postfix + amavis = relay access denied

snowball
Posts: 218
Joined: 2004-09-15 10:14

postfix + amavis = relay access denied

Post by snowball » 2006-09-19 21:58

Hello everyone,
after tinkering and trying out quite a few things in my test environment, I just decided to do the whole thing on my production server as well... And lo and behold, I found another error after all, one I can't get past. Maybe one of you has the saving tip for me.

Long story short: if I take amavis out of master.cf, everything works. If it is in there, I can't relay through the server with smtp_auth. In reply I get a lovely mail from someone calling himself MAILER-DAEMON :( I have also already played around with the mynetworks variable, but everything I found on Google had nothing to do with smtp_auth, only with fixed IPs.

Code: Select all

Sep 19 21:29:30 mail postfix/smtpd[8992]: B21F7A3B21: client=p50830A28.dip0.t-ipconnect.de[80.131.10.40], sasl_method=PLAIN, sasl_username=jochen@bigblade.de
Sep 19 21:29:30 mail postfix/cleanup[9001]: B21F7A3B21: message-id=<451045C8.5020408@bigblade.de>
Sep 19 21:29:30 mail postfix/qmgr[8981]: B21F7A3B21: from=<jochen@bigblade.de>, size=544, nrcpt=1 (queue active)
Sep 19 21:29:31 mail postfix/smtpd[8992]: disconnect from p50830A28.dip0.t-ipconnect.de[80.131.10.40]
Sep 19 21:29:31 mail amavis[8917]: (08917-01) WARN: all primary virus scanners failed, considering backups
Sep 19 21:29:31 mail postfix/smtpd[9004]: connect from localhost[127.0.0.1]
Sep 19 21:29:31 mail postfix/smtpd[9004]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <snowfun81@gmx.de>: Relay access denied; from=<jochen@bigblade.de> to=<snowfun81@gmx.de> proto=ESMTP helo=<localhost>
Sep 19 21:29:31 mail amavis[8917]: (08917-01) mail_via_smtp: DATA skipped, no valid recips, 0
Sep 19 21:29:31 mail postfix/smtpd[9004]: disconnect from localhost[127.0.0.1]
Sep 19 21:29:31 mail amavis[8917]: (08917-01) mail_via_smtp: 554 5.7.1 <snowfun81@gmx.de>: Relay access denied
Sep 19 21:29:31 mail amavis[8917]: (08917-01) Blocked CLEAN, [80.131.10.40] <jochen@bigblade.de> -> <snowfun81@gmx.de>, Message-ID: <451045C8.5020408@bigblade.de>, Hits: -, 177 ms
Sep 19 21:29:31 mail postfix/smtp[9003]: B21F7A3B21: to=<snowfun81@gmx.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.55, delays=0.35/0.01/0.02/0.17, dsn=5.7.1, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 5.7.1 <snowfun81@gmx.de>: Relay access denied (in reply to end of DATA command))
Sep 19 21:29:31 mail postfix/cleanup[9001]: 6274CA3B28: message-id=<20060919192931.6274CA3B28@mail.dieler.ws>
Sep 19 21:29:31 mail postfix/qmgr[8981]: 6274CA3B28: from=<>, size=2409, nrcpt=1 (queue active)
Sep 19 21:29:31 mail postfix/bounce[9006]: B21F7A3B21: sender non-delivery notification: 6274CA3B28
Sep 19 21:29:31 mail postfix/qmgr[8981]: B21F7A3B21: removed
Sep 19 21:29:31 mail postfix/virtual[9007]: 6274CA3B28: to=<jochen@bigblade.de>, relay=virtual, delay=0.3, delays=0.11/0.01/0/0.17, dsn=2.0.0, status=sent (delivered to maildir)
Here is my main.cf as well:

Code: Select all

alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_dns_lookups = no
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain
myhostname = mail.dieler.ws
mynetworks = host
myorigin = mail.dieler.ws
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_recipient_restrictions = permit_mynetworks,  permit_sasl_authenticated,  reject_non_fqdn_recipient,  reject_unauth_destination,  reject_unauth_pipelining,  reject_rbl_client opm.blitzed.org,  reject_rbl_client list.dsbl.org,  reject_rbl_client bl.spamcop.net,  reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1001
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1001
virtual_transport = virtual
virtual_uid_maps = static:1001
Does anyone have a direction I should be looking in?

Thanks in advance.

Cheers,
Jochen

Roger Wilco
Administrator
Posts: 6001
Joined: 2004-05-23 12:53

Re: postfix + amavis = relay access denied

Post by Roger Wilco » 2006-09-19 22:03

Show us your master.cf and the relevant parts of the amavis configuration.
Presumably you are dumping the mail back into the normal smtpd, which then of course wants a login via SMTP-Auth, which amavis doesn't do.

snowball
Posts: 218
Joined: 2004-09-15 10:14

Re: postfix + amavis = relay access denied

Post by snowball » 2006-09-19 22:08

Here it is...
Btw, is there actually a way to view it without comments, the way postconf -n does for main.cf???

Code: Select all

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       n       -       -       smtpd -o content_filter=smtp:[127.0.0.1]:10024
#localhost:10025 inet    n       -       n       -       -       smtpd -o content_filter=
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
Well, which is the relevant part of amavisd.conf?

Code: Select all

use strict;

# a minimalistic configuration file for amavisd-new with all necessary settings
#
#   see amavisd.conf-default for a list of all variables with their defaults;
#   see amavisd.conf-sample for a traditional-style commented file;
#   for more details see documentation in INSTALL, README_FILES/*
#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html


# COMMONLY ADJUSTED SETTINGS:

# @bypass_virus_checks_maps = (1);  # uncomment to DISABLE anti-virus code
@bypass_spam_checks_maps  = (1);  # uncomment to DISABLE anti-spam code

$max_servers = 2;            # number of pre-forked children (2..15 is common)
$daemon_user = 'vscan';
$daemon_group = 'vscan';

$mydomain = 'dieler.ws';

$MYHOME = '/var/spool/amavis';
$TEMPBASE = "$MYHOME/tmp";   # working directory, needs to be created manually
$ENV{TMPDIR} = $TEMPBASE;    # environment variable TMPDIR
$QUARANTINEDIR = '/var/spool/amavis/virusmails';

# $daemon_chroot_dir = $MYHOME;   # chroot directory or undef

# $db_home   = "$MYHOME/db";
# $helpers_home = "$MYHOME/var";  # prefer $MYHOME clean and owned by root?
# $pid_file  = "$MYHOME/var/amavisd.pid";
# $lock_file = "$MYHOME/var/amavisd.lock";
#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually

@local_domains_maps = ( [".$mydomain"] );
#@mynetworks = qw( 127.0.0.0/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

$log_level = 0;              # verbosity 0..5
$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$SYSLOG_LEVEL = 'mail.debug';

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # listen on this local TCP port(s) (see $protocol)
$unix_socketname = "$MYHOME/amavisd.sock";  # when using sendmail milter

$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
$sa_local_tests_only = 0;    # only tests which do not require internet access?
$sa_auto_whitelist = 1;      # turn on AWL in SA 2.63 or older (irrelevant
                             # for SA 3.0, cf option is 'use_auto_whitelist')

# @lookup_sql_dsn =
#   ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'],
#     ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'] );

#$virus_admin               = "virusalert@$mydomain";  # notifications recip.

#$mailfrom_notify_admin     = "virusalert@$mydomain";  # notifications sender
#$mailfrom_notify_recip     = "virusalert@$mydomain";  # notifications sender
#$mailfrom_notify_spamadmin = "spam.police@$mydomain"; # notifications sender
$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef

@addr_extension_virus_maps      = ('virus');
@addr_extension_spam_maps       = ('spam');
@addr_extension_banned_maps     = ('banned');
@addr_extension_bad_header_maps = ('badh');
# $recipient_delimiter = '+';  # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+

$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$file   = 'file';   # file(1) utility; use recent versions
[SNIP]...[/SNIP]
# OTHER MORE COMMON SETTINGS (defaults may suffice):

$myhostname = 'mail.dieler.ws';  # must be a fully-qualified domain name!

# $notify_method  = 'smtp:[127.0.0.1]:10025';
# $forward_method = 'smtp:[127.0.0.1]:10025';  # set to undef with milter!

# $final_virus_destiny      = D_DISCARD;
# $final_banned_destiny     = D_BOUNCE;
$final_spam_destiny = D_PASS;
# $final_bad_header_destiny = D_PASS;
Thanks
Jochen

rootsvr
Posts: 538
Joined: 2005-09-02 11:12

Re: postfix + amavis = relay access denied

Post by rootsvr » 2006-09-19 22:33

In master.cf you need the following (copied from my setup), maybe adapt it.

Code: Select all

127.0.0.1:10025 inet    n       -       y       -       -       smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

smtp-amavis     unix    -       -       y       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes
        -o smtp_send_xforward_command=yes
in main.cf:

Code: Select all

content_filter = smtp-amavis:[localhost]:10026
in amavisd.conf:

Code: Select all

$inet_socket_port = 10026;        # accept SMTP on this local TCP port
                                  # (default is undef, i.e. disabled)

$inet_socket_bind = '127.0.0.1';  # limit socket bind to loopback interface
                                  # (default is '127.0.0.1')
@inet_acl = qw( 127.0.0.1 );      # allow SMTP access only from localhost IP
                                  # (default is qw( 127.0.0.1 ) )

The re-entry from amavis is by default (as long as you haven't changed anything) localhost:10025 (compare the master.cf entry).

In the end it should be enough to uncomment the localhost:10025 line on your side again and restart postfix.
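
Added example, not part of the original posts: a small Python check that parses a master.cf and reports whether the after-filter smtpd listener discussed above exists and how it is locked down. The function names, the default port argument (10025, as named in the thread) and the three sample configurations are assumptions constructed from lines quoted in the thread.

```python
import re

def parse_master_cf(text):
    """Parse master.cf into services; lines starting with whitespace continue an entry."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank line or comment
        if raw[0].isspace() and services:
            services[-1]["args"] += raw.split()       # continuation of previous entry
            continue
        f = raw.split()
        services.append({"name": f[0], "type": f[1], "command": f[7], "args": f[8:]})
    for s in services:  # collect "-o name=value" overrides
        a = s["args"]
        s["opts"] = dict(a[i + 1].split("=", 1) for i in range(len(a) - 1)
                         if a[i] == "-o" and "=" in a[i + 1])
    return services

def check_reinjection(text, port="10025"):
    """Return findings for the listener amavis hands scanned mail back to ([] = OK)."""
    svcs = [s for s in parse_master_cf(text) if s["type"] == "inet"
            and s["command"] == "smtpd" and s["name"].rsplit(":", 1)[-1] == port]
    if not svcs:
        return [f"no smtpd listener on port {port}"]
    name, opts, findings = svcs[0]["name"], svcs[0]["opts"], []
    if name.rsplit(":", 1)[0] not in ("127.0.0.1", "localhost"):
        findings.append("listener not bound to loopback")
    if opts.get("content_filter") != "":
        findings.append("content_filter not cleared (mail would be filtered again)")
    restr = re.split(r"[,\s]+", opts.get("smtpd_recipient_restrictions", ""))
    if (restr[0], restr[-1]) != ("permit_mynetworks", "reject"):
        findings.append("recipient restrictions are not overridden to permit_mynetworks,reject")
    return findings

# Constructed samples built from lines quoted in the thread.
BROKEN = """\
smtp      inet  n - n - - smtpd -o content_filter=smtp:[127.0.0.1]:10024
#localhost:10025 inet n - n - - smtpd -o content_filter=
"""
MINIMAL = BROKEN.replace("#localhost", "localhost")
HARDENED = """\
127.0.0.1:10025 inet n - y - - smtpd
        -o content_filter=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("minimal", MINIMAL), ("hardened", HARDENED)):
        print(label, check_reinjection(cfg))
```

The minimal variant is reported only because it relies on the recipient restrictions from main.cf instead of pinning the listener to permit_mynetworks,reject with a loopback-only mynetworks.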

snowball
Posts: 218
Joined: 2004-09-15 10:14

Re: postfix + amavis = relay access denied

Post by snowball » 2006-09-20 09:35

Great, that was it.

Many thanks for the quick help.