RE: Newbie SASL Auth with Dovecot problem
> > I also tried port 25 and 587 from a separate machine that has an IP address
> > in mynetworks. In that case, EHLO is not even recognized:
> >
> > telnet 587
> > 220 ESMTP Postfix (Ubuntu)
> > EHLO client.example.com
> > 502 5.5.2 Error: command not recognized
> > HELO client.example.com
> > 250
> > QUIT
>
> FWIW: that's sometimes a symptom of a broken firewall that thinks it
> knows SMTP but does not, with the canonical example being a Cisco PIX in
> its default configuration.
>
> That particular form doesn't look exactly like PIX-mangling, and I don't
> think PIX (or its ASA spawn) interfere with port 587 by default, so it's
> probably something else, but that something else may be something
> claiming to be providing you network security while in the process
> directly breaking the spec for port 587 mail submission. A port 587
> service that doesn't support EHLO is just antique SMTP on a weird port.

Thanks Bill,

I discovered it was actually due to a setting in PuTTY. Under the Telnet settings, the default for "Telnet negotiation mode" is "Active". Setting it to "Passive" cleared the problem. Also, issuing a second EHLO also worked (which led me to check the telnet settings).

Michael
Re: Newbie SASL Auth with Dovecot problem
On 28 Jun 2016, at 2:39, Michael Fox wrote:

> I also tried port 25 and 587 from a separate machine that has an IP address
> in mynetworks. In that case, EHLO is not even recognized:
>
> telnet 587
> 220 ESMTP Postfix (Ubuntu)
> EHLO client.example.com
> 502 5.5.2 Error: command not recognized
> HELO client.example.com
> 250
> QUIT

FWIW: that's sometimes a symptom of a broken firewall that thinks it knows SMTP but does not, with the canonical example being a Cisco PIX in its default configuration.

That particular form doesn't look exactly like PIX-mangling, and I don't think PIX (or its ASA spawn) interfere with port 587 by default, so it's probably something else, but that something else may be something claiming to be providing you network security while in the process directly breaking the spec for port 587 mail submission. A port 587 service that doesn't support EHLO is just antique SMTP on a weird port.
RE: Newbie SASL Auth with Dovecot problem
> I don't see any
>
> smtpd_sasl_auth_enable = yes
>
> in your `postconf -n` output although you claim to have set it. The
> default would be "no".
>
> Matthias

Oh, jeez. How embarrassing. Thanks Matthias.

I had entered smtp_... instead of smtpd_... And no matter how many times I looked, I just didn't see it.

Michael
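
The check Matthias did by eye, as an added example that is not part of the original thread: a shell function that reads `postconf -n` output and flags missing server-side (`smtpd_`) SASL settings. The names `check_sasl_server`, `sample_broken` and `sample_fixed` are hypothetical, the typo hint (client-side `smtp_sasl_auth_enable` with no `smtp_sasl_password_maps`) is a heuristic assumed here, and requiring `smtpd_sasl_type = dovecot` matches this thread's setup only.

```shell
#!/bin/sh
# Added example (not from the thread): audit `postconf -n` output for the
# server-side SASL settings. Real use: postconf -n | check_sasl_server
check_sasl_server() {
    awk '
    /^[A-Za-z0-9_]+ *=/ {
        name = $0;  sub(/ *=.*/, "", name)        # text before the first "="
        value = $0; sub(/^[^=]*= */, "", value)   # text after the first "="
        sub(/[ \t]+$/, "", value)                 # drop trailing blanks
        conf[name] = value
    }
    END {
        rc = 0
        if (conf["smtpd_sasl_auth_enable"] != "yes") {
            print "FAIL smtpd_sasl_auth_enable is not \"yes\" (default is no): no AUTH in EHLO"
            rc = 1
            # Heuristic (assumption): client-side SASL enabled without a
            # credentials map suggests smtpd_ was the intended prefix.
            if (conf["smtp_sasl_auth_enable"] == "yes" && !("smtp_sasl_password_maps" in conf))
                print "HINT smtp_sasl_auth_enable = yes without smtp_sasl_password_maps: smtp_/smtpd_ typo?"
        }
        if (conf["smtpd_sasl_type"] != "dovecot") {
            print "FAIL smtpd_sasl_type is not dovecot"; rc = 1
        }
        if (conf["smtpd_sasl_path"] == "") {
            print "FAIL smtpd_sasl_path is not set"; rc = 1
        }
        if (rc == 0) print "OK server-side SASL settings present"
        exit rc
    }'
}

# Constructed sample: the SASL-related lines of the postconf -n output in the thread.
sample_broken() {
    cat <<'EOF'
broken_sasl_auth_clients = yes
smtp_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
EOF
}

# Constructed sample: the same lines with the parameter name corrected.
sample_fixed() {
    sample_broken | sed 's/^smtp_sasl_auth_enable/smtpd_sasl_auth_enable/'
}

sample_broken | check_sasl_server || true
sample_fixed | check_sasl_server
```
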
Re: Newbie SASL Auth with Dovecot problem
I don't see any

smtpd_sasl_auth_enable = yes

in your `postconf -n` output although you claim to have set it. The default would be "no".

Matthias

On 2016-06-28 05:15, Michael Fox wrote:

> I've been using Postfix for a while with no client submission. I'm trying to set up SASL for the first time, using Dovecot, to support virtual users. When I connect with EHLO, I do NOT see "AUTH" capabilities.
>
> Of course, I'm following: http://www.postfix.org/SASL_README.html
>
> First of all, Dovecot is installed and authentication works
>
> $ telnet localhost 110
> Trying 127.0.0.1...
> Connected to localhost.localdomain.
> Escape character is '^]'.
> +OK Dovecot ready.
> user @
> +OK
> pass secret
> +OK Logged in.
> quit
> +OK Logging out.
> Connection closed by foreign host.
> $
>
> And mail is delivered to the virtual mailboxes just fine. This tells me that the Dovecot passdb and userdb are working.
>
> Now, following the SASL_README:
>
> $ postconf -a
> cyrus
> dovecot
> $ postconf -A
> cyrus
>
> I followed the instructions in SASL_README for "Configuring Dovecot SASL", plus …
>
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_auth_enable = yes
>
> The socket exists
>
> ~$ sudo ls -l /var/spool/postfix/private
> total 0
> …
> srw-rw 1 postfix postfix 0 Jun 27 18:55 auth
> …
> $
>
> After reload, the next step in the README is to try a connection. But I don't get any AUTH options:
>
> $ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.localdomain.
> Escape character is '^]'.
> 220 x ESMTP Postfix (Ubuntu)
> EHLO client.example.com
> 250-x
> 250-PIPELINING
> 250-SIZE 102400
> 250-VRFY
> 250-ETRN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> QUIT
> 221 2.0.0 Bye
> Connection closed by foreign host.
> $
>
> I don't know what to do next. Thanks for any help.
>
> Thanks,
> Michael
>
> $ postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> anvil_rate_time_unit = 60s
> append_at_myorigin = yes
> append_dot_mydomain = yes
> biff = no
> bounce_queue_lifetime = 8h
> bounce_template_file = /etc/postfix/bounce.cf
> broken_sasl_auth_clients = yes
> canonical_maps = pcre:/etc/postfix/canonical.pcre
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> delay_warning_time = 2h
> fast_flush_domains = $relay_domains
> header_checks = pcre:/etc/postfix/header_checks.pcre
> html_directory = /usr/share/doc/postfix/html
> inet_interfaces = all
> mailbox_size_limit = 512
> maximal_queue_lifetime = 8h
> message_size_limit = 102400
> mydestination = $myhostname localhost.$mydomain localhost.localdomain localhost
> mydomain =
> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 192.168.8.0/24
> myorigin = /etc/mailname
> postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_reply_map = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
> postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.spameatingmonkey.net*2 psbl.surriel.com*2 bl.spamcop.net hostkarma.junkemailfilter.com=127.0.0.2 dnsbl.sorbs.net bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2 list.dnswl.org=127.0.[0..255].2*-3 list.dnswl.org=127.0.[0..255].3*-4
> postscreen_dnsbl_threshold = 3
> postscreen_dnsbl_ttl = 5m
> postscreen_greet_action = enforce
> proxy_interfaces =
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> relay_domains = n6mef.ampr.org
> relay_recipient_maps = pcre:/etc/postfix/relay_recipients.pcre
> relay_restrictions = check_sender_access pcre:/etc/postfix/relay_sender_access.pcre
> remote_header_rewrite_domain = invalid.domain
> smtp_host_lookup = native
> smtp_sasl_auth_enable = yes
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_client_connection_count_limit = 10
> smtpd_client_connection_rate_limit = 10
> smtpd_client_restrictions = permit_mynetworks reject_unknown_reverse_client_hostname check_client_access pcre:/etc/postfix/client_access.pcre reject_rbl_client zen.spamhaus.org permit
> smtpd_data_restrictions = reject_unauth_pipelining reject_multi_recipient_bounce permit
> smtpd_delay_reject = yes
> smtpd_error_sleep_time = 5s
> smtpd_etrn_restrictions = permit_mynetworks reject
> smtpd_hard_error_limit = 10
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname permit_mynetworks reject_unknown_helo_hostname check_helo_access pcre:/etc/postfix/helo_access.pcre permit
> smtpd_junk_command_limit = 2
> smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination check_recipient_access pcre:/etc/postfix/recipient_access.pcre check_recipient_access pcre:/etc/postfix/relay_recipient_access.pcre permit
> smtpd_reject_unlisted_recipient = yes
> smtpd_restriction_classes = relay_restrictions
RE: Newbie SASL Auth with Dovecot problem
> There is no AUTH on port 25, take 587.
>
> Suomi

According to http://www.postfix.org/SASL_README.html#server_sasl_authc I should see AUTH on port 25.

I also tried port 587. Same result.

$ telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 ESMTP Postfix (Ubuntu)
EHLO client.example.com
250-
250-PIPELINING
250-SIZE 102400
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
$

I also tried port 25 and 587 from a separate machine that has an IP address in mynetworks. In that case, EHLO is not even recognized:

telnet 587
220 ESMTP Postfix (Ubuntu)
EHLO client.example.com
502 5.5.2 Error: command not recognized
HELO client.example.com
250
QUIT

Mail.log:

Jun 27 23:23:32 n6mef-gw postfix/smtpd[28356]: connect from unknown[192.168.7.180]
Jun 27 23:24:32 n6mef-gw postfix/smtpd[28356]: disconnect from unknown[192.168.7.180]
Jun 27 23:27:29 n6mef-gw postfix/submission/smtpd[28387]: connect from unknown[192.168.7.180]
Jun 27 23:28:10 n6mef-gw postfix/submission/smtpd[28387]: disconnect from unknown[192.168.7.180]

Apparently there's something more fundamental that I'm missing. But I sure can't figure it out.

Michael
Re: Newbie SASL Auth with Dovecot problem
There is no AUTH on port 25, take 587.

suomi

On 06/28/2016 05:15 AM, Michael Fox wrote:

> I’ve been using Postfix for a while with no client submission. I’m trying to set up SASL for the first time, using Dovecot, to support virtual users. When I connect with EHLO, I do NOT see “AUTH” capabilities.
>
> Of course, I’m following: http://www.postfix.org/SASL_README.html
>
> First of all, Dovecot is installed and authentication works
>
> $ telnet localhost 110
> Trying 127.0.0.1...
> Connected to localhost.localdomain.
> Escape character is '^]'.
> +OK Dovecot ready.
> user @
> +OK
> pass secret
> +OK Logged in.
> quit
> +OK Logging out.
> Connection closed by foreign host.
> $
>
> And mail is delivered to the virtual mailboxes just fine. This tells me that the Dovecot passdb and userdb are working.
>
> Now, following the SASL_README:
>
> $ postconf -a
> cyrus
> dovecot
> $ postconf -A
> cyrus
>
> I followed the instructions in SASL_README for “Configuring Dovecot SASL”, plus …
>
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_auth_enable = yes
>
> The socket exists
>
> ~$ sudo ls -l /var/spool/postfix/private
> total 0
> …
> srw-rw 1 postfix postfix 0 Jun 27 18:55 auth
> …
> $
>
> After reload, the next step in the README is to try a connection. But I don’t get any AUTH options:
>
> $ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.localdomain.
> Escape character is '^]'.
> 220 x ESMTP Postfix (Ubuntu)
> EHLO client.example.com
> 250-x
> 250-PIPELINING
> 250-SIZE 102400
> 250-VRFY
> 250-ETRN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> QUIT
> 221 2.0.0 Bye
> Connection closed by foreign host.
> $
>
> I don’t know what to do next. Thanks for any help.
>
> Thanks,
> Michael
>
> $ postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> anvil_rate_time_unit = 60s
> append_at_myorigin = yes
> append_dot_mydomain = yes
> biff = no
> bounce_queue_lifetime = 8h
> bounce_template_file = /etc/postfix/bounce.cf
> broken_sasl_auth_clients = yes
> canonical_maps = pcre:/etc/postfix/canonical.pcre
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> delay_warning_time = 2h
> fast_flush_domains = $relay_domains
> header_checks = pcre:/etc/postfix/header_checks.pcre
> html_directory = /usr/share/doc/postfix/html
> inet_interfaces = all
> mailbox_size_limit = 512
> maximal_queue_lifetime = 8h
> message_size_limit = 102400
> mydestination = $myhostname localhost.$mydomain localhost.localdomain localhost
> mydomain =
> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 192.168.8.0/24
> myorigin = /etc/mailname
> postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_reply_map = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
> postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.spameatingmonkey.net*2 psbl.surriel.com*2 bl.spamcop.net hostkarma.junkemailfilter.com=127.0.0.2 dnsbl.sorbs.net bl.mailspike.net swl.spamhaus.org*-4 list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2 list.dnswl.org=127.0.[0..255].2*-3 list.dnswl.org=127.0.[0..255].3*-4
> postscreen_dnsbl_threshold = 3
> postscreen_dnsbl_ttl = 5m
> postscreen_greet_action = enforce
> proxy_interfaces =
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> relay_domains = n6mef.ampr.org
> relay_recipient_maps = pcre:/etc/postfix/relay_recipients.pcre
> relay_restrictions = check_sender_access pcre:/etc/postfix/relay_sender_access.pcre
> remote_header_rewrite_domain = invalid.domain
> smtp_host_lookup = native
> smtp_sasl_auth_enable = yes
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_client_connection_count_limit = 10
> smtpd_client_connection_rate_limit = 10
> smtpd_client_restrictions = permit_mynetworks reject_unknown_reverse_client_hostname check_client_access pcre:/etc/postfix/client_access.pcre reject_rbl_client zen.spamhaus.org permit
> smtpd_data_restrictions = reject_unauth_pipelining reject_multi_recipient_bounce permit
> smtpd_delay_reject = yes
> smtpd_error_sleep_time = 5s
> smtpd_etrn_restrictions = permit_mynetworks reject
> smtpd_hard_error_limit = 10
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname permit_mynetworks reject_unknown_helo_hostname check_helo_access pcre:/etc/postfix/helo_access.pcre permit
> smtpd_junk_command_limit = 2
> smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination check_recipient_access pcre:/etc/postfix/recipient_access.pcre check_recipient_access pcre:/etc/postfix/relay_recipient_access.pcre permit
> smtpd_reject_unlisted_recipient = yes
> smtpd_restriction_classes = relay_restrictions
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = reject_non_fqdn_sender