On Tue, Apr 20, 2010 at 12:21:35PM +0200, Gregory BELLIER wrote:

>> Try again, with a more useful log sample, and configuration settings
>> for the receiving side. The log sample should include multiple lines
>> of logging from the SMTP client, showing any TLS handshake, ...
>>
> Alright, please take a look at the end of this email for the configuration
> files for mta1 and mta2. They're almost identical.
> In attachments, there are the logs.
Did you read the logs?

Apr 20 12:02:00 mta1 postfix/smtpd[2949]: Anonymous TLS connection established from unknown[10.0.0.2]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: SASL authentication failure: no secret in database
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: unknown[10.0.0.2]: SASL CRAM-MD5 authentication failed: authentication failure
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: SASL authentication failure: no secret in database
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: unknown[10.0.0.2]: SASL NTLM authentication failed: authentication failure
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: 9356961EE: client=unknown[10.0.0.2], sasl_method=PLAIN, sasl_username=dest

Why are you offering CRAM-MD5 and NTLM on mta1, when only PLAIN works?

> mta1:/etc/postfix# postconf -n
> relayhost = [10.0.0.6]
> smtp_sasl_auth_enable = yes
> smtp_sasl_mechanism_filter = plain
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_tls_security_level = encrypt
>
> mta2:/etc/postfix# postconf -n
> relayhost = [10.0.0.5]
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous, noplaintext
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_sasl_type = cyrus

> Apr 20 12:02:00 mta1 xxx/pkcs11: Untrusted TLS connection established to
> 10.0.0.6[10.0.0.6]:25: TLSv1 with cipher ADH-XXX-SHA (256/256 bits)
> Apr 20 12:02:00 mta1 xxx/pkcs11: warning: SASL authentication failure: No
> worthy mechs found

The server at 10.0.0.6 is not configured to offer PLAIN, even over TLS.

> Apr 20 12:02:01 mta2 postfix/smtpd[2954]: connect from mta1.local[10.0.0.5]
> Apr 20 12:02:01 mta2 xxx/pkcs11: Anonymous TLS connection established from
> mta1.local[10.0.0.5]: TLSv1 with cipher ADH-XXX-SHA (256/256 bits)
> Apr 20 12:02:01 mta2 xxx/pkcs11: disconnect from mta1.local[10.0.0.5]

Why is "smtpd" calling itself "pkcs11"?
Are you loading shared libraries that call openlog() and mess up the application's syslog name?

In any case, it sure looks like no PLAIN authentication support is configured on mta2, and you are showing no evidence of which mechanisms are available on this MTA via TLS (sasl-finger does not use TLS).

You need to disable verbose TLS logging, and enable verbose non-TLS logging:

mta2:main.cf:
    debug_peer_list = 10.0.0.5

and see what mechanisms, if any, are actually offered to the peer MTA. Also look at SASL's "smtpd.conf" in the appropriate location and determine what mechanisms should be offered.

-- 
	Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
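The log reading above (mechanisms that fail for every client, a PLAIN login that works, a client finding "No worthy mechs", and TLS negotiated with an anonymous-DH cipher that authenticates no server) can be automated over a mail log. The script below is an added example, not code from this thread or from Postfix; the sample lines are constructed after the ones quoted above, with the process names normalised to postfix/smtpd and postfix/smtp and the redacted cipher replaced by a plausible ADH name.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: Anonymous TLS connection established from unknown[10.0.0.2]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: SASL authentication failure: no secret in database
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: unknown[10.0.0.2]: SASL CRAM-MD5 authentication failed: authentication failure
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: unknown[10.0.0.2]: SASL NTLM authentication failed: authentication failure
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: 9356961EE: client=unknown[10.0.0.2], sasl_method=PLAIN, sasl_username=dest
Apr 20 12:02:00 mta1 postfix/smtp[2951]: Untrusted TLS connection established to 10.0.0.6[10.0.0.6]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Apr 20 12:02:00 mta1 postfix/smtp[2951]: warning: SASL authentication failure: No worthy mechs found
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) (?P<prog>\S+?)\[\d+\]: (?P<msg>.*)$")
TLS_RE = re.compile(r"TLS connection established (?:from|to) (?P<peer>\S+): \S+ with cipher (?P<cipher>\S+)")
FAIL_RE = re.compile(r"warning: (?P<peer>\S+): SASL (?P<mech>\S+) authentication failed")
OK_RE = re.compile(r"client=(?P<peer>\S+), sasl_method=(?P<mech>\S+), sasl_username=")
ANON_CIPHER_PREFIXES = ("ADH-", "AECDH-")  # anonymous DH: TLS with no server certificate at all


def audit_sasl(log_text):
    """Summarise SASL outcomes per peer and flag TLS sessions that authenticate nobody."""
    failed, succeeded = defaultdict(set), defaultdict(set)
    anon_tls, no_mechs = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, prog, msg = m.group("host"), m.group("prog"), m.group("msg")
        if (t := TLS_RE.search(msg)) and t.group("cipher").startswith(ANON_CIPHER_PREFIXES):
            anon_tls.append((host, prog, t.group("peer"), t.group("cipher")))
        elif f := FAIL_RE.search(msg):
            failed[f.group("peer")].add(f.group("mech"))      # server side: mechanism tried and rejected
        elif o := OK_RE.search(msg):
            succeeded[o.group("peer")].add(o.group("mech"))   # server side: mechanism that worked
        elif "No worthy mechs found" in msg:
            no_mechs.append((host, prog))                     # client side: nothing usable was offered
    # Mechanisms that were offered and only ever failed for a peer: candidates for removal.
    unused = {p: sorted(mechs - succeeded.get(p, set())) for p, mechs in failed.items()}
    return {
        "failed": {p: sorted(s) for p, s in failed.items()},
        "succeeded": {p: sorted(s) for p, s in succeeded.items()},
        "offered_but_unused": unused,
        "anonymous_tls": anon_tls,
        "client_no_mechs": no_mechs,
    }
```

On the sample it reports CRAM-MD5 and NTLM as offered-but-unused for the 10.0.0.2 client, the anonymous-DH session to 10.0.0.6, and the client-side "No worthy mechs" failure, which is exactly the mismatch discussed above.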