Gentoo Forums
elmar283
Guru

Joined: 06 Dec 2004
Posts: 316
Location: Haarlem, Netherlands

Posted: Fri Apr 12, 2013 5:11 pm    Post subject: Relay access denied;

For more than a year I have had a mailserver running under Gentoo.
Today I noticed that I'm unable to send mail through SMTP to mail addresses outside of my own domain.
The error message is:
Code:

Apr 12 18:59:04 ZaphodBeeblebrox postfix/smtpd[10669]: NOQUEUE: reject: RCPT from mail.elmarotter.eu[83.161.154.53]: 554 5.7.1 <elmar283ATgmail.com>: Relay access denied; from=<elmarATelmarotter.nl> to=<elmar283ATgmail.com> proto=ESMTP helo=<[192.168.0.16]>

(I changed @ to AT to avoid spam).

I don't know why this is happening.
The only thing I can think of is that somehow my ip isn't seen as an auth_destination in 'reject_unauth_destination'. But that is just a guess.

Below are some of my configs:
Code:

elmarotter@ZaphodBeeblebrox ~ $ cat /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = //usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.elmarotter.eu
mydomain = elmarotter.eu
myorigin = elmarotter.eu
inet_interfaces = all
mydestination = mail.elmarotter.eu, localhost.elmarotter.eu, elmarotter.eu
unknown_local_recipient_reject_code = 450
mynetworks = 192.168.0.0/24, 192.168.178.0/24, 127.0.0.0/8
home_mailbox = .maildir/
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 20
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = no
home_mailbox = .maildir/

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination

smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# everything after this is new; if my mailboxes stop working I will remove the text below
# Start of new text ->

alias_maps = mysql:/etc/postfix/mysql-aliases.cf
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf

local_transport = local
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname

virtual_transport = virtual
virtual_mailbox_domains = dwarsleeuwarden.nl, elmarotter.nl

virtual_minimum_uid = 1000

virtual_gid_maps = static:1001
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf

virtual_uid_maps = static:1001
virtual_mailbox_base = /
#virtual_mailbox_limit =

owner_request_special = no
recipient_delimiter = +

alias_maps  = mysql:/etc/postfix/mysql-aliases.cf
  hash:/var/lib/mailman/data/aliases,
  mysql:/etc/postfix/mysql-aliases.cf

virtual_alias_maps =
  hash:/var/lib/mailman/data/virtual-mailman,
  mysql:/etc/postfix/mysql-virtual.cf

# mail filtering starts here: so if things stop working properly, chuck what is below in the bin first ;)

biff = no
empty_address_recipient = MAILER-DAEMON
queue_minfree = 120000000

content_filter = smtp-amavis:[127.0.0.1]:10024
#Equivalently when using lmtp:
#content_filter = lmtp-amavis:[127.0.0.1]:10024

# TRANSPORT MAP
#
# Insert text from sample-transport.cf if you need explicit routing.
#transport_maps = hash:/etc/postfix/transport

#relay_domains = $transport_maps

mailbox_command = /usr/bin/procmail -a "elmarotter.eu"
#mailbox_command = /usr/bin/procmail -a "elmarotter.nl"
#mailbox_command = /usr/bin/procmail


Code:

elmarotter@ZaphodBeeblebrox ~ $ ping -c 3 mail.elmarotter.eu
PING mail.elmarotter.eu (83.161.154.53) 56(84) bytes of data.
64 bytes from mail.elmarotter.eu (83.161.154.53): icmp_seq=1 ttl=63 time=46.8 ms
64 bytes from mail.elmarotter.eu (83.161.154.53): icmp_seq=2 ttl=63 time=46.3 ms

--- mail.elmarotter.eu ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2001ms
rtt min/avg/max/mdev = 46.333/46.600/46.868/0.343 ms


Code:

elmarotter@ZaphodBeeblebrox ~ $ cat /etc/postfix/master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
   -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}


# My mail-scanning section starts here. So if things stop working, remove what is below first.


smtp-amavis     unix -        -       n     -       2  smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
#Equivalently when using lmtp:
#lmtp-amavis    unix -        -       n     -       2  lmtp
#   -o lmtp_data_done_timeout=1200
#   -o lmtp_send_xforward_command=yes

127.0.0.1:10024 inet n        -       n     -       -  smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000

#If you want to use proxy filtering instead
#smtp            inet n         -       n      -       8 smtpd
# -o smtpd_proxy_filter=127.0.0.1:10024
# -o smtpd_client_connection_count_limit=4
#If you don't want to scan outgoing mail use this
#10.0.0.2:smtp   inet n         -       n       -      - smtpd
#-o content_filter=
khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

Posted: Fri Apr 12, 2013 5:31 pm

elmar283 ...

I updated postfix only a day or so ago to 2.10.0 and I did notice that when running dispatch-conf the following had been added to main.cf ... and which I subsequently merged with my current config.

Code:
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination

As I don't see this in your main.cf, and taking the above error into account, this is probably the cause ... assuming of course you also updated postfix.

best ... khay
elmar283
Guru

Joined: 06 Dec 2004
Posts: 316
Location: Haarlem, Netherlands

Posted: Fri Apr 12, 2013 5:46 pm

@khayyam: Should I add that rule and delete:
Code:

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination

Or should I just add it?
elmar283
Guru

Joined: 06 Dec 2004
Posts: 316
Location: Haarlem, Netherlands

Posted: Fri Apr 12, 2013 5:59 pm

Now it works again, only not on squirrelmail:
Code:

connect from ZaphodBeeblebrox.elmarotter.eu[::1]
Apr 12 19:53:47 ZaphodBeeblebrox postfix/smtpd[13413]: NOQUEUE: reject: RCPT from ZaphodBeeblebrox.elmarotter.eu[::1]: 454 4.7.1 <elmar283ATgmail.com>: Relay access denied; from=<elmarATelmarotter.nl> to=<elmar283ATgmail.com> proto=ESMTP helo=<elmarotter.eu>

The strange thing is that it connects from my hostname.domain and not from mail.elmarotter.eu.
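Added example, not part of the original posts: a Python sketch that replays the two "Relay access denied" lines from this thread against the posted mynetworks and the two restriction lists the thread shows. It is a simplified model of the rule walk, not Postfix code; it assumes the clients were not SASL-authenticated, that the 554 line belongs to the older list and the 454 line to the newer one, and the `[::1]/128` entry in the last call is hypothetical.

```python
import ipaddress
import re

# Values copied from the main.cf posted in the thread.
MYNETWORKS = ["192.168.0.0/24", "192.168.178.0/24", "127.0.0.0/8"]
LOCAL_DOMAINS = {"mail.elmarotter.eu", "localhost.elmarotter.eu", "elmarotter.eu",
                 "dwarsleeuwarden.nl", "elmarotter.nl"}  # mydestination + virtual_mailbox_domains
OLD_RULES = ["permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"]
NEW_RULES = ["permit_mynetworks", "permit_sasl_authenticated", "defer_unauth_destination"]

# The two reject lines from the thread, trimmed to the fields used here.
LOG_554 = ("postfix/smtpd[10669]: NOQUEUE: reject: RCPT from mail.elmarotter.eu"
           "[83.161.154.53]: 554 5.7.1 <elmar283ATgmail.com>: Relay access denied;")
LOG_454 = ("postfix/smtpd[13413]: NOQUEUE: reject: RCPT from ZaphodBeeblebrox.elmarotter.eu"
           "[::1]: 454 4.7.1 <elmar283ATgmail.com>: Relay access denied;")

REJECT_RE = re.compile(r"RCPT from \S+\[(?P<ip>[0-9A-Fa-f:.]+)\]: (?P<code>\d{3}) \S+ "
                       r"<(?P<rcpt>[^>]*)>: Relay access denied")

def in_mynetworks(ip, networks):
    """True if ip falls inside any entry; accepts Postfix's [v6]/len notation."""
    addr = ipaddress.ip_address(ip)
    nets = (ipaddress.ip_network(n.replace("[", "").replace("]", "")) for n in networks)
    return any(addr in net for net in nets)  # a v6 address never matches a v4 net

def evaluate(ip, sasl_authenticated, rcpt, rules, networks):
    """Walk the list in order; the first rule that decides wins."""
    domain = re.split(r"@|AT", rcpt)[-1].lower()  # the poster masked @ as AT
    for rule in rules:
        if rule == "permit_mynetworks" and in_mynetworks(ip, networks):
            return "permit", rule
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit", rule
        if rule.endswith("_unauth_destination") and domain not in LOCAL_DOMAINS:
            return rule.split("_")[0], rule  # "reject" (5xx) or "defer" (4xx)
    return "dunno", None

def replay(line, rules, networks=MYNETWORKS, sasl_authenticated=False):
    """Parse one reject line and re-evaluate it; returns (ip, code, action, rule)."""
    m = REJECT_RE.search(line)
    if m is None:
        raise ValueError("not a 'Relay access denied' reject line")
    action, rule = evaluate(m["ip"], sasl_authenticated, m["rcpt"], rules, networks)
    return m["ip"], m["code"], action, rule

if __name__ == "__main__":
    print(replay(LOG_554, OLD_RULES))
    print(replay(LOG_454, NEW_RULES))
    # Hypothetical change: list the IPv6 loopback next to 127.0.0.0/8.
    print(replay(LOG_454, NEW_RULES, networks=MYNETWORKS + ["[::1]/128"]))
```

Neither client address in the two log lines (83.161.154.53 and ::1) falls inside the posted mynetworks, so in this model each request reaches the final `*_unauth_destination` rule.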
khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

Posted: Sat Apr 13, 2013 8:23 am

elmar283 ...

probably as elmarotter.nl isn't in $mynetworks and/or the client isn't sasl authenticated ... see the section local_header_rewrite_clients in postfix config parameters.

HTH & best ... khay
elmar283
Guru

Joined: 06 Dec 2004
Posts: 316
Location: Haarlem, Netherlands

Posted: Sat Apr 13, 2013 8:37 am

I have never had a domain in '$mynetworks', only networks (e.g. 192.168.178.0 and 192.168.0.0).
What do you mean by no SASL authentication?
As far as I know these lines make sure it is:
Code:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =

#smtpd_recipient_restrictions =
#  permit_sasl_authenticated,
#  permit_mynetworks,
#  reject_unauth_destination

smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination

smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

The point is that I had a perfectly good working postfix until I updated to version 2.10.0.
I can only guess it has something to do with that, because before the update everything worked just fine.
dianthus
n00b

Joined: 04 Apr 2007
Posts: 5

Posted: Sat Apr 13, 2013 10:15 am

elmar283 wrote:

The point is that I had a perfectly good working postfix until I updated to version 2.10.0.
I can only guess it has something to do with that, because before the update everything worked just fine.


I would like to confirm that postfix 2.9.10 after the recent update stopped relaying on the submission port (587), although prior to the upgrade it worked fine for months. I could not figure out where the problem is, so I downgraded to 2.9.5 (still working).

It may have something to do with USE flags or a subtle change of configuration options.
BrummBrumm
n00b

Joined: 04 Jan 2008
Posts: 58

Posted: Tue Apr 16, 2013 7:58 am

same here.
They mention changes to the relay policy in http://www.postfix.org/announcements/postfix-2.10.0.html and here: http://www.postfix.org/SMTPD_ACCESS_README.html

EDIT:

When I re-emerged postfix-2.10.0 I noticed the following message:


* COMPATIBILITY: adding smtpd_relay_restrictions to main.cf
* to prevent inbound mail from unexpectedly bouncing.
* Specify an empty smtpd_relay_restrictions value to keep using
* smtpd_recipient_restrictions as before.


works for me :)
dianthus
n00b

Joined: 04 Apr 2007
Posts: 5

Posted: Wed Apr 17, 2013 6:01 pm

BrummBrumm wrote:


When I re-emerged postfix-2.10.0 I noticed the following message:


* COMPATIBILITY: adding smtpd_relay_restrictions to main.cf
* to prevent inbound mail from unexpectedly bouncing.
* Specify an empty smtpd_relay_restrictions value to keep using
* smtpd_recipient_restrictions as before.


works for me :)


You made my day, thank you :D
Skymotz
n00b

Joined: 09 Sep 2006
Posts: 36

Posted: Fri May 03, 2013 4:33 am

oh my god,

it just took me 6,5 hours to find this post and it was exactly what I needed.

Thank you so much!