need help with postfix

Cheetoz

Trying to send email out, I get:

Code:
postfix/smtpd[16675]: warning: SASL authentication failure: Password verification failed

Code:
mail from: [email protected]
250 2.1.0 Ok
rcpt to:[email protected]
554 5.7.1 <localhost[127.0.0.1]>: Client host rejected: Access denied

here are my stats

Code:
ehlo localhost
250-mail.virtualdomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

my main.cf
Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_protocols = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = mailserver.LanDomain, localhost
mydomain = mailserver.LanDomain
myhostname = mailserver.VirtualDomain.com
mynetworks = 127.0.0.0/8, 10.0.0.0/8
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
recipient_delimiter = +
smtp_host_lookup = native
smtp_sasl_mechanism_filter = plain, login
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination permit_inet_interfaces reject_unknown_reverse_client_hostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains = 
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_uid_maps = static:5000

master.cf
Code:
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache

my /etc/default/saslauthd
Code:
# Settings for saslauthd daemon
START=yes

MECHANISMS="pam"

MECH_OPTIONS=""

THREADS=5

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

my /etc/hosts
Code:
127.0.0.1       localhost localhost.local
10.0.0.3        mailserver mailserver.LocalDomain virtualdomain.com

sasl smtpd.conf
Code:
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mail_admin
sql_passwd: 15982
sql_database: mail
sql_select: select password from users where email = '%u'
 
Try changing your smtpd_recipient_restrictions order:

smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated reject_unauth_destination reject_unknown_reverse_client_hostname

Postfix tries each of those tests in the order they're listed, so if you have a permit_xxx after a reject_xxx, a permit may never get tested.
 
Doh! I just noticed your smtpd_recipient_restrictions is not terminated with a "permit" as in:

smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated reject_unauth_destination permit_inet_interfaces reject_unknown_reverse_client_hostname permit

All Postfix xxx_restrictions configuration lines should end with "permit" as the last parameter, otherwise Postfix won't allow the transaction.

As an example (DON'T use this unless you know what you are doing!!), here is my Postfix configuration smtpd_recipient_restrictions:

Code:
smtpd_recipient_restrictions = permit_mynetworks,
 permit_auth_destination,
 reject_unknown_client,
 reject_invalid_hostname,
 reject_unknown_hostname,
 reject_unknown_sender_domain,
 reject_unauth_destination,
 reject_unauth_pipelining,
 reject_unknown_recipient_domain,
 reject_non_fqdn_hostname,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_reverse_client_hostname,
 check_policy_service unix:private/policy-spf,
 reject_rbl_client sbl-xbl.spamhaus.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client blackhole.securitysage.com,
 reject_rbl_client block.rhs.mailpolice.com,
 check_relay_domains,
 permit
 
finally figured it out

-o smtpd_client_restrictions=permit_sasl_authenticated,reject

in my master.cf

Edit: that's safe, right??
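
Added example (not part of the original posts, and not Postfix code): a small Python parser that applies the master.cf line rules (lines starting with `#` are skipped, lines starting with whitespace continue the previous logical line) to the first lines of the master.cf posted above. It shows that with `#submission` commented out, the `-o` lines under it attach to the `smtp` service on port 25. The function names are hypothetical.

```python
# Constructed sample: the first lines of the master.cf posted in this thread.
MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    fifo  n       -       -       60      1       pickup
"""

def logical_lines(text):
    """Join physical lines the way master.cf is read: blank lines and
    '#' lines are skipped, and a line that starts with whitespace
    continues the previous logical line."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def service_overrides(text):
    """Map 'service/type' to the {parameter: value} set by its -o options."""
    result = {}
    for line in logical_lines(text):
        fields = line.split()
        name, stype, args = fields[0], fields[1], fields[7:]
        opts = {}
        for i, tok in enumerate(args):
            if tok == "-o" and i + 1 < len(args):
                key, _, value = args[i + 1].partition("=")
                opts[key] = value
        result[f"{name}/{stype}"] = opts
    return result

if __name__ == "__main__":
    for svc, opts in service_overrides(MASTER_CF).items():
        for key, value in opts.items():
            print(f"{svc}: {key} = {value}")
```

On a live system, `postconf -P` (Postfix 2.11 and later) lists the per-service `-o` settings that Postfix itself parsed from master.cf.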
 
The default postfix master.cf has the smtps process as:

Code:
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Notice that chroot is set to "n" (the default is "y" -- yours is a "-" which equals "y"). You should read the man at: http://www.postfix.org/BASIC_CONFIGURATION_README.html#chroot_setup and also read the man pages about chroot jails to get it properly set up. If your intent was NOT to have the smtps process chrooted, which is really only necessary for a site with high security required, then set it to "n".

All my sites only have access to smtp/pop3 behind the firewall. External access is limited to Squirrelmail through https which gives me much better security -- something you might want to consider if you're setting up a small site.
 
Doh! I just noticed your smtpd_recipient_restrictions is not terminated with a "permit" as in:

smtpd_recipient_restrictions = permit_mynetworks permit_inet_interfaces permit_sasl_authenticated reject_unauth_destination permit_inet_interfaces reject_unknown_reverse_client_hostname permit

All Postfix xxx_restrictions configuration lines should end with "permit" as the last parameter, otherwise Postfix won't allow the transaction.

Unless something has changed recently, a "permit" is not needed at the end of each restriction. It's there by default but can be inputted manually just for the viewer's sake.
 
When I first started messing around with Postfix years ago, "permit" was the default when there were no parameters. As soon as I put a parameter in, I had to explicitly terminate with "permit", otherwise the transaction didn't complete. The docs used to be inconsistent about this, but looking over the latest docs shows no requirement for "permit" in the current version, so I'll rescind my advice above.
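
Added example (not part of the original posts, and not Postfix code): a simplified Python model of how smtpd restriction lists are evaluated, covering the ordering and the trailing "permit" discussed in the replies above. It models only five restrictions, omits DEFER results, trims the recipient list from the posted main.cf, and assumes the client restriction override from master.cf is active on port 25; all names and the client dictionary keys are constructed.

```python
PERMIT, REJECT, DUNNO = "permit", "reject", "dunno"

def check(rule, client):
    """Result of a single restriction for one client (constructed dict)."""
    if rule == "permit":
        return PERMIT
    if rule == "reject":
        return REJECT
    if rule == "permit_mynetworks":
        return PERMIT if client["in_mynetworks"] else DUNNO
    if rule == "permit_sasl_authenticated":
        return PERMIT if client["authenticated"] else DUNNO
    if rule == "reject_unauth_destination":
        return DUNNO if client["dest_authorized"] else REJECT
    raise ValueError(f"restriction not modelled: {rule}")

def evaluate_list(rules, client):
    """The first rule that returns permit or reject decides; reaching the
    end of the list counts as a permit."""
    for rule in rules:
        verdict = check(rule, client)
        if verdict != DUNNO:
            return verdict, rule
    return PERMIT, "(end of list)"

def evaluate_session(lists, client):
    """A permit only ends its own list; a reject from any list is final."""
    for name, rules in lists:
        verdict, rule = evaluate_list(rules, client)
        if verdict == REJECT:
            return REJECT, f"{name}: {rule}"
    return PERMIT, "all lists passed"

# Port 25 as configured in the thread (recipient list trimmed).
PORT25 = [
    ("smtpd_client_restrictions", ["permit_sasl_authenticated", "reject"]),
    ("smtpd_recipient_restrictions",
     ["permit_mynetworks", "permit_sasl_authenticated",
      "reject_unauth_destination"]),
]
# Constructed client: localhost, not authenticated, mailing an outside domain.
LOCAL_UNAUTH = {"in_mynetworks": True, "authenticated": False,
                "dest_authorized": False}

if __name__ == "__main__":
    print(evaluate_session(PORT25, LOCAL_UNAUTH))      # with the override
    print(evaluate_session(PORT25[1:], LOCAL_UNAUTH))  # main.cf list only
```

With the override in place, `permit_mynetworks` in the recipient list is never reached for an unauthenticated local client, which matches the "Client host rejected: Access denied" reply in the first post.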
 