Plötzlich: Relay access denied

postfix

#1

Hallo,

ich bin ein wenig am Verzweifeln. UCS nimmt keine Mails mehr von außerhalb des eigenen Netzwerkes an. Die Direktive „permit_sasl_authenticated“ scheint nicht zu greifen.
Es funktioniert nur dann, wenn ich meine (externe) Adresse bei mynetworks eingebe.
Hier die main.cf:

# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# (German version of the same warning:) This file was generated automatically
#          and may be overwritten by univention-config-registry.
#          Please edit the following file(s) instead:
# 
# 	/etc/univention/templates/files/etc/postfix/main.cf.d/10_general
# 	/etc/univention/templates/files/etc/postfix/main.cf.d/30_maps
# 	/etc/univention/templates/files/etc/postfix/main.cf.d/40_postscreen
# 	/etc/univention/templates/files/etc/postfix/main.cf.d/50_restrictions
# 	/etc/univention/templates/files/etc/postfix/main.cf.d/60_tls
# 	/etc/univention/templates/files/etc/postfix/main.cf.d/80_delivery
# 	/etc/univention/templates/files/etc/postfix/main.cf.d/99_local
# 
# Review note: this is the main.cf as posted in the thread; "[meine domain]" and
# "[meine ip]" are redactions by the poster, not literal values.

# The message_size_limit parameter limits the total size in bytes of
# a message, including envelope information. Default is 10240000
# 104857600 bytes = 100 MiB, ten times the Postfix default.
message_size_limit = 104857600


# mailbox_size_limit limits the max. size of local mailboxes. Default is 51200000
# mailbox_size_limit = 51200000


# some basic path definitions
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin


# some basic mail system settings
# myhostname must be the fully qualified name of this host (e.g. mail.example.org),
# not the bare domain: Postfix derives $mydomain by stripping the first label of
# $myhostname, so a bare domain here leaves $mydomain one level too short
# (see reply #3 in the thread).
myhostname = [meine domain]
# mydomain is unset - The default is to use $myhostname minus the first component.
myorigin = [meine domain]
smtp_helo_name = [meine domain]



append_dot_mydomain = no

inet_interfaces = all
inet_protocols = ipv4

mydestination = $myhostname, localhost.$mydomain, localhost
# Every host in these ranges may relay without authenticating
# (permit_mynetworks below), so keep the list to trusted networks only.
mynetworks = 127.0.0.0/8 192.9.200.0/24 192.9.201.0/24
# Ignored by Postfix while mynetworks is set explicitly above.
mynetworks_style = subnet

masquerade_domains = $mydomain
masquerade_exceptions = root

transport_maps = hash:/etc/postfix/transport
relay_domains = $mydestination


# we need to name a smtp relay host to which we forward non-local
# mails. smtp authentication is also possible.
# smtp_* (no "d") configures the SMTP *client*, i.e. how Postfix authenticates
# against the upstream relay; it has no effect on what this server accepts
# from inbound clients (that is smtpd_*, see reply #2 / footnote [1]).
relayhost = smtp.1und1.de
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
# Contains the relay credentials in clear text; the file should be readable by
# root only.
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth


# VRFY is left enabled, which lets any remote client test whether an address
# exists; the usual hardening is disable_vrfy_command = yes.
disable_vrfy_command = no


# banner
# (heading kept from the template; the setting below is unrelated to the banner)
smtputf8_enable = no

local_header_rewrite_clients = 


virtual_alias_domains = 

virtual_alias_maps = hash:/etc/postfix/virtual,
        ldap:/etc/postfix/ldap.groups,
        ldap:/etc/postfix/ldap.distlist,
        ldap:/etc/postfix/ldap.virtual,
        ldap:/etc/postfix/ldap.external_aliases,
        ldap:/etc/postfix/ldap.sharedfolderremote,
        ldap:/etc/postfix/ldap.sharedfolderlocal_aliases

virtual_mailbox_domains = ldap:/etc/postfix/ldap.virtualdomains

virtual_mailbox_maps = ldap:/etc/postfix/ldap.virtual_mailbox,
        ldap:/etc/postfix/ldap.sharedfolderlocal

virtual_transport = lmtp:127.0.0.1:2003


canonical_maps = hash:/etc/postfix/canonical
relocated_maps = hash:/etc/postfix/relocated

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases


# postscreen settings

# The DNSBL action/threshold have no effect while postscreen_dnsbl_sites is
# empty: no blocklist lookups are performed.
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites = 

postscreen_helo_required = no
postscreen_greet_action = drop
postscreen_greet_ttl = 1d

postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_action = ignore

postscreen_bare_newline_enable = no
postscreen_bare_newline_action = ignore

postscreen_blacklist_action = ignore
postscreen_access_list = permit_mynetworks
        cidr:/etc/postfix/postscreen_access.cidr

# smtpd_sender_restrictions is not defined since all relevant checks have been moved to
# smtpd_recipient_restrictions (see below) and every mail has to pass smtpd_recipient_restrictions too.
#smtpd_sender_restrictions =

# Order matters: relaying is granted to mynetworks and to SASL-authenticated
# clients before reject_unauth_destination rejects everything else (this is
# what produces "Relay access denied"). permit_sasl_authenticated can only
# match if SASL is enabled on the listening service; smtpd_sasl_auth_enable is
# not set in this main.cf, and per reply #2 UCS enables it per service in
# master.cf (smtps/submission), not on port 25 by default.
smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unlisted_recipient

# special recipient_restrictions which may be used by smtps/submission services
# (can be configured via UCR: mail/postfix/submission/restrictions/recipient/...)
# submission_recipient_restrictions =


#TLS settings
smtpd_use_tls = yes
# AUTH is only offered after STARTTLS, so credentials are never sent in clear.
smtpd_tls_auth_only = yes
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
# Excluding only SSLv2/SSLv3 still permits TLS 1.0 and 1.1 for mandatory TLS.
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
# Empty value = Postfix default for opportunistic TLS on the server side.
smtpd_tls_protocols = 
smtpd_tls_exclude_ciphers = RC4, aNULL
# The signed chain is used both as the certificate file and as the CA file.
smtpd_tls_cert_file = /etc/univention/letsencrypt/signed_chain.crt
smtpd_tls_key_file = /etc/univention/letsencrypt/domain.key
smtpd_tls_CAfile = /etc/univention/letsencrypt/signed_chain.crt

smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

smtpd_sasl_local_domain =

# Rejects anonymous SASL mechanisms; applies to the server side (inbound AUTH).
smtpd_sasl_security_options = noanonymous



# smtp client
# "may" = opportunistic TLS towards other servers; per-destination overrides
# live in tls_policy below.
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy



# Support broken clients like Microsoft Outlook Express 4.x which expect AUTH=LOGIN instead of AUTH LOGIN
broken_sasl_auth_clients = yes

# tls logging
smtp_tls_loglevel = 0
smtpd_tls_loglevel = 0

# EDH config
# Despite the parameter name, a 2048-bit group is supplied for the "1024" slot.
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
# 512-bit DH is only ever used for legacy export-grade suites; presumably
# irrelevant with a current OpenSSL — verify, or drop the file.
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem

# use the Postfix SMTP server's cipher preference order instead of the remote client's cipher preference order.
tls_preempt_cipherlist = yes

# The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange
smtpd_tls_eecdh_grade = strong

# if virus scanning is desired, all mails can be redirected through amavis.
content_filter = smtp-amavis:[127.0.0.1]:10024
# Send a blind carbon copy of every mail to this account.
# Note: this copies all inbound and outbound mail, so the archive mailbox
# holds the full traffic of the server and needs matching access control.
always_bcc = mailarchive@[meine domain]


# Enables verbose logging for sessions with the listed peer; intended for
# troubleshooting only and should be cleared afterwards, as the extra log
# detail can include message and session data.
debug_peer_list = [meine ip]

header_access = regexp:/etc/postfix/header_access

Jan


#2

Huhu,

SASL ist im SMTP-Server (Postfix-Variable smtpd_sasl_auth_enable[1]) für den Port 25 unter Univention nicht mehr an, sondern nur für die Ports 465 (smtps) und 587 (submission), wenn die entsprechenden UCR-Variablen mail/postfix/mastercf/options/smtps/smtpd_sasl_auth_enable respektive mail/postfix/mastercf/options/submission/smtpd_sasl_auth_enable gesetzt sind. Die einfachste Variante ist daher, einen dieser beiden Ports zu nutzen, wofür man dann auch Verschlüsselung einschalten muss (auf Port 465 immer, auf Port 587 über STARTTLS).

Edit: man kann alternativ schlicht eine neue UCR-Variable für den Port 25 (smtp) anlegen:

ucr set mail/postfix/mastercf/options/smtp/smtpd_sasl_auth_enable=yes

Denn alle Optionen unterhalb von mail/postfix/mastercf/options/XYZ/… werden in die master.cf für den Dienst/Port XYZ mit aufgenommen. Das geht für smtp, smtps und submission.

Gruß
mosu

[1] Nicht zu verwechseln mit smtp_sasl_auth_enable (ohne d in smtp), was SASL für den SMTP-Client einschaltet, wenn also Postfix eine Mail an einen anderen Mailserver zustellen möchte.


#3

In myhostname sollte der hostname stehen, nicht die domain.
Dadurch steht in mydomain jetzt nur noch ein Domain-Level weniger, also z. B. de statt univention.de.
myhostname sollte etwas in der Art mail.univention.de sein.

Gruß
Daniel


#4

Hallo Mosu, Hallo Daniel,

ich könnte mir mit der flachen Hand auf die Stirn schlagen.
Der (Thunderbird) Client hat auf Port 25 senden wollen …(oh mein Gott) - das hat mich jetzt den ganzen Nachmittag gekostet.

VIELEN LIEBEN DANK!!!

Jan