554 5.7.1 relay access denied
Jeff Lacki
2010-02-12 06:18:44 UTC
I'm going out of my mind trying to get relaying working
for my users who want to use my domain as their smtp
outgoing server.

I've set up SASL and TLS successfully (I believe).
I have the following:

relay_transport = hash:/etc/postfix/transport

and in transport I have:

.mydomain.com :

I see my test run connecting but then getting denied
for relaying:

Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: connect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: setting up TLS connection from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: Anonymous TLS connection established from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: NOQUEUE: reject: RCPT from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: 554 5.7.1 <***@rahul.net>: Relay access denied; from=<***@mydomainname.com> to=<***@rahul.net> proto=ESMTP helo=<[192.168.2.11]>
Feb 12 06:02:23 202010-1 postfix/smtpd[23305]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]

I appreciate your help.
Wietse Venema
2010-02-12 12:51:38 UTC
Post by Jeff Lacki
I'm going out of my mind trying to get relaying working
for my users who want to use my domain as their smtp
outgoing server.
I've set up SASL and TLS successfully (I believe).
relay_transport = hash:/etc/postfix/transport
I see my test run connecting but then getting denied
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: connect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: setting up TLS connection from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: Anonymous TLS connection established from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 12 06:02:23 202010-1 postfix/smtpd[23305]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
I appreciate your help.
Then, follow the instructions in the mailing list welcome message.

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.
Noel Jones
2010-02-12 15:50:49 UTC
Post by Jeff Lacki
I'm going out of my mind trying to get relaying working
for my users who want to use my domain as their smtp
outgoing server.
I've set up SASL and TLS successfully (I believe).
relay_transport = hash:/etc/postfix/transport
relay_transport must specify a transport name from master.cf,
NOT a map. Remove the above setting.
http://www.postfix.org/postconf.5.html#relay_transport

Anyway, this setting controls outgoing mail for relay_domains.
This doesn't appear to be something you need, so remove it.
Remove this too.
Post by Jeff Lacki
I see my test run connecting but then getting denied
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: connect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: setting up TLS connection from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 12 06:02:21 202010-1 postfix/smtpd[23305]: Anonymous TLS connection established from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 12 06:02:23 202010-1 postfix/smtpd[23305]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
I appreciate your help.
No indication that the user authenticated. When someone
authenticates you'll get a log line something like
Feb 12 09:24:06 mgate2 postfix/smtpd[93626]: E4E077978A8:
client=user.example.org[192.168.1.163], sasl_method=CRAM-MD5,
sasl_username=username

Test your SASL setup as described in
http://www.postfix.org/SASL_README.html#server_test
Make sure you use "smtpd_tls_auth_only = no" so you can test
unencrypted with telnet.

If you need more help, please see
http://www.postfix.org/DEBUG_README.html#mail

-- Noel Jones
Jeff Lacki
2010-02-16 18:37:24 UTC
Post by Noel Jones
No indication that the user authenticated. When someone
authenticates you'll get a log line something like
client=user.example.org[192.168.1.163], sasl_method=CRAM-MD5,
sasl_username=username
I've been looking at this for a couple days now, still having
problems. I'm getting the following now:

Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: connect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: setting up TLS connection from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: TLS cipher list "ALL:+RC4:@STRENGTH"
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:before/accept initialization
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: looking up session 8B580343BBAB1CDFF37061B0F6AADCBFAE2FC46F96A7BB40B0A73D14C60B7A23&s=44116 in smtpd cache
Feb 17 13:29:05 202010-1 postfix/tlsmgr[21554]: lookup smtpd session id=8B580343BBAB1CDFF37061B0F6AADCBFAE2FC46F96A7BB40B0A73D14C60B7A23&s=44116
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 read client hello B
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write server hello A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write certificate A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write key exchange A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write server done A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 flush data
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 read client key exchange A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 read finished A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write change cipher spec A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write finished A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 flush data
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: save session 4C77493FCAD703043FECE8FEC020E20778D68D4E951E4EFAE169E18779AE884F&s=44116 to smtpd cache
Feb 17 13:29:05 202010-1 postfix/tlsmgr[21554]: put smtpd session id=4C77493FCAD703043FECE8FEC020E20778D68D4E951E4EFAE169E18779AE884F&s=44116 [data 127 bytes]
Feb 17 13:29:05 202010-1 postfix/tlsmgr[21554]: write smtpd TLS cache entry 4C77493FCAD703043FECE8FEC020E20778D68D4E951E4EFAE169E18779AE884F&s=44116: time=1266431345 [data 127 bytes]
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: Anonymous TLS connection established from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 17 13:29:05 202010-1 dovecot: auth(default): client in: AUTH 2 PLAIN service=smtp nologin lip=204.12.98.91 rip=99.74.xxx.xxx resp=<hidden>
Feb 17 13:29:05 202010-1 dovecot: auth(default): passwd-file(jeff,99.74.xxx.xxx): lookup: user=jeff file=/etc/shadow
Feb 17 13:29:05 202010-1 dovecot: auth(default): client out: OK 2 user=jeff
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: NOQUEUE: reject: RCPT from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: 554 5.7.1 <***@rahul.net>: Relay access denied; from=<***@mydomain.com> to=<***@rahul.net> proto=ESMTP helo=<[192.168.2.11]>
Feb 17 13:29:06 202010-1 postfix/smtpd[21553]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]

It appears (afaik) that I'm authenticating from the log file above.
I also set 'smtpd_tls_auth_only = no' and manually tested the
authentication as working via telnet.

250-PIPELINING
250-SIZE 15000000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth plain AGplZmYAYkhrb3FhMjI=
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye

I still can't seem to get remote relay access (smtp relaying)
to work for single users (***@mydomain.com). I've used
mynetworks to relay for static IPs just fine, however I
need it to work with my users who can be located anywhere,
not just from a single static IP address.

I've gone through the docs several times (and possibly
missed things), but as far as I can tell, I'm supposed to
use:

relay_recipient_maps = hash:/etc/postfix/relay_recipients
relay_domains = hash:/etc/postfix/relay_domains

to get this to work.

relay_recipients contains:
***@mydomain.com ok

relay_domains contains:
mydomain.com relay

Sorry if this is getting old (it is for me also) :)
I'm just trying to understand how this thing is supposed
to work, especially so I don't become an open relay.

I appreciate your patience.
Jeff
houdini+ (Bill Weiss)
2010-02-16 18:52:32 UTC
Jeff Lacki(***@rahul.net)@Tue, Feb 16, 2010 at 10:37:24AM -0800:
(stuff)
Post by Jeff Lacki
Feb 17 13:29:06 202010-1 postfix/smtpd[21553]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
It appears (afaik) that I'm authenticating from the log file above.
I also set 'smtpd_tls_auth_only = no' and manually tested the
authentication as working via telnet.
250-PIPELINING
250-SIZE 15000000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth plain AGplZmYAYkhrb3FhMjI=
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
I think you know this, but just in case: that password is trivially
decodable. If it's a real one, go change it quick :)
Post by Jeff Lacki
I still can't seem to get remote relay access (smtp relaying)
mynetworks to relay for static IPs just fine, however I
need it to work with my users who can be located anywhere,
not just from a single static IP address.
I've gone through the docs several times (and possibly
missed things), but as far as I can tell, I'm supposed to
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relay_domains = hash:/etc/postfix/relay_domains
to get this to work.
mydomain.com relay
Do you have something like this in your main.cf:

smtpd_recipient_restrictions =
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
permit_mynetworks,
permit_sasl_authenticated,

?

That "permit_sasl_authenticated" is what makes it work for my site.

Also, you're saying to allow relaying with a recipient of
"***@mydomain.com", but your test email is to "***@rahul.net". A =/= B.

How about some "postconf -n" output for us? Apologies if you've sent it
before, but it sounds like you've been making some changes.
--
Bill Weiss

There are two ways to write error-free programs; only the third one
works.
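
Added example, not part of the thread: a SASL PLAIN response is only base64 over authzid, authcid and password separated by NUL bytes, so a pasted telnet transcript discloses the credentials, as the reply above points out. The Python sketch below scrubs such responses (and the answers to AUTH LOGIN challenges) before a transcript is shared; the sample session, its credentials (alice / correct-horse) and the function names are constructed for this example.

```python
import base64
import binascii
import re

REDACTED = "[REDACTED-SASL-RESPONSE]"
# Client command with an inline initial response: "AUTH PLAIN <base64>".
AUTH_PLAIN_RE = re.compile(r"^(\s*AUTH\s+PLAIN\s+)(\S+)\s*$", re.IGNORECASE)
# Server reply lines start with a three-digit status code.
STATUS_RE = re.compile(r"^\s*\d{3}[ -]")


def decode_plain(token):
    """Decode a PLAIN response into (authzid, authcid, password), else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    return tuple(p.decode("utf-8", "replace") for p in parts)


def redact_transcript(text):
    """Return (scrubbed transcript, user names whose password was exposed)."""
    out, exposed = [], []
    after_challenge = False  # previous line was a "334" SASL challenge
    for line in text.splitlines():
        m = AUTH_PLAIN_RE.match(line)
        if m:
            creds = decode_plain(m.group(2))
            if creds:
                exposed.append(creds[1])
            out.append(m.group(1) + REDACTED)
            after_challenge = False
        elif after_challenge and line.strip() and not STATUS_RE.match(line):
            # Client answer to a 334 challenge (AUTH LOGIN user name/password).
            out.append(REDACTED)
            after_challenge = False
        else:
            out.append(line)
            after_challenge = line.lstrip().startswith("334")
    return "\n".join(out), exposed


def b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample transcript (PLAIN and LOGIN variants); made-up credentials.
TOKEN = b64("\0alice\0correct-horse")
SAMPLE = "\n".join([
    "250-AUTH PLAIN LOGIN",
    "250 DSN",
    "auth plain " + TOKEN,
    "235 2.7.0 Authentication successful",
    "auth login",
    "334 VXNlcm5hbWU6",
    b64("alice"),
    "334 UGFzc3dvcmQ6",
    b64("correct-horse"),
    "235 2.7.0 Authentication successful",
    "quit",
])

if __name__ == "__main__":
    scrubbed, users = redact_transcript(SAMPLE)
    print(scrubbed)
    print("password exposed for:", users)
```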
Noel Jones
2010-02-16 19:16:04 UTC
Post by Jeff Lacki
Post by Noel Jones
No indication that the user authenticated. When someone
authenticates you'll get a log line something like
client=user.example.org[192.168.1.163], sasl_method=CRAM-MD5,
sasl_username=username
I've been looking at this for a couple days now, still having
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: connect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: setting up TLS connection from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:before/accept initialization
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: looking up session 8B580343BBAB1CDFF37061B0F6AADCBFAE2FC46F96A7BB40B0A73D14C60B7A23&s=44116 in smtpd cache
Feb 17 13:29:05 202010-1 postfix/tlsmgr[21554]: lookup smtpd session id=8B580343BBAB1CDFF37061B0F6AADCBFAE2FC46F96A7BB40B0A73D14C60B7A23&s=44116
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 read client hello B
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write server hello A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write certificate A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write key exchange A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write server done A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 flush data
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 read client key exchange A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 read finished A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write change cipher spec A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 write finished A
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: SSL_accept:SSLv3 flush data
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: save session 4C77493FCAD703043FECE8FEC020E20778D68D4E951E4EFAE169E18779AE884F&s=44116 to smtpd cache
Feb 17 13:29:05 202010-1 postfix/tlsmgr[21554]: put smtpd session id=4C77493FCAD703043FECE8FEC020E20778D68D4E951E4EFAE169E18779AE884F&s=44116 [data 127 bytes]
Feb 17 13:29:05 202010-1 postfix/tlsmgr[21554]: write smtpd TLS cache entry 4C77493FCAD703043FECE8FEC020E20778D68D4E951E4EFAE169E18779AE884F&s=44116: time=1266431345 [data 127 bytes]
Feb 17 13:29:05 202010-1 postfix/smtpd[21553]: Anonymous TLS connection established from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb 17 13:29:05 202010-1 dovecot: auth(default): client in: AUTH 2 PLAIN service=smtp nologin lip=204.12.98.91 rip=99.74.xxx.xxx resp=<hidden>
Feb 17 13:29:05 202010-1 dovecot: auth(default): passwd-file(jeff,99.74.xxx.xxx): lookup: user=jeff file=/etc/shadow
Feb 17 13:29:05 202010-1 dovecot: auth(default): client out: OK 2 user=jeff
Feb 17 13:29:06 202010-1 postfix/smtpd[21553]: disconnect from 99-74-xxx-xxx.lightspeed.cicril.sbcglobal.net[99.74.xxx.xxx]
It appears (afaik) that I'm authenticating from the log file above.
I also set 'smtpd_tls_auth_only = no' and manually tested the
authentication as working via telnet.
I still don't see an authentication line from postfix. Turn
off the TLS debug, you don't need it.
Post by Jeff Lacki
250-PIPELINING
250-SIZE 15000000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth plain AGplZmYAYkhrb3FhMjI=
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
And did postfix log that this session authenticated?

After you authenticate you need to type in MAIL FROM and RCPT
TO commands to see if you get relaying denied or OK. That
will tell you if the problem is your client or postfix.

And everyone knows that user/password now, so change it.
Post by Jeff Lacki
I still can't seem to get remote relay access (smtp relaying)
mynetworks to relay for static IPs just fine, however I
need it to work with my users who can be located anywhere,
not just from a single static IP address.
I've gone through the docs several times (and possibly
missed things), but as far as I can tell, I'm supposed to
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relay_domains = hash:/etc/postfix/relay_domains
No, relay_domains and relay_recipient_maps are to define
domains you are responsible for, nothing to do with sasl
authentication.
Post by Jeff Lacki
to get this to work.
mydomain.com relay
Remove those settings.
Post by Jeff Lacki
Sorry if this is getting old (it is for me also) :)
I'm just trying to understand how this thing is supposed
to work, especially so I don't become an open relay.
I appreciate your patience.
Jeff
Show your current "postconf -n".

-- Noel Jones
Jeff Lacki
2010-02-16 20:43:11 UTC
Post by Noel Jones
And did postfix log that this session authenticated?
No....and I think I see the problem, but not sure where it is.
When I telnet localhost 25 and authenticate I get:

Feb 17 15:19:42 202010-1 postfix/smtpd[23113]: connect from
localhost.localdomain[127.0.0.1]
Feb 17 15:20:12 202010-1 dovecot: auth(default): client in: AUTH
2 plain service=smtp nologin lip=127.0.0.1 rip=127.0.0.1
resp=<hidden>
Feb 17 15:20:12 202010-1 dovecot: auth(default):
passwd-file(jeff,127.0.0.1): lookup: user=jeff file=/etc/shadow
Feb 17 15:20:12 202010-1 dovecot: auth(default): client out: OK 2
user=jeff

Feb 17 15:20:32 202010-1 postfix/smtpd[23113]: 4C4486581D2:
client=localhost.localdomain[127.0.0.1], sasl_method=plain,
sasl_username=jeff
Feb 17 15:20:44 202010-1 postfix/smtpd[23113]: disconnect from
localhost.localdomain[127.0.0.1]

Which appears to authenticate I believe.

But when I add MAIL FROM and RCPT TO
I don't see anything more and the telnet session just says 250 2.5.x Ok
for both. It sounds like my relay issue could just be that I'm not
authenticating properly....but unsure how to debug from here.

Earlier question about emails:

I have a server which has websites of users.
Those users have their own virtual
domain names. They also have local logins on the server
and will be setting up their pop emails to my server:
They also need an smtp server to use (I want it also to be
on my server, not their own for ease of use for them
to setup):

smtp.mydomain.com

So I'm trying to validate them (I'm assuming) by their login
name and their /etc/shadow password (CentOS).
Post by Noel Jones
And everyone knows that user/password now, so change it.
Yeah, I read that and forgot, brain fried already. Changed.
Post by Noel Jones
Show your current "postconf -n".
alias_maps = hash:/etc/postfix/aliases
allow_percent_hack = yes
append_at_myorigin = yes
append_dot_mydomain = yes
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_transport = smtp
disable_vrfy_command = yes
ignore_mx_lookup_error = no
in_flow_delay = 1s
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mydestination = $myhostname, localhost.$mydomain $mydomain
myhostname = mydomain.com
mynetworks = 127.0.0.1
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
notify_classes = resource,software
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
setgid_group = postdrop
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_tls_note_starttls_offer = yes
smtpd_client_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_hard_error_limit = 6
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/good_clients, hash:/etc/postfix/access, hash:/etc/postfix/bad_ips, reject_unknown_helo_hostname, reject_non_fqdn_hostname, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname, reject_unknown_hostname
smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/client_access, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unlisted_recipient, reject_unlisted_sender, reject_unauth_destination, reject_rbl_client opm.blitzed.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dnsbl.njabl.org, reject_rbl_client dul.dnsbl.sorbs.net, check_policy_service inet:127.0.0.1:9998, permit
smtpd_restriction_classes = restrictive, permissive
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_soft_error_limit = 4
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_always_issue_session_ids = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_domains = anotherdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual
Noel Jones
2010-02-16 21:57:08 UTC
Post by Jeff Lacki
Post by Noel Jones
And did postfix log that this session authenticated?
No....and I think I see the problem, but not sure where it is.
Feb 17 15:19:42 202010-1 postfix/smtpd[23113]: connect from
localhost.localdomain[127.0.0.1]
Feb 17 15:20:12 202010-1 dovecot: auth(default): client in: AUTH 2 plain
service=smtp nologin lip=127.0.0.1 rip=127.0.0.1 resp=<hidden>
passwd-file(jeff,127.0.0.1): lookup: user=jeff file=/etc/shadow
Feb 17 15:20:12 202010-1 dovecot: auth(default): client out: OK 2 user=jeff
client=localhost.localdomain[127.0.0.1], sasl_method=plain,
sasl_username=jeff
Feb 17 15:20:44 202010-1 postfix/smtpd[23113]: disconnect from
localhost.localdomain[127.0.0.1]
Which appears to authenticate I believe.
Yes, authentication was successful above.
Post by Jeff Lacki
Post by Noel Jones
Show your current "postconf -n".
local_recipient_maps =
This should be left at the default so that local recipients
are validated. Otherwise you'll get loads of undeliverable
mail clogging your queue and will eventually get blacklisted
as a backscatter source.

Just remove it from your main.cf.
Post by Jeff Lacki
smtpd_client_restrictions = permit_mynetworks, check_client_access
hash:/etc/postfix/client_access
change "permit_mynetworks" to
"permit_mynetworks, permit_sasl_authenticated"

Do this for all your smtpd_*_restrictions entries.
Post by Jeff Lacki
smtpd_data_restrictions = reject_unauth_pipelining, permit
This should really have "permit_mynetworks,
permit_sasl_authenticated" to prevent accidentally rejecting
mail from your own users.
Post by Jeff Lacki
smtpd_hard_error_limit = 6
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_client_access
again, "permit_mynetworks, permit_sasl_authenticated, "
Post by Jeff Lacki
hash:/etc/postfix/good_clients, hash:/etc/postfix/access, hash:/etc/postfix/bad_ips, reject_unknown_helo_hostname,
reject_non_fqdn_hostname, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_hostname,
reject_unknown_hostname
smtpd_recipient_restrictions = permit_mynetworks, check_client_access
again, "permit_mynetworks, permit_sasl_authenticated, "
Post by Jeff Lacki
hash:/etc/postfix/client_access, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname,
reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain,
Nothing else jumps out at me as an error. You might want to
review your list of RBLs and make sure they're all still active.


-- Noel Jones
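
Added example, not part of the thread or of Postfix: a small Python check, run over an abridged excerpt of the "postconf -n" output posted above, that lists the reject_* rules a client reaches before permit_sasl_authenticated in each smtpd_*_restrictions list. With the default smtpd_delay_reject = yes the client, helo and sender lists are evaluated at RCPT TO together with the recipient list, and a reject in any one of them ends the transaction. The function names are this example's own, and the check reads only literal rule names, not lookup tables or policy services.

```python
import re

# Restriction lists a mail submission from an authenticated client must pass.
LISTS = (
    "smtpd_client_restrictions",
    "smtpd_helo_restrictions",
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
    "smtpd_data_restrictions",
)


def parse_postconf(text):
    """Parse `postconf -n` or main.cf text into {parameter: value}."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:  # continuation of the previous parameter
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params


def rejects_before_sasl_permit(params):
    """Map each list to the reject_* rules placed ahead of the first permit
    that would let a SASL-authenticated client through."""
    findings = {}
    for name in LISTS:
        rules = [r for r in re.split(r"[,\s]+", params.get(name, "")) if r]
        exposed = []
        for rule in rules:
            if rule in ("permit_sasl_authenticated", "permit"):
                break  # authenticated clients stop evaluating this list here
            if rule.startswith("reject"):
                exposed.append(rule)
        if exposed:
            findings[name] = exposed
    return findings


# Excerpt of the configuration posted in the thread; the recipient list is
# abridged (RBL and several reject_* rules after the SASL permit left out).
AS_POSTED = """\
smtpd_client_restrictions = permit_mynetworks, check_client_access
    hash:/etc/postfix/client_access
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_restrictions = permit_mynetworks, check_client_access
    hash:/etc/postfix/good_clients, hash:/etc/postfix/access,
    hash:/etc/postfix/bad_ips, reject_unknown_helo_hostname,
    reject_non_fqdn_hostname, reject_unauth_destination,
    reject_unauth_pipelining, reject_invalid_hostname, reject_unknown_hostname
smtpd_recipient_restrictions = permit_mynetworks, check_client_access
    hash:/etc/postfix/client_access, permit_sasl_authenticated,
    reject_invalid_hostname, reject_unauth_destination, permit
smtpd_sender_restrictions = reject_unknown_sender_domain
"""

if __name__ == "__main__":
    for lst, rules in rejects_before_sasl_permit(parse_postconf(AS_POSTED)).items():
        print(f"{lst}: authenticated clients can still hit {', '.join(rules)}")
```

On the posted configuration the helo list is reported with reject_unauth_destination ahead of any SASL permit, while the recipient list, which already had permit_sasl_authenticated, is not.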
Jeff Lacki
2010-02-16 23:20:56 UTC
That fixed it. I knew it would be something
simple, in the end it usually is.

Thanks so much Noel!
Jerry
2010-02-17 11:40:40 UTC
On Tue, 16 Feb 2010 15:20:56 -0800 (PST)
Post by Jeff Lacki
That fixed it. I knew it would be something
simple, in the end it usually is.
aka: Occam's razor
--
Jerry
***@yahoo.com


I'm so broke I can't even pay attention.