RE: Newbie SASL Auth with Dovecot problem

2016-07-01 Thread Michael Fox
> 
> > I also tried port 25 and 587 from a separate machine that has an IP
> > address
> > in mynetworks.  In that case, EHLO is not even recognized:
> >
> > telnet  587
> > 220  ESMTP Postfix (Ubuntu)
> > EHLO client.example.com
> > 502 5.5.2 Error: command not recognized
> > HELO client.example.com
> > 250 
> > QUIT
> 
> FWIW: that's sometimes a symptom of a broken firewall that thinks it
> knows SMTP but does not, with the canonical example being a Cisco PIX in
> its default configuration.
> 
> That particular form doesn't look exactly like PIX-mangling, and I don't
> think PIX (or its ASA spawn) interferes with port 587 by default, so it's
> probably something else, but that something else may be something
> claiming to be providing you network security while in the process
> directly breaking the spec for port 587 mail submission. A port 587
> service that doesn't support EHLO is just antique SMTP on a weird port.

Thanks Bill,

I discovered it was actually due to a setting in PuTTY.  Under the Telnet
settings, the default for "Telnet negotiation mode" is "Active".  Setting it
to "Passive" cleared the problem.  Issuing a second EHLO also worked
(which led me to check the telnet settings).

Michael
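A 502 on the first EHLO, followed by a HELO or a second EHLO that is accepted, is exactly what a line-oriented SMTP server produces when a Telnet client's option negotiation bytes land in front of the first typed command: smtpd speaks only SMTP, so the RFC 854 IAC sequences a Telnet client sends on connect are glued onto the first command line and the verb is unrecognised. The Python below is an added example, not code from the thread, from Postfix or from PuTTY. It builds an assumed negotiation prefix (the option numbers are a guess, not a capture of what PuTTY sends), feeds it to a toy command reader that behaves like the server in the transcript, and shows a decoder that strips the Telnet bytes so the same input parses cleanly; the "250 ok" reply string is a stand-in for the real server reply.

```python
"""Why a Telnet client in "active negotiation" mode breaks the first SMTP command.

Added example, not code from the thread. Models the byte stream a Telnet client
sends when it negotiates options on connect (RFC 854) and feeds it to a toy
line-oriented SMTP command reader. Option numbers and reply text are assumptions.
"""

# Telnet protocol bytes (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Constructed sample: negotiation a client might send before any user input
# (24 = TERMINAL-TYPE, 31 = NAWS, 1 = ECHO, 3 = SUPPRESS-GO-AHEAD). Assumed,
# not captured from PuTTY. Note there is no CRLF at the end of it.
TELNET_NEGOTIATION = bytes([IAC, WILL, 24, IAC, WILL, 31, IAC, DO, 1, IAC, DO, 3])
USER_INPUT = b"EHLO client.example.com\r\nEHLO client.example.com\r\nQUIT\r\n"
STREAM = TELNET_NEGOTIATION + USER_INPUT

KNOWN_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
               "VRFY", "ETRN", "STARTTLS", "AUTH"}


def smtp_command_lines(stream: bytes) -> list[bytes]:
    """Split the stream into command lines the way a plain SMTP server does:
    on CRLF only, with no idea that Telnet exists."""
    return [line for line in stream.split(b"\r\n") if line]


def smtp_verb(line: bytes) -> str:
    """First space-delimited token of a command line, as the server sees it."""
    return line.split(b" ", 1)[0].decode("latin-1").upper()


def toy_server_replies(stream: bytes) -> list[str]:
    """Reply for each command line; '250 ok' stands in for the real reply."""
    return ["250 ok" if smtp_verb(line) in KNOWN_VERBS
            else "502 5.5.2 Error: command not recognized"
            for line in smtp_command_lines(stream)]


def strip_telnet_negotiation(stream: bytes) -> bytes:
    """Remove IAC sequences (RFC 854): IAC IAC is a literal 0xFF,
    IAC WILL/WONT/DO/DONT carries one option byte, IAC SB ... IAC SE is a
    subnegotiation, any other IAC command is two bytes."""
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:          # truncated IAC at end of stream: drop it
            break
        cmd = stream[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3
        elif cmd == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2
    return bytes(out)


if __name__ == "__main__":
    # First line carries the negotiation bytes, so only it gets the 502
    for line, reply in zip(smtp_command_lines(STREAM), toy_server_replies(STREAM)):
        print(f"{line!r:60} -> {reply}")
    print("after stripping Telnet:", toy_server_replies(strip_telnet_negotiation(STREAM)))
```

To probe a submission port without this artefact, use a client that sends raw bytes: `nc host 587`, `openssl s_client -starttls smtp -connect host:587` (which also carries you past STARTTLS, the only place AUTH is shown when the server requires TLS for authentication), or Python's smtplib. PuTTY's "Raw" connection type avoids Telnet negotiation as well.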




Re: Newbie SASL Auth with Dovecot problem

2016-07-01 Thread Bill Cole

On 28 Jun 2016, at 2:39, Michael Fox wrote:

I also tried port 25 and 587 from a separate machine that has an IP 
address

in mynetworks.  In that case, EHLO is not even recognized:

telnet  587
220  ESMTP Postfix (Ubuntu)
EHLO client.example.com
502 5.5.2 Error: command not recognized
HELO client.example.com
250 
QUIT


FWIW: that's sometimes a symptom of a broken firewall that thinks it 
knows SMTP but does not, with the canonical example being a Cisco PIX in 
its default configuration.


That particular form doesn't look exactly like PIX-mangling, and I don't 
think PIX (or its ASA spawn) interferes with port 587 by default, so it's 
probably something else, but that something else may be something 
claiming to be providing you network security while in the process 
directly breaking the spec for port 587 mail submission. A port 587 
service that doesn't support EHLO is just antique SMTP on a weird port.


RE: Newbie SASL Auth with Dovecot problem

2016-06-28 Thread Michael Fox
> 
> I don't see any
> 
>  smtpd_sasl_auth_enable = yes
> 
> in your `postconf -n` output although you claim to have set it.  The
> default would be "no".
> 
> Matthias

Oh, jeez.  How embarrassing.  Thanks Matthias.

I had entered smtp_... instead of smtpd_... 

And no matter how many times I looked, I just didn't see it.

Michael
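The root cause in this thread is a one-letter typo: `smtp_sasl_auth_enable` (the SMTP client side) was set instead of `smtpd_sasl_auth_enable` (the server side, default `no`), which is easy to stare past in a long `postconf -n` dump. The Python below is an added example, not code from the thread or from Postfix. It parses a `postconf -n` dump and flags the server-side SASL parameters that decide whether smtpd advertises AUTH, and it parses an EHLO reply to list the mechanisms actually offered. The two config excerpts and the two EHLO replies are constructed to mirror the thread (the hostname is made up). `smtpd_tls_auth_only` is a real Postfix parameter (default `no`) that the thread's config does not set; it is checked here because a server that offers AUTH before STARTTLS lets PLAIN and LOGIN credentials travel in the clear.

```python
"""Audit a `postconf -n` dump and an EHLO reply for the settings that decide
whether Postfix smtpd offers AUTH. Added example, not code from the thread."""
import re

# Constructed excerpt modelled on the thread: the client-side parameter
# smtp_sasl_auth_enable was set instead of the server-side smtpd_sasl_auth_enable.
POSTCONF_BROKEN = """\
broken_sasl_auth_clients = yes
smtp_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
"""

# Constructed corrected excerpt; smtpd_tls_auth_only keeps AUTH behind STARTTLS.
POSTCONF_FIXED = """\
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
"""

# Constructed EHLO replies: before the fix (as in the thread) and after it.
EHLO_BEFORE = ("250-mail.example.com\r\n250-PIPELINING\r\n250-SIZE 102400\r\n"
               "250-STARTTLS\r\n250-8BITMIME\r\n250 DSN\r\n")
EHLO_AFTER = ("250-mail.example.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n"
              "250-AUTH PLAIN LOGIN\r\n250-AUTH=PLAIN LOGIN\r\n250 DSN\r\n")


def parse_postconf(text: str) -> dict[str, str]:
    """Turn `name = value` lines into a dict; other lines are ignored."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def sasl_findings(params: dict[str, str]) -> list[str]:
    """Explain why smtpd would not offer AUTH, or would offer it unsafely."""
    findings = []
    server_auth = params.get("smtpd_sasl_auth_enable", "no").lower() == "yes"
    if not server_auth:
        findings.append("smtpd_sasl_auth_enable is not 'yes' (default no): "
                        "smtpd never advertises AUTH")
        if params.get("smtp_sasl_auth_enable", "no").lower() == "yes":
            findings.append("smtp_sasl_auth_enable is set: that is the SMTP client "
                            "(smtp) parameter, likely a typo for smtpd_sasl_auth_enable")
    if params.get("smtpd_sasl_type") == "dovecot" and "smtpd_sasl_path" not in params:
        findings.append("smtpd_sasl_type = dovecot but smtpd_sasl_path is unset")
    if server_auth and params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("AUTH is offered before STARTTLS, so PLAIN/LOGIN credentials "
                        "can cross the wire in clear; set smtpd_tls_auth_only = yes")
    return findings


def ehlo_capabilities(reply: str) -> dict[str, str]:
    """Map each EHLO keyword to its parameters; the first 250- line is the hostname."""
    caps = {}
    for line in reply.splitlines()[1:]:
        m = re.match(r"^250[ -](\S+)(?:\s+(.*))?$", line)
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps


def auth_mechanisms(reply: str) -> list[str]:
    """SASL mechanisms advertised on the AUTH line, empty if AUTH is absent."""
    return ehlo_capabilities(reply).get("AUTH", "").split()


if __name__ == "__main__":
    for label, cfg in (("broken", POSTCONF_BROKEN), ("fixed", POSTCONF_FIXED)):
        print(label, sasl_findings(parse_postconf(cfg)) or ["no findings"])
    print("before:", auth_mechanisms(EHLO_BEFORE), "after:", auth_mechanisms(EHLO_AFTER))
```

When `smtpd_tls_auth_only = yes` is in place, an EHLO before STARTTLS is expected to show no AUTH line at all; check again after `STARTTLS` (for instance with `openssl s_client -starttls smtp`) before concluding that SASL is still broken.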




Re: Newbie SASL Auth with Dovecot problem

2016-06-28 Thread Matthias Sitte

I don't see any

smtpd_sasl_auth_enable = yes

in your `postconf -n` output although you claim to have set it.  The 
default would be "no".


Matthias

On 2016-06-28 05:15, Michael Fox wrote:

I've been using Postfix for a while with no client submission.  I'm 
trying to set up SASL for the first time, using Dovecot, to support 
virtual users.

When I connect with EHLO, I do NOT see "AUTH" capabilities.

Of course, I'm following:  http://www.postfix.org/SASL_README.html

First of all, Dovecot is installed and authentication works

$ telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
+OK Dovecot ready.
user @
+OK
pass secret
+OK Logged in.
quit
+OK Logging out.
Connection closed by foreign host.
$

And mail is delivered to the virtual mailboxes just fine.  This tells 
me that the Dovecot passdb and userdb are working.

Now, following the SASL_README:

$ postconf -a
cyrus
dovecot
$ postconf -A
cyrus

I followed the instructions in SASL_README for "Configuring Dovecot 
SASL", plus …

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

The socket exists

~$ sudo ls -l /var/spool/postfix/private
total 0
…
srw-rw 1 postfix postfix 0 Jun 27 18:55 auth
…
$

After reload, the next step in the README is to try a connection.  But 
I don't get any AUTH options:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 x ESMTP Postfix (Ubuntu)
EHLO client.example.com
250-x
250-PIPELINING
250-SIZE 102400
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
$

I don't know what to do next.  Thanks for any help.

Thanks,
Michael

$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
append_at_myorigin = yes
append_dot_mydomain = yes
biff = no
bounce_queue_lifetime = 8h
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
canonical_maps = pcre:/etc/postfix/canonical.pcre
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
delay_warning_time = 2h
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 512
maximal_queue_lifetime = 8h
message_size_limit = 102400
mydestination = $myhostname localhost.$mydomain localhost.localdomain localhost
mydomain = 
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 192.168.8.0/24
myorigin = /etc/mailname
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.spameatingmonkey.net*2 psbl.surriel.com*2 bl.spamcop.net hostkarma.junkemailfilter.com=127.0.0.2 dnsbl.sorbs.net bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2 list.dnswl.org=127.0.[0..255].2*-3 list.dnswl.org=127.0.[0..255].3*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
proxy_interfaces = 
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = n6mef.ampr.org
relay_recipient_maps = pcre:/etc/postfix/relay_recipients.pcre
relay_restrictions = check_sender_access pcre:/etc/postfix/relay_sender_access.pcre
remote_header_rewrite_domain = invalid.domain
smtp_host_lookup = native
smtp_sasl_auth_enable = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_restrictions = permit_mynetworks reject_unknown_reverse_client_hostname check_client_access pcre:/etc/postfix/client_access.pcre reject_rbl_client zen.spamhaus.org permit
smtpd_data_restrictions = reject_unauth_pipelining reject_multi_recipient_bounce permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 5s
smtpd_etrn_restrictions = permit_mynetworks reject
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname permit_mynetworks reject_unknown_helo_hostname check_helo_access pcre:/etc/postfix/helo_access.pcre permit
smtpd_junk_command_limit = 2
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination check_recipient_access pcre:/etc/postfix/recipient_access.pcre check_recipient_access pcre:/etc/postfix/relay_recipient_access.pcre permit
smtpd_reject_unlisted_recipient = yes
smtpd_restriction_classes = relay_restrictions


RE: Newbie SASL Auth with Dovecot problem

2016-06-28 Thread Michael Fox
> 
> There is no AUTH on port 25, take 587.
> 
> Suomi

According to http://www.postfix.org/SASL_README.html#server_sasl_authc I
should see AUTH on port 25.

I also tried port 587.  Same result.

$ telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220  ESMTP Postfix (Ubuntu)
EHLO client.example.com
250-
250-PIPELINING
250-SIZE 102400
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
$

I also tried port 25 and 587 from a separate machine that has an IP address
in mynetworks.  In that case, EHLO is not even recognized:

telnet  587
220  ESMTP Postfix (Ubuntu)
EHLO client.example.com
502 5.5.2 Error: command not recognized
HELO client.example.com
250 
QUIT

Mail.log:
Jun 27 23:23:32 n6mef-gw postfix/smtpd[28356]: connect from
unknown[192.168.7.180]
Jun 27 23:24:32 n6mef-gw postfix/smtpd[28356]: disconnect from
unknown[192.168.7.180]
Jun 27 23:27:29 n6mef-gw postfix/submission/smtpd[28387]: connect from
unknown[192.168.7.180]
Jun 27 23:28:10 n6mef-gw postfix/submission/smtpd[28387]: disconnect from
unknown[192.168.7.180]

Apparently there's something more fundamental that I'm missing.  But I sure
can't figure it out.

Michael




Re: Newbie SASL Auth with Dovecot problem

2016-06-27 Thread postfix

There is no AUTH on port 25, take 587.

suomi

On 06/28/2016 05:15 AM, Michael Fox wrote:

I’ve been using Postfix for a while with no client submission.  I’m
trying to set up SASL for the first time, using Dovecot, to support
virtual users.

When I connect with EHLO, I do NOT see “AUTH” capabilities.

Of course, I’m following:  http://www.postfix.org/SASL_README.html

First of all, Dovecot is installed and authentication works

$ telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
+OK Dovecot ready.
user @
+OK
pass secret
+OK Logged in.
quit
+OK Logging out.
Connection closed by foreign host.
$

And mail is delivered to the virtual mailboxes just fine.  This tells me
that the Dovecot passdb and userdb are working.

Now, following the SASL_README:

$ postconf -a
cyrus
dovecot
$ postconf -A
cyrus

I followed the instructions in SASL_README for “Configuring Dovecot
SASL”, plus …

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

The socket exists

~$ sudo ls -l /var/spool/postfix/private
total 0
…
srw-rw 1 postfix postfix 0 Jun 27 18:55 auth
…
$

After reload, the next step in the README is to try a connection.  But I
don’t get any AUTH options:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 x ESMTP Postfix (Ubuntu)
EHLO client.example.com
250-x
250-PIPELINING
250-SIZE 102400
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
$

I don’t know what to do next.  Thanks for any help.

Thanks,
Michael

$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
append_at_myorigin = yes
append_dot_mydomain = yes
biff = no
bounce_queue_lifetime = 8h
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
canonical_maps = pcre:/etc/postfix/canonical.pcre
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
delay_warning_time = 2h
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 512
maximal_queue_lifetime = 8h
message_size_limit = 102400
mydestination = $myhostname localhost.$mydomain localhost.localdomain localhost
mydomain = 
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 192.168.8.0/24
myorigin = /etc/mailname
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.spameatingmonkey.net*2 psbl.surriel.com*2 bl.spamcop.net hostkarma.junkemailfilter.com=127.0.0.2 dnsbl.sorbs.net bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2 list.dnswl.org=127.0.[0..255].2*-3 list.dnswl.org=127.0.[0..255].3*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
proxy_interfaces = 
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = n6mef.ampr.org
relay_recipient_maps = pcre:/etc/postfix/relay_recipients.pcre
relay_restrictions = check_sender_access pcre:/etc/postfix/relay_sender_access.pcre
remote_header_rewrite_domain = invalid.domain
smtp_host_lookup = native
smtp_sasl_auth_enable = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 10
smtpd_client_restrictions = permit_mynetworks reject_unknown_reverse_client_hostname check_client_access pcre:/etc/postfix/client_access.pcre reject_rbl_client zen.spamhaus.org permit
smtpd_data_restrictions = reject_unauth_pipelining reject_multi_recipient_bounce permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 5s
smtpd_etrn_restrictions = permit_mynetworks reject
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname permit_mynetworks reject_unknown_helo_hostname check_helo_access pcre:/etc/postfix/helo_access.pcre permit
smtpd_junk_command_limit = 2
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination check_recipient_access pcre:/etc/postfix/recipient_access.pcre check_recipient_access pcre:/etc/postfix/relay_recipient_access.pcre permit
smtpd_reject_unlisted_recipient = yes
smtpd_restriction_classes = relay_restrictions
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender