Commenting
mynetworks = 127.0.0.0/8
users with shell on system can again send emails using postfix:
main.cf
#mynetworks =
[...]
smtpd_recipient_restrictions =
check_policy_service inet:127.0.0.1:10031
permit_mynetworks,
permit_inet_interfaces,
# reject_sender_login_mismatch,
reject_authenticated_sender_login_mismatch,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_hostname,
reject_unknown_recipient_domain,
reject_unauth_pipelining,
So, also put:
reject_mynetworks,
same problem
I only need force SASL authentication either from lan and from 127.0.0.1 too.
Commenting out mynetworks implies postfix to generate mynetworks based on the value of mynetworks_style
So set mynetworks to empty string to fix this.
Related
I have setup postfix, dovecot and rainloop on Ubuntu Server 20.04 and having some issues with authentication on the SMTP connection, I can successfully login using rainloop and I can also access via ios externally and view emails but I am unable to send, the only way that I can send using Rainloop is to uncheck the use authentication checkbox in the domains.
In rainloop domain setup for the server if I choose SSL/TLS on SMTP and Test the connection I get
stream_socket_client(): unable to connect to ssl://127.0.0.1:465 (Connection refused)
here are my configs for postfix and dovecot
main.cf
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.arpradio.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.arpradio.com/privkey.pem
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.arpradio.com
mydomain = arpradio.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, arpradio.com, mail.arpradio.com, localhost.arpradio.com, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual
# mailbox_command = /usr/bin/procmail
# RBL
strict_rfc821_envelopes = yes
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unverified_recipient_reject_code = 554
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client dsn.rfc-ignorant.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, permit
## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
listen = *, ::
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot
# Greeting message for clients.
#login_greeting = Dovecot ready.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ
##
## Dictionary server settings
##
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
I found this in /var/log/auth.log
auth: pam_unix(dovecot:auth): Couldn't open /etc/securetty: No such file or directory
auth: pam_unix(dovecot:auth): check pass; user unknown
auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=user#domain.com rhost=<IP>
Your problem is that you have not enabled smtps listener in postfix master.cf. You need to uncomment that listener.
I have RBL checks in postfix but it doesn't work and blacklisted IPs get through.
This is the smtpd_recipient_restrictions of my postfix's main.cf file:
smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unlisted_recipient,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client b.barracudacentral.org,
check_policy_service unix:private/policyd-spf,
check_client_access pcre:/etc/postfix/rbl_override
My IP has access to query b.barracudacentral.org and
dig +short #b.barracudacentral.org 4.3.2.1.b.barracudacentral.org.
returns 127.0.0.2 but postfix says Host not found.
postfix log:
Sep 15 05:03:33 mta02 postfix/smtpd[22172]: dns_query: 4.3.2.1.b.barracudacentral.org (A): Host not found
Sep 15 05:03:33 mta02 postfix/smtpd[22172]: ctable_locate: install entry key 4.3.2.1.b.barracudacentral.org
Sep 15 05:03:33 mta02 postfix/smtpd[22172]: generic_checks: name=reject_rbl_client status=0
Please check if the smtpd process is running chrooted. For this, check the "chroot" column in master.cf.
Also note that any host in $mynetworks (permit_mynetworks) won't be blacklisted as well as any SASL authenticated client (permit_sasl_authenticated).
Note:
check_client_access pcre:/etc/postfix/rbl_override
can never act as an override to "reject_rbl_client b.barracudacentral.org" since the latter will always trigger first.
Getting error relay access denied on a CentOS server with postfix and dovecot installed, trying to set up a catchall email on a CentOS 7 server. Fresh installation, installed Nano text editor and nothing else, pretty much a clean server in case it matters.
error im getting:
[root#accountcreator ssl]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.tmkiller.site ESMTP Postfix
EHLO howdy.com
250-mail.tmkiller.site
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: testAccount
250 2.1.0 Ok
rcpt to: myEmail#gmail.com
454 4.7.1 <myEmail#gmail.com>: Relay access denied
My main.cf file:
myhostname = mail.mydomain.site
mydomain = mydomain.site
myorigin = $mydomain
home_mailbox = mail/
mynetworks = 127.0.0.0/8
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetwor$
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Yes, i have replaced mydomain.site with my actual domain.
/etc/hosts file:
127.0.0.1 AccountCreator AccountCreator
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost4.localdomain4 localhost4
# The following lines are desirable for IPv6 capable hosts
::1 AccountCreator AccountCreator
::1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdom$
::1 localhost localhost.localdomain localhost6 localhost6.localdom$
serverIP mail.mydomain.site
I've tried reinstalling the OS and starting all over through this guide:
https://hostpresto.com/community/tutorials/how-to-setup-an-email-server-on-centos7/
I've tried googling around, tried suggestions on several Stack Overflow threads, didn't manage to find a fix that resolved this issue.
I would like to get anything#mydomain.com to forward to catchall#mydomain.com.
You need to setup smtpd_relay_restrictions to allow your domain to send mail through, as it stands it appears your configuration is to only receive emails to your domain.
While you're at it, you should also configure smtpd_client_restrictions and smtpd_sender_restrictions too.
Another thing, if this is centos 7, install roundcube instead of squirrelmail for web mail. It's simpler to maintain and looks cooler.
in your case, under mynetworks you should add the IP address of your server
reload the postfix configuration.
There are other "best practices" how to accomplish this with hash: files for example, so you don't hardcode anything into your configuration, but have separate files that you can administer.
You can read more about it at the postfix official documentation here
also this looks like a typo permit_mynetworks:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetwor$
Where should the smtpd_client_restrictions be put: in main.cf or in master.cf ?
For me, only the master.cf seems to be working (because my postfix is working fine as a relay) :
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated
in main.cf the following reject rule is not applied:
smtpd_client_restrictions = permit_mynetworks, reject
Thanks
You need to comment the line in master.cf for client restrictions in submission. Submission is for linux CLI users on the same machine. The client restrictions you're trying to use (permit_mynetworks, reject) will only work if the client connects to the smtp ports. An example of a working client restrictions statement in main.cf is like below on my mail relay in the cloud.
smtpd_client_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2, permit
From what I can recall (someone more knowledgeable can confirm/deny) main.cf restrictions will be by default applied to all smtp processes (so if you have submission/smtps/smtp), but are overwritten by configurations on the actual process (master.cf)
Therefore I'd assume your main.cf value (with reject) is being overwritten by your value on the process (no reject) thus not getting rejected.
I have two domains, dom1.com and dom2.com; dom1.com has IP1; the email for dom1.com are handled by google.
I need to create an email, xxx#dom2.com and redirect all emails to an email account of dom1.com ( example: yyy#dom1.com )
I 'd like to use postfix, installed on dom1.com server.
I set the MX record for dom2.com in this way:
MX mail.dom2.com
mail A IP1
so mail.dom2.com should point to IP1.
To configure postfix on dom1.com server, I did as follow:
myhostname = dom1.com
mydestination = dom1.com, dom2.com
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual
in virtual_domains:
dom1.com #domain
dom2.com #domain
in virtual:
xxx#dom2.com yyy#dom1.com
than I did postmap for both files and I reload postfix ... but sending email to xxx#dom2.com , I don't reveice emails on yyy#dom1.com
Where is the error?
Thanks in advance
Option what you want to use is: Catch-all
This Tutorial will help you to setup catch-all email address with postfix.
Step 1. Configure Catch-All Account
Edit /etc/postfix/virtual and configure your catch-all address like below.
# nano /etc/postfix/virtual
#example.com myuser
If you want to add exception’s in catch-all and do not want to catch-all specific accounts, Add them also in /etc/postfix/virtual file. Below configuration will send all emails to user “myuser” except emails of info#example.com and support#example.com.
#example.com myuser
info#example.com info
support#example.com support
Save /etc/postfix/virtual file and execute following command.
# postmap /etc/postfix/virtual
2. Update Postfix Configuration File
Edit Postfix configuration file /etc/postfix/main.cf and add following line at end of file.
# nano /etc/postfix/main.cf
virtual_alias_maps = hash:/etc/postfix/virtual
3. Reload Postfix Server
After changing we need to reload server to activate newly settings addedUse following command to reload postfix configuration .
# service postfix reload