MailScanner archive breaks postfix smarthost

Remco Barendse mailscanner at barendse.to
Mon Jun 14 11:21:11 UTC 2021


Mark Sapiro and you nailed it exactly.

I think postfix doesn't like when authentication is enabled but there are 
transport mappings for servers that do not need authentication to receive 
the mail. Removing the transport mapping like Mark suggested would probably fix it 
but the server would then also stop working as a backup to queue mail in 
case the destination server goes down. Probably the easiest is as you 
suggested to enable authentication on the other server and deliver it to 
port 587.

I'll go through your instructions below and see how things go. First have 
to fix MailScanner which is not processing mail, will open a new thread 
for that.

Thanks!!



On Mon, 14 Jun 2021, L.P.H. van Belle via MailScanner wrote:

> Remco,
>
> As far as I can see, 2 options: forwarding where Google blocks it, or the SMTP relay isn't correct.
>
> 535 5.7.0 authentication failed << this one..
>
> The sending domain (yours), what is configured on it like, is any SPF/DKIM/DMARC
> done, because if not, gmail might be blocking you.
>
> https://support.google.com/mail/troubleshooter/2696779
> * I run it with these.
> - What is the issue?
> Sent emails are “Temp failed / Rejected” or classified as “Spam/Phishing”
>
> -From where do you send messages that are blocked or filtered to Spam?
> I send from my own domain
>
> - Messages from your domain can be flagged as spam if your servers are used as an open relay
>  or have been compromised by a virus or malware. You can run a scan of your system to check for these problems.
>  Was your email server compromised?
> No
>
> - Was the email unauthenticated?
> No
>
> Please verify that you:
>
> Sign messages with DKIM. Gmail doesn't authenticate messages signed with keys that use fewer than 1024 bits.
> Publish a SPF Record.
> Publish a DMARC policy.
>
> After this point if you see no again.
>
> I had a similar one last week on one of my brother's domains.
>
> ####
> The other option is.
> Your SMTP auth setup looks a bit off.
>
> # SMTP Client
> # or [smtp.xs4all.nl]:465, try both.
> relayhost = [smtp.xs4all.nl]:587
> smtp_sasl_auth_enable = yes
> #
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_sasl_tls_security_options = noanonymous
> smtp_tls_security_level = encrypt
> smtpd_tls_auth_only = no
> header_size_limit = 4096000
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
>
> /etc/postfix/sasl_passwd
> # password file for the relay hosts and its authentication format
> [smtp.xs4all.nl] user@yourdomain.org:credentials_for_domain_from_xs4all
> [smtp.other.org] user2@yourdomain.org:credentials_for_user_2
> [smtp1.other.org] user2@yourdomain.org:credentials_for_user_2
>
> Run : postmap /etc/postfix/sasl_passwd
>
> # enable/using SASL
> /etc/postfix/sasl/smtpd.conf
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: PLAIN LOGIN
>
>
> Next, we need to create the credentials for a client that will be allowed to connect to the Postfix server:
> saslpasswd2 -c -u yourdomain.org user
> sasldblistusers2
> user@yourdomain.org: userPassword
>
> # Postfix on Ubuntu runs in a chroot environment,
> we need to copy the password database so that Postfix can read it and adjust permissions
> cp /etc/sasldb2 /var/spool/postfix/etc/
> chown postfix:sasl /var/spool/postfix/etc/sasldb2
> chmod 660 /var/spool/postfix/etc/sasldb2
>
>
> Settings for sasl : /etc/default/saslauthd
> START=yes
> PWDIR="/var/spool/postfix/var/run/saslauthd"
> PARAMS="-m ${PWDIR}"
> PIDFILE="${PWDIR}/saslauthd.pid"
> DESC="SASL Authentication Daemon"
> NAME="saslauthd"
> MECHANISMS="sasldb"
> MECH_OPTIONS=""
> THREADS=5
> OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
>
> dpkg-statoverride --force --update --add postfix sasl 750 /var/spool/postfix/var/run/saslauthd
>
> Stop and start postfix, now try again.
> Test with : saslfinger -s
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: MailScanner
>> [mailto:mailscanner-bounces+belle=bazuin.nl at lists.mailscanner.info] On behalf of Remco Barendse
>> Sent: Sunday 13 June 2021 12:58
>> To: MailScanner mailing list
>> Subject: MailScanner archive breaks postfix smarthost
>>
>> I use the archive function of MailScanner to send a copy
>> of inbound/outbound email  to an email address on an external server.
>> Postfix is also serving as a backup for that same
>> domain/server to store
>> mail (should the server go down).
>>
>> When I do not use SmartHost, mail goes out as expected :
>> Jun 13 12:49:10 gw2 postfix/smtp[5226]: BBFD882A34:
>> to=<outbound at archive.com>,
>> relay=mail.my2nddomain.com[--.---.--.--]:25,
>> delay=0.76, delays=0.5/0.02/0.13/0.11, dsn=2.0.0, status=sent
>> (250 2.0.0
>> 15DAnAAT016589 Message accepted for delivery)
>> Jun 13 12:49:10 gw2 MailScanner[5228]: Read 5624 hostnames from the
>> phishing blacklists
>> Jun 13 12:49:11 gw2 postfix/smtp[5227]: BBFD882A34:
>> to=<someone at gmail.com>,
>> relay=gmail-smtp-in.l.google.com[108.177.119.26]:25, delay=0.92,
>> delays=0.5/0.03/0.15/0.23, dsn=2.0.0, status=sent (250 2.0.0 OK
>> 1623581351 a13si5024937edy.153 - gsmtp)
>> Jun 13 12:49:11 gw2 postfix/qmgr[5207]: BBFD882A34: removed
>>
>>
>> When I enable SmartHost, it seems as if postfix doesn't use the
>> smarthost but wants to do authentication on the remote mail server to
>> deliver the archive copy of the mail, which fails.
>>
>> Jun 13 12:11:20 gw2 postfix/qmgr[3600]: 88F9882A30:
>> from=<test at mydomin.com>, size=339, nrcpt=2 (queue active)
>> Jun 13 12:11:23 gw2 postfix/smtp[3966]: 88F9882A30:
>> to=<remco at mytest.com>, relay=smtp.xs4all.nl[194.109.6.51]:587,
>> delay=3.3, delays=1/0.09/2.2/0.06, dsn=2.0.0, status=sent (250 2.0.0
>> smtp-cloud8.xs4all.net accepted mail sN5MlU4tIhqltsN
>> 5Pliy28 for delivery)
>>
>> Jun 13 12:11:23 gw2 postfix/smtp[3964]: 88F9882A30:
>> to=<outbound at archive.com>,
>> relay=mail.my2nddomain.com[--.---.--.--]:25,
>> delay=3.1, delays=1/0.08/2/0, dsn=4.7.0, status=deferred (SASL
>> authentication failed; server
>> mail.my2nddomain.com[--.---.--.---] said:
>> 535 5.7.0 authentication failed)
>> Jun 13 12:19:30 gw2 postfix/qmgr[3600]: 88F9882A30:
>> from=<test at mydomain.com>, size=339, nrcpt=2 (queue active)
>>
>>
>> In my /etc/postfix/transport I have :
>> archive.com     smtp:[mail.archive.com]
>>
>> To enable smarthost I added this to main.cf :
>> # Enable auth
>> smtp_sasl_auth_enable = yes
>> # Set username and password
>> smtp_sasl_password_maps = static:YOUR-SMTP-USER-NAME-HERE:YOUR-SMTP-SERVER-PASSWORD-HERE
>> smtp_sasl_security_options = noanonymous
>> # Turn on tls encryption
>> smtp_tls_security_level = encrypt
>> header_size_limit = 4096000
>> # Set external SMTP relay host here IP or hostname accepted
>> # along with a port number.
>> relayhost = [YOUR-SMTP-SERVER-IP-HERE]:587
>>
>>
>> Where am I going wrong?
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>>
>
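
The behaviour discussed in this thread, as an added example that is not part of the original posts: a `static:` password map answers every lookup key, so the Postfix SMTP client offers the smarthost credentials to any server that advertises AUTH, including transport-map next hops. The Python below audits constructed copies of the thread's `main.cf` and transport entries; matching next hops by exact key and the `USER:PASSWORD` placeholders are assumptions.

```python
def parse_main_cf(text):
    """Return {parameter: value}; joins continuation lines, skips comments."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:      # continuation of previous parameter
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def transport_nexthops(text):
    """Yield (pattern, nexthop) from transport lines like 'dom smtp:[host]:port'."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and not fields[0].startswith("#") and ":" in fields[1]:
            yield fields[0], fields[1].split(":", 1)[1]

def hops_offered_credentials(main_cf, transport, sasl_passwd=""):
    """List transport next hops the SMTP client would try to authenticate to."""
    p = parse_main_cf(main_cf)
    if p.get("smtp_sasl_auth_enable", "no") != "yes":
        return []
    hops = [hop for _, hop in transport_nexthops(transport)]
    if p.get("smtp_sasl_password_maps", "").startswith("static:"):
        return hops                         # static: matches every destination
    # Per-host table: only next hops with their own entry get credentials
    # (assumption: exact key match; hostname fallback lookups are not modelled).
    keys = {l.split()[0] for l in sasl_passwd.splitlines()
            if l.strip() and not l.startswith("#")}
    return [hop for hop in hops if hop in keys]

# Constructed inputs modelled on the configuration quoted in the thread.
STATIC_CF = """\
relayhost = [smtp.xs4all.nl]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:USER:PASSWORD
"""
HASH_CF = STATIC_CF.replace("static:USER:PASSWORD", "hash:/etc/postfix/sasl_passwd")
TRANSPORT = "archive.com     smtp:[mail.archive.com]\n"
SASL_PASSWD = "[smtp.xs4all.nl]:587 USER:PASSWORD\n"

if __name__ == "__main__":
    print("static map :", hops_offered_credentials(STATIC_CF, TRANSPORT))
    print("per-host map:", hops_offered_credentials(HASH_CF, TRANSPORT, SASL_PASSWD))
```

An empty list for the per-host map means the transport next hop is contacted without authentication while the relayhost entry still supplies its credentials.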

