I'm working on configuring a mail server on Ubuntu 8.04 using Postfix 2.5.1 and Courier 0.59.0. I don't want to have to open up specific networks for SMTP relaying, so I want my server to require authenticated SMTP sessions. I'm just confused on how to do this. Here's my main.cf file from Postfix:

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = srv1.mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = srv1.mydomain.com, localhost, localhost.localdomain
relayhost = [p3smtpout.secureserver.net]
mynetworks = 127.0.0.0/8 ##.###.##.##/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

I'm really confused, here. I installed the mail server per instructions at http://howtoforge.com/virtual-users-domains-postfix-courier-mysql-squirrelmail-ubuntu8.04.
Elsewhere I was told to look into Cyrus and/or Dovecot, which I did, but the documentation I read wasn't helpful and just left me more confused. Shouldn't this just be a setting in Postfix? The SASL readme advises that I run postconf -a, which comes back with cyrus and dovecot. However I can't find the dovecot.conf file that the readme references (I tried searching the entire server with no luck). The Cyrus part... I'm not sure where to begin. This server is set up with virtual users in a MySQL database. Under the SQL section of the SASL readme, it references a file /etc/sasl2/smtpd.conf. That file doesn't exist on my server, but I do have it under my /etc/postfix/sasl folder. The file contains:

Code:
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: (sql account)
sql_passwd: (sql account's password)
sql_database: mail
sql_select: select password from users where email = '%u'

It seems like getting this enabled is way more complicated than I expected, assuming I'm not on the wrong path. Any help you can provide would be hugely appreciated because I really need to get this thing up and running.
Use

Code:
mynetworks = 127.0.0.0/8

in your main.cf - that way all clients except localhost have to authenticate (except if the recipient is on the server itself).
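
The effect of the mynetworks advice above, as an added example that is not part of the original thread: a small Python audit of main.cf text that lists which clients could still relay without SMTP AUTH. The sample config is constructed from the settings shown in this thread, with 192.0.2.0/24 standing in for the masked network, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample based on the thread's main.cf; 192.0.2.0/24 is a stand-in network.
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.0/8 192.0.2.0/24
smtpd_sasl_auth_enable = yes
# a line starting with whitespace continues the previous parameter
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

def split_list(value):
    return [item for item in re.split(r"[,\s]+", value) if item]

def parse_main_cf(text):
    """Parse 'name = value' lines, skipping comments and joining continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            current = name.strip()
            params[current] = value.strip()  # a later setting overrides an earlier one
    return params

def audit_relay(params):
    """Return findings about who may relay without authenticating."""
    findings = []
    for net in split_list(params.get("mynetworks", "")):
        try:
            literal = net.replace("[", "").replace("]", "")  # Postfix writes [::1]/128
            if not ipaddress.ip_network(literal, strict=False).is_loopback:
                findings.append(f"mynetworks: {net} may relay without authenticating")
        except ValueError:  # file name or lookup table instead of a literal network
            findings.append(f"mynetworks: {net} is not a literal network, check by hand")
    rules = split_list(params.get("smtpd_recipient_restrictions", ""))
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("smtpd_sasl_auth_enable is not 'yes': AUTH is not offered")
    if "reject_unauth_destination" not in rules:
        findings.append("no reject_unauth_destination: possible open relay")
    elif "permit_sasl_authenticated" not in rules[:rules.index("reject_unauth_destination")]:
        findings.append("permit_sasl_authenticated must precede reject_unauth_destination")
    return findings
```

With mynetworks reduced to 127.0.0.0/8 the audit returns no findings; mail addressed to the server's own domains is still accepted unauthenticated because reject_unauth_destination only rejects relaying to other destinations.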
It seems to reject my login credentials. I have the Mail client set to use Password as the authentication method. Username and password are the same that I use to log in for POP and IMAP (user [email protected], same password). In the mail.log file:

Code:
Aug 8 12:10:02 ip-##-###-###-## postfix/smtpd[31991]: connect from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
Aug 8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: warning: SASL authentication failure: Password verification failed
Aug 8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
Aug 8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: lost connection after AUTH from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
Aug 8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: disconnect from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
Apple's Mail client that comes with OS X. The same thing happens when I try to use Outlook 2007 with SMTP authentication enabled.

Code:
Aug 9 08:26:58 ip-##-###-###-## postfix/smtpd[3506]: connect from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
Aug 9 08:27:01 ip-##-###-###-## postfix/smtpd[3506]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL LOGIN authentication failed: authentication failure
Aug 9 08:27:01 ip-##-###-###-## postfix/smtpd[3506]: lost connection after AUTH from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
Aug 9 08:27:01 ip-##-###-###-## postfix/smtpd[3506]: disconnect from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]

Under the Outgoing Server tab on the account's configuration in Outlook, I have the following set:

My outgoing server requires authentication
Log on using
User Name: [email protected]
Password: same password as used for POP3/IMAP
Require Secure Password Authentication is unchecked.

Running testsaslauthd from the server produces an error, so I'm thinking SASL isn't working for some reason:

Code:
testsaslauthd -u [email protected] -p MyPassword
connect() : No such file or directory

I don't know if this helps any, but when I telnet to port 25 on the server and EHLO, it shows login plain on the output:
Not in mail.log. The only SASL-related thing I see in mail.log is when I try to connect with SMTP and it gives the warning about authentication failing:

There is a file under /var/log named mail.err.0 which contains this:

Code:
Aug 1 11:23:23 ip-##-###-###-## postfix[10641]: fatal: usage: postfix [-c config_dir] [-Dv] command
Aug 1 11:53:26 ip-##-###-###-## postfix[10735]: fatal: usage: postfix [-c config_dir] [-Dv] command
Aug 7 10:32:44 ip-##-###-###-## postfix/smtpd[25492]: fatal: SASL per-connection initialization failed
Aug 7 10:34:14 ip-##-###-###-## postfix/smtpd[25511]: fatal: SASL per-connection initialization failed
Aug 7 10:35:15 ip-##-###-###-## postfix/smtpd[25515]: fatal: SASL per-connection initialization failed

There doesn't appear to be anything more recent, and mail.err exists but is empty. There is also a file called mail.warn which contains the following:

Code:
Aug 8 12:18:49 ip-##-###-###-## postfix/smtpd[32025]: warning: SASL authentication failure: Password verification failed
Aug 8 12:18:49 ip-##-###-###-## postfix/smtpd[32025]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
Aug 8 12:18:50 ip-##-###-###-## postfix/smtpd[32027]: warning: SASL authentication failure: Password verification failed
Aug 8 12:18:50 ip-##-###-###-## postfix/smtpd[32027]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
Aug 8 12:19:01 ip-##-###-###-## postfix/smtpd[32025]: warning: SASL authentication failure: Password verification failed
Aug 8 12:19:01 ip-##-###-###-## postfix/smtpd[32025]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
Aug 8 12:22:13 ip-##-###-###-## postfix/smtpd[32033]: warning: SASL authentication failure: Password verification failed
Aug 8 12:22:13 ip-##-###-###-## postfix/smtpd[32033]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
Aug 9 08:27:01 ip-##-###-###-## postfix/smtpd[3506]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL LOGIN authentication failed: authentication failure
Aug 9 08:28:52 ip-##-###-###-## postfix/smtpd[3512]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL LOGIN authentication failed: authentication failure
Is SASL set up exactly as shown in chapter 6 on http://howtoforge.com/virtual-users-domains-postfix-courier-mysql-squirrelmail-ubuntu8.04-p2 ?
As far as I know, yes. Here are the files I have...

/etc/default/saslauthd

Code:
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page for general information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

/etc/pam.d/smtp

Code:
#%PAM-1.0
#------------------------------------------------------------------------
#
# /etc/pam.d/smtp
#
# Copyright (c) 2000-2003 Richard Nelson. All Rights Reserved.
# Version: 2.0.1
# Time-stamp: <2003/05/06 12:00:00 cowboy>
#
# PAM configuration file used by SASL to authenticate a PLAIN password.
#
#------------------------------------------------------------------------
@include common-auth
@include common-account
auth required pam_mysql.so user=mail_admin passwd=mailadminpw host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mail_admin passwd=mailadminpw host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
#@include common-password

/etc/postfix/sasl/smtpd.conf

Code:
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mail_admin
sql_passwd: mailadminpw
sql_database: mail
sql_select: select password from users where email = '%u'

As far as the users DB table goes, this is how it looks:

Code:
mysql> describe users;
+----------+-------------+------+-----+----------+-------+
| Field    | Type        | Null | Key | Default  | Extra |
+----------+-------------+------+-----+----------+-------+
| email    | varchar(80) | NO   | PRI | NULL     |       |
| password | varchar(20) | NO   |     | NULL     |       |
| quota    | int(10)     | YES  |     | 10485760 |       |
+----------+-------------+------+-----+----------+-------+
3 rows in set (0.00 sec)
Ok, it looks like that did it. In my installation, the /etc/pam.d/smtp file already existed so I didn't know if the other stuff had to be there. Thanks for all of your help.