On Jul 11, 2011, at 11:07 PM, Stan Hoeppner wrote:
> On 7/12/2011 12:12 AM, Ron Garret wrote:
>>
>> On Jul 11, 2011, at 9:31 PM, Stan Hoeppner wrote:
>>
>>> On 7/11/2011 8:12 PM, Ron Garret wrote:
>>>> I'm trying to set up a relay host with authentication according to these
>>>> instructions:
>>>>
>>>> http://anothersysadmin.wordpress.com/2009/02/06/postfix-as-relay-to-a-smtp-requiring-authentication/
>>>>
>>>> but it's not working. I know my SMTP server is set up properly because I
>>>> can send mail using various other clients, but postfix is apparently not
>>>> even attempting to authorize. Here are the relevant lines from main.cf:
>>>>
>>>> relayhost = secure.genesisgroup.info
>>>> smtp_sasl_auth_enable = yes
>>>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>>> smtp_sasl_security_options =
>>>>
>>>> Here is a log excerpt from my server from a successful login from a
>>>> different client (python smtplib):
>>>>
>>>> Jul 11 17:59:57 vm01 postfix/smtpd[812]: connect from
>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>>> Jul 11 17:59:58 vm01 postfix/smtpd[812]: A567C4CA949:
>>>> client=ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10],
>>>> sasl_method=LOGIN, sasl_username=XXX
>>>>
>>>> and here's the same thing when Postfix tries to connect between the same
>>>> two machines:
>>>>
>>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: connect from
>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]
>>>> Jul 11 18:00:26 vm01 postfix/smtpd[820]: NOQUEUE: reject: RCPT from
>>>> ec2-184-73-65-10.compute-1.amazonaws.com[184.73.65.10]: 554 5.7.1
>>>> <[email protected]>: Relay access denied;
>>>> from=<[email protected]> to=<[email protected]> proto=ESMTP
>>>> helo=<mail.sunfire-offices.com>
>>>>
>>>> As you can see, postfix is not even attempting to authorize.
>>>>
>>>> What am I doing wrong?
>>>
>>> You're not telling us what you're attempting to accomplish for starters.
>>
>> Sorry, I thought that would be clear from the context. I'm trying to do
>> exactly what you say:
>>
>>> When you specify relayhost you're telling Postfix to forward all non
>>> local outbound mail to a gateway instead of delivering it directly to
>>> internet MX destinations.
>>
>> Yes, that is exactly what I'm trying to do. The reason is that mail sent
>> directly from an EC2 instance is usually flagged as spam by many mail
>> recipients because the reverse DNS doesn't resolve properly.
>>
>>> You're showing smtpd logging, but the relayhost parameter applies to
>>> smtp, not smtpd. Your logging shows a host connecting to your Postfix
>>> server, not your Postfix server connecting to secure.genesisgroup.info.
>>
>>
>> The log excerpts are taken from the postfix server on
>> secure.genesisgroup.info, which is the machine I want to use to relay
>> outbound mail from the EC2 instance. Sorry that wasn't clear.
>
> Ok, now the logging snippets make sense. I'm guessing you simply need
> to add permit_sasl_authenticated to your smtpd_client_restrictions on
> host secure.genesisgroup.info, or if you use the "everything under
> smtpd_recipient_restrictions" main.cf style you'd do:
>
> smtpd_recipient_restrictions =
> permit_mynetworks
> permit_sasl_authenticated
> reject_unauth_destination
> ...

No, that's not the problem. I already have exactly that on
secure.genesisgroup.info. (See below.) And I have multiple clients
successfully using that host for authenticated SMTP, including a python client
running on the same machine that the non-working (in this respect) postfix is
running on.
> You provided 'postconf -d' instead of 'postconf -n', so it's impossible
> for me to tell what your parameters actually are. "-d" simply shows the
> Postfix defaults. Please provide 'postconf -n' so we can wrap this
> thread up, assuming permit_sasl_authenticated doesn't fix the problem.

Actually, it was postconf with no arguments. Here is postconf -n:

[ron@domU-12-31-39-00-E6-ED:~]$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = sunfire-offices.com
myhostname = mail.sunfire-offices.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relayhost = secure.genesisgroup.info
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
unknown_local_recipient_reject_code = 550

And just for completeness, here it is for secure.genesisgroup.info:

[ron@vm1:/etc/postfix]$ /usr/sbin/postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 15000000
mydestination = vm01.awun.ml.zerolag.com, localhost.awun.ml.zerolag.com, , localhost
myhostname = vm01.awun.ml.zerolag.com
mynetworks = 127.0.0.0/8, 67.201.56.75
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_hostname, permit
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_tls_CAfile = /etc/ssl/local-certs/startssl.ca.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/local-certs/genesisgroup.info.crt
smtpd_tls_key_file = /etc/ssl/local-keys/genesisgroup.info.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias.cf
virtual_gid_maps = static:107
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailboxes.cf
virtual_minimum_uid = 100
virtual_uid_maps = static:106
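The thread puts the `postconf -n` output of both ends side by side, which is enough for a mechanical cross-check of the relay pairing. The script below is an added example, not code from the thread or from the Postfix project. It parses `postconf -n` output (folding main.cf-style continuation lines) and applies three documented Postfix behaviours: a server with `smtpd_tls_auth_only = yes` announces AUTH only after STARTTLS; the Postfix SMTP client only negotiates STARTTLS when `smtp_tls_security_level` (or the older `smtp_use_tls`) enables it; and `smtp_sasl_security_options` defaults to `noplaintext, noanonymous`, which excludes the PLAIN and LOGIN mechanisms unless it is cleared. The two sample configurations are constructed subsets of the values the thread shows; the parameter names are real Postfix parameters, the check function and its messages are this example's own.

```python
"""Cross-check a Postfix relay client against its authenticating smarthost.

Added example (not from the thread or from Postfix). Sample data below is
constructed from the parameter values the thread shows.
"""
import re

# Constructed sample: a subset of the relaying host's `postconf -n`.
CLIENT_CONF = """\
myhostname = mail.sunfire-offices.com
relayhost = secure.genesisgroup.info
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
"""

# Constructed sample: a subset of the smarthost's `postconf -n`, with two
# parameters written main.cf-style across lines to exercise continuation folding.
SERVER_CONF = """\
myhostname = vm01.awun.ml.zerolag.com
mydestination = vm01.awun.ml.zerolag.com, localhost.awun.ml.zerolag.com, ,
    localhost
smtpd_recipient_restrictions = reject_unauth_pipelining,
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_use_tls = yes
"""

_PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_postconf(text):
    """Turn `postconf -n` / main.cf text into a dict of parameter -> value.

    Lines starting with whitespace continue the previous parameter, which is
    how Postfix itself reads main.cf; blank lines and comments are skipped.
    """
    params = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        m = _PARAM_RE.match(line)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def check_relay_client(client, server=None):
    """Return a list of findings for a client that relays through a smarthost.

    `server` is the smarthost's own parsed configuration, if available; it is
    used only to learn whether AUTH is gated behind STARTTLS.
    """
    findings = []
    if client.get("relayhost", "") == "":
        findings.append("no relayhost: mail is delivered directly to MX hosts")
        return findings
    if client.get("smtp_sasl_auth_enable", "no") != "yes":
        findings.append("smtp_sasl_auth_enable is not yes: the client will never send AUTH")
    if not client.get("smtp_sasl_password_maps"):
        findings.append("smtp_sasl_password_maps is unset: no credentials for the relayhost")
    # Postfix default is "noplaintext, noanonymous", which rules out PLAIN/LOGIN.
    sec_opts = client.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    if "noplaintext" in sec_opts:
        findings.append("smtp_sasl_security_options excludes PLAIN/LOGIN (noplaintext)")
    level = client.get("smtp_tls_security_level", "")
    client_tls = level not in ("", "none") or client.get("smtp_use_tls", "no") == "yes"
    server_auth_only_tls = server is not None and server.get("smtpd_tls_auth_only", "no") == "yes"
    if server_auth_only_tls and not client_tls:
        findings.append(
            "server announces AUTH only after STARTTLS (smtpd_tls_auth_only = yes) but the "
            "client never starts TLS (no smtp_tls_security_level / smtp_use_tls): "
            "AUTH is not offered, so the client cannot authenticate"
        )
    elif not client_tls:
        findings.append("credentials would travel in the clear; set smtp_tls_security_level = encrypt")
    return findings


if __name__ == "__main__":
    client = parse_postconf(CLIENT_CONF)
    server = parse_postconf(SERVER_CONF)
    for finding in check_relay_client(client, server) or ["no findings"]:
        print("-", finding)
```

Run it against real output with `postconf -n > client.txt` on the relaying host and the same on the smarthost, then feed both files to `parse_postconf`; the check only reads parameters, so it never touches the password map itself.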