Argthtjtr

Until recently I have had no problems with relays and forwards from Postfix through Sparkpost. Now I get authentication errors 530 5.7.1. The server is running Debian Stretch. The settings in Postfix main.cf are set as Sparkpost recommends.

smtpd_sasl_auth_enable = yes

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_local_domain = $myhostname

smtpd_sasl_security_options = noanonymous

smtp_sasl_password_maps = static:SMTP_Injection:My_API_key

I have a mailbox, me@example.com that forwards to me@otheraddress.com. The message is delivered to me@example.com, but the mail log shows the following re the forward:

Dec 31 11:19:48 example postfix/smtp[19188]: 66AA357DD2: to=<me@otheraddress.com>, relay=smtp.sparkpostmail.com[52.26.175.191]:587, delay=0.38, delays=0.1/0.01/0.21/0.06, dsn=5.7.1, status=bounced (host smtp.sparkpostmail.com[52.26.175.191] said: 530 5.7.1 Authorization required. Ref. https://developers.sparkpost.com/api/index#header-smtp-relay-endpoints (in reply to MAIL FROM command))

Dec 31 11:19:48 example postfix/cleanup[19176]: EAB4957DD0: message-id=<20181231161948.EAB4957DD0@example.com>

Dec 31 11:19:49 example postfix/bounce[19189]: 66AA357DD2: sender non-delivery notification: EAB4957DD0

Dec 31 11:19:49 example postfix/qmgr[19147]: EAB4957DD0: from=<>, size=7611, nrcpt=1 (queue active)

Dec 31 11:19:49 example postfix/cleanup[19176]: 5777A57DD4: message-id=<20181231161949.5777A57DD4@example.com>

Dec 31 11:19:49 example postfix/bounce[19189]: 66AA357DD2: postmaster non-delivery notification: 5777A57DD4

I know the cert is working because I see no errors when I run

openssl s_client -connect mail.example.com:587 -starttls smtp

Output:

CONNECTED(00000003)

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3

verify return:1

depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

verify return:1

depth=0 CN = example.com

verify return:1

---

Certificate chain

 0 s:/CN=example.com

   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIGUjCCBTqgAwIBAgISBMCBEL46Fp5eG+d54abyrZxXMA0GCSqGSIb3DQEBCwUA

...

qFl1JeXAxKBW9nE9E5+ZuC+8SNF7LlqiN2bi5BMA1x0wiVXZk+fTAk3vRsTTr0CM

svdtByn4XF3UbPoBhnHv8IGXx0ZqXUWt141ZxkV2Mxaak2TyyK7IeVCqlWGIMC1z

pgOO7fdZMY1xC/TEDdxcMOyTf7C7Ih539kPoeM7wHdWNXsipbc3r6NWQ9440dCd1

yPXKfWzAPBhtqFF+T3SOFqQHr6twNRLT8ITu/PtiipxUAvO+wQrdLIrKzfpNeJW4

GXXXeV+crpGdvJa/EdYLZgx5O2DWX67VKerlVWTdcAGwvU3Jia8=

-----END CERTIFICATE-----

subject=/CN=example.com

issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

---

No client certificate CA names sent

Peer signing digest: SHA512

Server Temp Key: ECDH, P-256, 256 bits

---

SSL handshake has read 3733 bytes and written 335 bytes

Verification: OK

---

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

    Session-ID: 3987DBFA6A51B83864E89C0E8E7C24EB9536355130F8ADE266033CEAE264B6B2

    Session-ID-ctx: 

    Master-Key: DA5D77AFF4C3B173144402101F9E59AE809C120679BDA9CE577D963148E5F405F205BB4898D3754BE6608863E9A7E5C0

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    TLS session ticket lifetime hint: 7200 (seconds)

    TLS session ticket:

    0000 - 16 25 d2 8c f4 00 d3 b2-de b8 23 a8 7d 9a 07 ed   .%........#.}...

    0010 - 45 2b e1 9d 15 94 6e 9a-b7 90 4b 8b cb c8 d9 98   E+....n...K.....

    0020 - 27 b6 31 ef 65 18 de db-05 e5 f1 90 1a a9 c2 dc   '.1.e...........

    0030 - 8b c0 2b 38 21 be fd ff-85 8c a2 7a af 86 bc 72   ..+8!......z...r

    0040 - 72 22 ed 67 04 3b 25 92-45 5d 83 ba 85 0e 27 c2   r".g.;%.E]....'.

    0050 - 71 01 ba ea f5 58 11 42-81 70 08 5d e2 22 d0 63   q....X.B.p.].".c

    0060 - 59 08 4c 53 c5 a8 27 37-b2 79 eb 88 55 81 c7 1d   Y.LS..'7.y..U...

    0070 - 0e 69 b2 05 b3 83 05 41-16 e5 18 ad 25 2a 80 2f   .i.....A....%*./

    0080 - 50 c5 d6 95 e8 d4 5a 19-68 7e a0 91 f0 21 ca d2   P.....Z.h~...!..

    0090 - b5 d9 56 58 15 7f d9 71-3a 71 ae 3f 47 a3 99 e2   ..VX...q:q.?G...

    00a0 - 7f 6e 1c 5a ea 85 bb 98-d6 bb a3 6e 40 7f 34 07   .n.Z.......n@.4.



    Start Time: 1546272800

    Timeout   : 7200 (sec)

    Verify return code: 0 (ok)

    Extended master secret: yes

---

250 SMTPUTF8

How can I fix this?

Perhaps I should have realized this at the beginning, and that would have saved hours of stumbling around in darkness. When an email arrives in a local mailbox and is forwarded, it retains the original sender address through the forward. IOW, an email from someone@elsewhere.com -> me@example.com that is forwarded to me@otheraddress.com arrives at smtp.sparkpostmail.com with its original sender address, someone@elsewhere.com. Sparkpost then bounces the email because elsewhere.com is not a sending domain it recognizes. The correct error message is 550 5.7.1, and should identify elsewhere.com as the configuration problem.

The solution I eventually arrived at is to configure postfix so it uses different transports and authentication credentials depending on the sender address. To do that you need to create two data files, or if you use postfix's mysql database, one data file and edit the postfix.transport table.

/etc/postfix/sasl_passwd includes local sending domains and Sparkpost login credentials:

@example.com  SMTP_Injection:<API key for example.com>

@example2.com  SMTP_Injection:<API key for example2.com>

/etc/postfix/relayhosts includes the local domains with the Sparkpost relayhost, and a catch-all for forwarded mail that passes through the server:

@example.com  [smtp.sparkpostmail.com]:587

@example2.com  [smtp.sparkpostmail.com]:587

*   smtps

Don't forget to postmap /etc/postfix/sasl_passwd, and postmap /etc/postfix/relayhosts.

If using mysql, edit the postfix.transport table, adding [smtp.sparkpostmail.com]:587 in the transport field for each local domain that uses sparkpost. If you have local domains that don't use sparkpost, add "smtps" in the transport field. Create /etc/postfix/virtual_forward.cf to pull the same data from the transport table in the mysql db:

hosts = 127.0.0.1 (or localhost)

user = mysql-login

password = mysql-pw

dbname = postfix

query = SELECT transport FROM transport WHERE domain='%s' AND LENGTH(transport) > 0 

Again, you must add a catch-all transport as the last record in the table:

*  smtps

As I understand it, smtps uses port 465 as defined in master.cf, and sends from the local server, not submission (smtpd) as defined in master.cf, which uses port 587 to send through Sparkpost.

To make all of this work, you need to add some settings to main.cf

#Unless the next line has no value, postfix cannot send from localhost

relayhost =

#Using the relayhosts file

sender_dependent_relayhosts_maps = hash:/etc/postfix/relayhosts

#Using mysql

sender_dependent_relayhosts_maps = mysql:/etc/postfix/virtual_forward.cf

smtpd_sasl_auth_enable = yes

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_local_domain = $myhostname

smtpd_sasl_security_options = noanonymous

#Not sure the next 2 lines are absolutely necessary, but I assume they are because they relate to smtp, rather than smtpd (submission)

smtp_sasl_auth_enable = yes

smtp_sasl_security_options = noanonymous

smtp_sender_dependent_authentication = yes

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

I hope this explanation saves others from having to spend hours slogging through the arcana of mailserverdom.