0

We are setting up a Postfix mail relay to accept only authenticated SMTP sessions and forward them to our backend smarthosts.

CentOS 6.8
postfix-2.6.6-6.el6_7.1.x86_64
cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-2.1.23-15.el6_6.2.x86_64
cyrus-sasl-plain-2.1.23-15.el6_6.2.x86_64

We have installed and configured Postfix as well as SASL according to a couple of tutorials and references from the postfix manual on postfix.org, although we seem to have a couple of configuration or permission errors. Any help would be appreciated.


    [root@server]# saslpasswd2 -c -u test.com test
    Password: test123
    Again (for verification): test123

    [root@server]# sasldblistusers2
    [email protected]: userPassword

    [root@server]# testsaslauthd -u [email protected] -p test123
    0: NO "authentication failed"

    [root@server]# tail -n1 /var/log/messages
    Jan 13 08:10:19 server saslauthd[2595]: do_auth : auth failure: [[email protected]] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

    [root@server]# postconf -n
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    html_directory = no
    inet_interfaces = all
    inet_protocols = all
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = $myhostname, localhost.$mydomain, localhost
    mydomain = testing.com
    myhostname = smtp.testing.com
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
    relayhost = [mx01.testing.com]:25
    sample_directory = /usr/share/doc/postfix-2.6.6/samples
    sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_fallback_relay = [mx02.testing.com]:25
    smtp_tls_CAfile = /etc/postfix/ssl/smtp.testing.com.ca-file
    smtp_tls_cert_file = /etc/postfix/ssl/smtp.testing.com.crt
    smtp_tls_key_file = /etc/postfix/ssl/smtp.testing.com.key
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP ($mail_version)
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_tls_security_options = noanonymous
    smtpd_tls_CAfile = /etc/postfix/ssl/smtp.testing.com.ca-file
    smtpd_tls_cert_file = /etc/postfix/ssl/smtp.testing.com.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtp.testing.com.key
    smtpd_tls_security_level = may
    unknown_local_recipient_reject_code = 550

    [root@server]# cat /etc/sasl2/smtpd.conf
    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
    log_level: 7

    [root@server]# cat /etc/postfix/master.cf
    smtp      inet  n       -       n       -       -       smtpd -v
    #submission inet n       -       n       -       -       smtpd
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       n       -       -       smtpd -v
    #  -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

SMTP Client Log

    Stat Connected.
    Recv 13/01/2017 8:34:12 AM: 220 smtp.test.com ESMTP (2.6.6)<EOL>
    Sent 13/01/2017 8:34:12 AM: EHLO SendSMTPv2.19.0.1<EOL>
    Recv 13/01/2017 8:34:12 AM: 250-smtp.securmail.net.au<EOL>250-PIPELINING<EOL>250-SIZE 10240000<EOL>250-VRFY<EOL>250-ETRN<EOL>250-STARTTLS<EOL>250-AUTH LOGIN DIGEST-MD5 CRAM-MD5 PLAIN<EOL>250-AUTH=LOGIN DIGEST-MD5 CRAM-MD5 PLAIN<EOL>250-ENHANCEDSTATUSCODES<EOL>250-8BITMIME<EOL>250 DSN<EOL>
    Sent 13/01/2017 8:34:12 AM: STARTTLS<EOL>
    Recv 13/01/2017 8:34:12 AM: 220 2.0.0 Ready to start TLS<EOL>
    Sent 13/01/2017 8:34:12 AM: EHLO SendSMTPv2.19.0.1<EOL>
    Recv 13/01/2017 8:34:12 AM: 250-smtp.test.com<EOL>250-PIPELINING<EOL>250-SIZE 10240000<EOL>250-VRFY<EOL>250-ETRN<EOL>250-AUTH LOGIN DIGEST-MD5 CRAM-MD5 PLAIN<EOL>250-AUTH=LOGIN DIGEST-MD5 CRAM-MD5 PLAIN<EOL>250-ENHANCEDSTATUSCODES<EOL>250-8BITMIME<EOL>250 DSN<EOL>
    Sent 13/01/2017 8:34:12 AM: MAIL FROM:<[email protected]><EOL>
    Recv 13/01/2017 8:34:12 AM: 250 2.1.0 Ok<EOL>
    Sent 13/01/2017 8:34:12 AM: RCPT TO:<[email protected]><EOL>
    Recv 13/01/2017 8:34:12 AM: 554 5.7.1 <[email protected]>: Relay access denied<EOL>
    Sent 13/01/2017 8:34:12 AM: RSET<EOL>
    Recv 13/01/2017 8:34:13 AM: 250 2.0.0 Ok<EOL>

    [root@Sserver]# tail -n 50 /var/log/maillog
    Jan 13 08:34:23 server/smtpd[13157]: NOQUEUE: reject: RCPT from xx.xx.xx.xx.isp.com[xx.xx.xx.xx]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<SendSMTPv2.19.0.1>
    Jan 13 08:34:23 server/smtpd[13157]: generic_checks: name=reject_unauth_destination status=2
    Jan 13 08:34:23 server/smtpd[13157]: > xx.xx.xx.xx.isp.com[xx.xx.xx.xx]: 554 5.7.1 <[email protected]>: Relay access denied

Please let me know if any more logs or configuration extracts would be helpful. Thanks in advance
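A transcript in the layout of the SMTP client log above can be checked mechanically for what decides relay access on an authenticated-only relay: whether the client issued AUTH, and whether the server answered 235, before MAIL FROM and RCPT TO. This is an added example, not part of the original post; the sample session, `analyse` and `verdict` are constructed for illustration and expect one Sent/Recv entry per line.

```python
import re

# Constructed transcript in the same "Sent/Recv <date> <time> AM: text<EOL>" layout.
SAMPLE = """\
Sent 13/01/2017 8:34:12 AM: EHLO client<EOL>
Recv 13/01/2017 8:34:12 AM: 250-mx.example.test<EOL>250-STARTTLS<EOL>250 AUTH LOGIN PLAIN<EOL>
Sent 13/01/2017 8:34:12 AM: STARTTLS<EOL>
Recv 13/01/2017 8:34:12 AM: 220 2.0.0 Ready to start TLS<EOL>
Sent 13/01/2017 8:34:12 AM: EHLO client<EOL>
Recv 13/01/2017 8:34:12 AM: 250-mx.example.test<EOL>250 AUTH LOGIN PLAIN<EOL>
Sent 13/01/2017 8:34:12 AM: MAIL FROM:<a@example.test><EOL>
Recv 13/01/2017 8:34:12 AM: 250 2.1.0 Ok<EOL>
Sent 13/01/2017 8:34:12 AM: RCPT TO:<b@example.org><EOL>
Recv 13/01/2017 8:34:12 AM: 554 5.7.1 <b@example.org>: Relay access denied<EOL>
"""

ENTRY = re.compile(r"^(Sent|Recv) \S+ \S+ [AP]M: (.*)$")

def analyse(log):
    """Summarise one session: TLS, AUTH offered/sent/accepted, replies to RCPT."""
    r = {"tls": False, "auth_offered": False, "auth_sent": False,
         "auth_ok": False, "rcpt_replies": []}
    last_cmd = ""
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # shell prompts, "Stat Connected.", server-side log lines
        lines = [l for l in m.group(2).split("<EOL>") if l]
        if not lines:
            continue
        if m.group(1) == "Sent":
            last_cmd = lines[0].split()[0].upper()
            r["auth_sent"] = r["auth_sent"] or last_cmd == "AUTH"
            continue
        code = lines[-1][:3]
        if any(re.match(r"250[- ]AUTH[ =]", l) for l in lines):
            r["auth_offered"] = True
        if last_cmd == "STARTTLS" and code == "220":
            r["tls"] = True
        elif code == "235":  # 235 = authentication succeeded
            r["auth_ok"] = True
        elif last_cmd == "RCPT":
            r["rcpt_replies"].append(lines[-1])
    return r

def verdict(r):
    if r["auth_ok"]:
        return "authenticated"
    return "AUTH failed" if r["auth_sent"] else "no AUTH command sent"
```
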

2 Answers

0

I had the same problem with exim.

You can test with cyrus the username and password on the server shell with e.g.

testsaslauthd -u username -r example.com -p secret 

It does not work with

testsaslauthd -u [email protected] -p secret 

There is further explanation on my post here: Cyrus sasl error - ''0: NO authentication failed" On Debian 9

0

Have you set the /etc/postfix/sasl_passwd for the relay host? Usually it is needed to relay mail. Also, try setting mydestination to localhost only and see what happens. I hope this helps.

1
  • I use to relay through outbound.mailhop.org and my sasl_passwd file is set like this: outbound.mailhop.org:2525 username:password Commented Jan 14, 2017 at 11:37
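The `sasl_passwd` file discussed in this answer belongs to the outbound side (`smtp_*` parameters, this relay logging in to its relayhost), while the question's settings are on the inbound side (`smtpd_*`, clients logging in to this relay). The following added example, not code from the thread, audits `postconf -n` output for both sides; the excerpt is constructed from the question's output, and the `DEFAULTS` table is an assumption about Postfix 2.6 built-in defaults for parameters that are not set.

```python
import re

# Constructed excerpt modelled on the `postconf -n` output in the question.
POSTCONF_N = """\
relayhost = [mx01.testing.com]:25
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_security_level = may
"""

# Assumed built-in defaults (Postfix 2.6) for parameters main.cf leaves unset.
DEFAULTS = {
    "smtpd_recipient_restrictions": "permit_mynetworks, reject_unauth_destination",
    "smtpd_tls_auth_only": "no",
    "smtp_sasl_auth_enable": "no",
}

def parse_postconf(text):
    """Parse `postconf -n` output into a dict; empty values are kept as ''."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return findings; master.cf `-o` overrides are not visible in this input."""
    def get(key):
        return conf.get(key, DEFAULTS.get(key, ""))
    findings = []
    # smtpd_* parameters: clients authenticating to this relay.
    if get("smtpd_sasl_auth_enable") != "yes":
        findings.append("inbound: AUTH is not offered")
    if "permit_sasl_authenticated" not in re.split(r"[,\s]+", get("smtpd_recipient_restrictions")):
        findings.append("inbound: permit_sasl_authenticated missing, AUTH grants no relay right")
    if get("smtpd_tls_auth_only") != "yes" and get("smtpd_tls_security_level") != "encrypt":
        findings.append("inbound: AUTH is advertised before STARTTLS")
    # smtp_* parameters: this relay authenticating to its relayhost (sasl_passwd).
    if get("relayhost") and get("smtp_sasl_auth_enable") != "yes":
        findings.append("outbound: relayhost set, smtp_sasl_auth_enable is off")
    elif get("smtp_sasl_auth_enable") == "yes" and not get("smtp_sasl_password_maps"):
        findings.append("outbound: smtp_sasl_auth_enable=yes without smtp_sasl_password_maps")
    return findings
```

The outbound finding only matters when the relayhost itself demands AUTH; the inbound findings apply to any relay that is meant to accept authenticated clients only.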
