I've been fighting with this problem a bit now. Google and RTFM have been pretty kind to me, and I'm about 90% to having a solution implemented. I've gotten hung up on one little detail, and I find myself in need of some guidance.

I run a RHEL5 server with postfix, clam, spamassassin, & dovecot. About a year or so ago I switched from Sendmail (which I had been running since 1995) to Postfix when I rebuilt my mail server, and it's been a pretty painless conversion. I have discovered a couple of mail servers on the net that will not accept mail from any customer at my ISP ("We're sorry, but the class B that you're coming from is in the MAPS database as being dynamically assigned, so bugger off!" Funny... I've paid for a block of static addresses for 3 years now from my ISP) so I've got to relay mail to a couple of specific domains through my ISP's mail server. Their server admin is a pretty decent guy and generally has a clue and I've got things mostly working. My ISP's mail server is doing non-encrypted SASL for outbound mail on an odd-ball port, (577) and only accepting connections from IP address space allocated to its customers.

In my main.cf I have this line:
transport_maps = hash:/etc/postfix/transport

in my /etc/postfix/transport I have these two lines: (host/domain names changed to protect the innocent)
foo.com smtp:[smtp.my-isp.net]:577
.foo.com smtp:[smtp.my-isp.net]:577

and in /etc/postfix/sasl_password I have this:
smtp.my-isp.net:577 MyUsernameHere:MyPasswordHere

I have used postmap to hash the transport file and the sasl_password file.

When I tail -f /var/log/maillog, and send a test e-mail to someone at foo.com, here's what I see:

Sep 3 20:17:55 perrin postfix/smtp[25264]: certificate verification failed for mail.my-isp.net: num=20:unable to get local issuer certificate
Sep 3 20:17:55 perrin postfix/smtp[25264]: certificate verification failed for mail.my-isp.net: num=27:certificate not trusted
Sep 3 20:17:55 perrin postfix/smtp[25264]: certificate verification failed for mail.my-isp.net: num=21:unable to verify the first certificate
Sep 3 20:17:55 perrin postfix/smtp[25264]: Server certificate could not be verified
Sep 3 20:17:57 perrin postfix/smtp[25264]: 0CC783353FA: to=<[hidden email]>, relay=mail.southslope.net[167.142.226.73], delay=7, status=bounced (host mail.my-isp.net[167.42.226.73] said: 530 [hidden email] You must authenticate first (in reply to MAIL FROM command))
Sep 3 20:18:01 perrin postfix/cleanup[25211]: 4C44D3353FF: message-id=<[hidden email]>
Sep 3 20:18:01 perrin postfix/qmgr[19404]: 4C44D3353FF: from=<>, size=2703, nrcpt=1 (queue active)
Sep 3 20:18:01 perrin postfix/qmgr[19404]: 0CC783353FA: removed
Sep 3 20:18:01 perrin postfix/local[25254]: 4C44D3353FF: to=<[hidden email]>, relay=local, delay=0, status=sent (delivered to mailbox)
Sep 3 20:18:01 perrin postfix/qmgr[19404]: 4C44D3353FF: removed

It looks a lot like it's not doing any sort of authentication when trying to connect to the ISP's mail server.

Any suggestions? Feel free to suggest something that might seem painfully obvious to you,

Thanks,
- Micah

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

Micah wrote:
> I've been fighting with this problem a bit now. Google and RTFM have
> been pretty kind to me, and I'm about 90% to having a solution
> implemented. I've gotten hung up on one little detail, and I find
> myself in need of some guidance.
>
> I run a RHEL5 server with postfix, clam, spamassassin, & dovecot. About
> a year or so ago I switched from Sendmail (which I had been running
> since 1995) to Postfix when I rebuilt my mail server, and it's been a
> pretty painless conversion. I have discovered a couple of mail servers
> on the net that will not accept mail from any customer at my ISP ("We're
> sorry, but the class B that you're coming from is in the MAPS database
> as being dynamically assigned, so bugger off!" Funny... I've paid for
> a block of static addresses for 3 years now from my ISP)

a block like what?

$ host 207.32.43.6
6.43.32.207.in-addr.arpa domain name pointer perrin.blades.net.
$ host 207.32.43.5
5.43.32.207.in-addr.arpa domain name pointer loial.blades.net.
$ host 207.32.43.4
4.43.32.207.in-addr.arpa domain name pointer 4.43.32.207.sta.southslope.net.
$ host 207.32.43.3
3.43.32.207.in-addr.arpa domain name pointer 3.43.32.207.sta.southslope.net.
$ host 207.32.43.7
7.43.32.207.in-addr.arpa domain name pointer portasbestos.blades.net.
$ host 207.32.43.8
8.43.32.207.in-addr.arpa domain name pointer 8.43.32.207.sta.southslope.net.
$ host 207.32.43.9
9.43.32.207.in-addr.arpa domain name pointer 9.43.32.207.sta.southslope.net.

that's a "generic" block. don't be surprised if it's all blocked.

> so I've got to
> relay mail to a couple of specific domains through my ISP's mail server.
> Their server admin is a pretty decent guy and generally has a clue and
> I've got things mostly working. My ISP's mail server is doing
> non-encrypted SASL for outbound mail on an odd-ball port, (577) and only
> accepting connections from IP address space allocated to its customers.
>
> In my main.cf I have this line:
> transport_maps = hash:/etc/postfix/transport
>
> in my /etc/postfix/transport I have these two lines: (host/domain names
> changed to protect the innocent)
> foo.com smtp:[smtp.my-isp.net]:577
> .foo.com smtp:[smtp.my-isp.net]:577
>
> and in /etc/postfix/sasl_password I have this:
> smtp.my-isp.net:577 MyUsernameHere:MyPasswordHere

key mismatch. use
[smtp.my-isp.net]:577 MyUsernameHere:MyPasswordHere

oh, and where is 'postconf -n' output?

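The key mismatch from the reply above, as an added example that is not part of the original thread: a small Python check that every nexthop in the transport table has an identically spelled key in the SASL password table. The function names and the inline tables (constructed from the values quoted in the thread) are assumptions of this example, and only the literal nexthop string is compared.

```python
# Added example: find transport nexthops with no matching SASL password key.
# Simplified model: only the literal nexthop string is compared.

# Constructed sample tables, built from the values quoted in the thread.
TRANSPORT = (
    "foo.com\tsmtp:[smtp.my-isp.net]:577\n"
    ".foo.com\tsmtp:[smtp.my-isp.net]:577\n"
)
PASSWD_BEFORE = "smtp.my-isp.net:577 MyUsernameHere:MyPasswordHere\n"
PASSWD_AFTER = "[smtp.my-isp.net]:577\tMyUsernameHere:MyPasswordHere\n"


def parse_table(text):
    """Parse Postfix 'key <whitespace> value' table text into a dict."""
    entries, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank line or comment
        if raw[0] in " \t" and last is not None:
            entries[last] += " " + raw.strip()        # continuation line
            continue
        parts = raw.split(None, 1)                    # space or TAB both work
        last = parts[0]
        entries[last] = parts[1].strip() if len(parts) > 1 else ""
    return entries


def nexthop(transport_value):
    """Return the nexthop part of a 'transport:nexthop' value ('' if none)."""
    return transport_value.partition(":")[2]


def _bare(s):
    """Drop the [] brackets so near-miss keys can be recognised."""
    return s.replace("[", "").replace("]", "")


def missing_credentials(transport_text, passwd_text):
    """Map each nexthop without a password key to its near-miss keys.

    Only keys are returned; the username:password values are never exposed.
    """
    hops = {nexthop(v) for v in parse_table(transport_text).values()} - {""}
    keys = set(parse_table(passwd_text))
    return {h: sorted(k for k in keys if _bare(k) == _bare(h))
            for h in sorted(hops) if h not in keys}


if __name__ == "__main__":
    print("before:", missing_credentials(TRANSPORT, PASSWD_BEFORE))
    print("after: ", missing_credentials(TRANSPORT, PASSWD_AFTER))
```
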
On Thu, September 4, 2008 8:56 am, mouss wrote:
> Micah wrote:
>> I've been fighting with this problem a bit now. Google and RTFM have
>> been pretty kind to me, and I'm about 90% to having a solution
>> implemented. I've gotten hung up on one little detail, and I find
>> myself in need of some guidance.
>>
>> I run a RHEL5 server with postfix, clam, spamassassin, & dovecot. About
>> a year or so ago I switched from Sendmail (which I had been running
>> since 1995) to Postfix when I rebuilt my mail server, and it's been a
>> pretty painless conversion. I have discovered a couple of mail servers
>> on the net that will not accept mail from any customer at my ISP ("We're
>> sorry, but the class B that you're coming from is in the MAPS database
>> as being dynamically assigned, so bugger off!" Funny... I've paid for
>> a block of static addresses for 3 years now from my ISP)
>
> a block like what?
>
> $ host 207.32.43.6
> 6.43.32.207.in-addr.arpa domain name pointer perrin.blades.net.
> $ host 207.32.43.5
> 5.43.32.207.in-addr.arpa domain name pointer loial.blades.net.
> $ host 207.32.43.4
> 4.43.32.207.in-addr.arpa domain name pointer
> 4.43.32.207.sta.southslope.net.
> $ host 207.32.43.3
> 3.43.32.207.in-addr.arpa domain name pointer
> 3.43.32.207.sta.southslope.net.
> $ host 207.32.43.7
> 7.43.32.207.in-addr.arpa domain name pointer portasbestos.blades.net.
> $ host 207.32.43.8
> 8.43.32.207.in-addr.arpa domain name pointer
> 8.43.32.207.sta.southslope.net.
> $ host 207.32.43.9
> 9.43.32.207.in-addr.arpa domain name pointer
> 9.43.32.207.sta.southslope.net.
>
> that's a "generic" block. don't be surprised if it's all blocked.

<sigh sigh> Nope, I'm not surprised. It's not a big issue for most folks because my ISP services a fairly rural community and I'm probably the only customer not using their mail server. My ISP and I did contact MAPS and requested that they remove my static addresses from their lists, to which MAPS replied that they would be happy to just as soon as my ISP gave them a list of all customers and the IP addresses assigned to all customers. Umm..... no! Enough of the drama, back to the technical stuff.

>> so I've got to
>> relay mail to a couple of specific domains through my ISP's mail server.
>> Their server admin is a pretty decent guy and generally has a clue and
>> I've got things mostly working. My ISP's mail server is doing
>> non-encrypted SASL for outbound mail on an odd-ball port, (577) and only
>> accepting connections from IP address space allocated to its customers.
>>
>> In my main.cf I have this line:
>> transport_maps = hash:/etc/postfix/transport
>>
>> in my /etc/postfix/transport I have these two lines: (host/domain names
>> changed to protect the innocent)
>> foo.com smtp:[smtp.my-isp.net]:577
>> .foo.com smtp:[smtp.my-isp.net]:577
>>
>> and in /etc/postfix/sasl_password I have this:
>> smtp.my-isp.net:577 MyUsernameHere:MyPasswordHere
>
>
> key mismatch. use
> [smtp.my-isp.net]:577 MyUsernameHere:MyPasswordHere

Excellent! thank you very much. This helped, and now I'm getting a different ("better" IMO) error in maillog:

[root@perrin postfix]# Sep 4 09:49:05 perrin postfix/smtp[30978]: 45886335406: to=<[hidden email]>, relay=mail.southslope.net[167.142.226.73], delay=4, status=deferred (Authentication failed: SASL authentication failed; server mail.my-isp.net[167.42.226.73] said: 535 (515) incorrect password or account name)

I have confirmed several times that the password and username in the sasl_passwords file are correct, and using Thunderbird or Evolution I can send e-mail directly through the ISP e-mail server just fine. That is a <TAB> between the [smtp.my-isp.net]:577 and the MyUsernameHere:MyPasswordHere portions, perhaps it needs to be just a space instead of <TAB>?

> oh, and where is 'postconf -n' output?
>

I'd be happy to mail it to you (or anyone else interested in taking a look) off-list. Give me two shakes and it will be sitting in your inbox.

Thanks again for your help on this!

Micah wrote:
>
> <sigh sigh> Nope, I'm not surprised. It's not a big issue for most folks
> because my ISP services a fairly rural community and I'm probably the only
> customer not using their mail server. My ISP and I did contact MAPS and
> requested that they remove my static addresses from their lists, to which
> MAPS replied that they would be happy to just as soon as my ISP gave them
> a list of all customers and the IP addresses assigned to all customers.
> Umm..... no! Enough of the drama, back to the technical stuff.
>

why do you (or your isp) talk to maps at all? Many BL operators think they are gods on earth. If you give them weapons, they'll invade a lot of countries. Anyone using their services should know what it means and accept the consequences. (besides, see the silly Trend Micro patent attack against clamav...).

>
> [root@perrin postfix]# Sep 4 09:49:05 perrin postfix/smtp[30978]:
> 45886335406: to=<[hidden email]>,
> relay=mail.southslope.net[167.142.226.73], delay=4, status=deferred
> (Authentication failed: SASL authentication failed; server
> mail.my-isp.net[167.42.226.73] said: 535 (515) incorrect password or
> account name)
>
> I have confirmed several times that the password and username in the
> sasl_passwords file are correct, and using Thunderbird or Evolution I can
> send e-mail directly through the ISP e-mail server just fine. That is a
> <TAB> between the [smtp.my-isp.net]:577 and the
> MyUsernameHere:MyPasswordHere portions, perhaps it needs to be just a
> space instead of <TAB>?

it doesn't matter. any space does.

you'll need to check what is happening on this funny 557 port. see if there are other error logs (you may want to enable verbosity: -v...).