12-17-2010, 01:40 PM
|
#1
|
|
Senior Member
Registered: May 2004
Location: Orlando, FL
Distribution: Debian
Posts: 2,860
Rep:
|
Relay Access Denied Error
I have not done the SMTP debug yet but just from basic troubleshooting, I think I know what the problem is. My mail server is rejecting my web server from sending mail due to 'relay access denied':
Code:
root@www:# telnet mail.domain.tld 25
Trying 211.113.101.135...
Connected to mail.domain.tld.
Escape character is '^]'.
220 mail.domain.tld ESMTP Postfix
EHLO www.domain.tld
250-mail.domain.tld
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:carlos@domain.tld
250 2.1.0 Ok
RCPT TO:some.email@gmail.com
554 5.7.1 <some.email@gmail.com>: Relay access denied
quit
221 2.0.0 Bye
Now the above was my web server on the same network / same subnet trying to access my mail server.
mail - 192.168.1.200 / 211.113.101.135
www - 192.168.1.201 / 211.113.101.136
Above addresses are internal IP / external static IP.
However when I look in my mail server logs, I see:
Code:
Dec 17 14:27:45 mail dovecot: imap-login: Login: user=<carlos>, method=PLAIN, rip=211.113.101.136, lip=192.168.0.200, mpid=8013, TLS
Dec 17 14:27:45 mail dovecot: imap(carlos): Disconnected: Logged out bytes=94/885
So basically from above, my problem is that my 'mail' server sees my web server's external IP for internal connections rather than the internal IP which is listed in '/etc/postfix/mynetworks'. So when my web server's webmail program attempts to send mail from the external IP, Postfix doesn't know what IP that is because it's not authorized in the 'mynetworks' file. Anyone know how I can resolve this?
|
|
|
|
12-17-2010, 03:32 PM
|
#2
|
|
Senior Member
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,046
|
Are you using SASL Authentication? I notice that you're using Dovecot and Postfix supports Dovecot SASL.
Here is a similar log entry from my server, with a remote IP that is not part of my network and the authentication appears to work. When I telnet into my own server, I don't see any real differences in the 250-xxx authentication options. BTW, I am not sure how the SASL works offhand.
Code:
Dec 12 12:06:30 server dovecot: imap-login: Login: user=<user@noway2.net>, method=PLAIN, rip=67.223.65.81, lip=96.10.215.214, TLS
Dec 12 12:06:32 server dovecot: IMAP(user@noway2.net): Disconnected: Logged out bytes=77/5678
|
|
|
1 members found this post helpful.
|
12-17-2010, 04:35 PM
|
#3
|
|
Senior Member
Registered: May 2004
Location: Orlando, FL
Distribution: Debian
Posts: 2,860
Original Poster
Rep:
|
When I try and send mail from Thunderbird on a PC that is on a network in '/etc/postfix/mynetworks', it works fine. When I try and send an email from my web server running RoundCube webmail, it fails with '250: SMTP Authentication Error'. I'm not using SASL, just TLS. This appears to be more of an SMTP issue, no?
|
|
|
|
12-17-2010, 06:04 PM
|
#4
|
|
Senior Member
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,046
|
Your assessment of the problem is correct. By default, Postfix will only send mail for networks specified in the my_networks parameter and hosts that it has been told to relay to. Consequently, when you log in via roundcubemail, it is picking up your public IP and it is rejecting the mail based upon you not being on the appropriate network. (edit) **You probably don't want to make your public IP part of 'my_networks' lest you become an open relay!**
This is where the different authentication methods come into play. The Dovecot authentication is rather straightforward. The Postfix documentation (link) shows a code fragment that can pretty much be copied straight into the bottom of your /etc/dovecot.conf. The example shown is for using system accounts, but can also be modified for virtual users where the passwords are stored in an SQL database instead of the user account passwords. In main.cf the settings are rather trivial with there only being two that are required. A set of ones that I use that are slightly more restrictive are shown below.
Basically, with this option, Postfix will see if the user that is trying to send mail is a valid mail user on that system authenticated by the password and if so, permit it to send mail, regardless of the IP they are coming from. This is really handy when you are away from your home network. However, it only supports PLAIN authentication. For this reason it is imperative that you use TLS so that your password can't be captured by a packet sniffer.
The Flurdy tutorial for postfix should have a solid example of setting this up too. I personally also like the tutorial by Johnny Chadda.
Here are my SASL settings (in main.cf):
Code:
smtpd_sasl_type = dovecot
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = <your domain here>
I would also suggest (in dovecot) that if you run into trouble, you can turn on the three debug functions: verbose, debug, and debug password - though it looks like you have the password part working. Therefore, SASL should be relatively easy for you to implement.
Last edited by Noway2; 12-17-2010 at 06:05 PM.
Reason: added open relay warning
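Added example, not part of the original posts or of Postfix itself: a small Python model of the relay decision discussed above, plus an audit that flags `mynetworks` entries covering non-internal address space (the open relay risk). It assumes the common restriction order `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`; the function names, the `INTERNAL` range list and the sample values are constructed for illustration.

```python
import ipaddress

# Address space treated as "internal" for this audit (RFC 1918, loopback, IPv6 ULA).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "::1/128", "fc00::/7")]

def parse_mynetworks(value):
    """Parse CIDR/host entries as written in a mynetworks setting.
    Simplification: table lookups, file names and '!' exclusions are not handled."""
    nets = []
    for tok in value.replace(",", " ").split():
        tok = tok.replace("[", "").replace("]", "")  # Postfix writes IPv6 as [::1]/128
        nets.append(ipaddress.ip_network(tok, strict=False))
    return nets

def is_internal(net):
    """True if the whole network lies inside one of the INTERNAL ranges."""
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL)

def risky_entries(nets):
    """Entries that would let non-internal addresses relay without authenticating."""
    return [str(n) for n in nets if not is_internal(n)]

def relay_decision(client_ip, nets, sasl_ok, rcpt_domain, local_domains):
    """Assumed order: permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in n for n in nets):
        return "permit: mynetworks"
    if sasl_ok:
        return "permit: sasl_authenticated"
    if rcpt_domain.lower() in local_domains:
        return "permit: local destination"
    return "554 5.7.1 Relay access denied"

# Constructed sample values, using the placeholder addresses from the thread.
NETS = parse_mynetworks("127.0.0.0/8 192.168.0.0/24")
LOCAL = {"domain.tld"}

if __name__ == "__main__":
    for ip, auth in [("192.168.0.201", False), ("211.113.101.136", False),
                     ("211.113.101.136", True)]:
        print(ip, "sasl" if auth else "no-auth",
              relay_decision(ip, NETS, auth, "gmail.com", LOCAL))
    print(risky_entries(parse_mynetworks("127.0.0.0/8 211.113.101.0/24 0.0.0.0/0")))
```

The second case reproduces the rejection from the first post (external source address, no authentication), and the third shows the same address being accepted once SASL authentication succeeds, without widening `mynetworks`.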
|
|
|
|
12-18-2010, 08:05 AM
|
#5
|
|
Senior Member
Registered: May 2004
Location: Orlando, FL
Distribution: Debian
Posts: 2,860
Original Poster
Rep:
|
I resolved the DNS / IP issue by simply entering the following entries in both my mail and web servers' '/etc/hosts' files:
192.168.0.200 mail.domain.tld mail
192.168.0.201 www.domain.tld www
So now when my web server connects to my mail server via port 25, I see the following:
Code:
Dec 17 15:51:37 mail dovecot: imap-login: Login: user=<carlos>, method=PLAIN, rip=192.168.0.201, lip=192.168.0.200, mpid=1561, TLS
Dec 17 15:51:37 mail dovecot: imap(carlos): Disconnected: Logged out bytes=12/341
Now you can see above the 'rip' is now my internal IP of my web server which is listed in '/etc/postfix/mynetworks' file.
I enabled 'smtpd_debug' on my mail server and here is what happens when my www server tries to send mail from the webmail software (Roundcube):
Code:
Dec 17 16:05:50 mail postfix/smtpd[1604]: connect from www.domain.tld[192.168.0.201]
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostname: www.domain.tld ~? 127.0.0.0/8
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostaddr: 192.168.0.201 ~? 127.0.0.0/8
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostname: www.domain.tld ~? 192.168.0.0/24
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostaddr: 192.168.0.201 ~? 192.168.0.0/24
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 220 mail.domain.tld ESMTP Postfix
Dec 17 16:05:50 mail postfix/smtpd[1604]: watchdog_pat: 0x26abbf0
Dec 17 16:05:50 mail postfix/smtpd[1604]: < www.domain.tld[192.168.0.201]: EHLO 192.168.0.201
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-mail.domain.tld
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-PIPELINING
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-SIZE 20480000
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-VRFY
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-ETRN
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_list_match: www.domain.tld: no match
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_list_match: 192.168.0.201: no match
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-STARTTLS
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-ENHANCEDSTATUSCODES
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250-8BITMIME
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250 DSN
Dec 17 16:05:50 mail postfix/smtpd[1604]: watchdog_pat: 0x26abbf0
Dec 17 16:05:50 mail postfix/smtpd[1604]: < www.domain.tld[192.168.0.201]: RSET
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 250 2.0.0 Ok
Dec 17 16:05:50 mail postfix/smtpd[1604]: watchdog_pat: 0x26abbf0
Dec 17 16:05:50 mail postfix/smtpd[1604]: < www.domain.tld[192.168.0.201]: QUIT
Dec 17 16:05:50 mail postfix/smtpd[1604]: > www.domain.tld[192.168.0.201]: 221 2.0.0 Bye
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostname: www.domain.tld ~? 127.0.0.0/8
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostaddr: 192.168.0.201 ~? 127.0.0.0/8
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostname: www.domain.tld ~? 192.168.0.0/24
Dec 17 16:05:50 mail postfix/smtpd[1604]: match_hostaddr: 192.168.0.201 ~? 192.168.0.0/24
Dec 17 16:05:50 mail postfix/smtpd[1604]: disconnect from www.domain.tld[192.168.0.201]
Dec 17 16:05:50 mail dovecot: imap(carlos): Disconnected: Logged out bytes=12/341
|
|
|
|
12-18-2010, 10:04 AM
|
#6
|
|
Senior Member
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,046
|
Postfix appears to be performing a DNS query and finding that your domain versus the IP doesn't match. This looks like you are either using domain keys or have a sender/recipient restrictions setting to check this as a spam measure.
|
|
|
|