[SOLVED]postfix doesn't accept incoming mail

Post by boudewijn » Tue Jun 13, 2006 2:17 pm

Hi


I've been messing around with postfix for the last couple of days, and I ran into some kind of problem.
My mail will not get delivered, and postfix will NOT ehlo too.
But I can connect to the IP at port 25 (using telnet). The box is running gentoo on amd64.

This is my config:

Code: Select all

Password: 
mail boudewijn # cat /etc/postfix/main.cf  
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, tendam-bremer.nl
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.1.0/24
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:
                xxgdb = $daemon_directory/$process_name $process_id & sleep 5
                sendmail_path = /usr/sbin/sendmail
                newaliases_path = /usr/bin/newaliases
                mailq_path = /usr/bin/mailq
                setgid_group = postdrop
                manpage_directory = /usr/share/man
                readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme
                default_destination_concurrency_limit = 2
                alias_database = hash:/etc/mail/aliases
                local_destination_concurrency_limit = 2
                alias_maps = hash:/etc/mail/aliases
                home_mailbox = .maildir/

masquerade_domains = tendam-bremer.nl




smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination



smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

It will be used for a single domain only, so virtual hosting etc will not be an issue. The IP of the box is 192.168.1.2 so mynetworks should be fine. The portmapping is also well:

Code: Select all

Connection to tendam-bremer.nl closed.
bigmac:~ boudewijn$ telnet 
Display all 108 possibilities? (y or n)
bigmac:~ boudewijn$ telnet tendam-bremer.nl 25
Trying 62.59.177.186...
Connected to tendam-bremer.nl.
Escape character is '^]'.
EHLO tendam-bremer.nl
After sending the EHLO it seems to hang....

In messages, I find this:

Code: Select all

Jun 13 16:15:26 mail postfix/smtpd[5278]: smtpd_sasl_initialize: SASL config file is smtpd.conf
Jun 13 16:15:26 mail postfix/smtpd[5278]: fatal: SASL per-process initialization failed
Jun 13 16:15:27 mail postfix/master[4709]: warning: process /usr/lib/postfix/smtpd pid 5278 exit status 1
Jun 13 16:15:27 mail postfix/master[4709]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
And the smtpd.conf (in /etc/sasl2) looks like this:

Code: Select all

mail boudewijn # cat /etc/sasl2/smtpd.conf 
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method:saslauthd
mech_list : plain login
For the sake of completeness:

Code: Select all

mail boudewijn # cat /etc/conf.d/saslauthd 
SASLAUTH_MECH=shadow

SASL_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes

SASLAUTHD_OPTS="-a ${SASLAUTH_MECH}"

mail boudewijn # 
Does anyone know what's wrong here? (I've restarted both saslauthd and postfix a few times).
Last edited by boudewijn on Sun Jun 18, 2006 6:50 pm, edited 1 time in total.
My Dutch-language Gentoo forum:
http://www.gentoo-forum.nl

Post by boudewijn » Tue Jun 13, 2006 8:12 pm

nobody?

Sorry for the brutal kick, but I'm getting quite sick of messing around with that piece of software for almost a whole week :cry:

Post by Drunkula » Wed Jun 14, 2006 5:00 pm

Sorry. I can't help! I had Postfix setup for awhile with SASL but that was quite some time ago - and even then the SASL stuff was bewildering to me.

Perhaps the bump will get a useful bite this time.
Go away or I will replace you with a very small shell script.

Post by overkll » Wed Jun 14, 2006 5:43 pm

Your main.cf looks strange to me so I checked something. At the top of the main.cf example file, there is a blurb:
# The general format of each line is: parameter = value. Lines
# that begin with whitespace continue the previous line. A value can
# contain references to other $names or ${name}s.
This being the case your "debugger_command=" line is including many separate configuration parameters that should have * NO * whitespace in front of them. Try removing the whitespace in that section, like so:

Code: Select all

debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:
        xxgdb = $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/ 
and issue a "postfix reload"

Hope this helps.

Post by boudewijn » Wed Jun 14, 2006 8:56 pm

Well, I had some bite because of my kick \o/

Just tried sending an email to my account on the server:

Code: Select all

Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: mynetworks ~? debug_peer_list
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: mynetworks ~? fast_flush_domains
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: mynetworks ~? mynetworks
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: relay_domains ~? debug_peer_list
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: relay_domains ~? fast_flush_domains
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: relay_domains ~? mynetworks
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: relay_domains ~? permit_mx_backup_networks
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: relay_domains ~? qmqpd_authorized_clients
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: relay_domains ~? relay_domains
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: permit_mx_backup_networks ~? debug_peer_list
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: permit_mx_backup_networks ~? fast_flush_domains
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: permit_mx_backup_networks ~? mynetworks
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
Jun 14 22:53:15 mail postfix/smtpd[12037]: connect to subsystem private/proxymap
Jun 14 22:53:15 mail postfix/smtpd[12037]: send attr request = open
Jun 14 22:53:15 mail postfix/smtpd[12037]: send attr table = unix:passwd.byname
Jun 14 22:53:15 mail postfix/smtpd[12037]: send attr flags = 64
Jun 14 22:53:15 mail postfix/smtpd[12037]: private/proxymap socket: wanted attribute: status
Jun 14 22:53:15 mail postfix/smtpd[12037]: input attribute name: status
Jun 14 22:53:15 mail postfix/smtpd[12037]: input attribute value: 0
Jun 14 22:53:15 mail postfix/smtpd[12037]: private/proxymap socket: wanted attribute: flags
Jun 14 22:53:15 mail postfix/smtpd[12037]: input attribute name: flags
Jun 14 22:53:15 mail postfix/smtpd[12037]: input attribute value: 80
Jun 14 22:53:15 mail postfix/smtpd[12037]: private/proxymap socket: wanted attribute: (list terminator)
Jun 14 22:53:15 mail postfix/smtpd[12037]: input attribute name: (end)
Jun 14 22:53:15 mail postfix/smtpd[12037]: dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=0120
Jun 14 22:53:15 mail postfix/smtpd[12037]: dict_open: proxy:unix:passwd.byname
Jun 14 22:53:15 mail postfix/smtpd[12037]: dict_open: hash:/etc/mail/aliases
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? debug_peer_list
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? fast_flush_domains
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? mynetworks
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? permit_mx_backup_networks
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? qmqpd_authorized_clients
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? relay_domains
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? smtpd_access_maps
Jun 14 22:53:15 mail postfix/smtpd[12037]: smtpd_sasl_initialize: SASL config file is smtpd.conf
Jun 14 22:53:15 mail postfix/smtpd[12037]: fatal: SASL per-process initialization failed
Jun 14 22:53:16 mail postfix/master[12016]: warning: process /usr/lib/postfix/smtpd pid 12037 exit status 1
Jun 14 22:53:16 mail postfix/master[12016]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
SASL still isn't working :(
I'm afraid I can't use postfix without it...

Is the space-on-begin-is-comment rule also valid for the SASL files?

Post by boudewijn » Wed Jun 14, 2006 9:07 pm

Another strange thing:

Code: Select all

bigmac:~ boudewijn$ telnet <domain> 25
Trying <IP>...
Connected to <domain>.
Escape character is '^]'.
EHLO <domain>

This is the output of telnet from outside... it timed out after the EHLO.
I just tried to connect to another server (just the same setup):

Code: Select all

bigmac:~ boudewijn$ telnet vbds.nl 25
Trying 82.92.214.58...
Connected to vbds.nl.
Escape character is '^]'.
220 mail.vbds.nl ESMTP Postfix
EHLO vbds.nl
250-mail.vbds.nl
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
Before having done anything in the telnet session, it gives a 220 code.... which the problematic setup does NOT do. (the working is gentoo, amd64 too and also using postfix).

Post by boudewijn » Wed Jun 14, 2006 9:43 pm

/usr/sbin/postfix check did not return any errors.

and the postfinger output:

Code: Select all

postfinger - postfix configuration on Wed Jun 14 23:42:57 CEST 2006
version: 1.30

Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public.  If this is the case it is your responsibility to modify
the output to hide this private information.  [Remove this warning with
the --nowarn option.]

--System Parameters--
mail_version = 2.2.5
hostname = mail
uname = Linux mail 2.6.15 #2 SMP Wed May 31 07:33:04 Local time zone must be set--see zic  x86_64 AMD Athlon(tm) 64 Processor 3200+ GNU/Linux

--Packaging information--

--main.cf non-default parameters--
broken_sasl_auth_clients = yes
default_destination_concurrency_limit = 2
home_mailbox = .maildir/
mailbox_command = /usr/bin/procmail
masquerade_domains = tendam-bremer.nl
mydestination = $myhostname, localhost.$mydomain, tendam-bremer.nl
mynetworks = 127.0.0.0/8 192.168.1.0/24
readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 450

--master.cf--
smtp      inet  n       -       n       -       -       smtpd -v
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

-- end of postfinger output --
postfinger can be found here: http://ftp.wl0.org/SOURCES/postfinger btw.

Post by Non_E » Wed Jun 14, 2006 11:48 pm

Does it work without all that sasl stuff?

Post by boudewijn » Thu Jun 15, 2006 12:53 am

Non_E wrote:Does it work without all that sasl stuff?
How to turn it off?
(Well, that's not tough, but I should make sure there is some way to authenticate ;) )

Post by overkll » Thu Jun 15, 2006 4:52 pm

OK, I think I found another problem in your main.cf file.

Code: Select all

smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination
Try changing it to:

Code: Select all

smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination
The "smtpd_recipient_restrictions" may not sound like what you want, but it is the last smtpd restriction test, and performs all previous stage checks (helo, client, sender, and recipient) and is required. Here's a table straight from SMTPD_ACCESS_README:

Code: Select all

The table below summarizes the purpose of each SMTP access restriction list.
All lists use the exact same syntax; they differ only in the time of evaluation
and in the effect of a REJECT or DEFER result.


    |Restriction list name         |Status  |Effect of REJECT or DEFER result|
    |                              |        |                                |
    |smtpd_client_restrictions     |Optional|Reject all client commands      |
    |                              |        |                                |
    |smtpd_helo_restrictions       |Optional|Reject HELO/EHLO information    |
    |                              |        |                                |
    |smtpd_sender_restrictions     |Optional|Reject MAIL FROM information    |
    |                              |        |                                |
    |smtpd_recipient_restrictions  |Required|Reject RCPT TO information      |
    |                              |        |                                |
    |smtpd_data_restrictions       |Optional|Reject DATA command             |
    |                              |        |                                |
    |smtpd_end_of_data_restrictions|Optional|Reject END-OF-DATA command      |
    |                              |        |                                |
    |smtpd_etrn_restrictions       |Optional|Reject ETRN command             |
    |                              |        |                                |
You were also missing "permit_mynetworks". I've changed the formatting (added whitespace) just to make it easier to view the separate options. Your format is correct as well.

I'd turn off SASL for now to test. The log you posted spits out:

Code: Select all

Jun 14 22:53:15 mail postfix/smtpd[12037]: fatal: SASL per-process initialization failed
Jun 14 22:53:16 mail postfix/master[12016]: warning: process /usr/lib/postfix/smtpd pid 12037 exit status 1
Jun 14 22:53:16 mail postfix/master[12016]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling 
Just comment out all the SASL lines in your main.cf file. If you still get the "bad command startup -- throttling" after disabling SASL, then there is still an error in your main.cf and/or master.cf file.

In general, one should try to change only a few parameters at a time, then test. If it works, change a few more and test again. Keep repeating until postfix is set up like you want. If you try to do it all in one take, it's difficult to pinpoint the problem.

There are many excellent links to postfix howtos at www.postfix.org for different setups. You should take a look at a few. Personally I've mixed and matched many options from different howtos over the years.
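
Added example, not part of the original thread and not Postfix code: a simplified Python model of how the restriction lists in the table above are walked for one RCPT TO, comparing the original `smtpd_client_restrictions` line with the list suggested in the reply above. It assumes the default `smtpd_delay_reject = yes`, treats `$mydestination` as the single domain from the thread, and assumes the `BEFORE` recipient list is the built-in default of Postfix releases of that generation; the client addresses and recipients are constructed samples.

```python
import ipaddress

# Values taken from the main.cf posted in this thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
LOCAL_DOMAINS = {"tendam-bremer.nl"}  # simplification of $mydestination

# Restriction lists in the order they are evaluated for a RCPT TO command.
STAGES = (
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
)

# Original setting from the thread. The recipient list is an assumption:
# the built-in default of Postfix releases of that generation.
BEFORE = {
    "smtpd_client_restrictions": ["permit_sasl_authenticated",
                                  "reject_unauth_destination"],
    "smtpd_recipient_restrictions": ["permit_mynetworks",
                                     "reject_unauth_destination"],
}

# The list suggested in the reply.
AFTER = {
    "smtpd_recipient_restrictions": ["permit_mynetworks",
                                     "permit_sasl_authenticated",
                                     "reject_unauth_destination"],
}


def check(restriction, client_ip, authenticated, rcpt):
    """Return 'PERMIT', 'REJECT' or None (no decision) for one restriction."""
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(client_ip)
        return "PERMIT" if any(ip in net for net in MYNETWORKS) else None
    if restriction == "permit_sasl_authenticated":
        return "PERMIT" if authenticated else None
    if restriction == "reject_unauth_destination":
        domain = rcpt.rsplit("@", 1)[-1].lower()
        return None if domain in LOCAL_DOMAINS else "REJECT"
    raise ValueError("restriction not modelled: " + restriction)


def rcpt_decision(config, client_ip, authenticated, rcpt):
    """Walk every list in order. A REJECT ends the session's RCPT TO at once;
    a PERMIT only ends the current list, later lists are still evaluated."""
    for stage in STAGES:
        for restriction in config.get(stage, []):
            result = check(restriction, client_ip, authenticated, rcpt)
            if result == "REJECT":
                return ("REJECT", stage, restriction)
            if result == "PERMIT":
                break
    return ("PERMIT", None, None)


# Constructed sample sessions: (client IP, SASL authenticated, recipient).
CASES = {
    "LAN client relaying out": ("192.168.1.10", False, "friend@example.org"),
    "remote MX to local user": ("203.0.113.5", False, "boudewijn@tendam-bremer.nl"),
    "remote relay attempt": ("203.0.113.5", False, "friend@example.org"),
    "remote authenticated user": ("203.0.113.5", True, "friend@example.org"),
}


def compare():
    """Map each case name to its (before, after) verdicts."""
    return {
        name: (rcpt_decision(BEFORE, *args)[0], rcpt_decision(AFTER, *args)[0])
        for name, args in CASES.items()
    }


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:28} before={before:7} after={after}")
```

In this model both configurations refuse the unauthenticated relay attempt from outside; what the suggested list changes is that clients in `mynetworks` and authenticated users are permitted before `reject_unauth_destination` is reached.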

Post by boudewijn » Thu Jun 15, 2006 6:34 pm

okay.

At first: thanks for helping me! This is one of the best things about the Gentoo community.

Second:

I removed all the SASL stuff and fixed the smtpd_client_restrictions. It seems to work now... I get a '220' when telnetting.
Would you please have a look at the sasl stuff too? (I just did, and can not find the problem).

Post by overkll » Thu Jun 15, 2006 6:54 pm

boudewijn wrote:okay.

At first: thanks for helping me! This is one of the best things about the Gentoo community.
You're welcome
boudewijn wrote:Second:

I removed all the SASL stuff and fixed the smtpd_client_restrictions. It seems to work now... I get a '220' when telnetting.
Would you please have a look at the sasl stuff too? (I just did, and can not find the problem).
For Postfix:
Post your main.cf, master.cf, and error log.

SASL:
What program are you using for sasl? cyrus-sasl?
Post smtpd.conf and any other sasl config file you are using.

TLS/SSL:
Are you using TLS/SSL too?

How did you get to this current configuration? Did you use a guide? If so, which one?

Post the output of "emerge -pv postfix cyrus-sasl"

Post the output of "emerge --info" as well

Post by boudewijn » Thu Jun 15, 2006 7:55 pm

All right: I will use TLS or SSL in the future; it's a nice feature.
I'm using cyrus-sasl.

The guide: the one on gentoo-wiki.com (email system for the home network). I haven't used it before. My standard mail setup (about five boxes currently deployed... and stable as a rock) is from gentoo.org itself (the documentation\administration part).

saslauthd and smtpd.conf: please have a look at my start-posts. I don't mind reposting them, although there might be people who are considering that being spam.

Installed versions:

Code: Select all

Calculating dependencies ...done!
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.21-r2  
[ebuild   R   ] mail-mta/postfix-2.2.5  
Currently I'm not using any kind of SSL or TLS, the inbound mail is sent without SSL\TLS.
Outbound mail is done using mutt (just like the checking of my mailbox).

smtpd.conf:

Code: Select all

mail boudewijn # cat /usr/lib64/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method:saslauthd
mech_list : plain login
mail boudewijn # cat /etc/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method:saslauthd
mech_list : plain login
And the rest (please tell me if you need more):

Code: Select all

mail postfix # cat main.cf 
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, <domain>
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.1.0/24
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:
        xxgdb = $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/

masquerade_domains = <domain>
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_sasl_local_domain =
#broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination
                    smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

mail postfix # grep -v '^#' master.cf 
smtp      inet  n       -       n       -       -       smtpd -v
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
Thanks btw, dude!


edit:
Connecting through telnet now results in normal output:

Code: Select all

bigmac:~ boudewijn$ telnet<domain> 25
Trying <IP>...
Connected to tendam-bremer.nl.
Escape character is '^]'.
220 mail.<domain> ESMTP Postfix
ehlo <domain>
250-mail.<domain>
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
^]
telnet> Connection closed.
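
Added example, not part of the original thread and not Postfix code: a small Python checker for the main.cf rule quoted earlier in the thread (a line that begins with whitespace continues the previous line), run over trimmed copies of the original main.cf and of the revised main.cf in the post above, as they appear on this page. The `KNOWN` name list and all function names are assumptions of this sketch.

```python
import re

ASSIGN = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")

# Parameter names copied from the configs in this thread. On a live system a
# fuller list could be built from the names printed by `postconf -d`.
KNOWN = {
    "sendmail_path", "newaliases_path", "mailq_path", "setgid_group",
    "manpage_directory", "readme_directory", "alias_database", "alias_maps",
    "home_mailbox", "smtpd_use_tls", "smtpd_tls_auth_only",
}

# Trimmed excerpt of the first main.cf in the thread (indentation as posted).
ORIGINAL = """\
debug_peer_level = 2
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:
                xxgdb = $daemon_directory/$process_name $process_id & sleep 5
                sendmail_path = /usr/sbin/sendmail
                setgid_group = postdrop
                alias_maps = hash:/etc/mail/aliases
                home_mailbox = .maildir/

masquerade_domains = tendam-bremer.nl
"""

# Trimmed excerpt of the revised main.cf (indentation as posted).
REVISED = """\
smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination
                    smtpd_use_tls = yes
smtpd_tls_auth_only = yes
"""


def logical_lines(text):
    """Join physical lines into logical ones: a line starting with whitespace
    continues the previous logical line; blank and comment lines are ignored."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace():
            if entries:
                entries[-1]["value"].append(stripped)
                entries[-1]["continuations"].append((no, stripped))
            continue
        match = ASSIGN.match(stripped)
        if match:
            name, first = match.groups()
            entries.append({"name": name, "line": no,
                            "value": [first] if first else [],
                            "continuations": []})
    return entries


def effective_value(text, name):
    """Value a parameter ends up with (last definition wins), or None."""
    value = None
    for entry in logical_lines(text):
        if entry["name"] == name:
            value = " ".join(entry["value"])
    return value


def absorbed_parameters(text, known=KNOWN):
    """Continuation lines that look like `known_name = value`: settings that
    were swallowed into the value of the parameter above them."""
    findings = []
    for entry in logical_lines(text):
        for no, cont in entry["continuations"]:
            match = ASSIGN.match(cont)
            if match and match.group(1) in known:
                findings.append((no, entry["name"], match.group(1)))
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("revised", REVISED)):
        for no, owner, name in absorbed_parameters(text):
            print(f"{label}: line {no}: '{name}' is read as part of '{owner}'")
```

For the revised excerpt it reports line 5: the indented `smtpd_use_tls = yes` is read as part of `smtpd_recipient_restrictions`, so `smtpd_use_tls` itself is never set by that line.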

Post by boudewijn » Thu Jun 15, 2006 8:34 pm

hell.

I was just messing around a bit with mutt as user 'boudewijn' . Boudewijn is my unprivileged user on the box, and the mail for root is redirected to 'boudewijn' ( via an alias in /etc/mail/aliases).

There are about 12 new mails, all containing this (or some equivalent content):

Code: Select all

Return-Path: double-bounce@<domain>                                                                                                                   
X-Original-To: postmaster                                                                                                                                        
Delivered-To: root@mail.<domain>                                                                                                                              
Received: by mail.<domain>       (Postfix)                                                                                                                     
        id 5C8B19003A; Thu, 15 Jun 2006 22:19:37 +0200 (11mer.nl>                                                                                                    
                                                                                                                                                                 
Transcript of session follows.                                                                                                                                   
                                                                                                                                                                 
 Out: 220 mail.<domain> ESMTP Postfix                                                                                                                    
 In:  EHLO dionysos.<myowndomain>                                                                                                           
 Out: 250-mail.<domain>                                                                                                                          
 Out: 250-PIPELINING                                                                                                                                             
 Out: 250-SIZE 10240000                                                                                                                                          
 Out: 250-VRFY                                                                                                                                                   
 Out: 250-ETRN                                                                                                                                                   
 Out: 250 8BITMIME                                                                                                                                               
 In:  MAIL FROM:<boudewijn@<myowndomain>.nl> SIZE=739                                                                                                           
 Out: 250 Ok                                                                                                                                                     
 In:  RCPT TO:<boudewijn@<domain>.nl>                                                                                                                       
 Out: 451 Server configuration error                                                                                                                             
 In:  DATA                                                                                                                                                       
 Out: 554 Error: no valid recipients                                                                                                                             
 In:  RSET                                                                                                                                                       
 Out: 250 Ok                                                                                                                                                     
 In:  QUIT                                                                                                                                                       
 Out: 221 Bye                                                                                                                                                    
                                                                                                                                                                 
I've sent my mails (about 2) to : boudewijn@<domain>. Also telnetted a few times....

Post by overkll » Thu Jun 15, 2006 10:01 pm

boudewijn wrote:All right: I will use TLS or SSL in the future; it's a nice feature.
I'm using cyrus-sasl.
Let's get sasl going first.
boudewijn wrote:The guide: the one on gentoo-wiki.com (email system for the home network). I haven't used it before. My standard mail setup (about five boxes currently deployed... and stable as a rock) is from gentoo.org itself (the documentation\administration part).
Thought so. No offense to the authors at gentoo-wiki, but I've found most of the articles there inaccurate, incomplete, and/or out of date. Docs at gentoo.org are usually much better, but also get outdated from time to time.
boudewijn wrote:saslauthd and smtpd.conf : please have a look at my start-posts. I don't mindd reposting them, although there might be people who are considering that being spam.
Just want to make sure nothing has changed.
boudewijn wrote:Installed versions:

Code: Select all

Calculating dependencies ...done!
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.21-r2  
[ebuild   R   ] mail-mta/postfix-2.2.5  
You forgot the -v option. I want to see which USE flags are enabled/disabled.
boudewijn wrote:Currently I'm not using any kind of SSL or TLS, the inbound mail is sent without SSL\TLS.
Outbound mail is done using mutt (just like the checking of my mailbox).

smtpd.conf:

Code: Select all

mail boudewijn # cat /usr/lib64/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method:saslauthd
mech_list : plain login

mail boudewijn # cat /etc/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method:saslauthd
mech_list : plain login
Looks good so far...
boudewijn wrote:And the rest (please tell me if you need more):

Code: Select all

mail postfix # cat main.cf 
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, <domain>
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.1.0/24
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:
        xxgdb = $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/

masquerade_domains = <domain>
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_sasl_local_domain =
#broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination
                    smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
I don't see either "mydomain" or "myhostname". That's a problem! Should be something like:

Code: Select all

mydomain = mydomain.nl
myhostname = mailserver.mydomain.nl
Also, you need to change your smtpd_recipient_restrictions line to EXCLUDE "smtpd_use_tls = yes". That's not a restriction, it's a parameter for TLS/SSL. Remember the whitespace line continuation I mentioned earlier? Jeetje!, Wat ben je aan doen? Graapje. Just kidding :) Also comment all the tls stuff for now. That section should appear like so:

Code: Select all

smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination

#smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
#smtpd_tls_key_file = /etc/ssl/postfix/server.key
#smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
#smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
#smtpd_tls_loglevel = 3
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
boudewijn wrote:

Code: Select all

mail postfix # grep -v '^#' master.cf 
smtp      inet  n       -       n       -       -       smtpd -v
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
Looks good. You didn't change anything in master.cf did you (except for the -v for logging)?
boudewijn wrote:Thanks btw, dude!
You're welcome.
boudewijn wrote:edit:
Connecting through telnet now results in normal output:

Code: Select all

bigmac:~ boudewijn$ telnet<domain> 25
Trying <IP>...
Connected to tendam-bremer.nl.
Escape character is '^]'.
220 mail.<domain> ESMTP Postfix
ehlo <domain>
250-mail.<domain>
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
^]
telnet> Connection closed.
This looks good.

Apply the changes to main.cf and test again (postfix reload). I think the error messages you are getting:

Code: Select all

Out: 451 Server configuration error
might be related to not having mydomain or myhostname in your main.cf. Check your mail log (/var/log/mail.log) for more specific errors.

Also, did you "postmap /etc/mail/aliases" after you added the root alias? If so, you should have a /etc/mail/aliases.db file.

"postfix check" probably wouldn't hurt either.

EDIT: Forgot to mention something.... This is an excellent guide to Postfix/sasl/tls. Step by step instructions including explanation and testing as you go. Though it is geared toward Redhat, the configuration and testing info is much better than I could ever do here. Suggest you check it out.

Post by boudewijn » Thu Jun 15, 2006 10:12 pm

okay:

The aliases stuff: I did a newaliases. According to "postfix" by O'Reilly this should be enough. I'll run your command in a few minutes (can't hurt I presume).

You're Dutch too? (according to: jeetje wat ben je aan het doen? ;) )
Indeed, I've only changed the -v parameter....

About the wiki folks: most of the howto's do *not* work very well, I'm afraid. The gentoo.org stuff is really good indeed, but there's usually not enough (although in the virtual mail howto on gentoo.org, there are also some mistakes which I'll report soon).


edit:
Shouldn't mydomain and myhostname be extracted from hostname --fqdn if not specified otherwise?
I'll put them in the config.

Also: mydestination is missing! This is a really valid reason for postfix to drop those emails, if I'm correct.

edit2: It IS in the config. I've been awake for too long :+

Post by overkll » Thu Jun 15, 2006 10:26 pm

boudewijn wrote:okay:

The aliases stuff: I did a newaliases. According to "postfix" by O'Reilly this should be enough. I'll run your command in a few minutes (can't hurt I presume).
newaliases is good enough, does the same.
boudewijn wrote:You're Dutch too? (according to: jeetje wat ben je aan het doen? ;) )
Indeed, I've only changed the -v parameter....
Nope, American. Lived in Tilburg for about 4 years and learned Dutch.
boudewijn wrote:About the wiki folks: most of the howto's do *not* work very well, I'm afraid. The gentoo.org stuff is really good indeed, but there's usually not enough (although in the virtual mail howto on gentoo.org, there are also some mistakes which I'll report soon).
Check out the link I added to my last post. It should be very helpful.
boudewijn wrote:edit:
Shouldn't mydomain and myhostname be extracted from hostname --fqdn if not specified otherwise?
I'll put them in the config.
Did it help? What about the "emerge -pv cyrus-sasl postfix" output? I'd still like to see the USE flags.
boudewijn wrote:Also: mydestination is missing! This is a really valid reason for postfix to drop those emails, if I'm correct.

edit2: It IS in the config. I've been awake for too long :+
LOL, yes you have!

Post by boudewijn » Thu Jun 15, 2006 10:31 pm

I'll check your link out tomorrow; had a very tough day today.

the emerge output:

Code: Select all

[ebuild   R   ] dev-libs/cyrus-sasl-2.1.21-r2  USE="berkdb crypt gdbm mysql pam ssl -authdaemond -java -kerberos -ldap -ntlm_unsupported_patch -postgres -sample -srp -urandom" 0 kB 
[ebuild   R   ] mail-mta/postfix-2.2.5  USE="mysql pam sasl ssl -hardened -ipv6 -ldap -mailwrapper -mbox -nis -postgres -vda" 0 kB 

About Tilburg: nice, I live near it (near Eindhoven)

Post by overkll » Thu Jun 15, 2006 10:40 pm

You may want to re-emerge postfix with -mysql if you're not going to use mysql with it.

Post by boudewijn » Thu Jun 15, 2006 10:45 pm

overkll wrote:You may want to re-emerge postfix with -mysql if you're not going to use mysql with it.
okay I will, but it isn't necessary.

I was doubting whether I should deploy a DB based solution or not, and I chose for the 'simple' way. Just because it's about 5-10 addresses and 4 people all in the same domain.

Post by boudewijn » Fri Jun 16, 2006 6:18 pm

inbound email still is not working:

Code: Select all

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
72A86178ACD      739 Thu Jun 15 21:21:50  boudewijn@my_domain
(host mx2.domain2[IP] said: 451 Server configuration error (in reply to RCPT TO command))
                                         boudewijn@domain2

7EDDF3601AF      575 Wed Jun 14 22:52:41  boudewijn@my_domain
(host mx2.domain2[IP] said: 451 Server configuration error (in reply to RCPT TO command))
                                         boudewijn@domain2

E40BD179642      557 Fri Jun 16 00:20:39  boudewijn@my_domain
(host mx2.domain2[IP] said: 451 Server configuration error (in reply to RCPT TO command))
                                         boudewijn@domain2

3BBB4179657      571 Tue Jun 13 13:44:57  boudewijn@my_domain
(host mx2.domain2[IP] said: 451 Server configuration error (in reply to RCPT TO command))
                                         boudewijn@domain2

0F8EA178254      557 Fri Jun 16 19:45:36  boudewijn@my_domain
(host mx2.domain2[IP] said: 451 Server configuration error (in reply to RCPT TO command))
                                         boudewijn@domain2

11C7817901A     1021 Tue Jun 13 13:40:25  boudewijn@my_domain
(host mx2.domain2[IP] said: 451 Server configuration error (in reply to RCPT TO command))
                                         root@domain2

-- 6 Kbytes in 6 Requests.
My six sent mails are still queued on my own (working!) server.
boudewijn@my_domain is my mail address.
I've removed the real IP for 'IP', and replaced the domain of the not correctly working server with 'domain2'.

After that I've fired up courier-imap, and fetched my mail from the boudewijn@domain2 mail-account. Authentication etc went fine.... the mail was downloaded correctly.

The mail-server has produced quite a lot of error mails, and forwarded them to my account. 6 mails at 18:03... 6 at 18:36.... 6 at 19:26.... 6 at 19:43.

etc.

The content of these mails is exactly the same (except for the time... doh).

Code: Select all

Transcript of session follows.

 Out: 220 mail.tendam-bremer.nl ESMTP Postfix
 In:  EHLO dionysos.<my_domain>
 Out: 250-mail.<domain>
 Out: 250-PIPELINING
 Out: 250-SIZE 10240000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250 8BITMIME
 In:  MAIL FROM:<boudewijn@<my_domain>> SIZE=557
 Out: 250 Ok
 In:  RCPT TO:<boudewijn@<domain>>
 Out: 451 Server configuration error
 In:  DATA
 Out: 554 Error: no valid recipients
 In:  RSET
 Out: 250 Ok
 In:  QUIT
 Out: 221 Bye
The emails are sent to postmaster@<mail-server-domain>, and the subject is:
Postfix SMTP server: errors from <my own hostname+IP>

In /var/log/messages:

Code: Select all

Jun 16 20:16:23 mail postfix/smtpd[18476]: permit_auth_destination: boudewijn@<domain>
Jun 16 20:16:23 mail postfix/smtpd[18476]: ctable_locate: leave existing entry key boudewijn@<domain>
Jun 16 20:16:23 mail postfix/smtpd[18476]: generic_checks: name=reject_unauth_destination status=0
Jun 16 20:16:23 mail postfix/smtpd[18476]: generic_checks: name=smtpd_use_tls
Jun 16 20:16:23 mail postfix/smtpd[18476]: warning: unknown smtpd restriction: "smtpd_use_tls"
Jun 16 20:16:23 mail postfix/smtpd[18476]: NOQUEUE: reject: RCPT <MY IP>: 451 Server configuration error; from=<boudewijn@<my_domain>> to=<boudewijn@<domain>> proto=ESMTP helo=<dionysos.<my_domain>>
In the code segments, <my_domain> is my own working server-domain. <domain> is the domain of the not-that-good-working-server.



edit:

postfix check returns no errors.
the .cf files are named correctly and 644... so postfix should be able to read these.

Post by overkll » Fri Jun 16, 2006 7:51 pm

Code: Select all

Jun 16 20:16:23 mail postfix/smtpd[18476]: warning: unknown smtpd restriction: "smtpd_use_tls"
Did you fix the " smtpd_recipient_restrictions = " line like I suggested earlier? Doesn't look like it. Remember "Jeetje, wat ben ja ann het doen?" :wink:

EDIT: I'll save you the search. You had:

Code: Select all

smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination
                    smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
and it should be:

Code: Select all

smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination

#smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
#smtpd_tls_key_file = /etc/ssl/postfix/server.key
#smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
#smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
#smtpd_tls_loglevel = 3
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
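
The failure diagnosed in this post comes from main.cf's continuation rule: a line that starts with whitespace is appended to the previous parameter, so the indented `smtpd_use_tls = yes` became part of the restriction list and was never set as a parameter. The Python check below is an added example, not part of the thread or of Postfix; the two sample fragments are constructed from the configs posted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the broken fragment as posted in the thread.
BROKEN = """\
mynetworks = 127.0.0.0/8 192.168.1.0/24
smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination
                    smtpd_use_tls = yes
smtpd_tls_auth_only = yes
"""

# Constructed sample: the corrected fragment (TLS lines commented out, unindented).
FIXED = """\
mynetworks = 127.0.0.0/8 192.168.1.0/24
smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination

#smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
"""


def logical_lines(text):
    """Join physical lines the way main.cf is read: blank and '#' lines are
    ignored, and a line starting with whitespace continues the previous one."""
    lines = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace():
            if lines:
                lines[-1] += " " + stripped
            continue
        lines.append(stripped)
    return lines


def parse_main_cf(text):
    """Return {parameter: value} using the first '=' of each logical line."""
    params = {}
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def swallowed_assignments(params):
    """Report (restriction_parameter, swallowed_name) pairs: restriction
    lists never contain '=', so one inside the value marks an absorbed line."""
    findings = []
    for name, value in params.items():
        if not name.endswith("_restrictions"):
            continue
        tokens = [t for t in re.split(r"[,\s]+", value) if t]
        for i, tok in enumerate(tokens):
            if tok == "=" and i > 0:
                findings.append((name, tokens[i - 1]))
            elif "=" in tok and tok != "=":
                findings.append((name, tok.split("=")[0]))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, swallowed_assignments(parse_main_cf(text)))
```

The token it reports for the broken fragment is the same one smtpd logged as `unknown smtpd restriction` before answering 451.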

Post by boudewijn » Fri Jun 16, 2006 8:56 pm

it works now \o/
thanks a lot guys (if you were still living in the Netherlands, I'd buy you a beer).


Although the system is running, I'm still missing the TLS for SMTP features. And SASL too :(
Tonight (it's 11pm local time) I'll try to get these features up and running too.

Post by boudewijn » Fri Jun 16, 2006 9:34 pm

sasl seems dead.

TLS is working.
(just tested it).


What's a smart strategy to debug it?

Post by overkll » Fri Jun 16, 2006 9:55 pm

boudewijn wrote:it works now \o/
thanks a lot guys (if you were still living in the Netherlands, I'd buy you a beer).
Make mine a Palm! hmm, lekker!
boudewijn wrote:sasl seems dead.

TLS is working.
(just tested it).


What's a smart strategy to debug it?
First of all, shitcan all the wiki stuff. lol, just kidding. I've got sasl and tls working. Here are my config files for SASL:

/etc/conf.d/saslauthd:

Code: Select all

# Config file for /etc/init.d/saslauthd

# Initial (empty) options.
SASLAUTHD_OPTS=""

# Specify the authentications mechanism.
# *NOTE* For list see: saslauthd -v
# From 2.1.19, add "-r" to options for old behavior
# ie. reassemble user and realm to user@realm form.
# SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam -r"
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam"

# Specify the hostname for remote IMAP server.
# *NOTE* Only needed if rimap auth mech is used.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"

# Specify the number of worker processes to create.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -n 5"

# Enable credential cache, cache size, and timeout.
# *NOTE* Size is measured in kilobytes
#        Timeout is measured in seconds
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -c -s 128 -t 30"
Nothing fancy, just the stock parameters included with gentoo's cyrus-sasl ebuild.

/etc/sasl2/smtpd.conf

Code: Select all

pwcheck_method:saslauthd
mech_list:plain login
I don't seem to need the other smtpd.conf that you have.

/etc/postfix/main.cf

Code: Select all

...

#####################
# SASL Authentication
#####################
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

...
Don't forget you'll need saslauthd running and add it to the default runlevel. And of course, reload postfix after you update main.cf.

Code: Select all

/etc/init.d/saslauthd start
rc-update add saslauthd default
postfix reload