Wheezy/Postfix/Dovecot SASL issue

July 26, 2014

Hi guys,

I followed this tutorial to the letter: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-postfix-e-mail-server-with-dovecot

The installation has gone fine, with one small exception: sending messages from a remote client.

It feels as though Postfix is not honoring the permit_sasl_authenticated parameter in main.cf (smtpd_recipient_restrictions) - to elaborate:

I can successfully authenticate via IMAP from a remote client (using Outlook 2010), am able to traverse the mail folder structure and receive new email as it comes in. I can't, however, send any mail. Initially, it immediately returned a "Server error: 554 5.7.1" error. I then modified master.cf and edited out:
# -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
This has now left me with messages sitting in the outbound queue and subsequently timing out.

I was just wondering if anybody is able to offer an opinion as to what's happening and how I might fix it.

Edit: One other thing to note: of course, if I add my remote IP to mynetworks, I can send mail without issue.

Edit2: Logs can be found at http://pastebin.com/Ai4E8Fme - formatting below is horrible

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
config_directory = /etc/postfix
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mailbox_size_limit = 0
mydestination = mail.domain.com, domain.com, localhost, localhost.localdomain
myhostname = mail.domain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/mailcert.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

master.cf:

smtp      inet  n       -       -       -       -       smtpd
        -o content_filter=spamassassin
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq

/var/log/mail.log (modified):

Jul 26 13:37:08 Scratchy dovecot: imap-login: Login: user=<user>, method=PLAIN, rip=1.2.3.4, lip=4.5.6.7, mpid=20681, TLS, session=<2WC58hf/xgBeDEO/>
Jul 26 13:37:08 Scratchy dovecot: imap-login: Login: user=<user>, method=PLAIN, rip=1.2.3.4, lip=4.5.6.7, mpid=20683, TLS, session=<Q6y88hf/zABeDEO/>
Jul 26 13:37:42 Scratchy dovecot: imap(user): Disconnected: Logged out in=97 out=620
Jul 26 13:37:47 Scratchy postfix/submission/smtpd[20685]: warning: hostname <address> does not resolve to address 4.5.6.7: No address associated with hostname
Jul 26 13:37:47 Scratchy postfix/submission/smtpd[20685]: connect from unknown[4.5.6.7]
Jul 26 13:37:47 Scratchy postfix/submission/smtpd[20685]: NOQUEUE: reject: RCPT from unknown[4.5.6.7]: 554 5.7.1 <unknown[4.5.6.7]>: Client host rejected: Access denied; from=<some@email.com> to=<some.other@email.com> proto=ESMTP helo=<8ZV1YY1PC>
Jul 26 13:37:49 Scratchy postfix/submission/smtpd[20685]: disconnect from unknown[4.5.6.7]
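An added log-triage script (editor's example, not part of the original post or of the linked tutorial) that shows what to look for in mail.log before touching the restrictions. Postfix smtpd only records a completed AUTH on the "QUEUEID: client=host[ip], sasl_method=..., sasl_username=..." line; in the log above, the submission session 20685 goes straight from "connect from" to the RCPT reject with no such line, so permit_sasl_authenticated had nothing to match on that session. The script keys sessions by smtpd process id and reports, per session, whether the client authenticated and whether it was rejected. The sample log is constructed: the first session copies the posted lines, the second is a hypothetical authenticated session added for contrast.

```shell
#!/bin/sh
# Added example, not from the original post. Reads Postfix smtpd log lines and
# reports, per smtpd session, whether the client completed SASL AUTH before it
# was accepted or rejected. Postfix smtpd logs a successful AUTH on the
# "QUEUEID: client=host[ip], sasl_method=..., sasl_username=..." line; a session
# that is rejected at RCPT without ever producing sasl_* fields never
# authenticated, so permit_sasl_authenticated had nothing to match.

# Constructed sample: session 20685 mirrors the question's log (no AUTH, rejected);
# session 20690 is a hypothetical authenticated client whose message was queued.
SAMPLE_LOG='Jul 26 13:37:47 Scratchy postfix/submission/smtpd[20685]: connect from unknown[4.5.6.7]
Jul 26 13:37:47 Scratchy postfix/submission/smtpd[20685]: NOQUEUE: reject: RCPT from unknown[4.5.6.7]: 554 5.7.1 <unknown[4.5.6.7]>: Client host rejected: Access denied; from=<some@email.com> to=<some.other@email.com> proto=ESMTP helo=<8ZV1YY1PC>
Jul 26 13:37:49 Scratchy postfix/submission/smtpd[20685]: disconnect from unknown[4.5.6.7]
Jul 26 13:40:01 Scratchy postfix/submission/smtpd[20690]: connect from unknown[4.5.6.7]
Jul 26 13:40:02 Scratchy postfix/submission/smtpd[20690]: 0123456789: client=unknown[4.5.6.7], sasl_method=PLAIN, sasl_username=user
Jul 26 13:40:03 Scratchy postfix/submission/smtpd[20690]: disconnect from unknown[4.5.6.7]'

# triage: mail.log lines on stdin -> one line per smtpd session on stdout:
#   <pid> <client-ip> AUTHED|NO-AUTH REJECTED|ACCEPTED
# Sessions are keyed by the smtpd process id so interleaved sessions stay apart.
triage() {
    awk '
    match($0, /smtpd\[[0-9]+\]/) {
        pid = substr($0, RSTART + 6, RLENGTH - 7)
        if ($0 ~ /: connect from /) {          # ": disconnect from" does not match this
            ip[pid] = $0
            sub(/.*connect from [^[]*\[/, "", ip[pid])
            sub(/\].*/, "", ip[pid])
            auth[pid] = "NO-AUTH"; verdict[pid] = "ACCEPTED"
        }
        if ($0 ~ /sasl_username=/)   auth[pid] = "AUTHED"
        if ($0 ~ /NOQUEUE: reject:/) verdict[pid] = "REJECTED"
        if ($0 ~ /: disconnect from / && (pid in auth)) {
            print pid, ip[pid], auth[pid], verdict[pid]
            delete auth[pid]
        }
    }'
}

# unauth_rejects: only the sessions that were rejected without authenticating,
# i.e. the pattern seen in the question's log.
unauth_rejects() {
    triage | grep 'NO-AUTH REJECTED'
}

printf '%s\n' "$SAMPLE_LOG" | triage
```

On a live box, run it as `triage < /var/log/mail.log` (or `unauth_rejects < /var/log/mail.log` to see only the problem sessions). A steady stream of NO-AUTH REJECTED lines from a client that is supposed to be authenticating points at the client's outgoing-server authentication settings or at the AUTH offer on that port, not at the order of permit_mynetworks and permit_sasl_authenticated.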

1 Answer

This question was answered by @ryanpq:

You mentioned that if you added your IP to mynetworks then you were able to send messages. The default shown here may restrict email sending to clients running on the same server so if you are also using authentication of users connecting to your SMTP server you should be able to remove the permit_mynetworks from your configuration in order to allow authenticated clients to send mail regardless of the originating IP address.
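An added configuration check (editor's example, not part of the original answer or of the linked tutorial) for the other half of "authenticated clients": each smtpd service that enables SASL must also resolve smtpd_sasl_type and smtpd_sasl_path, either through its own "-o" overrides in master.cf or from main.cf. Where neither sets them, Postfix uses its built-in defaults (smtpd_sasl_type = cyrus, smtpd_sasl_path = smtpd), which do not reach Dovecot's auth socket. In the posted configuration the submission service sets both, so this does not explain the logged submission reject, but the smtps service sets neither and main.cf has no smtpd_sasl_* entries. The script below lints a constructed reproduction of the relevant lines of the posted master.cf and postconf -n output.

```shell
#!/bin/sh
# Added example, not from the original post. Checks every smtpd service in
# master.cf that turns on SASL (smtpd_sasl_auth_enable=yes) for a resolved
# smtpd_sasl_type and smtpd_sasl_path, taking "-o" overrides first and main.cf
# (postconf -n output) second. Where neither sets them, Postfix uses its
# built-in defaults (smtpd_sasl_type = cyrus, smtpd_sasl_path = smtpd), which
# cannot talk to Dovecot's auth socket.

# Constructed sample files reproducing the relevant lines of the posted configuration.
MAIN_CF='smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_security_level = may
smtpd_use_tls = yes'

MASTER_CF='smtp      inet  n       -       -       -       -       smtpd
        -o content_filter=spamassassin
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    fifo  n       -       -       60      1       pickup'

# sasl_lint MAIN_CF_FILE MASTER_CF_FILE
# Prints "<service>: SASL enabled but unset: <parameters>" for each offending service.
sasl_lint() {
    awk '
    # override first, then main.cf; an unset parameter yields ""
    function get(k)          { return (k in ov) ? ov[k] : main_cf[k] }
    # evaluate the service collected so far, then reset for the next one
    function flush_service(    missing) {
        if (svc != "" && cmd == "smtpd" && get("smtpd_sasl_auth_enable") == "yes") {
            missing = ""
            if (get("smtpd_sasl_type") == "") missing = missing " smtpd_sasl_type"
            if (get("smtpd_sasl_path") == "") missing = missing " smtpd_sasl_path"
            if (missing != "") print svc ": SASL enabled but unset:" missing
        }
        svc = ""
        split("", ov)
    }
    FILENAME == ARGV[1] {                     # main.cf: "key = value"
        if (match($0, /^[a-z_]+ *=/)) {
            key = $1; val = $0; sub(/^[^=]*= */, "", val); main_cf[key] = val
        }
        next
    }
    /^[^# \t]/ {                              # master.cf service line: name ... command
        flush_service()
        svc = $1; cmd = $8
    }
    /^[ \t]+-o[ \t]/ {                        # per-service "-o key=value" override
        eq = index($2, "="); ov[substr($2, 1, eq - 1)] = substr($2, eq + 1)
    }
    END { flush_service() }
    ' "$1" "$2"
}

# run_lint: write the constructed samples to temp files and lint them.
run_lint() {
    main=$(mktemp) && master=$(mktemp)
    printf '%s\n' "$MAIN_CF" > "$main"
    printf '%s\n' "$MASTER_CF" > "$master"
    sasl_lint "$main" "$master"
    rm -f "$main" "$master"
}

run_lint
```

Against a real installation, run `postconf -n > /tmp/main.txt` and then `sasl_lint /tmp/main.txt /etc/postfix/master.cf`; the smtp service on port 25 is silent because it never enables SASL, which is the intended state for a server that accepts remote mail only for its own domains.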
