  #1  
Old 20th July 2009, 23:39
atjensen11 atjensen11 is offline
Senior Member
 
Join Date: Dec 2007
Posts: 199
Thanks: 9
Thanked 6 Times in 6 Posts
ISPConfig 3 & Roundcube

I am attempting to install and configure Roundcube. I have used many posts here on the forums to aid so far.

My server is a Debian Lenny 64 Install using the Perfect Server install on this site. I further installed dkimproxy which signs outgoing emails with DKIM and DomainKeys signatures. Emails are signed using incoming port 587.

As part of the Perfect Server setup, Squirrelmail is installed. In the Squirrelmail configuration, I changed the SMTP settings to use port 587 and all outgoing emails were signed as intended.

I have now installed Roundcube and am attempting to replicate the success I had with Squirrelmail. I changed the SMTP port to use 587. However, Roundcube cannot send emails. If I change the SMTP port to 25, emails are sent but are not signed by dkimproxy.

I first looked to the Roundcube error logs. There were entries that said something to the effect that an invalid response was received. I dug further and found the error message below in the syslog file. I have sanitized the error messages shown below:

Code:
Jul 20 16:21:42 server postfix/smtpd[2954]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Jul 20 16:21:42 server postfix/smtpd[2954]: warning: server.example.com[192.168.XX.XX]: SASL LOGIN authentication failed: generic failure

Any ideas why this would work with other email clients and not Roundcube?

I have tried the Roundcube forum as well. But upon posting the error messages above, the response I received is that it is not a Roundcube issue.

Any help would be appreciated.
  #2  
Old 21st July 2009, 08:16
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,488
Thanks: 813
Thanked 5,259 Times in 4,123 Posts

Quote:
But upon posting the error messages above, the response I received is that it is not a Roundcube issue.

If it works with other clients and not roundcube, it is definitely a roundcube issue. Please disable smtp authentication in roundcube, it is not needed for connections on localhost.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 21st July 2009, 16:52
atjensen11 atjensen11 is offline

Till,

Thanks for the reply. I can disable the SMTP authentication and Roundcube will send outgoing emails. But those emails will not be signed by dkimproxy which is the real intent I am striving to obtain with this setup.

Do you think it might be a permissions issue?

Squirrelmail is installed in /usr/share/squirrelmail and all files appear to be root:root. Then, /var/www/webmail is a symlink to this location.

When I installed Roundcube, I created a new folder under /var/www/client#/web/webmail and created a subdomain pointing to this location in ISPConfig. I uploaded the Roundcube files there and did the configuration.

The ownership of those files though are web#:client#. Could that difference perhaps lead to the problem I am experiencing?

Thanks.
  #4  
Old 31st August 2009, 04:55
atjensen11 atjensen11 is offline

OK, I ran into another problem recently and it brought this thread back to mind.

I was testing dkim-proxy on my server which signs mail on port 587 for email users using external email clients for domains hosted on the ISPConfig3 server.

I had configured Outlook as well as Live Mail for use of the IMAP/SMTP server and was able to send and receive emails just fine. Further testing showed that mail sent from these two programs did not get signed by dkim-proxy. Further digging found that I had not configured them to send on port 587, but rather on port 25.

When I changed both programs to send on port 587, they both failed. The following error message is a tail from one of those attempts:

Code:
Aug 28 23:43:17 server postfix/smtpd[4483]: connect from unknown[192.168.XX.XXX]
Aug 28 23:43:17 server postfix/smtpd[4483]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Aug 28 23:43:17 server postfix/smtpd[4483]: warning: unknown[192.168.XX.XXX]: SASL LOGIN authentication failed: generic failure
Aug 28 23:43:17 server postfix/smtpd[4483]: lost connection after AUTH from unknown[192.168.XX.XXX]
Aug 28 23:43:17 server postfix/smtpd[4483]: disconnect from unknown[192.168.XX.XXX]

This error message is almost identical to the one I was receiving from Roundcube. So currently, Squirrelmail can send on port 587. But Outlook and Roundcube generate the error above.
  #5  
Old 31st August 2009, 11:42
till till is offline

Quote:
The ownership of those files though are web#:client#. Could that difference perhaps lead to the problem I am experiencing?

No. The ownership of the files has nothing to do with smtp auth.

Quote:
This error message is almost identical to the one I was receiving from Roundcube. So currently, Squirrelmail can send on port 587. But Outlook and Roundcube generate the error above.

And you configured sasl for this port too? I don't use dkim, so I cannot tell you the exact configuration. But it looks to me as if you have to configure this port to connect to the same sasl socket that is used by port 25.
  #6  
Old 2nd September 2009, 06:42
atjensen11 atjensen11 is offline

Till,

I can assure you that I did not do any additional configuration of the SASL port...primarily because I have no idea how to do it now, let alone two years ago when the old production server was configured.

The only difference is that the old production server was an Ubuntu 7.04 machine upgraded to 7.10 and eventually to 8.04 LTS. The new production server is Debian Lenny.

As a side note, I would like to know how the bigger providers are handling DKIM and domainkeys signatures, if at all.

Here is the portion of my /etc/postfix/master.cf file that deals with dkimproxy and the signing of outgoing emails:

Code:
### dkimproxy filter - see http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission  inet  n     -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10028
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# specify the location of the DKIM signing proxy
# Note: the smtp_discard_ehlo_keywords option requires a recent version of
# Postfix. Leave it off if your version does not support it.
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10029 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

As I understand the message flow, an outgoing email enters the Postfix server from an email client on the submission port. Then, the message is forwarded to the dkimproxy signing service on port 10028. Once signed, dkimproxy reinjects the message to Postfix on port 10029. From there, the message is sent out to the recipient.

If email clients are configured to use port 25 for SMTP, they bypass this whole logic since it relies on incoming messages on the submission port (587).

Currently, two of the three email clients I have configured to send SMTP mail on the submission port generate the error posted previously. Only Squirrelmail is signing email messages through dkimproxy on the submission port.
  #7  
Old 2nd September 2009, 10:10
till till is offline

ISPConfig already uses a filtering daemon which does the spam and virus filtering and can also do the dkim signing:

http://www.ijs.si/software/amavisd/a...docs.html#dkim
  #8  
Old 3rd September 2009, 16:22
atjensen11 atjensen11 is offline

Thanks for the information, Till, on the capabilities of amavisd-new. In the small amount of reading on the topic, it looks like it would be a simpler solution than my current configuration with dkimproxy.

However, the root issue I have is that some email clients are not able to send to port 587 on the email server. Authentication fails, according to the logs, for some reason.

Does anyone have suggestions how to troubleshoot the cause of this error?
  #9  
Old 3rd September 2009, 16:34
till till is offline

Please post the complete master.cf file.
  #10  
Old 3rd September 2009, 19:34
atjensen11 atjensen11 is offline

master.cf:

Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
    -o content_filter=dksign:[127.0.0.1]:10028
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=R user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}


amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=127.0.0.1

### dkimproxy filter - see http://dkimproxy.sourceforge.net/postfix-outbound-howto.html
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission  inet  n     -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10028
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

# specify the location of the DKIM signing proxy
# Note: the smtp_discard_ehlo_keywords option requires a recent version of
# Postfix. Leave it off if your version does not support it.
dksign    unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls

# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10029 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
Reply With Quote
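
An added example, not part of the thread and not ISPConfig or Postfix code: a small Python audit of the smtpd listeners in a master.cf like the one posted above. It reports which listeners hand mail to the dksign transport (port 25 does not, as post #6 describes) and whether a SASL-enabled listener runs with a different chroot setting than the smtp service, one thing to compare when following the hint in post #5 about both ports reaching the same SASL socket. The function names and the trimmed sample are constructed, and the thread does not establish that the chroot difference is the cause of the error.

```python
# Added example (not from the thread): audit smtpd listeners in a master.cf.
# Constructed sample: the three inet smtpd entries from the file posted above.
SAMPLE = """\
smtp      inet  n       -       -       -       -       smtpd
submission  inet  n     -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10028
# service for accepting messages FROM the DKIM signing proxy
127.0.0.1:10029 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
"""

def parse_master_cf(text):
    """Return one dict per service; indented lines continue the previous entry."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if line[0].isspace():
            if services:
                services[-1]["args"] += fields
        elif len(fields) >= 8:
            services.append({"name": fields[0], "type": fields[1],
                             "chroot": fields[4], "command": fields[7],
                             "args": fields[8:]})
    return services

def overrides(args):
    """Map each '-o name=value' pair to name -> value."""
    pairs = zip(args, args[1:])
    return dict(b.split("=", 1) for a, b in pairs if a == "-o" and "=" in b)

def audit(text, default_chroot="y"):
    """Summarise inet smtpd listeners. '-' in the chroot column means the
    built-in default, which the header of the posted file gives as (yes)."""
    rows = []
    for svc in parse_master_cf(text):
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        opts = overrides(svc["args"])
        chroot = default_chroot if svc["chroot"] == "-" else svc["chroot"]
        rows.append({"listener": svc["name"], "chroot": chroot,
                     # None means "not set here, inherited from main.cf"
                     "sasl": opts.get("smtpd_sasl_auth_enable"),
                     "content_filter": opts.get("content_filter")})
    return rows

def signing_listeners(rows, transport="dksign"):
    """Listeners whose mail is handed to the signing transport."""
    return [r["listener"] for r in rows
            if (r["content_filter"] or "").startswith(transport + ":")]

def sasl_chroot_mismatches(rows, reference="smtp"):
    """SASL-enabled listeners whose chroot setting differs from the reference."""
    ref = next(r["chroot"] for r in rows if r["listener"] == reference)
    return [r["listener"] for r in rows
            if r["sasl"] == "yes" and r["chroot"] != ref]
```

To run it against a real file, pass the contents of /etc/postfix/master.cf to audit() in place of SAMPLE.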