LinuxQuestions.org

herkalurk 10-31-2016 10:45 AM

Help with postfix mail relay
 
I have a VPS in the cloud running sendmail currently. Its job is to be the public MX for my domain, it receives and sends all email from my domain to the world via esmtp direct to the recipient's MX server. Received mail for my domain gets forwarded on a non-standard port to my home server for storage. Basically the whole point of this server is mail relay. I have the settings working well with sendmail. I'm keeping out the riffraff, all while allowing my domain to send mail as I please. I thought I had postfix set up properly based on the docs to replicate the settings but I can't get it to work.
  • I can send an email from the local VPS to my domain, and it will get delivered
  • I CANNOT send an email from my local VPS to google
  • I CANNOT send an email from the remote email server(storing email home server) to google
  • Google cannot send an email to my domain successfully

I'm attaching my configs, with hostnames and IPs removed. Please let me know if this is the wrong forum to post in, or if you can point me in the right direction.

/etc/postfix/main.cf
Code:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = localhost, 198.46.xxx.xxx, 198.46.xxx.xxx
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.1/32
relay_domains = domain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
        ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
transport_maps = hash:/etc/postfix/transport
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, permit_mynetworks, reject
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, permit_mynetworks, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net
smtpd_relay_restrictions = permit_mynetworks
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit

/etc/postfix/access
Code:

alkain.com                        DISCARD
cablevision.net.mx                DISCARD
cantv.net                          DISCARD
coppermail-usa.com                DISCARD
esab.co.uk                        DISCARD
fbclouderfb.com                    DISCARD
kalyanimotors.com                  DISCARD
midialocal.com.br                  DISCARD
orange.fr                          DISCARD
qlink.queensu.ca                  DISCARD
spdop.ru                          DISCARD
slsenterprise.com                  DISCARD
speedy.com.ar                      DISCARD
static.vnpt.vn                    DISCARD
tin.it                            DISCARD
vtr.net                            DISCARD
wanadoo.fr                        DISCARD
xdpromos.com                      DISCARD
68.228.xxx.xx                      OK
localhost.localdomain              OK
127.0.0.1                          OK
domain.com                        OK

/etc/postfix/recipient_access
Code:

2z9yi3cdccr07z8zeu7s@domain.com  DISCARD
5jlxDZCt2vozd7CxJpZ1@domain.com  DISCARD
8dk3@domain.com                  DISCARD
8ei3@domain.com                  DISCARD
9227k1yq2B4zukd9URIi@domain.com  DISCARD
9p7fsuzci88zg86obbab@domain.com  DISCARD
ads@domain.com                    DISCARD
asdfasdfasdfessdf@domain.com      DISCARD
city@domain.com                  DISCARD
ding@domain.com                  DISCARD
dolke@domain.com                  DISCARD
f5fwsb6207igpcvbradl@domain.com  DISCARD
flash@domain.com                  DISCARD
fre@domain.com                    DISCARD
fred@domain.com                  DISCARD
freed@domain.com                  DISCARD
gkfdo7xexye7dyez0mms@domain.com  DISCARD
hope@domain.com                  DISCARD
hrvczyw2778ryetkaizc@domain.com  DISCARD
kln@domain.com                    DISCARD
lsidi@domain.com                  DISCARD
ocho@domain.com                  DISCARD
pujsdvponesnykdgiepe@domain.com  DISCARD
roulette@domain.com              DISCARD
s8i3ks8s893k@domain.com          DISCARD
sadfesdf93ks93@domain.com        DISCARD
skeiksi@domain.com                DISCARD
smsqscnxpxefuozs4wpn@domain.com  DISCARD
steve@domain.com                  DISCARD
domain.com                          OK

/etc/postfix/sender_access
Code:

CANON@domain.com                DISCARD
canon211847@domain.com          DISCARD
copier@domain.com              DISCARD
CreditControl@domain.com        DISCARD
document@domain.com            DISCARD
Kopierer@domain.com            DISCARD
Leonie6353@domain.com          DISCARD
nadiam1pa@domain.com            DISCARD
qwer8@domain.com                DISCARD
scanner@domain.com              DISCARD
voicemail@domain.com            DISCARD
xerox@domain.com                DISCARD
Tess.Chao15@msn.com                DISCARD
seminars@info.ve10.com            DISCARD
email2jbala@gmail.com              DISCARD
serv-a@mail.ru                    DISCARD
domain.com                        OK

/etc/postfix/transport
Code:

domain.com    smtp:mail.domain.com:143

scheidel21 11-02-2016 06:42 PM

What do your SMTP logs indicate? Is the traffic being received by your VPS smarthost from your local machine? From Google? Does your MX record publicly resolve properly? Is your VPS IP or your registered domain on any blacklist? You can check at mxtoolbox. If you send an email from a Gmail account do you get an NDR back, and if so what does it say? Same with sending mail out. The issue doesn't sound like a postfix configuration issue. I also didn't see anything glaringly wrong with your postfix config.

herkalurk 11-02-2016 09:30 PM

It's a postfix config issue for sure. I'm trying to migrate from a working sendmail setup. My MX/DNS records are good. Traffic is getting there, but it's always being denied (rejected).

You can see the reject here from Google to my domain and from my home server trying to use the VPS to send out

Code:

Oct 28 18:10:31 vps1 postfix/master[8771]: daemon started -- version 2.6.6, configuration /etc/postfix
Oct 28 18:10:46 vps1 postfix/smtpd[8843]: connect from mail-pf0-f174.google.com[209.85.192.174]
Oct 28 18:10:46 vps1 postfix/smtpd[8843]: NOQUEUE: reject: RCPT from mail-pf0-f174.google.com[209.85.192.174]: 554 5.7.1 <mail-pf0-f174.google.com[209.85.192.174]>: Client host rejected: Access denied; from=<user@gmail.com> to=<administrator@domain.com> proto=ESMTP helo=<mail-pf0-f174.google.com>
Oct 28 18:10:46 vps1 postfix/smtpd[8843]: disconnect from mail-pf0-f174.google.com[209.85.192.174]

Oct 28 18:17:35 vps1 postfix/smtpd[9382]: connect from domain.local[68.228.xxx.xxx]
Oct 28 18:17:35 vps1 postfix/trivial-rewrite[9384]: warning: do not list domain domain.com in BOTH virtual_alias_domains and relay_domains
Oct 28 18:17:35 vps1 postfix/smtpd[9382]: NOQUEUE: reject: RCPT from domain.local[68.228.xxx.xxx]: 554 5.7.1 <user@gmail.com>: Relay access denied; from=<administrator@domain.com> to=<herker@gmail.com> proto=SMTP helo=<mail.domain.com>
Oct 28 18:17:35 vps1 postfix/smtpd[9382]: disconnect from domain.local[68.228.xxx.xxx]

and here is a good send from localhost (the VPS) to the mail server at my house

Code:

Oct 28 18:13:27 vps1 postfix/smtpd[9260]: connect from localhost.localdomain[127.0.0.1]
Oct 28 18:13:27 vps1 postfix/smtpd[9260]: EA8D7184110F: client=localhost.localdomain[127.0.0.1]
Oct 28 18:13:27 vps1 postfix/cleanup[9264]: EA8D7184110F: message-id=<201610282311.u9SNBeuI009155@vps1.domain.com>
Oct 28 18:13:27 vps1 postfix/smtpd[9260]: disconnect from localhost.localdomain[127.0.0.1]
Oct 28 18:13:27 vps1 postfix/qmgr[9258]: EA8D7184110F: from=<root@vps1.domain.com>, size=2639, nrcpt=1 (queue active)
Oct 28 18:13:28 vps1 postfix/cleanup[9264]: 03ED01841119: message-id=<201610282311.u9SNBeuI009155@vps1.domain.com>
Oct 28 18:13:28 vps1 postfix/qmgr[9258]: 03ED01841119: from=<root@vps1.domain.com>, size=2778, nrcpt=1 (queue active)
Oct 28 18:13:28 vps1 postfix/local[9265]: EA8D7184110F: to=<root@vps1.domain.com>, relay=local, delay=0.1, delays=0.06/0.03/0/0.02, dsn=2.0.0, status=sent (forwarded as 03ED01841119)
Oct 28 18:13:28 vps1 postfix/qmgr[9258]: EA8D7184110F: removed
Oct 28 18:13:28 vps1 postfix/smtp[9266]: 03ED01841119: to=<administrator@domain.com>, orig_to=<root@vps1.domain.com>, relay=mail.keagaming.com[68.228.xxx.xxx]:143, delay=0.67, delays=0/0.01/0.34/0.32, dsn=2.0.0, status=sent (250 Queued (0.078 seconds))
Oct 28 18:13:28 vps1 postfix/qmgr[9258]: 03ED01841119: removed


scheidel21 11-02-2016 10:26 PM

For outbound mail to work I'd add your home public IP to the mynetworks, or better use authentication such as this https://blog.bravi.org/?p=1065 for the relay out. Not sure if that would resolve the inbound issue though. Do you have logs for the inbound?

scheidel21 11-02-2016 10:34 PM

Look over this, pretty sure this is where it is bunged up in the smtpd access restrictions. http://www.postfix.org/postconf.5.ht...y_restrictions

herkalurk 11-03-2016 12:16 AM

I updated my smtpd_relay_restrictions

Code:

smtpd_relay_restrictions = permit_mynetworks, permit relay_domains

Now I can send mail out from my accounts to any other (tested with 2 Google accounts, and my work email which is a separate server), however, even after fiddling some more and adding "permit relay_domains" to smtpd_recipient_restrictions, I still can't receive mail.

Code:

Nov  3 00:10:38 vps1 postfix/smtpd[2176]: connect from mail-pf0-f172.google.com[209.85.192.172]
Nov  3 00:10:38 vps1 postfix/smtpd[2176]: NOQUEUE: reject: RCPT from mail-pf0-f172.google.com[209.85.192.172]: 554 5.7.1 <mail-pf0-f172.google.com[209.85.192.172]>: Client host rejected: Access denied; from=<user@gmail.com> to=<reply@domain.com> proto=ESMTP helo=<mail-pf0-f172.google.com>
Nov  3 00:10:38 vps1 postfix/smtpd[2176]: disconnect from mail-pf0-f172.google.com[209.85.192.172]

The fact it says "Client host rejected" makes me think it's in the smtpd_client_restrictions settings, but IDK which one....

herkalurk 11-03-2016 01:20 AM

After more screwing around, it appears I have the config correct, going to let it run overnight and see if I run into any issues.

Code:

smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, permit
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, permit_mynetworks, permit relay_domains, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit

I'm able to receive any email for my domain, except those listed as DISCARD in the recipient access list (/etc/postfix/recipient_access), only localhost and my home server IP are allowed to send or relay any address through, it's actually discarding emails from bad domains listed in (/etc/postfix/sender_access), and not allowing any user of my domain to send from another server (tested with a work computer)

herkalurk 11-14-2016 10:48 AM

Finalized the config, had to slow down mail transmission but otherwise mostly the same, these are just the lines I've added to the main.cf

Code:

transport_maps = hash:/etc/postfix/transport
smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, permit
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, permit_mynetworks, permit relay_domains, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, permit
default_destination_rate_delay = 5s
default_extra_recipient_limit = 5
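
Added example, not part of the thread and not Postfix code: a simplified Python model of how smtpd walks the restriction lists posted above at RCPT TO, first decisive token wins per list, reproducing the two rejects seen in the logs. Assumptions: `HOME` is a constructed stand-in for the redacted home IP, the final `mynetworks` includes it, access tables are reduced to their OK rows, destination checks look only at `relay_domains`, and DNSBL/DNS checks never match. `smtpd_relay_restrictions` is left out because it exists only from Postfix 2.10 on and the logs show 2.6.6.

```python
import ipaddress
import re

RELAY_DOMAINS = {"domain.com"}                   # relay_domains in the thread
HOME, GOOGLE = "203.0.113.10", "209.85.192.174"  # HOME: constructed stand-in for the redacted IP
CLIENT_OK = {HOME, "127.0.0.1"}                  # OK rows of /etc/postfix/access

def run_list(spec, client, rcpt, mynetworks):
    """Evaluate one restriction list; the first decisive token ends it."""
    tokens = iter(re.split(r"[,\s]+", spec.strip()))
    rcpt_domain = rcpt.rsplit("@", 1)[1]
    for tok in tokens:
        if tok.startswith(("check_", "reject_rbl_client")):
            next(tokens)                         # consume the map / DNSBL argument
        if tok == "permit":
            return "permit"
        if tok == "reject":
            return "reject: Access denied"
        if tok == "permit_mynetworks":
            addr = ipaddress.ip_address(client)
            if any(addr in ipaddress.ip_network(n) for n in mynetworks):
                return "permit"
        elif tok == "check_client_access" and client in CLIENT_OK:
            return "permit"
        elif tok == "check_recipient_access" and rcpt_domain in RELAY_DOMAINS:
            return "permit"                      # the "domain.com OK" row
        elif tok == "reject_unauth_destination" and rcpt_domain not in RELAY_DOMAINS:
            return "reject: Relay access denied"
        # Other tokens (DNSBL, DNS checks) never match in this model.
    return "dunno"

def rcpt_decision(cfg, client, rcpt):
    """Client list first, then recipient list; a reject in either is final."""
    for name in ("client", "recipient"):
        result = run_list(cfg[name], client, rcpt, cfg["mynetworks"])
        if result.startswith("reject"):
            return f"{name}: {result}"
    return "accept"

ORIGINAL = {
    "mynetworks": ["127.0.0.1/32"],
    "client": "check_client_access hash:/etc/postfix/access, permit_mynetworks, reject",
    "recipient": "check_recipient_access hash:/etc/postfix/recipient_access, permit_mynetworks, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net",
}
FINAL = {
    "mynetworks": ["127.0.0.1/32", HOME + "/32"],  # assumption: home IP was added
    "client": "permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, permit",
    "recipient": "check_recipient_access hash:/etc/postfix/recipient_access, permit_mynetworks, permit relay_domains, reject_unauth_destination",
}
```

In this model the final recipient list on its own returns `permit` for an outside client relaying to gmail.com, because the bare `permit` token ends the list before `reject_unauth_destination`. The relay block in the final configuration therefore comes from `reject_unauth_destination` in `smtpd_client_restrictions`.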



All times are GMT -5.