Email System For The Home Network - Version 2.1

[tjh]

I love this guide... but I have a strange problem...

I have three machines on my network... #1 is my email server, #2 is a gentoo linux client, and #3 is a WIndows XP client.

I can send email great from my linux client. But from the windows client I always receive the TLS error #454: "TLS not available due to temporary reason"

Why can I access it fine from my linux machine but not from windows? I have tried using telnet from both client hosts. I use 'ehlo foo' and then 'starttls'. this works from my linux client but not from my windows telnet client.

Any ideas????

Thanks...

[Dillinger]

Alright well after chaning all the $myhostname $mydomain to just dillinger.homelinux.org and adding mydomain = dillinger.homelinux.org and my hostname = dillinger.homelinux.org I'm able to send at recieve email on the server. Also had to change the net/mask to 192.168.0.0/24 instead of 192.168.0.1/24. Great guide man, it worked out great once I figured out a couple of my own mistakes!

[anil_et]

Hi
I have followed your howto untill 3.4 to setup a mail server just enable my webserver to email passwords to users.
I was unable to do it because my ISP is blocking port 25 with the previous setup.
Now even after I followed the guide I could send mails only to internal addresses, I could send mails to myname@myisp.com. When I try someone@hotmail.com I get the following error

Feb 15 23:37:23 puppy postfix/smtp[12444]: connect to mx3.hotmail.com[65.54.253.99]: Connection timed out (port 25)
Feb 15 23:37:46 puppy postfix/smtp[12262]: connect to mx1.hotmail.com[65.54.166.99]: Connection timed out (port 25)
Feb 15 23:37:46 puppy postfix/smtp[12262]: 7728747168: to=<myname@hotmail.com>, relay=none, delay=1603, status=deferred (connect to mx1.hotmail.com[65.54.166.99]: Connection timed out)
Feb 15 23:37:53 puppy postfix/smtp[12444]: connect to mx2.hotmail.com[65.54.190.7]: Connection timed out (port 25)

Here is my main.cf file

root@puppy anil # grep -v "^#" /etc/postfix/main.cf | sed '/./,/^$/!d'
queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/lib/postfix

mail_owner = postfix

myorigin = $myhostname

mydestination = $myhostname, localhost.$mydomain $mydomain

unknown_local_recipient_reject_code = 450

mynetworks_style = subnet

mynetworks = 127.0.0.0/8 192.168.0.0/24



mailbox_command = /usr/bin/procmail



debug_peer_level = 2

debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail

newaliases_path = /usr/bin/newaliases

mailq_path = /usr/bin/mailq

setgid_group = postdrop

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/postfix-2.0.18/sample

readme_directory = /usr/share/doc/postfix-2.0.18/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject

smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous

Any idea where I went wrong
Anil

[Woolong]

beowulf:
After solving the problem with sasl, my postfix relays msg for "internal" clients perfectly. However, it refuses to relay for "external" clients. It will only work if I add the external client's IP to "mynetworks", but this approach doesn't work for me because some external clients don't have static IP.

Here is my /etc/postfix/main.cf

Code: Select all

inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain $mydomain
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8 10.0.9.0/24
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated,reject
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Since sasl is doing authentication, is there a way to tell postfix to relay for "untrusted" clients?

[Woolong]

beowulf:
To relay to an ISP, I just found out that you also need this line in /etc/postfix/main.cf:

Code: Select all

relayhost = [smtp.of.isp]

note:You need to include [] to avoid mx look up

In my case, it's relayhost = [smtp.mail.yahoo.com]

[anil_et]

Hi

To relay to an ISP, I just found out that you also need this line in /etc/postfix/main.cf:

Code: Select all

 relayhost = [smtp.of.isp] 

That solved my problems
I have tried to set the

Code: Select all

relaydomain = smtp.of.isp

before without success
Now everything works perfectly
Thankyou for sharing your discovery!!!!

[axxackall]

beowulf:
To relay to an ISP, I just found out that you also need this line in /etc/postfix/main.cf:

Code: Select all

relayhost = [smtp.of.isp]

note:You need to include [] to avoid mx look up

In my case, it's relayhost = [smtp.mail.yahoo.com]

Can it be a list of upstream servers? Let's say, if one of them is down it could be good to have another one for backup in the list. Just like MX records serve downstream, but in the opposite direction. Is it possible?

[Woolong]

axxackall:
I don't know if you can specify multiple hosts. I guess in that case, just comment out "relayhost" to send directly.

You might want to check out transport. Do a "man transport".

[axxackall]

axxackall:
I don't know if you can specify multiple hosts. I guess in that case, just comment out "relayhost" to send directly.

You might want to check out transport. Do a "man transport".

Actually my question was about the host behind the firewall that cannot send directly, but only through one of gateway-smtp servers.

I am going to check docs for transport options.

[Woolong]

I just found this, dunno if it helps:

Code: Select all

# The fallback_relay parameter specifies zero or more hosts or domains
# to hand off mail to if a message destination is not found, or if a
# destination is unreachable.
fallback_relay = [smtp.of.isp]

[axxackall]

I just found this, dunno if it helps:

Code: Select all

# The fallback_relay parameter specifies zero or more hosts or domains
# to hand off mail to if a message destination is not found, or if a
# destination is unreachable.
fallback_relay = [smtp.of.isp]

Excelent! Thank you! The problem is solved.

[Woolong]

beowulf:
For postfix to relay mails from "untrusted" clients, meaning relaying mails from clients not on the local network.

Code: Select all

smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination

Your guide needs to include "smtpd_recipient_restrictions"!

[john5211]

beowulf:
For postfix to relay mails from "untrusted" clients, meaning relaying mails from clients not on the local network.

Code: Select all

smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination

I think you actually have to be careful which of these lines you include ... in my setup, I want to be able to relay from external clients (not "untrusted", I don't think ... then you would be an open relay, right?) AND recieve mail directly to postfix (i.e. via an MX record). To get that combintation, I had to use:

Code: Select all

#smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination

Leaving the client_restrictions in place actually restricts who is allowed to send mail *into* the network (at least as I understand it) ... so uncommenting that line effectively meant no one could send me mail at my domain unless they could authenticate against sasl (i.e. me).

John

[Woolong]

I think you actually have to be careful which of these lines you include ... in my setup, I want to be able to relay from external clients (not "untrusted", I don't think ... then you would be an open relay, right?)

I was being too brief. I used "untrusted" because the client's IP is not in "mynetworks". I also assumed sasl authentication is used, so it's not an open relay. This is how you have an open relay:

Code: Select all

smtpd_client_restrictions = permit
smtpd_recipient_restrictions = permit

Leaving the client_restrictions in place actually restricts who is allowed to send mail *into* the network (at least as I understand it) ... so uncommenting that line effectively meant no one could send me mail at my domain unless they could authenticate against sasl (i.e. me).

You are right, "smtpd_client_restrictions" states who postfix relays mail from, and your setup works too. However, it works because the default behavior is permit, not reject. Here is an experiment you can run:

Code: Select all

smtpd_client_restrictions = reject

And you'll see even as mail passes sasl authentication, postfix will still refuse relaying. I feel more comfortable to see my settings being explicit.

Code: Select all

smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
smtpd_client_restrictions = permit_sasl_authenticated,reject_unauth_destination

[john5211]

I apologize, it was I who was too brief ... I certainly didn't mean to imply that your setup was facilitating an open relay.

Anwyay, my main point was that the line:

Code: Select all

smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks, reject_unauth_destination

will prohibit any mail from a server who cannot authenticate against sasl from entering your network, so that if you are trying to recieve mail 'directly from the internet' (i.e. not from an account at your ISP) for delivery to a local account, it will be rejected. Of course, if that's not what you're trying to do then it doesn't matter whether or not you include it.

John

[Woolong]

will prohibit any mail from a server who cannot authenticate against sasl from entering your network, so that if you are trying to recieve mail 'directly from the internet' (i.e. not from an account at your ISP) for delivery to a local account, it will be rejected. Of course, if that's not what you're trying to do then it doesn't matter whether or not you include it.

john5211:
To my understanding, "smtpd_client_restrictions" either permits or rejects clients that try to send mail *to* postfix. That's it.

Code: Select all

smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
smtpd_client_restrictions = permit_sasl_authenticated,reject_unauth_destination

You are right, it allows mail relaying for sasl authenticated clients. In reality, it doesn't make any difference if you comment it out because the default behavior is "permit". Hypothetically speaking, if the next version of postfix changes the default behavior to reject, without explicitly stating "permit_sasl_authenticated", *all* clients will get "access_deny". Therefore, it's safer to tell postfix to always permit_sasl_authenticated clients.

[john5211]

Well, maybe I have something else misconfigured, but I don't think so ...

When I uncomment the smtpd_client_restrictions line, I can no longer send mail to myself from external addresses (trust me on this, it took me forever to figure out what was wrong). An example to make sure we are talking about the same thing:

Let's say my domain name here at home is john.com, and that I am using an account at work to try to email myself. Also assume that the smtpd_client_restrictions flag is set as in any of your examples. From my work account (or any other account not routed through my local network), if I try to send a mail to john@john.com, it bounces back with an 'access denied' error, presumably because it cannot autheticate against sasl. Removing the smptd_client_restrictions line fixes the problem, and <address>@john.com can recieve mail from the outside world (as long as <address> is a valid email address, of course ).

This is a completely seperate issue from trying to relay mail from a client that happens to be outside the network ... In that case smtpd_client_restrictions does add an extra layer of security (although it's not really needed). I only mentioned it because it took me a while to figure out why I couldn't recieve mail using my FQDN.

Of course, I could be missing the boat completely, in which case anyone out there should feel free to set me strait .

John

[dan2003]

Thanks for the great howto.

Unfortunatly i'm having some dificulies .. i sem to becursed in this aspect !

I'm having a similar problem to john. I can send emails no problem. Even to yahoo (tho it comes in as bulk).

I cannot for the life of me make it receive.

I get a postamster message form the account i try to send to my system with as follows:

Code: Select all

This report relates to your message:
Subject: test,
        Message-ID: <200402182225.10563.dwer@erwer.cef>,
        To: mdfg@sqs.dfgdfgs.org

of Wed, 18 Feb 2004 22:25:17 +0000

Your message was not delivered to:
        mdfg@sqs.dfgdfgs.org
for the following reason:
Diagnostic was Unable to transfer, -1
Information MTA 'mdfg@sqs.dfgdfgs.org' gives error message <mdfg@sqs.dfgdfgs.org>: Relay access denied

The Original Message follows:
 

Received: from tt.audi (actually host 296.997.9.90.in-addr.arpa) by d2333 with SMTP (XT-PP) with ESMTP; Wed, 18 Feb 2004 22:25:11 +0000
From: Daniel Squires <dwer@erwer.cef>
Reply-To: ddwer@erwer.cef
Organization: werwerwer
To: mdfg@sqs.dfgdfgs.org
Subject: test
Date: Wed, 18 Feb 2004 22:25:10 +0000
User-Agent: KMail/1.5.4
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200402182225.10563.dwer@erwer.cef>

The following errors is in the logs

Code: Select all

Feb 18 22:25:17 [postfix/smtpd] starting TLS engine
Feb 18 22:25:17 [postfix/smtpd] connect from d2333.dfgdfgt.cfgm[193.134.789.99]
Feb 18 22:25:17 [postfix/smtpd] 8761511DA9F: client=d2333.dfgdfgt.cfgm[193.134.789.99]
Feb 18 22:25:17 [postfix/smtpd] 8761511DA9F: reject: RCPT from d2333.dfgdfgt.cfgm[193.134.789.99]: 554 <mdfg@sqs.dfgdfgs.org>: Relay access denied; from=<dwer@erwer.cef> to=<mdfg@sqs.dfgdfgs.org> proto=SMTP helo=<d2333.dfgdfgt.cfgm>
Feb 18 22:25:18 [postfix/smtpd] disconnect from d2333.dfgdfgt.cfgm[193.134.789.99]
Feb 18 22:30:00 [CRON] (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )_

This has me stumped!!

I have tried various combinations of the line:

smtpd_client_restrictions = permit_sasl_authenticated, reject

as mentioned above but have had no success with any

Cheers

[john5211]

Hi Dan,

Could you post your entire main.cf?

ie the resutls from

Code: Select all

grep -v '^#' /etc/postfix/main.cf

This is usually a good starting point for figuring out what is wrong.

John

[dan2003]

of course..

• queue_directory = /var/spool/postfix
  command_directory = /usr/sbin
  daemon_directory = /usr/lib/postfix
  mail_owner = postfix
  myorigin = a3.woops.daisy.org
  mydestination = smtp.woops.daisy.org, a3.woops.daisy.org
  unknown_local_recipient_reject_code = 450
  mynetworks_style = subnet
  mynetworks = 127.0.0.0/8 192.168.22.0/24
  mailbox_command = /usr/bin/procmail
  debug_peer_level = 2
  debugger_command =
  PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
  xxgdb $daemon_directory/$process_name $process_id & sleep 5
  sendmail_path = /usr/sbin/sendmail
  newaliases_path = /usr/bin/newaliases
  mailq_path = /usr/bin/mailq
  setgid_group = postdrop
  manpage_directory = /usr/share/man
  sample_directory = /usr/share/doc/postfix-2.0.16-r1/sample
  readme_directory = /usr/share/doc/postfix-2.0.16-r1/readme
  default_destination_concurrency_limit = 2
  alias_database = hash:/etc/mail/aliases
  local_destination_concurrency_limit = 2
  alias_maps = hash:/etc/mail/aliases
  home_mailbox = .maildir/
  
  smtpd_sasl_auth_enable = no
  smtpd_sasl_security_options = noanonymous
  smtpd_sasl_local_domain =
  broken_sasl_auth_clients = yes

Cheers

Edit: thinking about it now it was a bit pointless but i substituted my domain name for woops.daisy.org.

[Woolong]

john5211:
I'm sorry I misunderstood your question, and I verified the problem too. The problem is caused by the keyword "reject"

dan2003:
Add these lines to your /etc/postfix/main.cf

Code: Select all

mydestination = $myhostname, localhost.$mydomain $mydomain
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
smtpd_client_restrictions = permit_sasl_authenticated,reject_unauth_destination

[dan2003]

Many thanks..

All workng now

[dj_goku]

Hi,

Don't know if this is bad or what but I have some questions.

On 3.2 Adding SMTP-AUTH to Postfix:
root@server # vi /etc/sasl2/smtpd.conf -- I don't have this config
root@server # vi /usr/lib/sasl2/smtpd.conf -- I dont' have this config
So I made the file anyways and I have emerged Cyrus-SASL.

3.6 Automating and Finalizing:

Code: Select all

root@server # vi /etc/mail/aliases

# Well-known aliases -- these should be filled in
 root:          2ls-beo 

what do I put for 2ls-beo, I tried putting the user I created for everyday use. And this is what error came up.

Code: Select all

root@testserver2 tek# /usr/bin/newaliases 
newaliases: fatal: gethostbyname: No such file or directory

I'm not sure but this guide does say if you have to emerge things for or what...but other then that is good so far.

JO

[smok]

Hi,
i finally made everything working, not without problems thou. But after
few hours of searches through all mesages i made everything workable.

but... when started sasl auth. no mails can come from outside world

description:
i got my mail server in my own domain behind firewall. firewall is 10.0.0.1 and mail sever 10.0.0.2. when i made smtp sasl authentification of course all mails which come from outside are rejected.
how to make it so that everybody who wants to send mails from domain computers uses authentification and incoming mails to the domain not?

thanks in advance
smok

[malloc]

I've used this guide by the 2nd time to successfully build my webmail server, however this time i found a big problem on the way.
Apparently squirrelmail (or php wich is my guess) made some sort of modification and doesn't use dns to translate addresses anymore.
I couldn't get squirrelmail to login to the imap server.
After much effort i finally found out that you must put THE EXACT ip address to wich the imap server is binded to.
I tried to put localhost, 127.0.0.1 and neither worked!? This made me totally confused but a quick netstat -an gave the answer. imap was binded to 0.0.0.0 so that was the adress i had to put in the squirrelmail config.
To change this just head to /etc/courier-imap/imapd and change the "ADDRESS=" to either 127.0.0.1 or let it be 0 and change the squirrelmail conf to 0.0.0.0
I don't know if this problem is only mine, or not, but i'll just leave this as a warning to any who need it.