transport and sasl_password question


transport and sasl_password question

Micah-20
I've been fighting with this problem a bit now. Google and RTFM have
been pretty kind to me, and I'm about 90% to having a solution
implemented.   I've gotten hung up on one little detail, and I find
myself in need of some guidance.

I run a RHEL5 server with postfix, clam, spamassassin, & dovecot. About
a year or so ago I switched from Sendmail (which I had been running
since 1995)  to Postfix when I rebuilt my mail server, and it's been a
pretty painless conversion.  I have discovered a couple of mail servers
on the net that will not accept mail from any customer at my ISP ("We're
sorry, but the class B that you're coming from is in the MAPS database
as being dynamically assigned, so bugger off!"    Funny... I've paid for
a block of static addresses for 3 years now from my ISP)  so I've got to
relay mail to a couple of specific domains through my ISP's mail server.
Their server admin is a pretty decent guy and generally has a clue and
I've got things mostly working.  My ISP's mail server is doing
non-encrypted SASL for outbound mail on an odd-ball port, (577) and only
accepting connections from IP address space allocated to its customers.

In my main.cf I have this line:
transport_maps = hash:/etc/postfix/transport

in my /etc/postfix/transport I have these two lines:  (host/domain names
changed to protect the innocent)
foo.com      smtp:[smtp.my-isp.net]:577
.foo.com      smtp:[smtp.my-isp.net]:577

and in /etc/postfix/sasl_password  I have this:
smtp.my-isp.net:577 MyUsernameHere:MyPasswordHere

I have used postmap to hash the transport file and the sasl_password
file.   When I tail -f /var/log/maillog, and send a test e-mail to
someone at foo.com, here's what I see:


Sep  3 20:17:55 perrin postfix/smtp[25264]: certificate verification
failed for mail.my-isp.net: num=20:unable to get local issuer certificate
Sep  3 20:17:55 perrin postfix/smtp[25264]: certificate verification
failed for mail.my-isp.net: num=27:certificate not trusted
Sep  3 20:17:55 perrin postfix/smtp[25264]: certificate verification
failed for mail.my-isp.net: num=21:unable to verify the first certificate
Sep  3 20:17:55 perrin postfix/smtp[25264]: Server certificate could not
be verified
Sep  3 20:17:57 perrin postfix/smtp[25264]: 0CC783353FA:
to=<[hidden email]>, relay=mail.southslope.net[167.142.226.73],
delay=7, status=bounced (host mail.my-isp.net[167.42.226.73] said: 530
[hidden email] You must authenticate first (in reply to MAIL FROM command))
Sep  3 20:18:01 perrin postfix/cleanup[25211]: 4C44D3353FF:
message-id=<[hidden email]>
Sep  3 20:18:01 perrin postfix/qmgr[19404]: 4C44D3353FF: from=<>,
size=2703, nrcpt=1 (queue active)
Sep  3 20:18:01 perrin postfix/qmgr[19404]: 0CC783353FA: removed
Sep  3 20:18:01 perrin postfix/local[25254]: 4C44D3353FF:
to=<[hidden email]>, relay=local, delay=0, status=sent (delivered to
mailbox)
Sep  3 20:18:01 perrin postfix/qmgr[19404]: 4C44D3353FF: removed


It looks a lot like it's not doing any sort of authentication when
trying to connect to the ISP's mail server.   Any suggestions?  Feel
free to suggest something that might seem painfully obvious to you,

Thanks,
   - Micah

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


Re: transport and sasl_password question

mouss-2
Micah wrote:

> I've been fighting with this problem a bit now. Google and RTFM have
> been pretty kind to me, and I'm about 90% to having a solution
> implemented.   I've gotten hung up on one little detail, and I find
> myself in need of some guidance.
>
> I run a RHEL5 server with postfix, clam, spamassassin, & dovecot. About
> a year or so ago I switched from Sendmail (which I had been running
> since 1995)  to Postfix when I rebuilt my mail server, and it's been a
> pretty painless conversion.  I have discovered a couple of mail servers
> on the net that will not accept mail from any customer at my ISP ("We're
> sorry, but the class B that you're coming from is in the MAPS database
> as being dynamically assigned, so bugger off!"    Funny... I've paid for
> a block of static addresses for 3 years now from my ISP)

a block like what?

$ host 207.32.43.6
6.43.32.207.in-addr.arpa domain name pointer perrin.blades.net.
$ host 207.32.43.5
5.43.32.207.in-addr.arpa domain name pointer loial.blades.net.
$ host 207.32.43.4
4.43.32.207.in-addr.arpa domain name pointer 4.43.32.207.sta.southslope.net.
$ host 207.32.43.3
3.43.32.207.in-addr.arpa domain name pointer 3.43.32.207.sta.southslope.net.
$ host 207.32.43.7
7.43.32.207.in-addr.arpa domain name pointer portasbestos.blades.net.
$ host 207.32.43.8
8.43.32.207.in-addr.arpa domain name pointer 8.43.32.207.sta.southslope.net.
$ host 207.32.43.9
9.43.32.207.in-addr.arpa domain name pointer 9.43.32.207.sta.southslope.net.

that's a "generic" block. don't be surprised if it's all blocked.

> so I've got to
> relay mail to a couple of specific domains through my ISP's mail server.
> Their server admin is a pretty decent guy and generally has a clue and
> I've got things mostly working.  My ISP's mail server is doing
> non-encrypted SASL for outbound mail on an odd-ball port, (577) and only
> accepting connections from IP address space allocated to its customers.
>
> In my main.cf I have this line:
> transport_maps = hash:/etc/postfix/transport
>
> in my /etc/postfix/transport I have these two lines:  (host/domain names
> changed to protect the innocent)
> foo.com      smtp:[smtp.my-isp.net]:577
> .foo.com      smtp:[smtp.my-isp.net]:577
>
> and in /etc/postfix/sasl_password  I have this:
> smtp.my-isp.net:577 MyUsernameHere:MyPasswordHere


key mismatch. use
[smtp.my-isp.net]:577   MyUsernameHere:MyPasswordHere


oh, and where is 'postconf -n' output?

Re: transport and sasl_password question

Micah-20
On Thu, September 4, 2008 8:56 am, mouss wrote:

> Micah wrote:
>> I've been fighting with this problem a bit now. Google and RTFM have
>> been pretty kind to me, and I'm about 90% to having a solution
>> implemented.   I've gotten hung up on one little detail, and I find
>> myself in need of some guidance.
>>
>> I run a RHEL5 server with postfix, clam, spamassassin, & dovecot. About
>> a year or so ago I switched from Sendmail (which I had been running
>> since 1995)  to Postfix when I rebuilt my mail server, and it's been a
>> pretty painless conversion.  I have discovered a couple of mail servers
>> on the net that will not accept mail from any customer at my ISP ("We're
>> sorry, but the class B that you're coming from is in the MAPS database
>> as being dynamically assigned, so bugger off!"    Funny... I've paid for
>> a block of static addresses for 3 years now from my ISP)
>
> a block like what?
>
> $ host 207.32.43.6
> 6.43.32.207.in-addr.arpa domain name pointer perrin.blades.net.
> $ host 207.32.43.5
> 5.43.32.207.in-addr.arpa domain name pointer loial.blades.net.
> $ host 207.32.43.4
> 4.43.32.207.in-addr.arpa domain name pointer
> 4.43.32.207.sta.southslope.net.
> $ host 207.32.43.3
> 3.43.32.207.in-addr.arpa domain name pointer
> 3.43.32.207.sta.southslope.net.
> $ host 207.32.43.7
> 7.43.32.207.in-addr.arpa domain name pointer portasbestos.blades.net.
> $ host 207.32.43.8
> 8.43.32.207.in-addr.arpa domain name pointer
> 8.43.32.207.sta.southslope.net.
> $ host 207.32.43.9
> 9.43.32.207.in-addr.arpa domain name pointer
> 9.43.32.207.sta.southslope.net.
>
> that's a "generic" block. don't be surprised if it's all blocked.

<sigh sigh>  Nope, I'm not surprised.  It's not a big issue for most folks
because my ISP services a fairly rural community and I'm probably the only
customer not using their mail server. My ISP and I did contact MAPS and
requested that they remove my static addresses from their lists, to which
MAPS replied that they would be happy to just as soon as my ISP gave them
a list of all customers and the IP addresses assigned to all customers.
Umm..... no!  Enough of the drama, back to the technical stuff.

>> so I've got to
>> relay mail to a couple of specific domains through my ISP's mail server.
>> Their server admin is a pretty decent guy and generally has a clue and
>> I've got things mostly working.  My ISP's mail server is doing
>> non-encrypted SASL for outbound mail on an odd-ball port, (577) and only
>> accepting connections from IP address space allocated to its customers.
>>
>> In my main.cf I have this line:
>> transport_maps = hash:/etc/postfix/transport
>>
>> in my /etc/postfix/transport I have these two lines:  (host/domain names
>> changed to protect the innocent)
>> foo.com      smtp:[smtp.my-isp.net]:577
>> .foo.com      smtp:[smtp.my-isp.net]:577
>>
>> and in /etc/postfix/sasl_password  I have this:
>> smtp.my-isp.net:577 MyUsernameHere:MyPasswordHere
>
>
> key mismatch. use
> [smtp.my-isp.net]:577   MyUsernameHere:MyPasswordHere

Excellent!  thank you very much.  This helped, and now I'm getting a
different ("better"  IMO)  error in maillog:

[root@perrin postfix]# Sep  4 09:49:05 perrin postfix/smtp[30978]:
45886335406: to=<[hidden email]>,
relay=mail.southslope.net[167.142.226.73], delay=4, status=deferred
(Authentication failed: SASL authentication failed; server
mail.my-isp.net[167.42.226.73] said: 535 (515) incorrect password or
account name)

I have confirmed several times that the password and username in the
sasl_passwords file are correct, and using Thunderbird or Evolution I can
send e-mail directly through the ISP e-mail server just fine. That is a
<TAB> between the [smtp.my-isp.net]:577  and the
MyUsernameHere:MyPasswordHere portions, perhaps it needs to be just a
space instead of <TAB>?


> oh, and where is 'postconf -n' output?
>

I'd be happy to mail it to you (or anyone else interested in taking a
look) off-list. Give me two shakes and it will be sitting in your inbox.


Thanks again for your help on this!




Re: transport and sasl_password question

mouss-2
Micah wrote:
>
> <sigh sigh>  Nope, I'm not surprised.  It's not a big issue for most folks
> because my ISP services a fairly rural community and I'm probably the only
> customer not using their mail server. My ISP and I did contact MAPS and
> requested that they remove my static addresses from their lists, to which
> MAPS replied that they would be happy to just as soon as my ISP gave them
> a list of all customers and the IP addresses assigned to all customers.
> Umm..... no!  Enough of the drama, back to the technical stuff.
>

why do you (or your isp) talk to maps at all? Many BL operators think
they are gods on earth. If you give them weapons, they'll invade a lot
of countries. Anyone using their services should know what it means and
accept the consequences. (besides, see the silly Trend Micro patent
attack against clamav...).

>
> [root@perrin postfix]# Sep  4 09:49:05 perrin postfix/smtp[30978]:
> 45886335406: to=<[hidden email]>,
> relay=mail.southslope.net[167.142.226.73], delay=4, status=deferred
> (Authentication failed: SASL authentication failed; server
> mail.my-isp.net[167.42.226.73] said: 535 (515) incorrect password or
> account name)
>
> I have confirmed several times that the password and username in the
> sasl_passwords file are correct, and using Thunderbird or Evolution I can
> send e-mail directly through the ISP e-mail server just fine. That is a
> <TAB> between the [smtp.my-isp.net]:577  and the
> MyUsernameHere:MyPasswordHere portions, perhaps it needs to be just a
> space instead of <TAB>?

it doesn't matter. any space does.

you'll need to check what is happening on this funny 557 port. see if
there are other error logs (you may want to enable verbosity: -v...).
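
Added example, not part of the thread and not Postfix code: a small checker for the "key mismatch" fix and the tab-versus-space question discussed above. It assumes the password table is matched by exact string against the transport nexthop, as in the fix mouss gave; the function names and the sample strings (built from the lines quoted in the thread) are constructed for illustration.

```python
# Added example: verify that every smtp: nexthop in a Postfix transport table
# has an identically spelled key in the SASL password table.
# Assumption: exact string match on the nexthop (the fix given in the thread);
# multi-line (continued) table entries are not handled.

def parse_table(text):
    """Parse 'key <whitespace> value' lines; tabs and spaces both separate."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 1)   # split on the first run of whitespace
        if len(fields) == 2:
            table[fields[0]] = fields[1].strip()
    return table

def strip_brackets(s):
    return s.replace("[", "").replace("]", "")

def check_keys(transport_text, sasl_text):
    """Return (pattern, nexthop, near_miss_keys) for each unmatched nexthop.
    Only keys are reported, never the user:password values."""
    sasl_keys = list(parse_table(sasl_text))
    findings = []
    for pattern, target in parse_table(transport_text).items():
        transport, _, nexthop = target.partition(":")
        if transport != "smtp" or not nexthop or nexthop in sasl_keys:
            continue
        near = [k for k in sasl_keys
                if strip_brackets(k) == strip_brackets(nexthop)]
        findings.append((pattern, nexthop, near))
    return findings

# Constructed sample input, copied from the lines quoted in the thread.
TRANSPORT = ("foo.com      smtp:[smtp.my-isp.net]:577\n"
             ".foo.com      smtp:[smtp.my-isp.net]:577\n")
SASL_ORIGINAL = "smtp.my-isp.net:577 MyUsernameHere:MyPasswordHere\n"
SASL_FIXED_TAB = "[smtp.my-isp.net]:577\tMyUsernameHere:MyPasswordHere\n"
SASL_FIXED_SPACES = "[smtp.my-isp.net]:577   MyUsernameHere:MyPasswordHere\n"

if __name__ == "__main__":
    for label, sasl in (("original", SASL_ORIGINAL), ("tab", SASL_FIXED_TAB),
                        ("spaces", SASL_FIXED_SPACES)):
        for pattern, nexthop, near in check_keys(TRANSPORT, sasl):
            print(f"{label}: {pattern} -> no key {nexthop!r}; near miss: {near}")
```

After correcting the source file, the table still has to be rebuilt with postmap, as the original post describes.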