
11th November 2007, 23:44
Junior Member
postfix config & mailclients outside of the server's internal network
Hi there!
I used this tutorial http://www.howtoforge.com/perfect_setup_debian_etch (written by falko) to configure a mail server for one of my friends. Everything works well, till one point. I can't get it to work under any circumstances with a mail client (Thunderbird) from outside the network.
Can you help me please?
I modified mynetworks variable, adding my ip. With telnet I was able to send mails, but the mail client didn't react at all.
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myhostname = mail.domain.com
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# SASL parameters
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_auth_only = no
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
#smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
tls_random_source = dev:/dev/random
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
inet_interfaces = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = domain.com, mail.domain.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
mailbox_command =
#/usr/bin/procmail -a "$EXTENSION"
#-d "$HOME/Maildir/"
recipient_delimiter = +
home_mailbox = Maildir/
__________________
yume wa yume de shikanai...

12th November 2007, 08:46
Super Moderator
Please make sure that you forwarded the smtp port from your router to your server and that you enabled smtp authentication in Thunderbird. You should not change the mynetworks variable.
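An added example (not part of the thread or the tutorial) of what is at stake in the advice above: every address listed in `mynetworks` is accepted by `permit_mynetworks` on its source IP alone, so this function parses main.cf text and flags non-loopback entries, and also flags SASL AUTH being accepted without TLS. The function name and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# audit_relay_settings: reads main.cf text on stdin, prints one finding per line.
audit_relay_settings() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # comment and blank lines are ignored
    /^[ \t]/ {                           # leading whitespace continues the previous parameter
        if (key != "") val[key] = val[key] " " $0
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        gsub(/[ \t]/, "", key)
        val[key] = substr($0, eq + 1)    # a later assignment overrides an earlier one
    }
    END {
        # Every non-loopback mynetworks entry passes permit_mynetworks
        # on source address alone, with no password involved.
        if (val["smtpd_recipient_restrictions"] ~ /permit_mynetworks/) {
            n = split(val["mynetworks"], nets, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (nets[i] != "" && nets[i] !~ /^(127\.|\[::1\])/)
                    print "mynetworks: " nets[i] " relays without authentication"
        }
        # smtpd_tls_auth_only defaults to no: AUTH is then accepted in cleartext.
        tls_only = val["smtpd_tls_auth_only"]
        gsub(/[ \t]/, "", tls_only)
        if (val["smtpd_sasl_auth_enable"] ~ /yes/ && tls_only != "yes")
            print "smtpd_tls_auth_only: SASL AUTH is accepted without TLS"
    }'
}

# Constructed sample in the shape of the thread's main.cf; 203.0.113.25 is a
# documentation address standing in for a client IP added to mynetworks.
SAMPLE_MAIN_CF='smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_tls_auth_only = no
mynetworks = 127.0.0.0/8, 203.0.113.25'

printf '%s\n' "$SAMPLE_MAIN_CF" | audit_relay_settings
```

On a live server, feed it the file directly: `audit_relay_settings < /etc/postfix/main.cf`.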

12th November 2007, 09:37
Junior Member
It's not the SMTP port.
I have the same configurations on two different servers, and one of them works. It seems I can't manage to configure saslauthd well...
The tutorial skipped some old steps, and everything broke apart (the first server I have configured after the tutorial for sarge. This one has a few missing steps)
__________________
yume wa yume de shikanai...

12th November 2007, 09:45
Super Moderator
Quote:
Originally Posted by gridorian
the tutorial skipped some old steps, and everything broke apart (the first server I have configured after the tutorial for sarge. this one has a few missing steps)
There is nothing missing in the tutorial. If you added steps from the sarge tutorial, then this will break sasl. Please configure sasl exactly as described in the perfect setup guide.

12th November 2007, 10:58
Junior Member
Doing it like that does not allow a mail client to connect.
The error I get now is: Nov 12 11:56:56 psp postfix/smtpd[6511]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
I'm attaching the main.cf, /etc/default/saslauthd, /etc/init.d/saslauthd files. Please tell me where I'm doing it wrong.
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myhostname = mail.domain.com
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# SASL parameters
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_auth_only = no
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
#smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_sasl_path = smtpd
tls_random_source = dev:/dev/random
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
inet_interfaces = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = domain.com, localhost
relayhost =
mynetworks = 127.0.0.0/8, 82.76.110.109
mailbox_size_limit = 0
mailbox_command =
recipient_delimiter = +
home_mailbox = Maildir/
Code:
#
# Settings for saslauthd daemon
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
OPTIONS="-c"
__________________
yume wa yume de shikanai...

12th November 2007, 11:00
Junior Member
Code:
#! /bin/sh
### BEGIN INIT INFO
# Provides: saslauthd
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: S 0 1 6
# Short-Description: saslauthd startup script
# Description: This script starts the saslauthd daemon. It is
# configured using the file /etc/default/saslauthd.
### END INIT INFO
# Author: Fabian Fagerholm <fabbe@debian.org>
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
# Global variables
DAEMON=/usr/sbin/saslauthd
DEFAULT_FILES=`find /etc/default -regex '/etc/default/saslauthd[_a-zA-Z0-9\-]*$' -print | sort`
FALLBACK_RUN_DIR=/var/run/saslauthd
NAME=saslauthd
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions
# Function that starts all saslauthd instances
# Parameters: none
# Return value: none
do_startall()
{
    for instance in $DEFAULT_FILES
    do
        start_instance $instance
    done
}
# Function that stops all saslauthd instances
# Parameters: none
# Return value: none
do_stopall()
{
    for instance in $DEFAULT_FILES
    do
        stop_instance $instance
    done
}
# Function that sends a SIGHUP to all saslauthd instances
# Parameters: none
# Return value: none
do_reloadall()
{
    for instance in $DEFAULT_FILES
    do
        reload_instance $instance
    done
}
# Function that starts a single saslauthd instance
# Parameters:
# $1 = path of default file for this instance
# Return value:
# 0 on success (does not mean the instance started)
# 1 on failure
start_instance()
{
    # Load defaults file for this instance.
    . $1
    # If the daemon is not enabled, give the user a warning and stop.
    if [ "$START" != "yes" ]; then
        log_warning_msg "To enable $NAME, edit $1 and set START=yes"
        return 0
    fi
    # If the short name of this instance is undefined, warn the user
    # but choose a default name.
    if [ -z "$NAME" ]; then
        log_warning_msg "Short name (NAME) undefined in $1, using default"
        NAME=default
    fi
    log_daemon_msg "Starting $DESC" "$NAME"
    # Determine run directory and pid file location by looking
    # for an -m option.
    RUN_DIR=`echo "$OPTIONS" | xargs -n 1 echo | sed -n '/^-m$/{n;p}'`
    if [ -z "$RUN_DIR" ]; then
        # No run directory defined in defaults file, fail.
        #log_failure_msg "No run directory defined for $NAME, not starting"
        #return 1
        RUN_DIR=/var/log/saslauthd
        #@@ set by dr
    fi
    #PIDFILE=$RUN_DIR/saslauthd.pid
    PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"
    #@@ set by dr
    # If no mechanisms are defined, fail.
    if [ -z "$MECHANISMS" ]; then
        log_failure_msg "No mechanisms defined in $1, not starting $NAME"
        return 1
    fi
    # If there are mechanism options defined, prepare them for use with
    # the -O flag.
    if [ -n "$MECH_OPTIONS" ]; then
        MECH_OPTIONS="-O $MECH_OPTIONS"
    fi
    # If there is a threads option defined, prepare it for use with
    # the -n flag.
    if [ -n "$THREADS" ]; then
        THREAD_OPTIONS="-n $THREADS"
    fi
    # Construct argument string.
    DAEMON_ARGS="-a $MECHANISMS $MECH_OPTIONS $OPTIONS $THREAD_OPTIONS"
    # If there is a statoverride for the run directory, then pull
    # permission and ownership information from it and create the directory.
    # Otherwise, we create the directory with default permissions and
    # ownership (root:sasl, 710).
    if dpkg-statoverride --list $RUN_DIR > /dev/null; then
        createdir `dpkg-statoverride --list $RUN_DIR`
    else
        createdir root sasl 710 $RUN_DIR
    fi
    # Start the daemon, phase 1: see if it is already running.
    start-stop-daemon --start --quiet --pidfile $PIDFILE --name $NAME \
        --exec $DAEMON --test > /dev/null
    if [ "$?" != 0 ]; then
        log_progress_msg "(already running)"
        log_end_msg 0
        return 0
    fi
    # Start the daemon, phase 2: it was not running, so actually start it now.
    start-stop-daemon --start --quiet --pidfile $PIDFILE --name $NAME \
        --exec $DAEMON -- $DAEMON_ARGS
    if [ "$?" != 0 ]; then
        log_end_msg 1
        return 1
    fi
    # Started successfully.
    log_end_msg 0
    return 0
}
[]...
__________________
yume wa yume de shikanai...

12th November 2007, 11:43
Junior Member
I modified some things back.
Still the same error: Nov 12 12:45:48 psp postfix/smtpd[7620]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Please help. Except for smtpd_recipient_restrictions, this should be the original config, as the tutorial suggested. I still get that error. What could be wrong?
main.cf:
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myhostname = mail.domain.com
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# SASL parameters
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_auth_only = no
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
#smtpd_sasl_path = smtpd
tls_random_source = dev:/dev/random
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
inet_interfaces = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = domain.com, localhost
relayhost =
mynetworks = 127.0.0.0/8, 82.76.110.109
mailbox_size_limit = 0
mailbox_command =
recipient_delimiter = +
home_mailbox = Maildir/
/etc/default/saslauthd
Code:
#
# Settings for saslauthd daemon
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
__________________
yume wa yume de shikanai...

13th November 2007, 16:58
Super Moderator
What's the output of
Code:
ls -la /var/spool/postfix/var/run/saslauthd
and
Code:
ps aux | grep saslauthd
?

14th November 2007, 10:17
Junior Member
Code:
psp:~# ls -a /var/spool/postfix/var/run/saslauthd/
. .. cache.flock cache.mmap mux mux.accept saslauthd.pid
psp:~# ps aux | grep saslauthd
root 10192 0.0 0.2 7888 1144 ? Ss Nov12 0:00 /usr/sbin/saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 10197 0.0 0.2 7888 1044 ? S Nov12 0:00 /usr/sbin/saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 10198 0.0 0.2 7888 1036 ? S Nov12 0:00 /usr/sbin/saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 10199 0.0 0.1 7768 584 ? S Nov12 0:00 /usr/sbin/saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 10200 0.0 0.2 7888 1032 ? S Nov12 0:00 /usr/sbin/saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 23828 0.0 0.1 1760 568 pts/0 R+ 11:19 0:00 grep saslauthd
It might help you to know that I'm not using the stable version, but the testing one.
Anyway... I stayed and investigated piece by piece and finally found out what was wrong. The configs were OK... The problem was that saslauthd couldn't communicate with pam. I changed the config and replaced pam with shadow, and everything worked fine.
Thanks a lot for your answer... I'm in your debt...
__________________
yume wa yume de shikanai...
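The `ls -la` check requested earlier in the thread comes down to whether the `postfix` user can enter the saslauthd run directory, which the posted init script creates as root:sasl with mode 710. As an added example (not from the thread or the tutorial), this function decides that from one `ls -ld` line and a group list; the function name and the sample line are constructed.

```shell
#!/bin/sh
# can_reach_socket_dir "<ls -ld line>" "<user>" "<groups of that user>"
# Prints "ok" or why the directory cannot be entered; returns 0 or 1.
can_reach_socket_dir() {
    ls_line=$1; user=$2; user_groups=$3
    set -f; set -- $ls_line; set +f      # split into fields without globbing
    mode=$1; owner=$3; group=$4
    case $mode in
        d*) ;;
        *) echo "not a directory: $mode"; return 1 ;;
    esac
    # Pick the permission class the kernel applies: owner, then group, then other.
    if [ "$user" = "$owner" ]; then
        class=owner; pos=4
    else
        case " $user_groups " in
            *" $group "*) class=group; pos=7 ;;
            *) class=other; pos=10 ;;
        esac
    fi
    # The execute (search) bit of that class decides whether the socket is reachable.
    bit=$(printf '%s' "$mode" | cut -c"$pos")
    case $bit in
        x|s|t) echo "ok"; return 0 ;;
        *) echo "denied: $user is '$class' on $owner:$group $mode"; return 1 ;;
    esac
}

# Constructed sample: the root:sasl 710 directory the init script creates.
SAMPLE_DIR='drwx--x--- 2 root sasl 4096 Nov 12 11:00 /var/spool/postfix/var/run/saslauthd'
can_reach_socket_dir "$SAMPLE_DIR" postfix "postfix" || true   # postfix not in group sasl
can_reach_socket_dir "$SAMPLE_DIR" postfix "postfix sasl"      # postfix is in group sasl

# Live check on the mail server, skipped when the directory or user is absent.
RUN_DIR=/var/spool/postfix/var/run/saslauthd
if [ -d "$RUN_DIR" ] && id postfix >/dev/null 2>&1; then
    can_reach_socket_dir "$(ls -ld "$RUN_DIR")" postfix "$(id -Gn postfix)" || true
fi
```

The check covers the run directory only; each parent directory on the path needs the same search permission.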
All times are GMT +2. The time now is 19:41.