Relay Access Denied (State 13) Postfix + Dovecot + Mysql
- by Pierre Jeptha
So we have been scratching our heads for quite some time over this relay issue that has presented itself since we re-built our mail-server after a failed Webmin update. We are running Debian Karmic with postfix 2.6.5 and Dovecot 1.1.11, sourcing from a Mysql database and authenticating with SASL2 and PAM. Here are the symptoms of our problem:
1) When users are on our local network they can send and receive 100% perfectly fine.
2) When users are off our local network and try to send to domains not of this mail server (ie. gmail) they get the "Relay Access Denied" error. However users can send to domains of this mail server when off the local network fine.
3) We host several virtual domains on this mailserver, the primary domain being airnet.ca. The rest of our virtual domains (ex. jeptha.ca) cannot receive email from domains not hosted by this mailserver (ie. gmail and such cannot send to them). They receive bounce backs of "Relay Access Denied (State 13)". This is regardless of whether they are on our local network or not, which is why it is so urgent for us to get this solved.
Here is our main.cf from postfix:
myhostname = mail.airnet.ca
mydomain = airnet.ca
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
smtpd_sasl_type = dovecot
queue_directory = /var/spool/postfix
smtpd_sasl_path = private/auth
smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
append_dot_mydomain = no
readme_directory = no
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_auth_only = no
alias_maps = proxy:mysql:/etc/postfix/mysql/alias.cf hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = mail.airnet.ca, airnet.ca, localhost.$mydomain
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
local_recipient_maps = $alias_maps $virtual_mailbox_maps proxy:unix:passwd.byname
home_mailbox = /var/virtual/
mail_spool_directory = /var/spool/mail
mailbox_transport = maildrop
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_etrn_restrictions = reject
smtpd_data_restrictions = reject_unauth_pipelining, permit
show_user_unknown_table_name = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
$virtual_mailbox_limit_maps $virtual_uid_maps $virtual_gid_maps
virtual_alias_domains =
message_size_limit = 20971520
transport_maps = proxy:mysql:/etc/postfix/mysql/vdomain.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/vmailbox.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/alias.cf hash:/etc/mailman/aliases
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql/vuid.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql/vgid.cf
virtual_mailbox_base = /
virtual_mailbox_limit = 209715200
virtual_mailbox_extended = yes
virtual_create_maildirsize = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql/vmlimit.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_limit_inbox = no
virtual_overquote_bounce = yes
virtual_minimum_uid = 1
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 4h
delay_warning_time = 1h
append_dot_mydomain = no
qmgr_message_active_limit = 500
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
smtp_bind_address = 142.46.193.6
relay_domains = $mydestination
mynetworks = 127.0.0.0, 142.46.193.0/25
inet_interfaces = all
inet_protocols = all
And here is the master.cf from postfix:
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
spfpolicy unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl
smtp-amavis unix - - n - 4 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
#127.0.0.1:10025 inet n - n - - smtpd
dovecot unix - n n - - pipe
flags=DRhu user=dovecot:21pever1lcha0s argv=/usr/lib/dovecot/deliver -d ${recipient
Here is Dovecot.conf
protocols = imap imaps pop3 pop3s
disable_plaintext_auth = no
log_path = /etc/dovecot/logs/err
info_log_path = /etc/dovecot/logs/info
log_timestamp = "%Y-%m-%d %H:%M:%S ".
syslog_facility = mail
ssl_listen = 142.46.193.6
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
mail_location = mbox:~/mail:INBOX=/var/virtual/%d/mail/%u
mail_privileged_group = mail
mail_debug = yes
protocol imap {
login_executable = /usr/lib/dovecot/imap-login
mail_executable = /usr/lib/dovecot/rawlog /usr/lib/dovecot/imap
mail_executable = /usr/lib/dovecot/gdbhelper /usr/lib/dovecot/imap
mail_executable = /usr/lib/dovecot/imap
imap_max_line_length = 65536
mail_max_userip_connections = 20
mail_plugin_dir = /usr/lib/dovecot/modules/imap
login_greeting_capability = yes
}
protocol pop3 {
login_executable = /usr/lib/dovecot/pop3-login
mail_executable = /usr/lib/dovecot/pop3
pop3_enable_last = no
pop3_uidl_format = %08Xu%08Xv
mail_max_userip_connections = 10
mail_plugin_dir = /usr/lib/dovecot/modules/pop3
}
protocol managesieve {
sieve=~/.dovecot.sieve
sieve_storage=~/sieve
}
mail_plugin_dir = /usr/lib/dovecot/modules/lda
auth_executable = /usr/lib/dovecot/dovecot-auth
auth_process_size = 256
auth_cache_ttl = 3600
auth_cache_negative_ttl = 3600
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
auth_worker_max_count = 60
auth_failure_delay = 2
auth default {
mechanisms = plain login
passdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
userdb sql {
args = /etc/dovecot/dovecot-sql.conf
}
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
master {
path = /var/run/dovecot/auth-master
mode = 0600
}
}
}
Please, if you require anything do not hesistate, I will post it ASAP. Any help or suggestions are greatly appreciated!
Thanks,
Pierre
