Postfix Relay access Denied

#1 Wed, 10/29/2008 - 08:03
FilipeLacerda

Postfix Relay access Denied

I have tried for 2 weeks to fix this and am losing the will to live so any help will be gratefully received.

Postfix and Dovecot are running on my Centos 5 box. Sending and receiving emails using Usermin works fine and I can also connect to the server using Eudora and Outlook to receive emails from the server.

However I cannot send mail from Outlook or Eudora no matter what setting I use in the ...

Tue, 06/26/2007 - 03:25
FilipeLacerda

I've tried to manually configure main.cf of postfix... but with no success...

readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Tue, 06/26/2007 - 03:30 (Reply to #2)
Joe

Is your mail client configured to use SMTP authentication when sending? This is required.

If not, you'll need to enable it--the username and password are the same as your POP/IMAP login.

If so, then we'll need to see the /var/log/maillog during a failed send attempt.

--

Check out the forum guidelines!

Tue, 06/26/2007 - 03:30 (Reply to #3)
FilipeLacerda

Well....

Now I have it like this:

readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
home_mailbox = Maildir/
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
virtual_alias_maps = hash:/etc/postfix/virtual

Tue, 06/26/2007 - 04:28 (Reply to #4)
FilipeLacerda

This is what I get from maillog....

And after putting authentication in SMTP, using the same login and password, I cannot send, as it does not allow me to "login"??

Jun 26 03:26:27 hosting postfix/smtpd[2762]: warning: unknown[85.138.60.160]: SASL PLAIN authentication failed: authentication failure
Jun 26 03:26:28 hosting postfix/smtpd[2762]: disconnect from unknown[85.138.60.160]
Jun 26 03:26:48 hosting dovecot: pop3-login: Login: user=<filipe.lacerda@lusolabs.com>, method=PLAIN, rip=::ffff:85.138.60.160, lip=::ffff:82.103.137.132, TLS
Jun 26 03:26:48 hosting postfix/smtpd[3098]: connect from unknown[85.138.60.160]
Jun 26 03:26:49 hosting dovecot: POP3(filipe.lacerda@lusolabs.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jun 26 03:26:49 hosting postfix/smtpd[3098]: NOQUEUE: reject: RCPT from unknown[85.138.60.160]: 554 5.7.1 <semedos@semedos-pub.com>: Relay access denied; from=<filipe.lacerda@lusolabs.com> to=<semedos@semedos-pub.com> proto=ESMTP helo=<IBM.lan>
Jun 26 03:26:49 hosting postfix/smtpd[3098]: disconnect from unknown[85.138.60.160]
Jun 26 03:26:49 hosting postfix/smtpd[2762]: connect from unknown[85.138.60.160]
Jun 26 03:26:49 hosting postfix/smtpd[2762]: NOQUEUE: reject: RCPT from unknown[85.138.60.160]: 554 5.7.1 <joe@virtualmin.com>: Relay access denied; from=<filipe.lacerda@lusolabs.com> to=<joe@virtualmin.com> proto=ESMTP helo=<IBM.lan>
Jun 26 03:26:49 hosting postfix/smtpd[2762]: disconnect from unknown[85.138.60.160]
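
The maillog excerpt above can be read mechanically. The following Python sketch is an added example, not part of the original posts: it groups Postfix and Dovecot events by client address and flags a client whose SMTP AUTH fails while its mailbox login succeeds. The regular expressions assume the line formats shown in the excerpt, the labels returned by `diagnose` are this sketch's own, and the sample line for client 192.0.2.10 is constructed.

```python
import re
from collections import defaultdict

# The first four lines are copied from the maillog excerpt above; the last one
# (client 192.0.2.10) is constructed to show a client that never tried AUTH.
SAMPLE_LOG = """\
Jun 26 03:26:27 hosting postfix/smtpd[2762]: warning: unknown[85.138.60.160]: SASL PLAIN authentication failed: authentication failure
Jun 26 03:26:48 hosting dovecot: pop3-login: Login: user=<filipe.lacerda@lusolabs.com>, method=PLAIN, rip=::ffff:85.138.60.160, lip=::ffff:82.103.137.132, TLS
Jun 26 03:26:49 hosting postfix/smtpd[3098]: NOQUEUE: reject: RCPT from unknown[85.138.60.160]: 554 5.7.1 <semedos@semedos-pub.com>: Relay access denied; from=<filipe.lacerda@lusolabs.com> to=<semedos@semedos-pub.com> proto=ESMTP helo=<IBM.lan>
Jun 26 03:26:49 hosting postfix/smtpd[2762]: NOQUEUE: reject: RCPT from unknown[85.138.60.160]: 554 5.7.1 <joe@virtualmin.com>: Relay access denied; from=<filipe.lacerda@lusolabs.com> to=<joe@virtualmin.com> proto=ESMTP helo=<IBM.lan>
Jun 26 03:30:00 hosting postfix/smtpd[3200]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <user@example.org>: Relay access denied; from=<a@example.net> to=<user@example.org> proto=ESMTP helo=<pc.example.net>
"""

SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: SASL \S+ authentication failed")
RELAY_DENIED = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"554 5\.7\.1 <(?P<rcpt>[^>]*)>: Relay access denied")
MAILBOX_LOGIN = re.compile(
    r"dovecot: (?:pop3|imap)-login: Login: user=<(?P<user>[^>]*)>, method=\S+, "
    r"rip=(?:::ffff:)?(?P<ip>[^,\s]+)")


def triage(log_text):
    """Group SASL failures, relay denials and mailbox logins by client IP."""
    clients = defaultdict(
        lambda: {"sasl_failures": 0, "relay_denied": [], "mailbox_logins": set()})
    for line in log_text.splitlines():
        if m := SASL_FAIL.search(line):
            clients[m["ip"]]["sasl_failures"] += 1
        elif m := RELAY_DENIED.search(line):
            clients[m["ip"]]["relay_denied"].append(m["rcpt"])
        elif m := MAILBOX_LOGIN.search(line):
            clients[m["ip"]]["mailbox_logins"].add(m["user"])
    return dict(clients)


def diagnose(entry):
    """Heuristic label for one client's events (labels are this sketch's own)."""
    if not entry["relay_denied"]:
        return "no-relay-denial"
    if entry["sasl_failures"] == 0:
        # No failed AUTH logged: the client most likely sent no credentials.
        return "client-not-authenticating"
    if entry["mailbox_logins"]:
        # Dovecot accepted a login from this address while SMTP AUTH failed:
        # check the SASL backend Postfix uses before blaming the password.
        return "smtp-auth-backend-mismatch"
    return "credentials-rejected"


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, diagnose(entry), entry["relay_denied"])
```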

Tue, 06/26/2007 - 06:18 (Reply to #5)
Joe

Hey Filipe,

Looks like maybe you're using @ in usernames. There's a FAQ about this.

If your OS has a reasonably new version of saslauthd, you have to pass it a parameter to tell it to accept names like this (it's generally a problematic choice and quite a few pieces of software will fight against it).

Edit the file /etc/sysconfig/saslauthd on Red Hat based systems or /etc/default/saslauthd on Debian based systems. Add the "-r" option to either the "FLAGS" line on RH based systems or the "PARAMS" or "OPTIONS" line on Debian based systems. Restart saslauthd, and give it another try.

This will be automatically added during installation in the next release of the virtualmin-base package--I've had to do a bit of digging to figure out which versions of saslauthd are affected (the rest would be confused by the -r option).


Tue, 06/26/2007 - 14:00 (Reply to #6)
FilipeLacerda

Hello JOE

Well... I decided to REinstall the whole server again... a fresh new installation of CentOS 5 64-bit, SELinux disabled and straight to "wget--- your script"... It is installing everything from scratch. Nice to see all the hard work being done with one script. However, I did two things first.
First: vi /etc/hosts, in order to define the IPs and various hostnames.
Second: I've added virtual IP addresses (2) so I can use them in the future as NS1 and NS2 of my domain and server, as well as NS service for my clients.

As for now... the script install runs smooth... :)
I'll catch this post up with new upcoming events :)

But I need some help here in order not to get the relay access denied AGAIN.

I'll try to connect using SMTP authentication... but must I go somewhere else and change something??? (One more thing... should the SMTP authentication be plain?)

Thanks Filipe

Tue, 06/26/2007 - 14:04 (Reply to #7)
FilipeLacerda

By the way... the last installation was made by myself using
"http://www.howtoforge.com/perfect_setup_centos5.0_p3", which is for ISPConfig... and then I put Virtualmin GPL, and then upgraded to Virtualmin PRO.

Maybe it was so messy that the server got confused... or me?!?!

Then again... thanks

Tue, 06/26/2007 - 22:42 (Reply to #8)
Joe

Oh, yeah, regarding the HowtoForge article...yeah, a Virtualmin system is not entirely consonant with the way they set things up in that example. It's not a bad article--a lot of valid advice is to be found there--but there are a few technical differences in the way Virtualmin works vs. the way ISPConfig works (I've never used ISPConfig...I only guess based on a glance over that article).

I should probably write up some similar articles for Virtualmin GPL on HowtoForge. We've started hearing from quite a few people who go through that process before settling on Virtualmin (either GPL or Professional), to get all of the features they need or want. Might as well save folks some time, and allow them to start with Virtualmin, even if they want to stick to only Open Source tools.


Tue, 06/26/2007 - 22:36 (Reply to #9)
Joe

Hey Filipe,

Yes, when you use @ in the username on CentOS 5, a change is needed to /etc/sysconfig/saslauthd. This will be fixed in the next release of virtualmin-base, but right now, you'll need to edit /etc/sysconfig/saslauthd, find the line that starts with FLAGS=, and add "-r". So, you'd make it:

FLAGS="-r"

The quotes might not be necessary, but they shouldn't hurt anything. If you don't use @ in usernames, you don't need to do this step.


Tue, 06/26/2007 - 04:31 (Reply to #10)
FilipeLacerda

And then I get a message box saying... unable to authenticate in SMTP server... please introduce the password for the user X.

I've reset the password using Webmin already... and nothing :(

Tue, 06/26/2007 - 05:00 (Reply to #11)
FilipeLacerda

I give up

I've put Outlook Express and Evolution trying to authenticate... and nothing...

Wed, 06/27/2007 - 22:41 (Reply to #12)
FilipeLacerda

Hello Joe

Thanks for the replies.

The reinstallation went OK, but the import of cPanel accounts did not go quite well, with me having to knock down some mailboxes and rebuild them from scratch.

I'll do that FLAGS="-r" thing...

But now I have another problem:

For example, we have configured an email like teste@emotions.pt

To connect to that via webmail SquirrelMail or Outlook, we use teste.emotions for POP and SMTP authentication.

What happens is, I send an email to teste@emotions.pt from a Gmail account. It goes well, I reply to it, and in the Gmail account I receive an email not from teste@emotions.pt, but from teste.emotions@emotions.pt. When making a reply to this last email, in Gmail and other programs, I receive the following:

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

teste.emotions@emotions.pt

Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 13): 550 5.1.1 <teste.emotions@emotions.pt>: Recipient address rejected: User unknown in virtual alias table

----- Original message -----

Received: by 10.100.191.5 with SMTP id o5mr430934anf.1182961757403;
Wed, 27 Jun 2007 09:29:17 -0700 (PDT)
Received: by 10.100.108.3 with HTTP; Wed, 27 Jun 2007 09:29:17 -0700 (PDT)
Message-ID: <7ba8dc730706270929g1bf4b43el58e5ccf52574acf7@mail.gmail.com>
Date: Wed, 27 Jun 2007 17:29:17 +0100
From: "Filipe L" <lipinho69@gmail.com>
To: "teste.emotions@emotions.pt" <teste.emotions@emotions.pt>
Subject: Re: boa tarde 2 vindo do webmail emotion
In-Reply-To: <1255.85.139.174.153.1182961729.squirrel@www.emotions.pt>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_45241_32195154.1182961757369"
References: <1255.85.139.174.153.1182961729.squirrel@www.emotions.pt>

------=_Part_45241_32195154.1182961757369
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

recebido

On 6/27/07, teste.emotions@emotions.pt <teste.emotions@emotions.pt> wrote:
>
> boa tarde 2 vindo do webmail emotion

----- Message truncated -----

----------------------------------------------

Meaning that the emails that are getting out of the server are getting a mask on top of the.

Filipe.lacerda@lusolabs.com is my email... in Gmail I receive it as if the sender were filipe.lacerda.lusolabs@lusolabs.com. The pattern is name.surname.domain@domain.tld instead of name.surname@domain.tld, because that's how the mail account is configured.

Anything to do with the FLAGS thing????

Thanks

Wed, 06/27/2007 - 23:01 (Reply to #13)
FilipeLacerda

Hello Joe,

After the FLAGS thing, I've tried to log in with filipe.lacerda@lusolabs.com via webmail and no can do... :(

I went reading the man file for the sasl and saw this

"...

-r Combine the realm with the login (with an '@' sign in between).
e.g. login: "foo" realm: "bar" will get passed as login:
"foo@bar". Note that the realm will still be passed, which may lead to unexpected behavior.

..."

This behavior gave me and my clients this error on the login page....
It is here below:

ERROR:
ERROR: Could not complete request.
Query: LIST "" "Sent"
Reason Given: Internal error occurred. Refer to server log for more information. [2007-06-27 22:00:25]

So, the FLAGS option did not work out on webmail... Still don't know how it will behave with sending the emails...

Wed, 06/27/2007 - 23:26 (Reply to #14)
Joe

Hey Filipe,

Maybe I'd better drop in and straighten all of this out for you. ;-)

Looks like a combination of a few quirks of using @ in usernames. Some webmail clients need extra modules installed to get the logins and outgoing stuff right, some need canonical maps to be setup (Virtualmin can do that for you, but I don't think we enable it by default, as @ in usernames isn't really a good idea on a lot of levels). It's all pretty easy to fix, but it's hard to guess at exactly which combination of components you're dealing with here and remember exactly what needs to be done for any given combination of software. If I'm looking at it, I can probably get it fixed in a couple of minutes.

If you'll send over the IP and login details to joe@virtualmin.com I can take a look right away.


Wed, 06/27/2007 - 23:41 (Reply to #15)
FilipeLacerda

Joe,

I've sent you the access for the server via email.

I'm here on this side to make whatever tests that are needed...
thanks

Thu, 06/28/2007 - 00:27 (Reply to #16)
FilipeLacerda

Hello Joe,

So, any news? Can I help on this side?

Thanks

Thu, 06/28/2007 - 00:35 (Reply to #17)
Joe

Hey Filipe,

It's underway. It's not at all @ in username issues. You're not using @ in usernames (at least not in the domain I'm looking at). That's good. Easier to figure things out and fix them. ;-)


Thu, 06/28/2007 - 00:45 (Reply to #18)
Joe

Ok, Usermin webmail is fixed. The defaults are apparently being left to the sendmail settings on install! I can't believe we haven't heard lots of complaining about this! It's kind of irritating, isn't it? ;-)

I'm checking out SMTP auth and such now. Will let you know what I figure out.


Thu, 06/28/2007 - 00:56 (Reply to #19)
FilipeLacerda

Ok,

The flags stuff was written by me like you proposed...
The server had a reboot after that, made by me. At www.lusolabs.com/webmail, I can enter with filipe.lacerda@lusolabs.com the email client, SquirrelMail, installed via your scripts.

Are you suggesting also that users should use Usermin webmail?
I think its access is www.lusolabs.com port 20000, right?

thanks

Thu, 06/28/2007 - 01:00 (Reply to #20)
Joe

Hehehe...Yeah, we're not doing a very good job marketing Usermin, are we? It's the preferred webmail for Virtualmin systems (and it does a lot more). We think it's superior to Squirrel for most folks. Squirrel is a fine product, and many, possibly most, of our users do prefer it--but we're improving Usermin at a more rapid pace than the development on Squirrel is progressing, so at some point we'll have such a clearly superior tool that the world will beat a path to our door... ;-)

Anyway, Squirrelmail takes a bit of its own tweaking to get the username stuff right. We've started installing the virtual login plugin that addresses the problem, but maybe we're not configuring it right by default. I'll take a look at that next.


Thu, 06/28/2007 - 01:04 (Reply to #21)
FilipeLacerda

Hello again,

I've made some tests sending emails and figured out that using Usermin webmail like www.lusolabs.com:20000, it now does not send emails like filipe.lacerda.lusolabs@lusolabs.com, and sends them well with filipe.lacerda@lusolabs.com

That's wonderful!!!! :D

So now I just have to tell my clients to use port :20000? And they can read and send their mails OK?

I'm testing now the mail for emotions.pt ;)

Filipe

Thu, 06/28/2007 - 01:11 (Reply to #22)
FilipeLacerda

Didn't see your last post before writing my last one...

Lovely!

Well, now the tests using Usermin webmail for the following user

user:florence.ricou.emotions
pass:florence

returns this in the inbox panel:

An error occurred listing mail in this folder : Failed to login to POP3 server : Internal error occurred. Refer to server log for more information. [2007-06-28 00:08:10]

-----------------------------

This account has been migrated from cPanel.

All of the email accounts except one have this problem.
The following login:
user:johan.ricou.emotions
pass:johan

has no problems, because I deleted it and then recreated it in the Virtualmin panel.

Thanks

Filipe

Thu, 06/28/2007 - 01:41 (Reply to #23)
FilipeLacerda

Ok,

The domains kadeos.pt and kadeos.be were both migrated from a cPanel account. Both email accounts from these domains will have to be recreated, I think... :(

Joe,

I've been migrating a client for the past 36 hours... I need some hours of sleep. Feel free to dig into the server and let me know your conclusions.

Many thanks for solving my mail problems with Usermin. Any tests that you think I need to do, let me know, and I'll do them in a few hours...

Filipe

Thu, 06/28/2007 - 02:29 (Reply to #24)
Joe

> the domain kadeos.pt and kadeos.be, were both migrated from cpanel account. Both email accounts from these domains will have to be recreated, i think... :(

Don't do that. We need to make cPanel migrations work correctly. If it doesn't, then it's our fault and we'll fix it.


Thu, 06/28/2007 - 01:46 (Reply to #25)
FilipeLacerda

By the way,

Using Evolution for the account filipe.lacerda.lusolabs I'm not able to use POP3 or IMAP and SMTP... maybe you're digging into the server and the services are not running?

OK... definitely I need some sleep.

Thanks for everything.

Thu, 06/28/2007 - 02:33 (Reply to #26)
Joe

> using evolution for the account filipe.lacerda.lusolabs i'm not being able to pop3 or imap and smtp usage.... maybe you're digging into the server and the services are not running?

POP3/IMAP and SMTP are working for me, but I'll double-check before calling it done.

SMTP auth was broken for Outlook (but probably not others) before I started poking around. It led to the discovery of a new bug in our installer on 64 bit systems--there are three (count'em, one, two, three!) smtpd.conf files for saslauthd on your system, and only one of them actually affects the configuration of the service. Our installer changed the wrong one (it's a poor shell script, how is it supposed to read the minds of the Red Hat developers and figure out why the heck there are three of the darned things?!?!). Anyway, I'm working on a new version that will find and modify all of them.


Fri, 06/29/2007 - 00:26 (Reply to #27)
FilipeLacerda

Hello again Joe,

I've seen that you are still logged on the server... How is everything?

Filipe

Fri, 06/29/2007 - 00:57 (Reply to #28)
Joe

Hey Filipe,

Yes, I wanted to poke at the cPanel migrated users some more. I'm not seeing any problems with them (I reset the password for one of the contact. addresses, and it worked fine...I've set it back now). Maybe the passwords aren't what you think, and need to be reset?

What error do you get in the /var/log/maillog when you try to check mail?

I'll also fix SquirrelMail while I'm logged in. Not sure what to make of the error it's producing.


Fri, 06/29/2007 - 01:05 (Reply to #29)
Joe

Nevermind. The squirrelmail error isn't weird after all. The quota for your site is too small! I set it to unlimited and SquirrelMail is working fine. I'm looking into why the virtusertable plugin isn't working.

Any other outstanding issues?


Fri, 06/29/2007 - 01:08 (Reply to #30)
FilipeLacerda

I've sent you an email

subject : CPANEL migrations

thanks

Fri, 06/29/2007 - 23:14 (Reply to #31)
FilipeLacerda

Hello Joe,

Did you get my mail?

thanks

Sun, 06/07/2009 - 07:15 (Reply to #32)
ikvat

Hi all
I have a lot of trouble configuring the main.cf postfix file.
I use an etch installed with a howtoforge tuto too. I use Virtualmin GPL because I'm not a professional webmaster (it's just a hobby).

My configuration looks like this:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = ns24588.ovh.net, localhost.ovh.net, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a $EXTENSION
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = ipv4
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
mail_spool_directory = /home/mail

Is it right?
Best
Olivier
France

Thu, 09/20/2007 - 06:51 (Reply to #33)
ikvat

PS, I can send e-mails but not receive them, and have the following message

> Reporting-MTA: dns;bay0-omc1-s24.bay0.hotmail.com
> Received-From-MTA: dns;BAY141-W27
> Arrival-Date: Thu, 20 Sep 2007 07:29:06 -0700
>
> Final-Recipient: rfc822;bulve@labas-lietuva.com
> Action: failed
> Status: 5.7.1
> Diagnostic-Code: smtp;554 5.7.1 <bulve@labas-lietuva.com>: Relay access denied

Wed, 12/26/2007 - 11:16 (Reply to #34)
fuzzie

I am using Deb4 and GPL. I just migrated from cPanel and can send mail, but can't receive it.
Some accounts get Diagnostic-Code: smtp; 554 5.7.1 <user@domain.com>: Relay access denied and others just can't access mail through their client (although the virtualmin web interface can see the new mail).
Very weird. Any ideas on what I am missing?
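
Whether a main.cf like the one posted above answers a given sender with "Relay access denied" follows from walking smtpd_recipient_restrictions in order. The following Python model is an added example, not code from Postfix or Virtualmin; it covers only the three restrictions that appear in this thread, and the client address 203.0.113.5 and the `virtual_domains` argument are assumptions of the sketch.

```python
import ipaddress
import re

# Copied from the main.cf posted above (only the parameters this model reads).
MAIN_CF = """\
mydestination = ns24588.ovh.net, localhost.ovh.net, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
"""


def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the previous one."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
        else:
            name, _, value = raw.partition("=")
            last = name.strip()
            params[last] = value.strip()
    return params


def words(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [w for w in re.split(r"[,\s]+", value) if w]


def check_rcpt(params, client_ip, sasl_authenticated, rcpt, virtual_domains=()):
    """Simplified first-match walk over smtpd_recipient_restrictions.

    virtual_domains is an assumption of this sketch: the domains Postfix finds
    in its virtual maps (virtual_alias_domains defaults to $virtual_alias_maps).
    Table lookups, $variable expansion and subdomain matching are not modelled.
    """
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n, strict=False)
            for n in words(params.get("mynetworks", "")) if n[0].isdigit()]
    local = {d.lower() for d in words(params.get("mydestination", ""))}
    local |= {d.lower() for d in words(params.get("relay_domains", ""))}
    local |= {d.lower() for d in virtual_domains}
    domain = rcpt.rsplit("@", 1)[-1].lower()

    for rule in words(params.get("smtpd_recipient_restrictions", "")):
        if rule == "permit_mynetworks" and any(ip in n for n in nets):
            return ("permit", rule)
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return ("permit", rule)
        if rule == "reject_unauth_destination" and domain not in local:
            return ("reject", "554 5.7.1 Relay access denied")
    return ("permit", "end of list")


if __name__ == "__main__":
    cfg = parse_main_cf(MAIN_CF)
    # Inbound mail from an outside MTA (constructed address) for a hosted domain.
    print(check_rcpt(cfg, "203.0.113.5", False, "bulve@labas-lietuva.com"))
    print(check_rcpt(cfg, "203.0.113.5", False, "bulve@labas-lietuva.com",
                     virtual_domains=["labas-lietuva.com"]))
    # Outbound mail from a remote mail client, without and with SMTP AUTH.
    print(check_rcpt(cfg, "85.138.60.160", False, "joe@virtualmin.com"))
    print(check_rcpt(cfg, "85.138.60.160", True, "joe@virtualmin.com"))
```

In this model, widening mynetworks would permit every unauthenticated client in the added range, which is the open-relay direction; the other two outcomes depend on SMTP AUTH succeeding or on the recipient domain being one the server knows as its own.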

Thu, 10/30/2008 - 02:12 (Reply to #35)
betgizmo

Joe, can you make a small change to my post title so it will show and be correctly linked from the summary page please. As the forum gets confused because it has the same title as another post.

Wed, 10/29/2008 - 08:12
andreychek

Agreed, you certainly don't want it to be an open relay.

Just to verify, when setting up Outlook and such, you checked the option to have it authenticate when sending email?

Also, when you try to send an email and it fails, in theory you should see an error in the logs (either /var/log/secure or /var/log/maillog, depending on the exact problem).

Do you see anything in those logs around the time you try to send?

Lastly, do you see saslauthd running? You can type this to see:

ps auxw | grep saslauth

Paste in the output there if you can, the options it's using can matter.

Thanks!
-Eric

Wed, 10/29/2008 - 14:39 (Reply to #37)
Joe

Are you using mailboxes with @ in the username? If so, there's a FAQ for you:

http://www.virtualmin.com/documentation/id,frequently_asked_questions/#w...


Topic locked