Hi guys, I'm setting up a new box using Dovecot SASL (all my other servers use saslauthd at the moment) and Postfix 2.5.5. Sending on submission with SMTP AUTH works fine, but not for smtps.
Sending from a mail client I get the following in the logs:

May 14 14:56:08 server01 postfix/smtpd[27846]: NOQUEUE: reject: RCPT from broadband.domain.net[x.x.x.x]: 554 5.7.1 <mya...@gmail.com>: Relay access denied; from=<g...@mydomain.net> to=<mya...@gmail.com> proto=ESMTP helo=<[x.x.x.x]>

If I connect to 465 with openssl I get the following:

openssl s_client -CAfile /etc/ssl/certs/AddTrust_External_Root.pem -crlf -connect secure.localdomain.net:465
<snip>
No client certificate CA names sent
---
SSL handshake has read 4232 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: F29A097737AF4760326270E53633A734B7B303D816ABA49212AA26D9B2793348
    Session-ID-ctx:
    Master-Key: 1C0425A3ADB56B0FBDA4BC06E9C559D461150D53A63D03E781133A6B3AA7DAF8779509C5E6EEFB8AC533799120538C06
    Key-Arg   : None
    Start Time: 1242371658
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 pichi.localdomain.net ESMTP Postfix (Ubuntu)
AUTH PLAIN <auth string>
235 2.7.0 Authentication successful
MAIL FROM: g...@localdomain.net
250 2.1.0 Ok
RCPT TO: mya...@gmail.com
RENEGOTIATING
depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify return:1
depth=0 /C=GB/postalCode=12345/ST=County/L=City/streetAddress=street/streetAddress=number/O=Co name/OU=Provided by Complete Web Services llc/OU=CompleteSSL/CN=secure.localdomain.net
verify return:1

The certificate is not self-signed (I found something on Google where someone had a similar problem because of a self-signed certificate) and, as you can see, the initial connection returns a 0 verify code. It's almost as if the successful auth is ignored on smtps. Am I missing something in my config?
postconf -n and other config options are listed below.

Thanks
Guy

I have the following added to my main.cf:

smtps_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_sasl_authenticated, reject
submission_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_sasl_authenticated, reject

And I have submission and smtps set up in master.cf (smtpd has "submission" as a symbolic link to it):

submission inet n       -       n       -       -       submission
  -o smtpd_tls_security_level=may
#  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=$smtps_recipient_restrictions
  -o milter_macro_daemon_name=ORIGINATING

postconf -n

2bounce_notice_recipient = postmas...@localdomain.net
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
biff = no
bounce_notice_recipient = postmas...@localdomain.net
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
delay_notice_recipient = postmas...@localdomain.net
error_notice_recipient = postmas...@localdomain.net
inet_interfaces = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq
message_size_limit = 31240000
mydestination =
myhostname = pichi.localdomain.net
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
proxy_read_maps = $relay_domains $relay_recipient_maps $virtual_alias_maps $transport_maps
queue_directory = /var/spool/postfix
relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql_relay_recipient_maps.cf
remote_header_rewrite_domain = domain.unspecified
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 100
smtpd_client_message_rate_limit = 200
smtpd_client_recipient_rate_limit = 50
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031,
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, check_client_access cidr:/etc/postfix/postfix-dnswl-permit, check_client_access cidr:/etc/postfix/postfix-dnswl-custom, reject_invalid_hostname, check_recipient_access mysql:/etc/postfix/mysql_spamcheck_alias_bypass.cf mysql:/etc/postfix/mysql_spamcheck_bypass.cf, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client b.barracudacentral.org, reject_rbl_client psbl.surriel.com, check_policy_service inet:127.0.0.1:10031, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth-client
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_cert_file = /etc/ssl/certs/imapd.pem
smtpd_tls_key_file = /etc/ssl/private/imapd.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/virtual_exception_transport_maps proxy:mysql:/etc/postfix/mysql_transport_maps.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf proxy:mysql:/etc/postfix/mysql_virtual_catchall_maps.cf

-- 
Don't just do something...sit there!
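An added example, not the poster's code and not part of Postfix itself, showing how the master.cf overrides in the post interact with main.cf. It parses a constructed master.cf fragment and a constructed postconf -n dump modelled on the post, expands $name references in -o values the way Postfix does, and reports for each smtpd-based service whether its effective smtpd_recipient_restrictions let a SASL-authenticated client relay before reject_unauth_destination or a bare reject denies it (reject_unauth_destination is what produces "Relay access denied"). A service with no -o override inherits main.cf, which this check makes visible. All input data, the service list and the parameter values are constructed for the example.

```python
"""Audit which Postfix smtpd services relay for SASL-authenticated users.

Added example (not the poster's or Postfix's own code). Parses master.cf
service entries with their -o overrides, resolves each service's effective
smtpd_recipient_restrictions against a postconf -n style main.cf, and flags
services where permit_sasl_authenticated is absent or comes after a
relay-denying restriction. Inputs below are constructed, not real configs.
"""
import re

# Constructed main.cf (postconf -n style), modelled on the post.
MAIN_CF = """
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit
smtps_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_sasl_authenticated, reject
submission_recipient_restrictions = check_policy_service inet:127.0.0.1:10031, permit_sasl_authenticated, reject
"""

# Constructed master.cf: port 25 inherits main.cf, submission and smtps use
# $name overrides, and one indented line is commented out (as in the post).
MASTER_CF = """
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  submission
  -o smtpd_tls_security_level=may
#  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$smtps_recipient_restrictions
"""

# Restrictions that deny relaying; anything else before permit_sasl_authenticated
# (e.g. reject_non_fqdn_sender) does not by itself block an authenticated relay.
RELAY_DENIERS = {"reject", "reject_unauth_destination"}


def parse_main_cf(text):
    """Return {name: value} from 'name = value' lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return [(service, command, {override: value})] per service entry.

    A service line has 8 whitespace-separated fields (command is the 8th);
    indented '-o name=value' lines belong to the preceding service. Lines
    starting with '#' are comments even when indented."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
            if m and services:
                services[-1][2][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) >= 8:
            services.append((fields[0], fields[7], {}))
    return services


def expand(value, params, depth=0):
    """Recursively expand $name / ${name} references against main.cf."""
    if depth > 10:
        raise ValueError("parameter expansion too deep")
    return re.sub(r"\$\{?([A-Za-z0-9_]+)\}?",
                  lambda m: expand(params.get(m.group(1), ""), params, depth + 1),
                  value)


def effective(overrides, params, name):
    """A service's value for `name`: its -o override if set, else main.cf."""
    return expand(overrides.get(name, params.get(name, "")), params)


def audit(master_text, main_text):
    """Return {service: report} for every smtpd-based service."""
    params = parse_main_cf(main_text)
    report = {}
    for service, command, overrides in parse_master_cf(master_text):
        # The post runs 'submission' as a symlink to smtpd; treat both alike.
        if command not in ("smtpd", "submission"):
            continue
        sasl = effective(overrides, params, "smtpd_sasl_auth_enable") == "yes"
        tokens = effective(overrides, params, "smtpd_recipient_restrictions").replace(",", " ").split()
        permit_at = tokens.index("permit_sasl_authenticated") if "permit_sasl_authenticated" in tokens else None
        deny_at = next((i for i, t in enumerate(tokens) if t in RELAY_DENIERS), None)
        ok = sasl and permit_at is not None and (deny_at is None or permit_at < deny_at)
        report[service] = {
            "sasl": sasl,
            "inherits_main_cf": "smtpd_recipient_restrictions" not in overrides,
            "restrictions": tokens,
            "authenticated_relay_ok": ok,
        }
    return report


if __name__ == "__main__":
    for svc, r in audit(MASTER_CF, MAIN_CF).items():
        src = "main.cf" if r["inherits_main_cf"] else "master.cf -o"
        state = "OK" if r["authenticated_relay_ok"] else "SASL users get Relay access denied"
        print(f"{svc:<11} sasl={r['sasl']!s:<5} restrictions from {src}: {state}")
```

The ordering check is deliberately narrow: only a bare reject or reject_unauth_destination placed ahead of permit_sasl_authenticated is reported, because those are the two that turn an authenticated submission into a relay refusal; sender and RBL checks ahead of it affect other outcomes but not relaying.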