Postfix and Sparkpost relay authentication failures

Until recently I have had no problems with relays and forwards from Postfix through Sparkpost. Now I get authentication errors 530 5.7.1. The server is running Debian Stretch. The settings in Postfix main.cf are set as Sparkpost recommends.



smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtp_sasl_password_maps = static:SMTP_Injection:My_API_key


I have a mailbox, me@example.com, that forwards to me@otheraddress.com. The message is delivered to me@example.com, but the mail log shows the following regarding the forward:



Dec 31 11:19:48 example postfix/smtp[19188]: 66AA357DD2: to=<me@otheraddress.com>, relay=smtp.sparkpostmail.com[52.26.175.191]:587, delay=0.38, delays=0.1/0.01/0.21/0.06, dsn=5.7.1, status=bounced (host smtp.sparkpostmail.com[52.26.175.191] said: 530 5.7.1 Authorization required. Ref. https://developers.sparkpost.com/api/index#header-smtp-relay-endpoints (in reply to MAIL FROM command))
Dec 31 11:19:48 example postfix/cleanup[19176]: EAB4957DD0: message-id=<20181231161948.EAB4957DD0@example.com>
Dec 31 11:19:49 example postfix/bounce[19189]: 66AA357DD2: sender non-delivery notification: EAB4957DD0
Dec 31 11:19:49 example postfix/qmgr[19147]: EAB4957DD0: from=<>, size=7611, nrcpt=1 (queue active)
Dec 31 11:19:49 example postfix/cleanup[19176]: 5777A57DD4: message-id=<20181231161949.5777A57DD4@example.com>
Dec 31 11:19:49 example postfix/bounce[19189]: 66AA357DD2: postmaster non-delivery notification: 5777A57DD4


I know the cert is working because I see no errors when I run



openssl s_client -connect mail.example.com:587 -starttls smtp


Output:



CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
0 s:/CN=example.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGUjCCBTqgAwIBAgISBMCBEL46Fp5eG+d54abyrZxXMA0GCSqGSIb3DQEBCwUA
...
qFl1JeXAxKBW9nE9E5+ZuC+8SNF7LlqiN2bi5BMA1x0wiVXZk+fTAk3vRsTTr0CM
svdtByn4XF3UbPoBhnHv8IGXx0ZqXUWt141ZxkV2Mxaak2TyyK7IeVCqlWGIMC1z
pgOO7fdZMY1xC/TEDdxcMOyTf7C7Ih539kPoeM7wHdWNXsipbc3r6NWQ9440dCd1
yPXKfWzAPBhtqFF+T3SOFqQHr6twNRLT8ITu/PtiipxUAvO+wQrdLIrKzfpNeJW4
GXXXeV+crpGdvJa/EdYLZgx5O2DWX67VKerlVWTdcAGwvU3Jia8=
-----END CERTIFICATE-----
subject=/CN=example.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3733 bytes and written 335 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 3987DBFA6A51B83864E89C0E8E7C24EB9536355130F8ADE266033CEAE264B6B2
Session-ID-ctx:
Master-Key: DA5D77AFF4C3B173144402101F9E59AE809C120679BDA9CE577D963148E5F405F205BB4898D3754BE6608863E9A7E5C0
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:

Start Time: 1546272800
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
250 SMTPUTF8


How can I fix this?

email ssl postfix debian-stretch

asked Dec 31 '18 at 16:37

RS Becker

  • The authorization problem is at the SMTP level, not at the TLS level. Thus checking if the certificate fits with openssl s_client is irrelevant - check the SMTP user and password instead.

    – Steffen Ullrich
    Dec 31 '18 at 17:53

  • You are correct. But it took some time to figure that out, and Sparkpost's error message 530 5.7.1 wasn't helpful. In fact, their suggested settings only work in a limited set of circumstances, where all emails sent originate locally and no user forwards email originating outside the local system.

    – RS Becker
    Jan 7 at 14:40

1 Answer

Perhaps I should have realized this at the beginning, and that would have saved hours of stumbling around in darkness. When an email arrives in a local mailbox and is forwarded, it retains the original sender address through the forward. IOW, an email from someone@elsewhere.com -> me@example.com that is forwarded to me@otheraddress.com arrives at smtp.sparkpostmail.com with its original sender address, someone@elsewhere.com. Sparkpost then bounces the email because elsewhere.com is not a sending domain it recognizes. The correct error message is 550 5.7.1, and should identify elsewhere.com as the configuration problem.



The solution I eventually arrived at is to configure postfix so it uses different transports and authentication credentials depending on the sender address. To do that you need to create two data files, or if you use postfix's mysql database, one data file and edit the postfix.transport table.



/etc/postfix/sasl_passwd includes local sending domains and Sparkpost login credentials:



@example.com  SMTP_Injection:<API key for example.com>
@example2.com SMTP_Injection:<API key for example2.com>


/etc/postfix/relayhosts includes the local domains with the Sparkpost relayhost, and a catch-all for forwarded mail that passes through the server:



@example.com  [smtp.sparkpostmail.com]:587
@example2.com [smtp.sparkpostmail.com]:587
* smtps


Don't forget to run postmap /etc/postfix/sasl_passwd and postmap /etc/postfix/relayhosts.



If using mysql, edit the postfix.transport table, adding [smtp.sparkpostmail.com]:587 in the transport field for each local domain that uses sparkpost. If you have local domains that don't use sparkpost, add "smtps" in the transport field. Create /etc/postfix/virtual_forward.cf to pull the same data from the transport table in the mysql db:



hosts = 127.0.0.1
#or: hosts = localhost
user = mysql-login
password = mysql-pw
dbname = postfix
query = SELECT transport FROM transport WHERE domain='%s' AND LENGTH(transport) > 0


Again, you must add a catch-all transport as the last record in the table:



*  smtps


As I understand it, smtps uses port 465 as defined in master.cf, and sends from the local server, not submission (smtpd) as defined in master.cf, which uses port 587 to send through Sparkpost.



To make all of this work, you need to add some settings to main.cf.



#Unless the next line has no value, postfix cannot send from localhost
relayhost =
#Use ONE of the next two assignments. The parameter name is sender_dependent_relayhost_maps; if both are present, the later one overrides the earlier.
#Using the relayhosts file
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhosts
#Using mysql (comment out the hash: line above if you use this one)
#sender_dependent_relayhost_maps = mysql:/etc/postfix/virtual_forward.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
#Not sure the next 2 lines are absolutely necessary, but I assume they are because they relate to smtp, rather than smtpd (submission)
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd


I hope this explanation saves others from having to spend hours slogging through the arcana of mailserverdom.
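
To see why the answer's maps send local mail through Sparkpost with the right key while a forwarded message from an outside sender is not handed to Sparkpost at all, here is an added Python model (not code from the question or the answer) that replays the Postfix lookups for sender_dependent_relayhost_maps and smtp_sasl_password_maps in the documented search order: envelope sender, then @domain, then (for credentials) the next-hop destination. Map contents are copied from the answer with placeholder API keys; the registered-domain check that stands in for Sparkpost's own acceptance rule is a constructed assumption based on the answer's diagnosis, not Sparkpost's actual logic.

```python
# Model of the Postfix lookups behind the answer's sender-dependent relay setup.
# Added example; the maps are copied from the answer, API keys are placeholders.

SPARKPOST = "[smtp.sparkpostmail.com]:587"

# Constructed: the two hash: maps from the answer.
SASL_PASSWD = {
    "@example.com": "SMTP_Injection:<API key for example.com>",
    "@example2.com": "SMTP_Injection:<API key for example2.com>",
}
RELAYHOSTS = {
    "@example.com": SPARKPOST,
    "@example2.com": SPARKPOST,
    "*": "smtps",  # kept as in the answer's file; never produced as a lookup key below
}

# Constructed stand-in for the relay's own check: the answer's diagnosis is that
# Sparkpost only accepts envelope senders in domains registered on the account.
REGISTERED_SENDING_DOMAINS = {"example.com", "example2.com"}


def sender_keys(sender):
    """Keys Postfix tries in a sender-dependent map, in order: the full
    envelope sender, then @domain. hash: tables are exact-key lookups, so
    nothing else can match. The null sender <> of a bounce yields no keys."""
    if "@" not in sender:
        return []
    domain = sender.rsplit("@", 1)[1].lower()
    return [sender.lower(), "@" + domain]


def choose_relayhost(sender, relay_maps, global_relayhost):
    """sender_dependent_relayhost_maps, falling back to the global relayhost."""
    for key in sender_keys(sender):
        if key in relay_maps:
            return relay_maps[key]
    return global_relayhost  # "" = no relay: deliver to the recipient's MX


def choose_credential(sender, relayhost, passwd_maps, sender_dependent):
    """smtp_sasl_password_maps: with smtp_sender_dependent_authentication = yes
    the sender keys are tried first, then the next-hop destination."""
    keys = sender_keys(sender) if sender_dependent else []
    for key in keys + [relayhost]:
        if key and key in passwd_maps:
            return passwd_maps[key]
    return None  # no credential: the client would talk to the relay without AUTH


def route(sender, cfg):
    """Return (relayhost, credential, verdict) for one envelope sender."""
    relay = choose_relayhost(sender, cfg["relay_maps"], cfg["relayhost"])
    cred = choose_credential(sender, relay, cfg["passwd_maps"], cfg["sender_dependent"])
    if not relay:
        return relay, cred, "direct delivery, no relay involved"
    if cred is None:
        return relay, cred, "relay refuses: AUTH required but no credential found"
    domain = sender.rsplit("@", 1)[1].lower() if "@" in sender else ""
    if domain not in REGISTERED_SENDING_DOMAINS:
        return relay, cred, "relay refuses: sender domain not registered with the account"
    return relay, cred, "relayed with AUTH"


# The question's setup: one global relayhost and one static credential for everyone.
BEFORE = {
    "relayhost": SPARKPOST,
    "relay_maps": {},
    "passwd_maps": {SPARKPOST: "SMTP_Injection:My_API_key"},  # what static: amounts to
    "sender_dependent": False,
}
# The answer's setup: empty global relayhost plus the two per-sender maps.
AFTER = {
    "relayhost": "",
    "relay_maps": RELAYHOSTS,
    "passwd_maps": SASL_PASSWD,
    "sender_dependent": True,
}

# Constructed senders: two local mailboxes and the outside sender of a forwarded message.
SENDERS = ["me@example.com", "me@example2.com", "someone@elsewhere.com"]

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        for s in SENDERS:
            relay, cred, verdict = route(s, cfg)
            auth = "yes" if cred else "no"
            print(f"{name:6} {s:24} relay={relay or '-':28} auth={auth:3} {verdict}")
```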






share|improve this answer

























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1389323%2fpostfix-and-sparkpost-relay-authentication-failures%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    Perhaps I should have realized this at the beginning, and that would have saved hours of stumbling around in darkness. When an email arrives in a local mailbox and is forwarded, it retains the original sender address through the forward. IOW, an email from someone@elsewhere.com -> me@example.com that is forwarded to me@otheraddress.com arrives at smtp.sparkpostmail.com with its original sender address, someone@elsewhere.com. Sparkpost then bounces the email because elsewhere.com is not a sending domain it recognizes. The correct error message is 550 5.7.1, and should identify elsewhere.com as the configuration problem.



    The solution I eventually arrived at is to configure postfix so it uses different transports and authentication credentials depending on the sender address. To do that you need to create two data files, or if you use postfix's mysql database, one data file and edit the postfix.transport table.



    /etc/postfix/sasl_passwd includes local sending domains and Sparkpost login credentials:



    @example.com  SMTP_Injection:<API key for example.com>
    @example2.com SMTP_Injection:<API key for example2.com>


    /etc/postfix/relayhosts includes the local domains with the Sparkpost relayhost, and a catch-all for forwarded mail that passes through the server:



    @example.com  [smtp.sparkpostmail.com]:587
    @example2.com [smtp.sparkpostmail.com]:587
    * smtps


    Don't forget to postmap /etc/postfix/sasl_passwd, and postmap /etc/postfix/relayhosts.



    If using mysql, edit the postfix.transport table, adding [smtp.sparkpostmail.com]:587 in the transport field for each local domain that uses sparkpost. If you have local domains that don't use sparkpost, add "smtps" in the transport field. Create /etc/postfix/virtual_forward.cf to pull the same data from the transport table in the mysql db:



    hosts = 127.0.0.1 (or localhost)
    user = mysql-login
    password = mysql-pw
    dbname = postfix
    query = SELECT transport FROM transport WHERE domain='%s' AND LENGTH(transport) > 0


    Again, you must add a catch-all transport as the last record in the table:



    *  smtps


    As I understand it, smtps uses port 465 as defined in master.cf, and sends from the local server, not submission (smtpd) as defined in master.cf, which uses port 587 to send through Sparkpost.



    To make all of this work, you need to add some settings to main.cf



    #Unless the next line has no value, postfix cannot send from localhost
    relayhost =
    #Using the relayhosts file
    sender_dependent_relayhosts_maps = hash:/etc/postfix/relayhosts
    #Using mysql
    sender_dependent_relayhosts_maps = mysql:/etc/postfix/virtual_forward.cf
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noanonymous
    #Not sure the next 2 lines are absolutely necessary, but I assume they are because they relate to smtp, rather than smtpd (submission)
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous
    smtp_sender_dependent_authentication = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd


    I hope this explanation saves others from having to spend hours slogging through the arcana of mailserverdom.






    share|improve this answer






























      0














      Perhaps I should have realized this at the beginning, and that would have saved hours of stumbling around in darkness. When an email arrives in a local mailbox and is forwarded, it retains the original sender address through the forward. IOW, an email from someone@elsewhere.com -> me@example.com that is forwarded to me@otheraddress.com arrives at smtp.sparkpostmail.com with its original sender address, someone@elsewhere.com. Sparkpost then bounces the email because elsewhere.com is not a sending domain it recognizes. The correct error message is 550 5.7.1, and should identify elsewhere.com as the configuration problem.



      The solution I eventually arrived at is to configure postfix so it uses different transports and authentication credentials depending on the sender address. To do that you need to create two data files, or if you use postfix's mysql database, one data file and edit the postfix.transport table.



      /etc/postfix/sasl_passwd includes local sending domains and Sparkpost login credentials:



      @example.com  SMTP_Injection:<API key for example.com>
      @example2.com SMTP_Injection:<API key for example2.com>


      /etc/postfix/relayhosts includes the local domains with the Sparkpost relayhost, and a catch-all for forwarded mail that passes through the server:



      @example.com  [smtp.sparkpostmail.com]:587
      @example2.com [smtp.sparkpostmail.com]:587
      * smtps


      Don't forget to postmap /etc/postfix/sasl_passwd, and postmap /etc/postfix/relayhosts.



      If using mysql, edit the postfix.transport table, adding [smtp.sparkpostmail.com]:587 in the transport field for each local domain that uses sparkpost. If you have local domains that don't use sparkpost, add "smtps" in the transport field. Create /etc/postfix/virtual_forward.cf to pull the same data from the transport table in the mysql db:



      hosts = 127.0.0.1
      # or: hosts = localhost
      user = mysql-login
      password = mysql-pw
      dbname = postfix
      query = SELECT transport FROM transport WHERE domain='%s' AND LENGTH(transport) > 0


      Again, you must add a catch-all transport as the last record in the table:



      *  smtps


      As I understand it, smtps uses port 465 as defined in master.cf, and sends from the local server, not submission (smtpd) as defined in master.cf, which uses port 587 to send through Sparkpost.



      To make all of this work, you need to add some settings to main.cf



      #Unless the next line has no value, postfix cannot send from localhost
      relayhost =
      #Using the relayhosts file (the parameter is sender_dependent_relayhost_maps, singular "relayhost")
      sender_dependent_relayhost_maps = hash:/etc/postfix/relayhosts
      #Using mysql instead: enable this line and comment out the hash: line above,
      #because a parameter repeated in main.cf overrides the earlier value
      #sender_dependent_relayhost_maps = mysql:/etc/postfix/virtual_forward.cf
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_type = dovecot
      smtpd_sasl_path = private/auth
      smtpd_sasl_local_domain = $myhostname
      smtpd_sasl_security_options = noanonymous
      #Not sure the next 2 lines are absolutely necessary, but I assume they are because they relate to smtp, rather than smtpd (submission)
      #(smtp_sasl_auth_enable is required: without it the Postfix SMTP client never authenticates to a relay)
      smtp_sasl_auth_enable = yes
      smtp_sasl_security_options = noanonymous
      smtp_sender_dependent_authentication = yes
      smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd


      I hope this explanation saves others from having to spend hours slogging through the arcana of mailserverdom.






        edited Jan 7 at 15:46
        answered Jan 7 at 15:37
        RS Becker
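The following is an added example; it is not part of RS Becker's answer and not Postfix code. It models in plain Python the lookup order postconf(5) documents for sender_dependent_relayhost_maps and, with smtp_sender_dependent_authentication = yes, for smtp_sasl_password_maps: the full envelope sender first, then @domain. Fed constructed copies of the two map files from the answer (placeholder API keys), it shows three things the prose only states: a local sender is relayed through SparkPost with the matching credential; the forwarded message from someone@elsewhere.com matches nothing and falls back to the global relayhost, which is empty, so it goes straight to the recipient's MX; and a global relayhost of [smtp.sparkpostmail.com]:587 would send that same forwarded message to SparkPost with no credential at all, which is the "530 5.7.1 Authorization required" in the question. The parse_map helper, the DIRECT_TO_MX marker and the sample senders are this example's own assumptions. The literal "*" line is parsed but never consulted, because that catch-all is a transport_maps feature and is not one of the keys a sender-dependent relayhost lookup tries.

```python
"""Added example (not from the answer or from Postfix): a plain-Python model of
Postfix's sender-dependent relayhost and SASL credential selection.

Lookup order modelled, as postconf(5) describes for
sender_dependent_relayhost_maps and for smtp_sasl_password_maps when
smtp_sender_dependent_authentication = yes: the full envelope sender address
first, then "@domain". Nothing here talks to a mail server.
"""
from typing import Dict, Iterator, Optional, Tuple

# Constructed copies of the answer's two map files. The API keys are
# placeholders, not real SparkPost credentials.
RELAYHOSTS_TEXT = """\
@example.com  [smtp.sparkpostmail.com]:587
@example2.com [smtp.sparkpostmail.com]:587
* smtps
"""

SASL_PASSWD_TEXT = """\
@example.com  SMTP_Injection:APIKEY-FOR-EXAMPLE-COM
@example2.com SMTP_Injection:APIKEY-FOR-EXAMPLE2-COM
"""

# Assumed marker for "no relayhost at all": Postfix then delivers straight to
# the recipient domain's MX.
DIRECT_TO_MX = "MX"


def parse_map(text: str) -> Dict[str, str]:
    """Parse a postmap(1) source file: one 'key  value' per line, '#' comments.

    Keys are lower-cased, as Postfix does for hash: tables by default.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a key with no value is not a usable entry
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup_keys(sender: str) -> Iterator[str]:
    """Keys tried, in order, for a sender-dependent lookup.

    A literal '*' key is never tried: that catch-all is a transport_maps
    feature and does not apply to sender_dependent_relayhost_maps.
    """
    sender = sender.lower()
    yield sender
    if "@" in sender:
        yield "@" + sender.rsplit("@", 1)[1]


def sender_dependent_lookup(table: Dict[str, str], sender: str) -> Optional[str]:
    """First match for the sender in a map, or None if no key matches."""
    for key in lookup_keys(sender):
        if key in table:
            return table[key]
    return None


def plan_delivery(sender: str, global_relayhost: str = "") -> Tuple[str, Optional[str]]:
    """Return (next_hop, sasl_credential) for one envelope sender.

    next_hop is the per-sender relayhost if one matches, else the global
    relayhost, else DIRECT_TO_MX (the 'relayhost =' case in the answer).
    sasl_credential is None when the sender matches no sasl_passwd entry,
    in which case the SMTP client would not authenticate at all.
    """
    relayhosts = parse_map(RELAYHOSTS_TEXT)
    passwords = parse_map(SASL_PASSWD_TEXT)
    next_hop = sender_dependent_lookup(relayhosts, sender) or global_relayhost or DIRECT_TO_MX
    credential = sender_dependent_lookup(passwords, sender)
    return next_hop, credential


if __name__ == "__main__":
    cases = [
        ("me@example.com", ""),                                       # local sender, answer's config
        ("someone@elsewhere.com", ""),                                # forwarded mail, answer's config
        ("someone@elsewhere.com", "[smtp.sparkpostmail.com]:587"),   # forwarded mail, global relayhost set
    ]
    for envelope_from, relayhost in cases:
        hop, cred = plan_delivery(envelope_from, relayhost)
        print(f"relayhost={relayhost or '(empty)':<30} from={envelope_from:<24} "
              f"-> {hop:<30} auth={'yes' if cred else 'NONE'}")
```

On a running Postfix the same lookups can be checked against the compiled tables with postmap -q '@example.com' hash:/etc/postfix/relayhosts and postmap -q 'someone@elsewhere.com' hash:/etc/postfix/sasl_passwd (the second should print nothing). Two caveats the answer does not cover: /etc/postfix/sasl_passwd and its .db file contain SparkPost API keys and should be readable by root only (chmod 600 /etc/postfix/sasl_passwd*), and the client should refuse to send those credentials before STARTTLS, which smtp_tls_security_level = encrypt enforces.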





























