ISPConfig 3 & Roundcube

I am attempting to install and configure Roundcube. I have used many posts here the forums to aid so far.

My server is a Debian Lenny 64 Install using the Perfect Server install on this site. I further installed dkimproxy which signs outgoing emails with DKIM and DomainKeys signatures. Emails are signed using incoming port 587.

As part of the Perfect Server setup, Squirrelmail is installed. In the Squirrelmail configuration, I changed the SMTP settings to use port 587 and all outgoing emails were signed as intended.

I have now installed Roundcube and attempting to replicate the success I had with Squirrelmail. I changed the SMTP port to use 587. However, Roundcube cannot send emails. If I change the SMTP port to 25, emails are sent but are not signed by dkimproxy.

I first looked to the Roundcube error logs. There were entries that said something to the effect that an invalid response was received. I dug further and found the error message below in the syslog file. I have sanitized the error messages shown below:

Code:

Jul 20 16:21:42 server postfix/smtpd[2954]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Jul 20 16:21:42 server postfix/smtpd[2954]: warning: server.example.com[192.168.XX.XX]: SASL LOGIN authentication failed: generic failure

Any ideas why this would work with other email clients and not Roundcube?

I have tried the Roundcube forum as well. But upon posting the error messages above, the response I received is that it is not a Roundcube issue.

Any help would be appreciated.

 

Till,

Thanks for the reply. I can disable the SMTP authentication and Roundcube will send outgoing emails. But those emails will not be signed by dkimproxy which is the real intent I am striving to obtain with this setup.

Do you think it might be a permissions issue?

Squirrelmail is installed in /usr/share/squirrelmail and all files appear to be root:root. Then, /var/www/webmail is a symlink to this location.

When I installed Roundcube, I created a new folder under /var/www/client#/web/webmail and created a subdomain pointing to this location in ISPConfig. I uploaded the Roundcube files there and did the configuration.

The ownership of those files though are web#:client#. Could that difference perhaps lead to the problem I am experiencing?

Thanks.

 

OK, I ran into another problem recently and it brought this thread back to mind.

I was testing dkim-proxy on my server which signs mail on port 587 for email users using external email clients for domains hosted on the ISPConfig3 server.

I had configured Outlook as well as Live Mail for use of the IMAP/SMTP server and was able to send and receive emails just fine. Further testing showed that mail sent from these two programs did not get signed by dkim-proxy. Further digging found that I had not configured them to send on port 587, but rather on port 25.

When I changed both programs to send on port 587, they both failed. The following error message is a tail from one of those attempts:

Code:

Aug 28 23:43:17 server postfix/smtpd[4483]: connect from unknown[192.168.XX.XXX]
Aug 28 23:43:17 server postfix/smtpd[4483]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Aug 28 23:43:17 server postfix/smtpd[4483]: warning: unknown[192.168.XX.XXX]: SASL LOGIN authentication failed: generic failure
Aug 28 23:43:17 server postfix/smtpd[4483]: lost connection after AUTH from unknown[192.168.XX.XXX]
Aug 28 23:43:17 server postfix/smtpd[4483]: disconnect from unknown[192.168.XX.XXX]

This error message is almost identical to the one I was receiving from Roundcube. So currently, Squirrelmail can send on port 587. But Outlook and Roundcube generate the error above.

 

Till,

I can assure you that I did not do any additional configuration of the SASL port...primarily because I have no idea how to do it now, let alone two years ago when the old production server was configured.

The only difference is that the old production server was an Ubuntu 7.04 machine upgraded to 7.10 and eventually to 8.04 LTS. The new production server is Debian Lenny.

As a side note, I would like to know how the bigger providers are handling DKIM and domainkeys signatures, if at all.

Here is the portion of my /etc/postfix/master.cf file that deals with dkimproxy and the signing of outgoing emails:

Code:

### dkimproxy filter - see http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission  inet  n     -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10028
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# specify the location of the DKIM signing proxy
# Note: the smtp_discard_ehlo_keywords option requires a recent version of
# Postfix. Leave it off if your version does not support it.
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10029 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

As I understand the message flow, an outgoing email enters the Postfix server from an email client on the submission port. Then, the message is forward to the dkimproxy signing service on port 10028. Once signed, dkimproxy reinjects the message to Postfix on port 10029. From there, the message is sent out to the recipient.

If email clients are configured to use port 25 for SMTP, they bypass this whole logic since it relies on incoming messages on the submission port (587).

Currently, two of the three email clients I have configured to sent SMTP mail on the submission port generate the error posted previously. Only Squirrelmail is signing email messages through dkimproxy on the submission port.

 

Thanks for the information Till on the capabilities of amavisd-new. In the small amount of reading on the topic, it looks like it would be a simplier solution than my current configuration with dkimproxy.

However, the root issue I have is that some email clients are not able to send to port 587 on the email server. Authentication fails, according to the logs, for some reason.

Does anyone have suggestions how to troubleshoot the cause of this error?

 

master.cf:

Code:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
    -o content_filter=dksign:[127.0.0.1]:10028
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=R user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}


amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=127.0.0.1

### dkimproxy filter - see http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission  inet  n     -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10028
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# specify the location of the DKIM signing proxy
# Note: the smtp_discard_ehlo_keywords option requires a recent version of
# Postfix. Leave it off if your version does not support it.
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10029 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8