David Fitch wrote:
O Plameras wrote:


The ff. are the suggested configurations:

1. smtp.conf may have:
pwcheck_method:saslauthd
mech_list: plain login


# cat sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
#log_level: 7
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux


2. /etc/default/saslauthd shall have:
<snipped>
MECHANISMS=shadow
</snipped>


# cat /etc/default/saslauthd
START=yes
MECHANISMS="shadow"
PARAMS="-m /var/spool/postfix/var/run/saslauthd"


3. /etc/postfix/main.cf shall have the ff:
mydomain=<yourdomain>
myhostname=<yourhostname>
mynetworks=192.168.1.0/24,127.0.0.0/8


I have mynetworks commented out, so using the default as
I want it to listen on all interfaces anyway (incl ippp0)

alias_maps=hash:/etc/postfix/aliases
alias_database=hash:/etc/postfix/aliases
#
# enable sasl support
smtpd_sasl_auth_enable=yes
smtpd_sasl_security_options=noanonymous
smtpd_sasl_local_domain=$myhostname
broken_sasl_auth_clients=yes
# search for relay_domains, then add
smtpd_recipient_restrictions=
  permit_sasl_authenticated,
  permit_mynetworks,
  check_relay_domains
# tls support
smtpd_use_tls=yes
smtpd_tls_auth_only=yes
smtpd_tls_cert_file=/etc/postfix/servercrt.pem
smtpd_tls_key_file=/etc/postfix/serverkey.pem
smtpd_tls_CAfile=/etc/postfix/cacert.pem
smtpd_tls_loglevel=3
smtpd_tls_received_header=yes
smtpd_tls_session_cache_timeout=3600s
tls_random_source=dev:/dev/urandom


got all that


The above setup will show this.
# telnet localhost 25; ehlo localhost, will show:
[EMAIL PROTECTED] RPMS]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 hdtv.noy.com.au ESMTP Postfix
ehlo hdtv
250-hdtv.noy.com.au
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME


yep


I can comment out
# smtpd_tls_auth_only=yes
and 'telnet localhost 25' and
'ehlo localhost' will show:
[EMAIL PROTECTED] RPMS]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 hdtv.noy.com.au ESMTP Postfix
ehlo hdtv
250-hdtv.noy.com.au
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME


yep, except for me it's:
AUTH LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5


This is strange. What displays here is controlled by 'smtp.conf' and '#smtpd_tls_auth_only=yes'.

# cat sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

AUTH PLAIN LOGIN

should be listed and no more. I can't explain this.
Something is wrong somewhere.

As a matter of fact, CRAM-MD5, GSSAPI, and DIGEST-MD5 shouldn't
be used at all in your case because you are already using TLS.
TLS and any one of these are mutually exclusive. You use TLS
or one of these.



I set up postfix, TLS, and SASL this morning to test.

BTW, I am using TLS and SASL on sendmail-MTA in my
network. I find it easier to set up and maintain
compared to postfix because I have to deal with
only one file to re-configure. This file
is 'sendmail.mc'.


I dislike sendmail and much prefer postfix, anyway...

the above settings all work, and my mailserver keeps functioning
accepting normal mail and so on.  Problem is I still can't
relay through it remotely.


I think it is your,

inet_interfaces = localhost

You're telling postfix to accept 'SMTP' connections from 'localhost'
only.

Consult README and change 'localhost' to something else.

I dialed in via another ISP like as if I was "on the road"
and trying to send mail out through my mailserver.  Note
I can connect with imaps and receive fine.

I'm using thunderbird, first I set the smtp server settings
to use tls but didn't tick "use name and passwd".


I tried a number of mail-clients. One of them is 'thunderbird' and they all work. For thunderbird the setting is:

Tools->Account Settings->Outgoing Server(SMTP)

Tick username and password
Tick TLS for 'Use secure connection:'. Not SSL.


errors are:

May 5 21:01:12 gw postfix/smtpd[15992]: connect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
May 5 21:01:29 gw postfix/smtpd[15992]: warning: support for restriction "reject_maps_rbl" will be removed from Postfix; use "reject_rbl_client domain-name" instead
May 5 21:01:34 gw postfix/smtpd[15992]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead
May 5 21:01:34 gw postfix/smtpd[15992]: NOQUEUE: reject: RCPT from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: 554 <[EMAIL PROTECTED]>: Recipient address rejected: Relay access denied; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP helo=<[203.217.6.209]>
May 5 21:01:43 gw postfix/smtpd[15992]: lost connection after RCPT from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
May 5 21:01:43 gw postfix/smtpd[15992]: disconnect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]



So then I ticked the "use name and passwd" box and entered my username "davidf". It kept popping up a box asking for my passwd, which I entered.

errors are:

May 5 21:02:13 gw postfix/smtpd[15992]: connect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
May 5 21:02:34 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
May 5 21:02:35 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
May 5 21:02:35 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL PLAIN authentication failed
May 5 21:02:39 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
May 5 21:02:39 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL LOGIN authentication failed
May 5 21:02:50 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
May 5 21:02:51 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
May 5 21:02:51 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL PLAIN authentication failed
May 5 21:02:55 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
May 5 21:02:55 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL LOGIN authentication failed
May 5 21:03:06 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
May 5 21:03:07 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
May 5 21:03:07 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL PLAIN authentication failed
May 5 21:03:11 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
May 5 21:03:11 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL LOGIN authentication failed
May 5 21:03:19 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
May 5 21:03:19 gw postfix/smtpd[15992]: too many errors after AUTH from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]
May 5 21:03:19 gw postfix/smtpd[15992]: disconnect from 203-217-6-209.dyn.iinet.net.au[203.217.6.209]


(I'm not ticking the "ssl" box, cos then it uses port 465)

Try ticking 'TLS'.



Dave.

-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
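
The mismatch discussed in this thread (a mech_list of "plain login" while the server advertises five mechanisms) and the per-mechanism failures in the log can be checked mechanically. The following is an added example, not part of the original messages; the EHLO reply is constructed around the AUTH line reported in the thread, and the host name gw.example.org is a placeholder.

```python
import re
from collections import Counter

# smtpd.conf exactly as posted in the thread.
SMTPD_CONF = """\
pwcheck_method: saslauthd
mech_list: plain login
#log_level: 7
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
"""
# Constructed EHLO reply; only the AUTH mechanisms come from the thread.
EHLO_REPLY = """\
250-gw.example.org
250-STARTTLS
250-AUTH LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5
250 8BITMIME
"""
# Three of the log lines quoted in the thread.
LOG = """\
May 5 21:02:34 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5 authentication failed
May 5 21:02:35 gw postfix/smtpd[15992]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
May 5 21:02:35 gw postfix/smtpd[15992]: warning: 203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL PLAIN authentication failed
"""

def configured_mechs(conf_text):
    """Mechanisms named on the mech_list line, upper-cased; empty set if absent."""
    for line in conf_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mech_list":
            return {m.upper() for m in value.split()}
    return set()

def advertised_mechs(ehlo_text):
    """Mechanisms from '250-AUTH ...' and the legacy '250-AUTH=...' lines."""
    mechs = set()
    for line in ehlo_text.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.I)
        if m:
            mechs.update(x.upper() for x in m.group(1).split())
    return mechs

def unexpected_mechs(conf_text, ehlo_text):
    """Mechanisms the server offers that mech_list does not allow."""
    return sorted(advertised_mechs(ehlo_text) - configured_mechs(conf_text))

def sasl_failures(log_text):
    """Count 'SASL <mech> authentication failed' warnings per mechanism."""
    return Counter(re.findall(r"SASL (\S+) authentication failed", log_text))
```

A non-empty result from unexpected_mechs means the running smtpd is not honouring the posted mech_list.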
