# [SOLVED]postfix doesn't accept incoming mail

## boudewijn

Hi

I've been messing around with postfix for the last couple of days, and I ran into some kind of problem.

My mail will not get delivered, and postfix will NOT EHLO either.

But I can connect to the IP at port 25 (using telnet). The box is running gentoo on amd64.

This is my config:

```
Password:
mail boudewijn # cat /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, tendam-bremer.nl
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.1.0/24
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:
                xxgdb = $daemon_directory/$process_name $process_id & sleep 5
                sendmail_path = /usr/sbin/sendmail
                newaliases_path = /usr/bin/newaliases
                mailq_path = /usr/bin/mailq
                setgid_group = postdrop
                manpage_directory = /usr/share/man
                readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme
                default_destination_concurrency_limit = 2
                alias_database = hash:/etc/mail/aliases
                local_destination_concurrency_limit = 2
                alias_maps = hash:/etc/mail/aliases
                home_mailbox = .maildir/
masquerade_domains = tendam-bremer.nl
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

It will be used for a single domain only, so virtual hosting etc. will not be an issue. The IP of the box is 192.168.1.2, so mynetworks should be fine. The port mapping is also fine:

```
Connection to tendam-bremer.nl closed.
bigmac:~ boudewijn$ telnet
Display all 108 possibilities? (y or n)
bigmac:~ boudewijn$ telnet tendam-bremer.nl 25
Trying 62.59.177.186...
Connected to tendam-bremer.nl.
Escape character is '^]'.
EHLO tendam-bremer.nl
```

After sending the EHLO it seems to hang....

In messages, I find this:

```
Jun 13 16:15:26 mail postfix/smtpd[5278]: smtpd_sasl_initialize: SASL config file is smtpd.conf
Jun 13 16:15:26 mail postfix/smtpd[5278]: fatal: SASL per-process initialization failed
Jun 13 16:15:27 mail postfix/master[4709]: warning: process /usr/lib/postfix/smtpd pid 5278 exit status 1
Jun 13 16:15:27 mail postfix/master[4709]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
```

And the smtpd.conf (in /etc/sasl2) looks like this:

```
mail boudewijn # cat /etc/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method:saslauthd
mech_list : plain login
```

For the sake of completeness:

```
mail boudewijn # cat /etc/conf.d/saslauthd
SASLAUTH_MECH=shadow
SASL_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes
SASLAUTHD_OPTS="-a ${SASLAUTH_MECH}"
mail boudewijn #
```

Does anyone know what's wrong here? (I've restarted both saslauthd and postfix a few times).

----------

## boudewijn

nobody?

Sorry for the brutal kick, but I'm getting quite sick of messing around with that piece of software for almost a whole week   :Crying or Very sad: 

----------

## Drunkula

Sorry.  I can't help!  I had Postfix setup for awhile with SASL but that was quite some time ago - and even then the SASL stuff was bewildering to me.

Perhaps the bump will get a useful bite this time.

----------

## overkll

Your main.cf looks strange to me so I checked something.  At the top of the main.cf example file, there is a blurb:

 *Quote:*   

> # The general format of each line is: parameter = value. Lines
> 
> # that begin with whitespace continue the previous line. A value can
> 
> # contain references to other $names or ${name}s.

 

This being the case, your "debugger_command=" line is including many separate configuration parameters that should have * NO * whitespace in front of them.  Try removing the whitespace in that section, like so:

```
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:
        xxgdb = $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
```

and issue a "postfix reload"

Hope this helps.

----------

## boudewijn

Well, I had some bite because of my kick \o/

Just tried sending an email to my account on the server:

```
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: mynetworks ~? debug_peer_list
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: mynetworks ~? fast_flush_domains
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: mynetworks ~? mynetworks
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: relay_domains ~? debug_peer_list
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: relay_domains ~? fast_flush_domains
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: relay_domains ~? mynetworks
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: relay_domains ~? permit_mx_backup_networks
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: relay_domains ~? qmqpd_authorized_clients
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: relay_domains ~? relay_domains
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: permit_mx_backup_networks ~? debug_peer_list
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: permit_mx_backup_networks ~? fast_flush_domains
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: permit_mx_backup_networks ~? mynetworks
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
Jun 14 22:53:15 mail postfix/smtpd[12037]: connect to subsystem private/proxymap
Jun 14 22:53:15 mail postfix/smtpd[12037]: send attr request = open
Jun 14 22:53:15 mail postfix/smtpd[12037]: send attr table = unix:passwd.byname
Jun 14 22:53:15 mail postfix/smtpd[12037]: send attr flags = 64
Jun 14 22:53:15 mail postfix/smtpd[12037]: private/proxymap socket: wanted attribute: status
Jun 14 22:53:15 mail postfix/smtpd[12037]: input attribute name: status
Jun 14 22:53:15 mail postfix/smtpd[12037]: input attribute value: 0
Jun 14 22:53:15 mail postfix/smtpd[12037]: private/proxymap socket: wanted attribute: flags
Jun 14 22:53:15 mail postfix/smtpd[12037]: input attribute name: flags
Jun 14 22:53:15 mail postfix/smtpd[12037]: input attribute value: 80
Jun 14 22:53:15 mail postfix/smtpd[12037]: private/proxymap socket: wanted attribute: (list terminator)
Jun 14 22:53:15 mail postfix/smtpd[12037]: input attribute name: (end)
Jun 14 22:53:15 mail postfix/smtpd[12037]: dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=0120
Jun 14 22:53:15 mail postfix/smtpd[12037]: dict_open: proxy:unix:passwd.byname
Jun 14 22:53:15 mail postfix/smtpd[12037]: dict_open: hash:/etc/mail/aliases
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? debug_peer_list
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? fast_flush_domains
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? mynetworks
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? permit_mx_backup_networks
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? qmqpd_authorized_clients
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? relay_domains
Jun 14 22:53:15 mail postfix/smtpd[12037]: match_string: smtpd_access_maps ~? smtpd_access_maps
Jun 14 22:53:15 mail postfix/smtpd[12037]: smtpd_sasl_initialize: SASL config file is smtpd.conf
Jun 14 22:53:15 mail postfix/smtpd[12037]: fatal: SASL per-process initialization failed
Jun 14 22:53:16 mail postfix/master[12016]: warning: process /usr/lib/postfix/smtpd pid 12037 exit status 1
Jun 14 22:53:16 mail postfix/master[12016]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
```

SASL still isn't working  :Sad: 

I'm afraid I can't use postfix without it...

Is the space-on-begin-is-comment rule also valid for the SASL files?

----------

## boudewijn

another strange thing:

```
bigmac:~ boudewijn$ telnet <domain> 25
Trying <IP>...
Connected to <domain>.
Escape character is '^]'.
EHLO <domain>
```

This is the output of telnet from outside... it timed out after the EHLO.

I just tried to connect to another server (just the same setup):

```
bigmac:~ boudewijn$ telnet vbds.nl 25
Trying 82.92.214.58...
Connected to vbds.nl.
Escape character is '^]'.
220 mail.vbds.nl ESMTP Postfix
EHLO vbds.nl
250-mail.vbds.nl
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
```

Before having done anything in the telnet session, it gives a 220 code.... which the problematic setup does NOT do. (The working one is Gentoo, amd64 too, and also using postfix.)

----------

## boudewijn

/usr/sbin/postfix check did not return any errors.

and the postfinger output:

```
postfinger - postfix configuration on Wed Jun 14 23:42:57 CEST 2006
version: 1.30

Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public.  If this is the case it is your responsibility to modify
the output to hide this private information.  [Remove this warning with
the --nowarn option.]

--System Parameters--
mail_version = 2.2.5
hostname = mail
uname = Linux mail 2.6.15 #2 SMP Wed May 31 07:33:04 Local time zone must be set--see zic  x86_64 AMD Athlon(tm) 64 Processor 3200+ GNU/Linux

--Packaging information--

--main.cf non-default parameters--
broken_sasl_auth_clients = yes
default_destination_concurrency_limit = 2
home_mailbox = .maildir/
mailbox_command = /usr/bin/procmail
masquerade_domains = tendam-bremer.nl
mydestination = $myhostname, localhost.$mydomain, tendam-bremer.nl
mynetworks = 127.0.0.0/8 192.168.1.0/24
readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 450

--master.cf--
smtp      inet  n       -       n       -       -       smtpd -v
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

-- end of postfinger output --
```

postfinger can be found here, btw: http://ftp.wl0.org/SOURCES/postfinger

----------

## Non_E

Does it work without all that sasl stuff?

----------

## boudewijn

 *Non_E wrote:*   

> Does it work without all that sasl stuff?

 

how to turn it off?

(well that's not tough, but i should make sure there is some way to authenticate  :Wink:  )

----------

## overkll

OK, I think I found another problem in your main.cf file.

```
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination
```

Try changing it to:

```
smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination
```

The "smtpd_recipient_restrictions" may not sound like what you want, but it is the last smtpd restriction test, it performs all previous stage checks (helo, client, sender, and recipient), and it is required.  Here's a table straight from SMTP_ACCESS_README:

```
The table below summarizes the purpose of each SMTP access restriction list.
All lists use the exact same syntax; they differ only in the time of evaluation
and in the effect of a REJECT or DEFER result.

    |Restriction list name         |Status  |Effect of REJECT or DEFER result|
    |                              |        |                                |
    |smtpd_client_restrictions     |Optional|Reject all client commands      |
    |                              |        |                                |
    |smtpd_helo_restrictions       |Optional|Reject HELO/EHLO information    |
    |                              |        |                                |
    |smtpd_sender_restrictions     |Optional|Reject MAIL FROM information    |
    |                              |        |                                |
    |smtpd_recipient_restrictions  |Required|Reject RCPT TO information      |
    |                              |        |                                |
    |smtpd_data_restrictions       |Optional|Reject DATA command             |
    |                              |        |                                |
    |smtpd_end_of_data_restrictions|Optional|Reject END-OF-DATA command      |
    |                              |        |                                |
    |smtpd_etrn_restrictions       |Optional|Reject ETRN command             |
    |                              |        |                                |
```

You were also missing "permit_mynetworks".  I've changed the formatting (added whitespace) just to make it easier to view the separate options.  Your format is correct as well.

I'd turn off SASL for now to test.  The log you posted spits out:

```
Jun 14 22:53:15 mail postfix/smtpd[12037]: fatal: SASL per-process initialization failed
Jun 14 22:53:16 mail postfix/master[12016]: warning: process /usr/lib/postfix/smtpd pid 12037 exit status 1
Jun 14 22:53:16 mail postfix/master[12016]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
```

Just comment out all the SASL lines in your main.cf file.  If you still get the "bad command startup -- throttling" after disabling SASL, then there is still an error in your main.cf and/or master.cf file.

In general, one should try to change only a few parameters at a time, then test.  If it works, change a few more and test again.  Keep repeating until postfix is set up like you want.  If you try to do it all in one take, it's difficult to pinpoint the problem.

There are many excellent links to postfix howtos at www.postfix.org for different setups.  You should take a look at a few.  Personally I've mixed and matched many options from different howtos over the years.
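As an added example that is not from this thread or from Postfix itself, here is a toy evaluator for an smtpd_recipient_restrictions list. It models the three entries recommended above and walks them in order for a few constructed SMTP sessions, which makes visible why permit_mynetworks lets the LAN relay, why an Internet client can still deliver to a local mailbox, and why reject_unauth_destination is the entry that stops relaying: the same list without it permits everything that reaches the end. The networks, domains and client addresses are constructed stand-ins, not the poster's.

```python
"""Toy model of a Postfix smtpd_recipient_restrictions list.

Added example for this thread; it is not Postfix's code.  Each restriction
returns PERMIT, REJECT or DUNNO ("no opinion, try the next one"), and the
list is walked left to right exactly as Postfix does.
"""
import ipaddress

# Constructed stand-ins for the main.cf values discussed in the thread.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]
MYDESTINATION = {"mail.example.nl", "localhost.example.nl", "example.nl"}
RELAY_DOMAINS = set()


def permit_mynetworks(session):
    """Trusted LAN clients may send anywhere."""
    client = ipaddress.ip_address(session["client_ip"])
    return "PERMIT" if any(client in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(session):
    """Clients that authenticated with SASL may send anywhere."""
    return "PERMIT" if session.get("sasl_username") else "DUNNO"


def reject_unauth_destination(session):
    """Anyone may deliver to our own domains; relaying elsewhere is refused."""
    domain = session["recipient"].rpartition("@")[2].lower()
    if domain in MYDESTINATION or domain in RELAY_DOMAINS:
        return "DUNNO"
    return "REJECT"


RESTRICTIONS = {fn.__name__: fn for fn in
                (permit_mynetworks, permit_sasl_authenticated,
                 reject_unauth_destination)}

# Entries Postfix accepts as "this list blocks unauthorised relaying".
RELAY_GUARDS = {"reject_unauth_destination", "check_relay_domains",
                "reject", "defer", "defer_if_permit"}


def evaluate(restriction_list, session):
    """Return (verdict, reason) for one RCPT TO.

    The first PERMIT or REJECT decides; DUNNO moves on.  An exhausted list
    permits, which is why the list must contain a relay guard.  A name
    that is not a restriction is a server configuration error in Postfix,
    reported to the client as 451.
    """
    for name in restriction_list:
        fn = RESTRICTIONS.get(name)
        if fn is None:
            return "REJECT", f"451 Server configuration error (unknown restriction {name!r})"
        verdict = fn(session)
        if verdict != "DUNNO":
            return verdict, name
    return "PERMIT", "end of list"


def is_relay_safe(restriction_list):
    """Mirror Postfix 2.x's startup check: smtpd refuses a recipient
    restriction list that has no relay-blocking entry at all."""
    return any(name in RELAY_GUARDS for name in restriction_list)


RECOMMENDED = ["permit_mynetworks", "permit_sasl_authenticated",
               "reject_unauth_destination"]

# Constructed sessions (RFC 5737 documentation address for the outside client).
LAN_TO_EXTERNAL = {"client_ip": "192.168.1.10", "recipient": "friend@elsewhere.example"}
INTERNET_TO_LOCAL = {"client_ip": "203.0.113.5", "recipient": "boudewijn@example.nl"}
INTERNET_TO_EXTERNAL = {"client_ip": "203.0.113.5", "recipient": "someone@elsewhere.example"}
SASL_TO_EXTERNAL = {"client_ip": "203.0.113.5", "sasl_username": "boudewijn",
                    "recipient": "friend@elsewhere.example"}

if __name__ == "__main__":
    for label, s in (("LAN -> external", LAN_TO_EXTERNAL),
                     ("Internet -> local", INTERNET_TO_LOCAL),
                     ("Internet -> external", INTERNET_TO_EXTERNAL),
                     ("SASL -> external", SASL_TO_EXTERNAL)):
        print(f"{label:22} {evaluate(RECOMMENDED, s)}")
    print("without reject_unauth_destination:",
          evaluate(RECOMMENDED[:2], INTERNET_TO_EXTERNAL),
          "relay safe:", is_relay_safe(RECOMMENDED[:2]))
```

Run it directly to print the verdicts. The last line is the open-relay case: with only the two permit entries, an unauthenticated Internet client reaches the end of the list and is permitted to relay, which is exactly the configuration Postfix's startup check exists to refuse.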

----------

## boudewijn

okay.

At first: thanks for helping me! This is one of the best things about the Gentoo community.

Second:

I removed all the SASL stuff and fixed the smtpd_client_restrictions. It seems to work now... I get a '220' when telnetting.

Would you please have a look at the sasl stuff too? (I just did, and can not find the problem).

----------

## overkll

 *boudewijn wrote:*   

> okay.
> 
> At first: thanks for helping me! This is one of the best things about the Gentoo community.

 

You're welcome

 *boudewijn wrote:*   

> Second:
> 
> I removed all the SASL stuff and fixed the smtpd_client_restrictions. It seems to work now... I get a '220' when telnetting.
> 
> Would you please have a look at the sasl stuff too? (I just did, and can not find the problem).

 

For Postfix:

Post your main.cf, master.cf, and error log.

SASL:

What program are you using for sasl?  cyrus-sasl?

Post smtpd.conf and any other sasl config file you are using.

TLS/SSL:

Are you using TLS/SSL too?

How did you get to this current configuration?  Did you use a guide?  If so, which one?

Post the output of "emerge -pv postfix cyrus-sasl"

Post the output of "emerge --info" as well

----------

## boudewijn

All right: I will use TLS or SSL in the future; it's a nice feature.

I'm using cyrus-sasl. 

The guide: the one on gentoo-wiki.com (email system for the home network). I haven't used it before. My standard mail setup (about five boxes currently deployed... and stable as a rock) is from gentoo.org itself (the documentation\administration part).

saslauthd and smtpd.conf: please have a look at my start posts. I don't mind reposting them, although there might be people who would consider that spam.

Installed versions:

```
Calculating dependencies ...done!
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.21-r2
[ebuild   R   ] mail-mta/postfix-2.2.5
```

Currently I'm not using any kind of SSL or TLS, the inbound mail is sent without SSL\TLS.

Outbound mail is done using mutt (just like the checking of my mailbox).

smtpd.conf:

```
mail boudewijn # cat /usr/lib64/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method:saslauthd
mech_list : plain login
mail boudewijn # cat /etc/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method:saslauthd
mech_list : plain login
```

And the rest (please tell me if you need more):

```
mail postfix # cat main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, <domain>
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.1.0/24
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
        PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:
        xxgdb = $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
masquerade_domains = <domain>
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_sasl_local_domain =
#broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination
                    smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
mail postfix # grep -v '^#' master.cf
smtp      inet  n       -       n       -       -       smtpd -v
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
```

Thanks btw, dude!

edit:

Connecting through telnet now results in normal output:

```
bigmac:~ boudewijn$ telnet <domain> 25
Trying <IP>...
Connected to tendam-bremer.nl.
Escape character is '^]'.
220 mail.<domain> ESMTP Postfix
ehlo <domain>
250-mail.<domain>
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
^]
telnet> Connection closed.
```

----------

## boudewijn

Hell.

I was just messing around a bit with mutt as user 'boudewijn'. Boudewijn is my unprivileged user on the box, and the mail for root is redirected to 'boudewijn' (via an alias in /etc/mail/aliases).

There are about 12 new mails, all containing this (or some equivalent content):

```
Return-Path: double-bounce@<domain>
X-Original-To: postmaster
Delivered-To: root@mail.<domain>
Received: by mail.<domain>       (Postfix)
        id 5C8B19003A; Thu, 15 Jun 2006 22:19:37 +0200 (11mer.nl>

Transcript of session follows.

 Out: 220 mail.<domain> ESMTP Postfix
 In:  EHLO dionysos.<myowndomain>
 Out: 250-mail.<domain>
 Out: 250-PIPELINING
 Out: 250-SIZE 10240000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250 8BITMIME
 In:  MAIL FROM:<boudewijn@<myowndomain>.nl> SIZE=739
 Out: 250 Ok
 In:  RCPT TO:<boudewijn@<domain>.nl>
 Out: 451 Server configuration error
 In:  DATA
 Out: 554 Error: no valid recipients
 In:  RSET
 Out: 250 Ok
 In:  QUIT
 Out: 221 Bye
```

I've sent my mails (about 2) to boudewijn@<domain>. Also telnetted a few times....

----------

## overkll

 *boudewijn wrote:*   

> Allright: I will use TLS or SSL in the future; it's a nice feature.
> 
> I'm using cyrus-sasl. 

 

Lets get sasl going first.

 *boudewijn wrote:*   

> The guide: the one on gentoo-wiki.com (email system for the home network). I haven't used it before. My standard mail setup (about five boxes currently deployed... and stable as a rock) is from gentoo.org itself (the documentation\administration part).

 

Thought so.  No offense to the authors at gentoo-wiki, but I've found most of the articles there inaccurate, incomplete, and/or out of date.  Docs at gentoo.org are usually much better, but also get outdated from time to time.

 *boudewijn wrote:*   

> saslauthd and smtpd.conf : please have a look at my start-posts. I don't mindd reposting them, although there might be people who are considering that being spam.

 

Just want to make sure nothing has changed.

 *boudewijn wrote:*   

> Installed versions:
> 
> ```
> 
> Calculating dependencies ...done!
> ...

 

You forgot the -v option.  I want to see which USE flags are enabled/disabled.

 *boudewijn wrote:*   

> Currently I'm not using any kind of SSL or TLS, the inbound mail is sent without SSL\TLS.
> 
> Outbound mail is done using mutt (just like the checking of my mailbox).
> 
> smtpd.conf:
> ...

 

Looks good so far...

 *boudewijn wrote:*   

> And the rest (please tell me if you need more):
> 
> ```
> mail postfix # cat main.cf 
> 
> ...

 

I don't see either "mydomain" or "myhostname".  That's a problem!  Should be something like:

```
mydomain = mydomain.nl
myhostname = mailserver.mydomain.nl
```

Also, you need to change your smtpd_recipient_restrictions line to EXCLUDE "smtpd_use_tls = yes".  That's not a restriction, it's a parameter for TLS/SSL.  Remember the whitespace line continuation I mentioned earlier?  Jeetje! Wat ben je aan het doen? Grapje. ("Jeez! What are you doing? Joke.")  Just kidding  :Smile:   Also comment all the tls stuff for now.  That section should appear like so:

```
smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination
#smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
#smtpd_tls_key_file = /etc/ssl/postfix/server.key
#smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
#smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
#smtpd_tls_loglevel = 3
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
```

 *boudewijn wrote:*   

> 
> 
> ```
> mail postfix # grep -v '^#' master.cf 
> 
> ...

 

Looks good.  You didn't change anything in master.cf did you (except for the -v for logging)?

 *boudewijn wrote:*   

> Thanks btw, dude!

 

You're welcome.

 *boudewijn wrote:*   

> edit:
> 
> Connecting through telnet now results in normal output:
> 
> ```
> ...

 

This looks good.

Apply the changes to main.cf and test again (postfix reload).  I think the error messages you are getting:

```
Out: 451 Server configuration error
```

might be related to not having mydomain or myhostname in your main.cf.  Check your mail log (/var/log/mail.log) for more specific errors.

Also, did you "postmap /etc/mail/aliases" after you added the root alias?  If so, you should have a /etc/mail/aliases.db file.

"postfix check" probably wouldn't hurt either.

EDIT:  Forgot to mention something... This is an excellent guide to Postfix/SASL/TLS.  Step by step instructions including explanation and testing as you go.  Though it is geared toward Red Hat, the configuration and testing info is much better than I could ever do here.  Suggest you check it out.

----------

## boudewijn

okay:

The aliases stuff:  I did a newaliases. According to "Postfix" by O'Reilly this should be enough. I'll run your command in a few minutes (can't hurt, I presume).

You're Dutch too? (according to: jeetje wat ben je aan het doen?  :Wink:  )

Indeed, I've only changed the -v parameter.... 

About the wiki folks: most of the howtos do *not* work very well, I'm afraid. The gentoo.org stuff is really good indeed, but there's usually not enough (although in the virtual mail howto on gentoo.org, there are also some mistakes which I'll report soon).

edit:

Shouldn't mydomain and myhostname be extracted from hostname --fqdn if not specified otherwise?

I'll put them in the config.

Also: mydestination is missing! This is a really valid reason for postfix to drop those emails, if I'm correct.

edit2: It IS in the config. I've been awake for too long :+

----------

## overkll

 *boudewijn wrote:*   

> okay:
> 
> The aliases stuff:  I did a newaliases. According to "Postfix" by O'Reilly this should be enough. I'll run your command in a few minutes (can't hurt, I presume).

 

newaliases is good enough, does the same.

 *boudewijn wrote:*   

> You're Dutch too? (according to: jeetje wat ben je aan het doen?  )
> 
> Indeed, I've only changed the -v parameter.... 

 

Nope, American.  Lived in Tilburg for about 4 years and learned Dutch.

 *boudewijn wrote:*   

> About the wiki folks: most of the howtos do *not* work very well, I'm afraid. The gentoo.org stuff is really good indeed, but there's usually not enough (although in the virtual mail howto on gentoo.org, there are also some mistakes which I'll report soon).

 

Check out the link I added to my last post.  It should be very helpful.

 *boudewijn wrote:*   

> edit:
> 
> Shouldn't mydomain and myhostname be extracted from hostname --fqdn if not specified otherwise?
> 
> I'll put them in the config.

 

Did it help?  What about the "emerge -pv cyrus-sasl postfix" output?  I'd still like to see the USE flags.

 *boudewijn wrote:*   

> Also: mydestination is missing! This is a really valid reason for postfix to drop those emails, if I'm correct.
> 
> edit2: It IS in the config. I've been awake for too long :+

 

LOL, yes you have!

----------

## boudewijn

I'll check your link out tomorrow; had a very tough day today.

the emerge output:

```
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.21-r2  USE="berkdb crypt gdbm mysql pam ssl -authdaemond -java -kerberos -ldap -ntlm_unsupported_patch -postgres -sample -srp -urandom" 0 kB 
[ebuild   R   ] mail-mta/postfix-2.2.5  USE="mysql pam sasl ssl -hardened -ipv6 -ldap -mailwrapper -mbox -nis -postgres -vda" 0 kB 
```

About Tilburg: nice, I live near it (near Eindhoven).

----------

## overkll

You may want to re-emerge postfix with -mysql if you're not going to use mysql with it.

----------

## boudewijn

 *overkll wrote:*   

> You may want to re-emerge postfix with -mysql if you're not going to use mysql with it.

 

Okay, I will, but it isn't necessary.

I was doubting whether I should deploy a DB-based solution or not, and I chose the 'simple' way, just because it's about 5-10 addresses and 4 people, all in the same domain.

----------

## boudewijn

Inbound email is still not working:

```
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
72A86178ACD      739 Thu Jun 15 21:21:50  boudewijn@my_domain
(host mx2.domain2[IP] said: 451 Server configuration error (in reply to RCPT TO command))
                                         boudewijn@domain2
7EDDF3601AF      575 Wed Jun 14 22:52:41  boudewijn@my_domain
(host mx2.domain2[IP] said: 451 Server configuration error (in reply to RCPT TO command))
                                         boudewijn@domain2
E40BD179642      557 Fri Jun 16 00:20:39  boudewijn@my_domain
(host mx2.domain2[IP] said: 451 Server configuration error (in reply to RCPT TO command))
                                         boudewijn@domain2
3BBB4179657      571 Tue Jun 13 13:44:57  boudewijn@my_domain
(host mx2.domain2[IP] said: 451 Server configuration error (in reply to RCPT TO command))
                                         boudewijn@domain2
0F8EA178254      557 Fri Jun 16 19:45:36  boudewijn@my_domain
(host mx2.domain2[IP] said: 451 Server configuration error (in reply to RCPT TO command))
                                         boudewijn@domain2
11C7817901A     1021 Tue Jun 13 13:40:25  boudewijn@my_domain
(host mx2.domain2[IP] said: 451 Server configuration error (in reply to RCPT TO command))
                                         root@domain2

-- 6 Kbytes in 6 Requests.
```

My six sent mails are still queued on my own (working!) server. 

boudewijn@my_domain is my mail address.

I've removed the real IP for 'IP', and replaced the domain of the not correctly working server with 'domain2'.

After that I've fired up courier-imap, and fetched my mail from the boudewijn@domain2 mail-account. Authentication etc went fine.... the mail was downloaded correctly.

The mail server has produced quite a lot of error mails, and forwarded them to my account. 6 mails at 18:03... 6 at 18:36... 6 at 19:26... 6 at 19:43.

etc.

The content of these mails is exactly the same (except for the time... doh).

```
Transcript of session follows.

 Out: 220 mail.tendam-bremer.nl ESMTP Postfix
 In:  EHLO dionysos.<my_domain>
 Out: 250-mail.<domain>
 Out: 250-PIPELINING
 Out: 250-SIZE 10240000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250 8BITMIME
 In:  MAIL FROM:<boudewijn@<my_domain>> SIZE=557
 Out: 250 Ok
 In:  RCPT TO:<boudewijn@<domain>>
 Out: 451 Server configuration error
 In:  DATA
 Out: 554 Error: no valid recipients
 In:  RSET
 Out: 250 Ok
 In:  QUIT
 Out: 221 Bye
```

The emails are sent to postmaster@<mail-server-domain>,  and the subject is:

 *Quote:*   

> Postfix SMTP server: errors from <my own hostname+IP>

 

In /var/log/messages:

```
Jun 16 20:16:23 mail postfix/smtpd[18476]: permit_auth_destination: boudewijn@<domain>
Jun 16 20:16:23 mail postfix/smtpd[18476]: ctable_locate: leave existing entry key boudewijn@<domain>
Jun 16 20:16:23 mail postfix/smtpd[18476]: generic_checks: name=reject_unauth_destination status=0
Jun 16 20:16:23 mail postfix/smtpd[18476]: generic_checks: name=smtpd_use_tls
Jun 16 20:16:23 mail postfix/smtpd[18476]: warning: unknown smtpd restriction: "smtpd_use_tls"
Jun 16 20:16:23 mail postfix/smtpd[18476]: NOQUEUE: reject: RCPT <MY IP>: 451 Server configuration error; from=<boudewijn@<my_domain>> to=<boudewijn@<domain>> proto=ESMTP helo=<dionysos.<my_domain>>
```

In the code segments, <my_domain> is my own working server-domain. <domain> is the domain of the not-that-good-working-server.

edit:

"postfix check" returns no errors.

The .cf files are named correctly and are 644... so postfix should be able to read them.

----------

## overkll

```
Jun 16 20:16:23 mail postfix/smtpd[18476]: warning: unknown smtpd restriction: "smtpd_use_tls"
```

Did you fix the "smtpd_recipient_restrictions =" line like I suggested earlier?  Doesn't look like it.  Remember "Jeetje, wat ben je aan het doen?"    :Wink: 

EDIT:  I'll save you the search.  You had:

```
smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination
                    smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

and it should be:

```
smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination
#smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
#smtpd_tls_key_file = /etc/ssl/postfix/server.key
#smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
#smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
#smtpd_tls_loglevel = 3
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
```
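
As an added example (not code from the thread, from overkll, or from Postfix itself), the Python lint below applies the postconf(5) rule that a line starting with whitespace continues the previous parameter, then flags anything inside an smtpd_*_restrictions list that is not a restriction name; the two sample config strings are constructed from the broken and corrected blocks above, and KNOWN is an assumed subset of Postfix's restriction names, not the full list.

```python
# Added example: reproduce why an indented "smtpd_use_tls = yes" ends up
# inside smtpd_recipient_restrictions (the "unknown smtpd restriction"
# warning and the 451 reply seen in the thread) and lint for it.
import re

# Assumed subset of Postfix restriction names, enough for this check.
KNOWN = {"permit_mynetworks", "permit_sasl_authenticated",
         "reject_unauth_destination", "permit_auth_destination",
         "reject_unknown_recipient_domain", "permit", "reject"}

# Constructed samples: the broken block from the thread, then the fixed one.
BROKEN_CF = """smtpd_recipient_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination
                    smtpd_use_tls = yes
smtpd_tls_auth_only = yes
"""
FIXED_CF = BROKEN_CF.replace("                    smtpd_use_tls = yes",
                             "#smtpd_use_tls = yes")

def parse_main_cf(text):
    """Return {parameter: value}. A line starting with whitespace continues
    the previous parameter; lines whose first non-blank character is '#'
    and blank lines are ignored (postconf(5) rules)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def unknown_restrictions(params):
    """List (parameter, token) for tokens in any smtpd_*_restrictions value
    that are neither known restriction names nor lookup tables (type:name)."""
    bad = []
    for name, value in params.items():
        if re.fullmatch(r"smtpd_\w+_restrictions", name):
            for tok in re.split(r"[\s,]+", value):
                if tok and ":" not in tok and tok not in KNOWN:
                    bad.append((name, tok))
    return bad
```

Running unknown_restrictions(parse_main_cf(BROKEN_CF)) reports smtpd_use_tls (and the "= yes" that followed it) as stray tokens, while the fixed config reports nothing and keeps smtpd_tls_auth_only as its own parameter.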

----------

## boudewijn

It works now \o/

Thanks a lot, guys (if you were still living in the Netherlands, I'd buy you a beer).

Although the system is running, I'm still missing the TLS for SMTP features. And SASL too  :Sad: 

Tonight (it's 11pm localtime) I'll try to get these features up and running too.

----------

## boudewijn

SASL seems dead.

TLS is working.

(just tested it).

What's a smart strategy to debug it?

----------

## overkll

 *boudewijn wrote:*   

> It works now \o/
> 
> Thanks a lot, guys (if you were still living in the Netherlands, I'd buy you a beer).

 

Make mine a Palm!  hmm, lekker!

 *boudewijn wrote:*   

> SASL seems dead.
> 
> TLS is working.
> 
> (just tested it).
> ...

 

First of all, shitcan all the wiki stuff.  lol, just kidding.  I've got sasl and tls working.  Here's my config files for SASL:

/etc/conf.d/saslauthd:

```
# Config file for /etc/init.d/saslauthd

# Initial (empty) options.
SASLAUTHD_OPTS=""

# Specify the authentications mechanism.
# *NOTE* For list see: saslauthd -v
# From 2.1.19, add "-r" to options for old behavior
# ie. reassemble user and realm to user@realm form.
# SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam -r"
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam"

# Specify the hostname for remote IMAP server.
# *NOTE* Only needed if rimap auth mech is used.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"

# Specify the number of worker processes to create.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -n 5"

# Enable credential cache, cache size, and timeout.
# *NOTE* Size is measured in kilobytes
#        Timeout is measured in seconds
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -c -s 128 -t 30"
```

Nothing fancy, just the stock parameters included with gentoo's cyrus-sasl ebuild.

/etc/sasl2/smtpd.conf

```
pwcheck_method:saslauthd
mech_list:plain login
```

I don't seem to need the other smtpd.conf that you have.

/etc/postfix/main.cf

```
...
#####################
# SASL Authentication
#####################
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
...
```

Don't forget you'll need saslauthd running and add it to the default runlevel.  And of course, reload postfix after you update main.cf.

```
/etc/init.d/saslauthd start
rc-update add saslauthd default
postfix reload
```

----------

## boudewijn

thanks.

saslauthd was messed up... and authdaemond too.

Fixed them (using one of your examples) and it works now!

----------

## overkll

No problem.  You may want to add [Solved] to the title of this thread.

----------

## boudewijn

Okay, will do.

Thanks a huge lot btw.

----------

