Yet another relay access denied question (mailing.postfix.users)
Hi!,

I've seen a lot of these questions here. None of the answers had helped me. So, here is my problem: I'm using my postfix box to relay to an Exchange server, everything works ok until someone tries to send mail from outside my network to other than $mydomain. If the user sends the mail from my internal network, the mail goes ok to the external domain.

If I put the IP address of the external network where the user sends the email in $mynetworks, everything works ok, but since I don't know all the ip addresses where my users will send mail from, this is not a valid solution.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10025
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
delay_warning_time = 4h
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maps_rbl_domains = sbl.spamhaus.org, relays.ordb.org, opm.blitzed.org, dun,dnsrbl.net
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = <mydomain>
myhostname = <myhost>.<mydomain>
mynetworks = 10.0.0.0/8, $mydomain, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
owner_request_special = no
queue_directory = /var/spool/postfix
queue_minfree = 0
readme_directory = /usr/share/doc/postfix-2.2.8/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = <all_the_domains_the_exchange_is_hosting>,$mydestination,127.0.0.1
relay_recipient_maps = hash:/etc/postfix/exchange_recipients
sample_directory = /usr/share/doc/postfix-2.2.8/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtpd_banner = <my_domain> ESMTP
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject, reject_maps_rbl
smtpd_recipient_restrictions = reject_unauth_destination, reject_non_fqdn_recipient
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

thanks in advance for any help..

regards,
-eduardo s.m.
eduardo wrote:
> If I put the IP address of the external network where the user sends
> the email in $mynetworks, everything works ok, but since I don't know
> all the ip addresses where my users will send mail from this is not a
> valid solution

There are two methods commonly used to grant SMTP relay privileges for remote users. SMTP AUTH is the best, and then there is pop-before-smtp. Some references:

http://postfix.state-of-mind.de/patr...tter/smtpauth/
http://www.stahl.bau.tu-bs.de/~hilde...-smtp_en.shtml

--
Greg
On 07/09/2006 01:11 eduardo wrote:
> I'm using my postfix box to relay to an Exchange server, everything
> works ok until someone tries to send mail from outside my network to
> other than $mydomain. If the user sends the mail from my internal
> network, the mail goes ok to the external domain.
>
> If I put the IP address of the external network where the user sends
> the email in $mynetworks, everything works ok, but since I don't know
> all the ip addresses where my users will send mail from this is not a
> valid solution

Okay, what's your logfile showing (the error response numbers and descriptions)?

grep 'NOQUEUE' /var/log/maillog

> maps_rbl_domains = sbl.spamhaus.org, relays.ordb.org, opm.blitzed.org,
> dun,dnsrbl.net

dun,dnsrbl.net? Besides the comma, that list is dead anyway. You may want to check active lists at http://www.openrbl.org
Bas S.Th. Verdult wrote:
> Okay, what's your logfile showing (the error response numbers and
> descriptions)?
>
> grep 'NOQUEUE' /var/log/maillog
>
> > maps_rbl_domains = sbl.spamhaus.org, relays.ordb.org, opm.blitzed.org,
> > dun,dnsrbl.net

Hi Bas,

This is the message I receive in maillog:

NOQUEUE: reject: RCPT from unknown[<external_ip_address>]: 554 <ejsanchez@myexternalaccount.com>: Relay access denied; from=<esanchez@mydomain.com> to=<ejsanchez@myexternalaccount.com> proto=ESMTP helo=<galahad.local>

thanks in advance for any hint,

regards,
-eduardo s.m.
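Added example, not part of the thread: a Python parser for the NOQUEUE reject line quoted above that separates relay rejections whose envelope sender claims a local domain (roaming users who need SMTP AUTH) from relay attempts by strangers. The log lines, IP addresses and the LOCAL_DOMAINS value are constructed for the example.

```python
import re
from collections import Counter

# Shape of a Postfix smtpd reject record, as in the maillog line quoted above.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<text>.*?); (?P<attrs>.*)$"
)
ATTR_RE = re.compile(r"(\w+)=(?:<([^>]*)>|(\S+))")
LOCAL_DOMAINS = {"mydomain.com"}  # assumption: stands in for the poster's $mydomain

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE = """\
Sep  7 01:20:11 mx postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 <ejsanchez@myexternalaccount.com>: Relay access denied; from=<esanchez@mydomain.com> to=<ejsanchez@myexternalaccount.com> proto=ESMTP helo=<galahad.local>
Sep  7 01:22:40 mx postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 <victim@example.org>: Relay access denied; from=<promo@example.net> to=<victim@example.org> proto=SMTP helo=<mail>
Sep  7 01:25:02 mx postfix/smtpd[2219]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 504 <bob>: Recipient address rejected: need fully-qualified address; from=<promo@example.net> to=<bob> proto=SMTP helo=<mail>
"""

def parse_reject(line):
    """Return the reject record as a dict, or None for unrelated lines."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key, bracketed, bare in ATTR_RE.findall(rec.pop("attrs")):
        rec[key] = bracketed or bare
    return rec

def triage(rec):
    """Label a record; the envelope sender is forgeable, so this is only a hint."""
    if rec is None or "Relay access denied" not in rec["text"]:
        return "other"
    sender_domain = rec.get("from", "").rpartition("@")[2].lower()
    if sender_domain in LOCAL_DOMAINS:
        return "local-sender-unauthenticated"   # likely a roaming user: needs SMTP AUTH
    return "foreign-relay-attempt"               # outside sender, outside recipient

def summarize(log_text):
    """Count (label, client IP) pairs over all reject lines in the log text."""
    records = filter(None, map(parse_reject, log_text.splitlines()))
    return Counter((triage(r), r["ip"]) for r in records)

if __name__ == "__main__":
    for (label, ip), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:3d}  {label:30s} {ip}")
```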
I was able to configure Postfix + SASL2 with the following lines in main.cf:

smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rhsbl_sender dsn.rfc-ignorant.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =

but...as this is a relay for an Exchange server, it does not authenticate with user/password of the active directory, I must type a real unix user/password so it can send mail.

Any idea on how to glue this with the active directory?

regards,
-eduardo s.m.
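Added example, not part of the thread or of Postfix itself: a simplified Python model of how the restriction list in the post above is evaluated, left to right with the first decisive result winning, plus a check that an unauthenticated outside client still cannot relay. The client addresses, the SASL user name, the HOSTED set and the reduced restriction vocabulary (RBL checks omitted, exact domain match only) are assumptions of the model.

```python
import ipaddress

# Restriction list from the post above; the RBL lookups are left out of this model.
SASL_LIST = ["permit_sasl_authenticated", "permit_mynetworks",
             "reject_unauth_destination", "reject_non_fqdn_recipient"]

MYNETWORKS = ["10.0.0.0/8", "127.0.0.0/8"]   # network ranges from the posted mynetworks
HOSTED = {"mydomain.com"}                     # assumption: stands in for relay_domains/mydestination

def evaluate(restrictions, client_ip, sasl_user, rcpt):
    """Walk the list in order; the first restriction that decides wins.

    Returns (action, restriction_that_decided).
    """
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rpartition("@")[2].lower()
    for r in restrictions:
        if r == "permit_sasl_authenticated" and sasl_user:
            return ("permit", r)
        if r == "permit_mynetworks" and any(
                ip in ipaddress.ip_network(net) for net in MYNETWORKS):
            return ("permit", r)
        if r == "reject_unauth_destination" and domain not in HOSTED:
            return ("reject", r)              # logged as "Relay access denied"
        if r == "reject_non_fqdn_recipient" and "." not in domain:
            return ("reject", r)
    return ("permit", "end of list")

def relays_for_strangers(restrictions):
    """True if an unauthenticated outside client can reach a foreign domain."""
    action, _ = evaluate(restrictions, "203.0.113.7", None, "someone@example.org")
    return action == "permit"

if __name__ == "__main__":
    cases = [
        ("roaming user, authenticated", "203.0.113.7", "esanchez"),
        ("roaming user, no AUTH", "203.0.113.7", None),
        ("internal client", "10.1.2.3", None),
    ]
    for label, ip, user in cases:
        print(label, evaluate(SASL_LIST, ip, user, "ejsanchez@myexternalaccount.com"))
    print("open relay for strangers:", relays_for_strangers(SASL_LIST))
```

Passing a list that lacks `reject_unauth_destination` to `relays_for_strangers` returns True, which is the condition to check for after any reordering of the restrictions.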
eduardo wrote:
> but...as this is a relay for an Exchange server, it does not
> authenticate with user/password of the active directory, I must type a
> real unix user/password so it can send mail.
> Any idea on how to glue this with the active directory?

Well, I'll post this here, in case someone was interested in how to do it. I followed this guy's how-to:

http://stoilis.blogspot.com/2005/09/...n-against.html

works very well.

regards,
-eduardo s.m.