Cannot send/receive email (Sender address rejected: not owned by user)

Discussion in 'Server Operation' started by teer26, Jan 9, 2020.

  1. teer26


    I FUBAR'd a working system when I added another virtual domain to my email server, now I cannot even revert to its old state. I've tried everything I could find online, but nothing seemed to work.
    I'm currently running a Postfix (3.4.3) /Dovecot (2.2.36) setup on CentOS 7 with MariaDB, and a RoundCube client as webmail. LetsEncrypt for SSL certs.

    My questions are:
    1. How do I get it working again with just one domain? (urgent, this is my primary personal account)
    2. How do I make Postfix/Dovecot acknowledge SSL certs for each additional virtual domain?

    I login to RoundCube at webmail.mydomain.com, which works without issue. But trying to send mail results in:
    Code:
    NOQUEUE: reject: RCPT from example12345.hostwindsdns.com[111.222.222.111]: 553 5.7.1 <[email protected]>: Sender address rejected: not owned by user [email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<webmail.mydomain.com>
    My doveconf -n
    Code:
    # doveconf -n as posted (Dovecot 2.2.36 per the first post). Review notes are
    # marked NOTE(review) where the page alone cannot confirm the effect.
    # Plaintext mechanisms are acceptable only because "ssl = required" below
    # forces TLS before authentication.
    auth_mechanisms = plain login
    # NOTE(review): login processes run as the mail-owning user (vmail). Dovecot's
    # guidance is a separate unprivileged login user, so that a compromised
    # login process cannot read mailboxes — confirm this was deliberate.
    default_login_user = vmail
    first_valid_gid = 2000
    first_valid_uid = 2000
    listen = *
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_access_groups = vmail
    # Maildirs live under /var/www; the poster says the host is primarily a web
    # server, so confirm no web root or alias covers this path.
    mail_location = maildir:/var/www/mail/vmail/%d/%n
    namespace inbox {
      inbox = yes
      location =
      mailbox Drafts {
        auto = subscribe
        special_use = \Drafts
      }
      mailbox Junk {
        auto = subscribe
        special_use = \Junk
      }
      mailbox Sent {
        auto = subscribe
        special_use = \Sent
      }
      mailbox Trash {
        auto = subscribe
        special_use = \Trash
      }
      prefix =
      separator = /
      type = private
    }
    # Passwords are looked up via the SQL config file below; that file carries the
    # database credentials and should not be world-readable.
    passdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = sql
    }
    protocols = imap lmtp pop3
    # SASL socket for Postfix: owned by postfix, mode 0600, so only Postfix can
    # query the auth service. Postfix's smtpd_sasl_path has to name this same
    # socket; the postconf -n further down still points at
    # /var/run/dovecot/auth-client, which is the mismatch resolved later in the
    # thread.
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0600
        user = postfix
      }
      # NOTE(review): the auth service itself runs as root; with an sql passdb
      # that is not obviously required — confirm against the Dovecot docs.
      user = root
    }
    service imap-login {
      inet_listener imaps {
        port = 993
      }
      process_min_avail = 1
      # same consideration as default_login_user above
      user = vmail
    }
    # LMTP delivery socket for Postfix (virtual_transport in main.cf), same
    # owner/mode restriction as the auth socket.
    service lmtp {
      unix_listener /var/spool/postfix/private/dovecot-lmtp {
        group = postfix
        mode = 0600
        user = postfix
      }
    }
    service pop3-login {
      inet_listener pop3s {
        port = 995
      }
      process_min_avail = 1
      # same consideration as default_login_user above
      user = vmail
    }
    # TLS is mandatory for clients. The certificate must be valid for every
    # hostname clients connect to (the Roundcube config below uses mydomain.com).
    ssl = required
    ssl_cert = </etc/ssl/private/mydomain_com_fullchain.pem
    ssl_key =  </etc/ssl/private/mydomain_com_privkey.pem
    # NOTE(review): a static userdb normally takes uid=/gid=/home= template
    # arguments rather than a file path; this looks copied from passdb — confirm
    # that users resolve to the intended uid/gid/home.
    userdb {
      args = /etc/dovecot/dovecot-sql.conf
      driver = static
    }
    # debug-level TLS logging; useful while troubleshooting, noisy afterwards
    verbose_ssl = yes
    
    My postconf -n:
    Code:
    # postconf -n as posted (Postfix 3.4.3 per the first post). Review notes are
    # marked NOTE(review) where the page alone cannot confirm the effect.
    alias_database = $alias_maps
    alias_maps = hash:/etc/postfix/aliases
    biff = no
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    compatibility_level = 2
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
    html_directory = no
    inet_interfaces = all
    inet_protocols = ipv4
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    meta_directory = /etc/postfix
    # NOTE(review): the milters (OpenDKIM, OpenDMARC, spamass-milter) fail open —
    # if one is unavailable, mail is accepted unsigned/unchecked. A deliberate
    # availability trade-off, but worth knowing when reading the logs.
    milter_default_action = accept
    milter_protocol = 2
    # Local domains only; the hosted domains come from the MySQL virtual_* maps
    # below, and a domain should be listed in only one of the two places.
    mydestination = $myhostname, localhost.$mydomain, localhost
    newaliases_path = /usr/bin/newaliases.postfix
    non_smtpd_milters = unix:/var/run/opendkim/opendkim.socket, unix:/var/run/opendmarc/opendmarc.socket, unix:/var/run/spamass-milter/spamass-milter.socket
    queue_directory = /var/spool/postfix
    # readme/sample directories still name postfix-2.6.6 on a 3.4.3 install;
    # stale but harmless.
    readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
    # NOTE(review): "*" is not a documented pattern for relay_domains; confirm
    # what it actually matches on this version. Should it act as match-anything,
    # reject_unauth_destination below would no longer limit relaying.
    relay_domains = *
    sample_directory = /usr/share/doc/postfix-2.6.6/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    shlib_directory = no
    smtp_tls_loglevel = 1
    # Opportunistic TLS for outbound mail (no peer verification).
    smtp_tls_security_level = may
    smtp_use_tls = yes
    smtpd_milters = unix:/var/run/opendkim/opendkim.socket, unix:/var/run/opendmarc/opendmarc.socket, unix:/var/run/spamass-milter/spamass-milter.socket
    # Relaying is decided by reject_unauth_destination: only own networks and
    # SASL-authenticated clients may send to foreign domains.
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    # NOTE(review): the submission entry in master.cf (later in the thread) sets
    # this to $myhostname instead; unqualified SASL logins get a different
    # domain appended depending on the port — worth unifying.
    smtpd_sasl_local_domain = $mydomain
    # NOTE(review): this path does not match the Dovecot listener above
    # (/var/spool/postfix/private/auth); that is the permission-denied problem
    # the thread fixes by changing this value.
    smtpd_sasl_path = /var/run/dovecot/auth-client
    # Keep noanonymous: it forbids SASL mechanisms that authenticate nobody,
    # which could otherwise satisfy permit_sasl_authenticated above.
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
    smtpd_sasl_type = dovecot
    # AUTH is only announced after STARTTLS, so credentials are never sent in clear.
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/ssl/private/mydomain_com_fullchain.pem
    smtpd_tls_key_file = /etc/ssl/private/mydomain_com_privkey.pem
    # level 3 dumps the TLS negotiation; drop back to 1 once debugging is done
    smtpd_tls_loglevel = 3
    smtpd_tls_received_header = yes
    # Inbound TLS is opportunistic (the Internet norm); the submission entry in
    # master.cf tightens this to "encrypt" for authenticating clients.
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550
    # Virtual domains/mailboxes/aliases come from MySQL via proxymap; mail is
    # stored as uid/gid 2000 (vmail) and delivered to Dovecot over LMTP.
    virtual_alias_maps = proxy:mysql:/etc/postfix/sql/virtual_alias_maps.cf
    virtual_gid_maps = static:2000
    virtual_mailbox_base = /var/www/mail/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/virtual_domains_maps.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/virtual_mailbox_maps.cf
    virtual_minimum_uid = 2000
    virtual_transport = lmtp:unix:private/dovecot-lmtp
    virtual_uid_maps = static:2000
    My config.inc.php
    Code:
    // Roundcube config.inc.php excerpt as posted (values redacted by the poster).
    // Holds the database credentials; keep the file readable only by the
    // web-server user.
    $config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcubemail_db';
    // IMAPS to mydomain.com: the Dovecot certificate has to be valid for this
    // exact hostname (the thread's first reply makes the same point).
    $config['default_host'] = 'imaps://mydomain.com/';
    $config['default_port'] = 993;
    
    // SMTP with STARTTLS to the same host; the helo in the rejection logged
    // above (webmail.mydomain.com) comes from this client.
    $config['smtp_server'] = 'tls://mydomain.com/';
    
    $config['support_url'] = '[email protected]';
    // NOTE(review): des_key encrypts the IMAP password kept in the session
    // store; it must be a secret, randomly generated 24-character value, not a
    // recognisable sequence like the placeholder shown here.
    $config['des_key'] = 'abcdefghijklmnopqrstuvwxyz';
    $config['product_name'] = 'MyDomain.com Webmail';
    $config['language'] = 'en_US';
    $config['draft_autosave'] = 60;
    $config['spellcheck_engine'] = 'pspell';
    Thanks in advance for any help anyone can provide!
     
  2. Steini86


    The error comes from "reject_sender_login_mismatch", probably in your master.cf file. As an immediate workaround, you could remove that restriction.
    You need a certificate that is valid for all domains you are using. Usually you use a single (sub)domain for everything mail related.
    For example mail.domain.com. This domain is used in your certificate, as your mailname/mydestination, for all clients to connect to your server, in your MX/rDNS entries, etc ...
     
  3. teer26


    Nope, still got the same error unfortunately.
    Could it have something to do with [email protected] not technically being part of webmail.mydomain.com? So it expects [email protected], because that is what Roundcube runs on?
     
  4. Steini86


    Well, if the error comes, you have that restriction somewhere ;) Have you restarted the postfix service after the change?
    It does not have anything to do with the host Roundcube is set up on. Roundcube is just an IMAP client. The question is whether Postfix knows that the user used to authenticate when sending mail is connected to the "from" address of the mail. That check is only done when reject_sender_login_mismatch is set => http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
     
  5. teer26


    Always, religiously, probably to the point of excessiveness :)

    Alright, so here is where things stand:
    • As per your suggestion, I took all my mail subdomains (mail.domain.com, pop3.domain.com, smtp.domain.com, imap.domain.com) for my two domains out of their domain-specific certs and combined them into one multi-domain email cert. I'm keeping the non-email on their own certs for Nginx (since this server is primarily a webserver).
    • I can send email that gets received by my various other emails (Gmail, Outlook, Verizon.net, etc).
    • But when I reply to the email from those aforementioned other emails, it does not go through. Nor have I yet received a "bounced back" email message.

    Now /var/log/maillog shows:
    I'm guessing permission is denied because of
    Code:
    # "noanonymous" only forbids SASL mechanisms that authenticate nobody; it is
    # unrelated to filesystem permissions, so it is not what produces a
    # permission-denied log line (the next reply traces that to the socket path).
    # Removing it would let an anonymous login count as permit_sasl_authenticated
    # in the restriction lists below — keep it.
    smtpd_sasl_security_options        = noanonymous
    What are the security repercussions of changing this?


    My Postfix main.cf:
    Code:
    # main.cf excerpt as posted (the "..." elides lines). The client list ends in
    # an implicit permit; relaying is decided by smtpd_relay_restrictions.
    smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    ...
    # NOTE(review): this map is only consulted by reject_sender_login_mismatch
    # and its variants, and no restriction list shown on this page contains one;
    # as posted, any authenticated user may use any envelope sender. A sender
    # login map is also keyed by sender address, whereas the file name suggests a
    # domain-keyed table — confirm which table this should be.
    smtpd_sender_login_maps         = proxy:mysql:/etc/postfix/sql/virtual_domains_maps.cf
    smtpd_sender_restrictions        = permit_mynetworks,reject_non_fqdn_sender,reject_unknown_sender_domain,permit
    
    
    My Postfix master.cf:
    Code:
    # master.cf excerpt as posted. Notes sit in front of each entry, because a
    # line beginning with whitespace continues the entry above it.
    # NOTE(review): inbound mail is handed to SpamAssassin via content_filter
    # here, and spamass-milter is also in smtpd_milters in main.cf, so it looks
    # like every message is scanned twice — confirm this is intended.
    smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
    # Filter service: runs spamc as user spamassassin and re-injects via
    # sendmail(1). pipe(8) executes argv directly (no shell), so ${sender} and
    # ${recipient} are not subject to shell interpretation.
    spamassassin unix -     n       n       -       -       pipe user=spamassassin argv=/usr/bin/spamc -f -e  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
    # Submission: TLS enforced, SASL through Dovecot's private/auth socket
    # (relative to queue_directory, i.e. /var/spool/postfix/private/auth).
    # NOTE(review): smtpd_sasl_security_options is given twice with the same
    # value (harmless); smtpd_sasl_local_domain is $myhostname here but
    # $mydomain in main.cf; and no per-service client restriction such as
    # "-o smtpd_client_restrictions=permit_sasl_authenticated,reject" is set, so
    # unauthenticated clients on this port fall back to the main.cf lists.
    # The commented-out milter_macro_daemon_name=ORIGINATING is the macro
    # OpenDKIM setups commonly key signing on — confirm submitted mail is signed.
    submission inet n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=no
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_sasl_local_domain=$myhostname
      -o smtpd_sasl_security_options=noanonymous
    #  -o milter_macro_daemon_name=ORIGINATING
    
    Roundcube config is unchanged.
    The only thing changed about Dovecot's dovecot.conf is the (mail-specific) cert.
     
  6. Steini86


    You probably have a line like this in your postfix config: "smtpd_sasl_path = /var/run/dovecot/auth-client"
    However, it looks like postfix has no rights to read the file or it does not exist.
    What option have you set in dovecot for "service auth"? It should match the postfix config ;)
     
  7. teer26


    Right, so I finally fixed it, and can now send and receive emails on the primary domain.
    Steini86 may have literally been a lifesaver, as it was only so much longer before I gave up and became a Luddite.

    Your solution was spot on, but for future generations entering the (very surprisingly) maddeningly complex world of email servers I will post exactly what I did here.

    Changed dovecot.conf
    (this might have been the original config, but I switched so many things so many times I cannot remember anymore. In any event, it looks like this now)
    Code:
    # Dovecot's end of the Postfix SASL socket. The listener is owned by
    # postfix:postfix with mode 0600, so only Postfix can query authentication.
    # Postfix's smtpd_sasl_path (main.cf and the submission entry) must name this
    # same path, which is what the rest of this post lines up.
    service auth {
        unix_listener /var/spool/postfix/private/auth {
            group = postfix
            mode = 0600
            user = postfix
        }
        # NOTE(review): the auth service itself runs as root; with an sql passdb
        # that is not obviously required — confirm against the Dovecot docs.
        user = root
    }
    Changed Postfix main.cf:
    Somehow, my previous config worked despite the two bolded lines being different?
    Code:
    # Final main.cf excerpt (the "..." elides lines). smtpd_sasl_path now matches
    # the Dovecot unix_listener; that path change is the actual fix in this thread.
    smtpd_client_restrictions        = permit_mynetworks, permit_sasl_authenticated
    smtpd_recipient_restrictions         = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_relay_restrictions         = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    ...
    # Absolute form of the socket; the submission entry in master.cf uses the
    # relative private/auth, which resolves under queue_directory to the same file.
    smtpd_sasl_path                = /var/spool/postfix/private/auth
    # Keep: forbids anonymous SASL mechanisms; removing it would let an
    # anonymous login satisfy permit_sasl_authenticated above.
    smtpd_sasl_security_options        = noanonymous
    smtpd_sasl_tls_security_options        = $smtpd_sasl_security_options
    smtpd_sasl_type                = dovecot
    
    smtpd_sender_restrictions        = permit_mynetworks,reject_non_fqdn_sender,reject_unknown_sender_domain,permit
    # NOTE(review): defined but unused — no restriction list on this page
    # includes reject_sender_login_mismatch, so authenticated users are not tied
    # to their own sender addresses. If that check is wanted, the map must be
    # keyed by sender address (the file name suggests a domain-keyed table).
    smtpd_sender_login_maps         = proxy:mysql:/etc/postfix/sql/virtual_domains_maps.cf
    Changed Postfix master.cf:
    Note: "-o" settings in master.cf override main.cf for that service, so any duplicate entries between those two files may confuse troubleshooting.
    Code:
    # Final submission entry. The relative smtpd_sasl_path=private/auth resolves
    # under queue_directory to /var/spool/postfix/private/auth, the socket that
    # Dovecot's "service auth" above creates — this pairing is the fix.
    # NOTE(review): smtpd_sasl_security_options is repeated (same value, last one
    # wins); smtpd_sasl_local_domain here ($myhostname) differs from main.cf
    # ($mydomain); and without a per-service
    # "-o smtpd_client_restrictions=permit_sasl_authenticated,reject" the port
    # still accepts unauthenticated clients under the main.cf restriction lists.
    submission inet n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=no
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_sasl_local_domain=$myhostname
      -o smtpd_sasl_security_options=noanonymous
    
    But wait, there's more!
    Once you change the auth in Dovecot and Postfix (as shown above), it still may not work because of permissions. Mine did not, I kept getting (among several others):
    Code:
    fatal: scan_dir_push: open directory maildrop: Permission denied 
    The solution to this is to run
    Code:
    # Re-applies the expected owner/group/mode to Postfix's directories and files
    # (here, the maildrop directory named in the "Permission denied" error above).
    # Needs root.
    sudo postfix set-permissions
    But on CentOS 7 (or at least, my server) it will say
    Code:
    chown: cannot access '/etc/postfix/postfix-files.d': No such file or directory
    I'm not sure if this is a bug, but while there is a postfix-files in that location there is no postfix-files.d.
    So I copied it with
    Code:
    # NOTE(review): in Postfix 3.x postfix-files.d is meant to be a directory of
    # per-package fragments of postfix-files, so the faithful fix is
    # "sudo mkdir /etc/postfix/postfix-files.d". Copying the file to that name
    # only satisfies the chown in the error above; harmless, but confirm against
    # the Postfix docs before relying on it.
    sudo cp /etc/postfix/postfix-files /etc/postfix/postfix-files.d
    I restarted Postfix, and then voila! it worked.

    Thanks again to Steini86 for saving my butt :D
     
