LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices



Reply
 
Search this Thread
Old 12-17-2010, 02:40 PM   #1
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Rep: Reputation: 73
Question Relay Access Denied Error


I have not done the SMTP debug yet but just from basic troubleshooting, I think I know what the problem is. My mail server is rejecting my web server from sending mail due to 'relay access denied':

Code:
root@www:# telnet mail.domain.tld 25
Trying 211.113.101.135...
Connected to mail.domain.tld.
Escape character is '^]'.
220 mail.domain.tld ESMTP Postfix
EHLO www.domain.tld
250-mail.domain.tld
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:carlos@domain.tld
250 2.1.0 Ok
RCPT TO:some.email@gmail.com
554 5.7.1 <some.email@gmail.com>: Relay access denied
quit
221 2.0.0 Bye
Now the above was my web server on the same network / same subnet trying to access my mail server.

mail - 192.168.1.200 / 211.113.101.135
www - 192.168.1.201 / 211.113.101.136

Above addresses are internal IP / external static IP.

However when I look in my mail server logs, I see:

Code:
Dec 17 14:27:45 mail dovecot: imap-login: Login: user=<carlos>, method=PLAIN, rip=211.113.101.136, lip=192.168.0.200, mpid=8013, TLS
Dec 17 14:27:45 mail dovecot: imap(carlos): Disconnected: Logged out bytes=94/885
So basically from above, my problem is that my 'mail' server sees my web server's external IP for internal connections rather than the internal IP which is listed in '/etc/postfix/mynetworks'. So when my web server's webmail program attempts to send mail from the external IP, Postfix doesn't know what IP that is because it's not authorized in the 'mynetworks' file. Anyone know how I can resolve this?
 
Old 12-17-2010, 04:32 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Are you using SASL Authentication? I notice that your using Dovecot and Postfix supports Dovecot SASL.

Here is a similar log entry from my server, with a remote IP that is not part of my network and the authentication appears to work. when I telnet into my own server, I don't see any real differences in the 250-xxx authentication options. BTW, I am not sure how the SASL works off hand.

Code:
Dec 12 12:06:30 server dovecot: imap-login: Login: user=<user@noway2.net>, method=PLAIN, rip=67.223.65.81, lip=96.10.215.214, TLS
Dec 12 12:06:32 server dovecot: IMAP(user@noway2.net): Disconnected: Logged out bytes=77/5678
 
1 members found this post helpful.
Old 12-17-2010, 05:35 PM   #3
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 73
When I try and send mail from thunderbird on a PC that is on a network in '/etc/postfix/mynetworks' works fine. When I try and send an email from my web server running RoundCube webmail, it fails with '250: SMTP Authentication Error'. I'm not using SASL, just TLS. This appears to be more of an SMTP issue, no?
 
Old 12-17-2010, 07:04 PM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Your assessment of the problem is correct. By default, Postfix will only send mail for networks specified in the my_networks parameter and hosts that it has been told to relay to. Consequently, when you log in via roundcubemail, it is picking up your public IP and it is rejecting the mail based upon you not being on the appropriate network. (edit) **You probably don't want to make your public IP part of 'my_networks' least you become an open relay!**

This is where the different authentication methods come into play. The Dovecot authentication is rather straight forward. The postfix documentation (link) shows a code fragment that can pretty much be copied straight into the bottom of your /etc/dovecot.conf. The example shown is for using system accounts, but can also be modified for virtual users where the passwwords are stored in an SQL database instead of the user account passwords. In main.cf the settings are rather trivial with there only being two that are required. A set of ones that I use that are slightly more restrictive are shown below.

Basically, with this option, Postfix will see if the user that is trying to send mail is a valid mail user on that system authenticated by the password and if so, permit it to send mail, regardless of the IP they are coming from. This is really handy when you are away from your home network. However, it only supports PLAIN authentication. For this reason it is imperative that you use TLS so that your password can't be captured by a packet sniffer.

The Flurdy tutorial for postfix should have a solid example of setting this up too. I personally also like the tutorial by Johnny Chadda.

Here are my SASL settings (in main.cf):
Code:
smtpd_sasl_type = dovecot
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = <your domain here>
I would also suggest (in dovecot) that if you run into trouble, that you can turn on the three debug functions: verbose, debug, and debug password - though it looks like you have the password part working. Therefore, SASL should be relatively easy for you to implement.

Last edited by Noway2; 12-17-2010 at 07:05 PM. Reason: added open relay warning
 
Old 12-18-2010, 09:05 AM   #5
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 73
I resolved the DNS / IP issue by simply entering the following entries in both my mail and web servers '/etc/hosts' file:

192.168.0.200 mail.domain.tld mail
192.168.0.201 www.domain.tld www

So now when my web server connects to my mail server via port 25, I see the following:

Code:
Dec 17 15:51:37 mail dovecot: imap-login: Login: user=<carlos>,
method=PLAIN, rip=192.168.0.201, lip=192.168.0.200, mpid=1561, TLS
Dec 17 15:51:37 mail dovecot: imap(carlos): Disconnected: Logged out
bytes=12/341
Now you can see above the 'rip' is now my internal IP of my web server which is listed in '/etc/postfix/mynetworks' file.

I enabled 'smtpd_debug' on my mail server and here is what happens when my www server tries to send mail from the webmail software (Roundcube):

Code:
Dec 17 16:05:50 mail postfix/smtpd[1604]: connect from
www.domain.tld[192.168.0.201]
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostname:
www.domain.tld ~? 127.0.0.0/8
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostaddr:
192.168.0.201 ~? 127.0.0.0/8
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostname:
www.domain.tld ~? 192.168.0.0/24
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostaddr:
192.168.0.201 ~? 192.168.0.0/24
Dec 17 16:05:50 mail postfix/smtpd[1604]: >
www.domain.tld[192.168.0.201]: 220 mail.domain.tld ESMTP Postfix
Dec 17 16:05:50 mail postfix/smtpd[1604]: watchdog_pat: 0x26abbf0
Dec 17 16:05:50 mail postfix/smtpd[1604]: <
www.domain.tld[192.168.0.201]: EHLO 192.168.0.201
Dec 17 16:05:50 mail postfix/smtpd[1604]: >
www.domain.tld[192.168.0.201]: 250-mail.domain.tld
Dec 17 16:05:50 mail postfix/smtpd[1604]: >
www.domain.tld[192.168.0.201]: 250-PIPELINING
Dec 17 16:05:50 mail postfix/smtpd[1604]: >
www.domain.tld[192.168.0.201]: 250-SIZE 20480000
Dec 17 16:05:50 mail postfix/smtpd[1604]: >
www.domain.tld[192.168.0.201]: 250-VRFY
Dec 17 16:05:50 mail postfix/smtpd[1604]: >
www.domain.tld[192.168.0.201]: 250-ETRN
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_list_match:
www.domain.tld: no match
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_list_match:
192.168.0.201: no match
Dec 17 16:05:50 mail postfix/smtpd[1604]: >
www.domain.tld[192.168.0.201]: 250-STARTTLS
Dec 17 16:05:50 mail postfix/smtpd[1604]: >
www.domain.tld[192.168.0.201]: 250-ENHANCEDSTATUSCODES
Dec 17 16:05:50 mail postfix/smtpd[1604]: >
www.domain.tld[192.168.0.201]: 250-8BITMIME
Dec 17 16:05:50 mail postfix/smtpd[1604]: >
www.domain.tld[192.168.0.201]: 250 DSN
Dec 17 16:05:50 mail postfix/smtpd[1604]: watchdog_pat: 0x26abbf0
Dec 17 16:05:50 mail postfix/smtpd[1604]: < www.domain.tld[192.168.0.201]: RSET
Dec 17 16:05:50 mail postfix/smtpd[1604]: >
www.domain.tld[192.168.0.201]: 250 2.0.0 Ok
Dec 17 16:05:50 mail postfix/smtpd[1604]: watchdog_pat: 0x26abbf0
Dec 17 16:05:50 mail postfix/smtpd[1604]: < www.domain.tld[192.168.0.201]: QUIT
Dec 17 16:05:50 mail postfix/smtpd[1604]: >
www.domain.tld[192.168.0.201]: 221 2.0.0 Bye
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostname:
www.domain.tld ~? 127.0.0.0/8
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostaddr:
192.168.0.201 ~? 127.0.0.0/8
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostname:
www.domain.tld ~? 192.168.0.0/24
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostaddr:
192.168.0.201 ~? 192.168.0.0/24
Dec 17 16:05:50 mail postfix/smtpd[1604]: disconnect from
www.domain.tld[192.168.0.201]
Dec 17 16:05:50 mail dovecot: imap(carlos): Disconnected: Logged out
bytes=12/341
 
Old 12-18-2010, 11:04 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Postfix appears to be performing a DNS query and finding that your domain versus the IP doesn't match. This looks like you are either using domain keys or have a sender/recipient restrictions setting to check this as a spam measure.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SOLVED postfix error Relay access denied. trying to setup virtual domains periferral Linux - Networking 4 10-20-2009 04:51 PM
Postfix+Dovecot error : RELAY ACCESS DENIED when send mail out to Other domain simon.unix Linux - Networking 6 09-16-2009 11:54 AM
Postfix as a mail relay (getting relay access denied) hypexr Linux - Software 3 09-13-2005 08:15 PM
Postfix error - Recipient address rejected: Relay access denied robbiemorgan Linux - Newbie 1 10-01-2004 04:57 AM
Email Error - "Recipient address rejected: Relay access denied" ripcord Linux - Newbie 1 10-31-2002 04:00 PM


All times are GMT -5. The time now is 07:59 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration