# Postfix & Postfixadmin SASL/SSL/TLS relaying deny error



## Polideuces (Sep 3, 2013)

Hi friends,

This is my first post in your forum. I read a lot and thank you for a lot of useful information. I'm sorry if my English has some grammatical or logical errors, but it is not my native language.

Let me explain my trouble. I have been using FreeBSD since version 4.0, but I'm not an expert. Two months ago I started implementing a new mail server with FreeBSD 9.1, the latest Postfix/Dovecot (2.2), Postfixadmin, MySQL, SpamAssassin, ClamAV, Amavis (including OpenDKIM, SPF, Razor, Pyzor, etc.), Perl, Nginx, PHP, etc.

I read a lot and performed tests before I published it to a real IP with MX records. It works.

When I published it, I found that users with remote SSL/TLS connections cannot send mail. They can read email from Dovecot in an SSL session.

I am posting here my main.cf:

```
inet_protocols = ipv4

############# From Here is my conf

virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
relay_domains = proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains.cf
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_domains.cf
###virtual_mailbox_maps = mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_alias_maps = mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
recipient_bcc_maps = hash:/usr/local/etc/postfix/recipient-bcc
sender_bcc_maps    = hash:/usr/local/etc/postfix/sender-bcc
############sender_bcc_maps = hash:/usr/local/etc/postfix/sender-bcc

smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated, 
   reject_unauth_destination, 
   reject_unknown_reverse_client_hostname, 
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_unknown_sender_domain,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_unauth_pipelining,
   check_policy_service unix:private/spf-policy,
#   reject_rbl_client rbl.brasilrbl.com.br,
   reject_rbl_client zen.spamhaus.org, 
#   reject_rhsbl_client rhsbl.brasilrbl.com.br
   reject_rbl_client list.dsbl.org,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client sbl.spamhaus.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client dul.dnsbl.sorbs.net,
   permit

#### SASL
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
maximal_queue_lifetime = 4h
bounce_queue_lifetime = 4h
spf_received_header = yes

#### Mynetworks
mynetworks = $config_directory/mynetworks

##### SSL
smtpd_tls_security_level = may
###smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
smtpd_tls_auth_only = no
#### smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
#### smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_loglevel = 2
smtpd_tls_session_cache_timeout = 3600s
####smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom

##### AMAVIS
content_filter = amavisfeed:[127.0.0.1]:10024

##### Autoreplay from Postfixadmin
transport_maps = hash:/usr/local/etc/postfix/transport
vacation_destination_recipient_limit = 1

##### Postgrey
###
###    check_sender_access regexp:/usr/local/etc/postfix/tag_as_originating.re
###    check_banned_recipients,
###    check_banned_senders,
###    permit_mynetworks,
###    permit_sasl_authenticated,
###    reject_non_fqdn_helo_hostname,
###    reject_sender_login_mismatch,
###    reject_spf_invalid_sender,
###    check_sender_access regexp:/usr/local/etc/postfix/tag_as_foreign.re,
###    check_policy_service inet:127.0.0.1:10023 

spf-policy_time_limit = 3600

message_size_limit = 307200000
mailbox_size_limit = 5120000000
header_size_limit = 1024000
```
And here is the error in my mail log file:

```
Sep  3 22:23:02 mailserver postfix/smtpd[35342]: connect from unknown[85.118.193.164]
Sep  3 22:23:02 mailserver postfix/smtpd[35342]: setting up TLS connection from unknown[85.118.193.164]
Sep  3 22:23:02 mailserver postfix/smtpd[35342]: unknown[85.118.193.164]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Sep  3 22:23:02 mailserver postfix/smtpd[35342]: SSL_accept:before/accept initialization
Sep  3 22:23:03 mailserver postfix/smtpd[35342]: unknown[85.118.193.164]: looking up session BDBC922D7267599A71A060FE280FCC4D4B1BCD87430F53EA81CAFE2CAED4FBEA&s=smtps&l=9470367 in smtpd cache
Sep  3 22:23:03 mailserver postfix/tlsmgr[35070]: lookup smtpd session id=BDBC922D7267599A71A060FE280FCC4D4B1BCD87430F53EA81CAFE2CAED4FBEA&s=smtps&l=9470367
Sep  3 22:23:03 mailserver postfix/tlsmgr[35070]: read smtpd TLS cache entry BDBC922D7267599A71A060FE280FCC4D4B1BCD87430F53EA81CAFE2CAED4FBEA&s=smtps&l=9470367: time=1378236158 [data 127 bytes]
Sep  3 22:23:03 mailserver postfix/smtpd[35342]: unknown[85.118.193.164]: reloaded session BDBC922D7267599A71A060FE280FCC4D4B1BCD87430F53EA81CAFE2CAED4FBEA&s=smtps&l=9470367 from smtpd cache
Sep  3 22:23:03 mailserver postfix/smtpd[35342]: SSL_accept:SSLv3 read client hello A
Sep  3 22:23:03 mailserver postfix/smtpd[35342]: SSL_accept:SSLv3 write server hello A
Sep  3 22:23:03 mailserver postfix/smtpd[35342]: SSL_accept:SSLv3 write change cipher spec A
Sep  3 22:23:03 mailserver postfix/smtpd[35342]: SSL_accept:SSLv3 write finished A
Sep  3 22:23:03 mailserver postfix/smtpd[35342]: SSL_accept:SSLv3 flush data
Sep  3 22:23:04 mailserver postfix/smtpd[35342]: SSL_accept:SSLv3 read finished A
Sep  3 22:23:04 mailserver postfix/smtpd[35342]: unknown[85.118.193.164]: Reusing old session
Sep  3 22:23:04 mailserver postfix/smtpd[35342]: Anonymous TLS connection established from unknown[85.118.193.164]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Sep  3 22:23:05 mailserver postfix/smtpd[35342]: NOQUEUE: reject: RCPT from unknown[85.118.193.164]: 554 5.7.1 <vbotchev@gmail.com>: Relay access denied; from=<vbotchev@orbit.bg> to=<vbotchev@gmail.com> proto=ESMTP helo=<[10.46.34.230]>
Sep  3 22:23:05 mailserver postfix/smtpd[35342]: lost connection after RCPT from unknown[85.118.193.164]
Sep  3 22:23:05 mailserver postfix/smtpd[35342]: disconnect from unknown[85.118.193.164]
```
I have these records in Postfixadmin's table "domain":

```
ALL   0  0  0  0   0  0000-00-00 00:00:00  0000-00-00 00:00:00  1
orbit.bg   1000  1000  1000  0  virtual  0  2013-05-20 21:13:33  2013-05-22 12:50:27  1
mail.orbit.bg  Aslias to orbit.bg  0  1000  1024  0  virtual  0  2013-06-02 12:19:33  2013-06-02 12:19:33  1
```
I'll be grateful if you could help me. Thanks in advance!


----------



## gordon@ (Sep 4, 2013)

Your user is getting blocked because of the reject_unauth_destination in smtpd_recipient_restrictions. The verbiage for that (found at http://www.postfix.org/postconf.5.html#reject_unauth_destination) is:


> Reject the request unless one of the following is true:
> Postfix is mail forwarder: the resolved RCPT TO domain matches $relay_domains or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
> Postfix is the final destination: the resolved RCPT TO domain matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
> The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554).



I don't see in the logs that the user is using SASL, so maybe they aren't authenticating?


----------



## Polideuces (Sep 4, 2013)

Hi @gordon@,

I did a lot of tests, including commenting out reject_unauth_destination (actually everything after permit_sasl_authenticated), and the problem persists. Yes, I think the problem is with SASL, but my remote clients are configured and work fine with our old server. What I have found so far is that these remote clients can send mail to our domain.

This is my configuration in master.cf


```
smtp      inet  n       -       n       -       300      smtpd
smtps     inet  n       -       n       -       300      smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated
    -o smtpd_enforce_tls=yes
```


----------



## pacija (Sep 5, 2013)

Where did you get your instruction on setting master.cf?

I have a working TLS-enabled Postfix/Dovecot2 setup, but it's very different from yours. I suggest you not follow any howtos out there, but strictly follow the official Postfix and Dovecot2 documentation. Keep it simple at first, without MySQL maps (PostfixAdmin); use plain hash tables instead. You can start adding bells and whistles later on when you get the basic functionality working.


----------



## Polideuces (Sep 11, 2013)

Case closed. After a new Postfix update in the ports collection, the problem is solved.

Thanks for all suggestions.


----------



## quintessence (Sep 11, 2013)

Hi,

Since Postfix 2.10 there is a new directive, smtpd_relay_restrictions, which according to the Postfix documentation should allow by default:


> smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)


Unfortunately, in the port from 23.08.2013:

```
Aug 23 11:41 postfix-2.10.0,1
```
by default this directive does not allow SASL-authenticated clients:

```
postconf -d | grep smtpd_relay_restrictions
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
```
So you should set it explicitly in main.cf:

```
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

Maybe it is already fixed in ports. You can check the smtpd_relay_restrictions default value in your updated Postfix.


----------
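The two mechanisms discussed above, reject_unauth_destination as gordon@ quoted it and the smtpd_relay_restrictions default that quintessence found in the port, interact as follows: since Postfix 2.10, smtpd_relay_restrictions is evaluated at RCPT TO before smtpd_recipient_restrictions, and a client must get through both lists, so a permit_sasl_authenticated that appears only in the recipient list cannot rescue a client the relay list has already rejected. The simulator below is an added example written for this page, not code from the thread, from the FreeBSD port or from Postfix. It models only the restrictions named in the thread (every other restriction is treated as "no decision"), and the server domains, mynetworks and client values are constructed to mirror the log excerpt.

```python
"""Simulate how Postfix (2.10+) decides a RCPT TO command.

Added example for this thread; not code from the posters, from the
FreeBSD port or from Postfix. It models only the restrictions the thread
discusses and the one rule that explains the "Relay access denied":
smtpd_relay_restrictions is walked before smtpd_recipient_restrictions,
and the client has to get through both lists. All data below is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Server:
    mynetworks: List[str]
    virtual_mailbox_domains: Set[str]
    mydestination: Set[str] = field(default_factory=set)
    virtual_alias_domains: Set[str] = field(default_factory=set)
    relay_domains: Set[str] = field(default_factory=set)

    def is_authorized_destination(self, domain: str) -> bool:
        """reject_unauth_destination passes only for these destinations."""
        d = domain.lower()
        if d in self.mydestination | self.virtual_mailbox_domains | self.virtual_alias_domains:
            return True
        # relay_domains matches the domain itself or any subdomain of it
        # (the parent_domain_matches_subdomains default covers relay_domains)
        return any(d == r or d.endswith("." + r) for r in self.relay_domains)

    def in_mynetworks(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(n, strict=False) for n in self.mynetworks)


@dataclass
class Client:
    ip: str
    rcpt_domain: str
    sasl_username: Optional[str] = None  # None: no successful AUTH in this session


def parse_restrictions(value: str) -> List[str]:
    """Postfix list parameters are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()


Verdict = Tuple[str, str]  # ("PERMIT" | "REJECT" | "DEFER" | "DUNNO", reason)


def evaluate_list(restrictions: List[str], client: Client, server: Server) -> Verdict:
    """Walk one restriction list left to right; the first restriction that
    makes a decision ends the list. DUNNO means the list decided nothing."""
    for r in restrictions:
        if r == "permit_mynetworks":
            if server.in_mynetworks(client.ip):
                return ("PERMIT", r)
        elif r == "permit_sasl_authenticated":
            if client.sasl_username is not None:
                return ("PERMIT", r)
        elif r in ("reject_unauth_destination", "defer_unauth_destination"):
            if not server.is_authorized_destination(client.rcpt_domain):
                if r.startswith("reject"):
                    return ("REJECT", "554 5.7.1 Relay access denied")
                return ("DEFER", "454 4.7.1 Relay access denied")
        elif r == "permit":
            return ("PERMIT", r)
        elif r == "reject":
            return ("REJECT", "554 5.7.1 Access denied")
        # RBLs, helo/sender checks and policy services are not modelled here:
        # treat them as DUNNO and keep walking the list
    return ("DUNNO", "end of list")


def rcpt_decision(relay_restrictions: str, recipient_restrictions: str,
                  client: Client, server: Server) -> Verdict:
    """Outcome of RCPT TO: smtpd_relay_restrictions first, then
    smtpd_recipient_restrictions. A PERMIT in the first list only ends that
    list; it does not skip the second. A REJECT or DEFER anywhere is final."""
    for name, value in (("smtpd_relay_restrictions", relay_restrictions),
                        ("smtpd_recipient_restrictions", recipient_restrictions)):
        verdict, reason = evaluate_list(parse_restrictions(value), client, server)
        if verdict in ("REJECT", "DEFER"):
            return (verdict, f"{reason} ({name})")
    return ("PERMIT", "passed both lists")


# --- constructed scenario mirroring the thread's log excerpt ------------------
SERVER = Server(mynetworks=["127.0.0.0/8"],
                virtual_mailbox_domains={"orbit.bg", "mail.orbit.bg"})

# the poster's recipient list, reduced to the restrictions modelled here
RECIPIENT = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit"
PORT_DEFAULT = "permit_mynetworks, reject_unauth_destination"       # postfix-2.10.0,1 port
UPSTREAM_DEFAULT = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"
FIXED = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"

REMOTE_AUTH = Client("85.118.193.164", "gmail.com", sasl_username="vbotchev@orbit.bg")
REMOTE_AUTH_LOCAL = Client("85.118.193.164", "orbit.bg", sasl_username="vbotchev@orbit.bg")
REMOTE_ANON = Client("85.118.193.164", "gmail.com")

if __name__ == "__main__":
    for label, relay in (("port default", PORT_DEFAULT),
                         ("upstream default", UPSTREAM_DEFAULT),
                         ("fixed", FIXED)):
        print(f"{label:16} authed -> gmail.com : {rcpt_decision(relay, RECIPIENT, REMOTE_AUTH, SERVER)}")
        print(f"{label:16} authed -> orbit.bg  : {rcpt_decision(relay, RECIPIENT, REMOTE_AUTH_LOCAL, SERVER)}")
        print(f"{label:16} anon   -> gmail.com : {rcpt_decision(relay, RECIPIENT, REMOTE_ANON, SERVER)}")
```

Run it with python3 to see the three relay lists side by side: with the port's default the authenticated remote client is rejected at the relay list before its permit_sasl_authenticated in smtpd_recipient_restrictions is ever reached, while mail to orbit.bg passes in every case, which is exactly the symptom Polideuces described. On a live server the corresponding check is `postconf -d smtpd_relay_restrictions` for the compiled-in default and `postconf smtpd_relay_restrictions` for the effective value. Note also that permit_sasl_authenticated has to appear before reject_unauth_destination in whichever list it is in, since the first matching restriction decides.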



## Polideuces (Sep 11, 2013)

Thanks @quintessence, I think that is the right answer. Be well! And lots of success to all of you guys.


----------

