My ISP has implemented SASL AUTH on its SMTP server. Thus I now have to
set up my Postfix client to provide login information. I've read the
docs and added the relevant lines to my main.cf file.
The SASL AUTH part seems to be working but I keep getting errors about
"Recipient address rejected: Relay access denied". However I can send
mail to my ISP's smtpauth server via Mozilla Thunderbird client on a
Windows XP box to the exact same addresses.
My network setup is like so:
                 ISP
                  |
              DSL Modem
                  |
             Router/NAT
                  |
   --------------------------------
   |          |         |         |
FreeBSD     WinXP     WinXP     Linux
I show this so you can see that all clients will come from the same
public IP address.
Here is a successful session from my WinXP box as best I could extract
with Ethereal:
--- BEGIN ---
Escape character is '^]'.
220 smtpauth.surewest.net ESMTP Postfix
EHLO 192.168.1.3
250-smtpauth.surewest.net
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH CRAM-MD5
334 PDM0Nzc0MzkzODYuMTM5NjQzNDRAc210cGF1dGguc3VyZXdlc3QubmV0Pg==
<my password string>
535 5.7.0 Error: authentication failed: authentication failure
AUTH PLAIN <my password string>
235 2.0.0 Authentication successful
MAIL FROM:[EMAIL PROTECTED]
250 2.1.0 Ok
RCPT TO:[EMAIL PROTECTED]
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
<lots of data>
250 2.0.0 Ok: queued as 8887C9BF12
--- END ---
Here's the same session with the Postfix smtp client with smtp -v set in
master.cf:
--- BEGIN ---
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: smtp_connect_addr: trying:
smtpauth.surewest.net[66.60.130.153] port 25...
Sep 20 07:48:17 blacklamb postfix/smtpd[8761]: disconnect from
bigdaddy.mykitchentable.net[192.168.1.3]
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: vstream_tweak_tcp:
TCP_MAXSEG 1448
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: global TLS level: may
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 220 smtpauth.surewest.net ESMTP
Postfix
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: >
smtpauth.surewest.net[66.60.130.153]:25: EHLO blacklamb.mykitchentable.net
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-smtpauth.surewest.net
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-SIZE 10240000
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-VRFY
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-ETRN
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-STARTTLS
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-AUTH=LOGIN PLAIN DIGEST-MD5
CRAM-MD5
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-ENHANCEDSTATUSCODES
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-8BITMIME
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250 DSN
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: server features: 0x901b
size 10240000
Sep 20 07:48:17 blacklamb postfix/smtp[8558]: >
smtpauth.surewest.net[66.60.130.153]:25: STARTTLS
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 220 2.0.0 Ready to start TLS
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: auto_clnt_open: connected
to private/tlsmgr
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: send attr request = seed
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: send attr size = 32
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: private/tlsmgr: wanted
attribute: status
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: input attribute name: status
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: input attribute value: 0
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: private/tlsmgr: wanted
attribute: seed
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: input attribute name: seed
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: input attribute value: <my
password string>
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: private/tlsmgr: wanted
attribute: (list terminator)
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: input attribute name: (end)
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: >
smtpauth.surewest.net[66.60.130.153]:25: EHLO blacklamb.mykitchentable.net
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-smtpauth.surewest.net
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-PIPELINING
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-SIZE 10240000
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-VRFY
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-ETRN
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-AUTH=LOGIN PLAIN DIGEST-MD5
CRAM-MD5
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-ENHANCEDSTATUSCODES
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250-8BITMIME
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250 DSN
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: server features: 0x900f
size 10240000
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: Using ESMTP PIPELINING,
TCP send buffer size is 4096
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: >
smtpauth.surewest.net[66.60.130.153]:25: MAIL
FROM:<[EMAIL PROTECTED]> SIZE=777
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: >
smtpauth.surewest.net[66.60.130.153]:25: RCPT TO:<[EMAIL PROTECTED]>
ORCPT=rfc822;[EMAIL PROTECTED]
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: >
smtpauth.surewest.net[66.60.130.153]:25: DATA
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 250 2.1.0 Ok
Sep 20 07:48:18 blacklamb postfix/smtp[8558]: <
smtpauth.surewest.net[66.60.130.153]:25: 554 5.7.1 <[EMAIL PROTECTED]>:
Recipient address rejected: Relay access denied
--- END ---
Yet I can send via interactive telnet session:
--- BEGIN ---
blacklamb# telnet smtpauth.surewest.net 25
Trying 66.60.130.153...
Connected to smtpauth.surewest.net.
Escape character is '^]'.
220 smtpauth.surewest.net ESMTP Postfix
AUTH PLAIN <my password string>
235 2.0.0 Authentication successful
mail from:[EMAIL PROTECTED]
250 2.1.0 Ok
rcpt to:[EMAIL PROTECTED]
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
some data here
some more here
.
250 2.0.0 Ok: queued as 03D609BF3C
rset
250 2.0.0 Ok
quit
221 2.0.0 Bye
--- END ---
Thus I suspect I don't have something correct in my Postfix
configuration. I have been trying to resolve this for a few days and am
stuck. Can anyone show me my error? I'd *REALLY* appreciate it.
Thanks,
Drew
---
Requested output from http://www.postfix.org/DEBUG_README.html#mail follows:
The postfinger link returns a forbidden error. Thus:
blacklamb# postconf -n
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
default_privs = nobody
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname localhost.$mydomain $mydomain
alchemistswarehouse.com
mynetworks = 192.168.0.0/16, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
notify_classes = 2bounce, delay, resource, software
queue_directory = /var/spool/postfix
readme_directory = no
relayhost = smtpauth.surewest.net
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname NO UCE ESMTP
smtpd_client_restrictions = check_client_access
hash:/usr/local/etc/postfix/client_access,
reject_unauth_pipelining, reject_rbl_client dnsbl.njabl.org,
reject_rbl_client bl.spamcop.net, reject_rbl_client
sbl.spamhaus.org, reject_rbl_client xbl.spamhaus.org,
reject_rbl_client list.dsbl.orgreject_rbl_client dsn.rfc-ignorant.org
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
soft_bounce = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
blacklamb# ./saslfinger.sh -c
saslfinger.sh - postfix Cyrus sasl configuration Sat Sep 20 09:48:55 PDT
2008
version: 1.0.2
mode: client-side SMTP AUTH
-- basics --
Postfix: 2.5.1
System: FreeBSD 6.2-RELEASE-p8 (BLACKLAMB) #2: Thu Oct 25 23:17:42 PDT 2007
Welcome to FreeBSD!
Before seeking technical support, please use the following resources:
o Security advisories and updated errata information for all releases are
at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
for your release first as it's updated frequently.
o The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
along with the mailing lists, can be searched by going to
http://www.FreeBSD.org/search/. If the doc distribution has
been installed, they're also available formatted in /usr/share/doc.
If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the [EMAIL PROTECTED] mailing list. If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page. If you are not familiar with manual pages, type `man man'.
You may also use sysinstall(8) to re-enter the installation and
configuration utility. Edit /etc/motd to change this login announcement.
-- smtp is linked to --
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x280e9000)
-- active SMTP AUTH and TLS parameters for smtp --
relayhost = smtpauth.surewest.net
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
-- listing of /usr/local/lib/sasl2 --
total 692
drwxr-xr-x 2 root wheel 1024 Jul 16 06:15 .
drwxr-xr-x 25 root wheel 9728 Aug 20 09:23 ..
-rw-r--r-- 1 root wheel 26 May 30 2006 Sendmail.conf
-rw-r--r-- 1 root wheel 13276 Jul 16 06:15 libanonymous.a
-rwxr-xr-x 1 root wheel 829 Jul 16 06:15 libanonymous.la
-rwxr-xr-x 1 root wheel 16549 Jul 16 06:15 libanonymous.so
-rwxr-xr-x 1 root wheel 16549 Jul 16 06:15 libanonymous.so.2
-rw-r--r-- 1 root wheel 15478 Jul 16 06:15 libcrammd5.a
-rwxr-xr-x 1 root wheel 815 Jul 16 06:15 libcrammd5.la
-rwxr-xr-x 1 root wheel 18850 Jul 16 06:15 libcrammd5.so
-rwxr-xr-x 1 root wheel 18850 Jul 16 06:15 libcrammd5.so.2
-rw-r--r-- 1 root wheel 46360 Jul 16 06:15 libdigestmd5.a
-rwxr-xr-x 1 root wheel 838 Jul 16 06:15 libdigestmd5.la
-rwxr-xr-x 1 root wheel 48299 Jul 16 06:15 libdigestmd5.so
-rwxr-xr-x 1 root wheel 48299 Jul 16 06:15 libdigestmd5.so.2
-rw-r--r-- 1 root wheel 23156 Jul 16 06:15 libgssapiv2.a
-rwxr-xr-x 1 root wheel 891 Jul 16 06:15 libgssapiv2.la
-rwxr-xr-x 1 root wheel 27232 Jul 16 06:15 libgssapiv2.so
-rwxr-xr-x 1 root wheel 27232 Jul 16 06:15 libgssapiv2.so.2
-rw-r--r-- 1 root wheel 13482 Jul 16 06:15 liblogin.a
-rwxr-xr-x 1 root wheel 809 Jul 16 06:15 liblogin.la
-rwxr-xr-x 1 root wheel 17008 Jul 16 06:15 liblogin.so
-rwxr-xr-x 1 root wheel 17008 Jul 16 06:15 liblogin.so.2
-rw-r--r-- 1 root wheel 29640 Jul 16 06:15 libntlm.a
-rwxr-xr-x 1 root wheel 803 Jul 16 06:15 libntlm.la
-rwxr-xr-x 1 root wheel 33727 Jul 16 06:15 libntlm.so
-rwxr-xr-x 1 root wheel 33727 Jul 16 06:15 libntlm.so.2
-rw-r--r-- 1 root wheel 19738 Jul 16 06:15 libotp.a
-rwxr-xr-x 1 root wheel 803 Jul 16 06:15 libotp.la
-rwxr-xr-x 1 root wheel 23669 Jul 16 06:15 libotp.so
-rwxr-xr-x 1 root wheel 23669 Jul 16 06:15 libotp.so.2
-rw-r--r-- 1 root wheel 13610 Jul 16 06:15 libplain.a
-rwxr-xr-x 1 root wheel 809 Jul 16 06:15 libplain.la
-rwxr-xr-x 1 root wheel 16970 Jul 16 06:15 libplain.so
-rwxr-xr-x 1 root wheel 16970 Jul 16 06:15 libplain.so.2
-rw-r--r-- 1 root wheel 19632 Jul 16 06:15 libsasldb.a
-rwxr-xr-x 1 root wheel 808 Jul 16 06:15 libsasldb.la
-rwxr-xr-x 1 root wheel 21743 Jul 16 06:15 libsasldb.so
-rwxr-xr-x 1 root wheel 21743 Jul 16 06:15 libsasldb.so.2
-rw-r--r-- 1 root wheel 50 Apr 14 2006 smtpd.conf
-- permissions for /usr/local/etc/postfix/sasl_passwd --
-rw-r--r-- 1 root wheel 55 Sep 20 08:54
/usr/local/etc/postfix/sasl_passwd
-- permissions for /usr/local/etc/postfix/sasl_passwd.db --
-rw-r--r-- 1 root wheel 16384 Sep 19 22:57
/usr/local/etc/postfix/sasl_passwd.db
/usr/local/etc/postfix/sasl_passwd.db is older than
/usr/local/etc/postfix/sasl_passwd!
Run the following command as root to sync
/usr/local/etc/postfix/sasl_passwd.db:
postmap hash:/usr/local/etc/postfix/sasl_passwd
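
Added example, not part of the original post: a small Python audit of `postconf -n` output for the client-side (outbound) SASL parameters, run here on an excerpt of the listing above. The default values are Postfix's documented built-ins for parameters that `postconf -n` leaves out; the function names are this example's own.

```python
# Added example: audit `postconf -n` output for client-side SMTP AUTH settings.
# DEFAULTS holds Postfix's built-in values for parameters that `postconf -n`
# omits when main.cf does not set them.
DEFAULTS = {
    "smtp_sasl_auth_enable": "no",
    "smtp_sasl_password_maps": "",
    "smtp_sasl_mechanism_filter": "",
    "smtp_sasl_security_options": "noplaintext, noanonymous",
    "smtp_sasl_tls_security_options": "$smtp_sasl_security_options",
}
PLAINTEXT_MECHS = {"plain", "login"}

# Client-side lines excerpted from the `postconf -n` listing in the post.
SAMPLE = """\
relayhost = smtpauth.surewest.net
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_tls_security_level = may
"""

def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params

def audit_sasl_client(text):
    """Return findings for the outbound (smtp client) SASL configuration."""
    p = {**DEFAULTS, **parse_postconf(text)}
    findings = []
    if p["smtp_sasl_auth_enable"].lower() != "yes":
        findings.append("smtp_sasl_auth_enable is not 'yes': client sends no AUTH")
    if not p["smtp_sasl_password_maps"]:
        findings.append("smtp_sasl_password_maps is empty: no credentials to send")
    mechs = set(p["smtp_sasl_mechanism_filter"].replace(",", " ").lower().split())
    # Resolve the single $-reference used by the TLS variant's default value.
    tls_opts = p["smtp_sasl_tls_security_options"].replace(
        "$smtp_sasl_security_options", p["smtp_sasl_security_options"])
    if mechs and mechs <= PLAINTEXT_MECHS and "noplaintext" in tls_opts:
        findings.append("smtp_sasl_tls_security_options has noplaintext, "
                        f"but the mechanism filter allows only {sorted(mechs)}")
    return findings
```

The saslfinger listing also shows `sasl_passwd` and `sasl_passwd.db` as `-rw-r--r--`; these files hold the relay credentials, so they are normally restricted to root (mode 0600).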