Home / server / Questions / 324689
Accepted
NPE
Asked: 2011-10-26 08:58:12 +0800 CST

Postfix rejecting mail from authenticated clients

  • 772

I am trying to configure Postfix so that it would accept mail from authenticated clients outside $mynetworks.

When I try to send a test email from my iPhone, which is configured to use port 25, SSL and password authentication, the mail gets rejected by Postfix. I get the following in /var/log/mail.info:

Oct 25 17:41:35 mailhost postfix/smtpd[6136]: warning: 212.183.x.x: hostname host212-183-x-x.uk.access.vodafone.net verification failed: Name or service not known

Oct 25 17:41:35 mailhost postfix/smtpd[6136]: connect from unknown[212.183.x.x]

Oct 25 17:41:39 mailhost postfix/smtpd[6136]: NOQUEUE: reject: RCPT from unknown[212.183.x.x]: 554 5.7.1 : Client host rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[10.25.x.x]>

Oct 25 17:41:39 mailhost postfix/smtpd[6136]: disconnect from unknown[212.183.x.x]

Here are all my main.cf settings that have to do with SASL/TLS:

smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom

How do I establish that the session is indeed authenticated?

How do I go about troubleshooting this further?

authentication smtp postfix sasl

5 Answers

  1. Best Answer

    After much experimentation it turned out I had to add permit_sasl_authenticated to smtpd_client_restrictions (not to be confused with smtpd_recipient_restrictions).

    This has fixed it.

    • 6

  2. Test from a system with telnet/openssl http://www.postfix.org/SASL_README.html#server_test I don't know if the iPhone supports starttls, so you may want to test against 465 and 587 for ssl support. I think also you have it setup to only accept authentication if ssl is used.

    • 0

  3. I solved my problem by adding "smtpd_sasl_auth_enable" line to my main.cf and then restart postfix.(there was no problem with webmail I just get the access denied error on Thunderbird) 

    smtpd_sasl_auth_enable = yes
    • 0

  4. i solve with this:

    submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
    • 0

  5. The parameters you are specifying on the line: 

    smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

    Are the likely culprit.

    More on how to configure postfix relaying and access control can be found in the documentation.

    Looks like you'll want to start by adding *.vodafone.net domain to the list of allowed domains for relaying.

    • -4