LinuxQuestions.org


CopalFreak 05-04-2011 09:44 PM

Postfix+Dovecot+MySQL+SASL/TLS : Client host rejected: Access denied
 
Hiya folks!
I am hoping desperately that there is some uber-guru out there with some extra time on his/her hands to help me with a problem.
I have been searching forums and working on this for 2 weeks now and I am going in circles. I really NEED to get this working very quickly so if anybody out there can assist me, I would appreciate it.

GOAL:
Slackware 13.1 server with postfix and dovecot handling email for 300+ virtual users in MySQL (just the users..the emails themselves are stored on the hard drive), both incoming and outgoing scanned for spam with spamassassin and scanned for viruses with clamav (possibly amavis, not sure yet..current plan is clamav). Users should be able to access email from either an imap client (authentication required to send/receive) or webmail via https.
Server should allow all incoming email as long as the recipient exists as a virtual user (in mysql) AND the sender email matches with a valid FQDname (to cut down on spam). Otherwise, reject it. Server should relay email for valid virtual users once they have been authenticated.

SITUATION:
sending email (as root) from a command line on the local machine to a virtual user or to a user on an outside domain works great but says it's from 'root@{MyHostname}.localdomain'.

sending email from webmail to either a virtual user or user at outside domain results in error :

error from webmail client:
Code:

"Authentication required 530 5.7.0 Must issue a STARTTLS command first"

error in /var/log/maillog/:
Code:

dovecot: auth: mysql: Connected to localhost (mail)
dovecot: imap-login: Login: user=<{myusername@mydomain}>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2822, secured
dovecot: imap({myusername@mydomain}): Disconnected: Logged out bytes=117/1449

postfix/smtpd[2814]: connect from localhost[127.0.0.1]
postfix/smtpd[2814]: lost connection after EHLO from localhost[127.0.0.1]
postfix/smtpd[2814]: disconnect from localhost[127.0.0.1]


sending email from imap e-mail client (both as a valid virtual user sending email to another(or same) valid virtual user, or as an outside domain user sending email TO a valid virtual user) results in error :

error from imap email client:
Code:

"An error occured sending mail: The mail server sent an incorrect greeting 5.7.1 <{MyIP}>: Client host rejected: Access denied."

error in /var/log/maillog/:
Code:

postfix/smtpd[2904]: connect from {MyIP}
postfix/smtpd[2904]: NOQUEUE: reject: CONNECT from {MyIP}: 554 5.7.1 <{MyIP}>: Client host rejected: Access denied; proto=SMTP


here are the portions from /etc/postfix/main.cf that I think might be affecting this :
(this is of course not the whole thing, only the things I think might help determine the problem)
Code:

smtpd_sasl_sender_login_maps =
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,permit
smtpd_use_tls = no
virtual_transport = dovecot
virtual_maps = proxy:mysql:/etc/postfix/mysql_virtual_maps.cf

same thing here with /etc/postfix/master.cf
Code:

smtp  inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/mysql_virtual_login_maps.cf
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject

#interface
dovecot unix - n n - - pipe flags=DRhu user=dovecot:dovecot argv=/usr/libexec/dovecot/deliver -d $(recipient)


I can NOT telnet localhost 25 :
Code:

554 5.7.1 <localhost[127.0.0.1]>: Client host rejected: Access denied

At one point, I COULD but I was getting this:
Code:

>>ehlo localhost
>>{MyHostname}.localdomain

(instead of {MyDomainName} so if hostname=MyServer and domain = example.com, it would say "MyServer.localdomain" instead of "example.com" or "mail.example.com")

Even when that was the case, I was still getting the 'Client host rejected: access denied' error for mail examples above though...just thought it might be worth mentioning.

I have a feeling I am probably skipping something, so if you have any questions that might help get this thing going, ask away.

I am pretty desperate here and will go out of my way to make this easier on anybody that is willing and able to help get this going in a rapid manner.

I have skype, vent, email, cell-phone, land-line, and might even provide remote access via ssh and a SCREEN session.

It seems like I am very close to getting this thing going, but I am at the end of my deadline and am going in circles running into this same issue over and over again.

I suspect there may be several steps in solving this problem, but I am willing to try just about anything at this point.

I would greatly appreciate any assistance anybody could provide in helping me get this thing going asap.

Thanks!!
-=*CopalFreak*=-

NetNightmare 05-05-2011 11:41 AM

Hi,

I think you missed giving us a lot of information; posting just a part of your config leaves me with a lot of doubt about what you left out, so it is hard to give advice. I am far from being a Postfix guru, but I'll try my best to give you some insight:

1) You say you'll use spamassassin and clamav (via amavis) but I don't see any of this configuration in your master.cf, so I assume you'll configure those later on... (anyway, if you're going to deploy amavis you may also want it to manage spamassassin)

2) I think you have a good lot of misconceptions as far as smtpd configuration via master.cf goes... you're configuring the smtp daemon to require authentication, and that is why you're getting the access denied even from localhost (since you do not even have a permit_mynetworks)

Definitely I suggest you go back to the Postfix documentation; deploying such a server is not a trivial task.
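
The diagnosis in the reply above, as an added example that is not part of the original thread: a small Python model of how `-o` overrides in master.cf replace main.cf values for one service, and how each restriction list is then evaluated. The inputs are constructed from the settings quoted in the first post (abridged), only the restriction names that appear there are modelled, and the function names are this example's own.

```python
# Constructed sample: the settings quoted in the thread, abridged.
MAIN_CF = {"smtpd_recipient_restrictions":
           "permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,permit"}
MASTER_CF = """\
smtp  inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
"""
STAGES = ("smtpd_client_restrictions", "smtpd_sender_restrictions",
          "smtpd_recipient_restrictions")

def service_overrides(master_cf, service):
    """Return the -o name=value overrides attached to one master.cf service."""
    overrides, current = {}, None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():               # indented line continues the entry
            fields = line.split()
        else:                               # column 0 starts a new service entry
            current, fields = line.split()[0], line.split()[8:]
        if current == service:
            for flag, arg in zip(fields, fields[1:]):
                if flag == "-o" and "=" in arg:
                    name, value = arg.split("=", 1)
                    overrides[name] = value
    return overrides

def evaluate(restrictions, in_mynetworks, authenticated):
    """First match wins in a list; only the names used in the thread are modelled."""
    for item in restrictions.replace(",", " ").split():
        if item in ("reject", "permit"):
            return item.upper()
        if (item == "permit_mynetworks" and in_mynetworks) or \
           (item == "permit_sasl_authenticated" and authenticated):
            return "PERMIT"
    return "DUNNO"                          # list exhausted without a decision

def decide(main_cf, master_cf, service, in_mynetworks, authenticated):
    """REJECT in any list is final; PERMIT only ends the list it appears in."""
    merged = {**main_cf, **service_overrides(master_cf, service)}
    for stage in STAGES:
        if evaluate(merged.get(stage, ""), in_mynetworks, authenticated) == "REJECT":
            return ("REJECT", stage)
    return ("ACCEPT", None)

if __name__ == "__main__":
    print(decide(MAIN_CF, MASTER_CF, "smtp", True, False))   # localhost, no AUTH
    print(decide(MAIN_CF, "", "smtp", True, False))          # same client, no overrides
```

The first call reproduces the thread's symptom: the client list set in master.cf rejects localhost, so the `permit_mynetworks` in the main.cf recipient list cannot rescue it.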

CopalFreak 05-05-2011 06:41 PM

Thank you for the reply!

1) Actually I thought Amavis is a separate scanner product altogether. What I meant was that I am currently planning to scan emails with spamassassin and Clamav, but may add Amavis later because most of the example configurations I am seeing on the net are using Amavis. (I don't know enough about that yet, and was planning on getting that done AFTER this part is fixed..I mentioned it in case it makes a difference in the configuration)

2) I do have permit_mynetworks for smtpd_recipient_restrictions in the postfix main.cf (as posted above).
Is it supposed to go somewhere else also? In all of the forums and docs I have seen, I haven't seen it in the master.cf...maybe I missed it..will check again.

I can certainly post the entire contents of the .cf files, but I figured this would be enough for anybody that knows what they are doing..or at least would ask for more info.
It's a TON of junk to go through and as I said, I am willing to go out of my way, so if it's lack of config files that is causing lack of response here, I can certainly post them...just somebody let me know what info I need to give in order to get the proper help I need.

Thanks for the response NetNightmare!
I will look further into the master.cf and go over the docs again.
(although following docs and tutorials on the net is what got me into the situation in the first place)

-=*CopalFreak*=-



Quote:

Originally Posted by NetNightmare (Post 4347534)
Hi,

I think you missed giving us a lot of information; posting just a part of your config leaves me with a lot of doubt about what you left out, so it is hard to give advice. I am far from being a Postfix guru, but I'll try my best to give you some insight:

1) You say you'll use spamassassin and clamav (via amavis) but I don't see any of this configuration in your master.cf, so I assume you'll configure those later on... (anyway, if you're going to deploy amavis you may also want it to manage spamassassin)

2) I think you have a good lot of misconceptions as far as smtpd configuration via master.cf goes... you're configuring the smtp daemon to require authentication, and that is why you're getting the access denied even from localhost (since you do not even have a permit_mynetworks)

Definitely I suggest you go back to the Postfix documentation; deploying such a server is not a trivial task.


