1

Topic: relay mail through iRedMail with Auth

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):  1.2.1
- Deployed with iRedMail Easy or the downloadable installer? DL
- Linux/BSD distribution name and version:  Debian 10.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi,

I am trying to relay mail through the iredmail Server. Basically I set up a Debian satelite System. I have a user configured on iredmail which the satelites should use to authenticate for sending.
I used this before successfully but with iRedMail the authentication does not take place.

It works when I whitelist the IP in Postfix main.cf and iredapd config, but then auth is not neccesarry, so that's not really the solution. It should work just authenticating, right?

I think it could have to do with postscreen running on Port 25 but then on the other hand, delivering mail for local account works and normal clients don't have a problem, so why should the satelites have one?

main.cf from iredmail Server:

#debug_peer_list = x.x.x.x

# --------------------
# INSTALL-TIME CONFIGURATION INFORMATION
#
# location of the Postfix queue. Default is /var/spool/postfix.
queue_directory = /var/spool/postfix

# location of all postXXX commands. Default is /usr/sbin.
command_directory = /usr/sbin

# location of all Postfix daemon programs (i.e. programs listed in the
# master.cf file). This directory must be owned by root.
# Default is /usr/libexec/postfix
daemon_directory = /usr/lib/postfix/sbin

# location of Postfix-writable data files (caches, random numbers).
# This directory must be owned by the mail_owner account (see below).
# Default is /var/lib/postfix.
data_directory = /var/lib/postfix

# owner of the Postfix queue and of most Postfix daemon processes.
# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
# Default is postfix.
mail_owner = postfix

# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases

# full pathname of the Postfix mailq command.  This is the Sendmail-compatible
# mail queue listing command.
mailq_path = /usr/bin/mailq

# group for mail submission and queue management commands.
# This must be a group name with a numerical group ID that is not shared with
# other accounts, not even with the Postfix account.
setgid_group = postdrop

# external command that is executed when a Postfix daemon program is run with
# the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

debug_peer_level = 2

# --------------------
# CUSTOM SETTINGS
#

# SMTP server response code when recipient or domain not found.
unknown_local_recipient_reject_code = 550

# Do not notify local user.
biff = no

# Disable the rewriting of "site!user" into "user@site".
swap_bangpath = no

# Disable the rewriting of the form "user%domain" to "user@domain".
allow_percent_hack = no

# Allow recipient address start with '-'.
allow_min_user = no

# Disable the SMTP VRFY command. This stops some techniques used to
# harvest email addresses.
disable_vrfy_command = yes

# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
inet_protocols = all

# Enable all network interfaces.
inet_interfaces = all

#
# TLS settings.
#
# SSL key, certificate, CA
#
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt

#
# Disable SSLv2, SSLv3
#
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

#
# Fix 'The Logjam Attack'.
#
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem

tls_random_source = dev:/dev/urandom

# Log only a summary message on TLS handshake completion — no logging of client
# certificate trust-chain verification errors if client certificate
# verification is not required. With Postfix 2.8 and earlier, log the summary
# message, peer certificate summary information and unconditionally log
# trust-chain verification errors.
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
# not require that clients use TLS encryption.
smtpd_tls_security_level = may

# Produce `Received:` message headers that include information about the
# protocol and cipher used, as well as the remote SMTP client CommonName and
# client certificate issuer CommonName.
# This is disabled by default, as the information may be modified in transit
# through other mail servers. Only information that was recorded by the final
# destination can be trusted.
#smtpd_tls_received_header = yes

# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext.
# References:
#   - http://www.postfix.org/TLS_README.html#client_tls_may
#   - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
smtp_tls_security_level = may

# Use the same CA file as smtpd.
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_note_starttls_offer = yes

# Enable long, non-repeating, queue IDs (queue file names).
# The benefit of non-repeating names is simpler logfile analysis and easier
# queue migration (there is no need to run "postsuper" to change queue file
# names that don't match their message file inode number).
#enable_long_queue_ids = yes

# Reject unlisted sender and recipient
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes

# Header and body checks with PCRE table
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks.pcre

# A mechanism to transform commands from remote SMTP clients.
# This is a last-resort tool to work around client commands that break
# interoperability with the Postfix SMTP server. Other uses involve fault
# injection to test Postfix's handling of invalid commands.
# Requires Postfix-2.7+.
#smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre

# enable SRS as of https://docs.iredmail.org/srs.html
sender_canonical_maps = tcp:127.0.0.1:7778
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:127.0.0.1:7779
recipient_canonical_classes= envelope_recipient,header_recipient

# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

# Sender restrictions
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre
    reject_unknown_sender_domain

# Recipient restrictions
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:12340

# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777

# Data restrictions
smtpd_data_restrictions = reject_unauth_pipelining

proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps

# Avoid duplicate recipient messages. Default is 'yes'.
enable_original_recipient = no

# Virtual support.
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail

# Do not set virtual_alias_domains.
virtual_alias_domains =

#
# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
#          be forced to submit email through port 587 instead.
#
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_tls_auth_only = yes

# hostname
myhostname = iredmail.server.com
myorigin =  iredmail.server.com
mydomain =  iredmail.server.com

# trusted SMTP clients which are allowed to relay mail through Postfix.
#
# Note: additional IP addresses/networks listed in mynetworks should be listed
#       in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
#       for example:
#
#       MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
#
mynetworks = 127.0.0.1 [::1] 

# Accepted local emails
mydestination = $myhostname, localhost, localhost.localdomain satelite.server.com

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Default message_size_limit.
message_size_limit = 104857600

# The set of characters that can separate a user name from its extension
# (example: user+foo), or a .forward file name from its extension (example:
# .forward+foo).
# Postfix 2.11 and later supports multiple characters.
recipient_delimiter = +

# The time after which the sender receives a copy of the message headers of
# mail that is still queued. Default setting is disabled (0h) by Postfix.
#delay_warning_time = 1h
compatibility_level = 2
#
# Lookup virtual mail accounts
#
transport_maps =
    proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

sender_dependent_relayhost_maps =
    proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf

# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf

relay_domains =
    $mydestination
    proxy:mysql:/etc/postfix/mysql/relay_domains.cf

virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf

virtual_alias_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf

sender_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf

recipient_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf

#
# Postscreen
#
postscreen_greet_action = drop
postscreen_blacklist_action = drop
postscreen_dnsbl_action = drop
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites =
  zen.spamhaus.org=127.0.0.[2..11]*3
  bl.mailspike.net*3
  b.barracudacentral.org*2
  spamtrap.trblspam.com
  dnsbl.sorbs.net
  ix.dnsbl.manitu.net*2
  bl.blocklist.de
  #whitelist
  list.dnswl.org=127.0.[2..14].[2..3]*-4
  iadb.isipp.com=127.0.[0..255].[0..255]*-2
  iadb.isipp.com=127.3.100.[6..200]*-2
  wl.mailspike.net=127.0.0.[17;18]*-1
  wl.mailspike.net=127.0.0.[19;20]*-2

postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr

# Require Postfix-2.11+
### This is the killer feature of Postfix 2.11 and later, which
### removes most of the pain associated with the after-220 tests, q.v.
### When a connecting host is at or below this score, the after-220
### tests are bypassed.
postscreen_dnsbl_whitelist_threshold = -2
### End of before-220 tests
### After-220 tests
### WARNING -- See http://www.postfix.org/POSTSCREEN_README.html#after_220 in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests!
postscreen_bare_newline_action = enforce
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.

#
# Dovecot SASL support.
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

#
# Amavisd + SpamAssassin + ClamAV
#
content_filter = smtp-amavis:[127.0.0.1]:10024

# Concurrency per recipient limit.
smtp-amavis_destination_recipient_limit = 1
mailbox_size_limit = 104857601

mlmmj_destination_recipient_limit = 1

main.cf from satelite Server:

# File is managed by PUPPET
# your changes are at risk therefor!
#
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

# https://cisofy.com/controls/MAIL-8818/
smtpd_banner = $myhostname ESMTP
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.keysmtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# default: fully-qualified domain name (FQDN) from gethostname()
myhostname = satelite.server.com

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost.$mydomain, localhost.localdomain, localhost
relayhost = [iredmail.server.com]
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all

# Enable STARTTLS encryption
smtp_sasl_auth_enable = yes
# noplaintext weglassen, wenn Passwörter im Klartext übertragen werden müssen:
# (nicht empfohlen, nur wenn's anders nicht funktioniert)
#smtp_sasl_security_options = noplaintext noanonymous
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password

smtp_tls_security_level = encrypt

/etc/postfix/sasl_password:

[iredmail.server.com] satelite@server.com:########

postmap was executed on the sasl_password file.

Committing mail for users hosted at the iredmail server works, but not relaying. Mail get's bounced

Log on iredmail server

Jul 29 17:49:38 iredmail postfix/postscreen[5336]: CONNECT from [####]:41870 to [###]:25
Jul 29 17:49:38 iredmail postfix/dnsblog[12606]: addr 88.198.205.9 listed by domain spamtrap.trblspam.com as 104.247.81.131
Jul 29 17:49:38 iredmail postfix/dnsblog[12605]: warning: dnsblog_query: lookup error for DNS query 9.205.198.88.zen.spamhaus.org: Host or domain name not found. Name service error for name=9.205.198.88.zen.spamhaus.org type=A: Host not found, try again
Jul 29 17:49:40 iredmail postfix/postscreen[5336]: PASS OLD [####]:41870
Jul 29 17:49:40 iredmail postfix/smtpd[9743]: connect from satelite.server.com[###]
Jul 29 17:49:40 iredmail postfix/smtpd[9743]: Anonymous TLS connection established from satelite.server.com[###]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
Jul 29 17:49:40 iredmail postfix/smtpd[9743]: NOQUEUE: reject: RCPT from satelite.server.com[###]: 554 5.7.1 <jochen.haeberle@gmail.com>: Relay access denied; from=<root@server.server.com> to=<###@gmail.com> proto=ESMTP helo=<server.server.com>
Jul 29 17:49:40 iredmail postfix/smtpd[9743]: disconnect from satelite.server.com[###] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Log from satelite system

Jul 29 17:49:38 labor05 postfix/pickup[5271]: 74B9A383200: uid=0 from=<root>
Jul 29 17:49:38 labor05 postfix/cleanup[11237]: 74B9A383200: message-id=<20200729154938.74B9A383200@satelite.server.com>
Jul 29 17:49:38 labor05 postfix/qmgr[5272]: 74B9A383200: from=<root@satelite.server.com>, size=445, nrcpt=1 (queue active)
Jul 29 17:49:40 labor05 postfix/smtp[11239]: 74B9A383200: to=<###@gmail.com>, relay=iredmail.server.com[###]:25, delay=1.8, delays=0.04/0.01/1.7/0.06, dsn=5.7.1, status=bounced (host iredmail.server.com[###] said: 554 5.7.1 <###@gmail.com>: Relay access denied (in reply to RCPT TO command))
Jul 29 17:49:40 labor05 postfix/cleanup[11237]: 49C80383215: message-id=<20200729154940.49C80383215@satelite.server.com>
Jul 29 17:49:40 labor05 postfix/bounce[11240]: 74B9A383200: sender non-delivery notification: 49C80383215
Jul 29 17:49:40 labor05 postfix/qmgr[5272]: 49C80383215: from=<>, size=2598, nrcpt=1 (queue active)
Jul 29 17:49:40 labor05 postfix/qmgr[5272]: 74B9A383200: removed

I don't see any signs of a SASL Login - why?
Additionally, why do the two servers use TLS 1.3, although it's disabled on the iredmail server?

Thanks in advance, regards

Jochen

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: relay mail through iRedMail with Auth

Jochen wrote:

relayhost = [iredmail.server.com]

Please specify the port 587. Otherwise it uses port 25 by default.