a mismatch in the port between the setting in relay_host and the password map. Sorry for bothering
you with what was my fault.

Best,
Florian
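
Added example, not part of the original thread or of Postfix: a small lint for the client-side points raised in the replies above (the `smtp_sasl_auth_enable` question, the password-map key matching `relayhost` in full including brackets and port, and `smtp_tls_security_level` versus `smtpd_tls_security_level`). The host name, credentials and sample configuration are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample input modelled on the thread's first post (not real data).
SAMPLE_POSTCONF = """\
mynetworks_style = host
relayhost = [relay.example.net]:587
smtp_sasl_password_maps = hash:/etc/postfix/relay
smtp_sasl_security_options = noanonymous
smtpd_tls_security_level = encrypt
"""
SAMPLE_MAP = "relay.example.net user@example.net:PLACEHOLDER\n"

def parse_postconf(text):
    """Parse `postconf -n` output; indented lines continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and name:
            params[name] = (params[name] + " " + line.strip()).strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def map_keys(text):
    """Lookup keys (first field) of a Postfix password map source file."""
    return [l.split()[0] for l in text.splitlines() if l.strip() and not l.startswith("#")]

def bare_host(nexthop):
    """Strip an optional :port and [] so near-miss keys can be reported."""
    return re.sub(r":[^:\]]+$", "", nexthop).strip("[]").lower()

def lint_relay_client(postconf_text, map_text):
    """Return (code, message) findings for the client-side SASL relay setup."""
    conf, findings = parse_postconf(postconf_text), []
    if conf.get("smtp_sasl_auth_enable", "no") != "yes":
        findings.append(("sasl-off", "smtp_sasl_auth_enable is not yes: client never sends AUTH"))
    relayhost, keys = conf.get("relayhost", ""), map_keys(map_text)
    if relayhost and relayhost not in keys:
        near = [k for k in keys if bare_host(k) == bare_host(relayhost)]
        findings.append(("map-key", f"no map key equals {relayhost!r}; near misses: {near}"))
    # Simplification: an unset level counts as no TLS; legacy smtp_use_tls is ignored.
    if conf.get("smtp_tls_security_level", "none") in ("", "none"):
        hint = " (smtpd_tls_security_level only affects the server side)" \
            if "smtpd_tls_security_level" in conf else ""
        findings.append(("tls-level", "smtp_tls_security_level unset or none" + hint))
    return findings

if __name__ == "__main__":
    for code, message in lint_relay_client(SAMPLE_POSTCONF, SAMPLE_MAP):
        print(f"{code}: {message}")
```

Feed it the real `postconf -n` output and the map source file from the sending machine; an empty result means none of the three mistakes discussed here is present.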

Re: Postfix does not authenticate to relayhost

Matus UHLAR - fantomas
In reply to this post by Benny Pedersen-2
>>>On 15.05.2018 at 22:29, Benny Pedersen wrote:
>>>>its a dns problem to solve, not postfix
>>>>
>>>># /etc/hosts
>>>>
>>>>127.0.0.1 horus.localdomain horus

>Matus UHLAR - fantomas wrote on 2018-05-16 15:24:
>>Benny, 127.0.0.1 should always resolve to "localhost" (surprises
>>can happen
>>otherwise). That's why debian puts local host name with IP 127.0.1.1
>>to /etc/hosts.

On 17.05.18 00:42, Benny Pedersen wrote:
>127.0.0.1 horus.localdomain horus localhost.localdomain localhost
>::1 horus.localdomain horus localhost.localdomain localhost

the "localhost" should be the first, so 127.0.0.1 maps to "localhost"
- not anything else.

>but thats only used if there is no real dns server on localhost, if
>there is localdomain must be served in real dns server running on
>localhost

"localhost", not localdomain - the same as above applies.
(and 127.in-addr.arpa of course).

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.