I received an email asking how to check whether TLS/PLAIN auth works, since there are several mail clients with various setup procedures. So it is difficult to tell whether it is the mail client that is not working or the postfix setup that has a problem.
To separate problems with mail clients from problems with the mail server, this is the procedure I follow to test a postfix smtp server (or sendmail smtp server):
create a test-user:
# useradd testuser
# passwd testuser testpass
Create the Base64 encoding for the user/pass combination (authzid, authcid and password separated by NUL bytes; note '\0', not '\t', before the password):
# printf 'testuser\0testuser\0testpass' | mmencode
dGVzdHVzZXIAdGVzdHVzZXIAdGVzdHBhc3M=
[EMAIL PROTECTED] mail]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 otr.noy.com.au ESMTP Sendmail 8.13.1/8.13.1; Thu, 5 May 2005 20:59:49+1000
ehlo hdtv
250-otr.noy.com.au Hello otr.noy.com.au [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
AUTH PLAIN dGVzdHVzZXIAdGVzdHVzZXIAdGVzdHBhc3M=
235 2.0.0 OK Authenticated
O Plameras wrote:
David Fitch wrote:
O Plameras wrote:
What does this show when you do this on your postfix server?
the AUTH stuff is there:
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail ESMTP Postfix
ehlo localhost
250-mail
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5
250-AUTH=LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
The above listings just confirm that your OPENSSL and CYRUS-SASL2 are working correctly. Now you just concentrate on setting up postfix. You just need to change a few things in your postfix setup.
The following are the suggested configurations:
1. smtp.conf may have:
pwcheck_method: saslauthd
mech_list: plain login
2. /etc/default/saslauthd shall have:
<snipped>
MECHANISMS=shadow
</snipped>
3. /etc/postfix/main.cf shall have the following:
mydomain=<yourdomain>
myhostname=<yourhostname>
mynetworks=192.168.1.0/24,127.0.0.0/8
alias_maps=hash:/etc/postfix/aliases
alias_database=hash:/etc/postfix/aliases
#
# enable sasl support
smtpd_sasl_auth_enable=yes
smtpd_sasl_security_options=noanonymous
smtpd_sasl_local_domain=$myhostname
broken_sasl_auth_clients=yes
# search for relay_domains, then add
smtpd_recipient_restrictions=
    permit_sasl_authenticated,
    permit_mynetworks,
    check_relay_domains
# tls support
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_tls_cert_file=/etc/postfix/servercrt.pem
smtpd_tls_key_file=/etc/postfix/serverkey.pem
smtpd_tls_CAfile=/etc/postfix/cacert.pem
smtpd_tls_loglevel=3
smtpd_tls_received_header=yes
smtpd_tls_session_cache_timeout=3600s
tls_random_source=dev:/dev/urandom
The above setup will show this. 'telnet localhost 25' and 'ehlo localhost' will show:
[EMAIL PROTECTED] RPMS]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 hdtv.noy.com.au ESMTP Postfix
ehlo hdtv
250-hdtv.noy.com.au
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
I can comment out smtpd_tls_auth_only=yes (# smtpd_tls_auth_only=yes), and then 'telnet localhost 25' and 'ehlo localhost' will show:
[EMAIL PROTECTED] RPMS]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 hdtv.noy.com.au ESMTP Postfix
ehlo hdtv
250-hdtv.noy.com.au
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
I set up postfix, TLS, and SASL this morning to test.
BTW, I am using TLS and SASL on a sendmail MTA in my network. I find it easier to set up and maintain compared to postfix because I have to deal with only one file to re-configure. This file is 'sendmail.mc'.
Have fun.
O Plameras
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
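The manual test above (build the PLAIN token, read the EHLO reply, check whether AUTH is advertised before or only after STARTTLS) can be scripted. The following is an added example, not code from the post or from Postfix; all function names, the cafile parameter and the two sample EHLO replies (modelled on the listings in the post) are my own constructions.

```python
import base64
import smtplib
import ssl

def plain_initial_response(authcid, passwd, authzid=""):
    """RFC 4616 PLAIN: [authzid] NUL authcid NUL passwd, base64-encoded.
    The printf example in the post fills authzid with the same user name."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(token):
    """Base64 is an encoding, not encryption: anyone on the path can read
    the password back, which is why the post sets smtpd_tls_auth_only=yes."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN token needs exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)

def parse_ehlo(response):
    """Map a multi-line 250 EHLO reply to {KEYWORD: [params]}.
    '250-AUTH=PLAIN LOGIN' (broken_sasl_auth_clients) is merged into AUTH."""
    lines = [l.strip() for l in response.splitlines() if l.strip().startswith("250")]
    caps = {}
    for line in lines[1:]:                      # lines[0] is the greeting hostname
        words = line[4:].replace("=", " ", 1).split()   # drop '250-' / '250 '
        params = caps.setdefault(words[0].upper(), [])
        for p in words[1:]:
            if p not in params:
                params.append(p)
    return caps

def auth_offered_in_clear(response):
    """True if AUTH is advertised on the plaintext EHLO, i.e. before STARTTLS."""
    return "AUTH" in parse_ehlo(response)

def check_auth_over_tls(host, port, user, passwd, cafile=None):
    """Live version of the post's procedure: EHLO, STARTTLS, EHLO, AUTH PLAIN.
    cafile (hypothetical parameter) is the CA that signed the server cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        auth_before = "auth" in s.esmtp_features
        s.starttls(context=ctx)
        s.ehlo()                                # capabilities change after TLS
        auth_after = "auth" in s.esmtp_features
        code, _ = s.docmd("AUTH PLAIN", plain_initial_response(user, passwd))
    return {"auth_before_tls": auth_before, "auth_after_tls": auth_after, "auth_code": code}

# Constructed sample EHLO replies, modelled on the two listings in the post.
EHLO_TLS_AUTH_ONLY = "250-hdtv.noy.com.au\n250-PIPELINING\n250-SIZE 10240000\n250-VRFY\n250-ETRN\n250-STARTTLS\n250 8BITMIME"
EHLO_AUTH_IN_CLEAR = EHLO_TLS_AUTH_ONLY.replace("250 8BITMIME", "250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN\n250 8BITMIME")
```

A healthy smtpd_tls_auth_only=yes server gives auth_before_tls False, auth_after_tls True and auth_code 235 from check_auth_over_tls.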
