
Trouble relaying email from Dovecot through postfix to another mail server after putting in client restrictions


Scott Sander

Aug 22, 2016, 9:29:20 AM
I set up an internal Postfix + Dovecot server running on Ubuntu 14.04.5 a few months ago. I used the guide at the following link in order to get it set up:

http://www.binarytides.com/install-postfix-dovecot-debian/

Just last week, I noticed that the server was accepting mail from basically anything (though relay was configured to be more restricted). I wanted it to act more like Microsoft Exchange 2010, where authenticated mail clients can connect and relay mail but unauthenticated clients are added to a "receive connector" (Exchange term) by IP address and cannot even successfully start sending SMTP commands unless they are in that list.

I did some research and reconfigured the client, HELO, and relay restrictions. My application servers that use Postfix to relay mail are still able to deliver the mail to both Dovecot mailboxes and another domain hosted on Microsoft Exchange without issue, but now Dovecot clients are not able to relay mail to Microsoft Exchange.

Here is the exact error message that is received by the mail client:

-------

Server error: '554 5.7.1 <client47.domain.com[10.10.10.47]:51423>: Client host rejected: Access denied'

-------

I know that this error is caused by the smtpd_client_restrictions parameter and not smtpd_relay_restrictions. Is there a way I can whitelist clients that authenticated to Dovecot via IMAP in Postfix as well as other application servers that are currently whitelisted by IP address?

Here is postconf -n:

-------

user@appserver4:~$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
debug_peer_level = 1
debug_peer_list = domain.com
inet_interfaces = all
inet_protocols = all
lmtp_tls_security_level = none
mailbox_size_limit = 0
mydestination = appserver4.subdomain.domain.com, localhost.domain.com, localhost, mail.domain.test
myhostname = mail.domain.test
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.253.254.225 10.254.254.225 10.254.254.226 10.254.254.171 10.254.254.172
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = domain.com
relayhost = [exchangefe01.subdomain.domain.com]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_rate_limit = 1000
smtpd_client_message_rate_limit = 1000
smtpd_client_new_tls_session_rate_limit = 1000
smtpd_client_port_logging = yes
smtpd_client_recipient_rate_limit = 3000
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_recipient_limit = 3000
smtpd_reject_unlisted_sender = no
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unverified_recipient, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/apps4_combined.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
smtpd_tls_key_file = /etc/ssl/private/apps4_key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains
virtual_transport = lmtp:unix:private/dovecot-lmtp
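The following is an added illustration, not code from the original post or from Postfix itself. It models how smtpd walks the posted smtpd_client_restrictions list (permit_mynetworks, permit_sasl_authenticated, reject) for a single connecting client, using the mynetworks value and the 10.10.10.47 client quoted above. Two facts drive the result: permit_sasl_authenticated only matches when SMTP AUTH succeeded in the same SMTP session (an IMAP login to Dovecot happens in a different protocol and is invisible to Postfix, which has no built-in pop/imap-before-smtp), and because smtpd_delay_reject defaults to yes the client restrictions are evaluated at RCPT TO, so a mail client that does STARTTLS and AUTH first would pass. The hostnames, port numbers and the username "scott" in the sample sessions are constructed placeholders.

```python
"""Walk a Postfix smtpd_client_restrictions list the way smtpd does for one client.

Added illustration, not Postfix source. It models only the three restriction
names used in the posted main.cf (permit_mynetworks, permit_sasl_authenticated,
reject) and the reply text Postfix emits when "reject" fires in
smtpd_client_restrictions (reply code from smtpd_reject_code, default 554).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# mynetworks and smtpd_client_restrictions copied from the posted postconf -n.
MYNETWORKS = (
    "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 "
    "10.253.254.225 10.254.254.225 10.254.254.226 10.254.254.171 10.254.254.172"
)
CLIENT_RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated", "reject"]


@dataclass
class Session:
    """What smtpd knows about the connecting client when restrictions are evaluated."""
    client_name: str
    client_ip: str
    client_port: int
    # Set only when SMTP AUTH succeeded in *this* SMTP session. An IMAP login to
    # Dovecot happens in a different protocol and leaves this None.
    sasl_username: Optional[str] = None


def parse_mynetworks(value: str) -> list:
    """Split the space-separated list; Postfix writes IPv6 literals in brackets."""
    nets = []
    for tok in value.split():
        nets.append(ipaddress.ip_network(tok.replace("[", "").replace("]", ""), strict=False))
    return nets


def in_mynetworks(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    # "in" is False across address families, so an IPv4 client never matches [::1]/128.
    return any(addr in n for n in nets)


def evaluate(session: Session, restrictions, nets) -> Tuple[str, Optional[str]]:
    """First restriction that yields PERMIT or REJECT decides; the rest is never consulted."""
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(session.client_ip, nets):
            return "permit", r
        if r == "permit_sasl_authenticated" and session.sasl_username is not None:
            return "permit", r
        if r == "reject":
            # Same text as the error quoted in the post; the ":port" appears because
            # the posted config sets smtpd_client_port_logging = yes.
            return "reject", (
                f"554 5.7.1 <{session.client_name}[{session.client_ip}]:{session.client_port}>: "
                "Client host rejected: Access denied"
            )
    # Reaching the end of the list is DUNNO: the next restriction stage decides.
    return "dunno", None


if __name__ == "__main__":
    nets = parse_mynetworks(MYNETWORKS)
    # Constructed sessions: IPs come from the post, hostnames/ports/username are placeholders.
    cases = [
        ("app server, listed in mynetworks, no AUTH",
         Session("appserver.subdomain.domain.com", "10.254.254.225", 40001)),
        ("mail client, logged in to Dovecot via IMAP only",
         Session("client47.domain.com", "10.10.10.47", 51423)),
        ("same mail client, SMTP AUTH after STARTTLS in this session",
         Session("client47.domain.com", "10.10.10.47", 51424, sasl_username="scott")),
    ]
    for label, s in cases:
        verdict, detail = evaluate(s, CLIENT_RESTRICTIONS, nets)
        print(f"{label}: {verdict} ({detail})")
```

Running it reproduces the quoted 554 for the IMAP-only client and a permit for the same client once its SMTP session carries a successful AUTH, which is the distinction the posted restriction list actually enforces; an IP-based whitelist for the application servers and SMTP AUTH for mail clients (in practice usually on a separate submission service in master.cf) are the two mechanisms this list already expresses.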