On Thu, Jul 26, 2012 at 01:45:54PM +0100, Nicolás wrote:
> On 23/07/2012 12:13, Nicolás wrote:
> >Hi all!
> >
> >I have a server with postfix with virtual users (using MySQL),
> >it's working ok, let's call it A. I also have a secondary server,
> >which I want to use to send mails even outside my local network,
> >let's call it B. So I'm trying to configure B to relay through A
> >to send e-mails. The problem is I have SMTP auth enabled on A and
> >I'm missing something at the config of B because I get this error:
> >
> >Jul 23 11:50:41 mail postfix/smtp[9912]: D7429100B65:
> >to=<r...@socks.mydomain.es>, relay=mydomain.es[X.X.X.X.]:25,
> >delay=0.39, delays=0.09/0/0.22/0.08, dsn=5.0.0, status=bounced
> >(host mydomain.es[X.X.X.X.] said: 550-Please turn on SMTP
> >Authentication in your mail client, or login to the 550-IMAP/POP3
> >server before sending your message. 550-85.155.X.X.X.X
> >(mail.mydomain.es) [X.X.X.X]:60006 is 550 not permitted to relay
> >through this server without authentication. (in reply to RCPT TO
> >command))

Either add the un-munged IP address of B to A's mynetworks, or
configure B to authenticate at A. SOHO_README has the excerpt from
SASL_README which describes the latter. BASIC_CONFIGURATION_README
covers the former.

If B has a dynamic IP address, the former choice is generally not
ideal. But you can do what I did: connect both sites via a VPN
tunnel, relay through the tunnel, and put the tunnel's address in
mynetworks.

> >1) Relevant A main.cf config:

As the list welcome message advises, "postconf -n" is highly
preferred. Many times it exposes typos and syntax errors.

> >smtpd_tls_security_level = encrypt

This does not work for a general purpose MX host. Some clients
might not support TLS.

> >smtpd_sender_restrictions = hash:/etc/postfix/access

1. Deprecated syntax; this should be "check_sender_access
   hash:/etc/postfix/access".
2. Bad file naming! "access" could be anything. Give your maps
   sensible names, i.e., "sender_access", so you can tell at a
   glance what it is supposed to do.

> >smtpd_sasl_auth_enable = yes
> >smtpd_sasl_authenticated_header = yes
> >smtpd_sasl_security_options = noanonymous

It appears that you are using Cyrus SASL. (Why? What imapd are you
using?) Did you set it up properly?

> >smtpd_error_sleep_time = 2s
> >smtpd_soft_error_limit = 10
> >smtpd_hard_error_limit = 20

Typically you should not tinker with the defaults of these.

> >smtpd_helo_restrictions = permit_mynetworks

This does nothing at all.

> >2) Whole B main.cf config:
> >
> >config_directory = /etc/postfix
> >relayhost = 192.168.0.14

And 192.168.0.14 is the IP address you munged out above? Why?

If both hosts are on the same LAN, why not just use A directly? Why
do you think you need B?

> >myhostname = socks.mydomain.es
> >smtp_sasl_auth_enable = yes
> >smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
> >smtp_sasl_security_options = noanonymous
> >smtp_tls_security_level = encrypt
> >
> >Note: 192.168.0.14 is A.
> >
> >3) Content of /etc/postfix/sasl/passwd:
> >
> >192.168.0.14 b...@domain.es:password
> >
> >I'm using mailx command to send mails, for example:
> >
> ># echo "Bar" | mailx -s "Foo" postfix-...@gmail.com --tls=true

If your mailx(1) supports TLS, you probably also want to set a real
sender address when relaying outside your network.

> >Could someone tell me what am I doing wrong? I thought using
> >'smtp_sasl_auth_enable' at B would be enough to use SMTP
> >authentication, but it's not happening.
>
> Any idea about this? I'm really stuck, as I found an example at
> http://www.postfix.org/SASL_README.html with a very alike config,
> but I can't get this working.

Again, see the list welcome message or DEBUG_README.html#mail .
Saslfinger might be useful in your case.

> I'm adding a relevant config at the postfix server:

Yes, that WAS missing before. So is mynetworks.

> smtpd_recipient_restrictions =
>     check_recipient_access hash:/etc/postfix/valid_recipients

This is not safe. What's in that map? See
SMTPD_ACCESS_README.html#danger for an explanation of why.

>     permit_mynetworks
>     reject_sender_login_mismatch
>     permit_sasl_authenticated
>     reject_rbl_client bl.spamcop.net

I don't recommend Spamcop for use like this.

>     reject_rbl_client relays.ordb.org

This list shut down many years ago!

>     reject_rbl_client sbl.spamhaus.org

SBL still works but has been superseded by Zen.

>     check_policy_service unix:private/policy-spf
>     reject_unauth_destination

--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
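
The review points made about A's restriction lists (an access map evaluated before reject_unauth_destination, a DNSBL that has shut down, a map given without its check_*_access keyword) can be checked mechanically. The following is an added example, not part of the original message and not Postfix code: a small Python lint run over the restriction values quoted in the thread, with function names and finding labels that are assumptions chosen for illustration.

```python
import re

# Constructed sample input: the two settings quoted in the thread above.
RECIPIENT_RESTRICTIONS = """
    check_recipient_access hash:/etc/postfix/valid_recipients
    permit_mynetworks
    reject_sender_login_mismatch
    permit_sasl_authenticated
    reject_rbl_client bl.spamcop.net
    reject_rbl_client relays.ordb.org
    reject_rbl_client sbl.spamhaus.org
    check_policy_service unix:private/policy-spf
    reject_unauth_destination
"""
SENDER_RESTRICTIONS = "hash:/etc/postfix/access"

ACCESS_CHECK = re.compile(r"^check_\w+_access$")  # table lookups that may return OK
DEFUNCT_DNSBLS = {"relays.ordb.org"}              # named as shut down in the reply

def takes_argument(token):
    return bool(ACCESS_CHECK.match(token)) or token in (
        "reject_rbl_client", "check_policy_service")

def parse_restrictions(value):
    """Split a restriction list into (name, argument) pairs."""
    tokens = [t for t in re.split(r"[\s,]+", value.strip()) if t]
    items, i = [], 0
    while i < len(tokens):
        if takes_argument(tokens[i]) and i + 1 < len(tokens):
            items.append((tokens[i], tokens[i + 1]))
            i += 2
        else:
            items.append((tokens[i], None))
            i += 1
    return items

def lint(value):
    """Return (finding, detail) pairs; findings are prompts for review, not verdicts."""
    findings, relay_check_seen = [], False
    for name, arg in parse_restrictions(value):
        if name == "reject_unauth_destination":
            relay_check_seen = True
        elif ACCESS_CHECK.match(name) and not relay_check_seen:
            # Whether this opens a relay depends on what the map returns.
            findings.append(("access-before-relay-check", f"{name} {arg}"))
        elif name == "reject_rbl_client" and arg in DEFUNCT_DNSBLS:
            findings.append(("defunct-dnsbl", arg))
        elif ":" in name:
            findings.append(("bare-map", name))  # map with no check_*_access keyword
    return findings

if __name__ == "__main__":
    for finding in lint(RECIPIENT_RESTRICTIONS) + lint(SENDER_RESTRICTIONS):
        print(*finding, sep=": ")
```

The input is the value of a single restriction parameter; on a live host it can be taken from the `postconf -n` output the reply asks for.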