LinuxQuestions.org


carlosinfl 12-17-2010 01:40 PM

Relay Access Denied Error
 
I have not done the SMTP debug yet but just from basic troubleshooting, I think I know what the problem is. My mail server is rejecting my web server from sending mail due to 'relay access denied':

Code:

root@www:# telnet mail.domain.tld 25
Trying 211.113.101.135...
Connected to mail.domain.tld.
Escape character is '^]'.
220 mail.domain.tld ESMTP Postfix
EHLO www.domain.tld
250-mail.domain.tld
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:carlos@domain.tld
250 2.1.0 Ok
RCPT TO:some.email@gmail.com
554 5.7.1 <some.email@gmail.com>: Relay access denied
quit
221 2.0.0 Bye

Now the above was my web server on the same network / same subnet trying to access my mail server.

mail - 192.168.1.200 / 211.113.101.135
www - 192.168.1.201 / 211.113.101.136

Above addresses are internal IP / external static IP.

However when I look in my mail server logs, I see:

Code:

Dec 17 14:27:45 mail dovecot: imap-login: Login: user=<carlos>, method=PLAIN, rip=211.113.101.136, lip=192.168.0.200, mpid=8013, TLS
Dec 17 14:27:45 mail dovecot: imap(carlos): Disconnected: Logged out bytes=94/885

So basically from above, my problem is that my 'mail' server sees my web server's external IP for internal connections rather than the internal IP which is listed in '/etc/postfix/mynetworks'. So when my web server's webmail program attempts to send mail from the external IP, Postfix doesn't know what IP that is because it's not authorized in the 'mynetworks' file. Anyone know how I can resolve this?

Noway2 12-17-2010 03:32 PM

Are you using SASL Authentication? I notice that you're using Dovecot and Postfix supports Dovecot SASL.

Here is a similar log entry from my server, with a remote IP that is not part of my network and the authentication appears to work. When I telnet into my own server, I don't see any real differences in the 250-xxx authentication options. BTW, I am not sure how the SASL works offhand.

Code:

Dec 12 12:06:30 server dovecot: imap-login: Login: user=<user@noway2.net>, method=PLAIN, rip=67.223.65.81, lip=96.10.215.214, TLS
Dec 12 12:06:32 server dovecot: IMAP(user@noway2.net): Disconnected: Logged out bytes=77/5678


carlosinfl 12-17-2010 04:35 PM

When I try and send mail from Thunderbird on a PC that is on a network in '/etc/postfix/mynetworks', it works fine. When I try and send an email from my web server running RoundCube webmail, it fails with '250: SMTP Authentication Error'. I'm not using SASL, just TLS. This appears to be more of an SMTP issue, no?

Noway2 12-17-2010 06:04 PM

Your assessment of the problem is correct. By default, Postfix will only send mail for networks specified in the my_networks parameter and hosts that it has been told to relay to. Consequently, when you log in via roundcubemail, it is picking up your public IP and it is rejecting the mail based upon you not being on the appropriate network. (edit) **You probably don't want to make your public IP part of 'my_networks' lest you become an open relay!**

This is where the different authentication methods come into play. The Dovecot authentication is rather straightforward. The Postfix documentation (link) shows a code fragment that can pretty much be copied straight into the bottom of your /etc/dovecot.conf. The example shown is for using system accounts, but can also be modified for virtual users where the passwords are stored in an SQL database instead of the user account passwords. In main.cf the settings are rather trivial with there only being two that are required. A set of ones that I use that are slightly more restrictive are shown below.

Basically, with this option, Postfix will see if the user that is trying to send mail is a valid mail user on that system authenticated by the password and if so, permit it to send mail, regardless of the IP they are coming from. This is really handy when you are away from your home network. However, it only supports PLAIN authentication. For this reason it is imperative that you use TLS so that your password can't be captured by a packet sniffer.

The Flurdy tutorial for postfix should have a solid example of setting this up too. I personally also like the tutorial by Johnny Chadda.

Here are my SASL settings (in main.cf):
Code:

smtpd_sasl_type = dovecot
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = <your domain here>

I would also suggest (in Dovecot) that if you run into trouble, you can turn on the three debug functions: verbose, debug, and debug password - though it looks like you have the password part working. Therefore, SASL should be relatively easy for you to implement.
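
Added example, not part of Noway2's post and not Postfix code: a simplified Python model of the relay decision described above, assuming the common restriction order permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination. The function names and the audit helper are hypothetical; the addresses, networks and domain are the ones quoted in this thread.

```python
import ipaddress

# Values quoted in the thread; the restriction order modelled below is an assumption.
MYNETWORKS = ["127.0.0.0/8", "192.168.0.0/24"]   # ranges seen in the smtpd debug log
LOCAL_DOMAINS = {"domain.tld"}                   # domains the server accepts mail for

# Address space that is reasonable to trust by IP alone (loopback, RFC 1918).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
             "192.168.0.0/16", "::1/128")]


def relay_decision(client_ip, rcpt, sasl_user=None,
                   mynetworks=MYNETWORKS, local_domains=LOCAL_DOMAINS):
    """Model of permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, evaluated in that order."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n, strict=False) for n in mynetworks):
        return "permit (mynetworks)"
    if sasl_user:
        return "permit (sasl_authenticated as %s)" % sasl_user
    if rcpt.rsplit("@", 1)[-1].lower() in local_domains:
        return "permit (local destination)"
    return "554 5.7.1 <%s>: Relay access denied" % rcpt


def audit_mynetworks(mynetworks):
    """Return mynetworks entries that trust addresses outside INTERNAL,
    i.e. entries that let public hosts relay without authenticating."""
    risky = []
    for entry in mynetworks:
        net = ipaddress.ip_network(entry, strict=False)
        if not any(r.version == net.version and net.subnet_of(r)
                   for r in INTERNAL):
            risky.append(entry)
    return risky


if __name__ == "__main__":
    rcpt = "some.email@gmail.com"
    for ip, user in [("211.113.101.136", None),      # web server, public address
                     ("192.168.0.201", None),        # web server, internal address
                     ("211.113.101.136", "carlos")]: # public address, SASL login
        print(ip, user, "->", relay_decision(ip, rcpt, sasl_user=user))
    print("risky entries:", audit_mynetworks(MYNETWORKS + ["211.113.101.136/32"]))
```
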

carlosinfl 12-18-2010 08:05 AM

I resolved the DNS / IP issue by simply entering the following entries in both my mail and web servers' '/etc/hosts' files:

192.168.0.200 mail.domain.tld mail
192.168.0.201 www.domain.tld www

So now when my web server connects to my mail server via port 25, I see the following:

Code:

Dec 17 15:51:37 mail dovecot: imap-login: Login: user=<carlos>, method=PLAIN, rip=192.168.0.201, lip=192.168.0.200, mpid=1561, TLS
Dec 17 15:51:37 mail dovecot: imap(carlos): Disconnected: Logged out bytes=12/341

Now you can see above the 'rip' is now my internal IP of my web server which is listed in '/etc/postfix/mynetworks' file.

I enabled 'smtpd_debug' on my mail server and here is what happens when my www server tries to send mail from the webmail software (Roundcube):

Code:

Dec 17 16:05:50 mail postfix/smtpd[1604]: connect from www.domain.tld[192.168.0.201]
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostname: www.domain.tld ~? 127.0.0.0/8
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostaddr: 192.168.0.201 ~? 127.0.0.0/8
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostname: www.domain.tld ~? 192.168.0.0/24
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostaddr: 192.168.0.201 ~? 192.168.0.0/24
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 220 mail.domain.tld ESMTP Postfix
Dec 17 16:05:50 mail postfix/smtpd[1604]: watchdog_pat: 0x26abbf0
Dec 17 16:05:50 mail postfix/smtpd[1604]: < www.domain.tld[192.168.0.201]: EHLO 192.168.0.201
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-mail.domain.tld
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-PIPELINING
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-SIZE 20480000
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-VRFY
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-ETRN
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_list_match: www.domain.tld: no match
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_list_match: 192.168.0.201: no match
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-STARTTLS
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-ENHANCEDSTATUSCODES
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-8BITMIME
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250 DSN
Dec 17 16:05:50 mail postfix/smtpd[1604]: watchdog_pat: 0x26abbf0
Dec 17 16:05:50 mail postfix/smtpd[1604]: < www.domain.tld[192.168.0.201]: RSET
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250 2.0.0 Ok
Dec 17 16:05:50 mail postfix/smtpd[1604]: watchdog_pat: 0x26abbf0
Dec 17 16:05:50 mail postfix/smtpd[1604]: < www.domain.tld[192.168.0.201]: QUIT
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 221 2.0.0 Bye
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostname: www.domain.tld ~? 127.0.0.0/8
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostaddr: 192.168.0.201 ~? 127.0.0.0/8
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostname: www.domain.tld ~? 192.168.0.0/24
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostaddr: 192.168.0.201 ~? 192.168.0.0/24
Dec 17 16:05:50 mail postfix/smtpd[1604]: disconnect from www.domain.tld[192.168.0.201]
Dec 17 16:05:50 mail dovecot: imap(carlos): Disconnected: Logged out bytes=12/341


Noway2 12-18-2010 10:04 AM

Postfix appears to be performing a DNS query and finding that your domain versus the IP doesn't match. This looks like you are either using domain keys or have a sender/recipient restrictions setting to check this as a spam measure.


All times are GMT -5.