1

Topic: domain relay not working, user relay working

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9 PGSQL edition.
- Deployed with iRedMail Easy or the downloadable installer? Downloadable installer
- Linux/BSD distribution name and version: CentOS Linux release 7.7.1908 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,
We are experiencing an issue with relay settings.
We need to relay all emails of the domain we are using to Office 365, so they are not sent internally.
Using the global relay (account/domains -> click on domain name -> relay), it does not work.
The relay setup is ---> smtp:mydomain-tld.mail.protection.outlook.com:25
The log shows:

postfix/submission/smtpd[129721]: connect from unknown[IP]
postfix/submission/smtpd[129721]: Anonymous TLS connection established from unknown[IP]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
postfix/submission/smtpd[129721]: warning: unknown[IP]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/submission/smtpd[129721]: lost connection after AUTH from unknown[IP]
postfix/submission/smtpd[129721]: disconnect from unknown[IP]

Using the single user account relay works.
The log shows:

postfix/submission/smtpd[129874]: connect from unknown[IP]
postfix/submission/smtpd[129874]: Anonymous TLS connection established from unknown[IP]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
postfix/submission/smtpd[129874]: 47GrT60Lv1z7Tm6K: client=unknown[IP], sasl_method=LOGIN, sasl_username=noreply@mydomain.tld
postfix/cleanup[129889]: 47GrT60Lv1z7Tm6K: message-id=<hidjQDfPX3P9qXUjm2iC0080aMVHqumb4I1IU35TkY@myclient.tld>
postfix/qmgr[38234]: 47GrT60Lv1z7Tm6K: from=<noreply@mydomain.tld>, size=1212, nrcpt=1 (queue active)
postfix/submission/smtpd[129874]: disconnect from unknown[IP]
postfix/10025/smtpd[129898]: connect from localhost[127.0.0.1]
postfix/10025/smtpd[129898]: 47GrT64RHCz7Tm6N: client=localhost[127.0.0.1]
postfix/cleanup[129889]: 47GrT64RHCz7Tm6N: message-id=<hidjQDfPX3P9qXUjm2iC0080aMVHqumb4I1IU35TkY@myclient.tld>
postfix/qmgr[38234]: 47GrT64RHCz7Tm6N: from=<noreply@mydomain.tld>, size=2378, nrcpt=1 (queue active)
postfix/10025/smtpd[129898]: disconnect from localhost[127.0.0.1]
amavis[123614]: (123614-01) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [IP]:37036 [IP] <noreply@mydomain.tld> -> <testaccount@mydomain.tld>, Queue-ID: 47GrT60Lv1z7Tm6K, Message-ID: <hidjQDfPX3P9qXUjm2iC0080aMVHqumb4I1IU35TkY@myclient.tld>, mail_id: oICWg_SaI2Kp, Hits: -0.999, size: 1250, queued_as: 47GrT64RHCz7Tm6N, dkim_new=dkim:trustsvr.com, 521 ms, Tests: [ALL_TRUSTED=-1,HTML_MESSAGE=0.001]
amavis[123614]: (123614-01) Passed CLEAN, <noreply@mydomain.tld> -> <testaccount@mydomain.tld>, Hits: -0.999, tag=2, tag2=6.2, kill=6.9, queued_as: 47GrT64RHCz7Tm6N, L/0/0/0
postfix/amavis/smtp[129894]: 47GrT60Lv1z7Tm6K: to=<testaccount@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.66, delays=0.12/0.01/0.01/0.52, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 47GrT64RHCz7Tm6N)
postfix/qmgr[38234]: 47GrT60Lv1z7Tm6K: removed
postfix/smtp[129899]: Untrusted TLS connection established to mydomain-tld.mail.protection.outlook.com[104.47.10.36]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
postfix/smtp[129899]: 47GrT64RHCz7Tm6N: to=<testaccount@mydomain.tld>, relay=mydomain-tld.mail.protection.outlook.com[104.47.10.36]:25, delay=1.7, delays=0.01/0.01/0.68/1, dsn=2.6.0, status=sent (250 2.6.0 <hidjQDfPX3P9qXUjm2iC0080aMVHqumb4I1IU35TkY@myclient.tld> [InternalId=1894080578723, Hostname=AM6PR02MB5560.eurprd02.prod.outlook.com] 11321 bytes in 0.293, 37.689 KB/sec Queued mail for delivery)
postfix/qmgr[38234]: 47GrT64RHCz7Tm6N: removed

The system used to send the email is the same for both tests.
I think that if it works per user it should work globally.

Thanks for your support.


2

Re: domain relay not working, user relay working

Per-user relay has higher priority than per-domain relay. If you have both per-user and per-domain relay, only per-user relay will work.

3 (edited by scibile 2019-11-19 23:38:41)

Re: domain relay not working, user relay working

Hi ZhangHuangbin,
thank you for the reply.

To test the behaviour I used only one config at a time.
First the per-domain relay, and it seems that there is an auth problem.
The second test (with the same data, user and pass) only with the per-user relay config.

It seems strange that the global does not work (auth problem).

4

Re: domain relay not working, user relay working

What auth problem? Did you try this tutorial to set the authentication (smtp_sasl_*)?
https://docs.iredmail.org/relayhost.html

5 (edited by scibile 2019-11-21 01:11:17)

Re: domain relay not working, user relay working

Yes, I used the per-domain setup as written in iRedAdmin-Pro: Per-domain relay setting:
https://docs.iredmail.org/images/iredad … _relay.png

I need it for per-domain use; Dovecot is replaced with the Office 365 SMTP and checked to not verify local users.
The Office 365 SMTP accepts connections from my server IP without requiring auth,
but reading the log it seems that there is a disconnection after the unsuccessful auth.

postfix/submission/smtpd[129721]: connect from unknown[IP]
postfix/submission/smtpd[129721]: Anonymous TLS connection established from unknown[IP]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
postfix/submission/smtpd[129721]: warning: unknown[IP]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/submission/smtpd[129721]: lost connection after AUTH from unknown[IP]
postfix/submission/smtpd[129721]: disconnect from unknown[IP]

6

Re: domain relay not working, user relay working

This is incoming connection from port 587. Is this correct?

7

Re: domain relay not working, user relay working

Yes, it's correct.
The same one I used to send with per-user relay (that works).

8

Re: domain relay not working, user relay working

scibile wrote:

postfix/submission/smtpd[129721]: warning: unknown[IP]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

But the log shows this user didn't correctly authenticate at all, either username or password is incorrect. It didn't enter mail queue to reach the relay stage yet.

9

Re: domain relay not working, user relay working

In fact, that's what's strange. With the same user/password I can send email with the per-user relay setup or without relay at all.
If I set up the per-domain relay, then the auth problem appears.

10

Re: domain relay not working, user relay working

Is the per-domain relay server the same as the per-user relay server? Could you please copy and paste them here?

11

Re: domain relay not working, user relay working

Yes, they are the same:
per-domain --> smtp:scibile-ch.mail.protection.outlook.com:25
per user --> smtp:scibile-ch.mail.protection.outlook.com:25

12

Re: domain relay not working, user relay working

In reply #8, I mentioned that the SMTP authentication failed while the user was trying to send email; it didn't reach the relay yet.

Did you try with same user while testing per-user and per-domain relay?

The mail flow should look like below, starting from when the user submits the message, until it is relayed to the relay server:

1) Your user performs SMTP AUTH against your iRedMail server by sending email with webmail or other MUA.
2) SMTP AUTH succeeds (the log lines with "postfix/submission/smtpd[<pid>]").
3) Postfix accepts the submitted message after successful SMTP auth (and after it has passed all other checks).
4) Postfix pipes the mail to Amavisd for spam/virus scanning.
5) Amavisd re-injects the scanned mail back into the Postfix queue.
6) Postfix checks the per-user or per-domain or global relay settings, connects to the relay server, and sends the message to the relay server...

With the pasted log for per-domain relay, it failed at step 2, which is not related to the relay setting at all.
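
Added example, not part of any post in this thread: a small Python check that places a Postfix log excerpt on the mail flow listed in reply #12 and decodes the base64 token on the SASL failure line (`UGFzc3dvcmQ6` is the LOGIN mechanism's `Password:` prompt, not a credential). The function names and the abridged sample logs are constructed for illustration.

```python
import base64
import re

# Abridged copies of the two logs pasted in this thread (constructed sample input).
FAILED = """\
postfix/submission/smtpd[129721]: connect from unknown[IP]
postfix/submission/smtpd[129721]: warning: unknown[IP]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
postfix/submission/smtpd[129721]: lost connection after AUTH from unknown[IP]
"""
RELAYED = """\
postfix/submission/smtpd[129874]: 47GrT60Lv1z7Tm6K: client=unknown[IP], sasl_method=LOGIN, sasl_username=noreply@mydomain.tld
postfix/amavis/smtp[129894]: 47GrT60Lv1z7Tm6K: to=<testaccount@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10026, status=sent (250 2.0.0 Ok: queued as 47GrT64RHCz7Tm6N)
postfix/smtp[129899]: 47GrT64RHCz7Tm6N: to=<testaccount@mydomain.tld>, relay=mydomain-tld.mail.protection.outlook.com[104.47.10.36]:25, status=sent (250 2.6.0 Queued mail for delivery)
"""

# Step numbers follow the mail flow listed in reply #12.
AUTH_FAIL = re.compile(r"postfix/submission/smtpd\[\d+\]: warning: .*SASL \w+ authentication failed: (\S+)")
STEPS = [
    # AUTH succeeded and the message received a queue ID.
    (3, re.compile(r"postfix/submission/smtpd\[\d+\]: \w+: client=.*sasl_username=")),
    # Handed to Amavisd and re-injected on the local port.
    (5, re.compile(r"postfix/amavis/smtp\[\d+\]: .*status=sent")),
    # Delivered to a non-local relay host.
    (6, re.compile(r"postfix/smtp\[\d+\]: .*relay=(?!127\.0\.0\.1)[^,]+, .*status=sent")),
]

def decode_challenge(token):
    """Decode the base64 text Postfix appends to a SASL failure; None if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def diagnose(log):
    """Return the furthest step of the flow the log reached, and whether AUTH failed there."""
    reached = 1
    for line in log.splitlines():
        failed = AUTH_FAIL.search(line)
        if failed:
            return {"step": 2, "ok": False, "challenge": decode_challenge(failed.group(1))}
        for step, pattern in STEPS:
            if pattern.search(line):
                reached = max(reached, step)
    return {"step": reached, "ok": reached == 6, "challenge": None}

if __name__ == "__main__":
    print(diagnose(FAILED))
    print(diagnose(RELAYED))
```

A result with `step` 2 means the relay settings were never consulted, so the place to look is the submitting client's credentials rather than the relay configuration.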

13

Re: domain relay not working, user relay working

Did you try with same user while testing per-user and per-domain relay?

Yes, I tried with the same user.

Thank you for the flow explanation. To be more secure, I'll retry all steps (obviously with the same user). I'll update the post.