I am attempting to install and configure Roundcube. I have used many posts here on the forums to aid so far. My server is a Debian Lenny 64 Install using the Perfect Server install on this site. I further installed dkimproxy which signs outgoing emails with DKIM and DomainKeys signatures. Emails are signed using incoming port 587. As part of the Perfect Server setup, Squirrelmail is installed. In the Squirrelmail configuration, I changed the SMTP settings to use port 587 and all outgoing emails were signed as intended. I have now installed Roundcube and am attempting to replicate the success I had with Squirrelmail. I changed the SMTP port to use 587. However, Roundcube cannot send emails. If I change the SMTP port to 25, emails are sent but are not signed by dkimproxy. I first looked to the Roundcube error logs. There were entries that said something to the effect that an invalid response was received. I dug further and found the error message below in the syslog file. I have sanitized the error messages shown below:
Code:
Jul 20 16:21:42 server postfix/smtpd[2954]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Jul 20 16:21:42 server postfix/smtpd[2954]: warning: server.example.com[192.168.XX.XX]: SASL LOGIN authentication failed: generic failure

Any ideas why this would work with other email clients and not Roundcube? I have tried the Roundcube forum as well. But upon posting the error messages above, the response I received is that it is not a Roundcube issue. Any help would be appreciated.
If it works with other clients and not roundcube, it is definitely a roundcube issue. Please disable smtp authentication in roundcube, it is not needed for connections on localhost.
Till, thanks for the reply. I can disable the SMTP authentication and Roundcube will send outgoing emails. But those emails will not be signed by dkimproxy, which is the real intent I am striving to obtain with this setup. Do you think it might be a permissions issue? Squirrelmail is installed in /usr/share/squirrelmail and all files appear to be root:root. Then, /var/www/webmail is a symlink to this location. When I installed Roundcube, I created a new folder under /var/www/client#/web/webmail and created a subdomain pointing to this location in ISPConfig. I uploaded the Roundcube files there and did the configuration. The ownership of those files, though, is web#:client#. Could that difference perhaps lead to the problem I am experiencing? Thanks.
OK, I ran into another problem recently and it brought this thread back to mind. I was testing dkim-proxy on my server which signs mail on port 587 for email users using external email clients for domains hosted on the ISPConfig3 server. I had configured Outlook as well as Live Mail for use of the IMAP/SMTP server and was able to send and receive emails just fine. Further testing showed that mail sent from these two programs did not get signed by dkim-proxy. Further digging found that I had not configured them to send on port 587, but rather on port 25. When I changed both programs to send on port 587, they both failed. The following error message is a tail from one of those attempts:
Code:
Aug 28 23:43:17 server postfix/smtpd[4483]: connect from unknown[192.168.XX.XXX]
Aug 28 23:43:17 server postfix/smtpd[4483]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Aug 28 23:43:17 server postfix/smtpd[4483]: warning: unknown[192.168.XX.XXX]: SASL LOGIN authentication failed: generic failure
Aug 28 23:43:17 server postfix/smtpd[4483]: lost connection after AUTH from unknown[192.168.XX.XXX]
Aug 28 23:43:17 server postfix/smtpd[4483]: disconnect from unknown[192.168.XX.XXX]

This error message is almost identical to the one I was receiving from Roundcube. So currently, Squirrelmail can send on port 587. But Outlook and Roundcube generate the error above.
No. The ownership of the files has nothing to do with smtp auth. And you configured sasl for this port too? I don't use dkim, so I cannot tell you the exact configuration. But it looks to me as if you have to configure this port to connect to the same sasl socket that is used by port 25.
Till, I can assure you that I did not do any additional configuration of the SASL port...primarily because I have no idea how to do it now, let alone two years ago when the old production server was configured. The only difference is that the old production server was an Ubuntu 7.04 machine upgraded to 7.10 and eventually to 8.04 LTS. The new production server is Debian Lenny. As a side note, I would like to know how the bigger providers are handling DKIM and domainkeys signatures, if at all. Here is the portion of my /etc/postfix/master.cf file that deals with dkimproxy and the signing of outgoing emails:
Code:
### dkimproxy filter - see http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission  inet  n     -       n       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10028
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
# specify the location of the DKIM signing proxy
# Note: the smtp_discard_ehlo_keywords option requires a recent version of
# Postfix. Leave it off if your version does not support it.
dksign    unix  -       -       n       -       10      smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls
# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10029 inet  n  -      n       -       10      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

As I understand the message flow, an outgoing email enters the Postfix server from an email client on the submission port. Then, the message is forwarded to the dkimproxy signing service on port 10028. Once signed, dkimproxy reinjects the message to Postfix on port 10029. From there, the message is sent out to the recipient. If email clients are configured to use port 25 for SMTP, they bypass this whole logic since it relies on incoming messages on the submission port (587). Currently, two of the three email clients I have configured to send SMTP mail on the submission port generate the error posted previously. Only Squirrelmail is signing email messages through dkimproxy on the submission port.
ISPConfig already uses a filtering daemon which does the spam and virus filtering and can also do the dkim signing: http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
Thanks for the information, Till, on the capabilities of amavisd-new. In the small amount of reading on the topic, it looks like it would be a simpler solution than my current configuration with dkimproxy. However, the root issue I have is that some email clients are not able to send to port 587 on the email server. Authentication fails, according to the logs, for some reason. Does anyone have suggestions how to troubleshoot the cause of this error?
master.cf:
Code:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=dksign:[127.0.0.1]:10028
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=R user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
amavis    unix  -       -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_bind_address=127.0.0.1
### dkimproxy filter - see http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission  inet  n     -       n       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10028
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
# specify the location of the DKIM signing proxy
# Note: the smtp_discard_ehlo_keywords option requires a recent version of
# Postfix. Leave it off if your version does not support it.
dksign    unix  -       -       n       -       10      smtp
  -o smtp_send_xforward_command=yes
  -o smtp_discard_ehlo_keywords=8bitmime,starttls
# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10029 inet  n  -      n       -       10      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
Add a line like:
587 inet n - - - - smtpd
and restart postfix. Port 587 is a non-default port and mailservers are normally not listening on this port.
Please forget the last post, the line is already specified there and named submission.
1) Remove everything you added for your dkim proxy.
2) Add the following lines instead:
Code:
submission inet n - n - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

and restart postfix.
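Added example, not part of any post in this thread: a Python check for the suggestion above that the submission listener has to reach the same SASL socket as port 25. It parses master.cf and reports, for each smtpd listener, whether it runs chrooted and whether it overrides smtpd_sasl_auth_enable, because a chrooted and a non-chrooted smtpd resolve the saslauthd socket path from different filesystem roots. Assumptions: `SAMPLE` is a constructed excerpt modelled on the lines posted in the thread, the function names are hypothetical, and `-` in the chroot column is read as "yes", as the header comment of the posted master.cf states.

```python
# Added example (not from the thread). SAMPLE is a constructed master.cf excerpt.
SAMPLE = """\
smtp       inet  n  -  -  -  -   smtpd
submission inet  n  -  n  -  -   smtpd
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10028
127.0.0.1:10029 inet n - n - 10  smtpd
  -o content_filter=
pickup     fifo  n  -  n  60 1   pickup
"""

def parse_master_cf(text):
    """Parse master.cf entries; indented lines continue the previous entry."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace():
            if services:
                services[-1]["args"] += raw.split()
            continue
        f = raw.split()
        if len(f) >= 8:  # service type private unpriv chroot wakeup maxproc command
            services.append({"name": f[0], "type": f[1], "chroot": f[4],
                             "command": f[7], "args": f[8:]})
    return services

def overrides(args):
    """Collect '-o name=value' pairs from a service's argument list."""
    pairs = (args[i + 1] for i, a in enumerate(args[:-1]) if a == "-o")
    return dict(p.split("=", 1) for p in pairs if "=" in p)

def sasl_listeners(text, default_chroot="y"):
    """Return {service: (chrooted, sasl_override)} for inet smtpd listeners."""
    # sasl_override is None when the listener inherits the main.cf value.
    report = {}
    for s in parse_master_cf(text):
        if s["type"] == "inet" and s["command"] == "smtpd":
            chroot = default_chroot if s["chroot"] == "-" else s["chroot"]
            report[s["name"]] = (chroot == "y",
                                 overrides(s["args"]).get("smtpd_sasl_auth_enable"))
    return report

def chroot_mismatches(text, reference="smtp"):
    """Names of listeners whose chroot setting differs from the reference service."""
    report = sasl_listeners(text)
    return sorted(n for n, (c, _) in report.items() if c != report[reference][0])

if __name__ == "__main__":
    print(sasl_listeners(SAMPLE), chroot_mismatches(SAMPLE))
```

A listener that appears in the mismatch list and also has SASL enabled is the one to compare against the socket location that the port 25 listener uses.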