DevHeads.net

Postfix does not authenticate to relayhost

Hello,

I run two Postfix servers. One on my server, which just runs fine and is used to send mail directly. The other one on my local machine, which should relay mail to the other one. The problem is that the desktop MTA does not seem to authenticate to its relayhost:

The server says:

May 15 22:10:04 venus postfix/smtpd[20438]: connect from host[x.x.x]
May 15 22:10:04 venus postfix/smtpd[20438]: NOQUEUE: reject: RCPT from host[x.x.x]: 450 4.1.8 < ... at horus dot localdomain>: Sender address rejected: Domain not found; from=< ... at horus dot localdomain> to=<florian. ... at xgm dot de> proto=ESMTP helo=<horus.localdomain>

xgm.de is local to the server. Of course it's right about domain not found, but my relay settings should allow that if sasl_authenticated:

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

On the local site it says just the same error message, nothing else error-like.

Local configuration is

% postconf -n
[...]
mynetworks_style = host
relayhost = [venus.centershock.net]
smtp_sasl_password_maps = hash:/etc/postfix/relay
smtp_sasl_security_options = noanonymous
smtpd_tls_security_level = encrypt

# cat relay
venus.centershock.net ... at xgm dot de:passwd

and of course "postmap hash:/etc/postfix/relay" ran without errors.

What could be wrong here?

Thanks!
Florian

Comments

Re: Postfix does not authenticate to relayhost

By Viktor Dukhovni at 05/15/2018 - 16:34

Note, that last setting should be "smtp_tls_security_level"...

Re: Postfix does not authenticate to relayhost

By Viktor Dukhovni at 05/15/2018 - 16:15

I see no SASL support at the relayhost.

posttls-finger: Connected to venus.centershock.net[188.68.38.242]:25
posttls-finger: < 220 venus.centershock.net ESMTP Postfix (Debian/GNU)
posttls-finger: > EHLO amnesiac
posttls-finger: < 250-venus.centershock.net
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 100000000
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: Untrusted TLS connection established to venus.centershock.net[188.68.38.242]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO amnesiac
posttls-finger: < 250-venus.centershock.net
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 100000000
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-AUTH=PLAIN LOGIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

Re: Postfix does not authenticate to relayhost

By Benny Pedersen at 05/15/2018 - 16:30

Viktor Dukhovni wrote on 2018-05-15 23:15:
port 25 should not provide auth senders

add a transportmap to relay host and do not use port 25 in the transport
map

okay for tls

wish how i can make that works with postfixadmin using idn in sql,
postfix miss to convert utf8 to idn so its only one map to check in
backend, else one needs 2 maps one for idn and one for utf8

should not be provided in port 25

Re: Postfix does not authenticate to relayhost

By Viktor Dukhovni at 05/15/2018 - 16:36

There's no need for transport entries. Just setting "relayhost" is enough.
The relayhost setting can include a port number if desired:

http://www.postfix.org/postconf.5.html#relayhost

Re: Postfix does not authenticate to relayhost

By Benny Pedersen at 05/15/2018 - 15:29

Florian Lindner wrote on 2018-05-15 22:17:

its a dns problem to solve, not postfix

# /etc/hosts

127.0.0.1 horus.localdomain horus

Re: Postfix does not authenticate to relayhost

By Florian Lindner at 05/15/2018 - 16:12

On 15.05.2018 at 22:29, Benny Pedersen wrote:
I understand why there is the Domain not found for horus.localdomain, but not why it blocks the delivery, given my
sender_restriction and relay_restrictions.

Thanks,
Florian

Re: Postfix does not authenticate to relayhost

By Matus UHLAR - f... at 05/16/2018 - 08:24

On 15.05.18 22:17, Florian Lindner wrote:
Benny, 127.0.0.1 should always resolve to "localhost" (surprises can happen
otherwise).
That's why debian puts local host name with IP 127.0.1.1 to /etc/hosts.

On 15.05.18 23:12, Florian Lindner wrote:
you have reject_unknown_sender_domain in sender restrictions.

your DNS servers don't apparently know "horus.localdomain"
you should better configure proper sender address in source address.

Re: Postfix does not authenticate to relayhost

By Bastian Blank at 05/15/2018 - 15:26

On Tue, May 15, 2018 at 10:17:40PM +0200, Florian Lindner wrote:
'[venus.centershock.net]' != 'venus.centershock.net'. The name needs to
match in full.

Bastian

Re: Postfix does not authenticate to relayhost

By Florian Lindner at 05/15/2018 - 16:10

On 15.05.2018 at 22:26, Bastian Blank wrote:
Sorry, I tried several permutations with and without [] and seem to have lost track.

I have changed it to:

# cat relay
[venus.centershock.net] ... at xgm dot de:passwd

and rerun postmap.

However, it's still the same error message.

Best Thanks,
Florian
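
The two client-side points raised in the thread (the password-map key must equal the relayhost value in full, and the relayhost advertises AUTH only after STARTTLS, so the client needs smtp_tls_security_level rather than smtpd_tls_security_level) can be checked mechanically. The following is an added example, not code from any poster or from Postfix; the function names are hypothetical, the inputs are constructed from the lines quoted above, and the credential is a placeholder.

```python
import re

# Constructed from the thread: only the client settings visible in the post.
CLIENT_CONF = """\
relayhost = [venus.centershock.net]
smtp_sasl_password_maps = hash:/etc/postfix/relay
smtp_sasl_security_options = noanonymous
smtpd_tls_security_level = encrypt
"""
# Password-map source before and after the fix; the credential is a placeholder.
MAP_BEFORE = "venus.centershock.net user@example.invalid:passwd\n"
MAP_AFTER = "[venus.centershock.net] user@example.invalid:passwd\n"
# Condensed from the posttls-finger transcript in the thread.
TRANSCRIPT = """\
< 250-STARTTLS
< 250 SMTPUTF8
> STARTTLS
< 220 2.0.0 Ready to start TLS
< 250-AUTH PLAIN LOGIN
< 250-AUTH=PLAIN LOGIN
< 250 SMTPUTF8
"""

def parse_conf(text):
    """Parse 'name = value' lines as printed by postconf -n."""
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def auth_by_phase(transcript):
    """AUTH mechanisms the server advertises before and after STARTTLS."""
    phase, mechs = "cleartext", {"cleartext": set(), "tls": set()}
    for ln in transcript.splitlines():
        if ln.startswith("> STARTTLS"):
            phase = "tls"
        m = re.match(r"< 250[- ]AUTH[ =](.+)", ln)
        if m:
            mechs[phase].update(m.group(1).split())
    return mechs

def check_client(conf_text, map_text, transcript):
    """Return findings for the two client-side issues raised in the thread."""
    conf, findings = parse_conf(conf_text), []
    keys = {ln.split()[0] for ln in map_text.splitlines() if ln.strip()}
    if conf.get("relayhost") not in keys:
        findings.append("no password-map key equals relayhost exactly")
    offered = auth_by_phase(transcript)
    tls_only = bool(offered["tls"]) and not offered["cleartext"]
    if tls_only and conf.get("smtp_tls_security_level", "none") == "none":
        findings.append("AUTH needs TLS, but smtp_tls_security_level is not set")
    return findings
```

With the original map and configuration both findings are reported; with the bracketed key only the TLS finding remains, and it clears once the setting is renamed to smtp_tls_security_level.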