Relay access denied

Relay access denied

wp.rauchholz
All googling has not helped. I hope to find the solution here.
Thanks in advance for your help.

Wolfgang

* Background:
Getting error message: Relay access denied
The following command works fine: telnet localhost 25
The following command creates the above-mentioned error message when entering
"rcpt to: email_address"

* Setup:
CENTOS 7.5 home server. Letsencrypt certificates
postfix-2.10.1-6.el7.x86_64


* Maillog:
Nov 28 12:22:15 home postfix/smtpd[12253]: disconnect from
localhost[127.0.0.1]
Nov 28 12:22:20 home postfix/smtps/smtpd[12360]: connect from
localhost[127.0.0.1]
Nov 28 12:22:40 home postfix/smtps/smtpd[12360]: NOQUEUE: reject: RCPT from
localhost[127.0.0.1]: 554 5.7.1 <[hidden email]>: Relay access
denied; from=<[hidden email]> to=<[hidden email]>
proto=SMTP

* ehlo localhost
[root@home postfix]# telnet localhost 465
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 host ESMTP Sendmail 2.1
ehlo localhost
250-home.wo-lar.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


* postconf -n
content_filter = amavisfeed:[127.0.0.1]:10024
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = <DN>
myhostname = <FQDN>
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 <LAN/24>
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_use_tls = yes
smtpd_banner = host ESMTP Sendmail 2.1
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/<DN>/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/letsencrypt/live/<DN>/privkey.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_high_cipherlist = ECDH+aRSA+AES256:ECDH+aRSA+AES128:AES256-SHA:AES128+EECDH:AES128+EDH
tls_preempt_cipherlist = yes
unknown_local_recipient_reject_code = 550




--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Relay access denied

Bill Cole-3
On 28 Nov 2018, at 6:49, wp.rauchholz wrote:

> [root@home postfix]# telnet localhost 465

That's abnormal. Port 465 is normally TLS-wrapped, so telnet should not
work for testing it. That it seemingly DOES work (at least to connect
and try mail...) means that you've done something unusual in master.cf.

Please provide the output of "postconf -Mf" so that we can see how that
port is configured.

Tangentially: all those customized "hardening" smtpd_tls_* settings you
have will result in your server receiving more mail over unencrypted
sessions, because many sending systems won't be able to live up to your
TLS standards and so will fall back to sending in the clear. This makes
your mail flow in aggregate much LESS secure.

Re: Relay access denied

wp.rauchholz
Thanks for taking this up.
Concerning hardening TLS settings; can you recommend a read / web page that is suitable for a home email server?
Thanks in advance

Here is the postconf -Mf output

smtp       inet  n       -       n       -       -       smtpd
amavisfeed unix  -       -       n       -       2       lmtp
    -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes -o max_use=20
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
spamassassin unix -      n       n       -       -       pipe
    flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f
    ${sender} ${recipient}
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter= -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions= -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions= -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients= -o smtpd_milters= -o local_recipient_maps=

Thanks, Wolfgang


--

Wolfgang Rauchholz




Re: Relay access denied

Viktor Dukhovni
> On Nov 28, 2018, at 3:47 PM, Wolfgang Paul Rauchholz <[hidden email]> wrote:
>
> Thanks for taking this up.
> Concerning hardening TLS settings; can you recommend a read / web page that
> is suitable for a home email server?

Run with default Postfix settings.  They are good enough, worst case
exclude a cipher type or two, but don't redefine the low-level
"tls_*_cipherlist" parameters.

--
        Viktor.


Re: Relay access denied

Bill Cole-3
In reply to this post by wp.rauchholz
On 28 Nov 2018, at 15:47, Wolfgang Paul Rauchholz wrote:

> Thanks for taking this up.
> Concerning hardening TLS settings; can you recommend a read / web page
> that
> is suitable for a home email server?

The TLS "readme" files in the Postfix distribution (and at
http://www.postfix.org/TLS_README.html and
http://www.postfix.org/FORWARD_SECRECY_README.html) cover what you need
to know.

The short version: Postfix default TLS cipher and protocol settings are
fine, for releases after 2015. For older versions, you may need to set
smtpd_tls_protocols and smtpd_tls_mandatory_protocols to "!SSLv2,
!SSLv3" which is the default in currently supported versions.

> Thanks in advance
>
> Here is the postconf -Mf output
>
> smtp       inet  n       -       n       -       -       smtpd
> amavisfeed unix  -       -       n       -       2       lmtp
>     -o lmtp_data_done_timeout=1200 -o lmtp_send_xforward_command=yes
>     -o disable_dns_lookups=yes -o max_use=20
> submission inet  n       -       n       -       -       smtpd
>     -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
>     -o
> smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
>     -o milter_macro_daemon_name=ORIGINATING

That's the 'submission' (port 587) daemon, which opens connections in
cleartext and supports the "STARTTLS" command to upgrade the connection
to TLS encryption (because your main config includes
"smtpd_tls_security_level = may"). To send mail through this daemon, you
MUST either be sending to a domain that Postfix is configured to accept
mail for (local, virtual, and relay domains) OR authenticate using SASL
first. Because of "smtpd_tls_auth_only = yes" in your main config, you
can only authenticate using SASL *after* using STARTTLS to negotiate a
TLS session.

> smtps      inet  n       -       n       -       -       smtpd
>     -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
>     -o
> smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
>     -o milter_macro_daemon_name=ORIGINATING

That's supposedly the 'smtps' (port 465) daemon, which *NORMALLY* would
have an additional configuration  override directive:

     -o smtpd_tls_wrappermode=yes

Which "wraps" the SMTP session in TLS encryption that is negotiated
immediately at connect time, rather than having clients connect in the
clear. As it stands, your 'submission' and 'smtps' daemons will behave
identically, except for listening on different ports and using different
syslog labels. There's no benefit in that, because any client using port
465 will expect the smtps 'wrappermode' behavior and any using port 587
will expect the configured cleartext/STARTTLS behavior.

Because you are overriding the default smtpd_recipient_restrictions with
a restriction list which only permits mail from authenticated senders or
to recipients in local and relay-authorized domains, your attempt to
send mail to a gmail.com address was rejected.

You were able to send through port 25 because by default,
smtpd_recipient_restrictions is empty (giving an implicit 'DUNNO'
result) and smtpd_relay_restrictions starts with 'permit_mynetworks'.
This lets the mail through because you are connecting from the loopback,
which is included in your mynetworks setting.

I hope this helps. Good luck!

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
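The decision Bill describes above (the stock smtpd_relay_restrictions letting a loopback client relay on port 25, while the smtpd_recipient_restrictions override on the smtps and submission services rejects the same unauthenticated client) can be played through in a small model. The following is an added example written for this page, not Postfix code and not from any poster; the networks and domains in it are placeholders standing in for the poster's <LAN/24>, $myhostname and $mydomain, and the main.cf restriction list posted later in the thread is included so that its `reject, reject_unauth_destination` ordering can be checked as well.

```python
"""Toy model of how Postfix smtpd answers RCPT TO, for the cases in this thread.

Added example, not Postfix code. It models only the restrictions the thread
uses (permit_mynetworks, permit_sasl_authenticated, permit_auth_destination,
reject_unauth_destination, defer_unauth_destination, reject) and the Postfix
2.10+ rule that smtpd_relay_restrictions is evaluated before
smtpd_recipient_restrictions, with a reject or defer from either list
refusing the recipient. Networks and domains are placeholders.
"""
import ipaddress
from dataclasses import dataclass

# Assumed stand-ins for the poster's <LAN/24>, $myhostname and $mydomain.
MYNETWORKS = ["127.0.0.0/8", "[::1]/128", "192.168.1.0/24"]
AUTH_DESTINATIONS = {"home.example.net", "example.net", "localhost"}

# Postfix 2.10+ defaults for the two lists that matter at RCPT TO.
DEFAULT_RELAY = ["permit_mynetworks", "permit_sasl_authenticated",
                 "defer_unauth_destination"]
DEFAULT_RECIPIENT = []
# The -o override on the poster's submission and smtps services.
OVERRIDE_RECIPIENT = ["permit_sasl_authenticated", "reject_unauth_destination"]
# The list the poster later put in main.cf when asking about an open relay.
LATER_RECIPIENT = ["permit_mynetworks", "permit_auth_destination",
                   "permit_sasl_authenticated", "reject",
                   "reject_unauth_destination"]


@dataclass
class Session:
    client_ip: str
    recipient: str
    sasl_authenticated: bool = False


def in_mynetworks(ip):
    addr = ipaddress.ip_address(ip)
    nets = (ipaddress.ip_network(n.replace("[", "").replace("]", ""))
            for n in MYNETWORKS)
    # `in` is False across address families, so mixing v4/v6 nets is safe.
    return any(addr in net for net in nets)


def is_auth_destination(recipient):
    return recipient.rsplit("@", 1)[-1].lower() in AUTH_DESTINATIONS


def evaluate_list(restrictions, s):
    """The first restriction yielding permit/reject/defer ends the list;
    an exhausted list yields dunno."""
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(s.client_ip):
            return "permit", r
        if r == "permit_sasl_authenticated" and s.sasl_authenticated:
            return "permit", r
        if r == "permit_auth_destination" and is_auth_destination(s.recipient):
            return "permit", r
        if r.endswith("_unauth_destination") and not is_auth_destination(s.recipient):
            return ("defer" if r.startswith("defer") else "reject"), r
        if r in ("reject", "permit"):
            return r, r
        # anything else: dunno, try the next restriction
    return "dunno", "end of list"


def rcpt_decision(s, relay=DEFAULT_RELAY, recipient=DEFAULT_RECIPIENT):
    """Relay list first, then recipient list; a reject/defer in either
    refuses the recipient, permit or dunno in both accepts it."""
    for name, lst in (("smtpd_relay_restrictions", relay),
                      ("smtpd_recipient_restrictions", recipient)):
        result, why = evaluate_list(lst, s)
        if result == "reject":
            msg = "Relay access denied" if why.endswith("_unauth_destination") else "Access denied"
            return f"554 5.7.1 {msg} ({name}: {why})"
        if result == "defer":
            return f"454 4.7.1 Relay access denied ({name}: {why})"
    return "250 2.1.5 Ok"


def unreachable_after_reject(restrictions):
    """Restrictions listed after a bare `reject` can never be evaluated."""
    return restrictions[restrictions.index("reject") + 1:] if "reject" in restrictions else []


def scenarios():
    loop = Session("127.0.0.1", "someone@gmail.com")
    stranger = Session("203.0.113.7", "someone@gmail.com")
    return {
        # telnet localhost 25, stock lists: the relay list permits via
        # permit_mynetworks and the recipient list is empty -> accepted
        "port25_loopback_to_gmail": rcpt_decision(loop),
        # same client on smtps/submission with the override: the relay list
        # permits, then the overridden recipient list rejects -> the NOQUEUE
        # line in the first post
        "smtps_loopback_to_gmail": rcpt_decision(loop, recipient=OVERRIDE_RECIPIENT),
        "smtps_loopback_authenticated": rcpt_decision(
            Session("127.0.0.1", "someone@gmail.com", sasl_authenticated=True),
            recipient=OVERRIDE_RECIPIENT),
        # an outside host relaying out is deferred by the stock relay list,
        # so the defaults are not an open relay either
        "port25_stranger_to_gmail": rcpt_decision(stranger),
        # inbound mail for a domain in mydestination always gets through
        "port25_stranger_to_local": rcpt_decision(Session("203.0.113.7", "wolfgang@example.net")),
        # the later main.cf list on its own: strangers stop at `reject`
        "later_list_stranger_to_gmail": rcpt_decision(stranger, relay=[], recipient=LATER_RECIPIENT),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:32} {verdict}")
    print("unreachable in later list:", unreachable_after_reject(LATER_RECIPIENT))
```

Each scenario prints its verdict. The 554 for the loopback client under the smtps override is the NOQUEUE line from the first post, and the model makes the source clear: it is the per-service smtpd_recipient_restrictions override, not the relay list, that produces it, which is also why port 25 accepted the same RCPT. The trailing reject_unauth_destination in the later main.cf list is reported as dead weight behind the bare reject; the list is still closed to strangers, just not for the reason its author may think.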

Re: Relay access denied

wp.rauchholz
Thanks for help.
A lot to digest and read before doing changes to config.

Wolfgang

--

Wolfgang Rauchholz




Re: Relay access denied

wp.rauchholz
In reply to this post by Bill Cole-3
Got finally some time over the weekend...

I got a step further, but still one topic open.
It appears that I have configured an open relay server? When trying to send emails to my gmail account I get this error message:

  .... 550-5.7.1 [83.50.89.156] The IP you're using to send mail is not authorized to 550-5.7.1 send email directly to our servers. .....

I went through documentation on the web and assume it is my submission statement that makes it an open relay?

This is what I set up in main.cf. How do I need to harden this to close the open relay?
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes


smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, permit_sasl_authenticated, reject, reject_unauth_destination
smtpd_use_tls = yes
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/letsencrypt/live/<mydomain>/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/<mydomain>/privkey.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
content_filter=smtp-amavis:[127.0.0.1]:10024


Wolfgang

--

Wolfgang Rauchholz
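A quick way to catch the two master.cf problems discussed in this thread (a port-465 service without smtpd_tls_wrappermode=yes, and restriction lists whose tail can never run, as with `reject, reject_unauth_destination` in the main.cf list just posted) is to lint the postconf -Mf output directly. The script below is an added example for this page, not Postfix code and not the poster's; the sample input is reconstructed from the postconf -Mf output earlier in the thread, and the "fixed" smtps entry is an assumed correction following the shape the stock master.cf comments suggest.

```python
"""Lint a `postconf -Mf` dump for the master.cf problems raised in this thread.

Added example, not Postfix code and not the poster's. It parses the
service/continuation layout that postconf -Mf prints and flags three things:
an smtps (port 465) service without smtpd_tls_wrappermode=yes; a restriction
list override containing none of reject_unauth_destination,
defer_unauth_destination or reject (relaying then depends entirely on the
other list in main.cf); and restrictions listed after a bare reject, which
are never evaluated.
"""
import re

# Constructed sample: the smtpd services from the poster's postconf -Mf
# output (the 10025 service shortened), plus the spamassassin pipe entry
# to show that continuation lines without `-o` are ignored.
SAMPLE = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter= -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
spamassassin unix -      n       n       -       -       pipe
    flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f
    ${sender} ${recipient}
"""

# Assumed correction for port 465, in the shape the stock master.cf comments suggest.
FIXED_SMTPS = """\
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

# The smtpd_recipient_restrictions the poster later put in main.cf.
MAIN_CF_LIST = ("permit_mynetworks, permit_auth_destination, "
                "permit_sasl_authenticated, reject, reject_unauth_destination")

RELAY_STOPPERS = {"reject_unauth_destination", "defer_unauth_destination", "reject"}


def parse_master(text):
    """Return [{name, type, command, options}]; options are the `-o key=value`
    pairs found on indented continuation lines."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                       # continuation line
            toks = line.split()
            for i, tok in enumerate(toks):
                if tok == "-o" and i + 1 < len(toks) and "=" in toks[i + 1] and services:
                    key, val = toks[i + 1].split("=", 1)
                    services[-1]["options"][key] = val
            continue
        f = line.split()
        if len(f) >= 8:      # name type private unpriv chroot wakeup maxproc command
            services.append({"name": f[0], "type": f[1], "command": f[7], "options": {}})
    return services


def split_restrictions(value):
    return [r for r in re.split(r"[,\s]+", value) if r]


def lint_restrictions(owner, key, value):
    """Checks that apply to any restriction list, master.cf override or main.cf."""
    lst = split_restrictions(value)
    out = []
    if not RELAY_STOPPERS & set(lst):
        out.append(f"{owner}: {key} has no reject/defer_unauth_destination or reject; "
                   "relaying is blocked only if the other list in main.cf does it")
    if "reject" in lst and lst[lst.index("reject") + 1:]:
        out.append(f"{owner}: {key} lists {lst[lst.index('reject') + 1:]} after reject, never evaluated")
    return out


def lint(services):
    findings = []
    for s in services:
        if s["command"] != "smtpd":
            continue
        o = s["options"]
        if s["name"].rsplit(":", 1)[-1] in ("smtps", "465") and o.get("smtpd_tls_wrappermode") != "yes":
            findings.append(f"{s['name']}: port 465 service without smtpd_tls_wrappermode=yes; "
                            "clients expect TLS from the first byte")
        for key in ("smtpd_recipient_restrictions", "smtpd_relay_restrictions"):
            if key in o:
                findings.extend(lint_restrictions(s["name"], key, o[key]))
    return findings


if __name__ == "__main__":
    for line in (lint(parse_master(SAMPLE)) + lint(parse_master(FIXED_SMTPS))
                 + lint_restrictions("main.cf", "smtpd_recipient_restrictions", MAIN_CF_LIST)):
        print(line)
```

Feed it `postconf -Mf` output from a real box instead of SAMPLE and it reports only the smtps entry for the configuration in this thread; the submission override is fine because it ends in reject_unauth_destination, and the 10025 amavis return path ends in a bare reject with nothing behind it. The main.cf list is reported for its unreachable tail, which confirms Willi's reading: it is not an open relay, it just carries a restriction that can never fire.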




Re: Relay access denied

Wilfried.Essig@Essignetz.de
Hi Wolfgang,


I don't think you have an open relay:
> smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination,
> permit_sasl_authenticated, reject, reject_unauth_destination
But you have a dynamic IP-Address.
> host 83.50.89.156
> 156.89.50.83.in-addr.arpa domain name pointer 156.red-83-50-89.dynamicip.rima-tde.net.

Gmail doesn't like dynamic IPs very much.

Obviously you have a gmail account. I'd suggest setting up your postfix to
use authenticated SMTP to port 587, using your gmail credentials.


Willi

Re: Relay access denied

Wilfried.Essig@Essignetz.de
On 03.12.18 at 19:57, Wolfgang Paul Rauchholz wrote:
> Thank you for the help.
> But I might not have explained myself correctly. My plan is not to relay
> email from my home server via gmail.
> But I want to be able to send emails also to gmail accounts.

It's the same.

> How can I do that?

Didn't the suggestions you got yesterday work?


Willi
