postfix relayhost implementation problem 1

Status
Not open for further replies.

SteveInTallyFL

Technical User
May 3, 2010
I have installed postfix 2.2.10 (from Oracle Unbreakable Enterprise Linux 4 (kernel 2.6.9-78.0.17.0.1.ELsmp)) on a standalone server. I relay to Rackspace, who requires smtp auth login, to relay. I created the sasl_passwd db and have cyrus sasl running. I created a canonical db to rename messages from a particular local user to a domain that can be resolved by reverse dns lookup. When I send simple test messages using mailx the messages are bounced by Rackspace and not forwarded. I believe that Rackspace is accepting the smtp login to even consider acting on the incoming message with a relay request. What I cannot figure out is what could be wrong with either the canonical configuration or something else that might be messing up creation of the message header and/or address info and leaving Rackspace to not like the RCPT TO information. I have sought assistance at LinuxQuestions and generated 0 replies. I have sought assistance from Oracle Support and received nothing useful.
If someone is willing to look at logs or configs I will be pleased to upload to this thread.
 
Go ahead and post what information you have. There are a few of us here with some experience with Postfix. Maybe we will be able to help.
 
in main.cf:
# Canonical
sender_canonical_maps = hash:/etc/postfix/canonical
myhostname = bog-sas-02.flbog.org
mydomain = flbog.org
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost
relayhost = smtp.emailsrvr.com
smtp_sasl__auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

in canonical:
sas@bog-sas-02.flbog.org sas_do_not_reply@flbog.net
sas@flbog.org sas_do_not_reply@flbog.net
sas sas_do_not_reply

in /var/log/maillog:
Apr 29 10:00:12 bog-sas-02 postfix/pickup[5774]: DE64B5AA28: uid=504 from=<sas>
Apr 29 10:00:12 bog-sas-02 postfix/cleanup[6564]: DE64B5AA28: message-id=<20100429140012.DE64B5AA28@bog-sas-02.flbog.org>
Apr 29 10:00:12 bog-sas-02 postfix/qmgr[21393]: DE64B5AA28: from=<sas_do_not_reply@flbog.net>, size=365, nrcpt=1 (queue active)
Apr 29 10:00:13 bog-sas-02 postfix/smtp[6566]: DE64B5AA28: to=<steven.auerbach@flbog.edu>, relay=smtp.emailsrvr.com[98.129.185.2], delay=1, status=bounced (host smtp.emailsrvr.com[98.129.185.2] said: 554 5.7.1 <sas_do_not_reply@flbog.net>: Sender address rejected: Access denied (in reply to RCPT TO command))
Apr 29 10:00:13 bog-sas-02 postfix/qmgr[21393]: DE64B5AA28: removed

 
Your SMTP server (Postfix) is attempting to contact and relay through smtp.emailsrvr.com. However, smtp.emailsrvr.com is saying relay access denied and it looks like this is due to a lack of user authentication. It appears to recognize that the RCPT TO is NOT for a recipient of its domain, hence it is a relay action.

The first question is, do you have authorization to use this server as a relay host?

Assuming you do, what authentication methods does this server support? If you don't know, you should be able to find out by testing your ability to send the email via telnet.

Using authentication should look something like this in regards to the command structure: MAIL FROM:<e=mc2@example.com> AUTH=e+3Dmc2@example.com. Notice that AUTH= plus the stuff after it, which demonstrates using a form of hashing (md5) to encode the authorization information.

Once you have the authentication method and credentials figured out, you need to configure postfix to use this authentication. Try the following link:
I found it by googling the words "postfix relay smtp authentication".
 
We are authorized. Rackspace expects auth login. We are using cyrus-sasl and have created a sasl_passwd db with the account and password information for the server. What I understand from your reply is that you believe this information is not being provided to Rackspace in the relay transaction so Rackspace bounces us out. What else do I need to tell postfix so it will provide the authentication information to Rackspace?
 
Just tried a telnet to Rackspace. Did not work, either. Here is how it went:
[root@bog-sas-02 postfix]# telnet smtp.emailsrvr.com 25
Trying 98.129.185.2...
Connected to smtp.emailsrvr.com (98.129.185.2).
Escape character is '^]'.
220 relay16.relay.dfw.mlsrvr.com ESMTP - VA Code Section 18.2-152.3:1 forbids use of this system for unsolicited bulk electronic mail (Spam)
HELO flbog.net
250 relay16.relay.dfw.mlsrvr.com
AUTH LOGIN
334 VXNlcm5hbWU6
<< base64 crypt of username >>
334 UGFzc3dvcmQ6
<< base 64 crypt of password >>
235 2.7.0 Authentication successful
MAIL FROM:sas@flbog.org
501 5.1.7 Bad sender address syntax

flbog.org is reverse dns resolvable.

Also tried:
MAIL FROM:sas_do_not_reply@flbog.net
501 5.1.7 Bad sender address syntax

flbog.net is also resolvable.

I am clearly missing something fundamental here.
 
I don't mean to offend, but did you read the second link I suggested?

At the top of the page it states that to get postfix to use sasl authentication you need to:
1) Provide a file, which will hold necessary information about credentials
2) Configure Postfix to enable SMTP AUTH for the smtp daemon
3) Configure Postfix to use the file with the SASL credentials.

It looks like you have at least partially done these things, but unless you have declarations for this function that aren't part of your original post there is no way to tell. These things include running postmap on the (canonical) database, creating the password table, and setting additional security options.


 
I am not offended. I do have the sasl and smtp option set:
smtp_sasl__auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

and there is a sasl_passwd plain text and hashed db file with the account/login information for smtp.emailsrvr.com.

/etc/postfix/sasl_passwd:
smtp.emailsrvr.com sas_do_not_reply@flbog.net:<<clear text password>>


Should I have made this entry as base64 crypt before making the postmap hash:/etc/postfix/sasl_passwd ??

 
The base64 encoding is a good thought, quite frankly. Now that you have mentioned it, I recall seeing in a lot of the tutorials on mail servers regarding how to authenticate that you need to encode the information in base64 and suggesting perl scripts to do so.

One easy way to find out would be to use telnet and try to login and authenticate manually using the information in your databases. Try it using plain text and base64 and see if either of them work.

Once you are able to login manually via telnet, you could use a packet sniffer to see what postfix is trying to send and compare.

 
Telnet was a great suggestion. I was able to get a message to go through that way. This is what the session looked like:
# telnet smtp.emailsrvr.com 25
Trying 72.4.117.9...
Connected to smtp.emailsrvr.com (72.4.117.9).
Escape character is '^]'.
220 relay6.relay.iad.emailsrvr.com ESMTP - VA Code Section 18.2-152.3:1 forbids use of this system for unsolicited bulk electronic mail (Spam)
ehlo flbog.net
250-relay6.relay.iad.emailsrvr.com
250-PIPELINING
250-SIZE 75000000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN CRAM-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250 8BITMIME
auth login
334 VXNlcm5hbWU6
<< base64 of account at emailsrvr.com >>
334 UGFzc3dvcmQ6
<< base64 of password on account
235 2.7.0 Authentication successful
mail from:<sas_do_not_reply@flbog.net>
250 2.1.0 Ok
rcpt to:<MyOfficeEmailName@flbog.edu>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: test telnet smtp

blah blah blah
.
250 2.0.0 Ok: queued as 1322D16CFBE
quit
221 2.0.0 Bye
 
That's great. You now know that it will work. The trick is to get Postfix to duplicate that result, if you haven't yet.

I found this site: which basically re-iterates what we have already covered about using a password file or database and enabling smtp_sasl__auth_enable. It looks like, to get this to work, you would simply substitute the base64 encoded values in your password file. Be sure you rerun postmap on the file and reload postfix.
With any luck, that will get you going.
 
SAS programmers fear the 'missing semicolon'. I fear the 'extra underscore'. It turns out that I coded the smtp_sasl_auth_enable semaphore with an extra underscore. Hard to notice in an SSH session using vim. Anyway, once fixed my postfix test message did go through the authenticate. Message was accepted, and MAIL FROM: and RCPT TO: looked good.

IT IS WORKING! I received my test message in office e-mail.

The test method in the link immediately above worked like a champ and was easy!
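
Added example, not part of the thread and not Postfix's own tooling: a shell check that lists main.cf parameter names which are neither built in nor referenced as user-defined parameters, which is how a misspelling like the doubled underscore above goes unnoticed. The function name `unknown_params`, the `relay_name` parameter and the short known-names list in the demo are assumptions made for illustration.

```shell
# Added example (not from the thread): list main.cf parameter names that are
# neither built in nor user-defined, like the doubled underscore found above.
# usage: unknown_params MAIN_CF KNOWN_NAMES   (one built-in name per line;
# on a Postfix host: postconf -d | awk '{print $1}' > KNOWN_NAMES)
unknown_params() {
    awk '
        FILENAME == ARGV[1] { known[$1] = 1; next }   # first file: known names
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comment or blank line
        { text = text "\n" $0 }                       # kept for $name lookups
        /^[ \t]/ { next }                             # continuation line
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            names[++n] = name; where[n] = FNR
        }
        END {
            for (i = 1; i <= n; i++) {
                name = names[i]
                if (name in known) continue
                # $name, ${name} or $(name) elsewhere marks a user-defined
                # parameter, which Postfix permits, so it is not reported.
                if (text ~ ("[$][{(]?" name "[})]?([^A-Za-z0-9_]|$)")) continue
                printf "%d: %s\n", where[i], name
            }
        }
    ' "$2" "$1"
}

# Constructed demo: settings as posted in the thread plus a user-defined name.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' sender_canonical_maps relayhost smtp_sasl_auth_enable \
        smtp_sasl_password_maps > "$d/known"
    cat > "$d/main.cf" <<'EOF'
sender_canonical_maps = hash:/etc/postfix/canonical
relay_name = smtp.emailsrvr.com
relayhost = $relay_name
smtp_sasl__auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
EOF
    unknown_params "$d/main.cf" "$d/known"
    rm -rf "$d"
}

demo
```

Each reported line is `LINE: name` for an assignment Postfix would silently treat as an unused setting; Postfix 2.9 and later also have `postconf` warn about unused main.cf parameters.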
 