On Tue, Apr 20, 2010 at 12:21:35PM +0200, Gregory BELLIER wrote:

>> Try again, with a more useful log sample, and configuration settings
>> for the receiving side. The log sample should include multiple lines
>> of logging from the SMTP client, showing any TLS handshake, ...
>>   
> Alright, please take a look at the end of this email for the configuration 
> files for mta1 and mta2. They're almost identical.
> In attachments, there are the logs.

Did you read the logs?

Apr 20 12:02:00 mta1 postfix/smtpd[2949]: Anonymous TLS connection established from unknown[10.0.0.2]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: SASL authentication failure: no secret in database
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: unknown[10.0.0.2]: SASL CRAM-MD5 authentication failed: authentication failure
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: SASL authentication failure: no secret in database
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: unknown[10.0.0.2]: SASL NTLM authentication failed: authentication failure
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: 9356961EE: client=unknown[10.0.0.2], sasl_method=PLAIN, sasl_username=dest

Why are you offering CRAM-MD5 and NTLM on mta1, when only PLAIN works?

> mta1:/etc/postfix# postconf -n
> relayhost = [10.0.0.6]
> smtp_sasl_auth_enable = yes
> smtp_sasl_mechanism_filter = plain
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_tls_security_level = encrypt
>
> mta2:/etc/postfix# postconf -n
> relayhost = [10.0.0.5]
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous, noplaintext
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_sasl_type = cyrus

> Apr 20 12:02:00 mta1 xxx/pkcs11: Untrusted TLS connection established to 10.0.0.6[10.0.0.6]:25: TLSv1 with cipher ADH-XXX-SHA (256/256 bits)
> Apr 20 12:02:00 mta1 xxx/pkcs11: warning: SASL authentication failure: No worthy mechs found

The server at 10.0.0.6 is not configured to offer PLAIN, even over TLS.

> Apr 20 12:02:01 mta2 postfix/smtpd[2954]: connect from mta1.local[10.0.0.5]
> Apr 20 12:02:01 mta2 xxx/pkcs11: Anonymous TLS connection established from mta1.local[10.0.0.5]: TLSv1 with cipher ADH-XXX-SHA (256/256 bits)
> Apr 20 12:02:01 mta2 xxx/pkcs11: disconnect from mta1.local[10.0.0.5]

Why is "smtpd" calling itself "pkcs11"? Are you loading shared libraries
that call openlog() and mess up the application's syslog name?
In any case, it sure looks like no PLAIN authentication support is configured
on mta2, and you are showing no evidence of which mechanisms are available
on this MTA via TLS (sasl-finger does not use TLS).

You need to disable verbose TLS logging, and enable verbose non-TLS logging

    mta2:main.cf:
        debug_peer_list=10.0.0.5

and see what mechanisms if any are actually offered to the peer MTA. Also
look at SASL's "smtpd.conf" in the appropriate location and determine what
mechanisms should be offered.

-- 
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
