I've followed the how-to here: http://www.howtoforge.com/howto_postfix_smtp_auth_tls_howto/ And thanks to Falko for pointing out mirrors for the sources in the above tutorial: http://www.filewatcher.com/b/ftp/ftp.aet.tu-cottbus.de/pub/postfix_tls/related/postfix.0.0.html I've gone through the complete install. No errors. I've added Dovecot (1.0) so I can retrieve email using POP. I've added users and domains, and I can send mail to and from these clients using TLS/SSL. But I cannot get the server to authenticate SMTP. Can anyone help me? Where would I look for errors? I see nothing in messages, maillog, or the dovecot logs. This is driving me crazy...
telnet localhost 25
ehlo localhost

main.cf
Code:
virtual_mailbox_domains = domain1.com, domain2.com
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = hash:/etc/postfix/virtual
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 450
home_mailbox = Maildir/
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
mydomain = wnetworks.net
myhostname = mail.$mydomain
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
inet_interfaces = all
alias_maps = hash:/etc/aliases
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

master.cf
Code:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -v
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n      -       n       -       -       smtpd
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       nqmgr
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
Using saslauthd to check credentials:
Code:
#> /usr/sbin/testsaslauthd -u user_domain.com -p userpassword
0: OK "Success."

I am using Dovecot's 'auth_username_translation':
auth_username_translation = @_
That is why above I use user_domain.com and below I use user@domain.com

Encoded username/password:
Code:
#> perl -MMIME::Base64 -e 'print encode_base64("[email protected]\[email protected]\0userspassword");'
encodedpasswordoutput

Trying the encoded password via command prompt:
Code:
#> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.wnetworks.net ESMTP Postfix
#> ehlo localhost
250-mail.wnetworks.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-AUTH=LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-XVERP
250 8BITMIME
#> AUTH PLAIN encodedpasswordoutput
535 Error: authentication failed
Here is the output in my maillog re authentication when attempting from the command line (the one I showed the telnet output from above):
Code:
Sep 8 07:53:33 mail postfix/smtpd[6790]: < localhost.localdomain[127.0.0.1]: AUTH PLAIN encodedpasswordoutput
Sep 8 07:53:33 mail postfix/smtpd[6790]: smtpd_sasl_authenticate: sasl_method PLAIN, init_response encodedpasswordoutput
Sep 8 07:53:33 mail postfix/smtpd[6790]: smtpd_sasl_authenticate: decoded initial response domain2.com
Sep 8 07:53:33 mail postfix/smtpd[6790]: warning: SASL authentication failure: Password verification failed
Sep 8 07:53:33 mail postfix/smtpd[6790]: warning: localhost.localdomain[127.0.0.1]: SASL PLAIN authentication failed
Sep 8 07:53:33 mail postfix/smtpd[6790]: > localhost.localdomain[127.0.0.1]: 535 Error: authentication failed
Thinking that perhaps I should not use the '@' and use the '_' instead, I got the new encoded credentials:
Code:
#> perl -MMIME::Base64 -e 'print encode_base64("user_domain.com\0user_domain.com\0userspassword");'
encodedpasswordoutput--2

And tried to telnet in:
Code:
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.wnetworks.net ESMTP Postfix
ehlo localhost
250-mail.wnetworks.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-AUTH=LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-XVERP
250 8BITMIME
AUTH PLAIN encodedpasswordoutput--2
235 Authentication successful

Voila! The main problem however, is that the remote mail client is told that the server does not support secure authentication, before I have a chance to send a password.
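The two posts above hinge on how an AUTH PLAIN initial response is built (base64 of authzid NUL authcid NUL password, RFC 4616) and on Dovecot's auth_username_translation = @_ rewriting the login name before lookup, so the name the client sends must already be in the translated form. The following is an added Python example, not code from the thread or from Postfix/Dovecot; the credential store is a constructed stand-in for saslauthd, and the translation helper implements the documented "from/to character pairs" semantics of that Dovecot setting.

```python
import base64
import hmac

# Constructed sample store standing in for the SASL backend. The thread's
# testsaslauthd call succeeds only for the *translated* name user_domain.com,
# so that is the only form stored here.
SAMPLE_STORE = {"user_domain.com": "userspassword"}


def dovecot_translate(username, translation="@_"):
    """Apply Dovecot's auth_username_translation: a string of character
    pairs, each 'from' followed by 'to'. The thread's '@_' maps '@' to '_'."""
    for i in range(0, len(translation) - 1, 2):
        username = username.replace(translation[i], translation[i + 1])
    return username


def auth_plain_response(authcid, password, authzid=""):
    """Build the AUTH PLAIN initial response (RFC 4616):
    base64(authzid NUL authcid NUL password), the same bytes the thread's
    perl -MMIME::Base64 one-liner produces."""
    raw = b"\0".join(s.encode() for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode()


def decode_auth_plain(initial_response):
    """Split the client's response back into its three fields, as smtpd
    does before handing them to the SASL backend."""
    parts = base64.b64decode(initial_response).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response: expected 3 NUL-separated fields")
    authzid, authcid, password = (p.decode() for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": password}


def verify_plain(initial_response, store=SAMPLE_STORE):
    """Mock verification: succeed only if the authentication id exists in the
    store exactly as sent and the password matches (constant-time compare)."""
    try:
        fields = decode_auth_plain(initial_response)
    except ValueError:
        return False
    expected = store.get(fields["authcid"])
    if expected is None:
        return False  # lookup failed: 'user@domain.com' is not a stored name
    return hmac.compare_digest(expected.encode(), fields["password"].encode())


if __name__ == "__main__":
    pw = "userspassword"
    for name in ("user@domain.com", dovecot_translate("user@domain.com")):
        resp = auth_plain_response(name, pw, authzid=name)
        print(name, "->", "235 ok" if verify_plain(resp) else "535 failed")
```

Running it reproduces the thread's result: the untranslated name gets the 535 path and the translated one the 235 path, which is why the first telnet attempt failed and the second succeeded.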
Thanks Falko. Exact error in mail client: "Mail server does not support secure authentication" There are no entries in the maillog.
Please remove the # sign in front of the lines: and in your main.cf file and restart postfix to enable secure authentication.
Thank you for the reply Till. I assume you meant master.cf, and I uncommented those lines, rebooted, and I am still getting the error message "Mail server does not support secure authentication."...
This is sooooo odd. Here it is a couple of hours later. I *think* the server is now authenticating. I did nothing at all, just walked away. I open up Thunderbird, and fired off a mail to a remote location. It was relayed OK. Then, I fired up my Outlook Express, and sent a mail, and I think it worked! /var/log/maillog shows the mail getting through! I'm going to keep my eye on things here, but thank you for the help, Falko and Till. I think I'll just hang out here for a while if that's ok. I'm learning a lot from all the threads here...
Actually, it is not authenticating. Postfix defaults to "mynetworks_style = subnet", unless specified: in the setup, we do not specify mynetworks_style. Just for fun, I specified mynetworks_style = host, and authentication from my LAN (on the same subnet) failed. So, I guess it isn't authenticating at all, but was allowing relaying because the machines are on the same subnet. And nothing at all is added to the log when I get the message "Mail server does not support secure authentication".
Then I guess your email client is connecting to the wrong server, or some kind of firewall is blocking all connections, because otherwise there should be something in the mail log. Also comment out mynetworks_style in /etc/postfix/main.cf and put in
Code:
mynetworks = 127.0.0.0/8
instead.
/sbin/iptables --list:
Code:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If I don't check the "Use Secure Authentication" in Thunderbird, it goes through. So, I *know* the client is aimed at the right server. It just doesn't get authenticated. This is insane. Just insane.
Clearly, I am not thinking straight. Of course there is no entry in the maillog when I am checking mail. So I sent a mail this morning. Error message to mail client: maillog entries:
Code:
Sep 11 06:08:16 mail postfix/smtpd[2474]: resolve_clnt_query: `[email protected]' -> t=`smtp' h=`outsideDomain.com' r=`[email protected]'
Sep 11 06:08:16 mail postfix/smtpd[2474]: ctable_locate: install entry key [email protected]
Sep 11 06:08:16 mail postfix/smtpd[2474]: BB8A689E564: reject: RCPT from unknown[192.168.0.13]: 554 <[email protected]>: Recipient address rejected: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[127.0.0.1]>
Sep 11 06:08:16 mail postfix/smtpd[2474]: generic_checks: name=check_relay_domains status=2
Sep 11 06:08:16 mail postfix/smtpd[2474]: > unknown[192.168.0.13]: 554 <[email protected]>: Recipient address rejected: Relay access denied
Sep 11 06:08:17 mail postfix/smtpd[2474]: watchdog_pat: 0x843a118
Use "Server requires authentication." instead. What's in /etc/postfix/main.cf (please strip out the comments)?
Thank you falko. main.cf:
Code:
virtual_mailbox_domains = wnetworks.net, joewilk.com
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = hash:/etc/postfix/virtual
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 450
mynetworks = 127.0.0.0/8
home_mailbox = Maildir/
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
mydomain = wnetworks.net
myhostname = mail.$mydomain
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
inet_interfaces = all
alias_maps = hash:/etc/aliases
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom