Postfix reject relay for Squirrelmail/mail clients!

tpe · 06-05-2008, 08:06 AM

Dear all,
My setup is:
Centos 5,
Postfix/Dovecot/Squirrelmail (1.4.0).
Postfix is configured to accept email only for existing unix users.
Aliases domains are set up as "mydestination" parameters.

What I can do:

trickykid · 06-05-2008, 08:50 AM

When is this error occurring or what is the exact error, sending or receiving email to your domain?

tpe · 06-05-2008, 08:55 AM

Dear all,
My setup is:

Centos 5,
Postfix/Dovecot/DSpam/Squirrelmail (1.4.0).

Postfix is configured to accept email only for existing unix users.
Aliases domains are set up as "mydestination" parameters. The file contains:

Code:

mydestination1.com
 mydestination2.com
 mydestination3.com

What I can do:

I can receive emails that their destination is a 'virtual user' (meaning a unix account to a domain listed in the mydestination file) such as:
joedoe@domain.com,
joedoe@mydestination1.com,
joedoe@mydestination2.com, etc.
I can use mutt to sent/receive mails.
I can use squirrelmail to read mails.
I can use squirrelmail to send e-mails to local users.
I can use squirrelmail to send e-mails to users@mydestination*.com.

What I CANNOT do:

Send emails from telnet localhost smtp!
Send emails from squirrel
Send emails from KMail/Thunderbird/Evolution/Outlook!

Before anyone ask, I have even tried to use SSH tunnels but no luck (of course, since the telnet is not actually working!).

The main.cf file is:

Code:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix

myorigin = domain.com
proxy_interfaces = 192.168.0.1
mydestination = /etc/postfix/virtuals/destinations

mynetworks = 192.168.0.0/24, 127.0.0.0/8, 111.112.113.114 #Natted real IP of the server
relay_domains = $mynetworks

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

local_recipient_maps = unix:passwd.byname

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
notify_classes = resource, software, delay

home_mailbox = Mail/

smtpd_helo_required     = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes

unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554
unknown_local_recipient_reject_code = 550

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit

smtpd_recipient_restrictions =
	reject_non_fqdn_sender,
	reject_non_fqdn_recipient,
	reject_unknown_recipient_domain,
	reject_unknown_sender_domain,
	reject_unknown_recipient_domain,
	reject_rbl_client multihop.dsbl.org,
	reject_unauth_destination,
	permit_mx_backup,
	permit_mynetworks

smtpd_client_restrictions = permit_mynetworks
       check_client_access pcre:/etc/postfix/dspam_filter_access

smtpd_sender_restrictions = reject_non_fqdn_sender,
							reject_unknown_sender_domain

dspam_destination_recipient_limit = 1

Example of 'telnet' failure:

Code:

telnet 127.0.0.1 smtp
Trying 127.0.0.1...
Connected to SERVER1.DOMAIN.COM (127.0.0.1).
Escape character is '^]'.
220 SERVER1.DOMAIN.COM ESMTP Postfix
EHLO 111.112.113.114
250-SERVER1.DOMAIN.COM
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: <testaccount@SERVER1.DOMAIN.COM>
250 2.1.0 Ok
RCPT TO: <myaccount@yahoo.com>
554 5.7.1 <myaccount@yahoo.com>: Relay access denied

The maillog for that session was:

Code:

Jun  5 15:52:39 SERVER1 postfix/smtpd[22534]: connect from SERVER1.DOMAIN.COM[127.0.0.1]
Jun  5 15:53:35 SERVER1 postfix/smtpd[22534]: NOQUEUE: reject: RCPT from SERVER1.DOMAIN.COM[127.0.0.1]: 554 5.7.1 <myaccount@yahoo.com>: Relay access denied; from=<testaccount@SERVER1.DOMAIN.COM> to=<myaccount@yahoo.com> proto=ESMTP helo=<111.112.113.114>
Jun  5 15:54:09 SERVER1 postfix/smtpd[22534]: disconnect from SERVER1.DOMAIN.COM[127.0.0.1]

Now, from squirrelmail:
The maillog output is:

Code:

Jun  5 16:50:46 SERVER1 postfix/smtpd[23736]: connect from SERVER1.ROTA.GR[127.0.0.1]
Jun  5 16:50:53 SERVER1 postfix/smtpd[23736]: NOQUEUE: reject: RCPT from SERVER1.DOMAIN.COM[127.0.0.1]: 554 5.7.1 <myaccount@yahoo.com>: Relay access denied; from=<testaccount@mydestination1.com> to=<myaccount@yahoo.> proto=ESMTP helo=<111.112.113.114>

The email clients, receive the 554 Relay access denied message when users press the "Sent" button.

My apologies for the large post, but I wanted to be as detailed as possible. Please inform me if you need more information.

Any help would be appreciated.

trickykid · 06-05-2008, 08:55 AM

Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread is being closed because it is a duplicate.

I've reported this thread to be merged with your existing one you already created.

tpe · 06-05-2008, 09:04 AM

The previous post was accidentally sent. This is the correct post.

trickykid · 06-05-2008, 09:14 AM

Quote:

Originally Posted by tpe

The previous post was accidentally sent. This is the correct post.

Well, they're destined to be merged. Think before hitting the post button please.

jtshaw · 06-05-2008, 11:07 AM

Quote:

Originally Posted by trickykid

Well, they're destined to be merged. Think before hitting the post button please.

and we are all merged up...

tpe · 06-05-2008, 03:34 PM

I do know that the issue can be solved. Any ideas?

Mr. C. · 06-06-2008, 04:06 PM

You are confusing two difference address classes. You say:

Quote:

Postfix is configured to accept email only for existing unix users.
Aliases domains are set up as "mydestination" parameters. The file contains:

However, mydestination settings are for the "local" address class, which means those accounts defined in /etc/passwd.

If the domains listed in the file /etc/postfix/virtuals/destinations are indeed real local users, perhaps the /etc/postfix/virtuals directory is not the best named location.

The error:

Quote:

NOQUEUE: reject: RCPT from SERVER1.DOMAIN.COM[127.0.0.1]:
554 5.7.1 <myaccount@yahoo.com>: Relay access denied;
from=<testaccount@SERVER1.DOMAIN.COM> to=<myaccount@yahoo.com>
proto=ESMTP helo=<111.112.113.114>

is telling you that postfix thinks you are trying to *relay* mail as opposed to send mail to another MTA. This occurs because your recipient restrictions contain:

Code:

smtpd_recipient_restrictions =
...
	reject_unauth_destination,
...
	permit_mynetworks

which rejects your system since yahoo.com is not part of mydestination. You need permit_mynetworks *before* reject_unauth_destination.

MrC

cc_karthik · 06-07-2008, 02:09 AM

Can u send the squirrel mail configuration

halvorls · 06-07-2008, 06:45 PM

Can you post a complete main.cf file, so i can look at this and set up my postfix?

tpe · 06-08-2008, 04:25 AM

halvorls: The main.cf IS posted!
cc_karthik: This is not the problem. Squirrelmail has other issues, but that's another post.

Mr. C.: MANY Thanks!
The problem WAS the order of the reject/permit. Changing the order the e-mail was sent. However, I still do not know if I will have spam/relay issues or not. Of course relay abuse reports that the server is not an open relay, thus, I suppose that it's OK.

Mr. C. · 06-09-2008, 12:27 AM

Quote:

Originally Posted by tpe

Mr. C.: MANY Thanks!
The problem WAS the order of the reject/permit. Changing the order the e-mail was sent. However, I still do not know if I will have spam/relay issues or not. Of course relay abuse reports that the server is not an open relay, thus, I suppose that it's OK.

There's no problem with that order. The secure default is:

Code:

smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination

Spam being sent to your server is today's fact of life. Configure your UCE restrictions appropriately, take one step at a time until you gain experience and always evaluate your logs. Also consider spending some time reading minimally:

http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/CONTENT_INSPECTION_README.html

MrC

tpe · 06-09-2008, 02:02 AM

Thanks! I will start reading. Since I will not be the sysadmin, just the `migrator` (from Win2K to Linux) I will try to read and most importantly, to understand them. Again, thank you.

Mr. C. · 06-09-2008, 11:07 PM

Consider getting yourself, and the to-be-hired admin, The Book of Postfix - its the best out there and will walk you through all the steps.