
alexxxis 12-31-2006 10:24 AM

Postfix smtp with SASL from ANY ip to ANY address
Hi all,

I have successfully set up Postfix to do SMTP
and use SASL... but at the moment it is only
possible to SMTP from IPs I set in mynetworks (e.g. and ONLY to local addresses.

I want my users to be able to SMTP from ANY IP
and send mail to ANY address (even outside my server).

Does anyone know how to do this?
(I have wasted ages trying to make this work... with no luck.)
Below is a small snippet of the relevant configuration
in my file.

Any help would be appreciated!


# local
myhostname =
mydomain =
myorigin = $myhostname
mynetworks =
mydestination = $myhostname localhost localhost.$mydomain localhost.localdomain
alias_maps = hash:/etc/aliases
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
local_transport = local

smtpd_recipient_restrictions =

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
# Be nice to brokenware like Outlook Express:
broken_sasl_auth_clients = yes

saman007uk 01-01-2007 05:57 AM

Below is my configuration, which allows SMTP from any IP to any IP.

# see /usr/share/postfix/ for a commented, fuller
# version of this file.

# Do not change these directory settings - they are critical to Postfix
# operation.
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
setgid_group = postdrop
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no
myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =,, localhost
relayhost =
mynetworks =
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
inet_interfaces = all
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
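
The relay control in the configuration above is the line `smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains`. `check_relay_domains` is the obsolete name for what `reject_unauth_destination` does, and the order matters: anything that permits unconditionally before the first reject turns the server into an open relay (the classic case is `permit_mynetworks` with `mynetworks = 0.0.0.0/0`). As an added example, not code from the thread or from Postfix, here is a small lint that reads those settings out of a main.cf and reports the three mistakes an open-relay audit looks for. The three main.cf fragments are constructed for the example (the thread's own `mynetworks` value is not shown, so the first fragment assumes 127.0.0.0/8). It only reads `smtpd_recipient_restrictions`, as on the 2006-era Postfix in the thread; Postfix 2.10 and later also consult `smtpd_relay_restrictions`, which this lint ignores.

```python
"""Lint the relay-control settings of a Postfix main.cf (added example).

Reports: no relay-blocking restriction at all, a blanket permit ahead of
the first reject, and the obsolete check_relay_domains.  The main.cf
fragments at the bottom are constructed for this example.
"""
import re

# Restrictions that stop unauthenticated relaying (check_relay_domains is
# the obsolete spelling; it still blocks relaying but should be replaced).
RELAY_BLOCKERS = {"reject_unauth_destination", "check_relay_domains",
                  "reject", "defer", "defer_if_permit"}
OBSOLETE = {"check_relay_domains": "reject_unauth_destination"}
# mynetworks values that make permit_mynetworks match every client.
WIDE_OPEN_NETS = {"0.0.0.0/0", "0/0", "[::]/0"}


def parse_main_cf(text):
    """Return {parameter: value}.  Skips comments and blank lines; a line
    that starts with whitespace continues the previous parameter's value."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        key, sep, val = raw.partition("=")
        if not sep:
            continue
        last = key.strip()
        params[last] = val.strip()
    return params


def split_list(value):
    """Postfix lists may be separated by commas, whitespace, or both."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def lint_relay(text):
    """Return a list of findings; an empty list means the relay controls look sane."""
    params = parse_main_cf(text)
    findings = []
    restr = split_list(params.get("smtpd_recipient_restrictions", ""))
    wide_open = any(n in WIDE_OPEN_NETS for n in split_list(params.get("mynetworks", "")))

    for old, new in OBSOLETE.items():
        if old in restr:
            findings.append(f"obsolete restriction {old}; use {new}")

    blocker_at = next((i for i, r in enumerate(restr) if r in RELAY_BLOCKERS), None)
    if blocker_at is None:
        findings.append("open relay: no relay-blocking restriction "
                        "(reject_unauth_destination) in smtpd_recipient_restrictions")
        return findings

    # Everything before the first reject is evaluated first: a permit there
    # that matches every client hands out relay access to the whole Internet.
    for r in restr[:blocker_at]:
        if r == "permit" or (r == "permit_mynetworks" and wide_open):
            findings.append(f"open relay: {r} grants relay to everyone before the first reject")
    return findings


# Constructed fragments (not the thread's actual files).
THREAD_STYLE = """
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
"""

WIDE_OPEN = """
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
"""

HARDENED = """
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

if __name__ == "__main__":
    for label, cfg in (("thread-style", THREAD_STYLE), ("wide-open", WIDE_OPEN), ("hardened", HARDENED)):
        print(label, lint_relay(cfg) or ["ok"])
```

Run it against a real file with `lint_relay(open("/etc/postfix/main.cf").read())`; `postconf -n` output has the same `key = value` shape and works too.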

alexxxis 01-01-2007 11:40 AM


I manage to receive mail from outside address by setting:


smtpd_recipient_restrictions =

but i catually found out on the log file that
SASL authentication failure: no secret in database

so i still cannot send mail to addresses outside my domains.
Any ideas?


Jan  1 15:07:22 xyz postfix/smtpd[7380]: connect from unknown[]
Jan  1 15:07:25 xyz postfix/smtpd[7380]: warning: SASL authentication failure: no secret in database
Jan  1 15:07:25 xyz postfix/smtpd[7380]: warning: unknown[]: SASL CRAM-MD5 authentication failed
Jan  1 15:07:25 xyz postfix/smtpd[7380]: NOQUEUE: reject: RCPT from unknown[]: 454 <>: Relay access denied; from=<> to=<> proto=ESMTP helo=<>
Jan  1 15:07:26 xyz postfix/smtpd[7380]: disconnect from unknown[]

saman007uk 01-01-2007 12:46 PM

SASL is currently configured to check for usernames/passwords in a database (/etc/sasldb I think). You will need to configure SASL to use a different authentication method, or add the usernames to the database. The appropriate configuration files are /etc/defaults/saslauthd and /etc/postfix/sasl/smtpd.conf I think.

See: Debian Sarge: The Perfect Setup

alexxxis 01-01-2007 03:53 PM

Thanks saman007uk,

I am storing it in database and using /etc/postfix/sasl/smtpd.conf.

Do you know how should the password be encoded?
I am getting this error now:
SASL authentication failure: incorrect digest response

all the best for the new year,

saman007uk 01-01-2007 04:47 PM

That's probably because the postfix daemon is chrooted and can't access the files. See if the following helps (I'd rather create symlinks than move files):


mkdir -p /var/spool/postfix/etc
chown -R postfix:postfix /var/spool/postfix/etc
ln -s /etc/sasldb /var/spool/postfix/etc/sasldb

If not, simply copy the file over, giving it proper permissions.

Personally, I'd rather use PAM to authenticate for SMTP than a database, since it means I don't have to worry about modifying the database every time a user changes their password.

alexxxis 01-01-2007 05:27 PM


I managed to get it working from the database (I am using an admin tool that adds passwords there)
... what is worrying is that it needs the plain password
... but never mind this for a sec.

The problem now is that although the SASL auth works,
the emails are queued forever because of:
"[]: Name or service not known" or
[]: Name or service not known

Why could this be?


Jan  1 23:22:40 cytopia postfix/smtpd[10579]: connect from unknown[]
Jan  1 23:22:43 xyz postfix/smtpd[10579]: 1DFAF4482F5: client=unknown[], sasl_method=CRAM-MD5,
Jan  1 23:22:45 xyz postfix/smtpd[10579]: 654384482F5: client=unknown[], sasl_method=CRAM-MD5,
Jan  1 23:22:46 xyz postfix/cleanup[10592]: 654384482F5: message-id=<>
Jan  1 23:22:46 xyz postfix/qmgr[10287]: 654384482F5: from=<>, size=518, nrcpt=1 (queue active)
Jan  1 23:22:46 xyz postfix/smtp[10595]: 654384482F5: to=<>, relay=none, delay=1, status=SOFTBOUNCE ([]: Name or service not known)
Jan  1 23:22:46 xyz postfix/smtpd[10579]: disconnect from unknown[]
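
The plaintext password is not an accident of the admin tool: it is what CRAM-MD5 requires. The client answers the server's challenge with HMAC-MD5(password, challenge), and the only way the server can check that digest is to recompute it from the same password, so sasldb has to hold the secret in a recoverable form and a stored one-way hash can never verify a CRAM-MD5 login. The following is an added example, not code from the thread or from Cyrus SASL: it runs both sides of the exchange as it goes over the wire and returns failure reasons modelled on the two log messages seen earlier in the thread ("no secret in database", "incorrect digest response"). Hostname, user name, passwords and the fixed challenge values are made up for the example.

```python
"""CRAM-MD5 (RFC 2195) client and server sides (added example).

Shows why the server needs the plaintext password: verification is a
recomputation of HMAC-MD5(password, challenge).  All names and secrets
below are constructed for this example.
"""
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname, pid=None, now=None):
    """Server side: any unique string works; RFC 2195 uses <pid.time@host>."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return f"<{pid}.{now}@{hostname}>".encode()


def client_response(username, password, challenge):
    """Client side: 'username hexdigest', digest = HMAC-MD5 keyed by the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def server_verify(response, challenge, secrets):
    """Server side.  `secrets` maps username -> plaintext password, which is
    what sasldb stores for CRAM-MD5.  Returns (ok, reason); the reasons mirror
    the Cyrus SASL log messages quoted in the thread."""
    try:
        username, digest = response.decode().rsplit(" ", 1)
    except ValueError:
        return False, "malformed response"
    password = secrets.get(username)
    if password is None:
        return False, "no secret in database"
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison: the digest is attacker-supplied.
    if not hmac.compare_digest(expected, digest):
        return False, "incorrect digest response"
    return True, "ok"


def wire_exchange(username, password, secrets, hostname="mail.example.test"):
    """Run AUTH CRAM-MD5 end to end, base64-encoding as on the wire.
    The pid/time are fixed (constructed) so the exchange is repeatable."""
    challenge = make_challenge(hostname, pid=7380, now=1167667645)
    s2c = base64.b64encode(challenge)                      # 334 <challenge>
    c2s = base64.b64encode(client_response(username, password, base64.b64decode(s2c)))
    return server_verify(base64.b64decode(c2s), challenge, secrets)


# What sasldb effectively holds: the plaintext password.
SECRETS_PLAIN = {"alice": "correct horse battery"}
# What you would like to hold instead: a one-way hash.  CRAM-MD5 cannot use it.
SECRETS_HASHED = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}

if __name__ == "__main__":
    print(wire_exchange("alice", "correct horse battery", SECRETS_PLAIN))   # (True, 'ok')
    print(wire_exchange("alice", "wrong password", SECRETS_PLAIN))          # incorrect digest response
    print(wire_exchange("bob", "anything", SECRETS_PLAIN))                  # no secret in database
    print(wire_exchange("alice", "correct horse battery", SECRETS_HASHED))  # incorrect digest response
```

The last call is the point: with only a hash on the server, a correct password still fails with "incorrect digest response". The usual way out is PLAIN or LOGIN over TLS (`smtpd_tls_auth_only = yes`, which the configuration above leaves at `no`) so the server receives the password itself and can check it against a salted hash or PAM.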

saman007uk 01-01-2007 05:37 PM

Postfix can't do DNS lookups. Doing the following might help:

postconf -e 'disable_dns_lookups = no'
/etc/init.d/postfix restart

If not, log in as the postfix user (using sudo) and see if you can look up the MX host:

dig mx

alexxxis 01-01-2007 10:43 PM


# postconf - e'disable_dns_lookups = no'
postconf: warning: -: unknown parameter
postconf: warning: edisable_dns_lookups = no: unknown parameter

it does not seem to work


xyz:~# su postfix
xyz:~# dig mx

; <<>> DiG 9.2.4 <<>> mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4443
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;                  IN      MX

.                      518400  IN      NS      F.ROOT-SERVERS.NET.
.                      518400  IN      NS      G.ROOT-SERVERS.NET.
.                      518400  IN      NS      H.ROOT-SERVERS.NET.
.                      518400  IN      NS      I.ROOT-SERVERS.NET.
.                      518400  IN      NS      J.ROOT-SERVERS.NET.
.                      518400  IN      NS      K.ROOT-SERVERS.NET.
.                      518400  IN      NS      L.ROOT-SERVERS.NET.
.                      518400  IN      NS      M.ROOT-SERVERS.NET.
.                      518400  IN      NS      A.ROOT-SERVERS.NET.
.                      518400  IN      NS      B.ROOT-SERVERS.NET.
.                      518400  IN      NS      C.ROOT-SERVERS.NET.
.                      518400  IN      NS      D.ROOT-SERVERS.NET.
.                      518400  IN      NS      E.ROOT-SERVERS.NET.

;; Query time: 1 msec
;; WHEN: Tue Jan  2 04:40:58 2007
;; MSG SIZE  rcvd: 240

Looks fine, no?

saman007uk 01-02-2007 04:57 AM

From your DNS query, I can see that postfix is unable to look up MX DNS records.

You should have gotten something like this:

; <<>> DiG 9.2.5 <<>> mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 508
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;                  IN      MX

;; ANSWER SECTION:
                        2687    IN      MX      5
                        2687    IN      MX      5
                        2687    IN      MX      5
                        2687    IN      MX      5

;; Query time: 38 msec
;; WHEN: Tue Jan  2 11:47:08 2007
;; MSG SIZE  rcvd: 109
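
The tell is in the header line, not the record list. The first output has `flags: qr rd` and `ANSWER: 0`: the server queried did not set `ra` (recursion available) and answered with a referral to the root name servers in AUTHORITY, which is what an authoritative-only or recursion-refusing server returns. The second has `flags: qr rd ra` and an ANSWER section with MX records. As an added example, not code from the thread, here is a parser that reads dig output and reports which of the two cases it is, with the MX records sorted by preference. The two transcripts are constructed to match the shape of the thread's output, with placeholder names in place of the elided ones.

```python
"""Classify dig output as a referral (non-recursive resolver) or a real MX
answer (added example).  The two transcripts are constructed with placeholder
names; the record counts match what they contain."""
import re

REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4443
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;example.test.                  IN      MX

.                      518400  IN      NS      A.ROOT-SERVERS.NET.
.                      518400  IN      NS      B.ROOT-SERVERS.NET.
"""

RESOLVED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 508
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;example.test.                  IN      MX

;; ANSWER SECTION:
example.test.           2687    IN      MX      5 mx1.example.test.
example.test.           2687    IN      MX      10 mx2.example.test.
"""

HEADER_RE = re.compile(
    r";; flags:\s*(?P<flags>[a-z ]*?);\s*QUERY: (?P<q>\d+), ANSWER: (?P<a>\d+), "
    r"AUTHORITY: (?P<auth>\d+), ADDITIONAL: (?P<add>\d+)")
# name  ttl  IN  type  rdata   (question lines start with ';' and have no TTL)
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_dig(output):
    """Return flags, section counts and the resource records found in the output."""
    m = HEADER_RE.search(output)
    if not m:
        raise ValueError("no dig header found")
    records = []
    for line in output.splitlines():
        rr = RR_RE.match(line)
        if rr and not line.startswith(";"):
            records.append((rr["name"], rr["type"], rr["rdata"].strip()))
    return {"flags": set(m["flags"].split()), "answers": int(m["a"]),
            "authority": int(m["auth"]), "records": records}


def mx_records(parsed):
    """(preference, host) for every MX answer, lowest preference first."""
    out = []
    for name, rtype, rdata in parsed["records"]:
        if rtype == "MX":
            pref, host = rdata.split(None, 1)
            out.append((int(pref), host))
    return sorted(out)


def diagnose(output):
    """One-line verdict: referral from a non-recursive server, or usable MX data."""
    p = parse_dig(output)
    if "ra" not in p["flags"] and p["answers"] == 0:
        root_referral = any(n == "." and t == "NS" for n, t, _ in p["records"])
        where = "a referral to the root servers" if root_referral else "no answer"
        return ("resolver does not offer recursion (no 'ra' flag), returned " + where
                + "; check that /etc/resolv.conf points at a recursive server")
    mx = mx_records(p)
    if not mx:
        return "recursive answer but no MX records"
    return "ok: " + ", ".join(f"{pref} {host}" for pref, host in mx)


if __name__ == "__main__":
    print(diagnose(REFERRAL))
    print(diagnose(RESOLVED))
```

To use it on a live server, feed it `subprocess.run(["dig", "mx", domain], capture_output=True, text=True).stdout`, run once as root and once as the postfix user, as suggested in the thread.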

alexxxis 01-02-2007 07:54 AM

that is bizarre.

why would such a thing happen?
Is it my network provider's fault?

saman007uk 01-02-2007 09:02 AM

Try the same command as the root user, see what you get. Are you using Debian stable?

alexxxis 01-02-2007 09:35 AM

I am on Debian 3.1 stable, yes... and I get the same results for root.
I also run bind9 on the server... could this be related somehow?

saman007uk 01-02-2007 10:09 AM

Yes, it is very likely that the server is trying to look up the domains from the local bind server.

Look at /etc/resolv.conf and see if it lists the local server.

alexxxis 01-02-2007 03:41 PM

Thanks for your patience saman007uk,

Yes, you are right, /etc/resolv.conf has:

There is also a weird record: search org

(The file says not to edit it by hand,)
so I did:
resolvconf -d nameserver (remove)
resolvconf -u (update scripts)

but the local address is still in the file...
How do I remove it?
