Allen Walker
2010-Jul-30 02:33 UTC
[Dovecot] relay access denied problem thru iphone imap auth
I'm using postfix smtpd / dovecot. Running imaps, imap, pop3s, pop3. I have a ssl certificate setup. Everything works fine via IMAP except sending to an email from outside the network to a recipient outside the network.

The problem is when someone (and this is being tested thru the iphone email client configured to use imap) logs in, they can read messages but cannot send to an address outside my network, assuming they are logged in outside the network. If they are logged in inside the network, they can send to anyone just fine.

The Log:

Jul 29 20:09:41 ubuntu dovecot: imap-login: Login: user=<amit>, method=PLAIN, rip=166.205.142.84, lip=192.168.1.68, TLS
Jul 29 20:10:02 ubuntu postfix/smtpd[28892]: warning: 166.205.142.84: hostname 166-205-142-084.mobile.mymmode.com verification failed: No address associated with hostname
Jul 29 20:10:02 ubuntu postfix/smtpd[28892]: connect from unknown[166.205.142.84]
Jul 29 20:10:06 ubuntu postfix/smtpd[28892]: NOQUEUE: reject: RCPT from unknown[166.205.142.84]: 554 5.7.1 <xxx at gmail.com>: Relay access denied; from=<amit at outsidedomain.com> to=<xxx at gmail.com> proto=ESMTP helo=<[10.67.168.110]>
Jul 29 20:10:06 ubuntu postfix/smtpd[28892]: disconnect from unknown[166.205.142.84]

*/etc/postfix/main.cf:*

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mydomain.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mydomain.com, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
relay_domains = lists.mydomain.com # I use this as I have mailman also running
transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1
relayhost
inet_protocols = ipv4

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
Pascal Volk
2010-Jul-30 03:06 UTC
[Dovecot] relay access denied problem thru iphone imap auth
On 07/30/2010 04:33 AM Allen Walker wrote:
> I'm using postfix smtpd / dovecot. Running imaps, imap, pop3s, pop3. I
> have a ssl certificate setup. Everything works fine via IMAP except
> sending to an email from outside the network to a recipient outside the
> network.
>
> The problem is when someone (and this is being tested thru the iphone
> email client configured to use imap) logs in, they can read messages but
> cannot send to an address outside my network, assuming they are logged
> in outside the network. If they are logged in inside the network,
> they can send to anyone just fine.
>
> The Log:
>
> Jul 29 20:09:41 ubuntu dovecot: imap-login: Login: user=<amit>, method=PLAIN, rip=166.205.142.84, lip=192.168.1.68, TLS
> Jul 29 20:10:02 ubuntu postfix/smtpd[28892]: warning: 166.205.142.84: hostname 166-205-142-084.mobile.mymmode.com verification failed: No address associated with hostname
> Jul 29 20:10:02 ubuntu postfix/smtpd[28892]: connect from unknown[166.205.142.84]
> Jul 29 20:10:06 ubuntu postfix/smtpd[28892]: NOQUEUE: reject: RCPT from unknown[166.205.142.84]: 554 5.7.1 <xxx at gmail.com>: Relay access denied; from=<amit at outsidedomain.com> to=<xxx at gmail.com> proto=ESMTP helo=<[10.67.168.110]>
> Jul 29 20:10:06 ubuntu postfix/smtpd[28892]: disconnect from unknown[166.205.142.84]
>
> */etc/postfix/main.cf:*
>
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> biff = no
>
> # appending .domain is the MUA's job.
> append_dot_mydomain = no
>
> # Uncomment the next line to generate "delayed mail" warnings
> #delay_warning_time = 4h
>
> readme_directory = no
>
> # TLS parameters
> smtpd_tls_cert_file = /etc/ssl/certs/server.crt
> smtpd_tls_key_file = /etc/ssl/private/server.key
> smtpd_use_tls=yes
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
> # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
> # information on enabling SSL in the smtp client.
>
> myhostname = mydomain.com
> alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = mydomain.com, localhost
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> recipient_delimiter = +
> inet_interfaces = all
> relay_domains = lists.mydomain.com # I use this as I have mailman also running
> transport_maps = hash:/etc/postfix/transport
> mailman_destination_recipient_limit = 1
> relayhost
> inet_protocols = ipv4
>
>
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth-client
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
>

hm, it's a Postfix/client issue. Don't cat and paste your main.cf, show the output of `postconf -n` instead (when posting to the postfix-users list). But your configuration looks OK so far.

Now configure smtp authentication settings in your gameboy^Wiphone and try again. Google may be helpful.

Regards,
Pascal
--
The trapper recommends today: http://kopfkrebs.de/mitarbeiter/mitarbeiter_der_woche.html
Bryan Vyhmeister
2010-Jul-30 03:45 UTC
[Dovecot] relay access denied problem thru iphone imap auth
Here are the relevant portions of my postconf -n output. I am using dovecot 1.1 as LDA which is a little different than your setup. I am using the iPhone with this and it works perfectly. Never had a problem.

broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = etc/example.com.crt.pem
smtpd_tls_key_file = etc/example.com.key.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains = example.com, example.net, example.org
virtual_transport = dovecot

Some relevant lines from master.cf as well:

smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
1025       inet  n       -       -       -       -       smtpd
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

In my situation, all SMTP AUTH is sent through port 465 (smtps) using TLS. I hope that helps.

Bryan
Charles Marcus
2010-Jul-30 10:53 UTC
[Dovecot] relay access denied problem thru iphone imap auth
Bryan Vyhmeister wrote:
> In my situation, all SMTP AUTH is sent through port 465 (smtps) using
> TLS. I hope that helps.

First, smtps (port 465) is deprecated, so you should use the STARTTLS+submission port (587) unless there is a specific reason to use smtps. The iPhone supports STARTTLS fine.

Next - there is absolutely no evidence that SMTP_AUTH is attempted in your log snippet:

> Jul 29 20:10:02 ubuntu postfix/smtpd[28892]: connect from unknown[166.205.142.84]
> Jul 29 20:10:06 ubuntu postfix/smtpd[28892]: NOQUEUE: reject: RCPT from unknown[166.205.142.84]: 554 5.7.1 <xxx at gmail.com>: Relay access denied; from=<amit at outsidedomain.com> to=<xxx at gmail.com> proto=ESMTP helo=<[10.67.168.110]>
> Jul 29 20:10:06 ubuntu postfix/smtpd[28892]: disconnect from unknown[166.205.142.84]

Enable the submission port in postfix (just uncomment the example), and tell your iPhone to use STARTTLS on port 587.

--
Best regards,
Charles
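
The check made in the last reply (no sign of SMTP AUTH in the rejected session) can be done mechanically over a mail log. The Python below is an added example, not code from any poster in this thread; it assumes Postfix smtpd log lines in which a successful login appears as `sasl_method=` on the `client=` line and a failed one as a `SASL ... authentication failed` warning. The second session in the sample (address 192.0.2.10, queue ID 3F2A11C0D2) is constructed.

```python
import re

# Sample input: session 28892 is the rejected session from the thread's log;
# session 28950 (192.0.2.10, queue ID 3F2A11C0D2) is constructed for contrast.
SAMPLE_LOG = """\
Jul 29 20:10:02 ubuntu postfix/smtpd[28892]: connect from unknown[166.205.142.84]
Jul 29 20:10:06 ubuntu postfix/smtpd[28892]: NOQUEUE: reject: RCPT from unknown[166.205.142.84]: 554 5.7.1 <xxx at gmail.com>: Relay access denied; from=<amit at outsidedomain.com> to=<xxx at gmail.com> proto=ESMTP helo=<[10.67.168.110]>
Jul 29 20:10:06 ubuntu postfix/smtpd[28892]: disconnect from unknown[166.205.142.84]
Jul 29 20:15:11 ubuntu postfix/smtpd[28950]: connect from unknown[192.0.2.10]
Jul 29 20:15:12 ubuntu postfix/smtpd[28950]: 3F2A11C0D2: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=amit
Jul 29 20:15:13 ubuntu postfix/smtpd[28950]: disconnect from unknown[192.0.2.10]
"""

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_FAILED = re.compile(r"SASL \S+ authentication failed")

def classify_sessions(log_text):
    """Group smtpd lines into connect..disconnect sessions and record AUTH evidence."""
    in_progress, finished = {}, []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from "):
            in_progress[pid] = {"client": msg.split(" ", 2)[2], "auth": "none", "relay_denied": False}
        session = in_progress.get(pid)
        if session is None:
            continue  # line outside any open session, e.g. a pre-connect warning
        if "sasl_method=" in msg:
            session["auth"] = "ok"
        elif AUTH_FAILED.search(msg) and session["auth"] == "none":
            session["auth"] = "failed"
        if "Relay access denied" in msg:
            session["relay_denied"] = True
        if msg.startswith("disconnect from "):
            finished.append(in_progress.pop(pid))
    return finished

def diagnose(session):
    if not session["relay_denied"]:
        return "no relay rejection"
    if session["auth"] == "none":
        return "client never attempted SMTP AUTH; enable outgoing-server authentication on the client"
    if session["auth"] == "failed":
        return "SMTP AUTH attempted but failed; check credentials and the Dovecot auth socket"
    return "authenticated but still rejected; check the order of smtpd_recipient_restrictions"

for s in classify_sessions(SAMPLE_LOG):
    print(s["client"], "->", diagnose(s))
```

Sessions are keyed by smtpd process ID because one smtpd process handles connections one after another, so a connect line always starts a fresh session for that PID.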