Solved

Postfix Issue

Posted on 2012-03-29
Last Modified: 2012-04-04
I have some executives that refuse to use Exchange and insist on using postfix.
So I set up a postfix server for them. I have tested this postfix server and it works perfectly using Thunderbird. Here is a successful message:

Mar 27 21:41:15 XXXXpostfix01 postfix/smtp[4761]: A5B1B21694: to=<tra17@gmail.com>, relay=gmail-smtp-in.l.google.com[209.85.225.26]:25, delay=1.3, delays=0.65/0/0.12/0.56, dsn=2.0.0, status=sent (250 2.0.0 OK 1332946033 np1si3148089igc.2)

Now when the executives use the postfix server it fails:

Mar 29 06:55:53 XXXXpostfix01 postfix/smtpd[10291]: NOQUEUE: reject: RCPT from unknown[12.43.172.10]: 554 5.7.1 <XXXXllc@gmail.com>: Recipient address rejected: Relay access denied; from=<XXXtest@mydomain.com> to=<XXXXllc@gmail.com> proto=SMTP helo=<SonyXXXXX.mydomain.com>

These users refuse to tell me what mail client they are using. But the only difference I see is they are using IMAP 554 and they got a different IP for MX record on DNS.

I am stumped, help!
0
Question by:JFTech
11 Comments
 
LVL 21

Assisted Solution

by:Papertrip
Papertrip earned 400 total points
ID: 37784140
What do you have in main.cf for the following options:

mynetworks
smtpd_recipient_restrictions
0
 

Author Comment

by:JFTech
ID: 37784180
smtpd_recipient_restrictions:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = postfix
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_sasl_authenicated_header = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,check_relay_domains
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated
#smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_security_options = noanonymous
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_helo_required = yes
smtpd_delay_reject = no
disable_vrfy_command =yes
smtpd_helo_restrictions = permit_mynetworks,reject_invalid_hostname

My network -

mynetwork = 10.68.0.0/24
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 37784243
Heh that is like a dozen different options jumbled together and hard to read, but I found the option I was looking for: smtpd_client_restrictions = permit_sasl_authenticated

Change the option to the following, reload postfix, and try again.
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

0
 
LVL 21

Assisted Solution

by:Papertrip
Papertrip earned 400 total points
ID: 37784258
If your users are not on 10.68.0.0/24 then make sure you add any networks your clients will be sending from to the mynetworks option.
0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 1600 total points
ID: 37784439
You need to configure Skype auth and have them configure thunderbird to authenticate prior to sending email.
Check master.cf for which features are enabled.
You may want to use secure smtp/tls to have the message transfer between the execs and the server in secure mode rather than plain text.

The ip of the client was public 12.x.x.x network.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 37784503
What does Skype auth have to do with this?  Do you mean SMTP auth?

In regards to the client IP I admit I overlooked that and didn't notice it wasn't RFC 1918, so permit_mynetworks isn't going to fix this particular issue.  Are your users authenticating to the server?
0
 
LVL 79

Expert Comment

by:arnold
ID: 37784511
Auto correction that I did not notice, should be smtp auth.
0
 

Author Comment

by:JFTech
ID: 37787278
Thanks for the replies.
Yes they can authenticate to the email system.
They are able to send emails in to our corporate exchange system.
But get the shown failure when trying to send emails to external mail domains.
As for their 12. address, they travel all over the world. I won't be able to predict what IP they will use. So how can I configure the networks to allow that?
0
 
LVL 79

Accepted Solution

by:
arnold earned 1600 total points
ID: 37787558
The issue and the log entry suggest that they do not actually authenticate.
Into the corporate exchange the authentication might be transparent (NTLM) or completely unnecessary based on the relay rules for the network segments.
While the systems provide similar functionality, they are two different systems and have to be configured individually.
Check the log to see whether there is an entry noting user A authenticated.
0
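The log check suggested in the accepted solution, as an added example that is not part of the original thread: it pairs each "Relay access denied" reject with any SASL evidence logged by the same smtpd process for the same client. The sample lines are constructed (hosts, IPs and users are made up), and matching on (pid, client IP) is an approximation, since one smtpd process serves several sessions.

```python
import re

# Constructed sample lines in Postfix syslog format; not taken from the thread.
SAMPLE_LOG = """\
Mar 29 06:55:50 mail01 postfix/smtpd[10291]: connect from unknown[192.0.2.10]
Mar 29 06:55:53 mail01 postfix/smtpd[10291]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <dest@example.net>: Recipient address rejected: Relay access denied; from=<exec@example.com> to=<dest@example.net> proto=SMTP helo=<laptop.example.com>
Mar 29 06:55:54 mail01 postfix/smtpd[10291]: disconnect from unknown[192.0.2.10]
Mar 29 07:10:01 mail01 postfix/smtpd[10300]: connect from unknown[198.51.100.7]
Mar 29 07:10:02 mail01 postfix/smtpd[10300]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 29 07:10:03 mail01 postfix/smtpd[10300]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <dest@example.net>: Recipient address rejected: Relay access denied; from=<exec2@example.com> to=<dest@example.net> proto=ESMTP helo=<phone>
Mar 29 07:20:11 mail01 postfix/smtpd[10311]: connect from unknown[203.0.113.5]
Mar 29 07:20:12 mail01 postfix/smtpd[10311]: 3F2A121700: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=usera
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")   # smtpd pid and message text
CLIENT_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")        # first host[ip] in the message

def triage(log_text):
    """Return one finding per relay-denied reject, classified by SASL evidence."""
    auth_ok, auth_failed, rejects = set(), set(), []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        ip = CLIENT_IP.search(m.group(2)) if m else None
        if not ip:
            continue
        key, msg = (m.group(1), ip.group(1)), m.group(2)
        if "sasl_username=" in msg:                    # successful AUTH, logged with the queue ID
            auth_ok.add(key)
        elif "SASL" in msg and "authentication failed" in msg:
            auth_failed.add(key)
        elif "Relay access denied" in msg:
            proto = re.search(r"proto=(\S+)", msg)
            rejects.append((key, proto.group(1) if proto else "?"))
    findings = []
    for key, proto in rejects:
        if key in auth_ok:
            verdict = "authenticated-but-rejected"     # look at restriction ordering
        elif key in auth_failed:
            verdict = "auth-failed"                    # wrong credentials or mechanism
        else:
            verdict = "no-auth-attempt"                # client never sent AUTH
        findings.append({"client": key[1], "proto": proto, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `proto=SMTP` value, as in the reject line quoted in the question, means the client greeted with HELO rather than EHLO, so it never received the server's AUTH advertisement.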
 

Author Comment

by:JFTech
ID: 37787724
I assume you want me to check if they auth to the postfix server?

I should give some more background:

The Exchange server is authoritative for the MX record for our domain [@mymail.com].
These executive users do not have mailboxes on the Exchange server. What they have is a contact object on Exchange that has two records - an SMTP address: UserA@mymail.com and an external SMTP address: UserA@mymail.info. I have a connector set up in Exchange to relay any @mymail.info to the postfix server.

Any email these users generate on the postfix server is delivered to the internet by the postfix server.

The log examples I gave show me testing external mail delivery from the postfix server and it working. [Thunderbird]

The next example shows the executive user trying the same test from their client and location and it failing. [Client unknown, they won't tell me =( ]

I am upping the points to 500....
0
 
LVL 79

Expert Comment

by:arnold
ID: 37787821
They could be using their smart phone, but as long as they configure the device to authenticate, the emails will go through.
0
