Relay access denied

Hi all!

I have the following problem:
We installed a mail server (postfix, courier) on a Debian system, and it worked. The mail server had to be renamed, and since then it does not receive mail and we cannot send any either.
Interestingly, the domains that are not pointed at the server, only their MX record is, do work.
We get the following error:

Reporting-MTA: dns; mail00d.mail.t-online.hu
X-Postfix-Queue-ID: 3VDrc11ffwz173X1
X-Postfix-Sender: rfc822; xxxxx@gmail.com
Arrival-Date: Fri, 23 Mar 2012 18:00:49 +0100 (CET)

Final-Recipient: rfc822; info@xxxx.hu
Original-Recipient: rfc822;info@xxxx.hu
Action: failed
Status: 5.7.1
Remote-MTA: dns; mail.rackhost.hu
Diagnostic-Code: smtp; 554 5.7.1 : Relay access denied

What could be the problem? The Postfix main.cf:
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.floridonet.hu
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = floridonet.hu, h2999.vps0.rackhost.hu, h2999, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 91.227.139.67 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_tls_security_level = may
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

Thanks in advance for the help

Comments

The mail.log contains the following:

Mar 23 19:39:02 h2999 postfix/smtp[18114]: F2B5B3B653: to=, orig_to=, relay=127.0.0.1[127.0.0.1]:10024, delay=0.38, delays=0.05/0.01/0/0.31, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=12000-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4C8783B677)

but h2999.vps0.rackhost.hu is the name that we wanted to change to floridonet.hu

Mail works with a client program, but the webmail cannot send mail, only receive it:
mail.log:Mar 23 21:21:15 h2999 postfix/smtp[22419]: 4217C3B699: to=, relay=none, delay=2716, delays=2674/0.04/42/0, dsn=4.4.1, status=deferred (connect to gmail.com[74.125.232.245]:25: Connection timed out)

If I want to send email to a server that is not external, I get the following error:
Mar 24 08:25:01 h2999 postfix/smtpd[10664]: connect from localhost[127.0.0.1]
Mar 24 08:25:01 h2999 postfix/smtpd[10664]: lost connection after CONNECT from localhost[127.0.0.1]
Mar 24 08:25:01 h2999 postfix/smtpd[10664]: disconnect from localhost[127.0.0.1]

but only the webmail does not work.

What I would do is test it with telnet on localhost:
http://thedaneshproject.com/posts/send-mail-through-smtp-using-telnet/

It is also worth looking at the Roundcube logs:
http://trac.roundcube.net/wiki/Howto_ReportIssues#Howtousethelogs

Then copy the meaningful parts here.

Edit:
Oh, and I would take a good look at Roundcube's SMTP settings: SSL, TLS, ...
As a first step, get everything working plainly without TLS and without a password (mynetworks) on port 25 through localhost, and then you can polish it later.

The problem is probably not with Roundcube, because mail from SquirrelMail and from PHP's mailer (e.g. Joomla registration emails) does not arrive either.
Telnet gave the following:

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.floridonet.hu ESMTP Postfix (Debian/GNU)
# telnet gmail-smtp-in.l.google.com 25
Trying 173.194.70.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP e48si11061514wed.53

nmap result:

nmap -A -p 10025 localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2012-03-24 10:16 CET
Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE VERSION
10025/tcp open smtp Postfix smtpd
|_ smtp-commands: EHLO mail.floridonet.hu, PIPELINING, SIZE, VRFY, ETRN, STARTTLS, AUTH LOGIN PLAIN, AUTH=LOGIN PLAIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|storage-misc|webcam
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (98%), Gemtek embedded (91%), Siemens embedded (91%), Nokia Linux 2.6.X (90%), Aastra embedded (89%), AXIS Linux 2.6.X (89%)
Aggressive OS guesses: Linux 2.6.26 (98%), Linux 2.6.17 - 2.6.28 (97%), Linux 2.6.19 - 2.6.26 (97%), Linux 2.6.19 - 2.6.24 (96%), Linux 2.6.20-grml (96%), Linux 2.6.22 (96%), Linux 2.6.22 (Ubuntu 7.10, x86_64) (94%), Linux 2.6.15 - 2.6.27 (94%), Linux 2.6.17 - 2.6.27 (94%), Linux 2.6.17 - 2.6.26 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 0 hops
Service Info: Host: mail.floridonet.hu

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.03 seconds

it does not work:

#telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.floridonet.hu ESMTP Postfix (Debian/GNU)
helo floridonet.hu
250 mail.floridonet.hu
MAIL FROM:info@floridonet.hu
250 2.1.0 Ok
RCPT TO:virag@gmail.com
250 2.1.5 Ok
SUBJECT:yoursubject
221 2.7.0 Error: I can break rules, too. Goodbye.
Connection closed by foreign host.

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.floridonet.hu ESMTP Postfix (Debian/GNU)
helo mail.floridonet.hu
250 mail.floridonet.hu
MAIL FROM:info@floridonet.hu
250 2.1.0 Ok
RCPT TO:simon.virag@gmail.com
250 2.1.5 Ok
SUBJECT: teszt
221 2.7.0 Error: I can break rules, too. Goodbye.
Connection closed by foreign host.

I think something is messed up there:


$ dig gmail.com MX

; <<>> DiG 9.7.3 <<>> gmail.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7028
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gmail.com.			IN	MX

;; ANSWER SECTION:
gmail.com.		3543	IN	MX	30 alt3.gmail-smtp-in.l.google.com.
gmail.com.		3543	IN	MX	20 alt2.gmail-smtp-in.l.google.com.
gmail.com.		3543	IN	MX	40 alt4.gmail-smtp-in.l.google.com.
gmail.com.		3543	IN	MX	5 gmail-smtp-in.l.google.com.
gmail.com.		3543	IN	MX	10 alt1.gmail-smtp-in.l.google.com.

;; Query time: 22 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sat Mar 24 11:53:58 2012
;; MSG SIZE  rcvd: 150

$ telnet gmail.com 25
Trying 209.85.148.18...
^C
$ telnet 74.125.232.246 25
Trying 74.125.232.246...
^C
$ telnet alt3.gmail-smtp-in.l.google.com 25
Trying 173.194.77.26...
Connected to alt3.gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP k3si6146700obl.56
quit
221 2.0.0 closing connection k3si6146700obl.56
Connection closed by foreign host.

It should not be connecting to gmail.com, but to one of the Gmail SMTP servers.

Just a guess:
grep -Ri gmail.com /etc
Or possibly:
grep -Ri 74.125.232.246 /etc

If this returns nothing, then I don't know what is screwed up there.

Which DNS server are you using? I ask because there really is no SMTP server on 74.125.232.246, and if there is no information about this in the config files either, then the problem must be there. You could also query the Gmail MX on the DNS server to see whether it really returns this.

upd: also put the hostname into mydestination; is that mail.floridonet.hu? If so, put that in, and the floridonet.hu domain should not be in it if it is registered in MySQL.

upd2: Can't you send to non-Gmail addresses either?
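
Added example (not part of any post in this thread): a Python check that compares the host in Postfix's "connect to" log line with the MX answer from dig, which is the mismatch pointed out above. The function names are made up for this example; the sample input is taken from the outputs quoted in the thread.

```python
import re

# Sample input: MX answer and log lines as quoted in this thread
# (whitespace normalized).
DIG_ANSWER = """\
gmail.com. 3543 IN MX 30 alt3.gmail-smtp-in.l.google.com.
gmail.com. 3543 IN MX 20 alt2.gmail-smtp-in.l.google.com.
gmail.com. 3543 IN MX 40 alt4.gmail-smtp-in.l.google.com.
gmail.com. 3543 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3543 IN MX 10 alt1.gmail-smtp-in.l.google.com.
"""
LOG_LINES = [
    "Mar 24 12:32:13 h2999 postfix/smtp[22246]: connect to "
    "gmail.com[74.125.232.246]:25: Connection timed out",
    "Mar 24 12:32:13 h2999 postfix/qmgr[21085]: 26D6429F9C: removed",
]

MX_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)$")
CONNECT_RE = re.compile(
    r"postfix/smtp\[\d+\]: connect to (\S+?)\[([0-9A-Fa-f.:]+)\]:\d+: (.*)$")

def parse_mx(dig_text):
    """Map each domain to its MX hosts, lowest preference value first."""
    records = {}
    for line in dig_text.splitlines():
        m = MX_RE.match(line.strip())
        if m:
            domain = m.group(1).rstrip(".").lower()
            host = m.group(3).rstrip(".").lower()
            records.setdefault(domain, []).append((int(m.group(2)), host))
    return {d: [h for _, h in sorted(v)] for d, v in records.items()}

def find_mx_bypass(log_lines, mx_by_domain):
    """Report connects aimed at a domain that has MX records but is not one."""
    findings = []
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        mx_hosts = mx_by_domain.get(host)
        if mx_hosts and host not in mx_hosts:
            findings.append({"host": host, "ip": m.group(2),
                             "expected": mx_hosts[0], "error": m.group(3)})
    return findings

if __name__ == "__main__":
    for f in find_mx_bypass(LOG_LINES, parse_mx(DIG_ANSWER)):
        print("%(host)s [%(ip)s]: %(error)s; first MX is %(expected)s" % f)
```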

Mail still does not go out from the inside this way either

Mar 24 12:32:07 h2999 imapd: LOGIN, user=info@floridonet.hu, ip=[::ffff:91.227.139.67], port=[53343], protocol=IMAP
Mar 24 12:32:07 h2999 imapd: LOGOUT, user=info@floridonet.hu, ip=[::ffff:91.227.139.67], headers=0, body=0, rcvd=95, sent=463, time=0
Mar 24 12:32:13 h2999 postfix/smtp[22246]: connect to gmail.com[74.125.232.246]:25: Connection timed out
Mar 24 12:32:13 h2999 postfix/smtp[22246]: 1AFF329F9B: to=, relay=none, delay=42, delays=0.01/0/42/0, dsn=4.4.1, status=deferred (connect to gmail.com[74.125.232.246]:25: Connection timed out)
Mar 24 12:32:13 h2999 postfix/cleanup[22083]: 26D6429F9C: message-id=<20120324113213.26D6429F9C@mail.floridonet.hu>
Mar 24 12:32:13 h2999 postfix/qmgr[21085]: 26D6429F9C: from=<>, size=2363, nrcpt=1 (queue active)
Mar 24 12:32:13 h2999 postfix/bounce[22253]: 1AFF329F9B: sender non-delivery notification: 26D6429F9C
Mar 24 12:32:13 h2999 postfix/smtp[22252]: 26D6429F9C: to=, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.4.6, status=bounced (mail for mail.floridonet.hu loops back to myself)
Mar 24 12:32:13 h2999 postfix/qmgr[21085]: 26D6429F9C: removed

iptables -L -v -n

Chain INPUT (policy ACCEPT 278K packets, 173M bytes)
pkts bytes target prot opt in out source destination
169K 12M fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
1044K 60M fail2ban-pureftpd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21
198K 14M fail2ban-dovecot-pop3imap tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 110,995,143,993

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 242K packets, 59M bytes)
pkts bytes target prot opt in out source destination

Chain fail2ban-dovecot-pop3imap (1 references)
pkts bytes target prot opt in out source destination
198K 14M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-pureftpd (1 references)
pkts bytes target prot opt in out source destination
1044K 60M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
162K 11M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0