Forum Datorer och system Server Tråd

Bahnhof smtp-relay med Postfix (Ubuntu)

1
Skriv svar
Permalänk
Medlem

Bahnhof smtp-relay med Postfix (Ubuntu)

Hej!

Har en mail-server som står här hemma, uppkopplad via bahnhof. Att ta emot mail går utan problem, men att skicka fungerar sämre. Kör Ubuntu 18.04 med Postfix/Dovecot/Roundcube samt en annan dator lokalt med Win 10/Thunderbird.

Har letat tips i diverse guider och forumtrådar man kört fast.

Försöker skicka mail mha Roundcube eller Thunderbird, dvs postfix kör via bahnhofs smtp-server och får följande i loggen: (har rensat en del och bytt ut namn/konton)

Read 144 chars: 250-pio-pvt-msa3.bahnhof.se??250-PIPELIN
postfix/smtp[26920]: < mailout.privat.bahnhof.se[79.136.2.55]:465: 250-pio-pvt-msa3.bahnhof.se
postfix/smtp[26920]: < mailout.privat.bahnhof.se[79.136.2.55]:465: 250-PIPELINING
postfix/smtp[26920]: < mailout.privat.bahnhof.se[79.136.2.55]:465: 250-SIZE 52428800
postfix/smtp[26920]: < mailout.privat.bahnhof.se[79.136.2.55]:465: 250-ETRN
postfix/smtp[26920]: < mailout.privat.bahnhof.se[79.136.2.55]:465: 250-AUTH PLAIN LOGIN
postfix/smtp[26920]: < mailout.privat.bahnhof.se[79.136.2.55]:465: 250-ENHANCEDSTATUSCODES
postfix/smtp[26920]: < mailout.privat.bahnhof.se[79.136.2.55]:465: 250-8BITMIME
postfix/smtp[26920]: < mailout.privat.bahnhof.se[79.136.2.55]:465: 250 DSN
postfix/smtp[26920]: server features: 0x900f size 52428800
postfix/smtp[26920]: Using ESMTP PIPELINING, TCP send buffer size is 87040, PIPELINING buffer size is 4096
postfix/smtp[26920]: smtp_stream_setup: maxtime=300 enable_deadline=0
postfix/smtp[26920]: > mailout.privat.bahnhof.se[79.136.2.55]:465: MAIL FROM:<user@domän.net> SIZE=650
postfix/smtp[26920]: > mailout.privat.bahnhof.se[79.136.2.55]:465: RCPT TO:<mitt.konto@gmail.com> ORCPT=rfc822;mitt.konto@gmail.com
postfix/smtp[26920]: > mailout.privat.bahnhof.se[79.136.2.55]:465: DATA
postfix/smtp[26920]: smtp_stream_setup: maxtime=300 enable_deadline=0
postfix/smtp[26920]: Write 120 chars: MAIL FROM:<user@domän.net> SIZE=650??
postfix/smtp[26920]: write to 561C61D88AC0 [561C61D92263] (149 bytes => 149 (0x95))
postfix/smtp[26920]: read from 561C61D88AC0 [561C61D8E113] (5 bytes => 0 (0x0))
postfix/smtp[26920]: read from 561C61D88AC0 [561C61D8E113] (5 bytes => 5 (0x5))
postfix/smtp[26920]: read from 561C61D88AC0 [561C61D8E118] (135 bytes => 135 (0x87))
postfix/smtp[26920]: Read 111 chars: 250 2.1.0 Ok??554 5.7.1 <mitt.konto@
postfix/smtp[26920]: < mailout.privat.bahnhof.se[79.136.2.55]:465: 250 2.1.0 Ok
postfix/smtp[26920]: smtp_stream_setup: maxtime=300 enable_deadline=0
postfix/smtp[26920]: < mailout.privat.bahnhof.se[79.136.2.55]:465: 554 5.7.1 <mitt.konto@gmail.com>: Relay access denied
postfix/smtp[26920]: connect to subsystem private/bounce
postfix/smtp[26920]: send attr nrequest = 0
postfix/smtp[26920]: send attr flags = 0
postfix/smtp[26920]: send attr queue_id = EFAE45C01A0
postfix/smtp[26920]: send attr original_recipient = mitt.konto@gmail.com
postfix/smtp[26920]: send attr recipient = mitt.konto@gmail.com
postfix/smtp[26920]: send attr offset = 705
postfix/smtp[26920]: send attr dsn_orig_rcpt = rfc822;mitt.konto@gmail.com
postfix/smtp[26920]: send attr notify_flags = 0
postfix/smtp[26920]: send attr status = 5.7.1
postfix/smtp[26920]: send attr diag_type = smtp
postfix/smtp[26920]: send attr diag_text = 554 5.7.1 <mitt.konto@gmail.com>: Relay access denied
postfix/smtp[26920]: send attr mta_type = dns
postfix/smtp[26920]: send attr mta_mname = mailout.privat.bahnhof.se
postfix/smtp[26920]: send attr action = failed
postfix/smtp[26920]: send attr reason = host mailout.privat.bahnhof.se[79.136.2.55] said: 554 5.7.1 <mitt.konto@gmail.com>: Relay access denied (in reply to RCPT TO command)
postfix/smtp[26920]: private/bounce socket: wanted attribute: status
postfix/smtp[26920]: input attribute name: status
postfix/smtp[26920]: input attribute value: 0
postfix/smtp[26920]: private/bounce socket: wanted attribute: (list terminator)
postfix/smtp[26920]: input attribute name: (end)
postfix/smtp[26920]: EFAE45C01A0: to=<mitt.konto@gmail.com>, relay=mailout.privat.bahnhof.se[79.136.2.55]:465, delay=0.55, delays=0.14/0.03/0.27/0.11, dsn=5.7.1, status=bounced (host mailout.privat.bahnhof.se[79.136.2.55] said: 554 5.7.1 <mitt.konto@gmail.com>: Relay access denied (in reply to RCPT TO command))
postfix/smtp[26920]: smtp_stream_setup: maxtime=120 enable_deadline=0
postfix/smtp[26920]: < mailout.privat.bahnhof.se[79.136.2.55]:465: 554 5.5.1 Error: no valid recipients
postfix/smtp[26920]: > mailout.privat.bahnhof.se[79.136.2.55]:465: RSET
postfix/smtp[26920]: > mailout.privat.bahnhof.se[79.136.2.55]:465: QUIT
postfix/smtp[26920]: smtp_stream_setup: maxtime=20 enable_deadline=0
postfix/smtp[26920]: Write 12 chars: RSET??QUIT??
postfix/smtp[26920]: write to 561C61D88AC0 [561C61D92263] (41 bytes => 41 (0x29))
postfix/smtp[26920]: read from 561C61D88AC0 [561C61D8E113] (5 bytes => 0 (0x0))
postfix/smtp[26920]: read from 561C61D88AC0 [561C61D8E113] (5 bytes => 5 (0x5))
postfix/smtp[26920]: 0000 17 03 03 00 35                                   ....5
postfix/smtp[26920]: read from 561C61D88AC0 [561C61D8E118] (53 bytes => 53 (0x35))
postfix/smtp[26920]: Read 29 chars: 250 2.0.0 Ok??221 2.0.0 Bye??
postfix/smtp[26920]: < mailout.privat.bahnhof.se[79.136.2.55]:465: 250 2.0.0 Ok
postfix/smtp[26920]: name_mask: resource
postfix/smtp[26920]: name_mask: software
postfix/smtp[26920]: write to 561C61D88AC0 [561C61D92263] (31 bytes => 31 (0x1F))
postfix/smtp[26920]: read from 561C61D88AC0 [561C61D8E113] (5 bytes => 0 (0x0))
postfix/cleanup[26917]: 87A805C025E: message-id=<20200413134237.87A805C025E@mail.domän.net>
postfix/bounce[26921]: EFAE45C01A0: sender non-delivery notification: 87A805C025E
postfix/qmgr[26642]: 87A805C025E: from=<>, size=2737, nrcpt=1 (queue active)
postfix/qmgr[26642]: EFAE45C01A0: removed

Men om jag kör telnet/openssl från servern till bahnhof så funkar det:

root@alpha:/# openssl s_client -tls1_2 -crlf -connect mailout.privat.bahnhof.se:465
CONNECTED(00000005)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = bahnhof.se
verify return:1
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = bahnhof.se
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = bahnhof.se

issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5361 bytes and written 354 bytes
Verification: OK
---
New, TLSv1.2, Cipher is 123
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 123
    Session-ID-ctx:
    Master-Key: 123
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1586782953
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
220 ste-pvt-msa1.bahnhof.se
AUTH PLAIN [anv/lösen, BASE-64]
235 2.7.0 Authentication successful
mail from: user@domän.net
250 2.1.0 Ok
RCPT TO:<mitt.konto@gmail.com> ORCPT=mitt.konto@gmail.com
RENEGOTIATING
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = bahnhof.se
verify return:1
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: test
test
.
250 2.0.0 Ok: queued as 770373F516
quit
221 2.0.0 Bye
read:errno=0

Går även bra att i Thunderbird på Win10-datorn fylla i alla uppgifter till bahnhofs smtp-server och skicka mail. Men får som sagt inte postfix att bete sig. All hjälp uppskattas och behövs ytterligare info eller loggar så fixar jag det.

Redigera
Citera flera Citera
Permalänk
Medlem

Hur ser din postfix-config ut?

Redigera
Citera flera Citera
Permalänk
Medlem

/etc/postfix/main.cf: (lite rörig p.g.a. alla försök att få det att funka)

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

# GENERAL SETTINGS

smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no

# SMTP SETTINGS 
smtp_use_tls=yes
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#smtp_sasl_auth_enable = yes
#smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 4 


# SMTPD SETTINGS 
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_cert_file=/etc/letsencrypt/live/domän.net/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/domän.net/privkey.pem
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# SASL SETTINGS
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous noplaintext
# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# where to find CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# VIRTUAL MAIL BOX AND LMTP SETTINGS
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains
# OTHER SETTINGS
myhostname = mail.domän.net
#mydomain = domän.net
myorigin = /etc/mailname
mydestination =  localhost.$mydomain, $myhostname, localhost
mynetworks = 127.0.0.0/8 192.168.1.0/32 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
alias_maps = hash:/etc/aliases

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# specify SMTP relay host
relayhost = [mailout.privat.bahnhof.se]:465

debug_peer_list = mailout.privat.bahnhof.se
debug_peer_level = 1
Redigera
Citera flera Citera
Permalänk
Medlem

Jag kan inte se att postfix utför någon autensiering innan den försöker skicka meddelandet? är det smtp_sasl_tls_security_options (som saknas) som spökar eftersom du gör det över port 456 (tls)?

smtp_sasl_tls_security_options = noanonymous noplaintext

Redigera
Citera flera Citera
Permalänk
Medlem

Helt riktigt ville inte postfix auth-a mot bahnhofs server. Det hade jag missat och efter en hel del testande funkar det nu.

smtp_sasl_security_options = noanonymous noplaintext

fanns redan i min config, men det var faktiskt där del av problemet låg. Ändrade till

smtp_sasl_security_options = noanonymous

samt lade till

smtp_sasl_auth_enable = yes

Så jag tackar för knuffen i rätt riktning och pillar vidare med något annat jag inte kan mycket om (LDAP eller en ftp-server tror jag är nästa grej)

Redigera
Citera flera Citera
1
Skriv svar