Configure postfix to relay from machines on subnet

I'm trying to set up postfix as a relay, for some ancient equipment inside our network which can't be upgraded to use current security protocols to send email.

At this stage I'm just trying to prove access using telnet.

The current state is that using telnet, on the machine where postfix is running, using 127.0.0.1, works:

```
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220-cogapp.com ESMTP Postfix
quit
```

But attempting it from that machine using its actual IP, or from another machine on the same subnet, fails:

```
Trying 192.168.1.14...
telnet: connect to address 192.168.1.14: Connection refused
telnet: Unable to connect to remote host
```

I don't believe that there is any blocking of port 25 on the machine. I can telnet to other services on it.

The postfix configurations that I'm aware of as being relevant are currently set as follows:

```
inet_interfaces = all

mynetworks = 127.0.0.0/8,192.168.1.0/24
mynetworks_style = subnet

smtpd_recipient_restrictions = permit_mynetworks

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
```

I assume that there are some other postfix config parameters that I need to change. Can you help me figure out which these are?

TIA - Pat.

Edit: more complete dumps of the config, per advice from anx in the first reply:

```
$ postconf -n
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
myhostname = cogapp.com
mynetworks = 127.0.0.0/8,192.168.1.0/23
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_recipient_restrictions = permit_mynetworks
smtpd_tls_ciphers = medium
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
```

```
$ postconf -M
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd -o smtpd_tls_security_level=encrypt
smtp       unix  -       -       n       -       -       smtp
pickup     fifo  n       -       n       60      1       pickup -o content_filter=
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
sacl-cache unix  -       -       n       -       1       sacl-cache
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
relay      unix  -       -       n       -       -       smtp -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
dovecot    unix  -       n       n       -       25      pipe flags=DRhu user=_dovecot:mail argv=/usr/libexec/dovecot/dovecot-lda -d ${user}
policy     unix  -       n       n       -       -       spawn user=nobody:mail argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
```

anx
a) Run `ss -tlpn` and `ip -4 a l` on the mail server to confirm it is listening on the expected IPv4 address. b) Use `postconf -n` and `postconf -M` to dump your configuration instead of quoting from the `.cf` files - if you just look at the *effective* non-default configuration you would more easily notice overridden/misleading syntax. (Preferably do not comment: [improve question directly](https://serverfault.com/posts/1117151/edit). You may [mask private details (globally routable IP addresses, DNS names)](https://meta.serverfault.com/a/6063), but make sure it stays consistent.)
anx
The client, the mail server, or any device in between might be set up to refuse TCP connections to port 25. You can dump the rules active for the commonly used firewall by calling `iptables -vnL`. If the person managing your network insists on leaving port 25 unusable, yet the device you wish to receive mail from offers such choice, you might want to use port 465 (reserved for SMTP mail submission via TLS) or port 587 (reserved for SMTP mail submission with optional transport security) instead.
Patscat
Hi anx, thanks for replying. I've edited the question as you suggested with postconf output. This machine is running macOS (10.10.5), not using iptables. The Firewall control panel on the machine confirms "Firewall: Off. This computer's firewall is currently turned off. All incoming connections to this computer are allowed." I'm working on the presumption that this is correct.
anx
Can't spot anything wrong, did you test whether port 587 (spelled as `submission` in your config) is reachable, so that it is definitely a problem only with port 25? Did you call `netstat` (with probably similar options as I suggested for `ss` for dumping numeric info on listening tcp sockets) to confirm the open port?
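As an added example (not code from this thread or from Postfix), a small client-side probe for the check anx describes: connect to port 25 and the `submission` port 587 on the loopback and LAN addresses from the question, read the 220 banner and the EHLO reply, and tell "connection refused" (the host answered, but nothing is bound to that address:port, which points at the listener configuration) apart from a timeout (a filter or missing route). It only sends EHLO and QUIT, so it can be run against a production relay; the `probe.example` EHLO name is a placeholder.

```python
import socket
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    host: str
    port: int
    state: str                    # "open", "refused", "timeout" or "error"
    banner: str = ""              # first line of the server's 220 greeting
    extensions: list = field(default_factory=list)   # EHLO keywords, e.g. STARTTLS
    detail: str = ""              # OS error text for state == "error"


def _read_reply(sock):
    """Read one complete SMTP reply, including multi-line '250-' replies."""
    buf = b""
    while chunk := sock.recv(4096):
        buf += chunk
        lines = [l for l in buf.decode("ascii", "replace").split("\r\n") if l]
        # A reply ends with a line of the form "NNN text" (space, not dash).
        if buf.endswith(b"\r\n") and lines and len(lines[-1]) > 3 and lines[-1][3] == " ":
            return lines
    return []


def parse_ehlo(lines):
    """Keywords a server advertised in its 250 EHLO reply (e.g. STARTTLS, SIZE)."""
    if not lines or not lines[0].startswith("250"):
        return []
    return [l[4:].split()[0].upper() for l in lines[1:] if l[4:].split()]


def probe_smtp(host, port, timeout=3.0, helo_name="probe.example"):
    """TCP-connect, read the banner, send EHLO then QUIT; never submits mail."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = _read_reply(s)
            s.sendall(f"EHLO {helo_name}\r\n".encode())
            ehlo = _read_reply(s)
            s.sendall(b"QUIT\r\n")
            return ProbeResult(host, port, "open", banner[0] if banner else "", parse_ehlo(ehlo))
    except ConnectionRefusedError:    # host reachable, nothing listening on that address
        return ProbeResult(host, port, "refused")
    except socket.timeout:            # no answer at all: filtered, or no route
        return ProbeResult(host, port, "timeout")
    except OSError as exc:
        return ProbeResult(host, port, "error", detail=str(exc))


if __name__ == "__main__":
    # Addresses from the question; 587 is the submission service in the poster's master.cf.
    for h, p in [("127.0.0.1", 25), ("192.168.1.14", 25), ("192.168.1.14", 587)]:
        r = probe_smtp(h, p)
        print(f"{h}:{p} {r.state} {r.banner} {' '.join(r.extensions)} {r.detail}".rstrip())
```

A "refused" result on 192.168.1.14:25 together with "open" on 127.0.0.1:25 means the daemon is up but not bound to the LAN address, which is what `netstat -an | grep LISTEN` (or `ss -tlpn` on Linux) should confirm on the server itself.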