Forcing SMTP AUTH with Postfix 2.5.1/Ubuntu 8.04

#1 elorc, 7th August 2010, 19:50

I'm working on configuring a mail server on Ubuntu 8.04 using Postfix 2.5.1 and Courier 0.59.0. I don't want to have to open up specific networks for SMTP relaying, so I want my server to require authenticated SMTP sessions. I'm just confused on how to do this. Here's my main.cf file from Postfix:

Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = srv1.mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = srv1.mydomain.com, localhost, localhost.localdomain
relayhost = [p3smtpout.secureserver.net]
mynetworks = 127.0.0.0/8 ##.###.##.##/24 
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains = 
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

I'm really confused, here. I installed the mail server per instructions at http://howtoforge.com/virtual-users-...ail-ubuntu8.04. Elsewhere I was told to look into Cyrus and/or Dovecot, which I did, but the documentation I read wasn't helpful and just left me more confused. Shouldn't this just be a setting in Postfix?

The SASL readme advises that I run postconf -a, which comes back with cyrus and dovecot. However I can't find the dovecot.conf file that the readme references (I tried searching the entire server with no luck). The Cyrus part... I'm not sure where to begin. This server is set up with virtual users in a MySQL database. Under the SQL section of the SASL readme, it references a file /etc/sasl2/smtpd.conf. That file doesn't exist on my server, but I do have it under my /etc/postfix/sasl folder. The file contains:

Code:
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: (sql account)
sql_passwd: (sql account's password)
sql_database: mail
sql_select: select password from users where email = '%u'

It seems like getting this enabled is way more complicated than I expected, assuming I'm not on the wrong path. Any help you can provide would be hugely appreciated because I really need to get this thing up and running.

#2 falko, 8th August 2010, 20:44

Use
Code:
mynetworks = 127.0.0.0/8
in your main.cf - that way all clients except localhost have to authenticate (except if the recipient is on the server itself).
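
The relay decision described in post #2, as an added example that is not part of the thread or of Postfix itself: a simplified Python model of how the poster's smtpd_recipient_restrictions list is walked with the wider and with the loopback-only mynetworks. The 192.0.2.0/24 network and the HOSTED set are constructed stand-ins for the redacted /24 and for the MySQL domain lookups.

```python
import ipaddress

# Constructed sample values: 192.0.2.0/24 stands in for the redacted /24 from post #1.
RESTRICTIONS = ("smtpd_sasl_auth_enable = yes\n"
                "smtpd_recipient_restrictions = permit_mynetworks,\n"
                "    permit_sasl_authenticated, reject_unauth_destination\n")
BEFORE = "mynetworks = 127.0.0.0/8 192.0.2.0/24\n" + RESTRICTIONS
AFTER = "mynetworks = 127.0.0.0/8\n" + RESTRICTIONS
HOSTED = {"mydomain.com"}  # assumed result of the virtual_mailbox_domains lookup


def parse_main_cf(text):
    """Return {parameter: value}; comments are dropped, continuation lines joined."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:  # leading whitespace continues the previous parameter
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def rcpt_decision(main_cf, client_ip, authenticated, rcpt_domain, hosted=HOSTED):
    """Walk the restriction list in order; the first restriction that matches decides."""
    params = parse_main_cf(main_cf)
    nets = [ipaddress.ip_network(n, strict=False)
            for n in params.get("mynetworks", "").replace(",", " ").split()]
    sasl_on = params.get("smtpd_sasl_auth_enable", "no") == "yes"
    addr = ipaddress.ip_address(client_ip)
    for rule in params.get("smtpd_recipient_restrictions", "").replace(",", " ").split():
        if rule == "permit_mynetworks" and any(addr in n for n in nets):
            return "permit (mynetworks)"
        if rule == "permit_sasl_authenticated" and sasl_on and authenticated:
            return "permit (sasl)"
        if rule == "reject_unauth_destination" and rcpt_domain not in hosted:
            return "reject (relay access denied)"
    return "permit (end of list)"


if __name__ == "__main__":
    for label, cf in (("before", BEFORE), ("after", AFTER)):
        print(label, rcpt_decision(cf, "192.0.2.10", False, "example.org"))
```
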

#3 elorc, 8th August 2010, 21:16

It seems to reject my login credentials. I have the Mail client set to use Password as the authentication method. Username and password are the same that I use to log in for POP and IMAP (user me@mydomain.com, same password). In the mail.log file:

Code:
Aug  8 12:10:02 ip-##-###-###-## postfix/smtpd[31991]: connect from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
Aug  8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: warning: SASL authentication failure: Password verification failed
Aug  8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
Aug  8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: lost connection after AUTH from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
Aug  8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: disconnect from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]

#4 falko, 9th August 2010, 13:39

What email client do you use?

#5 elorc, 9th August 2010, 17:28

Apple's Mail client that comes with OS X. The same thing happens when I try to use Outlook 2007 with SMTP authentication enabled.

Code:
Aug  9 08:26:58 ip-##-###-###-## postfix/smtpd[3506]: connect from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
Aug  9 08:27:01 ip-##-###-###-## postfix/smtpd[3506]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL LOGIN authentication failed: authentication failure
Aug  9 08:27:01 ip-##-###-###-## postfix/smtpd[3506]: lost connection after AUTH from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
Aug  9 08:27:01 ip-##-###-###-## postfix/smtpd[3506]: disconnect from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]

Under the Outgoing Server tab on the account's configuration in Outlook, I have the following set:
  • My outgoing server requires authentication
  • Log on using

Require Secure Password Authentication is unchecked.

Running testsaslauthd from the server produces an error, so I'm thinking SASL isn't working for some reason:

Code:
testsaslauthd -u me@mydomain.com -p MyPassword
connect() : No such file or directory

I don't know if this helps any, but when I telnet to port 25 on the server and EHLO, it shows login plain on the output:

Quote:
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

#6 falko, 10th August 2010, 16:25

The mail client settings seem to be ok. Are there any sasl errors in your mail log?

#7 elorc, 10th August 2010, 17:20

Not in mail.log. The only SASL-related thing I see in mail.log is when I try to connect with SMTP and it gives the warning about authentication failing:

Quote:
Aug 8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: warning: SASL authentication failure: Password verification failed

There is a file under /var/log named mail.err.0 which contains this:

Code:
Aug  1 11:23:23 ip-##-###-###-## postfix[10641]: fatal: usage: postfix [-c config_dir] [-Dv] command
Aug  1 11:53:26 ip-##-###-###-## postfix[10735]: fatal: usage: postfix [-c config_dir] [-Dv] command
Aug  7 10:32:44 ip-##-###-###-## postfix/smtpd[25492]: fatal: SASL per-connection initialization failed
Aug  7 10:34:14 ip-##-###-###-## postfix/smtpd[25511]: fatal: SASL per-connection initialization failed
Aug  7 10:35:15 ip-##-###-###-## postfix/smtpd[25515]: fatal: SASL per-connection initialization failed

There doesn't appear to be anything more recent, and mail.err exists but is empty. There is also a file called mail.warn which contains the following:

Code:
Aug  8 12:18:49 ip-##-###-###-## postfix/smtpd[32025]: warning: SASL authentication failure: Password verification failed
Aug  8 12:18:49 ip-##-###-###-## postfix/smtpd[32025]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
Aug  8 12:18:50 ip-##-###-###-## postfix/smtpd[32027]: warning: SASL authentication failure: Password verification failed
Aug  8 12:18:50 ip-##-###-###-## postfix/smtpd[32027]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
Aug  8 12:19:01 ip-##-###-###-## postfix/smtpd[32025]: warning: SASL authentication failure: Password verification failed
Aug  8 12:19:01 ip-##-###-###-## postfix/smtpd[32025]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
Aug  8 12:22:13 ip-##-###-###-## postfix/smtpd[32033]: warning: SASL authentication failure: Password verification failed
Aug  8 12:22:13 ip-##-###-###-## postfix/smtpd[32033]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
Aug  9 08:27:01 ip-##-###-###-## postfix/smtpd[3506]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL LOGIN authentication failed: authentication failure
Aug  9 08:28:52 ip-##-###-###-## postfix/smtpd[3512]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL LOGIN authentication failed: authentication failure
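
An added example (not from the thread) for reading logs like those in post #7: it separates smtpd's own fatal SASL errors from per-client authentication failures and counts the latter per client address, skipping the companion "Password verification failed" warning so each attempt is counted once. The log lines, host names and addresses are constructed in the same format, and the threshold is an assumption.

```python
import re
from collections import Counter

# Per-client failure: "warning: host[ip]: SASL MECH authentication failed: reason"
CLIENT_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[([^\]]+)\]: SASL (\S+) authentication failed")
# Fatal error raised by smtpd itself, not tied to any client's credentials
SERVER_FAULT = re.compile(r"postfix/smtpd\[\d+\]: fatal: (SASL .+)$")

# Constructed sample lines in the format shown in the thread.
SAMPLE = """\
Aug  7 10:32:44 mx postfix/smtpd[25492]: fatal: SASL per-connection initialization failed
Aug  8 12:18:49 mx postfix/smtpd[32025]: warning: SASL authentication failure: Password verification failed
Aug  8 12:18:49 mx postfix/smtpd[32025]: warning: client.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Aug  8 12:18:50 mx postfix/smtpd[32027]: warning: client.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Aug  9 08:27:01 mx postfix/smtpd[3506]: warning: client.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Aug  9 08:30:00 mx postfix/smtpd[3600]: warning: other.example.net[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
""".splitlines()


def triage(lines, threshold=3):
    """Split log lines into server-side SASL faults and per-client auth failures."""
    failures, mechanisms, faults = Counter(), Counter(), []
    for line in lines:
        hit = CLIENT_FAIL.search(line)
        if hit:
            failures[hit.group(1)] += 1      # keyed by client address
            mechanisms[hit.group(2)] += 1    # PLAIN, LOGIN, ...
            continue
        hit = SERVER_FAULT.search(line)
        if hit:
            faults.append(hit.group(1))
    return {
        "failures_by_client": dict(failures),
        "mechanisms": dict(mechanisms),
        "server_faults": faults,
        "over_threshold": sorted(ip for ip, n in failures.items() if n >= threshold),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```
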

#8 falko, 11th August 2010, 17:58

Is SASL set up exactly as shown in chapter 6 on http://howtoforge.com/virtual-users-...-ubuntu8.04-p2 ?

#9 elorc, 12th August 2010, 03:38

As far as I know, yes. Here are the files I have...

/etc/default/saslauthd
Code:
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page for general information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

/etc/pam.d/smtp
Code:
#%PAM-1.0
#------------------------------------------------------------------------
#
# /etc/pam.d/smtp
#
# Copyright (c) 2000-2003 Richard Nelson.  All Rights Reserved.
# Version:    2.0.1
# Time-stamp: <2003/05/06 12:00:00 cowboy>
#
# PAM configuration file used by SASL to authenticate a PLAIN password.
#
#------------------------------------------------------------------------
@include common-auth
@include common-account
auth    required   pam_mysql.so user=mail_admin passwd=mailadminpw host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mail_admin passwd=mailadminpw host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
#@include common-password

/etc/postfix/sasl/smtpd.conf
Code:
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mail_admin
sql_passwd: mailadminpw
sql_database: mail
sql_select: select password from users where email = '%u'

As far as the users DB table goes, this is how it looks:
Code:
mysql> describe users;
+----------+-------------+------+-----+----------+-------+
| Field    | Type        | Null | Key | Default  | Extra |
+----------+-------------+------+-----+----------+-------+
| email    | varchar(80) | NO   | PRI | NULL     |       |
| password | varchar(20) | NO   |     | NULL     |       |
| quota    | int(10)     | YES  |     | 10485760 |       |
+----------+-------------+------+-----+----------+-------+
3 rows in set (0.00 sec)

#10 falko, 12th August 2010, 13:17

Can you comment out all lines in /etc/pam.d/smtp except the two shown in the tutorial?