[SOLVED] Postfix returning "Relay access denied" error.

#1 Wed, 09/16/2009 - 10:51
snoz

Hi, you can view some info (not really relevant, IMO) about this post on the first post here: https://www.virtualmin.com/node/11477

You can throw at me technical stuff, don't worry.

Basically, my problem is I couldn't get postfix to send my emails via smtp when it was for a mail like "mymail@gmail.com", stating it was invalid relaying.

Here's a sample log line:

Sep 16 15:56:35 stock postfix/smtpd[26216]: NOQUEUE: reject: RCPT from XXX: 554 5.7.1 <mymail@gmail.com>: Relay access denied; from=<user@domain.tld> to=<mymail@gmail.com> proto=ESMTP helo=<[XXX]>

The user exists and can be authenticated (though I never really got a password request for it), but I don't believe that's happening.

I tried activating SASL, but it would always get:

Sep 16 15:55:16 stock postfix/smtpd[25653]: warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
Sep 16 15:55:16 stock postfix/smtpd[25653]: fatal: no SASL authentication mechanisms

And I couldn't get out of there... if you can help me, I'd love it.

Anyway, I can only send emails through smtp now because I've got postfix as open-relay.

Here's my main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = XXX
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = XXX
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
mailbox_command = /usr/bin/procmail
smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces reject_unknown_reverse_client_hostname permit_sasl_authenticated check_client_access hash:/etc/postfix/rbl_override permit defer_if_permit

As you can see, I have these two to allow "anything": permit defer_if_permit

I'm using Dovecot + Postfix on Debian 5.

Let me know if you need anything else.

Thank you for your help.
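
Added example (not part of the original post): the smtpd_recipient_restrictions value in the main.cf above contains an unconditional permit, which is what leaves the server an open relay. The sketch below walks a restriction list under a simplified first-match model and reports the outcome for an unauthenticated client outside mynetworks; the function name relay_verdict and the corrected value are assumptions introduced here.

```shell
#!/bin/sh
# relay_verdict "<restriction list>"
# Walks the list left to right (first decisive restriction wins) and prints
# "open" or "closed" for an unauthenticated client outside mynetworks that
# addresses a remote domain.
# Simplified model: conditional restrictions and access tables are assumed
# not to match this client.
relay_verdict() {
    deferred=no
    for r in $(printf '%s' "$1" | tr ',' ' '); do
        case "$r" in
            permit)
                # Unconditional accept, unless an earlier defer_if_permit
                # turns it into a temporary failure.
                if [ "$deferred" = yes ]; then echo closed; else echo open; fi
                return 0 ;;
            reject|defer|reject_unauth_destination|defer_unauth_destination)
                echo closed
                return 0 ;;
            defer_if_permit)
                deferred=yes ;;
            *)  ;;  # permit_mynetworks, permit_sasl_authenticated, tables, ...
        esac
    done
    # Falling off the end of the list is an implicit permit.
    if [ "$deferred" = yes ]; then echo closed; else echo open; fi
}

# Value quoted from the main.cf in the post above.
PAGE_RESTRICTIONS='permit_mynetworks permit_inet_interfaces reject_unknown_reverse_client_hostname permit_sasl_authenticated check_client_access hash:/etc/postfix/rbl_override permit defer_if_permit'
# Constructed corrected value: trusted networks and authenticated users may
# relay, everyone else may only deliver to domains this server handles.
FIXED_RESTRICTIONS='permit_mynetworks permit_sasl_authenticated reject_unauth_destination'

echo "posted main.cf:  $(relay_verdict "$PAGE_RESTRICTIONS")"
echo "corrected value: $(relay_verdict "$FIXED_RESTRICTIONS")"
```

In the posted value the trailing defer_if_permit is never reached, because the permit before it has already accepted the recipient.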

Wed, 09/16/2009 - 10:59
andreychek

This typically occurs whenever the desktop client isn't set up to authenticate for Outgoing Email -- which many don't do by default.

I'd look in the settings for your client, and verify that it's set to authenticate for all Outgoing Email.

-Eric

Wed, 09/16/2009 - 11:11
snoz

Hi Eric,

Thank you so much for your availability.

Unfortunately, I have it set to authenticate, and with the right user/server settings (I'm using thunderbird, so it's kind of common to not associate a correct smtp server with pop account).

Any other suggestion?

Wed, 09/16/2009 - 11:32
andreychek

Sep 16 15:55:16 stock postfix/smtpd[25653]: fatal: no SASL authentication mechanisms

Okay, the above issue appears to be the relevant one here.

What distro/version are you using, and how had you performed the Virtualmin installation?

Also, had you used a fresh install of your distro?

You may want to verify that saslauthd is running... if you run "ps auxw | grep saslauth" -- do you see any processes listed?

-Eric

Wed, 09/16/2009 - 15:07
snoz

Hey Eric,

Currently I don't have SASL auth enabled because it'll crash the email service, but if you're here with me I can afford to let it go down for about an hour or so.

I'm using Debian 5 (lenny).

I used a fresh install. I downloaded the webmin .deb and installed everything except apache from webmin/virtualmin, so virtualmin was installed through webmin (I thought that would be better than the install script).

I have saslauth installed and running.

The weird thing is that I get that error when I enable SASL on Webmin/Postfix, even though saslauth is running. I don't think postfix knows how to get to saslauth or how saslauth is running (what's it accepting, etc.).

Wed, 09/16/2009 - 15:09
andreychek

Okay -- so, it sounds like you may have installed things the hard way :-)

The easy way is with the install.sh, which installs all the dependencies for you, as well as configuring everything such that it should all work right out of the box.

However, from the sound of it, you have some live things running on there now, so I suspect you'd prefer not to start over ;-)

My guess, though, is that you're either missing some dependencies, or that one of them isn't configured quite right.

First, what is the output of this command:

dpkg -l 'sasl' | grep ii

Second, what errors/warnings, if any, do you see in the email log after restarting both Postfix and Saslauthd?

-Eric

Wed, 09/16/2009 - 15:27
snoz

Hey Eric,

There are no errors or warnings at the time it restarts if I enable SASL on Postfix and restart it, only when I try to send an email through SMTP. And the errors that occur are the ones I mentioned above in the first post.

dpkg -l 'sasl' | grep ii

Returns no package, neither does

dpkg -l 'sasl' | grep ii

which I believe is weird, right? I mean saslauthd is installed and running!

Wed, 09/16/2009 - 15:33
andreychek

Hrm, just to be clear as it looks like the forum is mangling the code, the text "sasl" in the dpkg -l command above should be surrounded by asterisks (* characters).

When I run that command, I get this:

ii  libsasl2-2                          2.1.22.dfsg1-23+lenny1     Cyrus SASL - authentication abstraction libr
ii  libsasl2-modules                2.1.22.dfsg1-23+lenny1     Cyrus SASL - pluggable authentication module
ii  sasl2-bin                           2.1.22.dfsg1-23+lenny1     Cyrus SASL - administration programs for SAS

Wed, 09/16/2009 - 15:50
snoz

Doh, my bad, I thought you wanted something specific, thus no *.

Here's what I get then:

ii  libsasl2-2                          2.1.22.dfsg1-23+lenny1   Cyrus SASL - authentication abstraction libr
ii  sasl2-bin                           2.1.22.dfsg1-23+lenny1   Cyrus SASL - administration programs for SAS

So it looks like I'm missing libsasl2-modules. I'm going to install it and let you know if something changes.

Wed, 09/16/2009 - 16:19
snoz

Ok. Now it asks me for a password for the correct user (no tld now :)), but I put the correct one and nothing happens (I think it's too quick to even do a server check). It just asks again and again. It doesn't return an error or anything.

This happens for TLS and no TLS.

I checked the logs, and it looks very normal:

Sep 16 23:13:01 stock postfix/smtpd[22601]: connect from XXX
Sep 16 23:13:02 stock postfix/smtpd[22601]: lost connection after RCPT from XXX
Sep 16 23:13:02 stock postfix/smtpd[22601]: disconnect from XXX

If I don't use SMTP auth, it throws me a Relay access denied error, but that's supposed to happen if SMTP auth is working fine :)

I'm also getting this but I don't think it's related at all so I'm not gonna focus on this just yet (though it does sound bad, and the server did go berserk for a few minutes):

Sep 16 22:21:08 stock postfix/trivial-rewrite[18691]: fatal: epoll_create: Too many open files
Sep 16 22:29:27 stock postfix/smtp[19163]: fatal: epoll_create: Too many open files
Sep 16 22:30:27 stock postfix/error[19197]: fatal: epoll_create: Too many open files
Sep 16 22:44:31 stock postfix/error[19971]: fatal: epoll_create: Too many open files
Sep 16 22:49:26 stock postfix/smtp[20241]: fatal: epoll_create: Too many open files
Sep 16 22:49:27 stock postfix/bounce[20242]: fatal: epoll_create: Too many open files
Sep 16 22:54:27 stock postfix/smtp[20542]: fatal: epoll_create: Too many open files
Sep 16 22:54:27 stock postfix/proxymap[20544]: fatal: epoll_create: Too many open files
Sep 16 22:54:30 stock postfix/error[20545]: fatal: epoll_create: Too many open files
Sep 16 22:55:31 stock postfix/error[20581]: fatal: epoll_create: Too many open files

Do you have any idea why Thunderbird repeatedly asks me for a password without even checking the server? It does look like a Thunderbird error, but I highly doubt it, as it works perfectly fine for other servers, so there is probably something I'm missing. Can you post your main.cf here?

Wed, 09/16/2009 - 16:23
andreychek

I'll see if I can dig up a fairly default main.cf, as mine is pretty customized and isn't likely to work well for you.

What distro/version are you using?

However, the "Too many open files" errors are troubling :-)

What does your /etc/security/limits.conf file have in it?

-Eric

Wed, 09/16/2009 - 16:38
snoz

Debian 5 (lenny)

Nothing there yet, I haven't come to that as I did a fresh install today, but many things are live in there and that's why another fresh install wasn't really thinkable :)

Wed, 09/16/2009 - 16:44
snoz

Ok, after digging up some more on other logs, here's what I've got:

Sep 16 23:41:35 stock postfix/smtpd[24836]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Sep 16 23:41:35 stock postfix/smtpd[24836]: warning: SASL authentication failure: Password verification failed
Sep 16 23:41:35 stock postfix/smtpd[24836]: warning: XXX: SASL PLAIN authentication failed: generic failure
Sep 16 23:41:35 stock postfix/smtpd[24836]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Sep 16 23:41:35 stock postfix/smtpd[24836]: warning: XXX: SASL LOGIN authentication failed: generic failure
Sep 16 23:41:38 stock postfix/smtpd[24836]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Sep 16 23:41:38 stock postfix/smtpd[24836]: warning: SASL authentication failure: Password verification failed
Sep 16 23:41:38 stock postfix/smtpd[24836]: warning: XXX: SASL PLAIN authentication failed: generic failure
Sep 16 23:41:38 stock postfix/smtpd[24836]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Sep 16 23:41:38 stock postfix/smtpd[24836]: warning: XXX: SASL LOGIN authentication failed: generic failure
Sep 16 23:41:39 stock postfix/smtpd[24836]: disconnect from XXX

This indicates something is still not correct ( warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory ). I'm gonna look around for solutions for this, in the meanwhile, feel free to help ;)

Wed, 09/16/2009 - 16:49
snoz

It seems that creating a symlink should help:

ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd

But it didn't for me (and yes, I restarted saslauthd, postfix and dovecot).

Wed, 09/16/2009 - 17:21
snoz

Ok, finally it worked fine!!!

So here's what I did (it has to do with postfix being chroot'd):

First, I had to change in /etc/default/saslauthd OPTIONS var, because it wasn't set for postfix:

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Then, I did this:

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
adduser postfix sasl

Restarted postfix, saslauthd and dovecot and voilà!! It works :D

Now if I run into any more problems with mail, I'll come back and ask for help :D

In the meanwhile, Eric, I'd like to know a way to contact you 'cause I'd love to make a small donation as an appreciation for your time spent with me :)

Wed, 09/16/2009 - 17:41
andreychek

Ok, finally it worked fine!!!

I'm glad you got it working! That's great news.

In the meanwhile, Eric, I'd like to know a way to contact you 'cause I'd love to make a small donation as an appreciation for your time spent with me :)

I appreciate your kind words -- however, there's no need to reimburse me... just say nice things about Virtualmin to people, that'd be plenty :-)

Thanks for the update!

-Eric

Thu, 09/17/2009 - 02:54
snoz

OK, so something must've happened because just a few minutes after I said it was working fine, it wasn't working and I can't figure out why.

I don't believe I changed anything and I know how dumb that sounds (yeah sure, you changed something and you don't remember)...

Anyway, now the error is different. I still have to repeatedly input the SMTP password (the user and password are 100% correct, I tested it with testsaslauthd -u user@domain.tld -p password).

Here's what I get on the logs:

Sep 17 08:48:52 r25074 postfix/smtpd[29567]: connect from XXX
Sep 17 08:48:58 r25074 postfix/smtpd[29567]: warning: SASL authentication failure: Password verification failed
Sep 17 08:48:58 r25074 postfix/smtpd[29567]: warning: XXX: SASL LOGIN authentication failed: authentication failure
Sep 17 08:49:10 r25074 postfix/smtpd[29567]: warning: SASL authentication failure: Password verification failed
Sep 17 08:49:10 r25074 postfix/smtpd[29567]: warning: XXX: SASL PLAIN authentication failed: authentication failure
Sep 17 08:49:12 r25074 postfix/smtpd[29567]: warning: XXX: SASL LOGIN authentication failed: authentication failure
Sep 17 08:49:13 r25074 postfix/smtpd[29567]: disconnect from XXX

So it does look like a simple wrong password thing... at least POP is working correctly:

Sep 17 08:49:18 r25074 dovecot: pop3-login: Login: user=<user@domain.tld>, method=PLAIN, rip=XXX, lip=XXX
Sep 17 08:49:18 r25074 dovecot: POP3(user@domain.tld): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0

Thu, 09/17/2009 - 08:29
andreychek

Just to verify things are working as expected, what is the output of this command:

ps auxw | grep saslauthd

I want to make sure the -r option is in there.

Also, if you restart saslauthd, do you see any errors or warnings in the log files?

-Eric

Thu, 09/17/2009 - 08:41
snoz

-r option isn't there, why? Should it be?

root      5568  0.0  0.1  53044   900 ?        Ss   13:25   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -n 5
root      5595  0.0  0.1  53044   632 ?        S    13:25   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -n 5
root      5597  0.0  0.1  53044   512 ?        S    13:25   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -n 5
root      5598  0.0  0.1  53044   512 ?        S    13:25   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -n 5
root      5599  0.0  0.1  53044   512 ?        S    13:25   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -n 5
root     10760  0.0  0.1   5612   672 pts/0    D+   14:38   0:00 grep saslauthd

I read that -r does this:

Combine the realm with the login before passing to authentication mechanism
Ex. login: "foo" realm: "bar" will get passed as login: "foo@bar"
The realm name is passed untouched.

I thought I was passing the login together with the @domain.tld part, or is that ignored? Should I try with -r? (I can't right now, I'm having some trouble cleaning up bad emails in the queue, 'cause of the open relay, but the users are happy and only in about 4 hours can I make some more tests)

Thu, 09/17/2009 - 09:11
andreychek

Well, I'm a little puzzled, as your post above suggests -r should be there, based on the OPTIONS line in /etc/default/saslauthd:

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

However, in that file, I'd just double-check that the -r option is being passed in.

Using users with an "@" in their name requires some workarounds (it's not the default, and that's all explained in the help text for the "Format for usernames that include domain" Option where you'd set that in the Server Templates).

One of the workarounds is that you have to make sure the -r parameter is being passed into saslauthd.

-Eric
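
Added example (not part of the thread, and not Virtualmin's own code): a check for the three things the fix above and the -r discussion depend on, namely the saslauthd socket directory sitting inside the Postfix chroot, the -r flag being present in OPTIONS, and the postfix user being in the sasl group. The function names and the sample files are constructed for illustration; on a real host the files would be /etc/default/saslauthd and /etc/group.

```shell
#!/bin/sh
# saslauthd_findings FILE [JAIL]
# Reads the OPTIONS= line of a Debian-style /etc/default/saslauthd and prints
# "ok" or the problems the thread ran into. Assumes flags are written
# separately ("-c -r", not "-cr"), as they are on the page.
saslauthd_findings() {
    jail=${2:-/var/spool/postfix}
    # The last uncommented assignment wins, as when the file is sourced.
    opts=$(sed -n 's/^[[:space:]]*OPTIONS=//p' "$1" | tail -n 1 | tr -d "\"'")
    mux= realm=no prev= findings=
    for word in $opts; do
        if [ "$prev" = -m ]; then mux=$word; fi
        if [ "$word" = -r ]; then realm=yes; fi
        prev=$word
    done
    # A chrooted smtpd can only reach a socket directory below the jail.
    case "$mux" in
        "$jail"/*) ;;
        *) findings="socket-outside-chroot" ;;
    esac
    # Without -r the realm ("@domain") is not combined with the login.
    [ "$realm" = yes ] || findings="$findings realm-flag-missing"
    echo "${findings:-ok}" | sed 's/^ //'
}

# group_has_member GROUP USER [GROUPFILE]: succeeds if USER is listed in GROUP.
group_has_member() {
    members=$(awk -F: -v g="$1" '$1 == g { print $4 }' "${3:-/etc/group}")
    case ",$members," in
        *,"$2",*) return 0 ;;
    esac
    return 1
}

# Constructed sample files (not copied from a real host).
tmp=$(mktemp -d)
printf '%s\n' 'OPTIONS="-c -m /var/run/saslauthd"' > "$tmp/before"
printf '%s\n' 'OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"' > "$tmp/after"
printf '%s\n' 'sasl:x:45:postfix' > "$tmp/group"

echo "before: $(saslauthd_findings "$tmp/before")"
echo "after:  $(saslauthd_findings "$tmp/after")"
if group_has_member sasl postfix "$tmp/group"; then
    echo "postfix is in group sasl"
fi
rm -r "$tmp"
```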

Thu, 09/17/2009 - 09:21
snoz

Ok, I read that Help but didn't see that in there, maybe I didn't pay that much attention to it. I mostly saw variables.

Anyway, I put the -r in there (it was missing) and later on I'll check if that fixes it.

But, for what you're telling me, it should work fine. I'll update you.

I have another topic I'm having trouble with, can you see private topics? If not, I can make it public.

Thu, 09/17/2009 - 09:29
andreychek

Ok, I read that Help but didn't see that in there, maybe I didn't pay that much attention to it. I mostly saw variables.

No worries, there's a ton of things to have to remember when getting a new server set up :-) I was only suggesting that if you wanted a deeper explanation, you could peek in there.

Hrm, but upon closer inspection, it doesn't actually mention -r in there anymore.

I suspect Jamie has since set it up to automatically add that in (as your line above suggests it once was), but I think something may have gone awry in all this troubleshooting :-)

Anyhow, that's neither here nor there -- with the -r, it should do the trick for you :-)

I have another topic I'm having trouble with, can you see private topics? If not, I can make it public.

Yup! I saw it... there's a bazillion forum posts and bug tracker issues this morning that I'm trying to get caught up on, but I'll work my way over to that here shortly :-)

Thanks!

-Eric

Thu, 09/17/2009 - 17:48
snoz

Seems this is solved.

The emails are looking like they're taking too much time to get out of the queue, but it doesn't seem related to the topic, so I'm marking this as solved if tomorrow brings no problems :)
