Re: Postfix and SASL authentication.
On 2014-08-25 Mon 21:40 PM |, giacomo wrote:
> > Join the Postfix users mailing list (http://www.postfix.org/lists.html)
> >
> > Send them a problem description & the output of both:
> >
> > $ postconf -nf
> > $ postconf -Mf

REALLY: Join the Postfix users mailing list and send them the output.

> > Sorry I can't help further as I don't use SSL with SMTP as it can't be enforced throughout a message's life - therefore I consider it a false sense of security.
>
> What is a solution, in your opinion, to increase the security of connections from the outside, for example from a portable device (laptop, smartphone, etc.) using an OpenBSD system?

SMTP is not a point to point protocol, it is a redundant store & forward protocol. SSL/TLS was an afterthought, and may be optionally negotiated for each hop. The security of the channel is never guaranteed for each leg of the journey. And the next hop never promises to encrypt the onward connection.

Mail gateways may accept an encrypted connection & forward it in clear text to a LAN M$ exchange, Solaris or Loonix box. You don't know.

Some organisations also use 3rd party off-site MX backup boxes as well. Who knows what they do with mail, and what route they forward it onwards by.

Want proof? Send me a mail from your SSL/TLS MTA & watch the logs as the message is sent in clear text to Scotland. I'll reply and you'll see from your logs that your fancy SSL set up is ignored, and the message is accepted by your box in plain text.

Even if the message does (by random chance) happen to travel via an encrypted channel, it then sits in clear text on Goatmail, Snotmail, Yahtwits or AOL.con's servers for government agencies around the world to read - years after it is 'deleted'.

SMTP is resilient, but insecure.

The best that can be done is to have the user PGP encrypt their message before sending.

To protect the user's authentication credentials on port 587, use rather weak digest auth, e.g:

250-AUTH CRAM-MD5

NOT:

250-AUTH PLAIN
250-AUTH LOGIN

Using SSL for SMTP-submission, IMAP or POP is to deceive users into thinking their mail is secure. It is a lie.

Otherwise, both ssh to a box & chat locally.

Or use something like SILC: http://en.wikipedia.org/wiki/SILC_%28protocol%29
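The two mechanisms contrasted in the reply above, as an added worked example (not code from the thread or from either poster): a PLAIN exchange per RFC 4616, decoded the way a passive listener on an unencrypted session would decode it, and a CRAM-MD5 exchange per RFC 2195 with both the client and the server side. The credentials, hostname and wordlist are constructed for the demo; the only real value is the RFC 2195 test vector. The block also shows the two costs of CRAM-MD5 a practitioner should weigh: the server must hold the password in recoverable form, and a captured challenge/response pair can be brute-forced offline, so it defeats a passive sniffer but not a weak password.

```python
"""SASL PLAIN versus CRAM-MD5 as seen on the wire.

Added example for the discussion above, not code from the original posts.
The credentials, hostname and wordlist are constructed for the demo; the one
real vector is the CRAM-MD5 example from RFC 2195.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple


# PLAIN (RFC 4616): the client sends base64(authzid NUL authcid NUL password).
def plain_encode(authcid: str, password: str, authzid: str = "") -> str:
    """Build the argument a client puts after 'AUTH PLAIN '."""
    raw = authzid.encode() + b"\0" + authcid.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode()


def plain_decode(blob: str) -> Tuple[str, str, str]:
    """What anyone who captured the unencrypted session learns: base64 is encoding, not encryption."""
    authzid, authcid, password = base64.b64decode(blob).split(b"\0", 2)
    return authzid.decode(), authcid.decode(), password.decode()


# CRAM-MD5 (RFC 2195): the server sends a one-time challenge; the client answers
# with 'username SPACE hex(HMAC-MD5(key=password, msg=challenge))'.
def cram_challenge(hostname: str) -> str:
    """Server side. RFC 2195 suggests a msg-id style '<random.time@host>' string."""
    return f"<{secrets.token_hex(8)}.{secrets.randbits(32)}@{hostname}>"


def cram_response(username: str, password: str, challenge: str) -> str:
    """Client side. The password itself is never transmitted."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_verify(response: str, challenge: str, stored_password: str) -> bool:
    """Server side. Needs the plaintext password (or an MD5 context derived from it),
    so the server cannot store a salted one-way hash; that is the trade-off."""
    _username, _, digest = response.partition(" ")
    expected = hmac.new(stored_password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def cram_offline_guess(response: str, challenge: str, wordlist: Iterable[str]) -> Optional[str]:
    """An eavesdropper's residual option: a captured challenge/response pair can be
    tested against a dictionary offline, with no further contact with the server."""
    for guess in wordlist:
        if cram_verify(response, challenge, guess):
            return guess
    return None


if __name__ == "__main__":
    # The PLAIN exchange: one captured line gives the password away.
    blob = plain_encode("alice@example.com", "s3cret-demo")  # constructed credentials
    print("C: AUTH PLAIN", blob)
    print("eavesdropper decodes:", plain_decode(blob))

    # The CRAM-MD5 exchange, both sides; SMTP carries challenge and response base64-encoded.
    chal = cram_challenge("mail2.example.com")  # constructed hostname
    print("S: 334", base64.b64encode(chal.encode()).decode())
    resp = cram_response("alice@example.com", "s3cret-demo", chal)
    print("C:", base64.b64encode(resp.encode()).decode())
    print("server verifies:", cram_verify(resp, chal, "s3cret-demo"))
    print("offline guess:", cram_offline_guess(resp, chal, ["password", "letmein", "s3cret-demo"]))
```

Run it to see the exchange line by line: the server's 334 challenge and the client's response are base64 in SMTP just like the AUTH PLAIN argument, but only the PLAIN one decodes to a password.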
Re: Postfix and SASL authentication.
Hi.

On 26.08.14, 12:25, Craig R. Skinner wrote:
> On 2014-08-25 Mon 21:40 PM |, giacomo wrote:
> > > Join the Postfix users mailing list (http://www.postfix.org/lists.html)
> > >
> > > Send them a problem description & the output of both:
> > >
> > > $ postconf -nf
> > > $ postconf -Mf
>
> REALLY: Join the Postfix users mailing list and send them the output.

Excuse me, I didn't read this part carefully. OK, I'll send it to the Postfix mailing list.

> > > Sorry I can't help further as I don't use SSL with SMTP as it can't be enforced throughout a message's life - therefore I consider it a false sense of security.
> >
> > What is a solution, in your opinion, to increase the security of connections from the outside, for example from a portable device (laptop, smartphone, etc.) using an OpenBSD system?
>
> SMTP is not a point to point protocol, it is a redundant store & forward protocol. SSL/TLS was an afterthought, and may be optionally negotiated for each hop. The security of the channel is never guaranteed for each leg of the journey. And the next hop never promises to encrypt the onward connection.
>
> Mail gateways may accept an encrypted connection & forward it in clear text to a LAN M$ exchange, Solaris or Loonix box. You don't know.
>
> Some organisations also use 3rd party off-site MX backup boxes as well. Who knows what they do with mail, and what route they forward it onwards by.
>
> Want proof? Send me a mail from your SSL/TLS MTA & watch the logs as the message is sent in clear text to Scotland. I'll reply and you'll see from your logs that your fancy SSL set up is ignored, and the message is accepted by your box in plain text.
>
> Even if the message does (by random chance) happen to travel via an encrypted channel, it then sits in clear text on Goatmail, Snotmail, Yahtwits or AOL.con's servers for government agencies around the world to read - years after it is 'deleted'.
>
> SMTP is resilient, but insecure.
>
> The best that can be done is to have the user PGP encrypt their message before sending.
>
> To protect the user's authentication credentials on port 587, use rather weak digest auth, e.g:
>
> 250-AUTH CRAM-MD5
>
> NOT:
>
> 250-AUTH PLAIN
> 250-AUTH LOGIN
>
> Using SSL for SMTP-submission, IMAP or POP is to deceive users into thinking their mail is secure. It is a lie.
>
> Otherwise, both ssh to a box & chat locally.
>
> Or use something like SILC: http://en.wikipedia.org/wiki/SILC_%28protocol%29

Many thanks for the explanation.

--
Isaia Luciano
--
The information contained in this e-mail and in any attached documents/files is confidential. It is intended exclusively for the addressee. Its communication, dissemination or, in any case, disclosure to third parties, as well as its copying and/or retention, is forbidden. If you have received this e-mail in error, please inform the sender immediately and destroy it or, in any case, delete it from your system.

This e-mail contains confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error), please notify the sender immediately and destroy this e-mail. Any unauthorised communication, diffusion, disclosure and copy of the material in this e-mail is strictly forbidden.
--
Re: Postfix and SASL authentication.
On 2014-08-24 Sun 18:44 PM |, giacomo wrote:
> Hi.
> Here is some other information about the configuration of the mail system.
>
> 1. The mail system uses virtual users.
>
> 2. The postfix main.cf is:
>
> # Enable SASL authentication in the Postfix SMTP server
> smtpd_sasl_auth_enable = yes
> # Postfix 2.3 and later
> #smtpd_sasl_path = smtpd
> # Only accept mail from trusted networks, authenticated clients or mail with
> # a 'RCPT TO' address that Postfix is forwarder or final destination for
> smtpd_recipient_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     reject_unauth_pipelining,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     reject_invalid_hostname,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     reject_unauth_destination,
>     reject_rbl_client bl.spamcop.net,
>     reject_rbl_client zombie.dnsbl.sorbs.net,
>     reject_rbl_client list.dsbl.org,

DSBL is GONE and highly unlikely to return. Please remove it from your mail server configuration. ( 03/09/2009 http://dsbl.org/)

>     reject_rbl_client sbl.spamhaus.org,
>     reject_rbl_client sbl-xbl.spamhaus.org,
>     reject_rbl_client blackholes.easynet.nl,

The blacklists on the easynet.nl domain were discontinued on 1/12/2003 (http://vamsoft.com/company/news/easynet-nl-blacklists-discontinued)

>     reject_rbl_client combined.njabl.org,

njabl.org OFFLINE since 1/3/2013 (http://www.dnsbl.info/dnsbl-njabl-org.php)

>     reject_rbl_client dul.dnsbl.sorbs.net,
>     permit

Join the Postfix users mailing list (http://www.postfix.org/lists.html)

Send them a problem description & the output of both:

$ postconf -nf
$ postconf -Mf

Sorry I can't help further as I don't use SSL with SMTP as it can't be enforced throughout a message's life - therefore I consider it a false sense of security.
Re: Postfix and SASL authentication.
On 25.08.14, 10:06, Craig R. Skinner wrote:
> DSBL is GONE and highly unlikely to return. Please remove it from your mail server configuration. ( 03/09/2009 http://dsbl.org/)
>
> >     reject_rbl_client sbl.spamhaus.org,
> >     reject_rbl_client sbl-xbl.spamhaus.org,
> >     reject_rbl_client blackholes.easynet.nl,
>
> The blacklists on the easynet.nl domain were discontinued on 1/12/2003 (http://vamsoft.com/company/news/easynet-nl-blacklists-discontinued)
>
> >     reject_rbl_client combined.njabl.org,
>
> njabl.org OFFLINE since 1/3/2013 (http://www.dnsbl.info/dnsbl-njabl-org.php)
>
> >     reject_rbl_client dul.dnsbl.sorbs.net,
> >     permit
>
> Join the Postfix users mailing list (http://www.postfix.org/lists.html)

OK! I'm sorry, but I found those options in an old configuration. I'll delete them.

> Send them a problem description & the output of both:
>
> $ postconf -nf

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
header_checks = pcre:/etc/postfix/header_checks
html_directory = /usr/local/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = _postfix
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = domain.com
myhostname = mail2.domain.com
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 192.168.3.0/24
myorigin = $myhostname
newaliases_path = /usr/local/sbin/newaliases
qdeliver_destination_concurrency_limit = 1
qdeliver_destination_recipient_limit = 1
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
relay_domains = $mydestination
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_milters = unix:/var/spool/postfix/var/run/milter-spamd/spamd.sock
    unix:/var/spool/postfix/var/run/milter-clamav/clamav.sock
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_unauth_pipelining,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_invalid_hostname, reject_non_fqdn_sender,
    reject_unknown_sender_domain, reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client combined.njabl.org,
    reject_rbl_client dul.dnsbl.sorbs.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options =
smtpd_tls_CAfile = /etc/ssl/ca.crt
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/private/server.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailboxes.cf
virtual_minimum_uid = 2000
virtual_transport = qdeliver
virtual_uid_maps = static:2000

> $ postconf -Mf

smtp       inet  n       -       n       -       -       smtpd
smtps      inet  n       -       -       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       -       60      1       pickup
cleanup    unix  n       -       -       -       0       cleanup
qmgr       unix  n       -       -       300     1       qmgr
tlsmgr     unix  -       -       -       1000?   1       tlsmgr
rewrite    unix  -       -       -       -       -       trivial-rewrite
bounce     unix  -       -       -       -       0       bounce
defer      unix  -       -       -       -       0       bounce
trace      unix  -       -       -       -       0       bounce
verify     unix  -       -       -       -       1       verify
flush      unix  n       -       -       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       -       -       -       smtp
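An added example (not part of either poster's configuration or of Postfix itself) that turns the points raised in this exchange and in the reply quoted at its top into a check that can be run against a `postconf -n` dump: the three retired DNSBL zones named in the reply, the `reject_unauth_destination` entry listed twice, the explicitly empty `smtpd_sasl_security_options` (which removes Postfix's default `noanonymous`), and `smtpd_tls_security_level = may` with nothing stopping AUTH PLAIN/LOGIN from being announced before STARTTLS on port 25, which is exactly what the EHLO transcript in the original post shows. `SAMPLE_POSTCONF` is cut down from the output posted above; `DEAD_RBLS` is taken from the reply; the finding codes are invented for this example; the Postfix parameters set in `harden()` (`smtpd_tls_auth_only`, `smtpd_sasl_security_options`, `smtpd_sasl_tls_security_options`) are real ones.

```python
"""Audit the SASL/TLS related settings in a 'postconf -n' dump.

Added example for the thread; not Craig's or Luciano's code. SAMPLE_POSTCONF is
cut down from the output posted above; DEAD_RBLS lists the zones the reply says
have shut down. The Postfix parameter names are real; the finding codes are ours.
"""
from typing import Dict, List

SAMPLE_POSTCONF = """\
broken_sasl_auth_clients = yes
inet_interfaces = all
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client combined.njabl.org, reject_rbl_client dul.dnsbl.sorbs.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options =
smtpd_tls_security_level = may
"""

# Zones reported dead in the thread: dsbl.org (2009), easynet.nl (2003), njabl.org (2013).
DEAD_RBLS = {"list.dsbl.org", "blackholes.easynet.nl", "combined.njabl.org"}


def parse_postconf(text: str) -> Dict[str, str]:
    """'postconf -n' prints one 'name = value' per line; values may be empty."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, _, value = line.partition("=")
            conf[name.strip()] = value.strip()
    return conf


def _csv(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def audit(conf: Dict[str, str]) -> List[str]:
    """Return finding codes (our own labels) for the weak settings seen in the thread."""
    findings: List[str] = []
    if conf.get("smtpd_sasl_auth_enable", "no") == "yes":
        # Postfix's default is 'noanonymous'; an explicitly empty value removes even that.
        opts = set(_csv(conf.get("smtpd_sasl_security_options", "noanonymous")))
        if "noanonymous" not in opts:
            findings.append("SASL_ANONYMOUS_ALLOWED")
        # PLAIN/LOGIN are announced before STARTTLS unless plaintext mechanisms are
        # disabled or AUTH is withheld until the session is encrypted.
        if "noplaintext" not in opts and conf.get("smtpd_tls_auth_only", "no") != "yes":
            findings.append("PLAINTEXT_AUTH_WITHOUT_TLS")
        if conf.get("smtpd_tls_security_level", "none") in ("", "none"):
            findings.append("STARTTLS_NOT_OFFERED")
    seen = set()
    for rule in _csv(conf.get("smtpd_recipient_restrictions", "")):
        if rule in seen:
            findings.append(f"DUPLICATE_RESTRICTION:{rule}")
        seen.add(rule)
        if rule.startswith("reject_rbl_client "):
            zone = rule.split(None, 1)[1]
            if zone in DEAD_RBLS:
                findings.append(f"DEAD_RBL:{zone}")
    return findings


def harden(conf: Dict[str, str]) -> Dict[str, str]:
    """The corrected settings beside the weak ones: same listener, credentials only inside TLS."""
    fixed = dict(conf)
    fixed["smtpd_sasl_security_options"] = "noanonymous, noplaintext"
    fixed["smtpd_sasl_tls_security_options"] = "noanonymous"  # PLAIN/LOGIN allowed once TLS is up
    fixed["smtpd_tls_auth_only"] = "yes"
    if fixed.get("smtpd_tls_security_level", "none") in ("", "none"):
        fixed["smtpd_tls_security_level"] = "may"  # opportunistic on port 25 so other MTAs still deliver
    rules: List[str] = []
    for rule in _csv(conf.get("smtpd_recipient_restrictions", "")):
        zone = rule.split(None, 1)[1] if rule.startswith("reject_rbl_client ") else None
        if rule not in rules and zone not in DEAD_RBLS:
            rules.append(rule)
    fixed["smtpd_recipient_restrictions"] = ", ".join(rules)
    return fixed


if __name__ == "__main__":
    conf = parse_postconf(SAMPLE_POSTCONF)
    for finding in audit(conf):
        print("WEAK:", finding)
    print("after harden():", audit(harden(conf)) or "no findings")
```

The posted master.cf `smtps` entry is wrapper-mode TLS, so port 465 is not the exposed listener; the exposure is the port 25 `smtpd` where `smtpd_tls_security_level = may` and `AUTH PLAIN LOGIN` appear in the same EHLO response. `harden()` deliberately keeps TLS opportunistic on that port and instead withholds AUTH until STARTTLS has completed. One thing to check separately in the posted smtpd.conf: `authdaemond_path` is only consulted when `pwcheck_method: authdaemond`; with `pwcheck_method: saslauthd` it is ignored and a running saslauthd is what answers the password check.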
Re: Postfix and SASL authentication.
Hi.
Here is some other information about the configuration of the mail system.

1. The mail system uses virtual users.

2. The postfix main.cf is:

# Enable SASL authentication in the Postfix SMTP server
smtpd_sasl_auth_enable = yes
# Postfix 2.3 and later
#smtpd_sasl_path = smtpd
# Only accept mail from trusted networks, authenticated clients or mail with
# a 'RCPT TO' address that Postfix is forwarder or final destination for
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client combined.njabl.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
# Enable inter-operability with old SMTP clients
broken_sasl_auth_clients = yes
# Name of the Postfix SMTP server's local SASL authentication realm
smtpd_sasl_local_domain = $mydomain
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#smtpd_sasl_security_options = noanonymous
smtpd_sasl_security_options =
# Quota and delivery
virtual_transport = qdeliver
qdeliver_destination_concurrency_limit = 1
qdeliver_destination_recipient_limit = 1

3. The master.cf is:

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

4. The /var/local/lib/sasl2/smtpd.conf is:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
#authdaemond_path: /var/sasl2/socket
authdaemond_path: /var/run/courier-auth/socket
log_level: 7

Thanks.
Luciano.

On 22.08.14, 16:23, giacomo wrote:
> Hello everyone.
> I recently created a mail server based on Postfix with MySQL and SASL authentication and TLS.
> I have problems using SASL authentication. The errors are:
>
> telnet 192.168.1.242 25
> Trying 192.168.1.242...
> Connected to 192.168.1.242.
> Escape character is '^]'.
> 220 mail2.domain.com ESMTP Postfix
> ehlo tin.it
> 250-mail2.domain.com
> 250-PIPELINING
> 250-SIZE 1024
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> AUTH PLAIN AGQubGlzYWlhQGdydXBwb2lzaWwuY29tAGxpc2FpYQ==
> 535 5.7.8 Error: authentication failed: generic failure
>
> /var/maillog
> Jul  5 23:11:19 mail2 postfix/smtpd[3717]: warning: SASL authentication failure: could not verify password
> Jul  5 23:11:19 mail2 postfix/smtpd[3717]: warning: SASL authentication failure: Password verification failed
> Jul  5 23:11:19 mail2 postfix/smtpd[3717]: warning: unknown[192.168.1.248]: SASL PLAIN authentication failed: generic failure
>
> System OpenBSD v. 5.5
>
> Packages:
> courier-authlib-0.65.0p2
> courier-authlib-mysql-0.65.0p5
> courier-imap-4.13p0
> courier-pop3-4.13p0
> cyrus-sasl-2.1.26p10-mysql
> mysql-client-5.1.73v0
> mysql-server-5.1.73v0
>
> Port: postfix-2.12.20140109-sasl2-mysql (compiled to enable SASL and MySQL)
>
> In the old version of OpenBSD it seemed to work.
>
> Any suggestions?
> Thanks.
>
> --
> Isaia Luciano
Postfix and SASL authentication.
Hello everyone.
I recently created a mail server based on Postfix with MySQL and SASL authentication and TLS.
I have problems using SASL authentication. The errors are:

telnet 192.168.1.242 25
Trying 192.168.1.242...
Connected to 192.168.1.242.
Escape character is '^]'.
220 mail2.domain.com ESMTP Postfix
ehlo tin.it
250-mail2.domain.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AGQubGlzYWlhQGdydXBwb2lzaWwuY29tAGxpc2FpYQ==
535 5.7.8 Error: authentication failed: generic failure

/var/maillog
Jul  5 23:11:19 mail2 postfix/smtpd[3717]: warning: SASL authentication failure: could not verify password
Jul  5 23:11:19 mail2 postfix/smtpd[3717]: warning: SASL authentication failure: Password verification failed
Jul  5 23:11:19 mail2 postfix/smtpd[3717]: warning: unknown[192.168.1.248]: SASL PLAIN authentication failed: generic failure

System OpenBSD v. 5.5

Packages:
courier-authlib-0.65.0p2
courier-authlib-mysql-0.65.0p5
courier-imap-4.13p0
courier-pop3-4.13p0
cyrus-sasl-2.1.26p10-mysql
mysql-client-5.1.73v0
mysql-server-5.1.73v0

Port: postfix-2.12.20140109-sasl2-mysql (compiled to enable SASL and MySQL)

In the old version of OpenBSD it seemed to work.

Any suggestions?
Thanks.

--
Isaia Luciano
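The maillog lines in the post above, used as input to an added triage example (not code from the post or from Postfix). Postfix smtpd logs two different kinds of line under `warning:` here: `SASL authentication failure: ...` carries no client address and comes from the SASL library / password-verifier layer, while `unknown[ip]: SASL PLAIN authentication failed: ...` is per client and is also what a password-guessing run against port 25 or 587 looks like. The first three `SAMPLE_LOG` lines are the posted ones; the remaining failures and the successful `client=... sasl_method=... sasl_username=` record are constructed to show the contrast, with the rule that when every client is failing you look at saslauthd/authdaemond rather than at the clients, and when one client fails repeatedly and then succeeds you look at that account.

```python
"""Triage Postfix smtpd SASL log lines: verifier-side warnings vs. per-client failures.

Added example; not code from the original post. The first three SAMPLE_LOG lines
are the ones posted; the rest are constructed to show what a guessing run and a
success-after-failures look like in the same log format.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

SAMPLE_LOG = """\
Jul  5 23:11:19 mail2 postfix/smtpd[3717]: warning: SASL authentication failure: could not verify password
Jul  5 23:11:19 mail2 postfix/smtpd[3717]: warning: SASL authentication failure: Password verification failed
Jul  5 23:11:19 mail2 postfix/smtpd[3717]: warning: unknown[192.168.1.248]: SASL PLAIN authentication failed: generic failure
Jul  5 23:14:02 mail2 postfix/smtpd[3720]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul  5 23:14:05 mail2 postfix/smtpd[3720]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul  5 23:14:09 mail2 postfix/smtpd[3720]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jul  5 23:14:12 mail2 postfix/smtpd[3721]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jul  5 23:14:16 mail2 postfix/smtpd[3721]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Jul  5 23:14:20 mail2 postfix/smtpd[3721]: 4F3E2D1C0B: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice@domain.com
"""

# Common syslog prefix: "Mon DD HH:MM:SS host postfix/smtpd[pid]: "
_PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
# Per-client failure: carries the client's reverse name, IP and the mechanism it tried.
CLIENT_FAIL = re.compile(_PREFIX + r"warning: (?P<rdns>[^\[\s]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
                         r"SASL (?P<mech>\S+) authentication failed: (?P<reason>.*)$")
# Verifier-side warning: no client address, logged by the SASL library layer.
VERIFIER_WARN = re.compile(_PREFIX + r"warning: SASL authentication failure: (?P<reason>.*)$")
# A successful AUTH is only visible on the queue-id 'client=' record.
AUTH_OK = re.compile(_PREFIX + r"\w+: client=(?P<rdns>[^\[\s]+)\[(?P<ip>[0-9a-fA-F.:]+)\], "
                     r"sasl_method=(?P<mech>\S+), sasl_username=(?P<user>\S+)")


def summarize(lines: Iterable[str]) -> Dict:
    """Single pass over the log, producing the counters the rules below act on."""
    failures: Counter = Counter()        # ip -> failed attempts so far
    mechs: Counter = Counter()           # mechanism named in failures
    verifier: List[str] = []             # reasons from verifier-side warnings
    logins: Dict[str, List[Tuple[str, int]]] = defaultdict(list)  # ip -> [(user, prior failures)]
    for line in lines:
        if (m := VERIFIER_WARN.match(line)):
            verifier.append(m["reason"])
        elif (m := CLIENT_FAIL.match(line)):
            failures[m["ip"]] += 1
            mechs[m["mech"]] += 1
        elif (m := AUTH_OK.match(line)):
            logins[m["ip"]].append((m["user"], failures[m["ip"]]))
    return {"failures": failures, "mechs": mechs, "verifier_warnings": verifier, "logins": logins}


def guessing_clients(summary: Dict, threshold: int = 4) -> List[str]:
    """IPs with at least `threshold` failed AUTH attempts in the window."""
    return sorted(ip for ip, n in summary["failures"].items() if n >= threshold)


def suspicious_logins(summary: Dict, threshold: int = 4) -> List[Tuple[str, str]]:
    """A successful AUTH from an IP that had already failed `threshold` times: the
    guessing run that a plain failure count stops seeing once it succeeds."""
    return [(ip, user) for ip, entries in summary["logins"].items()
            for user, prior in entries if prior >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("verifier-side warnings (look at saslauthd/authdaemond, not the clients):", s["verifier_warnings"])
    print("failures per client:", dict(s["failures"]))
    print("mechanisms attempted:", dict(s["mechs"]))
    print("guessing clients:", guessing_clients(s))
    print("logins after repeated failures:", suspicious_logins(s))
```

Feed it `grep 'postfix/smtpd' /var/log/maillog` for a real window; the threshold is a starting point, not a tuned value. Note that Postfix does not log the username on a failed attempt, only on the successful `client=` record, which is why the success-after-failures rule is the one that names an account.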