MailScanner archive breaks postfix smarthost

L.P.H. van Belle belle at bazuin.nl
Mon Jun 14 07:42:30 UTC 2021 

Remco, 

As far i can see, 2 options.. Forwarding where google blocks it or the smtp relay isnt correct. 

535 5.7.0 authentication failed << this one.. 

The sending domain (yours), what is configured on it like, is any SPF/DKIM/DMARC 
done, because if not, gmail might be blocking you. 

https://support.google.com/mail/troubleshooter/2696779
* i run it with these. 
- What is the issue?
Sent emails are “Temp failed / Rejected” or classified as “Spam/Phishing”

-From where do you send messages that are blocked or filtered to Spam? 
I send from my own domain

- Messages from your domain can be flagged as spam if your servers are used as an open relay
  or have been compromised by a virus or malware. You can run a scan of your system to check for these problems.
  Was your email server compromised? 
No 

- Was the email unauthenticated? 
No

Please verify that you:

Sign messages with DKIM. Gmail doesn't authenticate messages signed with keys that use fewer than 1024 bits.
Publish a SPF Record.
Publish a DMARC policy.

After this point if you see no again.

I had a simular one last week on one of my brothers domain. 

#### 
The other option is. 
Your smtp auth setup looks bit off. 

# SMTP Client
relayhost = [smtp.xs4all.nl]:465 or [smtp.xs4all.nl]:587 try both. 
smtp_sasl_auth_enable = yes
# 
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtpd_tls_auth_only = no
header_size_limit = 4096000
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes

/etc/postfix/sasl_passwd
# password file the the relay hosts and its authentication format
[smtp.xs4all.nl] user at yourdomain.org:credentials_for_domain_from_xs4all
[smtp.other.org] user2 at yourdomain.org:credentials_for_user_2
[smtp1.other.org] user2 at yourdomain.org:credentials_for_user_2

Run : postmap /etc/postfix/sasl_passwd

# enable/using SASL 
/etc/postfix/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN


Next, we need to create the credentials for a client that will be allowed to connect to the Postfix server:
saslpasswd2 -c -u yourdomain.org user
sasldblistusers2
user at yourdomain.org: userPassword

# Postfix on Ubuntu runs in a chroot environment, 
we need to copy the password database so that Postfix can read it and adjust permissions 
cp /etc/sasldb2 /var/spool/postfix/etc/
chown postfix:sasl /var/spool/postfix/etc/sasldb2
chmod 660 /var/spool/postfix/etc/sasldb2


Settings for sasl : /etc/default/saslauthd
START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="sasldb"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

dpkg-statoverride --force --update --add postfix sasl 750 /var/spool/postfix/var/run/saslauthd

Stop and start postfix now try again. 
Test with : saslfinger -s 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: MailScanner 
> [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.
info] Namens Remco Barendse
> Verzonden: zondag 13 juni 2021 12:58
> Aan: MailScanner mailing list
> Onderwerp: MailScanner archive breaks postfix smarthost
> 
> I use the archive function of MailScanner to send a copy 
> of inbound/outbound email  to an email address on an external server.
> Postfix is also serving as a backup for that same 
> domain/server to store 
> mail (should the server go down).
> 
> When I do not use SmartHost, mail goes out as expected :
> Jun 13 12:49:10 gw2 postfix/smtp[5226]: BBFD882A34: 
> to=<outbound at archive.com>, 
> relay=mail.my2nddomain.com[--.---.--.--]:25, 
> delay=0.76, delays=0.5/0.02/0.13/0.11, dsn=2.0.0, status=sent 
> (250 2.0.0 
> 15DAnAAT016589 Message accepted for delivery)
> Jun 13 12:49:10 gw2 MailScanner[5228]: Read 5624 hostnames from the 
> phishing blacklists
> Jun 13 12:49:11 gw2 postfix/smtp[5227]: BBFD882A34: 
> to=<someone at gmail.com>, 
> relay=gmail-smtp-in.l.google.com[108.177.119.26]:25, delay=0.92, 
> delays=0.5/0.03/0.15/0.23, dsn=2.0.0, status=sent (250 2.0.0 OK 
> 1623581351 a13si5024937edy.153 - gsmtp)
> Jun 13 12:49:11 gw2 postfix/qmgr[5207]: BBFD882A34: removed
> 
> 
> When I enable SmartHost, it seems as if postfix doesn't use the 
> smarthost byt bants to do authentication on the remote mail server to 
> deliver the archive copy of the mail, which fails.
> 
> Jun 13 12:11:20 gw2 postfix/qmgr[3600]: 88F9882A30: 
> from=<test at mydomin.com>, size=339, nrcpt=2 (queue active)
> Jun 13 12:11:23 gw2 postfix/smtp[3966]: 88F9882A30: 
> to=<remco at mytest.com>, relay=smtp.xs4all.nl[194.109.6.51]:587, 
> delay=3.3, delays=1/0.09/2.2/0.06, dsn=2.0.0, status=sent (250 2.0.0 
> smtp-cloud8.xs4all.net accepted mail sN5MlU4tIhqltsN
> 5Pliy28 for delivery)

> Jun 13 12:11:23 gw2 postfix/smtp[3964]: 88F9882A30: 
> to=<outbound at archive.com>, 
> relay=mail.my2nddomain.com[--.---.--.--]:25, 
> delay=3.1, delays=1/0.08/2/0, dsn=4.7.0, status=deferred (SASL 
> authentication failed; server 
> mail.my2nddomain.com[--.---.--.---] said: 
> 535 5.7.0 authentication failed)
> Jun 13 12:19:30 gw2 postfix/qmgr[3600]: 88F9882A30: 
> from=<test at mydomain.com>, size=339, nrcpt=2 (queue active)
> 
> 
> In my /etc/postfix/transport I have :
> archive.com     smtp:[mail.archive.com]
> 
> To enable smarthost I added this to main.cf :
> # Enable auth
> smtp_sasl_auth_enable = yes
> # Set username and password
> smtp_sasl_password_maps = 
> static:YOUR-SMTP-USER-NAME-HERE:YOUR-SMTP-SERVER-PASSWORD-HERE
> smtp_sasl_security_options = noanonymous
> # Turn on tls encryption
> smtp_tls_security_level = encrypt
> header_size_limit = 4096000
> # Set external SMTP relay host here IP or hostname accepted 
> along with a port number.
> relayhost = [YOUR-SMTP-SERVER-IP-HERE]:587
> 
> 
> Where am I going wrong?
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 
> 
> 
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
>

More information about the MailScanner mailing list