HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)

- Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=27)

- - ISPConfig 3 & Roundcube (http://www.howtoforge.com/forums/showthread.php?t=37583)

ISPConfig 3 & Roundcube

I am attempting to install and configure Roundcube. I have used many posts here the forums to aid so far.

My server is a Debian Lenny 64 Install using the Perfect Server install on this site. I further installed dkimproxy which signs outgoing emails with DKIM and DomainKeys signatures. Emails are signed using incoming port 587.

As part of the Perfect Server setup, Squirrelmail is installed. In the Squirrelmail configuration, I changed the SMTP settings to use port 587 and all outgoing emails were signed as intended.

I have now installed Roundcube and attempting to replicate the success I had with Squirrelmail. I changed the SMTP port to use 587. However, Roundcube cannot send emails. If I change the SMTP port to 25, emails are sent but are not signed by dkimproxy.

I first looked to the Roundcube error logs. There were entries that said something to the effect that an invalid response was received. I dug further and found the error message below in the syslog file. I have sanitized the error messages shown below:

Code:

Jul 20 16:21:42 server postfix/smtpd[2954]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory

Jul 20 16:21:42 server postfix/smtpd[2954]: warning: server.example.com[192.168.XX.XX]: SASL LOGIN authentication failed: generic failure

Any ideas why this would work with other email clients and not Roundcube?

I have tried the Roundcube forum as well. But upon posting the error messages above, the response I received is that it is not a Roundcube issue.

Any help would be appreciated.

Quote:

But upon posting the error messages above, the response I received is that it is not a Roundcube issue.

If it works with other clients and not roundcube, it is definately a roundcube issue ;) Please disable smtp authentication in roundcube, it is not needed for connections on localhost.

Till,

Thanks for the reply. I can disable the SMTP authentication and Roundcube will send outgoing emails. But those emails will not be signed by dkimproxy which is the real intent I am striving to obtain with this setup.

Do you think it might be a permissions issue?

Squirrelmail is installed in /usr/share/squirrelmail and all files appear to be root:root. Then, /var/www/webmail is a symlink to this location.

When I installed Roundcube, I created a new folder under /var/www/client#/web/webmail and created a subdomain pointing to this location in ISPConfig. I uploaded the Roundcube files there and did the configuration.

The ownership of those files though are web#:client#. Could that difference perhaps lead to the problem I am experiencing?

Thanks.

OK, I ran into another problem recently and it brought this thread back to mind.

I was testing dkim-proxy on my server which signs mail on port 587 for email users using external email clients for domains hosted on the ISPConfig3 server.

I had configured Outlook as well as Live Mail for use of the IMAP/SMTP server and was able to send and receive emails just fine. Further testing showed that mail sent from these two programs did not get signed by dkim-proxy. Further digging found that I had not configured them to send on port 587, but rather on port 25.

When I changed both programs to send on port 587, they both failed. The following error message is a tail from one of those attempts:

Code:

Aug 28 23:43:17 server postfix/smtpd[4483]: connect from unknown[192.168.XX.XXX]

Aug 28 23:43:17 server postfix/smtpd[4483]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory

Aug 28 23:43:17 server postfix/smtpd[4483]: warning: unknown[192.168.XX.XXX]: SASL LOGIN authentication failed: generic failure

Aug 28 23:43:17 server postfix/smtpd[4483]: lost connection after AUTH from unknown[192.168.XX.XXX]

Aug 28 23:43:17 server postfix/smtpd[4483]: disconnect from unknown[192.168.XX.XXX]

This error message is almost identical to the one I was receiving from Roundcube. So currently, Squirrelmail can send on port 587. But Outlook and Roundcube generate the error above.

Quote:

The ownership of those files though are web#:client#. Could that difference perhaps lead to the problem I am experiencing?

No. The ownership of the files ahs nothing to do with smtp auth.

Quote:

This error message is almost identical to the one I was receiving from Roundcube. So currently, Squirrelmail can send on port 587. But Outlook and Roundcube generate the error above.

And you configured sasl for this port too? I dont use dekim, so I can not tell you the exact confihuration. But it looks to me as if you have to configure this port to connect to the same sasl socket then it is used by port 25.

Till,

I can assure you that I did not do any additional configuration of the SASL port...primarily because I have no idea how to do it now, let alone two years ago when the old production server was configured.

The only difference is that the old production server was an Ubuntu 7.04 machine upgraded to 7.10 and eventually to 8.04 LTS. The new production server is Debian Lenny.

As a side note, I would like to know how the bigger providers are handling DKIM and domainkeys signatures, if at all.

Here is the portion of my /etc/postfix/master.cf file that deals with dkimproxy and the signing of outgoing emails:

Code:

### dkimproxy filter - see http://dkimproxy.sourceforge.net/postfix-outbound-howto.html

#

# modify the default submission service to specify a content filter

# and restrict it to local clients and SASL authenticated clients only

#

submission  inet  n     -       n       -       -       smtpd

    -o smtpd_etrn_restrictions=reject

    -o smtpd_sasl_auth_enable=yes

    -o content_filter=dksign:[127.0.0.1]:10028

    -o receive_override_options=no_address_mappings

    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject



# specify the location of the DKIM signing proxy

# Note: the smtp_discard_ehlo_keywords option requires a recent version of

# Postfix. Leave it off if your version does not support it.

dksign    unix  -       -       n       -       10      smtp

    -o smtp_send_xforward_command=yes

    -o smtp_discard_ehlo_keywords=8bitmime,starttls



# service for accepting messages FROM the DKIM signing proxy

127.0.0.1:10029 inet  n  -      n       -       10      smtpd

    -o content_filter=

    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

    -o smtpd_helo_restrictions=

    -o smtpd_client_restrictions=

    -o smtpd_sender_restrictions=

    -o smtpd_recipient_restrictions=permit_mynetworks,reject

    -o mynetworks=127.0.0.0/8

    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

As I understand the message flow, an outgoing email enters the Postfix server from an email client on the submission port. Then, the message is forward to the dkimproxy signing service on port 10028. Once signed, dkimproxy reinjects the message to Postfix on port 10029. From there, the message is sent out to the recipient.

If email clients are configured to use port 25 for SMTP, they bypass this whole logic since it relies on incoming messages on the submission port (587).

Currently, two of the three email clients I have configured to sent SMTP mail on the submission port generate the error posted previously. Only Squirrelmail is signing email messages through dkimproxy on the submission port.

ISPConfig uses already a filtering daemon which does the spam and virus filtering and can also do the dkim signing:

http://www.ijs.si/software/amavisd/a...docs.html#dkim

Thanks for the information Till on the capabilities of amavisd-new. In the small amount of reading on the topic, it looks like it would be a simplier solution than my current configuration with dkimproxy.

However, the root issue I have is that some email clients are not able to send to port 587 on the email server. Authentication fails, according to the logs, for some reason.

Does anyone have suggestions how to troubleshoot the cause of this error?

Please post the complete master.cf file.

master.cf:

Code:

#

# Postfix master process configuration file.  For details on the format

# of the file, see the master(5) manual page (command: "man 5 master").

#

# Do not forget to execute "postfix reload" after editing this file.

#

# ==========================================================================

# service type  private unpriv  chroot  wakeup  maxproc command + args

#               (yes)   (yes)   (yes)   (never) (100)

# ==========================================================================

smtp      inet  n       -       -       -       -       smtpd

#submission inet n       -       -       -       -       smtpd

#  -o smtpd_tls_security_level=encrypt

#  -o smtpd_sasl_auth_enable=yes

#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

#  -o milter_macro_daemon_name=ORIGINATING

#smtps     inet  n       -       -       -       -       smtpd

#  -o smtpd_tls_wrappermode=yes

#  -o smtpd_sasl_auth_enable=yes

#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

#  -o milter_macro_daemon_name=ORIGINATING

#628      inet  n       -       -       -       -       qmqpd

pickup    fifo  n       -       n       60      1       pickup

    -o content_filter=dksign:[127.0.0.1]:10028

cleanup   unix  n       -       -       -       0       cleanup

qmgr      fifo  n       -       n       300     1       qmgr

#qmgr     fifo  n       -       -       300     1       oqmgr

tlsmgr    unix  -       -       -       1000?   1       tlsmgr

rewrite   unix  -       -       -       -       -       trivial-rewrite

bounce    unix  -       -       -       -       0       bounce

defer     unix  -       -       -       -       0       bounce

trace     unix  -       -       -       -       0       bounce

verify    unix  -       -       -       -       1       verify

flush     unix  n       -       -       1000?   0       flush

proxymap  unix  -       -       n       -       -       proxymap

proxywrite unix -       -       n       -       1       proxymap

smtp      unix  -       -       -       -       -       smtp

# When relaying mail as backup MX, disable fallback_relay to avoid MX loops

relay     unix  -       -       -       -       -       smtp

        -o smtp_fallback_relay=

#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5

showq     unix  n       -       -       -       -       showq

error     unix  -       -       -       -       -       error

retry     unix  -       -       -       -       -       error

discard   unix  -       -       -       -       -       discard

local     unix  -       n       n       -       -       local

virtual   unix  -       n       n       -       -       virtual

lmtp      unix  -       -       -       -       -       lmtp

anvil     unix  -       -       -       -       1       anvil

scache    unix  -       -       -       -       1       scache

#

# ====================================================================

# Interfaces to non-Postfix software. Be sure to examine the manual

# pages of the non-Postfix software to find out what options it wants.

#

# Many of the following services use the Postfix pipe(8) delivery

# agent.  See the pipe(8) man page for information about ${recipient}

# and other message envelope options.

# ====================================================================

#

# maildrop. See the Postfix MAILDROP_README file for details.

# Also specify in main.cf: maildrop_destination_recipient_limit=1

#

maildrop  unix  -       n       n       -       -       pipe

  flags=R user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}

#

# See the Postfix UUCP_README file for configuration details.

#

uucp      unix  -       n       n       -       -       pipe

  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

#

# Other external delivery methods.

#

ifmail    unix  -       n       n       -       -       pipe

  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)

bsmtp     unix  -       n       n       -       -       pipe

  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient

scalemail-backend unix  -       n       n       -       2       pipe

  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

mailman   unix  -       n       n       -       -       pipe

  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py

  ${nexthop} ${user}





amavis unix - - - - 2 smtp

        -o smtp_data_done_timeout=1200

        -o smtp_send_xforward_command=yes



127.0.0.1:10025 inet n - - - - smtpd

        -o content_filter=

        -o local_recipient_maps=

        -o relay_recipient_maps=

        -o smtpd_restriction_classes=

        -o smtpd_client_restrictions=

        -o smtpd_helo_restrictions=

        -o smtpd_sender_restrictions=

        -o smtpd_recipient_restrictions=permit_mynetworks,reject

        -o mynetworks=127.0.0.0/8

        -o strict_rfc821_envelopes=yes

        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

        -o smtpd_bind_address=127.0.0.1



### dkimproxy filter - see http://dkimproxy.sourceforge.net/postfix-outbound-howto.html

#

# modify the default submission service to specify a content filter

# and restrict it to local clients and SASL authenticated clients only

#

submission  inet  n     -       n       -       -       smtpd

    -o smtpd_etrn_restrictions=reject

    -o smtpd_sasl_auth_enable=yes

    -o content_filter=dksign:[127.0.0.1]:10028

    -o receive_override_options=no_address_mappings

    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject



# specify the location of the DKIM signing proxy

# Note: the smtp_discard_ehlo_keywords option requires a recent version of

# Postfix. Leave it off if your version does not support it.

dksign    unix  -       -       n       -       10      smtp

    -o smtp_send_xforward_command=yes

    -o smtp_discard_ehlo_keywords=8bitmime,starttls



# service for accepting messages FROM the DKIM signing proxy

127.0.0.1:10029 inet  n  -      n       -       10      smtpd

    -o content_filter=

    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

    -o smtpd_helo_restrictions=

    -o smtpd_client_restrictions=

    -o smtpd_sender_restrictions=

    -o smtpd_recipient_restrictions=permit_mynetworks,reject

    -o mynetworks=127.0.0.0/8

    -o smtpd_authorized_xforward_hosts=127.0.0.0/8