[SOLVED] Postfix/Dovecot email server

the big cheese · 11-08-2009, 07:11 PM

Hi guys.

I'm running Ubuntu 8.10 server edition with postfix and dovecot handling my email duties. Currently, I can log in correctly and receive any mail/sync folder (IMAP) but I cannot send mail to any address I care to try.

The error message in the mail log is:

Quote:

postfix/smtpd[4757]: NOQUEUE: reject: RCPT from XX-XXX-XX-XXX.dynamic.dsl.as9105.com[XX.XXX.XX.XXX]: 554 5.7.1 <recipiant@xxxxxxx.co.uk>: Relay access denied; from=<me@mylinuxdomain.co.uk> to=<recipiant@xxxxxxx.co.uk> proto=ESMTP helo=<BigCheeseLaptop>

The output from postconf -n is:

Quote:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4h
inet_interfaces = all
inet_protocols = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = mylinuxdomain.co.uk, localhost.mylinuxdomain.co.uk, localhost
mydomain = mylinuxdomain.co.uk
myhostname = mylinuxdomain.co.uk
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

Can anyone help me shed some light on this?

acid_kewpie · 11-09-2009, 12:50 PM

Is this not the remote server telling you to get stuffed, possibly because you're coming from a dynamic IP? Generally you'd be better off looking to always relay outbound mail via your ISP's smtp relay, which hopefully exists. This means that email is directly passed from an official known ISP MTA, not you, meaning it won't be blocked (or at least much less likely). That rejected relay source is tiscali... your ISP I take it? Try making it smart relay through smtp.tiscali.co.uk.

That's how I read it at least, not 100% sure it's that, if not maybe you need to clarify the topology you're using... sending to your MTA over the net instead of locally? Hard to see where the internet domains in the log come into the equation.

the big cheese · 11-09-2009, 07:33 PM

acid_kewpie - thanks for the reply.

What's happening is I'm attempting to send any mail from my laptop at home (Tiscali being my ISP) through my mail client, connected to my linux server.
The linux server is a hosted machine with a static IP address. The IP address in the error message above is of my laptop, not the mail server.
The sending fails in my mail client and I get the error message above in my mail log.

Is it possible it's rejecting my laptop's IP, and not the actual server IP? and therefore that the relay source in my mails is incorrect?

sleddog · 11-09-2009, 07:52 PM

I don't see any indication that you are authenticating. Is the email program on your laptop configured to send a username/password for SMTP access?

the big cheese · 11-09-2009, 09:25 PM

sleddog - yes, it does send a username/password, but I think you may be correct.

I actually think I might have found the issue (potentially). When searching about after acid_kewpie's suggestions, I came across this:
http://ubuntuforums.org/archive/inde...t-1061230.html

Which leads me to believe that my postfix setting:

Quote:

mynetworks = 127.0.0.0/8

may be the cause of my issue.

mynetworks apparently "lists all networks that this machine somehow trusts. This information can be used by the anti-UCE features to recognize trusted SMTP clients that are allowed to relay mail through Postfix."

It's almost 03:30 here though, so I shall try that in the morning...

acid_kewpie · 11-09-2009, 11:21 PM

well mynetworks will stop anything other than the machine itself sending, depending on how it's used, and normally that would be 127.0.0.1/8,192.168.1.0/24 or something similar to permit local clients. I'm still a bit confused then as to why the logs are reporting inet hostnames as opposed to local data though. If this is all on a home LAN, then mynetworks would want to change, otherwise with authentication (and where does auth come into this... unclear again) then I think you'd want to define smtpd_client_restrictions to cover permit_mynetworks and permit_sasl_authenticated to allow you to send remotely with a username and password and locally without.

the big cheese · 11-10-2009, 08:18 AM

Quote:

Nov 10 12:53:36 servername postfix/smtpd[3869]: connect from xx-xxx-xx-xxx.dynamic.dsl.as9105.com[xx.xxx.xx.xxx]
Nov 10 12:53:36 servername postfix/smtpd[3869]: setting up TLS connection from xx-xxx-xx-xxx.dynamic.dsl.as9105.com[xx.xxx.xx.xxx]
Nov 10 12:53:36 servername postfix/smtpd[3869]: Anonymous TLS connection established from xx-xxx-xx-xxx.dynamic.dsl.as9105.com[xx.xxx.xx.xxx]: TLSv1 with cipher AES128-SHA (128/128 bits)
Nov 10 12:53:36 servername postfix/smtpd[3869]: NOQUEUE: reject: RCPT from xx-xxx-xx-xxx.dynamic.dsl.as9105.com[xx.xxx.xx.xxx]: 554 5.7.1 <recipient@domain.co.uk>: Relay access denied; from=<localname@postfixserver.co.uk> to=<recipent@domain.co.uk> proto=ESMTP helo=<BigCheeseLaptop>

That is the complete log. If that helps at all.
Changing mynetworks to allow all 88.x.x.x addresses didn't seem to change anything.

acid_kewpie · 11-10-2009, 08:30 AM

It's still vague where you are doing what... don't permit internet ranges in mynetworks, instead you need to authenticate really. Note that the act of authenticating doesn't mean anything in itself, you still need to attach a significance of it having been successful, e.g. the smtpd_client_restrictions directive (as I read the docs at least)

the big cheese · 11-10-2009, 09:36 AM

I added the smptd_client_restrictions option as you suggested, but no luck.
There is no sign of authentication in the mail log (when sending a mail) - just an anonymous connection and a relay denial.
My email client is definitely set to send user/pass info, so I'm not sure why there isn't some sort of authentication in the log

acid_kewpie · 11-10-2009, 10:33 AM

Well are you requesting authentication to take place on the server side?

the big cheese · 11-10-2009, 11:44 AM

acid - I finally solved my problem.
The sasl daemon was not running, and therefore failing to authenticate connections.
A little trick with the sasldb2 file and it's now accepting and sending my mail.

Thankyou very much for your help!