HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Server Operation (http://www.howtoforge.com/forums/forumdisplay.php?f=5)
-   -   Diagnosing Postfix/Dovecot+SSL with Telnet (http://www.howtoforge.com/forums/showthread.php?t=53989)

CopalFreak 31st August 2011 17:07

Diagnosing Postfix/Dovecot+SSL with Telnet
 
I want to use SSL with plain auth.
Am I supposed to be seeing something OTHER than "250-STARTTLS" ?
(should it say "250- AUTH PLAIN" also ? )


Code:

>>telnet mail.mydomain.com 587
Trying xx.xx.xx.xx...
Connected to mail.mydomain.com.
Escape character is '^]'.
220 mail.mydomain.com ESMTP mail.mydomain.com (Linux/GNU)

>>ehlo MyEmail@mydomain.com
250-mail.mydomain.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

>>AUTH LOGIN
438 4.7.0 Encryption required for requested authentication mechanism

>>AUTH LOGIN PLAIN
438 4.7.0 Encryption required for requested authentication mechanism


Mark_NL 1st September 2011 10:09

587, submission, runs on tls not ssl
use 465 (ssmtp/smtps) for ssl

show us your config files.

CopalFreak 1st September 2011 18:24

Thanks for responding Mark!
587 for TLS, 465 for SSL...important stuff to know! Thanks!

~/postfix/master.cf
Code:

# ==========================================================================
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#              (yes)  (yes)  (yes)  (never) (100)
# ==========================================================================
smtp      inet  n      -      n      -      -      smtpd
  -o content_filter=scan:127.0.0.1:10025
# ============================================================================================
# SHOULD I LEAVE THESE SETTINGS AS-IS IF I WANT TO ALLOW
# TLS OVER 587 FOR THE MOMENT?

submission inet n      -      n      -      -      smtpd
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=/var/spool/postfix/private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
#  -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/mysql_virtual_login_maps.cf
#  -o smtpd_sender_restrictions=permit
#  -o smtpd_sender_restrictions=reject_sender_login_mismatch
#  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_sender_strictions=
#  -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
#  -o smtpd_recipient_restrictions=reject_unauth_destination
#  -o smtpd_recipient_restrictions=permit
#
#
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

# ============================================================================================
# I AM GUESSING I SHOULD UN-COMMENT SOME OF THE STUFF BELOW
# AND COPY SOME OF THE STUFF FROM ABOVE TO ENABLE SSL
# ENCRYPTION FOR 465 ?

smtps inet  n      -      n      -      -      smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# ============================================================================================
### AV scan filter (used by content_filter)
scan      unix  -      -      n      -      16      smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no
# ============================================================================================
#628      inet  n      -      n      -      -      qmqpd
pickup    fifo  n      -      n      60      1      pickup
cleanup  unix  n      -      n      -      0      cleanup
qmgr      fifo  n      -      n      300    1      qmgr
#qmgr    fifo  n      -      n      300    1      oqmgr
tlsmgr    unix  -      -      n      1000?  1      tlsmgr
rewrite  unix  -      -      n      -      -      trivial-rewrite
bounce    unix  -      -      n      -      0      bounce
defer    unix  -      -      n      -      0      bounce
trace    unix  -      -      n      -      0      bounce
verify    unix  -      -      n      -      1      verify
flush    unix  n      -      n      1000?  0      flush
proxymap  unix  -      -      n      -      -      proxymap
proxywrite unix -      -      n      -      1      proxymap
smtp      unix  -      -      n      -      -      smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay    unix  -      -      n      -      -      smtp
        -o smtp_fallback_relay=
        # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq    unix  n      -      n      -      -      showq
error    unix  -      -      n      -      -      error
retry    unix  -      -      n      -      -      error
discard  unix  -      -      n      -      -      discard
local    unix  -      n      n      -      -      local
virtual  unix  -      n      n      -      -      virtual
lmtp      unix  -      -      n      -      -      lmtp
anvil    unix  -      -      n      -      1      anvil
scache    unix  -      -      n      -      1      scache
# ============================================================================================
spamassassin unix -      n      n      -      -      pipe
  user=spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
# ============================================================================================
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -      n      -      16      smtpd

        -o content_filter=spamassassin
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# ============================================================================================
dovecot  unix  -      n      n      -      -      pipe
  flags=DRhu user=dovecot:dovecot argv=/usr/libexec/dovecot/deliver -d ${recipient}
# ============================================================================================
# ============================================================================================


~/postfix/main.cf
Code:

myhostname = mail.MyDomain.com
mail_name = mail.MyDomain.com
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
#debug_peer_list = XX.XX.XX.XX
append_dot_mydomain = no
#delay_warning_time = 4h
myhostname = mail.MyDomain.com
myorigin = MyDomain.com
mydomain = MyDomain.com
mailbox_command = /usr/bin/procmail
mynetworks = /etc/postfix/mynetworks
mailbox_size_limit = 0
message_size_limit = 104857600

#debugging
debug_peer_level = 4
soft_bounce = yes


disable_vrfy_command = yes

transport_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
alias_database = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
local_recipient_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf


#Virtual mailbox settings
virtual_mailbox_base = /var/vmail
virtual_minimum_uid = 202
virtual_uid_maps = static:202
virtual_gid_maps = static:202
virtual_transport = dovecot

dovecot_destination_recipient_limit = 1
#does this allow for CC and BCC?

sender_bcc_maps = hash:/etc/postfix/sender_bcc
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

virtual_alias_domains = proxy:mysql:/etc/postfix/mysql_virtual_alias_domains.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domain_maps.cf
virtual_login_maps = proxy:mysql:/etc/postfix/mysql_virtual_login_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf

mydestination = $myhostname, $mynetworks, localhost, localhost.localdomain, proxy_read_maps
proxy_read_maps = $myhostname $mynetworks $alias_maps $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_domains $virtual_login_maps $virtual_mailbox_maps $local_recipient_maps

relay_domains = $mynetworks


#SASL Authentication
smtp_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_exceptions_networks = $mynetworks
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = $virtual_login_maps
smtpd_sasl_path = /var/spool/postfix/private/auth

smtpd_helo_required = yes

smtpd_client_restrictions =

smtpd_helo_restrictions = reject_invalid_hostname


smtpd_sender_restrictions = reject_invalid_hostname reject_unknown_sender_domain reject_unauthenticated_sender_login_mismatch permit_sasl_authenticated permit_mynetworks permit

smtpd_recipient_restrictions =
        reject_invalid_hostname,
#reject_sender_login_mismatch,
        reject_unknown_recipient_domain,
    reject_unauth_pipelining,
        permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
        check_client_access hash:/etc/postfix/rbl_client_exceptions,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client ix.dnsbl.manitu.net,
        reject_rbl_client multi.uribl.com,
        reject_rbl_client dsn.rfc-ignorant.org,
        reject_rbl_client abuse.rfc-ignorant.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client dyna.spamrats.com,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client rabl.nuclearelephant.com,

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20


# check_relay_domains reject_unlisted_recipient permit_sasl_authenticated reject_unauth_destination permit

# stops bulk mail senders
# smtpd_data_restictions = reject_unauth_pipelining
strict_rfc821_envelopes = no
disable_vrfy_command = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554


#TSL Certs
smtpd_tls_cert_file = /etc/postfix/certs/MyDomain.com.pem
smtpd_tls_key_file = /etc/postfix/certs/MyDomain.com.pem
smtpd_tls_CAfile = /etc/postfix/certs/gd_bundle.pem


smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
# smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_received_header = no
smtpd_tls_loglevel = 1
# tls_random_source = dev:/dev/urandom

smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes

header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks


CopalFreak 7th September 2011 18:13

Should I try something besides Postfix?


All times are GMT +2. The time now is 14:52.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.