LinuxQuestions.org
Old 12-31-2006, 10:24 AM   #1
alexxxis
Member
 
Registered: Jun 2004
Distribution: Debian 3.1
Posts: 33

Rep: Reputation: 15
Postfix smtp with SASL from ANY ip to ANY address


Hi all,

I have successfully set up Postfix to do SMTP and use SASL... but at the moment it is just possible to SMTP from IPs I set in mynetworks (e.g. xxx.xxx.xxx.xxx) and ONLY to local addresses.

I want my users to be able to SMTP from ANY IP and send mail to ANY address (even outside my server).

Does anyone know how to do this?
(I have wasted ages trying to make this work.. with no luck.)
Below is a small snippet of the relevant configuration in my main.cf file..


Any help would be appreciated!
Alex


Code:
# local
myhostname = mail.xyz.com
mydomain = xyz.com
myorigin = $myhostname
mynetworks = 127.0.0.0/24 xxx.xxx.xxx.xxx
mydestination = $myhostname localhost localhost.$mydomain localhost.localdomain
alias_maps = hash:/etc/aliases
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
local_transport = local


smtpd_recipient_restrictions =
  reject_unknown_sender_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_rbl_client relays.ordb.org,
  reject_rbl_client sbl.spamhaus.org,
  reject_rbl_client cbl.abuseat.org,

# SMTP AUTH (SASL)
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
# Be nice to brokenware like Outlook Express:
broken_sasl_auth_clients = yes

Last edited by alexxxis; 01-01-2007 at 08:16 AM.
 
Old 01-01-2007, 05:57 AM   #2
saman007uk
Member
 
Registered: Dec 2003
Location: ~root
Distribution: Debian
Posts: 363

Rep: Reputation: 32
Below is my configuration, which allows smtp from any IP to any IP.
Code:
# see /usr/share/postfix/main.cf.dist for a commented, fuller
# version of this file.

# Do not change these directory settings - they are critical to Postfix
# operation.
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
setgid_group = postdrop
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no
myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
inet_interfaces = all
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
 
Old 01-01-2007, 11:40 AM   #3
alexxxis
Original Poster
Tnx,

I managed to receive mail from outside addresses by setting:

Code:
smtpd_recipient_restrictions =
  #reject_unknown_sender_domain,
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
but I actually found out from the log file that:
SASL authentication failure: no secret in database

so I still cannot send mail to addresses outside my domains.
Any ideas?

Code:
Jan  1 15:07:22 xyz postfix/smtpd[7380]: connect from unknown[xx.xxx.xxx.xxx] 
Jan  1 15:07:25 xyz postfix/smtpd[7380]: warning: SASL authentication failure: no secret in database 
Jan  1 15:07:25 xyz postfix/smtpd[7380]: warning: unknown[xx.xxx.xxx.xxx]: SASL CRAM-MD5 authentication failed 
Jan  1 15:07:25 xyz postfix/smtpd[7380]: NOQUEUE: reject: RCPT from unknown[xx.xxx.xxx.xxx]: 454 <test@test.com>: Relay access denied; from=<sander@xyz.com> to=<test@test.com> proto=ESMTP helo=<Alexis.xyz.com> 
Jan  1 15:07:26 xyz postfix/smtpd[7380]: disconnect from unknown[xx.xxx.xxx.xxx]
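
Added example, not part of any post in this thread: once SMTP AUTH is reachable from any IP, the log pattern above (failed SASL, then "Relay access denied") is worth watching for. This sketch counts failed AUTH attempts per client and flags relay attempts that follow a failure in the same smtpd session; the function name, threshold and sample log lines are my own constructions.

```python
import re
from collections import Counter

# Patterns follow the smtpd log lines quoted in the thread.
AUTH_FAIL = re.compile(
    r"postfix/smtpd\[(\d+)\]: warning: \S*\[([^\]]+)\]: SASL \S+ authentication failed")
RELAY_DENY = re.compile(
    r"postfix/smtpd\[(\d+)\]: NOQUEUE: reject: RCPT from \S*\[([^\]]+)\]: .*Relay access denied")
DISCONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from")

def scan(lines, threshold=3):
    """Count failed AUTH per client and note relay attempts that follow one."""
    failures = Counter()
    failed_session = {}      # smtpd pid -> client whose AUTH failed in this session
    relay_after_fail = []
    for line in lines:
        if m := AUTH_FAIL.search(line):
            failures[m.group(2)] += 1
            failed_session[m.group(1)] = m.group(2)
        elif m := RELAY_DENY.search(line):
            if failed_session.get(m.group(1)) == m.group(2):
                relay_after_fail.append(m.group(2))
        elif m := DISCONNECT.search(line):
            failed_session.pop(m.group(1), None)
    over = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"failures": dict(failures), "relay_after_fail": relay_after_fail,
            "over_threshold": over}

# Constructed sample log (documentation addresses, not from the thread).
SAMPLE = """\
Jan  1 15:07:22 mx postfix/smtpd[7380]: connect from unknown[192.0.2.10]
Jan  1 15:07:25 mx postfix/smtpd[7380]: warning: unknown[192.0.2.10]: SASL CRAM-MD5 authentication failed
Jan  1 15:07:25 mx postfix/smtpd[7380]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 454 <a@example.net>: Relay access denied; from=<u@example.org> to=<a@example.net> proto=ESMTP helo=<pc>
Jan  1 15:07:26 mx postfix/smtpd[7380]: disconnect from unknown[192.0.2.10]
Jan  1 15:09:01 mx postfix/smtpd[7391]: connect from unknown[203.0.113.5]
Jan  1 15:09:02 mx postfix/smtpd[7391]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
Jan  1 15:09:03 mx postfix/smtpd[7391]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
Jan  1 15:09:04 mx postfix/smtpd[7391]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
Jan  1 15:09:05 mx postfix/smtpd[7391]: disconnect from unknown[203.0.113.5]
""".splitlines()

if __name__ == "__main__":
    print(scan(SAMPLE))
```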
 
Old 01-01-2007, 12:46 PM   #4
saman007uk
SASL is currently configured to check for usernames/passwords in a database (/etc/sasldb I think). You will need to configure SASL to use a different authentication method, or add the usernames to the database. The appropriate configuration files are /etc/defaults/saslauthd and /etc/postfix/sasl/smtpd.conf I think.

See: Debian Sarge: The Perfect Setup
 
Old 01-01-2007, 03:53 PM   #5
alexxxis
Original Poster
Thanks saman007uk,

I am storing it in database and using /etc/postfix/sasl/smtpd.conf.

Do you know how the password should be encoded?
I am getting this error now:
SASL authentication failure: incorrect digest response

all the best for the new year,
Alex
 
Old 01-01-2007, 04:47 PM   #6
saman007uk
That's probably because the postfix daemon is chrooted, and can't access the files. See if the following helps (I'd rather create symlinks than move files):

Code:
mkdir -p /var/spool/postfix/etc
chown -R postfix:postfix /var/spool/postfix/etc
ln -s /etc/sasldb /var/spool/postfix/etc/sasldb
If not, simply copy the file over, giving it proper permissions.

Personally, I'd rather use PAM to authenticate for SMTP rather than a database, since it means I don't have to worry about modifying the database every time a user changes their password.

Last edited by saman007uk; 01-01-2007 at 04:48 PM.
 
Old 01-01-2007, 05:27 PM   #7
alexxxis
Original Poster
saman007uk,

I managed to get it working from the database (I am using an admin tool that adds passwords there).. what is worrying is that it needs plain password.. but never mind this for a sec

The problem now is that although the SASL auth works, the emails are queued forever because of:
"[hotmail.com]: Name or service not known" or
[gmx.net]: Name or service not known

Why could this be?

Code:
Jan  1 23:22:40 cytopia postfix/smtpd[10579]: connect from unknown[xx.xxx.xxx.xxx]
Jan  1 23:22:43 xyz postfix/smtpd[10579]: 1DFAF4482F5: client=unknown[xx.xxx.xxx.xxx], sasl_method=CRAM-MD5, sasl_username=sander@xyz.com
Jan  1 23:22:45 xyz postfix/smtpd[10579]: 654384482F5: client=unknown[xx.xxx.xxx.xxx], sasl_method=CRAM-MD5, sasl_username=sander@xyz.com
Jan  1 23:22:46 xyz postfix/cleanup[10592]: 654384482F5: message-id=<7.0.1.0.0.20070102012221.05a4d0e0@gmx.net>
Jan  1 23:22:46 xyz postfix/qmgr[10287]: 654384482F5: from=<sander@xyz.com>, size=518, nrcpt=1 (queue active)
Jan  1 23:22:46 xyz postfix/smtp[10595]: 654384482F5: to=<xyz@hotmail.com>, relay=none, delay=1, status=SOFTBOUNCE ([hotmail.com]: Name or service not known)
Jan  1 23:22:46 xyz postfix/smtpd[10579]: disconnect from unknown[xx.xxx.xxx.xxx]
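
Added sketch, not part of any post in this thread: why CRAM-MD5 needs the plain password in the database. The server must compute HMAC-MD5 over its own challenge keyed with the user's secret (RFC 2195), so a missing or hashed entry cannot verify. This is a simplified model of the check, not Cyrus SASL's code; the function names and sample values are constructed, and the returned strings mirror the log messages quoted above.

```python
import base64
import hashlib
import hmac

def cram_md5_response(username: str, secret: bytes, challenge: bytes) -> bytes:
    """Client side of RFC 2195: base64("<user> <hex HMAC-MD5(secret, challenge)>")."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())

def server_verify(stored_secret, challenge: bytes, response_b64: bytes) -> str:
    """Model of the server check; stored_secret is whatever the database holds."""
    if stored_secret is None:
        return "no secret in database"
    _user, _, client_digest = base64.b64decode(response_b64).decode().rpartition(" ")
    # The server can only recompute the digest if it holds the same key the
    # client used, i.e. the plaintext password.
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    if not hmac.compare_digest(expected, client_digest):
        return "incorrect digest response"
    return "authenticated"

# Constructed sample values (not from the thread).
CHALLENGE = b"<1896.697170952@mail.example.test>"
PASSWORD = b"correct horse"
RESPONSE = cram_md5_response("sander@example.test", PASSWORD, CHALLENGE)

def demo() -> dict:
    """Same client response checked against three possible database states."""
    hashed = hashlib.sha256(PASSWORD).hexdigest().encode()  # a one-way hash of the password
    return {
        "no_entry": server_verify(None, CHALLENGE, RESPONSE),
        "hashed_entry": server_verify(hashed, CHALLENGE, RESPONSE),
        "plaintext_entry": server_verify(PASSWORD, CHALLENGE, RESPONSE),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Mechanisms that send the password itself (PLAIN or LOGIN) let the server compare against a one-way hash, which is what the PAM route mentioned in post #6 relies on; they need TLS on the connection to keep the password off the wire.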
 
Old 01-01-2007, 05:37 PM   #8
saman007uk
Postfix can't do DNS lookups. Doing the following might help:
Code:
postconf -e 'disable_dns_lookups = no'
/etc/init.d/postfix restart
If not, log in as the postfix user (using sudo) and see if you can look up the mx host:
Code:
dig mx hotmail.com
 
Old 01-01-2007, 10:43 PM   #9
alexxxis
Original Poster
Code:
# postconf - e'disable_dns_lookups = no'
postconf: warning: -: unknown parameter
postconf: warning: edisable_dns_lookups = no: unknown parameter
it does not seem to work


Code:
xyz:~# su postfix
xyz:~# dig mx hotmail.com

; <<>> DiG 9.2.4 <<>> mx hotmail.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4443
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;hotmail.com.                   IN      MX

;; AUTHORITY SECTION:
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  2 04:40:58 2007
;; MSG SIZE  rcvd: 240
Looks fine, no?

Last edited by alexxxis; 01-01-2007 at 10:44 PM.
 
Old 01-02-2007, 04:57 AM   #10
saman007uk
From your DNS query, I can see that postfix is unable to look up MX DNS records.

You should have gotten something like this:
Code:
; <<>> DiG 9.2.5 <<>> mx hotmail.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 508
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hotmail.com.                   IN      MX

;; ANSWER SECTION:
hotmail.com.            2687    IN      MX      5 mx2.hotmail.com.
hotmail.com.            2687    IN      MX      5 mx3.hotmail.com.
hotmail.com.            2687    IN      MX      5 mx4.hotmail.com.
hotmail.com.            2687    IN      MX      5 mx1.hotmail.com.

;; Query time: 38 msec
;; SERVER: 81.169.163.104#53(81.169.163.104)
;; WHEN: Tue Jan  2 11:47:08 2007
;; MSG SIZE  rcvd: 109
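
Added example, not part of any post in this thread: reading the two dig headers above programmatically. The response in post #9 has no `ra` flag and ANSWER: 0 with only root servers in the authority section, meaning the server at 127.0.0.1 returned a referral instead of resolving the name. The function name and verdict strings are my own; the header lines are copied from posts #9 and #10.

```python
import re

def classify_dig(output: str) -> dict:
    """Summarise the header of a dig response: status, flags, answer count."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([a-z ]*);", output)
    counts = re.search(r"ANSWER: (\d+), AUTHORITY: (\d+)", output)
    if not (status and flags and counts):
        raise ValueError("no dig header found")
    flag_set = set(flags.group(1).split())
    answers, authority = int(counts.group(1)), int(counts.group(2))
    if status.group(1) != "NOERROR":
        verdict = "error"
    elif answers > 0:
        verdict = "answered"
    elif "ra" not in flag_set and authority > 0:
        # No recursion offered and only NS records returned: a referral.
        verdict = "referral only, resolver is not recursing"
    else:
        verdict = "no data"
    return {
        "status": status.group(1),
        "recursion_available": "ra" in flag_set,
        "answers": answers,
        "verdict": verdict,
    }

# Header lines as posted in this thread.
POST_9 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4443
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
"""
POST_10 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 508
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    for name, text in (("post #9", POST_9), ("post #10", POST_10)):
        print(name, classify_dig(text))
```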
 
Old 01-02-2007, 07:54 AM   #11
alexxxis
Original Poster
that is bizarre.

why would such a thing happen?
Is it my network provider's fault?
 
Old 01-02-2007, 09:02 AM   #12
saman007uk
Try the same command as the root user, see what you get. Are you using Debian stable?
 
Old 01-02-2007, 09:35 AM   #13
alexxxis
Original Poster
I am on Debian 3.1 stable, yes.. and I get the same results for root
.. I also run bind9 on the server.. could this be related somehow?
 
Old 01-02-2007, 10:09 AM   #14
saman007uk
Yes, it is very likely that the server is trying to look up the domains from the local bind server.

Look at /etc/resolv.conf and see if it lists the local server.
 
Old 01-02-2007, 03:41 PM   #15
alexxxis
Original Poster
Thanks for your patience saman007uk,

Yes, you are right, /etc/resolv.conf has:
nameserver 127.0.0.1

There is also a weird record: search org

(the file says not to edit it by hand)
so I did:
resolvconf -d nameserver 127.0.0.1 (remove)
resolvconf -u (update scripts)

but the local address is still in the file..
How do I remove it?

Last edited by alexxxis; 01-02-2007 at 04:22 PM.
 
  



Tags
postfix, resolvconf

