12

I am building a server using this config -> http://www.purplehat.org/?page_id=4 and when trying to test basic email capabilities I get -> NOQUEUE: reject: RCPT from when I try to send a test email.

Below are my related configs

How do I get postfix to send emails?

Logs output:

Feb 13 18:37:43 r2d2 dovecot: pop3-login: Login: user=<bra@telecomm.com>, method=PLAIN, rip=67.85.57.155, lip=107.191.60.48, mpid=13390, TLS, session=<QA0yiPwOiwBDVTmb>
Feb 13 18:37:43 r2d2 dovecot: pop3(bra@telecomm.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/4, size=68813
Feb 13 18:37:44 r2d2 postfix/smtpd[13391]: connect from ool-4355399b.dyn.optonline.net[67.85.57.155]
Feb 13 18:37:46 r2d2 postfix/smtpd[13391]: NOQUEUE: reject: RCPT from ool-4355399b.dyn.optonline.net[67.85.57.155]: 454 4.7.1 <bcddd214@yahoo.com>: Relay access denied; from=<bra@telecomm.com> to=<bcddd@yahoo.com> proto=ESMTP helo=<Bramini>
Feb 13 18:37:49 r2d2 postfix/smtpd[13391]: disconnect from ool-4355399b.dyn.optonline.net[67.85.57.155]

postconf -n

broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debug_peer_list = 127.0.0.1
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_owner = postfix
mailman_destination_recipient_limit = 1
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = ex-mailer.com
myhostname = r2d2.ex-mailer.com
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains = proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf list.ex-mailer.com
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_rbl_client list.dsbl.org, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
vacation_destination_recipient_limit = 1
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:125
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_limit_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_maildir_limit_message = Sorry, this user has overdrawn their diskspace quota. Please try again later.
virtual_minimum_uid = 125
virtual_overquota_bounce = yes
virtual_transport = virtual
virtual_uid_maps = static:125
postconf: warning: /usr/local/etc/postfix/main.cf: unused parameter: contencontent_filter=smtp-amavis:[127.0.0.1]:10024
postconf: warning: /usr/local/etc/postfix/main.cf: unused parameter: virtual_create_maildirsize=yes
postconf: warning: /usr/local/etc/postfix/main.cf: unused parameter: virtual_mailbox_extended=yes

The domain telecomm.com was defined in the relay_domains parameter. Here is the content of /usr/local/etc/postfix/mysql_relay_domains_maps.cf

 user = doughnuts
 password = [redacted]
 hosts = localhost
 dbname = postfix
 query = SELECT domain FROM domain WHERE domain="%s" and backupmx ="0" and active ="1"

netstat -an |less

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.587                  *.*                    LISTEN
tcp4       0      0 127.0.0.1.10025        *.*                    LISTEN
tcp4       0      0 *.465                  *.*                    LISTEN
tcp4       0      0 *.25                   *.*                    LISTEN
tcp4       0    128 107.191.60.48.2222     67.85.57.155.51823     ESTABLISHED
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
tcp6       0      0 ::1.53                 *.*                    LISTEN
tcp4       0      0 107.191.60.48.53       *.*                    LISTEN
tcp6       0      0 2001:19f0:7000:8.53    *.*                    LISTEN
tcp4       0      0 *.8282                 *.*                    LISTEN
tcp6       0      0 *.8282                 *.*                    LISTEN
tcp4       0      0 *.8181                 *.*                    LISTEN
tcp6       0      0 *.8181                 *.*                    LISTEN
tcp4       0      0 107.191.60.48.2222     67.85.57.155.57964     ESTABLISHED
tcp46      0      0 *.3306                 *.*                    LISTEN
tcp4       0      0 127.0.0.1.10024        *.*                    LISTEN
tcp6       0      0 *.993                  *.*                    LISTEN
tcp4       0      0 *.993                  *.*                    LISTEN
tcp6       0      0 *.143                  *.*                    LISTEN
tcp4       0      0 *.143                  *.*                    LISTEN

UPDATE 2/14/2015 1430 EST

Verbose logging output:

https://bpaste.net/show/6a2a70cb2ab5

By setting test computer IP to mynetworks = IP, you can see mail getting much farther through the system, but then chokes match classes. How do I force Postfix to match 0.0.0.0 any IP source /and destination domain?

cat /usr/local/etc/postfix/master.cf

# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

vacation  unix  -       n       n       -       -       pipe
  flags=DRhu user=vacation argv=/var/spool/vacation/vacation.pl

smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=2400
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

mailman unix - n n - - pipe
  flags=FR user=mailman:nobody
  argv=/usr/local/mailman/postfix-to-mailman.py ${nexthop} ${user}

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_data_restrictions=
  -o smtpd_sasl_authenticated_header=yes
  -o receive_override_options=no_address_mappings
  -o syslog_name=postfix/submission
mine
  • Neither from or to domains are local or configured as relay domains, therefore you get a relaying denied error – Dan Feb 13 '15 at 19:27
  • @Dan it is supposed to be mapping that information from MySQL. mysql_relay_domains_maps.cf o.0 – mine Feb 13 '15 at 19:52
  • @Dan and all database queries work as expected https://bpaste.net/show/e9be64528685 – mine Feb 13 '15 at 19:58
  • nyctelecomm.com (as in your db) and telecomm.com (as in your logs) are not the same domain – Dan Feb 13 '15 at 20:27
  • @Dan because bpaste deletes itself after 14 days. I don't want my data lingering on the www forever. One is edited, one is not :) – mine Feb 13 '15 at 20:28
  • @Dan you can see the queries hitting the database so postfix 'knows about' whom is authorized to send for. but postfix isn't using the information, just denying me https://bpaste.net/show/3fd3830402a7 – mine Feb 13 '15 at 20:44
  • `mysql_virtual_domains_maps.cf` content (without db password of course)? – Dan Feb 13 '15 at 20:50
  • @Dan https://bpaste.net/show/d6d20a188922 no errors when done manual in the MySQL console. – mine Feb 13 '15 at 21:09
  • Hmmm, I do not define the query itself, but use something like this https://bpaste.net/show/cf30f82a89e3 – Dan Feb 13 '15 at 21:22
  • @Dan, mysql maps like the above (without the `query` parameter) are also supported for backward compatibility. The docs suggest that you should use mysql maps with the `query` parameter http://www.postfix.org/mysql_table.5.html – masegaloeh Feb 13 '15 at 22:00
  • @mine, could you enable postfix verbose mode like instructed in this page http://www.postfix.org/DEBUG_README.html#debug_peer? And don't forget to share the logs – masegaloeh Feb 13 '15 at 22:04
  • @masegaloeh It is failing on mynetworks. I have deleted everything related to mynetworks from main.cf but cannot get it to quit inspecting IP address. every email sender is dynamic IP https://bpaste.net/show/d2cfc0115883 – mine Feb 13 '15 at 22:54
  • @Dan see above response – mine Feb 13 '15 at 22:55
  • Oh I see, your clients are not on local network, therefore they need to use smtp authentication. – Dan Feb 14 '15 at 07:34

3 Answers

10

FYI, 454 4.7.1 <someemail@example.com>: Relay access denied; was the result of defer_unauth_destination. It's slightly different from reject_unauth_destination: reject means a permanent error with code 550 and defer means a temporary error with code 450.

But wait..., I don't have any parameter that uses defer_unauth_destination. Where does the weird restriction come from?

Actually, postfix has one hidden restriction parameter called smtpd_relay_restrictions. It is a new feature, so older tutorials may not cover it. By default, smtpd_relay_restrictions has the value

# postconf smtpd_relay_restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

So, that explains where the defer_unauth_destination

But it didn't answer my question about my client getting rejected :(

The behavior of (defer|reject)_unauth_destination is documented in the postfix manual pages.

reject_unauth_destination

Reject the request unless one of the following is true:

  • Postfix is mail forwarder: the resolved RCPT TO domain matches $relay_domains or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
  • Postfix is the final destination: the resolved RCPT TO domain matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).

In simple terms: postfix will check the recipient address. If the domain part wasn't defined in relay_domains (or its subdomain), $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, then postfix will reject it.

In your logs above, the recipient was someone@yahoo.com, so it is obvious why postfix is rejecting it.

masegaloeh
  • I honestly thought you nailed it. I ran into a similar issue some time ago. I made the change, I tried setting mynetworks to 0.0.0.0 and I even copied a config that addresses the exact issue you brought to light. Same error :( https://bpaste.net/show/a26076c941b4 https://bpaste.net/show/6def40226cea – mine Feb 14 '15 at 01:15
  • Don't set mynetworks to 0.0.0.0/0. Your server will turn into an open relay – masegaloeh Feb 14 '15 at 01:44
  • Still, I really don't know what you are trying to do... Your statement about 'test basic email capabilities' was still vague. This answer only explains why you get the error. No solution given here yet... – masegaloeh Feb 14 '15 at 01:53
  • it's a standard mailserver on a public IP. All clients are dynamic and routable. I just need to find the 'send all' button (not the open relay). i.e. sasl auth. It's hitting the database fine. – mine Feb 14 '15 at 05:09
  • Good. Now, we need to verify that SASL auth was properly configured on both server and client. Could you verify it by following [this doc](http://www.postfix.org/SASL_README.html#server_test)? – masegaloeh Feb 14 '15 at 06:44
  • I connect but auth fails but I 'do' see the query hit the database! o.0 -> 535 5.7.8 Error: authentication failed: -> https://bpaste.net/show/529eb6ccc11e – mine Feb 14 '15 at 17:09
  • I went ahead and checked it as right answer even though my issue ended up being a broken variable on relay_recipient_maps from screen breaking lines when pasting a config. Your answer is sooo correct in soooo many ways. – mine Feb 14 '15 at 21:37
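
The relay decision described in the answer above, as an added example that is not part of the original thread and is not Postfix code. It is a simplified model of the default restriction list and goes beyond the single logged case; the domain lists come from the question's postconf output, while the function names and the 203.0.113.9 client are constructed for illustration.

```python
# Added example: simplified model of Postfix's default smtpd_relay_restrictions
# (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination).
# Function names are hypothetical; 203.0.113.9 is a constructed sample client.
import ipaddress

# relay_domains as described in the question (MySQL map entry plus static entry)
RELAY_DOMAINS = ["telecomm.com", "list.ex-mailer.com"]
# mydestination from the question's postconf -n output, expanded
FINAL_DOMAINS = ["r2d2.ex-mailer.com", "localhost.ex-mailer.com", "localhost"]
# IPv4 effect of mynetworks_style = host
MYNETWORKS = ["127.0.0.0/8"]

def authorized_destination(rcpt, relay_domains, final_domains):
    """True if the RCPT TO domain is one this server relays for or hosts."""
    local, _, domain = rcpt.lower().rpartition("@")
    if "@" in local:                 # sender-specified routing: user@elsewhere@domain
        return False
    if domain in final_domains:      # Postfix is the final destination
        return True
    # Postfix is a forwarder: relay_domains matches the domain or a subdomain
    return any(domain == d or domain.endswith("." + d) for d in relay_domains)

def relay_decision(client_ip, sasl_user, rcpt, mynetworks=MYNETWORKS):
    """Evaluate the restrictions left to right; the first decisive one wins."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in mynetworks):
        return "permit_mynetworks"
    if sasl_user:
        return "permit_sasl_authenticated"
    if authorized_destination(rcpt, RELAY_DOMAINS, FINAL_DOMAINS):
        return "authorized destination"
    return "454 4.7.1 Relay access denied"

if __name__ == "__main__":
    cases = [
        ("67.85.57.155", None, "bcddd@yahoo.com", MYNETWORKS),   # the logged attempt
        ("67.85.57.155", "bra@telecomm.com", "bcddd@yahoo.com", MYNETWORKS),
        ("203.0.113.9", None, "bra@telecomm.com", MYNETWORKS),   # inbound mail
        ("203.0.113.9", None, "bcddd@yahoo.com", ["0.0.0.0/0"]), # open relay
    ]
    for case in cases:
        print(case, "->", relay_decision(*case))
```

The last case shows why widening mynetworks to 0.0.0.0/0 is not a fix: every unauthenticated client is permitted before the destination check is ever reached.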
1

I'm using THUNDERBIRD as MUA and I have the same issues. I solved it by adding the IP address of my home PC to the mynetworks parameter in main.cf

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 MyIpAddress

P.S. I don't have a static IP for my home PC, so when my ISP changes it I have to adjust it every time.

0

FWIW adding the below worked for me. I am using an spf checker which is the need for the check_policy_service. My client is squirrelmail and my server postfix.

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_policy_service unix:private/policyd-spf