Linode Forum
https://forum.linode.com/

can't get smtp auth in postfix
https://forum.linode.com/viewtopic.php?f=11&t=8077		 Page 1 of 1
Author:  kp_mastermind [ Sat Nov 19, 2011 10:35 am ]
Post subject:  can't get smtp auth in postfix
Command: telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 terabug.terabug.com ESMTP Postfix (Ubuntu)
ehlo localhost
250-terabug.terabug.com
250-PIPELINING
250-SIZE 30720000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


I have done all sasl setting files as per this guide:
http://library.linode.com/email/postfix ... 0.04-lucid

Dovecot was having error yesterday, somehow it got fixed. Dovecot is working fine ( I guess because of I installed dovecot-postfix)

My sasl files:
/etc/default/saslauthd
Code:
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"


file:/etc/pam.d/smtp
Code:
auth    required   pam_mysql.so user=mail_admin passwd=mail_admin_pass host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mail_admin passwd=mail_admin_pass  host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1


file:/etc/postfix/sasl/smtpd.conf
Code:
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mail_admin
sql_passwd: mail_admin_pass
sql_database: mail
sql_select: select password from users where email = '%u'


file:/etc/postfix/master.cf
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  inet_interfaces = all 
  #  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
   -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix   -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}


file:/etc/postfix/main.cf
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = terabug.terabug.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = terabug.terabug.com, localhost, localhost.localdomain
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
message_size_limit = 30720000
virtual_alias_domains = 
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_local_domain = $myhostname
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom


file:/etc/dovecot/dovecot.conf
Code:
protocols = imap imaps pop3 pop3s
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/home/vmail/%d/%n/Maildir

ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem

namespace private {
    separator = .
    prefix = INBOX.
    inbox = yes
}

protocol lda {
    log_path = /home/vmail/dovecot-deliver.log
    auth_socket_path = /var/run/dovecot/auth-master
    postmaster_address = postmaster@terabug.com
    mail_plugins = sieve
    #global_script_path = /home/vmail/globalsieverc
}

protocol pop3 {
    pop3_uidl_format = %08Xu%08Xv
}

auth default {
    user = root

    passdb sql {
        args = /etc/dovecot/dovecot-sql.conf
    }

    userdb static {
        args = uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
    }

    socket listen {
        master {
            path = /var/run/dovecot/auth-master
            mode = 0600
            user = vmail
        }

        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }
}


Please let me know steps to get
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
in smtp outgoing mail. Thanks in advance.
Author:  derfy [ Sat Nov 19, 2011 11:12 am ]
Post subject: 
You *might* be ok; my server won't display SASL options until a remote server tries to STARTTLS, and you've got that handled:
Quote:
derfy@derfy:~$ openssl s_client -starttls smtp -crlf -connect terabug.terabug.com:25
CONNECTED(00000003)
depth=0 /C=IN/ST=Gujarat/L=Ahmedabad/O=TeraBug/OU=Email Services/CN=terabug.terabug.com/emailAddress=<snip for spam>
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IN/ST=Gujarat/L=Ahmedabad/O=TeraBug/OU=Email Services/CN=terabug.terabug.com/emailAddress=<snip for spam>
verify return:1
---
Certificate chain
0 s:/C=IN/ST=Gujarat/L=Ahmedabad/O=TeraBug/OU=Email Services/CN=terabug.terabug.com/emailAddress=<snip for spam>
i:/C=IN/ST=Gujarat/L=Ahmedabad/O=TeraBug/OU=Email Services/CN=terabug.terabug.com/emailAddress=<snip for spam>
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEETCCAvmgAwIBAgIJALkz1oDOPUbNMA0GCSqGSIb3DQEBBQUAMIGeMQswCQYD
VQQGEwJJTjEQMA4GA1UECAwHR3VqYXJhdDESMBAGA1UEBwwJQWhtZWRhYmFkMRAw
DgYDVQQKDAdUZXJhQnVnMRcwFQYDVQQLDA5FbWFpbCBTZXJ2aWNlczEcMBoGA1UE
AwwTdGVyYWJ1Zy50ZXJhYnVnLmNvbTEgMB4GCSqGSIb3DQEJARYRa3VuYWxAdGVy
YWJ1Zy5jb20wHhcNMTExMTE5MTE1NzI5WhcNMTIxMTE4MTE1NzI5WjCBnjELMAkG
A1UEBhMCSU4xEDAOBgNVBAgMB0d1amFyYXQxEjAQBgNVBAcMCUFobWVkYWJhZDEQ
MA4GA1UECgwHVGVyYUJ1ZzEXMBUGA1UECwwORW1haWwgU2VydmljZXMxHDAaBgNV
BAMME3RlcmFidWcudGVyYWJ1Zy5jb20xIDAeBgkqhkiG9w0BCQEWEWt1bmFsQHRl
cmFidWcuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0cAyEip1
w7P5f7wuibfzQUsPt5cPTgA0TDXUdlWsgoqunt+cAvQNO5lQCVBkdrhqAu61espb
ZZt7MFWkxszz009jZl6Mnce0ljaJYfbOkfxL5q0Gy8SSW4jgZcFnk/sIy6uwmZJv
sJc79Ng4i07Xlx2jyVdLA0BXslPUP1rMEbgNzvdb7TjmiQVG8D2BMv1z/sBlyyv2
TILLTLY5Nh+xCRzgCoO2W1/oD6yp8/6NwkstHlS76N/wCXizaTipfu6jjqQWNoVF
Nyzpm7/GZihrcsPoXNE325ZRiCPWNsqegMDWcoHASEYx2fckQYz5tvt3Wx7dv4o1
oe8EmynCtcRytwIDAQABo1AwTjAdBgNVHQ4EFgQUyRE2c6SNSLIk2cRC5qCHdZ2L
uBAwHwYDVR0jBBgwFoAUyRE2c6SNSLIk2cRC5qCHdZ2LuBAwDAYDVR0TBAUwAwEB
/zANBgkqhkiG9w0BAQUFAAOCAQEARpvCZpqsJdOFHsM+3pN57WaEdrWGxSqb8wy8
4NaIMJRxhZ6Fy1ly2Zz3/ItHHqnwACRMKUVsVg380M9fApHBmCKrWc33oz6/syRr
uYRwNybzXR+4UJM9JhBd3u7pVsIM6Wbf69I6+1J3P/CZYI7Ok7VBTAG7VwKB0RQz
91icJA8qoEM9ir4cvlURX8lkEbkYbGryqEdyBs/RuW/wOqA4Y19wI5OTXazfKzym
pm62MPcS0odGXWj7mCf9oXJ5z0k53RJLLE5sL2H3QhZ4DC8Z9gs9xxO7WqF1oPu8
qp8MPtXRKrG1+pQIt1bx0J908MlYf4z+EvGGQmSRxva/gNnZyA==
-----END CERTIFICATE-----
subject=/C=IN/ST=Gujarat/L=Ahmedabad/O=TeraBug/OU=Email Services/CN=terabug.terabug.com/emailAddress=<snip for spam>
issuer=/C=IN/ST=Gujarat/L=Ahmedabad/O=TeraBug/OU=Email Services/CN=terabug.terabug.com/emailAddress=<snip for spam>
---
No client certificate CA names sent
---
SSL handshake has read 1964 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 254552E12B923EA82F9AD59F505E096A3A02B5A54F1B081E9F20C3BAC3022E64
Session-ID-ctx:
Master-Key: EBA91626733D04272F74601CAD8FD47CAE3739816AA51BC5F98A9F5C1159BB4FFEDBC02F80A982035F4DC45D0879085B
Key-Arg : None
Start Time: 1321715217
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250 DSN
ehread:errno=0
derfy@derfy:~$

However, you'll probably want to wait until someone more qualified can help. :)
Author:  kp_mastermind [ Sat Nov 19, 2011 11:19 am ]
Post subject: 
Is this means anyone can send mail from my server?
When I send a mail from windows live mail it does not ask/promote from login id password.
It gives me following relay error
Code:
The message could not be sent. The setting for your outgoing email [SMTP] server might need to be configured. To find the server settings for 'a***d@k**s**ts.com', please contact your email service provider.

Subject 'hey999'
Server Error: 554
Server Response: 554 5.7.1 <a***d@k**s**ts.com>: Relay access denied
Server: 'terabug.terabug.com'
Windows Live Mail Error ID: 0x800CCC79
Protocol: SMTP
Port: 25
Secure(SSL): No
Author:  derfy [ Sat Nov 19, 2011 11:30 am ]
Post subject: 
Try setting it to use port 465 and/or TLS on port 25 in Windows Live Mail (I do not use it so have no idea how). From the log you posted, it looks like it's not even trying to STARTTLS.
Author:  kp_mastermind [ Sat Nov 19, 2011 11:36 am ]
Post subject: 
Tried to set Secured connection. Connection got rejected.
Tried to change port. Connection got rejected.
ehlo localhost is not showing
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
so sasl is not set.

Also tell me is this mean anyone can send mail using my server?
Author:  derfy [ Sat Nov 19, 2011 4:01 pm ]
Post subject: 
http://www.postfix.org/TLS_README.html wrote:
Supporting AUTH over TLS only

Sending AUTH data over an unencrypted channel poses a security risk. When TLS layer encryption is required ("smtpd_tls_security_level = encrypt" or the obsolete "smtpd_enforce_tls = yes"), the Postfix SMTP server will announce and accept AUTH only after the TLS layer has been activated with STARTTLS. When TLS layer encryption is optional ("smtpd_tls_security_level = may" or the obsolete "smtpd_enforce_tls = no"), it may however still be useful to only offer AUTH when TLS is active. To maintain compatibility with non-TLS clients, the default is to accept AUTH without encryption. In order to change this behavior, set "smtpd_tls_auth_only = yes".

By your first post, you do have this set and as such, the postfix server will not announce 250 AUTH... without a STARTTLS.

Your master.cf shows that submission/smtps is functional; however you may need to open these ports in your firewall.

Also no, your server cannot be used to relay (unless of course you or your users have easily crackable username/passwords)
Author:  kp_mastermind [ Sun Nov 20, 2011 9:03 am ]
Post subject: 
Someone please help me. Tried everything but didn't help.
Can't send mail from Live mail client. Please go through all posts.
Page 1 of 1 All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/