On Fri, Jul 27, 2012 at 01:24:12PM +0100, Nicolás wrote:
> On 26/07/2012 15:52, /dev/rob0 wrote:
> >On Thu, Jul 26, 2012 at 01:45:54PM +0100, Nicolás wrote:
> >>On 23/07/2012 12:13, Nicolás wrote:
> >>>I have a server with postfix with virtual users (using MySQL),
> >>>it's working ok, let's call it A. I also have a secondary server,
> >>>which I want to use to send mails even outside my local network,
> >>>let's call it B. So I'm trying to configure B to relay through A
> >>>to send e-mails. The problem is I have SMTP auth enabled on A and
> >>>I'm missing something at the config of B because I get this error:
> >>>
> >>>
> >
[ ... ]

Somewhere in the cut part was this log line:

> >Jul 23 11:50:41 mail postfix/smtp[9912]: D7429100B65:
> >to=<r...@socks.mydomain.es>, relay=mydomain.es[X.X.X.X.]:25,
> >delay=0.39, delays=0.09/0/0.22/0.08, dsn=5.0.0, status=bounced
> >(host mydomain.es[X.X.X.X.] said: 550-Please turn on SMTP
> >Authentication in your mail client, or login to the 550-IMAP/POP3
> >server before sending your message. 550-85.155.X.X.X.X
> >(mail.mydomain.es) [X.X.X.X]:60006 is 550 not permitted to relay
> >through this server without authentication. (in reply to RCPT TO
> >command))

That's a multi-line non-Postfix-looking rejection. Find the
correlated smtpd(8) log line from A and show it. Lose the munging.

> >Either add the un-munged IP address of B to A's mynetworks, or
> >configure B to authenticate at A. SOHO_README has the excerpt from
> >SASL_README which describes the latter. BASIC_CONFIGURATION_README
> >covers the former.
> >
> >If B has a dynamic IP address, the former choice is generally not
> >ideal. But you can do what I did: connect both sites via a VPN
> >tunnel, relay through the tunnel, and put the tunnel's address in
> >mynetworks.
>
> Yes, that's my fault as I didn't post my mynetworks line. The B
> server has a static private IP address, so I added the private range
> to it.
>
> mynetworks = 127.0.0.0/8 192.168.0.0/24

This would have fixed the relay failure, if in fact you were
attempting relay through A.

> I'm pasting my postconf -n at the end of the mail with the changes
> you advised me.

> >>>smtpd_sasl_auth_enable = yes
> >>>smtpd_sasl_authenticated_header = yes
> >>>smtpd_sasl_security_options = noanonymous
> >It appears that you are using Cyrus SASL. (Why? What imapd are
> >you using?) Did you set it up properly?
>
> I'm not using Cyrus SASL. My postfix is integrated with Dovecot
> so that's my imapd.

Apparently you ARE using Cyrus SASL. What is "postconf
smtpd_sasl_type" showing on A?

Do note that if B is going to authenticate at A, it must have Cyrus
SASL, because that is the only supported means of client SASL in
Postfix.

> >>>2) Whole B main.cf config:
> >>>
> >>>config_directory = /etc/postfix
> >>>relayhost = 192.168.0.14
> >And 192.168.0.14 is the IP address you munged out above? Why? If both
> >hosts are on the same LAN, why not just use A directly? Why do you
> >think you need B?
>
> That IP address is the server's. Both (server and client) machines
> are on the same LAN but the reason why I'm using B is because B has
> a bug-tracker installed on it sending mails on each update event.
> So I want to have it on a separate machine from A, because A is
> just the mail server and I would like to keep it that way, that's
> why I'm trying to relay B mails through A. That's the only idea I
> had, if you see any better solution I'll be glad to hear it.

Typically a nullclient implementation is simpler to set up, with
fewer moving parts and chances for disaster. There are lots of them
available. I don't have any to specifically recommend; maybe someone
else will?

> Finally my postconf -n, after changes:

> mynetworks = 127.0.0.0/8 192.168.0.0/24
> smtpd_recipient_restrictions = check_recipient_access
> hash:/etc/postfix/valid_recipients, reject_sender_login_mismatch,
> permit_mynetworks, permit_sasl_authenticated, reject_rbl_client
> zen.spamhaus.org, check_policy_service unix:private/policy-spf,
> reject_unauth_destination

These should permit relaying. Again, that "check_recipient_access
hash:/etc/postfix/valid_recipients" looks like trouble.

> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_security_options = noanonymous

smtpd_sasl_type is at the default. So is smtpd_sasl_path. Unless
overridden at compile time, Cyrus SASL is the default.

> transport_maps = mysql:/etc/postfix/mysql-virtual_transport.cf

Why are you using transport_maps?

Things turn ugly when transport_maps are unavailable, so it's
generally not recommended to have transport_maps in mysql. In fact,
IME transport_maps are widely misunderstood and overused. Most sites
should not need them.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
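
Added example, not part of the original message and not code from either poster: a small Python check for the two questions raised in the reply above, namely whether a postfix/smtp delivery actually went to B's configured relayhost, and whether the client address quoted in the rejection falls inside A's mynetworks. The log line is constructed (documentation-range addresses), and the regexes assume the log and reply layout shown in the thread and a relayhost given as a hostname or IPv4 literal.

```python
import ipaddress
import re

# Constructed sample modeled on the bounce quoted in the thread. The public
# addresses are documentation-range placeholders, not values from the post.
SAMPLE_LOG = (
    "Jul 23 11:50:41 mail postfix/smtp[9912]: D7429100B65: "
    "to=<user@example.org>, relay=mail.example.org[203.0.113.10]:25, "
    "delay=0.39, delays=0.09/0/0.22/0.08, dsn=5.0.0, status=bounced "
    "(host mail.example.org[203.0.113.10] said: 550-Please turn on SMTP "
    "Authentication in your mail client 550-198.51.100.7 (b.example.org) "
    "[198.51.100.7]:60006 is 550 not permitted to relay through this "
    "server without authentication. (in reply to RCPT TO command))"
)

RELAY_RE = re.compile(r"relay=(?P<host>[^\[\s,]+)\[(?P<ip>[^\]]+)\]:\d+")
STATUS_RE = re.compile(r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")
# Address the rejecting server reports for the client: "[ip]:port is ..."
SEEN_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ is ")
# Assumption: relayhost is a hostname or IPv4 literal, optional [] and :port.
RELAYHOST_RE = re.compile(r"\[?(?P<dest>[^\]:]+)\]?(?::\d+)?$")


def diagnose(log_line, relayhost, mynetworks):
    """Compare one postfix/smtp delivery line with B's relayhost and A's mynetworks."""
    relay = RELAY_RE.search(log_line)
    status = STATUS_RE.search(log_line)
    dest = RELAYHOST_RE.match(relayhost.strip())
    if not (relay and status and dest):
        raise ValueError("unparseable log line or relayhost")
    nets = [ipaddress.ip_network(n) for n in mynetworks.replace(",", " ").split()]
    seen = SEEN_RE.search(log_line)
    seen_ip = ipaddress.ip_address(seen["ip"]) if seen else None
    return {
        "dsn": status["dsn"],
        "status": status["status"],
        "relay_ip": relay["ip"],
        # False means the mail never went to the configured relayhost.
        "via_relayhost": dest["dest"] in (relay["ip"], relay["host"]),
        "client_seen": str(seen_ip) if seen_ip else None,
        # None when the reply does not quote a client address.
        "client_in_mynetworks": (
            any(seen_ip in net for net in nets) if seen_ip else None
        ),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "192.168.0.14", "127.0.0.0/8 192.168.0.0/24"))
```

A result with via_relayhost False and client_in_mynetworks False means the rejecting host is not the relayhost from main.cf and saw a client address that the mynetworks change does not cover.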