Postfix Reject

  • Hab Postfix und IMAP über diverse Anleitungen an LDAP angehängt.
    Allerdings läuft momentan das Senden noch nicht.
    Als Meldung erhalte ich immer nur:


    "==> /var/log/syslog <==
    Nov 22 18:15:21 xxxxx postfix/smtpd[23339]: NOQUEUE: reject: RCPT from xxxxxxxxxxxx.dynamic.kabel-deutschland.de[xxxxxxxxxxxxxxxxx]: 450 4.7.1 <chris@xxxxxxxxx.xxxxxxxxx>: Recipient address rejected: Access denied; from=<chris@xxxxxxxxx.xxxxxxxxx> to=<chris@xxxxxxxxx.xxxxxxxxx> proto=ESMTP helo=<nightfurry>


    ==> /var/log/mail.log <==
    Nov 22 18:15:21 xxxxx postfix/smtpd[23339]: NOQUEUE: reject: RCPT from xxxxxxxxxxxx.dynamic.kabel-deutschland.de[xxxxxxxxxxxxxxxxx]: 450 4.7.1 <chris@xxxxxx.xxxxxxx>: Recipient address rejected: Access denied; from=<chris@xxxxxxxxx.xxxxxxxxx> to=<chris@xxxxxxxxx.xxxxxxxxx> proto=ESMTP helo=<nightfurry>
    "



    Config Postfix:


    "# See /usr/share/postfix/main.cf.dist for a commented, more complete version



    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname


    # NOTE(review): main.cf treats only lines that START with '#' as comments; a '#'
    # later on a line is part of the value, so every note below is on its own line.
    # The quoted log entry "450 4.7.1 <...>: Recipient address rejected: Access denied"
    # is the text Postfix produces when an access map or check_policy_service lookup
    # returns a bare DEFER (no reply text) - see the smtpd_recipient_restrictions note.
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no


    # appending .domain is the MUA's job.
    append_dot_mydomain = no


    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h


    readme_directory = no


    # TLS parameters
    # The private key is loaded before smtpd drops privileges; keep it readable by
    # root only (0600). The certificate file may stay world-readable.
    smtpd_tls_cert_file = /etc/ssl/xxxxx/certificate.pm
    smtpd_tls_key_file = /etc/ssl/xxxxx/new.xxxxx.xxxxx.key
    # Legacy switch; superseded by smtpd_tls_security_level further down (both say "offer STARTTLS").
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.


    myhostname = xxxxx.xxxxx.xxxxx
    alias_maps = hash:/etc/postfix/aliases
    alias_database = hash:/etc/postfix/aliases
    myorigin = xxxxx.xxxxx.xxxxx
    # Entries may be separated by commas or whitespace, so the missing comma before the last name is harmless.
    mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname xxxxx.xxxxx.xxxxx
    relayhost =
    # An explicit mynetworks list overrides mynetworks_style (set below). Only loopback is
    # trusted, so every other client has to pass SASL authentication to relay.
    mynetworks = 127.0.0.0/8 [::1]/128
    # Used by local(8) delivery only; mail for virtual domains goes through virtual_transport (see below).
    mailbox_command = /usr/lib/dovecot/deliver
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    allow_percent_hack = no
    swap_bangpath = no
    mydomain = xxxxx.xxxxx
    mynetworks_style = host
    smtpd_data_restrictions = reject_unauth_pipelining
    # Already the default, and reject_unlisted_recipient is listed again in smtpd_recipient_restrictions.
    smtpd_reject_unlisted_recipient = yes
    # Rejects MAIL FROM addresses in local/virtual domains that do not exist in the lookup tables.
    smtpd_reject_unlisted_sender = yes
    # Opportunistic TLS for outbound mail: "may" never fails delivery when the peer lacks STARTTLS.
    smtp_tls_security_level = may
    smtp_tls_CAfile = $smtpd_tls_CAfile
    smtp_tls_loglevel = 0
    smtp_tls_note_starttls_offer = yes
    # reject_sender_login_mismatch comes before permit_sasl_authenticated, so an authenticated
    # user may only use sender addresses that smtpd_sender_login_maps ties to that login.
    smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
    delay_warning_time = 0h
    maximal_queue_lifetime = 4h
    bounce_queue_lifetime = 4h
    # Tables that proxymap(8) may open on behalf of the proxy: lookups below.
    # $smtpd_sender_restrictions is not a lookup table; listing it here has no effect.
    proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
    smtp_data_init_timeout = 240s
    smtp_data_xfer_timeout = 600s
    # With the default smtpd_delay_reject=yes these are evaluated at RCPT TO time, ahead of
    # smtpd_recipient_restrictions. The logged helo=<nightfurry> is not an FQDN, yet the
    # session was not rejected here, so presumably permit_sasl_authenticated (or the pcre
    # access map) matched first - worth confirming against the sasl_username in the log.
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
    queue_run_delay = 300s
    minimal_backoff_time = 300s
    maximal_backoff_time = 4000s
    enable_original_recipient = no
    # VRFY disabled: prevents address harvesting via the SMTP dialogue.
    disable_vrfy_command = yes
    home_mailbox = Maildir/
    allow_min_user = no
    message_size_limit = 15728640
    virtual_minimum_uid = 2000
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /home/mail
    # Every proxy:ldap: file below contains the LDAP bind password in cleartext; they must be
    # readable by the postfix user (proxymap runs as that user) and by nobody else.
    transport_maps = proxy:ldap:/home/mail/postfix/ldap/transport_maps_user.cf, proxy:ldap:/home/mail/postfix/ldap/transport_maps_domain.cf
    virtual_alias_maps = proxy:ldap:/home/mail/postfix/ldap/virtual_alias_maps.cf, proxy:ldap:/home/mail/postfix/ldap/virtual_group_maps.cf, proxy:ldap:/home/mail/postfix/ldap/virtual_group_members_maps.cf, proxy:ldap:/home/mail/postfix/ldap/catchall_maps.cf
    virtual_mailbox_domains = proxy:ldap:/home/mail/postfix/ldap/virtual_mailbox_domains.cf
    virtual_mailbox_maps = proxy:ldap:/home/mail/postfix/ldap/virtual_mailbox_maps.cf
    sender_bcc_maps = proxy:ldap:/home/mail/postfix/ldap/sender_bcc_maps_user.cf, proxy:ldap:/home/mail/postfix/ldap/sender_bcc_maps_domain.cf
    recipient_bcc_maps = proxy:ldap:/home/mail/postfix/ldap/recipient_bcc_maps_user.cf, proxy:ldap:/home/mail/postfix/ldap/recipient_bcc_maps_domain.cf
    relay_domains = $mydestination, proxy:ldap:/home/mail/postfix/ldap/relay_domains.cf
    smtpd_sender_login_maps = proxy:ldap:/home/mail/postfix/ldap/sender_login_maps.cf
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_authenticated_header = yes
    broken_sasl_auth_clients = yes
    # noanonymous forbids the ANONYMOUS mechanism; plaintext mechanisms stay allowed but are
    # only ever offered inside TLS because of smtpd_tls_auth_only below.
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_auth_only = yes
    # Order matters: both check_policy_service lookups run BEFORE permit_mynetworks and
    # permit_sasl_authenticated, so authenticated submission clients are also judged by
    # both policy daemons, and a bare DEFER from either one produces exactly the logged
    # "450 4.7.1 ... Access denied". Check the daemons' own logs for the deferral reason,
    # or place permit_sasl_authenticated ahead of the policy checks for the submission
    # path. reject_unauth_destination at the end is what prevents open relaying.
    smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
    # "may" offers STARTTLS without requiring it; with smtpd_tls_auth_only=yes AUTH is
    # announced only after STARTTLS, so credentials never cross the wire in cleartext.
    smtpd_tls_security_level = may
    smtpd_tls_loglevel = 0
    smtpd_tls_CAfile = /etc/ssl/xxxxx.xxxxx/certificate.pm
    tls_random_source = dev:/dev/urandom
    # Delivery agent for virtual_mailbox_domains; must match a "dovecot" service in master.cf (not shown).
    virtual_transport = dovecot
    dovecot_destination_recipient_limit = 1
    # SASL is delegated to Dovecot through its auth socket under $queue_directory.
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/dovecot-auth
    # All queued mail is handed to amavisd; the re-injection listener in master.cf (not shown)
    # must not run these smtpd restrictions a second time.
    content_filter = smtp-amavis:[127.0.0.1]:10024
    smtp-amavis_destination_recipient_limit = 1
    # Per-client MAIL FROM rate limit, enforced by anvil(8); clients in $mynetworks are exempt by default.
    smtpd_client_message_rate_limit = 100
    # No transport named "maildrop" is referenced anywhere above (virtual_transport is dovecot),
    # so these two settings are dead.
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    "



    Hat vielleicht jemand ne Idee, an was es liegen könnte?

  • Zugreifen kann er ohne Probleme dahin gehend erhalte ich bisher keine Fehlermeldungen.
    Ich mußte die Dateien verschieben, da ich dem Config-Directory (/etc) keine Ausführprivilegien geben wollte.


    Es existieren verschiedene Config Dateien.


    Hier beispielsweise:


    virtual_mailbox_domains.cf




    # NOTE(review): this file holds a cleartext LDAP bind password. proxy:ldap: tables are
    # opened by proxymap(8), which runs as the postfix user, so the file must be readable
    # by that user and by nobody else (e.g. mode 0640, owner root, group postfix).
    # Directories along the path need the search (x) bit for traversal; the .cf file
    # itself needs no execute permission at all. As in main.cf, only lines that start
    # with '#' are comments.
    server_host = 127.0.0.1
    server_port = 389
    bind = yes
    # Unencrypted LDAP is tolerable only because server_host is loopback; enable start_tls
    # (or use ldaps) before pointing this at a remote directory server.
    start_tls = no
    version = 3
    # Dedicated service account; it should have read-only access limited to the subtrees queried here.
    bind_dn = cn=postfix,ou=specialUsers,dc=ldap,dc=xxxx,dc=xxxx
    bind_pw = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    search_base = o=domains,dc=ldap,dc=xxxx,dc=xxxx
    # "one" searches only the direct children of search_base.
    scope = one
    # %s is the queried domain. Matches the domain itself or an enabled alias, and excludes
    # backup-MX-only entries and domains that are not active with the mail service enabled.
    query_filter = (&(objectClass=mailDomain)(|(domainName=%s)(&(enabledService=domainalias)(domainAliasName=%s)))(!(domainBackupMX=yes))(accountStatus=active)(enabledService=mail))
    result_attribute= domainName
    # Raise only while troubleshooting: debug output goes to the mail log and includes query details.
    debuglevel = 0



    Andere auf Anfrage.
    Auch die Queries laufen.
    Ich hab sie über postmap -q getestet.
    Es ergeben sich keine Fehlermeldungen.


    Das mit dem Transport wäre ein nächster Schritt. Erstmal muß der Versand über SMTP funktionieren.


    danke für die Hilfe

  • Ich nehme an, du führst postmap als anderen Benutzer aus, als für Postfix verwendet wird?
    Welche Rechte haben denn die Dateien (ls -l) in /etc/postfix und /home/mail/postfix/ldap und auch die Überordner?
    Erscheinen weitere Infos im Log, wenn du Postfix neu startest?
    Welche Distribution verwendest du?


    Konfigurationsdateien wie deine LDAP-Lookup-Tables brauchen keine Ausführrechte, es reicht, wenn Postfix diese lesen kann. Schau dir einfach mal die anderen Konfigurationsdateien in /etc/postfix an.

  • Ich habe mir deine Konfiguration mal näher angeschaut. Um ehrlich zu sein, die ist extrem wüst.
    Scheinbar hast du bereits einen Transport für dovecot definiert, der auch mittels virtual_transport aufgerufen wird. Trotzdem aber noch ein mailbox_command, der ebenfalls auf dovecot zeigt?
    Wofür brauchst du virtual_uid_maps, wenn die mails doch an Dovecot weitergereicht werden?
    Was sollen die beiden Zeilen mit maildrop bewirken?


    Bitte arbeite dich vernünftig in Postfix, Dovecot usw. ein und erstelle dann selbst eine Konfiguration nach deinen Anforderungen. Howtos sind als Grundlage und für den ersten Kontakt ganz nützlich, sich blind und ohne das nötige Hintergrundwissen darauf zu verlassen ist aber sehr gefährlich.

  • Die Konfig war mehr als nur wüst, aber das ist einem älteren Admin-Panel geschuldet, das, genauso wie der Mailserver, noch auf einem Debian 7.7 Server läuft.


    Hab die Konfigurationsdatei ein wenig aufgeräumt und zusammengefasst, was zusammengehört.


    "# See /usr/share/postfix/main.cf.dist for a commented, more complete version



    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    # NOTE(review): main.cf treats only lines that START with '#' as comments; a '#'
    # later on a line is part of the value, so every note below is on its own line.
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no


    #Hosts
    myhostname = xxxxxx.xxxxxxxx.xxx
    myorigin = xxxxxx.xxxxxxxx.xxx
    # Entries may be separated by commas or whitespace, so the missing comma before the last name is harmless.
    mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname xxxxxx.xxxxxxxx.xxx
    relayhost =
    # Overridden by the explicit mynetworks list in the #Netzwerk section.
    mynetworks_style = host


    #Domains
    mydomain = xxxxxxxx.xxx


    #Netzwerk
    # Only loopback is trusted; every other client has to pass SASL authentication to relay.
    mynetworks = 127.0.0.0/8 [::1]/128
    inet_interfaces = all
    inet_protocols = all


    # appending .domain is the MUA's job.
    append_dot_mydomain = no


    # Uncomment the next line to generate "delayed mail" warnings
    # delay_warning_time = 4h
    readme_directory = no


    #Alias
    alias_maps = hash:/etc/postfix/aliases
    alias_database = hash:/etc/postfix/aliases
    virtual_alias_domains =


    #SSL
    # (empty section - the TLS settings live under #TLS below)


    #SMTP HELO Command
    # With the default smtpd_delay_reject=yes these are evaluated at RCPT TO time, ahead of
    # smtpd_recipient_restrictions; permit_sasl_authenticated lets authenticated clients
    # pass even with a non-FQDN HELO such as the logged "nightfurry".
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre


    #TLS
    # The private key is loaded before smtpd drops privileges; keep it readable by
    # root only (0600). The certificate file may stay world-readable.
    smtpd_tls_cert_file = /etc/ssl/xxxxxxxx/certificate.pm
    smtpd_tls_key_file = /etc/ssl/xxxxxxxx/new.xxxxxxxx.xxx.key
    # Legacy switch; superseded by smtpd_tls_security_level below.
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    # Opportunistic TLS for outbound mail: "may" never fails delivery when the peer lacks STARTTLS.
    smtp_tls_security_level = may
    smtp_tls_CAfile = $smtpd_tls_CAfile
    smtp_tls_loglevel = 0
    smtp_tls_note_starttls_offer = yes
    # AUTH is announced only after STARTTLS, so SASL credentials never cross the wire in cleartext.
    smtpd_tls_auth_only = yes
    smtpd_tls_security_level = may
    smtpd_tls_loglevel = 0
    smtpd_tls_CAfile = /etc/ssl/xxxxxxxx/certificate.pm
    tls_random_source = dev:/dev/urandom


    #Restrictions
    # Order matters: both check_policy_service lookups run BEFORE permit_mynetworks and
    # permit_sasl_authenticated, so authenticated submission clients are also judged by
    # both policy daemons, and a bare DEFER from either one produces exactly the
    # "450 4.7.1 ... Recipient address rejected: Access denied" seen in the first post.
    # Check the daemons' own logs for the deferral reason, or place permit_sasl_authenticated
    # ahead of the policy checks for the submission path. reject_unauth_destination at the
    # end is what prevents open relaying.
    smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
    # All queued mail is handed to amavisd; the re-injection listener in master.cf (not shown)
    # must not run these smtpd restrictions a second time.
    content_filter = smtp-amavis:[127.0.0.1]:10024
    # reject_sender_login_mismatch comes before permit_sasl_authenticated, so an authenticated
    # user may only use sender addresses that smtpd_sender_login_maps ties to that login.
    smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
    smtpd_data_restrictions = reject_unauth_pipelining
    # Already the default, and reject_unlisted_recipient is listed again in smtpd_recipient_restrictions.
    smtpd_reject_unlisted_recipient = yes
    smtpd_reject_unlisted_sender = yes


    #SASL Auth
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_authenticated_header = yes
    broken_sasl_auth_clients = yes
    # noanonymous forbids the ANONYMOUS mechanism; plaintext mechanisms stay allowed but are
    # only offered inside TLS because of smtpd_tls_auth_only above.
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/dovecot-auth


    #Transport and Maps
    # Every proxy:ldap: file below contains the LDAP bind password in cleartext; now that they
    # live under /home/postfix/ldap make sure they are readable by the postfix user
    # (proxymap runs as that user) and by nobody else.
    transport_maps = proxy:ldap:/home/postfix/ldap/transport_maps_user.cf, proxy:ldap:/home/postfix/ldap/transport_maps_domain.cf
    # NOTE(review): this was "dovecot" in the first version of the config and is now empty,
    # while dovecot_destination_recipient_limit below still refers to that transport. With
    # no delivery agent named here, mail for virtual_mailbox_domains presumably cannot be
    # delivered; this looks like an accidental loss during the clean-up.
    virtual_transport =
    virtual_alias_maps = proxy:ldap:/home/postfix/ldap/virtual_alias_maps.cf, proxy:ldap:/home/postfix/ldap/virtual_group_maps.cf, proxy:ldap:/home/postfix/ldap/virtual_group_members_maps.cf, proxy:ldap:/home/postfix/ldap/catchall_maps.cf
    virtual_mailbox_domains = proxy:ldap:/home/postfix/ldap/virtual_mailbox_domains.cf
    virtual_mailbox_maps = proxy:ldap:/home/postfix/ldap/virtual_mailbox_maps.cf
    sender_bcc_maps = proxy:ldap:/home/postfix/ldap/sender_bcc_maps_user.cf, proxy:ldap:/home/postfix/ldap/sender_bcc_maps_domain.cf
    recipient_bcc_maps = proxy:ldap:/home/postfix/ldap/recipient_bcc_maps_user.cf, proxy:ldap:/home/postfix/ldap/recipient_bcc_maps_domain.cf
    relay_domains = $mydestination, proxy:ldap:/home/postfix/ldap/relay_domains.cf
    smtpd_sender_login_maps = proxy:ldap:/home/postfix/ldap/sender_login_maps.cf
    # Tables that proxymap(8) may open on behalf of the proxy: lookups above.
    # $smtpd_sender_restrictions is not a lookup table; listing it here has no effect.
    proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions


    #Settings
    mailbox_size_limit = 0
    recipient_delimiter = +
    html_directory = /usr/share/doc/postfix/html
    allow_percent_hack = no
    swap_bangpath = no
    smtp-amavis_destination_recipient_limit = 1
    # Per-client MAIL FROM rate limit, enforced by anvil(8); clients in $mynetworks are exempt by default.
    smtpd_client_message_rate_limit = 100
    # Only meaningful if virtual_transport (or a transport_maps entry) actually names "dovecot".
    dovecot_destination_recipient_limit = 1
    queue_run_delay = 300s
    minimal_backoff_time = 300s
    maximal_backoff_time = 4000s
    enable_original_recipient = no
    # VRFY disabled: prevents address harvesting via the SMTP dialogue.
    disable_vrfy_command = yes
    home_mailbox = Maildir/
    allow_min_user = no
    message_size_limit = 15728640
    # Now consistent with the static uid/gid below (was 2000 in the first version).
    virtual_minimum_uid = 5000
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /home/mail
    smtp_data_init_timeout = 240s
    smtp_data_xfer_timeout = 600s
    delay_warning_time = 0h
    maximal_queue_lifetime = 4h
    bounce_queue_lifetime = 4h


    #Disabled
    # mailbox_command only affected local(8) delivery; with virtual domains handled by
    # virtual_transport it was indeed redundant, and no "maildrop" transport exists here.
    #mailbox_command = /usr/lib/dovecot/deliver"
    #maildrop_destination_concurrency_limit = 1
    #maildrop_destination_recipient_limit = 1


    Die Dateien hab ich verschoben, weil ich in den Logs gesehen hab, dass Postfix keine Zugriffsrechte darauf hat.
    Und es stimmt auch. Die Dateien werden zum Ausführungszeitpunkt über einen Proxy-Call ldap:... aufgerufen.
    Seit ich sie in das Homeverzeichnis verschoben hab, laufen sie auch. Ich hab auch Abfragen gegen die Datei ausgeführt und hab valide Ergebnisse bekommen.
    ^^

  • So, hab jetzt mal das LDAP-Debugging auf den einzelnen Dateien aktiviert.
    Kann allerdings auf Anhieb nicht sehen, wo es schiefläuft:


    Log findet sich im Anhang


    Vielleicht sieht ja jemand anderes mehr.
    Danke für die Hilfe ;(