I am not able to get postfix to authenticate on port 465 or 587 to allow account holders to relay via this server.
Everything else works. That is, we can use the account name and password to log into Cyrus IMAP; though I know it isn't postfix that makes that connection, it does mean that SASL is working and accepts the mail account creds used in all the tests in the attachment.
Thunderbird is set up to use SSL/TLS with normal password on port 465 for outgoing email.
It looks to me like postfix is not getting a positive response from SASL, so I expect something is not configured correctly. I've spent the last two days trying to find the issue and have run out of ideas. Any help would be appreciated.
Regards,
Emmett
------ saslfinger --------------
saslfinger - postfix Cyrus sasl configuration Sun Apr 15 13:07:50 PDT 2018
version: 1.0.2
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.10.1
System: CentOS Linux release 7.4.1708 (Core)
-- smtpd is linked to --
libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f0f3265e000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smptd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/pki/comodo.ca-bundle
smtpd_tls_cert_file = /etc/pki/n=mail-domain.info/n=mail-domain.crt
smtpd_tls_key_file = /etc/pki/n=mail-domain.info/n=mail-domain.key
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
-- listing of /usr/lib64/sasl2 --
total 856
drwxr-xr-x. 2 root root 4096 Sep 21 2017 .
dr-xr-xr-x. 123 root root 90112 Apr 12 08:18 ..
-rwxr-xr-x 1 root root 19968 Aug 2 2017 libanonymous.so
-rwxr-xr-x 1 root root 19968 Aug 2 2017 libanonymous.so.3
-rwxr-xr-x 1 root root 19968 Aug 2 2017 libanonymous.so.3.0.0
-rwxr-xr-x 1 root root 24176 Aug 2 2017 libcrammd5.so
-rwxr-xr-x 1 root root 24176 Aug 2 2017 libcrammd5.so.3
-rwxr-xr-x 1 root root 24176 Aug 2 2017 libcrammd5.so.3.0.0
-rwxr-xr-x 1 root root 57904 Aug 2 2017 libdigestmd5.so
-rwxr-xr-x 1 root root 57904 Aug 2 2017 libdigestmd5.so.3
-rwxr-xr-x 1 root root 57904 Aug 2 2017 libdigestmd5.so.3.0.0
-rwxr-xr-x 1 root root 36936 Aug 2 2017 libgssapiv2.so
-rwxr-xr-x 1 root root 36936 Aug 2 2017 libgssapiv2.so.3
-rwxr-xr-x 1 root root 36936 Aug 2 2017 libgssapiv2.so.3.0.0
-rwxr-xr-x 1 root root 20000 Aug 2 2017 liblogin.so
-rwxr-xr-x 1 root root 20000 Aug 2 2017 liblogin.so.3
-rwxr-xr-x 1 root root 20000 Aug 2 2017 liblogin.so.3.0.0
-rwxr-xr-x 1 root root 19992 Aug 2 2017 libplain.so
-rwxr-xr-x 1 root root 19992 Aug 2 2017 libplain.so.3
-rwxr-xr-x 1 root root 19992 Aug 2 2017 libplain.so.3.0.0
-rwxr-xr-x 1 root root 28208 Aug 2 2017 libsasldb.so
-rwxr-xr-x 1 root root 28208 Aug 2 2017 libsasldb.so.3
-rwxr-xr-x 1 root root 28208 Aug 2 2017 libsasldb.so.3.0.0
-rwxr-xr-x 1 root root 28328 Aug 2 2017 libsql.so
-rwxr-xr-x 1 root root 28328 Aug 2 2017 libsql.so.3
-rwxr-xr-x 1 root root 28328 Aug 2 2017 libsql.so.3.0.0
-- listing of /etc/sasl2 --
total 16
drwxr-xr-x. 2 root root 23 Apr 15 07:10 .
drwxr-xr-x. 141 root root 8192 Apr 12 08:18 ..
-rw-rw-r-- 1 root root 49 Apr 15 07:10 smtpd.conf
-- content of /etc/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
192.198.208.222:smtp inet n - n - - smtpd
-o smtpd_sasl_auth_enable=no
127.0.0.1:smtp inet n - n - - smtpd
-o mynetworks=127.0.0.0/8
-o receive_override_options=no_header_body_checks
smtps inet n - n - - smtpd
-o content_filter=amavisfeed:[127.0.0.1]:10044
-o smtpd_enforce_tls=yes
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup fifo n - n 60 1 pickup
-o content_filter=amavisfeed:[127.0.0.1]:10043
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 discard
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
-o smtp_send_xforward_command=yes
-o header_checks=
relay unix - - n - - smtp
-o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
-o smtp_send_xforward_command=yes
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
tlsmgr unix - - n 300 1 tlsmgr
587 inet n - n - - smtpd
-o content_filter=amavisfeed:[127.0.0.1]:10044
-o smtpd_enforce_tls=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_wrappermode=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
amavisfeed unix - - n - 20 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
spamfilter unix - n n - - pipe
user=amavis argv=/etc/postfix/spamfilter.sh -f ${sender} -- ${recipient}
smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
polite unix - - n - - smtp
-o syslog_name=postfix-polite
turtle unix - - n - - smtp
-o syslog_name=postfix-turtle
yahoo unix - - n - - smtp
-o syslog_name=postfix-yahoo
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus unix - n n - - pipe
user=cyrus argv=/usr/lib/cyrus-imapd/deliver -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/var/spool/postfix/private/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/var/spool/postfix/private/bsmtp -f $sender $nexthop $recipient
retry unix - - n - - error
proxywrite unix - - n - 1 proxymap
-- mechanisms on localhost --
250-AUTH GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-AUTH=GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
-- end of saslfinger output --
debug_peer_level = 5
debug_peer_list = xx.xxx.xx.xx
-------------------------------- Log Session of attempt to send email from Thunderbird via port 465 -----------------------------------------
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: connect from xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: match_hostname: xx-xxx-xx-xx-static.net ~? xx.xxx.xx.0/29
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: match_hostaddr: xx.xxx.xx.xx ~? xx.xxx.xx.0/29
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: milter8_conn_event: milter inet:127.0.0.1:8891: connect xx-xxx-xx-xx-static.net/xx.xxx.xx.xx
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 220 mail-domain.info ESMTP Postfix
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: < xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: EHLO testdomain.com
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: match_list_match: xx-xxx-xx-xx-static.net: no match
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: match_list_match: xx.xxx.xx.xx: no match
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 250-mail-domain.info
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 250-PIPELINING
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 250-SIZE 900000000
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 250-VRFY
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 250-ETRN
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 250-AUTH GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 250-AUTH=GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 250-ENHANCEDSTATUSCODES
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 250-8BITMIME
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 250 DSN
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: < xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: AUTH PLAIN xxxyyyxxxyyyxxxyyyxxxxx=
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: warning: xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: SASL PLAIN authentication failed: authentication failure
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 535 5.7.8 Error: authentication failed: authentication failure
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: < xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: AUTH LOGIN
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 334 yyyssttnnnt
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: < xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: yyynnntttlklltmmm
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 334 kkkiiiejnma
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: < xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: yyehjjerkkr=
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: warning: xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: SASL LOGIN authentication failed: authentication failure
Apr 15 08:53:24 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 535 5.7.8 Error: authentication failed: authentication failure
Apr 15 08:54:09 mail-domain postfix/smtpd[19628]: > xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]: 421 4.4.2 mail-domain.info Error: timeout exceeded
Apr 15 08:54:09 mail-domain postfix/smtpd[19628]: match_hostname: xx-xxx-xx-xx-static.net ~? xx.xxx.xx.0/29
Apr 15 08:54:09 mail-domain postfix/smtpd[19628]: match_hostaddr: xx.xxx.xx.xx ~? xx.xxx.xx.0/29
Apr 15 08:54:09 mail-domain postfix/smtpd[19628]: timeout after AUTH from xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]
Apr 15 08:59:09 mail-domain postfix/smtpd[19628]: disconnect from xx-xxx-xx-xx-static.net[xx.xxx.xx.xx]
---------------------SASL test of account user name and password -----
[root@mail-domain ~]# testsaslauthd -u test.mail-domain.com -p password -s smtp
0: OK "Success."
--- Noting that starttls does not respond. I don't know if this is how it should work -----
[root@mail-domain ~]# openssl s_client -connect localhost:465 -starttls smtp
CONNECTED(00000003)
-------------------- openssl connect attempt transcript ---------
[root@mail-domain ~]# openssl s_client -connect localhost:465
CONNECTED(00000003)
depth=0 C = US, ST = Santana, L = MArkleville, O = Farseer Publishing, CN = mail-domain.info
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Santana, L = MArkleville, O = Farseer Publishing, CN = mail-domain.info
verify return:1
---
Certificate chain
0 s:/C=US/ST=Santana/L=MArkleville/O=Farseer Publishing/CN=mail-domain.info
i:/C=US/ST=Santana/L=MArkleville/O=Farseer Publishing/CN=mail-domain.info
---
Server certificate
-----BEGIN CERTIFICATE-----
dkdkjpoeiurpoqjerj
-----END CERTIFICATE-----
subject=/C=US/ST=Santana/L=MArkleville/O=Farseer Publishing/CN=mail-domain.info
issuer=/C=US/ST=Santana/L=MArkleville/O=Farseer Publishing/CN=mail-domain.info
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1604 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 1925uuoiuiuporqw
Session-ID-ctx:
Master-Key: 1925;llk;lskjflkl al; sdffadfdfas
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 3600 (seconds)
TLS session ticket:
0000 - 42 b5 bb 2f 99 08 5a 0e-af 14 be 5d 1e 12 bd 2b B../..Z....]...+
Start Time: 1523818952
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
220 mail-domain.info ESMTP Postfix
ehlo <>
250-mail-domain.info
250-PIPELINING
250-SIZE 900000000
250-VRFY
250-ETRN
250-AUTH GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-AUTH=GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN sshlhlerpp709lkjdfkjads==
535 5.7.8 Error: authentication failed: authentication failure
----- The above seems to match what we see in the log --------------
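Added diagnostic, not part of Emmett's post and not Postfix or Cyrus SASL code. Two facts from the saslfinger output above are worth checking mechanically: Postfix passes the value of smtpd_sasl_path (here `smptd`, while the file on disk is /etc/sasl2/smtpd.conf) to libsasl2 as the application name, and libsasl2 reads `<application name>.conf` from its config directories; and the EHLO reply advertises GSS-SPNEGO, GSSAPI, DIGEST-MD5 and CRAM-MD5 even though smtpd.conf says `mech_list: plain login`. The script below resolves the config file the way libsasl2 does and lists any advertised mechanism that the expected mech_list would not allow. The temporary directory tree, the sample smtpd.conf and the sample AUTH line are constructed for the example; the two config directories searched are an assumption taken from the saslfinger listings above.

```shell
#!/bin/sh
# Added example (not from the original post). Checks whether the application
# name Postfix hands to Cyrus SASL (smtpd_sasl_path) resolves to a config file
# libsasl2 can find, and whether the advertised AUTH mechanisms agree with the
# mech_list you believe is in force. All sample data below is constructed.

# sasl_conf_file APPNAME DIR...
# Prints the first DIR/APPNAME.conf that exists, i.e. the file libsasl2 would
# read for that application name. Returns 1 if none exists, which is what a
# misspelled smtpd_sasl_path produces: libsasl2 then runs on its built-in
# defaults and never sees pwcheck_method or mech_list from smtpd.conf.
sasl_conf_file() {
    app=$1; shift
    for d in "$@"; do
        if [ -f "$d/$app.conf" ]; then
            printf '%s\n' "$d/$app.conf"
            return 0
        fi
    done
    return 1
}

# unexpected_mechs MECH_LIST ADVERTISED
# Prints every mechanism in the advertised AUTH list (as in the 250-AUTH line
# of an EHLO reply) that is not in MECH_LIST, one per line. Output means the
# mech_list actually applied is not the one in the file you are editing.
unexpected_mechs() {
    allowed=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    for m in $2; do
        case " $allowed " in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# --- constructed sample tree mirroring the saslfinger listings above ---
tmp=$(mktemp -d)
mkdir -p "$tmp/etc/sasl2" "$tmp/usr/lib64/sasl2"
printf 'pwcheck_method: saslauthd\nmech_list: plain login\n' \
    > "$tmp/etc/sasl2/smtpd.conf"

# Misspelled application name: no config file is found.
if sasl_conf_file smptd "$tmp/etc/sasl2" "$tmp/usr/lib64/sasl2" >/dev/null; then
    echo "smptd: config file found"
else
    echo "smptd: no smptd.conf in search path; libsasl2 would use its defaults"
fi
# Correct application name: prints the smtpd.conf path.
sasl_conf_file smtpd "$tmp/etc/sasl2" "$tmp/usr/lib64/sasl2"

# Sample 250-AUTH line (constructed, same mechanisms as the log above) checked
# against the mech_list from smtpd.conf. Prints GSS-SPNEGO, GSSAPI, DIGEST-MD5
# and CRAM-MD5: four mechanisms that mech_list should have suppressed.
advertised="GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN"
unexpected_mechs "plain login" "$advertised"

rm -rf "$tmp"
```

On a real host, replace the sample values with `postconf -h smtpd_sasl_path` and the config directories your cyrus-sasl build searches, and read the advertised list from the EHLO reply of an `openssl s_client` session. Two caveats on the transcripts above, which are general facts rather than claims about this server: with `smtpd_tls_wrappermode=yes` port 465 speaks TLS from the first byte, so `openssl s_client -starttls smtp` waits for a plaintext 220 banner that never arrives, and the plain `-connect localhost:465` run is the right test; and the `587` service in the master.cf listing also sets `smtpd_tls_wrappermode=yes`, so it behaves as a second smtps port rather than a STARTTLS submission port, which a client configured for STARTTLS on 587 will not be able to use.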