
get zimbra postfix server to relay through another postfix host


bluethundr

Technical User
Jan 4, 2009
31
US
I am trying to get one postfix server (a zimbra server) to authenticate through sasl to another postfix server (production mail) so it can be used as a relay host.

But I notice that the authentication method in /etc/postfix/sasl/smtpd.conf on the other machine is auxprop because that machine uses mysql as a back end.

How do I get the first postfix server (zimbra) to authenticate against the second postfix server so that the second postfix server (production mail) can be used as a relay host?

When I try to send mail using the postfix setup on the zimbra server I get:

: SASL authentication failed; server
mail.beta.beezag.com[192.168.1.10] said: 535 5.7.8 Error: authentication
failed: authentication failure
 
Ok, so you are trying to use "production mail" as a relay host.
1 - Are you able to configure this "production mail" server? Or is it someone else's?
2 - Are these servers on the same network?
3 - Is your Zimbra server on a static IP address?
4 - do you have an authenticated account on the "production mail" server?

There are many ways that production mail could be configured to relay for your zimbra server. Zimbra would be configured to relay to production mail - but production mail must accept these connections, as you figured out. The easiest thing to do would be to configure production mail to accept the network segment the zimbra server is on (part of the permit_mynetworks setup). Otherwise, if production mail is authenticating to a MySQL backend, it would need to have a user name and password configured that Zimbra would log in as to authenticate. If you have configuration access to both servers, it might be easiest to start out using plain text authentication and telnet into production mail to verify that the account has been configured correctly. Also turn on password debugging.


 
hi and thanks

1 - yes I have access to both
2 - yes these are both on 192.168.1.0
3 - production mail is 192.168.1.10 and zimbra is 192.168.1.17
4 - I do have an authenticated account on the production mail server.


I have a thread on this that is a little more developed on the zimbra forums.


here are a few directives that I think may be important:

Code:
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 

smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
 
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit_sasl_authenticated

I can telnet to SMTP on the production host and send no problem at all. If I telnet into zimbra's SMTP I get the same error. I am unsure how to authenticate using the account I set up in MySQL. I could also use some help turning on password debugging.
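As an added example (not from the thread), the first-match evaluation Postfix applies to a restriction list, simulated in Python for the mynetworks value and smtpd_recipient_restrictions quoted above. It shows why the Zimbra host at 192.168.1.17 is permitted by permit_mynetworks without any SASL at all, and why a SASL-authenticated client outside mynetworks would still be refused, because reject_unauth_destination sits ahead of permit_sasl_authenticated. The set of accepted domains and the outside client address are assumptions.

```python
import ipaddress

# Values taken from the main.cf directives quoted in the post above.
MYNETWORKS = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24"
POSTED_RESTRICTIONS = [
    "reject_unauth_pipelining", "permit_mynetworks", "reject_non_fqdn_recipient",
    "reject_unknown_recipient_domain", "reject_unauth_destination",
    "permit_sasl_authenticated",
]
# Same rules, with permit_sasl_authenticated moved ahead of reject_unauth_destination.
REORDERED_RESTRICTIONS = [
    "reject_unauth_pipelining", "permit_mynetworks", "permit_sasl_authenticated",
    "reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
    "reject_unauth_destination",
]
# Assumed: domains this server accepts mail for (mydestination / relay_domains).
ACCEPTED_DOMAINS = {"beta.beezag.com", "foo.com"}


def parse_mynetworks(value):
    """Turn the space-separated mynetworks value into ip_network objects."""
    nets = []
    for tok in value.split():
        tok = tok.replace("[", "").replace("]", "")  # Postfix brackets IPv6 literals
        nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def in_mynetworks(client_ip, nets):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)  # IPv4 vs IPv6 mismatch is simply False


def evaluate(restrictions, client_ip, sasl_authenticated, recipient):
    """Walk the list in order: the first PERMIT or REJECT decides, DUNNO falls through.

    Only the attributes these rules need are modelled; the DNS-based
    reject_unknown_recipient_domain and reject_unauth_pipelining return DUNNO here.
    """
    nets = parse_mynetworks(MYNETWORKS)
    domain = recipient.rpartition("@")[2]
    for rule in restrictions:
        if rule == "permit_mynetworks" and in_mynetworks(client_ip, nets):
            return "PERMIT", rule
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "PERMIT", rule
        if rule == "reject_non_fqdn_recipient" and "." not in domain:
            return "REJECT", rule
        if rule == "reject_unauth_destination" and domain not in ACCEPTED_DOMAINS:
            return "REJECT", rule
    return "PERMIT", "end of list"  # smtpd_recipient_restrictions permits by default


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RESTRICTIONS), ("reordered", REORDERED_RESTRICTIONS)):
        print(name, "zimbra 192.168.1.17 ->", evaluate(rules, "192.168.1.17", False, "x@example.org"))
        print(name, "authenticated outside client ->", evaluate(rules, "203.0.113.5", True, "x@example.org"))
        print(name, "anonymous outside client ->", evaluate(rules, "203.0.113.5", False, "x@example.org"))
```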
 
Hmmm, with 192.168.1.0/24 defined in my networks and the permit_mynetworks, I would have thought that it would have worked...

I looked at the post chain in the referenced forum and the results do look like you are having a problem with authentication with the SQL database. It also looks like you were trying to do a plain authentication but this feature is not enabled.

There is a debug option in postfix. I don't recall the command off hand, but the web page for postfix has a pretty good description of all the parameters. I will try to remember to look tonight and post the answer to that one.

In the mean time, perhaps someone else will have some suggestions.
 
As a follow up to this issue, I did some reading in Postfix, the definitive guide. It turns out that there is a short chapter on setting up incoming and outgoing relays and there are a couple of configuration parameters specific to relays.

Specifically, the "relay_domains" parameter is used to indicate to postfix that it should receive email for that domain. There is also the relay_recipient_maps which can be an SQL or hash mapping. The mapping is of the format: user@example.com any_value. The email address is the user and any value apparently can be anything as it is not used by postfix, but there must be a value there. Typically these values are used for backup exchanges, but it looks like they may be applicable to your installation also.

The chapter also says that to configure postfix to correctly relay you need to 1 - make sure the DNS has been properly configured, 2 - set relay_domains = xxx, 3 - make sure that the transport_maps parameter points to the correct lookup table, 4 - add entries to the transport table.

For item 4, it shows the following example: sales.example.com relay:mail2.example.com.

Lastly, but also very important: *** after you make any configuration changes reload / restart postfix ***

Also, as I previously stated, enable the plain authentication and try it with that. You will still need to do the encoding, but it will remove a layer of encryption.

As far as debug goes: I looked through my own postfix configuration and can't find the debug commands anymore. Apparently I removed them. However, the book says that there is a DEBUG_README file that is installed with the postfix distribution that has all of the debug commands listed in it. Try looking in that file.

Hope that the above helps.
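As an added example (not from the thread), the encoding the reply above refers to: a SASL PLAIN credential is authzid, authcid and password joined by NUL bytes and base64-encoded, which is the string that follows AUTH PLAIN in a manual telnet session. The helper below builds and decodes that token, and check_relay_login uses smtplib to try it against a relay host (only on explicit call, since it opens a connection); host, user and password are constructed placeholders.

```python
import base64
import smtplib


def auth_plain_token(username, password, authzid=""):
    """RFC 4616 PLAIN initial response: authzid NUL authcid NUL passwd, base64-encoded."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """Reverse of auth_plain_token; handy for checking what a client actually sent."""
    authzid, username, password = base64.b64decode(token).decode("utf-8").split("\0")
    return authzid, username, password


def check_relay_login(host, username, password, port=25):
    """Attempt AUTH PLAIN against the relay and return the server's reply.

    STARTTLS is used when the server offers it, so the PLAIN token does not
    cross the wire unprotected. A 535 reply (as in the thread) is returned,
    not raised, so the caller sees the exact text the server gave.
    """
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()
        smtp.user, smtp.password = username, password   # used by smtp.auth_plain
        try:
            code, msg = smtp.auth("PLAIN", smtp.auth_plain)
        except smtplib.SMTPAuthenticationError as err:
            code, msg = err.smtp_code, err.smtp_error
        return code, msg.decode() if isinstance(msg, bytes) else msg


if __name__ == "__main__":
    # Constructed sample credentials, not values from the thread.
    token = auth_plain_token("user@example.com", "s3cret")
    print("AUTH PLAIN", token)
    print(decode_auth_plain(token))
    # check_relay_login("relay.example.com", "user@example.com", "s3cret")  # needs a live host
```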

 
Hmm.. Ok I don't think this mail host is receiving mail at all.

I tried echoing to a user that is in the mail database.

Just 'echo "hello" | mail timd@foo.com'

and this interesting interaction happened in my logs

Code:
Aug 25 15:25:48 mail postfix/qmgr[3024]: 3EA963188B: removed
Aug 25 15:25:48 mail authdaemond: received userid lookup request: root@foo.com
Aug 25 15:25:48 mail authdaemond: authmysql: trying this module
Aug 25 15:25:48 mail authdaemond: authmysqllib: connected. Versions: header 50051, client 50051, server 50051
Aug 25 15:25:48 mail authdaemond: SQL query: SELECT concat(id, '@', mbox_host), crypt, passwd, uid, gid, home, '', quota_couriermaildrop, ''  FROM pop_access  WHERE ( (id = 'root' AND mbox_host = 'beta.beezag.com') OR (id = SUBSTRING_INDEX('root', '%', 1) AND mbox_host = SUBSTRING_INDEX('root', '%', -1)) ) AND active = '1'
Aug 25 15:25:48 mail authdaemond: zero rows returned
Aug 25 15:25:48 mail authdaemond: authmysql: REJECT - try next module
Aug 25 15:25:48 mail authdaemond: authpam: trying this module
Aug 25 15:25:48 mail authdaemond: authpam: username 'root@beta.foo.com' not found in password file
Aug 25 15:25:48 mail authdaemond: authpam: REJECT - try next module
Aug 25 15:25:48 mail authdaemond: FAIL, all modules rejected
Aug 25 15:25:48 mail postfix/pipe[3093]: 5FAE6318D3: to=<root@foo.com>, relay=maildrop, delay=0.06, delays=0.02/0/0/0.04, dsn=5.1.1, status=bounced (user unknown. Command output: Invalid user specified. )
Aug 25 15:25:48 mail postfix/qmgr[3024]: 5FAE6318D3: removed
timd@foo.com


it looks like postfix is not in fact talking to my database.

 
ah-HA! I am getting closer. MySQL can connect and postfix seems to be at least TRYING to extract info from the tables.

I had tried to install something called dtc-postfix-courier that had messed up my authmysqlrc

I have set everything back to the way I believe it should be.

Code:
# DB details for dtc mysql DB
MYSQL_SERVER            db
MYSQL_PORT              3306
MYSQL_DATABASE          maildb
MYSQL_USERNAME          mail
MYSQL_PASSWORD          th3p455
MYSQL_USER_TABLE        users
MYSQL_LOGIN_FIELD       id
MYSQL_CRYPT_PWFIELD     crypt
MYSQL_HOME_FIELD        home
MYSQL_UID_FIELD         uid
MYSQL_GID_FIELD         gid
MYSQL_QUOTA_FIELD       quota
MYSQL_DEFAULT_DOMAIN    beta.beezag.com

# use the experimental query
MYSQL_SELECT_CLAUSE     SELECT concat(id, '@', domains), crypt, passwd, 
uid, gid, home, maildir  FROM users  WHERE ( (id = '$(local_part)' AND 
mbox_host = '$(domain)') OR (id = SUBSTRING_INDEX('$(local_part)', '%', 1) 
AND mbox_host = SUBSTRING_INDEX('$(local_part)', '%', -1)) ) AND active = 
'1'

#MYSQL_CHPASS_CLAUSE     UPDATE pop_access SET passwd='$(newpass)', 
crypt='$(newpass_crypt)' WHERE (id = '$(local_part)' AND mbox_host = 
'$(domain)') OR (id = SUBSTRING_INDEX('$(local_part)', '%', 1)  AND 
mbox_host = SUBSTRING_INDEX('$(local_part)', '%', -1))

here is the table that it is trying to access:

Code:
+-------------------------+----------+------+------+-------------------------+-----------+---------+-----------------+---------------+---------------+-------+------------+----------------+
| id                      | name     | uid  | gid  | home                    | maildir   | enabled | change_password | clear         | crypt         | quota | procmailrc | spamassassinrc |
+-------------------------+----------+------+------+-------------------------+-----------+---------+-----------------+---------------+---------------+-------+------------+----------------+
| timd@foo.com            | timd     | 5000 | 5000 | /var/spool/mail/virtual | timd/     |       1 |               1 | r4nd0mp455    | krypt3d       |       |            |                |
| melissas@foo.com        | melissas | 5000 | 5000 | /var/spool/mail/virtual | melissas/ |       1 |               1 | fTKySjATjqFTA | krypt3d       |       |            |                |
| stevens@foo.com         | stevens  | 5000 | 5000 | /var/spool/mail/virtual | stevens/  |       1 |               1 | fTTiK63Wif92g | krypt3d       |       |            |                |
| root@localhost          | root     | 5000 | 5000 | /var/spool/mail/virtual | root/     |       1 |               1 | ChangeMe      | yVsfS3kiqZP6s |       |            |                |
| timd@beta.foo.com       | timd     | 5000 | 5000 | /var/spool/mail/virtual | timd/     |       1 |               1 | jFWLtgBqNLD0c | krypt3d       |       |            |                |
| bluethundr@beta.foo.com | timd     | 5000 | 5000 | /var/spool/mail/virtual | timd/     |       1 |               1 | ohaysS.DjipEQ | krypt3d       |       |            |                |
| bluethundr@foo.com      | timd     | 5000 | 5000 | /var/spool/mail/virtual | timd/     |       1 |               1 | BiBO6tYLvbzIw | krypt3d       |       |            |                |
+-------------------------+----------+------+------+-------------------------+-----------+---------+-----------------+---------------+---------------+-------+------------+----------------+

here's what's going on in the logs. I think from this I need a little help with the first MySQL query in authmysqlrc. The second query I have no idea what it is or what to do with it so I am commenting it out (for now).


Code:
Aug 25 16:38:47 mail postfix/pickup[3251]: E0ADE318DE: uid=0 from=<root>
Aug 25 16:38:47 mail postfix/cleanup[4178]: E0ADE318DE: message-id=<20090825203847.E0ADE318DE@mx.alpha.beezag.com>
Aug 25 16:38:47 mail postfix/qmgr[3252]: E0ADE318DE: from=<root@beta.beezag.com>, size=290, nrcpt=1 (queue active)
Aug 25 16:39:09 mail postfix/smtpd[4198]: initializing the server-side TLS engine
Aug 25 16:39:09 mail postfix/smtpd[4198]: connect from localhost[127.0.0.1]
Aug 25 16:39:09 mail postfix/smtpd[4198]: 722B7318DA: client=localhost[127.0.0.1]
Aug 25 16:39:09 mail postfix/cleanup[4178]: 722B7318DA: message-id=<20090825203847.E0ADE318DE@mx.alpha.beezag.com>
Aug 25 16:39:09 mail postfix/smtpd[4198]: disconnect from localhost[127.0.0.1]
Aug 25 16:39:09 mail postfix/qmgr[3252]: 722B7318DA: from=<root@beta.beezag.com>, size=752, nrcpt=1 (queue active)
Aug 25 16:39:09 mail amavis[2839]: (02839-05) Passed CLEAN, <root@beta.beezag.com> -> <timd@beta.beezag.com>, Message-ID: <20090825203847.E0ADE318DE@mx.alpha.beezag.com>, mail_id: TwCAcmSIjCZA, Hits: 1.284, size: 290, queued_as: 722B7318DA, 21533 ms
Aug 25 16:39:09 mail postfix/smtp[4180]: E0ADE318DE: to=<timd@beta.beezag.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=22, delays=0.08/0.01/0/22, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=02839-05, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 722B7318DA)
Aug 25 16:39:09 mail postfix/qmgr[3252]: E0ADE318DE: removed
Aug 25 16:39:09 mail authdaemond: received userid lookup request: timd@beta.beezag.com
Aug 25 16:39:09 mail authdaemond: authmysql: trying this module
Aug 25 16:39:09 mail authdaemond: authmysqllib: connected. Versions: header 50051, client 50051, server 50051
Aug 25 16:39:09 mail authdaemond: SQL query: SELECT concat(id, '@', domains), crypt, passwd, uid, gid, home, maildir  FROM users  WHERE ( (id = 'timd' AND mbox_host = 'beta.beezag.com') OR (id = SUBSTRING_INDEX('timd', '%', 1) AND mbox_host = SUBSTRING_INDEX('timd', '%', -1)) ) AND active = '1'
Aug 25 16:39:09 mail authdaemond: mysql_query failed, reconnecting: Unknown column 'domains' in 'field list'
Aug 25 16:39:09 mail authdaemond: authmysqllib: connected. Versions: header 50051, client 50051, server 50051
Aug 25 16:39:09 mail maildrop[4202]: Temporary authentication failure.
Aug 25 16:39:09 mail authdaemond: mysql_query failed second time, giving up: Unknown column 'domains' in 'field list'
Aug 25 16:39:09 mail authdaemond: authmysql: TEMPFAIL - no more modules will be tried
Aug 25 16:39:09 mail postfix/pipe[4201]: 722B7318DA: to=<timd@beta.beezag.com>, relay=maildrop, delay=0.09, delays=0.03/0.01/0/0.04, dsn=4.3.0, status=deferred (temporary failure. Command output: /usr/bin/maildrop: Temporary authentication failure. )

This is what I think I need help with:

Code:
MYSQL_SELECT_CLAUSE     SELECT concat(id, '@', domains), crypt, passwd, uid, gid, home, maildir  FROM users  WHERE ( (id = '$(local_part)' AND mbox_host = '$(domain)') OR (id = SUBSTRING_INDEX('$(local_part)', '%', 1) AND mbox_host = SUBSTRING_INDEX('$(local_part)', '%', -1)) ) AND active = '1'

specifically
Code:
 SELECT concat(id, '@', domains)

I have a separate table called domains. I think I am trying to take the id from the users table, concatenate it with the '@' symbol and pull a domain from the domains table.




 
Yes, I agree that you are getting close to a solution and I also agree that the problem is with the SQL lookup.

Based on the table description in your post above, it looks like you do not have a domains field, but your sql query is trying to access one (select the concatenation of id, @, domains), to which SQL responds that it doesn't know what domains is.

I think your intent was to take these parts of the EMAIL header and do a lookup against your ID field, but instead you are trying to access a non-existent field.

Here is how I have mine setup:
user = xxxx
password = xxxx
hosts = 127.0.0.1
dbname = mail
table = mailbox
select_field = CONCAT(domain,'/',maildir)
where_field = username
additional_conditions = and active = '1'

and the table has username, password, name, maildir, quota, domain, created, modified, and active.

P.S. - I used postfixadmin, which is a PHP based interface to create and maintain the tables. This made it MUCH easier.


 
Ok, I finally got the MySQL portion right (I think), but I am getting a new error in my logs.. closer than ever!! :)

Code:
Aug 27 10:39:32 mail authdaemond: SQL query: SELECT id, "", clear, uid, gid, home, concat(home,'/',maildir), "", name, "" FROM users WHERE id = 'timd@beta.foo.com'  AND (enabled=1)
Aug 27 10:39:32 mail maildrop[32427]: You are not a trusted user.
Aug 27 10:39:32 mail authdaemond: Authenticated: sysusername=<null>, sysuserid=5000, sysgroupid=5000, homedir=/var/spool/mail/virtual, address=timd@beta.foo.com, fullname=timd, maildir=/var/spool/mail/virtual/timd/, quota=<null>, options=<null>
Aug 27 10:39:32 mail authdaemond: Authenticated: clearpasswd=r4nd0mp455, passwd=<null>

This is the offending line:

Aug 27 10:39:32 mail maildrop[32427]: You are not a trusted user.

Thanks for sticking with me through this, I could not have gotten this far without you!
 
Happy to help.

That's a good one you've got now. I did a quick bit of digging on google for the terms maildrop and "you are not a trusted user" (with quotes) and came back with a few hits and I have an idea.

When I created my SQL+postfix setup, I created a chrooted, virtual user called vmail, under which everything runs. I think maildrop is one of the mail delivery programs, specifically the one that delivers to user mboxes. This may indicate that there is a configuration error in either master.cf or main.cf...but here is a line from my master.cf

# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

As you can see, it has user=vmail AND it has a statement about maildrop destination_recipient_limit = 1 in main.cf, if you are using it.

I would suggest checking the user that your system is running as, and check the maildrop parameters in master.cf. You might also want to follow up determining exactly what maildrop is and whether or not you want/need it.
 
Ok, I found this page:


And tried: chmod u+s /usr/bin/maildrop

when I did that I didn't see ANY log activity when I tried to send to that account on the command line.

then I tried: chmod g+s /usr/bin/maildrop

When I did that, THIS started happening in my logs:

Code:
Aug 27 15:07:12 mail authdaemond: SQL query: SELECT id, "", clear, uid, gid, home, concat(home,'/',maildir), "", name, "" FROM users WHERE id = 'timd@beta.foo.com'  AND (enabled=1)
Aug 27 15:07:12 mail authdaemond: Authenticated: sysusername=<null>, sysuserid=5000, sysgroupid=5000, homedir=/var/spool/mail/virtual, address=timd@beta.foo.com, fullname=timd, maildir=/var/spool/mail/virtual/timd/, quota=<null>, options=<null>
Aug 27 15:07:12 mail authdaemond: Authenticated: clearpasswd=jFWLtgBqNLD0c, passwd=<null>
Aug 27 15:07:12 mail maildrop[2982]: Unable to create a dot-lock at /var/spool/mail/virtual/timd/2982.0.mail.
Aug 27 15:07:12 mail postfix/pipe[2981]: BC0672BEBB: to=<timd@beta.foo.com>, relay=maildrop, delay=0.07, delays=0.02/0.01/0/0.03, dsn=4.3.0, status=deferred (temporary failure. Command output: /usr/bin/maildrop: Unable to create a dot-lock at /var/spool/mail/virtual/timd/2982.0.mail.  )

Also I had this line in my master.cf file originally:
Code:
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

And I didn't have a user of that name, so I changed it to this:
Code:
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=virtual argv=/usr/bin/maildrop -d ${recipient}

And of course reloaded postfix. That did not seem to affect things at all however. Inching towards a solution...LOL
 
Yes, you are definitely getting closer.

This time the authdaemon is recognizing the user and postfix is accepting the message into queue. Unfortunately, it was unable to deliver it.

The error message really looks like a permissions issue. Unable to create a dot-lock sounds like it doesn't have write permissions to the directory.

Double check the group:owner permissions.
 
Hmm. It seems like a permissions error to me too...

but..


Code:
drwxr-xr-x 2 virtual virtual  6 2009-05-26 21:45 virtual

that is the /var/spool/mail/virtual directory. For good measure I changed permissions on the mail directory as well and restarted both postfix and courier-authdaemon.

Nada...
 
I wonder if issuing a "dot lock" means obtaining write access to the folder. The only user who has write access to your mail directory is root. This suggests that the virtual user can't access it either.

As a cross check, I checked the permissions on my /var/vmail directory, which is where I have mine configured to and the permission are a little different.

My permissions are: drwxrwx--- vmail:mail, meaning that root and virtual users of the group vmail (of which mail should be a member) have write access to the directory.

My understanding of the purpose is that the virtual users can't log in so that nobody can hijack the accounts to access the directory, but the applications that run as these virtual users can.



 
another theory shot down. :(

Code:
mail:/var/spool# ls -la
total 4
drwxr-xr-x  8 root        root          85 2009-08-25 11:09 .
drwxr-xr-x 14 root        root         138 2009-05-26 22:28 ..
drwxr-xr-x  5 root        root          48 2009-05-26 21:58 cron
drwxr-x---  5 Debian-exim Debian-exim   40 2009-05-26 22:24 exim4
drwxrwxrw-  3 virtual     virtual       31 2009-05-26 21:46 mail
 
Well, I must admit at the moment, I am stumped. Anyone else reading this have any ideas?

I hate to say it, but perhaps another forum such as Linuxquestions.org or another popular linux forum, like ubuntuforums.org might shed some light on this.
 