LinuxQuestions.org
Old 04-20-2007, 09:44 AM   #1
_MD_
Member
 
Registered: Apr 2004
Location: Toronto, Canada
Distribution: BackTrack, Knoppix, Fedora, Slackware
Posts: 43

Rep: Reputation: 16
Postfix: relay denied from a different subnet


Following this thread, I'm continuing with a Postfix question...

For some reason, I'm unable to relay mail from my other subnet (192.168.2.0). My primary email server is on the 1.0 network with the IP of 192.168.1.99.
The 2.0 network is connected via VPN.
I've added the 2.0 network to my main.cf... but still to no avail. 2.0 users cannot send mail through Outlook.

Code:
...
smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination,reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain
mynetworks = 192.168.10.0/24, 192.168.1.0/24, 127.0.0.0/8, 192.168.2.0/24
relay_domains = server01.intra
....

***Note - server01 is my Windows DNS and DHCP server.
Please help.
Thanks
 
Old 04-20-2007, 06:09 PM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Let's see the output of postconf -n and your logs showing a relay attempt from the .2.0 network.
 
Old 04-23-2007, 10:14 AM   #3
_MD_
Member
 
Registered: Apr 2004
Location: Toronto, Canada
Distribution: BackTrack, Knoppix, Fedora, Slackware
Posts: 43

Original Poster
Rep: Reputation: 16
# postconf -n
Code:
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
mailbox_command = /usr/bin/procmail -t
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = mydomain2.com
mydestination = mydomain2.com, mydomain1.com
mynetworks = 192.168.1.0/24, 127.0.0.0/8, 192.168.2.0/24
myorigin = mydomain1.com
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.0.18/README_FILES
relay_domains = server01.intra
sample_directory = /usr/share/doc/postfix-2.0.18/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = Welcome To MyDomain1
smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination,reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain
unknown_local_recipient_reject_code = 450

As for logs... I'm guessing you're talking about /var/log/maillog? If so, I didn't see anything with 192.168.2.0 network in there.... :S
 
Old 04-23-2007, 10:46 AM   #4
farslayer
LQ Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,232
Blog Entries: 5

Rep: Reputation: 190
Are you sure users on that network can get to the mail server?
You should see a connect and a deny if they are actually reaching the server.

If you dig mydomain1.com mx from a user's machine, is your DNS on that subnet returning the private IP of your mail server?

Can those users ping the mail server?
 
Old 04-23-2007, 10:59 AM   #5
_MD_
Member
 
Registered: Apr 2004
Location: Toronto, Canada
Distribution: BackTrack, Knoppix, Fedora, Slackware
Posts: 43

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by farslayer
Are you sure users on that network can get to the mail server?
You should see a connect and a deny if they are actually reaching the server.

If you dig mydomain1.com mx from a user's machine, is your DNS on that subnet returning the private IP of your mail server?

Can those users ping the mail server?

Yes, most definitely users on the 2.0 network can see the mail server. They can see any pc on the 1.0 network. What's even more strange, they can retrieve mail using outlook but just can't send...

Here's the dig output:
Code:
; <<>> DiG 9.2.3 <<>> mydomain1.com mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28369
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
...
;; Query time: 1 msec
;; SERVER: 192.168.1.11#53(192.168.1.11)
;; WHEN: Mon Apr 23 09:51:53 2007
;; MSG SIZE  rcvd: 71
***Note, it says the server is 192.168.1.11 (!!!) which is not my mail server address...
mail: 192.168.1.99
server01: 192.168.1.11 (which again, is Windows DNS, DHCP)
 
Old 04-23-2007, 08:20 PM   #6
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Quote:
I didn't see anything with 192.168.2.0 network in there
As farslayer mentioned, you should have seen the connection attempt.

Until you get your DNS records in order, just use IP addresses. In your Outlook clients, use 192.168.1.99 as your outgoing server.
Before doing that, you might want to telnet from your .2.0 network to port 25 of the postfix machine and submit mail by hand,
just to make sure everything works.

Also note that when you specify an outgoing (smtp) host name, it's translated to an IP address using its A record. The MX record doesn't figure into it.
 
Old 04-23-2007, 10:01 PM   #7
farslayer
LQ Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,232
Blog Entries: 5

Rep: Reputation: 190
Your dig should have returned the mail server name in the ANSWER section..

Quote:
debian:~# dig adelphia.net mx

; <<>> DiG 9.3.4 <<>> adelphia.net mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13011
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; QUESTION SECTION:
;adelphia.net. IN MX

;; ANSWER SECTION:

adelphia.net. 68 IN MX 10 mx.adelphia.net.


;; ADDITIONAL SECTION:
mx.adelphia.net. 314 IN A 68.168.78.104


;; Query time: 37 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Mon Apr 23 21:56:42 2007
;; MSG SIZE rcvd: 203
Note the A record with the name-to-IP mapping,
and the MX record mapping to the NAME in the A record.

That is what your DNS server should be returning.

As Berhanie suggested, using the IP in the client should work for now.
 
Old 04-24-2007, 11:19 AM   #8
_MD_
Member
 
Registered: Apr 2004
Location: Toronto, Canada
Distribution: BackTrack, Knoppix, Fedora, Slackware
Posts: 43

Original Poster
Rep: Reputation: 16
Sorry, I must've posted the whole output of the dig command... like so:

Code:
; <<>> DiG 9.3.2 <<>> mydomain.com mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65288
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.com.                 IN      MX

;; ANSWER SECTION:
mydomain.com.          3350    IN      MX      10 webmail.mydomain.com.

;; ADDITIONAL SECTION:
webmail.mydomain.com.  2970    IN      A       64.23.10.81

;; Query time: 1 msec
;; SERVER: 192.168.1.99#53(192.168.1.99)
;; WHEN: Tue Apr 24 10:34:37 2007
;; MSG SIZE  rcvd: 71
And yes, on the 2.0 network I have the IP address (192.168.1.99) for the incoming and outgoing servers in Outlook.

Here's a short output of /var/log/maillog:

Code:
// joe.tops is using outlook on the 2.0 network
// Here's a delivered message for him:
Apr 22 16:58:02 mailserver postfix/smtpd[20853]: connect from unknown[64.23.10.81]
Apr 22 16:58:02 mailserver postfix/smtpd[20853]: ECE6F1A4002: client=unknown[64.23.10.81]
Apr 22 16:58:03 mailserver postfix/cleanup[20863]: ECE6F1A4002: message-id=<005001c78529$602a0b70$0c02a8c0@mdgym6ls3mkq6i>
Apr 22 16:58:04 mailserver postfix/nqmgr[6530]: ECE6F1A4002: from=<cedmonds@kw.igs.net>, size=88539, nrcpt=1 (queue active)
Apr 22 16:58:13 mailserver postfix/local[20883]: ECE6F1A4002: to=<joe.tops@mydomain.com>, relay=local, delay=11, status=sent ("|/usr/bin/procmail -t")

// And here he's trying to send from 2.0 network:
Apr 22 20:30:56 mailserver postfix/nqmgr[6530]: EEA161A08B0: from=<joe.tops@mailserver.mydomain.com>, size=1738, nrcpt=1 (queue active)
Apr 22 20:31:06 mailserver postfix/smtp[21862]: EEA161A08B0: to=<kellydm@inspection.gc.ca>, relay=agrpazsmtp4.agr.gc.ca[192.197.71.135], delay=217479, status=deferred (host agrpazsmtp4.agr.gc.ca[192.197.71.135] said: 450 <joe.tops@mailserver.mydomain.com>: Sender address rejected: Domain not found (in reply to RCPT TO command))

// And here's another attempt from joe:
Apr 23 03:12:11 mailserver postfix/smtp[1862]: EDK810V94R1: to=<hr@tmwnp.gc.ca>, relay=agrpazsmtp5.agr.gc.ca[192.197.71.130], delay=191280, status=deferred (host agrpazsmtp5.agr.gc.ca[192.197.71.130] said: 450 <joe.tops@mailserver.mydomain.com>: Sender address rejected: Domain not found (in reply to RCPT TO command))

// Local emails go through no problem:
Apr 23 09:57:24 mailserver postfix/smtpd[658]: ADB061A04CE: client=unknown[64.23.10.81]
Apr 23 09:57:24 mailserver postfix/cleanup[660]: ADB061A04CE: message-id=<001e01c785c0$001aa630$e302a8c0@server01.intra>
Apr 23 09:57:24 mailserver postfix/nqmgr[6530]: ADB061A04CE: from=<joe.tops@mydomain.com>, size=36680, nrcpt=1 (queue active)
Apr 23 09:57:33 mailserver postfix/local[825]: ADB061A04CE: to=<lesley.jiles@mydomain.com>, relay=local, delay=9, status=sent ("|/usr/bin/procmail -t")
So you see, for some reason it uses agrpazsmtp5.agr.gc.ca domain for relaying... how can I modify it?

Last edited by _MD_; 06-14-2007 at 11:01 AM.
 
Old 04-24-2007, 07:27 PM   #9
farslayer
LQ Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,232
Blog Entries: 5

Rep: Reputation: 190
Dig says your mail server is
Quote:
webmail.mydomain.com. 2970 IN A 64.23.10.81
but YOU said your mail server is
Quote:
My primary email server is on 1.0 network with the IP of 192.168.1.99.
so it looks to me like your internal DNS is still configured wrong.
I guess if you are using the IPs it doesn't matter, but it's just being lazy to me.. if I change the IP address of the mail server I can modify it ONCE in my DNS server and not touch the clients.. if the IP is in all the clients I have to touch every single one of them to make the change if I move the mail server.. Something to think about.




The second item I notice in the logs is that the message that fails is from=<joe.tops@mailserver.mydomain.com>
and the successful message is from=<joe.tops@mydomain.com>

Which is exactly why it says "Sender address rejected: Domain not found": there is no mailserver.mydomain.com domain.

Quote:
http://www.postfix.org/rewrite.html#masquerade
Address masquerading is a method to hide all hosts inside a domain behind their mail gateway, and to make it appear as if the mail comes from the gateway itself, instead of from individual machines.

Address masquerading is disabled by default. To enable, edit the masquerade_domains parameter in the main.cf file and specify one or more domain names separated by whitespace or commas. The list is processed left to right, and processing stops at the first match. Thus,

masquerade_domains = foo.example.com example.com

strips any.thing.foo.example.com to foo.example.com, but strips any.thing.else.example.com to example.com.
You may want to try adding the following to your config:

masquerade_domains = mydomain.com

Last edited by farslayer; 04-24-2007 at 07:28 PM.
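The diagnosis above rests on reading the maillog carefully: a "connect from" line proves the client reached the server, a "NOQUEUE: reject" line from smtpd means the local Postfix refused to relay, and a "status=deferred (host ... said: 450 ...)" line means the message was accepted locally and refused by the next-hop. The following script is an added example (not from any post in this thread) that parses lines in that format and reports which side rejected each message; the log lines in it are constructed for illustration, modelled on the excerpt posted earlier but using documentation IP ranges and the thread's placeholder domain names.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix maillog format (not the thread's own lines): one
# inbound delivery, one outbound message deferred by the next-hop, and one relay
# attempt refused by the local smtpd.  IPs are RFC 5737/1918 documentation values.
SAMPLE_MAILLOG = """\
Apr 22 16:58:02 mailserver postfix/smtpd[20853]: connect from unknown[192.168.2.23]
Apr 22 16:58:02 mailserver postfix/smtpd[20853]: ECE6F1A4002: client=unknown[192.168.2.23]
Apr 22 16:58:04 mailserver postfix/nqmgr[6530]: ECE6F1A4002: from=<someone@example.net>, size=88539, nrcpt=1 (queue active)
Apr 22 16:58:13 mailserver postfix/local[20883]: ECE6F1A4002: to=<joe.tops@mydomain.com>, relay=local, delay=11, status=sent ("|/usr/bin/procmail -t")
Apr 22 20:30:56 mailserver postfix/nqmgr[6530]: EEA161A08B0: from=<joe.tops@mailserver.mydomain.com>, size=1738, nrcpt=1 (queue active)
Apr 22 20:31:06 mailserver postfix/smtp[21862]: EEA161A08B0: to=<kellydm@example.org>, relay=mx.example.org[203.0.113.5], delay=217479, status=deferred (host mx.example.org[203.0.113.5] said: 450 <joe.tops@mailserver.mydomain.com>: Sender address rejected: Domain not found (in reply to RCPT TO command))
Apr 23 09:57:24 mailserver postfix/smtpd[658]: connect from unknown[192.168.2.41]
Apr 23 09:57:24 mailserver postfix/smtpd[658]: NOQUEUE: reject: RCPT from unknown[192.168.2.41]: 554 <someone@example.org>: Relay access denied; from=<joe.tops@mydomain.com> to=<someone@example.org> proto=ESMTP helo=<pc41>
"""

# syslog prefix: timestamp, host, "postfix/<daemon>[pid]: " and the rest of the line
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>\w+)\[\d+\]: (?P<rest>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)$")
# a rejection issued by OUR smtpd before the message got a queue id
NOQUEUE_RE = re.compile(
    r"^NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<body>.*)$")
# key=value pairs such as from=<...>, relay=host[ip], status=deferred
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|\S+?)(?=,|\s|$)")
# the remote server's reply quoted inside "status=deferred (host ... said: CODE <addr>: reason (in reply ...))"
SAID_RE = re.compile(r"said: (?P<code>\d{3}) <[^>]*>: (?P<reason>[^(]+?)\s*\(in reply")


def parse_maillog(text):
    """Return (connections, local_rejects, messages) extracted from maillog text."""
    connections = []                # clients that actually reached smtpd
    local_rejects = []              # relay attempts refused by this Postfix
    messages = defaultdict(dict)    # queue id -> merged fields across daemons
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        c = CONNECT_RE.match(rest)
        if c:
            connections.append(c.group("client"))
            continue
        n = NOQUEUE_RE.match(rest)
        if n:
            local_rejects.append(n.groupdict())
            continue
        q = QUEUE_RE.match(rest)
        if not q:
            continue
        rec = messages[q.group("qid")]
        for key, val in FIELD_RE.findall(q.group("body")):
            rec[key] = val.strip("<>")
        s = SAID_RE.search(q.group("body"))
        if s:
            rec["remote_code"] = s.group("code")
            rec["remote_reason"] = s.group("reason").strip()
    return connections, local_rejects, dict(messages)


def where_rejected(messages, local_rejects):
    """Attribute each refusal to the local smtpd or to the next-hop relay."""
    findings = []
    for r in local_rejects:
        findings.append({"qid": None, "rejected_by": "local smtpd", "code": r["code"],
                         "client": r["client"], "sender": r["sender"],
                         "sender_domain": r["sender"].rpartition("@")[2]})
    for qid, rec in messages.items():
        if rec.get("status") in ("deferred", "bounced") and "remote_code" in rec:
            findings.append({"qid": qid, "rejected_by": "next-hop " + rec.get("relay", "?"),
                             "code": rec["remote_code"], "sender": rec.get("from", ""),
                             "sender_domain": rec.get("from", "").rpartition("@")[2],
                             "reason": rec.get("remote_reason", "")})
    return findings


if __name__ == "__main__":
    conns, rejects, msgs = parse_maillog(SAMPLE_MAILLOG)
    print("clients that reached smtpd:", conns)
    for f in where_rejected(msgs, rejects):
        print(f)
```

Run against a real /var/log/maillog, the same two-way split answers the question that was open for several posts: a 2.0-network client that never appears in a "connect from" line never reached the server at all, a "local smtpd" finding is a genuine relay denial by mynetworks/restrictions, and a "next-hop" finding with "Sender address rejected" points at the sender domain, not at relaying.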
 
Old 04-24-2007, 07:36 PM   #10
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Quote:
for some reason it uses agrpazsmtp5.agr.gc.ca domain for relaying... how can I modify it?
The reason is that agrpazsmtp5.agr.gc.ca is an MX for inspection.gc.ca.
 
Old 04-24-2007, 08:58 PM   #11
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
The problem I see is the line:

smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination,reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain
unknown_local_recipient_reject_code = 450

In order for this to work you have to have every workstation in your DNS records. This is good for static workstations or for workstations on a Windows DNS.

Take this line off, and use this instead.

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
 
Old 04-24-2007, 10:51 PM   #12
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
There is some misunderstanding here. To clarify:

(1) The rejection was made by the nexthop mail server, not by the one on the LAN.

(2) Putting permit_mynetworks first on any access restriction list exempts members of $mynetworks from any other restriction on that list.

I think farslayer's recommendation of masquerading the domain is quite reasonable.
 
Old 04-25-2007, 10:33 AM   #13
_MD_
Member
 
Registered: Apr 2004
Location: Toronto, Canada
Distribution: BackTrack, Knoppix, Fedora, Slackware
Posts: 43

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by farslayer
Dig says your mail server is 64.23.10.81

but YOU said your mail server is 192.168.1.99
Well, 64.23.10.81 is the external address and 1.99 the internal one. My DNS name for 1.99 is mailserver. I can type in mailserver in the Outlook incoming/outgoing addresses and it would work the same. I said I use the IP to avoid the confusion.

Quote:
the second item I notice in the logs is the message that fails is from=<joe.tops@mailserver.mydomain.com>
and the Successful Message is from : from=<joe.tops@mydomain.com>
Which is exactly why it says Sender address rejected: Domain not found there is no mailserver.mydomain.com domain.
you may want to try adding the following to your config
masquerade_domains = mydomain.com
You see... if you look at the beginning of the post, I've provided the output of postconf -n. In there you can see that I do have masquerade_domains set to my domain2 (we have 2 domains, both go to the same server for http and smtp requests). I'm not exactly sure why it goes to mailserver.mydomain.com when the mail is rejected, but the same configuration works perfectly fine on the 1.0 network. For example, users that use Outlook on the 1.0 net usually have no problems sending/receiving; if they type an email address incorrectly, they get a mail back from <postmaster@mailserver.mydomain.com> saying that it wasn't delivered blah blah blah. And sometimes I know that some clients receive emails from <user@mailserver.mydomain.com>... So the way I look at it, @mydomain.com and @mailserver.mydomain.com is pretty much the same thing.

Also, ramram29,
Quote:
Originally Posted by Berhanie
Putting permit_mynetworks first on any access restriction list exempts members of $mynetworks from any other restriction on that list.
So regardless of what restrictions I have, I don't think it would affect $mynetworks...


Now... here's how the situation looks now:
I've decided to move to a better server. Already configured it and all... I gave it the 192.168.1.199 address to be on the network concurrently and to smoothly make a transition. So I went to my 2.0 location and typed 1.199 as the Outlook outgoing server... and guess what?! It went through!!! As far as I can see, they both have the same configuration... It's kinda like magic to me why it works here, but not there... So if you want to see any of the config files from the new server, please let me know, I'd be glad to post them. I just wanna know what the reason was why it wasn't relaying mail on the old server...

Also, it all looks like the transition should go fine. I just copied /home/* and /var/spool/mail/* to the new server, but for some reason, when I copied /var/lib/squirrelmail/prefs/* to my new squirrelmail directory, I get a permission denied error. Here's a thread that I've started... maybe somebody has experienced something similar... Help is appreciated.

Last edited by _MD_; 04-25-2007 at 10:43 AM.
 
Old 04-25-2007, 04:11 PM   #14
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
It looks to me like you have a DNS misconfiguration. DNS is very important for email servers. The first step in delivering a message is finding the system to send it to. Also, if you don't have DNS configured properly then Postfix might not work well either. I would suggest using the minimum amount of settings for Postfix. Do not use any special settings or parameters for any of the variables. Use plain vanilla first for bind and Postfix and make sure it works well first, then go on with the rest of the custom settings. But before you configure Postfix make sure your DNS is working properly and that you can query and reach systems inside and outside your network.
 
Old 04-25-2007, 07:28 PM   #15
farslayer
LQ Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,232
Blog Entries: 5

Rep: Reputation: 190
And this is a prime example of why the Postfix support list REQUIRES you to provide actual domain names and IP addresses in your request..

- so they are not trying to guess if something resolves,
- whether your DNS is configured properly, because they can query it themselves,
- nor will they have to decipher if mydomain is the same as mydomain1 or mydomain2 in your configs..

It's not like providing actual IP addresses and DNS info is going to cause your system to be hacked.. I mean if there's problems with your configs and security that will happen on its own. But using imaginary names, IPs, and DNS info makes it hard to troubleshoot properly, especially when you aren't 100% consistent with them. (How would I know that mydomain and mydomain1 are supposed to be the same thing?)

I still say your internal DNS is wrong.
A DNS query on your internal network should resolve the 192 address:
mail.mydomain.com 192.168.1.99

A DNS query from outside should resolve the public IP:
mail.mydomain.com 64.23.10.81

The FQDN of the mail server should be the same from either location.

You aren't using your internal DNS server as the authoritative DNS for your domain, are you?

Quote:
So the way I look at it, @mydomain.com and @mailserver.mydomain.com is pretty much the same thing.
Nope, it isn't.

Do you have an MX record on the internet for a domain called mailserver.mydomain.com?
If so, then the two following dig queries should get the same result..

dig mailserver.mydomain.com mx
dig mydomain.com mx


But I would bet the first one fails while the second one succeeds.

This is exactly why the other server rejected mail from you (as seen in your logs). It did an FQDN check for mailserver.mydomain.com before accepting mail, and when the query failed it rejected the mail.

You have a number of issues in your overall network configuration; it's not just one.
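Two mechanisms drive the outcome discussed in posts #9, #12 and #15: Postfix's masquerade_domains rewriting (the quoted rewrite.html rule: the list is walked left to right and the first matching domain wins) and the next-hop server's reject_unknown_sender_domain check, which asks only whether the sender's domain has an MX or an A record. The script below is an added example, not code from any post or from Postfix itself; it implements the documented masquerade rule (generalized to the "!domain" exception prefix that postconf(5) also allows), then runs the resulting sender address through an emulation of the unknown-sender-domain check against a constructed, hard-coded record table rather than a live DNS query. The table, and the assumption that mailserver.mydomain.com has no public records while mydomain.com does, are constructed to mirror the bet made above.

```python
# Constructed stand-in for DNS (not real zone data): the bare domain has MX and A
# records, the host name Postfix put in the sender address has neither.
CONSTRUCTED_DNS = {
    ("mydomain.com", "MX"): ["10 webmail.mydomain.com."],
    ("mydomain.com", "A"): ["64.23.10.81"],
    ("webmail.mydomain.com", "A"): ["64.23.10.81"],
    ("mydomain2.com", "MX"): ["10 webmail.mydomain.com."],
}


def masquerade(address, masquerade_domains):
    """Rewrite the domain part the way masquerade_domains does.

    Walk the list left to right; the first entry that equals the domain or is a
    parent of it wins.  An entry prefixed with "!" matches the same way but
    means "leave this one alone" (postconf(5) exception syntax).
    """
    local, sep, domain = address.rpartition("@")
    if not sep:
        return address                      # no domain part, nothing to strip
    domain = domain.lower()
    for entry in masquerade_domains:
        exempt = entry.startswith("!")
        name = entry.lstrip("!").lower()
        if domain == name or domain.endswith("." + name):
            return address if exempt else f"{local}@{name}"
    return address                          # no match: unchanged


def sender_domain_is_known(address, dns):
    """Emulate reject_unknown_sender_domain: the domain needs an MX or an A record."""
    domain = address.rpartition("@")[2].lower()
    return bool(dns.get((domain, "MX")) or dns.get((domain, "A")))


def simulate(address, masquerade_domains, dns):
    """Masquerade as the local Postfix would, then apply the next-hop's check.

    Returns (rewritten_address, accepted_by_nexthop).
    """
    rewritten = masquerade(address, masquerade_domains)
    return rewritten, sender_domain_is_known(rewritten, dns)


if __name__ == "__main__":
    sender = "joe.tops@mailserver.mydomain.com"
    # the configuration shown in the postconf -n output masquerades only domain2
    print(simulate(sender, ["mydomain2.com"], CONSTRUCTED_DNS))
    # the change suggested in this thread
    print(simulate(sender, ["mydomain.com"], CONSTRUCTED_DNS))
    # the two examples from the quoted Postfix documentation
    for a in ("user@any.thing.foo.example.com", "user@any.thing.else.example.com"):
        print(a, "->", masquerade(a, ["foo.example.com", "example.com"]))
```

Two caveats that follow from the real Postfix behaviour rather than this emulation: by default masquerade_classes covers envelope senders and header senders/recipients but not envelope recipients, and an unknown sender domain draws a 450 reply (the default unknown_address_reject_code), which is why the messages in the log above show as deferred and retried rather than bounced outright.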
 
  

