# Postfix: can't find where problem is!



## gnr (Jun 30, 2009)

For some reason my mail client cannot connect to newly built FreeBSD mail server to send emails - connection refused. Originally I was intending to build secure connection using SASL2 and TLS/SSL but like I said I experience difficulties connecting to SMTP server.


My observations:

1. Receiving of emails works fine via Courier IMAP (993)

2. Squirrelmail installed on the system DOES allow to send with SMTP Authentication set to 'none' and TLS set to 'false'. So far this is the only way of responding to emails.

3. Posffix was compiled with SASL2 (see below):

```
one# make showconfig
===> The following configuration options are available for postfix-2.6.1,1:
     PCRE=on "Perl Compatible Regular Expressions"
     SASL2=on "Cyrus SASLv2 (Simple Auth. and Sec. Layer)"
     DOVECOT=off "Dovecot SASL authentication method"
     SASLKRB=off "If your SASL req. Kerberos select this option"
     SASLKRB5=off "If your SASL req. Kerberos5 select this option"
     SASLKMIT=off "If your SASL req. MIT Kerberos5 select this option"
     TLS=on "Enable SSL and TLS support"
     BDB=off "Berkeley DB (choose version with WITH_BDB_VER)"
     MYSQL=off "MySQL maps (choose version with WITH_MYSQL_VER)"
     PGSQL=off "PostgreSQL maps (choose with DEFAULT_PGSQL_VER)"
     OPENLDAP=off "OpenLDAP maps (choose ver. with WITH_OPENLDAP_VER)"
     CDB=off "CDB maps lookups"
     NIS=off "NIS maps lookups"
     VDA=off "VDA (Virtual Delivery Agent)"
     TEST=off "SMTP/LMTP test server and generator"
===> Use 'make config' to modify these settings
```

4. SMTP is set to listen to the outside world:

```
one# netstat -a | grep 'smtp'
tcp4       0      0 *.smtp                 *.*                    LISTEN
ffffff0001b348b8 stream      0      0 ffffff0001ceb3f0        0        0        0 private/smtp
```

5. I can telnet localhost 25 and openssl localhost:25 during my ssh session.

6. Here's the output of postconf -n


```
broken_sasl_auth_clients = yes
canonical_maps = hash:/usr/local/etc/postfix/canonical
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
mail_owner = postfix
mailbox_command = /usr/local/bin/procmail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/share/examples/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/sasldb2
smtp_tls_CAfile = /usr/local/openssl/certs/mailexpeditor.com-CAcert.pem
smtp_tls_cert_file = /usr/local/openssl/certs/one.mailexpeditor.com-cert.pem
smtp_tls_key_file = /usr/local/openssl/certs/one.mailexpeditor.com-unencrypted-key.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtpd_recipient_restrictions = permit_sasl_authenticated    permit_mynetworks    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /usr/local/openssl/certs/mailexpeditor.com-CAcert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/openssl/certs/one.mailexpeditor.com-cert.pem
smtpd_tls_key_file = /usr/local/openssl/certs/one.mailexpeditor.com-unencrypted-key.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = domain1.co.uk, domain2.com
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
```

7. I tried connecting to SMTP with "no authentication" and "no SSL" set in mail client (as in case with Squirrelmail) but all I get is email back with "Relay access denied" in *tail -f /var/log/maillog*:

```
Jun 30 16:41:41 one postfix/smtpd[23319]: NOQUEUE: reject: RCPT from host86-165-212-234.range86-165.btcentralplus.com[86.165.212.234]: 554 5.7.1 <sometestaccount@gmail.com>: Relay access denied; from=<myemail@domain1.co.uk> to=<sometestaccount@gmail.com> proto=ESMTP helo=<gnrPC>
```

8. If I set mail client to authenticate and use SSL result in log is as follows:

```
Jun 30 16:47:16 one postfix/smtpd[23346]: connect from host86-165-212-234.range86-165.btcentralplus.com[86.165.212.234]
Jun 30 16:47:16 one postfix/smtpd[23346]: lost connection after UNKNOWN from host86-165-212-234.range86-165.btcentralplus.com[86.165.212.234]
Jun 30 16:47:16 one postfix/smtpd[23346]: disconnect from host86-165-212-234.range86-165.btcentralplus.com[86.165.212.234]
```


Not sure why this is happening. Help please!


----------



## rbelk (Jul 1, 2009)

You still need to allow the 127.0.0.0/8 localnet.
Add the following to /usr/local/etc/postfix/main.cf and see if it works

```
mynetworks = 127.0.0.0/8
```


----------



## vivek (Jul 1, 2009)

What about master.cf? Is it configured properly?


----------



## gnr (Jul 1, 2009)

rbelk said:
			
		

> You still need to allow the 127.0.0.0/8 localnet.
> Add the following to /usr/local/etc/postfix/main.cf and see if it works
> 
> ```
> ...



Thanks for your reply rbelk. Server is in remote office with no local network. All clients are remote on dynamic IPs. Not to question your experience but given the circumstances will it change anything?


----------



## gnr (Jul 1, 2009)

vivek said:
			
		

> What about master.cf? Is it configured properly?



Hi Vivek,


Can you pls have a look and say if you see anything misconfigured?

here goes:




```
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamd:
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipien
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}

spamd   unix    -       n       n       -       -       pipe
  flags=Rq user=spamd argv=/usr/local/bin/spamd.sh -f ${sender} -- ${recipient}
```


----------

