LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 01-05-2012, 12:03 PM   #1
afallison (LQ Newbie, registered Jan 2012, 1 post)

Why will postfix not relay my mail?


I'm trying to configure a centralized mailing configuration. The idea is to shovel all the mail through one postfix instance, then immediately relay it so it can "trickle down the pyramid" until it delivers.

So when a user sends an email, they always connect to the standard instance. From there it should relay to the "level 1" postfix instance (using round robin dns to rotate). If mail does not send using the "level 1" instance, it uses fallback_relay and relays the mail to the "level 2" host.

Each level has different speeds and configurations for destination domains. One of our biggest delivery issues are with yahoo so this whole idea started with them. Level 1 may deliver 20/min to yahoo but level 2 may only be 10/min. To make it easy to pass mail to the next level, I configured round robin dns.

Level 1 = mta-mx-1.outbound.com
Level 2 = mta-mx-2.outbound.com
Level 3 = mta-mx-3.outbound.com
Level 4 = mta-mx-4.outbound.com
Level 5 = mta-mx-5.outbound.com

With all that said, here is my problem:

When I relay mail, I get a relay access denied (554). I know it is because I have not set the ip in mynetworks and/or have not set the relay_domains. I was under the impression that as long as authentication passes between the 2 relaying servers, mail should send regardless of domain or where it came from, and as long as it's set in the main.cf using:
Code:
smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated
here is the master postfix instance:
Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 168.100.189.0/28, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.8.7/README_FILES
relayhost = [mta-mx-1.outbound.com]
sample_directory = /usr/share/doc/postfix-2.8.7/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated
unknown_local_recipient_reject_code = 550
here is the conf for [mta-mx-1.outbound.com]:
Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain.net
mynetworks = 168.100.189.0/28, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.8.7/README_FILES
sample_directory = /usr/share/doc/postfix-2.8.7/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated
unknown_local_recipient_reject_code = 550
My #1 issue is that I run a LOT of domains and a LOT of mailing lists. Without manually adding domains and ip's into postfix configuration files on dozens of postfix instances, is there a way to just relay the mail when authentication is good? Am I missing something? Unless I set the ip in mynetworks or the domain in relay_domains, I get relay access denied.

I'm trying to make it a one size fits all solution for my outbound mail. Even when mail fails to send it still has somewhere to go. My problem is relaying it without setting specific ip's or allowed domains.

I think the best way I can describe what I'm trying to do is an authenticated open relay. Once postfix needs to relay, it authenticates with the next server and tries again.

Any ideas or insight would be really helpful at this point. I've been messing with it for a few days now and I'm worried I'm missing something. Thanks.

Last edited by afallison; 01-05-2012 at 07:16 PM.
 
Old 01-06-2012, 05:20 AM   #2
leslie_jones (Member, registered Sep 2011, 130 posts)
Quote:
Originally Posted by afallison
here is my problem:

When I relay mail, I get a relay access denied (554). I know it is because I have not set the ip in mynetworks and/or have not set the relay_domains.
You've answered your own question!


Quote:
Originally Posted by afallison
I was under the impression that as long as authentication passes between the 2 relaying servers, mail should send regardless of domain or where it came from
As long as your client is authenticated against the specific Postfix server, it should work for THAT server, but remember it is the CLIENT that authenticates to a specific server. If you are saying that your client is authenticating against MTA 1, which is then trying to relay through MTA2/3/4/whatever, how can it possibly know the client was originally authenticated? Sure, you can stick in a header to read (there are some kludges that do this) - but so can any spammer. No authentication 'state' exists between MTA1 and any other MTA.

Probably the best you can do if you are running something like this:

[CLIENT] --->>> SASL MTA1 ---->>> [ANOTHER MTA/SMARTHOST] is to set up [ANOTHER MTA/SMARTHOST] so it allows the IP of MTA 1 to relay through it. However, I would not call that a high security solution and it may not be without issues.
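The point made above, that only what the connecting client does on the session in front of the relay counts, can be seen by walking the relay's own restriction list. The following is an added example (not Postfix code and not anything posted in this thread): a small model of how a Postfix smtpd works through the smtpd_recipient_restrictions list posted for mta-mx-1.outbound.com, first match wins, as described in SMTPD_ACCESS_README. The mynetworks and restriction values are taken from post #1; $myhostname on the relay is assumed to be mta-mx-1.outbound.com, and 203.0.113.5 is an assumed address for the master MTA chosen from the documentation range because the post does not give it.

```python
"""Model of a Postfix smtpd evaluating smtpd_recipient_restrictions.

Added example, not Postfix source.  It reproduces first-match semantics
for the three restrictions used in the thread and nothing more."""
import ipaddress

# Values taken from the relay's main.cf in post #1
MYNETWORKS = ["168.100.189.0/28", "127.0.0.0/8"]
# $myhostname, localhost.$mydomain, localhost  (myhostname is assumed)
MYDESTINATION = {"mta-mx-1.outbound.com", "localhost.domain.net", "localhost"}
RELAY_DOMAINS = set()  # relay_domains is not set in the posted config
SMTPD_RECIPIENT_RESTRICTIONS = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
]


def in_mynetworks(client_ip):
    """permit_mynetworks: is the CONNECTING client's address in $mynetworks?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in MYNETWORKS)


def is_authorized_destination(recipient):
    """reject_unauth_destination lets a recipient through only when its
    domain is local ($mydestination) or in $relay_domains or a subdomain."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in MYDESTINATION:
        return True
    return any(domain == d or domain.endswith("." + d) for d in RELAY_DOMAINS)


def rcpt_to(client_ip, sasl_username, recipient):
    """Return the (code, text) the relay would answer to RCPT TO.

    client_ip:     address of the SMTP client talking to the relay (the
                   master MTA, not the end user behind it).
    sasl_username: name the client authenticated as on THIS session, or
                   None.  Whatever the end user did against the master is
                   invisible here; the master never passes it on.
    """
    for restriction in SMTPD_RECIPIENT_RESTRICTIONS:
        if restriction == "permit_mynetworks" and in_mynetworks(client_ip):
            return 250, "2.1.5 Ok (permit_mynetworks)"
        if restriction == "permit_sasl_authenticated" and sasl_username:
            return 250, "2.1.5 Ok (permit_sasl_authenticated)"
        if (restriction == "reject_unauth_destination"
                and not is_authorized_destination(recipient)):
            return 554, "5.7.1 <%s>: Relay access denied" % recipient
    # End of list: Postfix permits by default
    return 250, "2.1.5 Ok"


if __name__ == "__main__":
    # Constructed sessions; 203.0.113.5 is the assumed address of the master
    cases = [
        ("203.0.113.5", None, "user@yahoo.com"),       # master, no AUTH -> 554
        ("203.0.113.5", "master", "user@yahoo.com"),   # master authenticated
        ("168.100.189.3", None, "user@yahoo.com"),     # any host in the /28
        ("203.0.113.5", None, "postmaster@localhost"), # local recipient
    ]
    for ip, user, rcpt in cases:
        print(ip, user, rcpt, "->", rcpt_to(ip, user, rcpt))
```

The third case is the caveat in post #3 in code form: once an address range is in mynetworks, anything inside it relays to any domain without presenting credentials, so a single-host entry is the safer choice if that route is taken.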
 
Old 01-06-2012, 05:35 AM   #3
leslie_jones (Member, registered Sep 2011, 130 posts)
On the outbound relay you have:
mynetworks = 168.100.189.0/28, 127.0.0.0/8
If you add the single IP of the master MTA to this, it should relay for it. However, be aware that anything on that box could then potentially relay out via it.

Specific documentation:

http://www.postfix.org/SMTPD_ACCESS_README.html#relay

http://www.postfix.org/postconf.5.ht...t_restrictions

That basically covers your options.
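The two options in main.cf form, as an added example rather than anything posted in this thread: the IP-based trust described in post #3, and the alternative of having the master itself authenticate to the relay when it acts as an SMTP client (the posted master main.cf enables only the server-side smtpd_sasl_* parameters; nothing in it makes the master present credentials to [mta-mx-1.outbound.com]). The master's address 203.0.113.10, the account name master, the password and the certificate paths are placeholders. One caveat from SASL_README: the Postfix SMTP client supports only Cyrus SASL, so the client side needs the Cyrus library even though the server side here uses smtpd_sasl_type = dovecot.

```ini
# ---- Option A (post #3): the relay trusts the master by address.
# On mta-mx-1.outbound.com.  A /32, not a subnet, so that only that one
# host may relay without authenticating.
mynetworks = 168.100.189.0/28, 127.0.0.0/8, 203.0.113.10/32
# Still applies: any process on the master that can reach port 25 on the
# relay can now relay to any domain.

# ---- Option B: the master authenticates to the relay as an SMTP client.
# On the master (none of these smtp_* lines are in the posted main.cf):
relayhost = [mta-mx-1.outbound.com]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Default is "noplaintext, noanonymous", which would refuse PLAIN/LOGIN.
smtp_sasl_security_options = noanonymous
# Send the password only inside TLS; with "encrypt" a session that cannot
# negotiate TLS is deferred rather than sent in the clear.
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous

# /etc/postfix/sasl_passwd on the master, then: postmap hash:/etc/postfix/sasl_passwd
# The lookup key must match relayhost exactly, brackets included.
#   [mta-mx-1.outbound.com]   master:CHANGEME

# On mta-mx-1.outbound.com, so that AUTH is offered only once TLS is up
# (the posted relay config has smtpd_sasl_auth_enable = yes but no TLS):
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/mta-mx-1.pem
smtpd_tls_key_file = /etc/ssl/private/mta-mx-1.key
```

With option B the relay's existing permit_sasl_authenticated entry is what admits the master's mail, so its mynetworks can stay as posted; the same smtp_sasl_* lines on each level, pointing at the next level's hostname, give the chain the original poster describes without adding addresses or domains to every instance.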