Postfix - relay access denied

CopalFreak · 03-29-2012, 06:22 PM

Ok..got a weird one..

I have a postfix email server setup so that only authenticated users can relay mail from locations other that the ones I specify (MyNetworks, etc).

When I travel with my laptop and get to some place using DHCP (hotel or something), I get 'relay access denied' when sending mail to certain domains (gmail.com for example).

It only happens when I use Outlook 2010, which for some reason has to be 'rigged' to authenticate with the way I have this thing setup...but even though I am authenticating, it still gets 'relay access denied'.

Only Outlook 2010 or Outlook 2003 seem to have this problem.

It works fine when using an email client other than Outlook 2010 or Outlook 2003 (all other versions of outlook seem to work fine, as does Thunderbird).

I suspect the 'STARTTLS' has something to do with it, as this is not an option on either of those clients.

I want to make this work with any email client that is capable of doing it, and both outlook 2010 and outlook 2003 are supposed to support this type of thing.

postfix main.cf

Code:

broken_sasl_auth_clients = yes

smtpd_client_restrictions =

smtpd_sender_restrictions = reject_invalid_hostname reject_unknown_sender_domain  reject_unauthenticated_sender_login_mismatch permit_sasl_authenticated permit_mynetworks permit

Here is what the maillog says

Code:

connect from unknown[{temp-IP}]

postfix/smtpd[24883]: setting up TLS connection from unknown[{temp-IP}]

postfix/smtpd[24883]: TLS connection established from unknown[{temp-IP}]: TLSv1 with cipher AES128-SHA (128/128 bits)

postfix/smtpd[24883]: NOQUEUE: reject: RCPT from unknown[{temp-IP}]: 554 5.7.1 <{recipient@gmail.com}>: Relay access denied; from=<{my_email_address}> to=<{recipient @gmail.com}> proto=ESMTP helo=<{MyPC}>

postfix/smtpd[24883]: disconnect from unknown[{temp-IP}]

Once I get this working, I had planned to move away from TLSv1, but now I am starting to think that TLSv1 may be part of the problem (I want to move up anyway, but am trying to get the silly thing to work first before I go and mess the entire thing up again)

As I understand it, for outgoing mail I can use :

PORT(portDesc) [what to use]
----------------------------
25(smtpd) [standard, could use SSL_client_cert to auth, but what a pain]
465(smpts) [SSL/TLS]
587(submission) [STARTTLS - which is where outlook 2010/2003 has problems because they dont support it the 'normal' way]

(is that right?)

Any ideas on how I can go about fixing this?

Thanks!

Noway2 · 04-02-2012, 03:28 PM

Are you perchance using Dovecot for you SASL authentication?
I hate to say it but it is undoubtedly yet another one of those damned Micro$haft non-standardization issues.

A few years ago, I had to make a change to my Dovecot configuration to allow a user with Outlook, I believe that the problem was authentication on sending. Looking over my dovecot configuration, I don't see that I made any comments in this regard, but I do have this line "pop3_uidl_format = %08Xu%08Xv", which I seem to recall as being the one that I had to add to make it work, however, this doesn't make sense for your situation. This link shows the uidl line as well as a command to not disable plain login, which is what is used over TLS.

Then again, this link says that Outlook gave a lot of trouble until they moved the mechanisms = plain login line towards the end of the file. The page links to the reference post that helped them to solve the problem too.

It could also be a case of needing "broken_sasl_auth_clients = yes" in your smtpd_recipient_restrictions section, which if I recall correctly comes down to an issue with "AUTH PLAIN" versus "AUTH=PLAIN" in the SMTP negotiation phase.

If none of the above work, perhaps you could turn on a higher level of debugging and look at the SASL authentication because for whatever reason, your not being granted sasl authenticated status.

CopalFreak · 04-04-2012, 02:21 PM

NoWay2,

Thank you for the information!

I am indeed using Dovecot for SASL authentication.
It seems to work with everything except MS Outlook 2010.

I added "pop3_uidl_format = %08Xu%08Xv".
I already had "broken_sasl_auth_clients = yes", "disable_plaintext_auth = no", and the Dovecot2 equivalent to "mechanisms = plain login".

My "auth_mechanisms = plain login ntlm" was at the top, and I have moved it to the bottom.
I added ntlm because I read that is what outlook 2010 may be using.
I referenced
http://wiki2.dovecot.org/Authentication/Mechanisms
and
http://wiki2.dovecot.org/Authentication/Mechanisms/NTLM

I have the all the debugging stuff turned on (with the exception of showing passwords) as specified here :
http://wiki2.dovecot.org/Logging#Logging_verbosity

I should know soon if any of this has a positive affect on the situation and will post results here.

Thanks again!

Noway2 · 04-04-2012, 02:26 PM

Thank you for the update. Hopefully the changes work, but if not maybe you will get some critical information!