Forcing SMTP AUTH with Postfix 2.5.1/Ubuntu 8.04

Discussion in 'Server Operation' started by elorc, Aug 7, 2010.

  1. elorc

    elorc New Member

    I'm working on configuring a mail server on Ubuntu 8.04 using Postfix 2.5.1 and Courier 0.59.0. I don't want to have to open up specific networks for SMTP relaying, so I want my server to require authenticated SMTP sessions. I'm just confused on how to do this. Here's my main.cf file from Postfix:

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = srv1.mydomain.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = srv1.mydomain.com, localhost, localhost.localdomain
    relayhost = [p3smtpout.secureserver.net]
    mynetworks = 127.0.0.0/8 ##.###.##.##/24 
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains = 
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /home/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    virtual_create_maildirsize = yes
    virtual_maildir_extended = yes
    virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
    virtual_mailbox_limit_override = yes
    virtual_maildir_limit_message = "The user you are trying to reach is over quota."
    virtual_overquota_bounce = yes
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    I'm really confused, here. I installed the mail server per instructions at http://howtoforge.com/virtual-users-domains-postfix-courier-mysql-squirrelmail-ubuntu8.04. Elsewhere I was told to look into Cyrus and/or Dovecot, which I did, but the documentation I read wasn't helpful and just left me more confused. Shouldn't this just be a setting in Postfix?

    The SASL readme advises that I run postconf -a, which comes back with cyrus and dovecot. However I can't find the dovecot.conf file that the readme references (I tried searching the entire server with no luck). The Cyrus part... I'm not sure where to begin. This server is set up with virtual users in a MySQL database. Under the SQL section of the SASL readme, it references a file /etc/sasl2/smtpd.conf. That file doesn't exist on my server, but I do have it under my /etc/postfix/sasl folder. The file contains:

    Code:
    pwcheck_method: saslauthd
    mech_list: plain login
    allow_plaintext: true
    auxprop_plugin: mysql
    sql_hostnames: 127.0.0.1
    sql_user: (sql account)
    sql_passwd: (sql account's password)
    sql_database: mail
    sql_select: select password from users where email = '%u'
    It seems like getting this enabled is way more complicated than I expected, assuming I'm not on the wrong path. Any help you can provide would be hugely appreciated because I really need to get this thing up and running.
     
  2. falko

    falko Super Moderator

    Use
    Code:
    mynetworks = 127.0.0.0/8
    in your main.cf - that way all clients except localhost have to authenticate (except if the recipient is on the server itself).
     
  3. elorc

    elorc New Member

    It seems to reject my login credentials. I have the Mail client set to use Password as the authentication method. Username and password are the same that I use to log in for POP and IMAP (user me@mydomain.com, same password). In the mail.log file:

    Code:
    Aug  8 12:10:02 ip-##-###-###-## postfix/smtpd[31991]: connect from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
    Aug  8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: warning: SASL authentication failure: Password verification failed
    Aug  8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
    Aug  8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: lost connection after AUTH from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
    Aug  8 12:10:04 ip-##-###-###-## postfix/smtpd[31991]: disconnect from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
     
  4. falko

    falko Super Moderator

    What email client do you use?
     
  5. elorc

    elorc New Member

    Apple's Mail client that comes with OS X. The same thing happens when I try to use Outlook 2007 with SMTP authentication enabled.

    Code:
    Aug  9 08:26:58 ip-##-###-###-## postfix/smtpd[3506]: connect from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
    Aug  9 08:27:01 ip-##-###-###-## postfix/smtpd[3506]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL LOGIN authentication failed: authentication failure
    Aug  9 08:27:01 ip-##-###-###-## postfix/smtpd[3506]: lost connection after AUTH from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
    Aug  9 08:27:01 ip-##-###-###-## postfix/smtpd[3506]: disconnect from cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]
    Under the Outgoing Server tab on the account's configuration in Outlook, I have the following set:

    • My outgoing server requires authentication
    • Log on using

    Require Secure Password Authentication is unchecked.

    Running testsaslauthd from the server produces an error, so I'm thinking SASL isn't working for some reason:

    Code:
    testsaslauthd -u me@mydomain.com -p MyPassword
    connect() : No such file or directory
    I don't know if this helps any, but when I telnet to port 25 on the server and EHLO, it shows login plain on the output:

     
  6. falko

    falko Super Moderator

    The mail client settings seem to be ok. Are there any sasl errors in your mail log?
     
  7. elorc

    elorc New Member

    Not in mail.log. The only SASL-related thing I see in mail.log is when I try to connect with SMTP and it gives the warning about authentication failing:

    There is a file under /var/log named mail.err.0 which contains this:

    Code:
    Aug  1 11:23:23 ip-##-###-###-## postfix[10641]: fatal: usage: postfix [-c config_dir] [-Dv] command
    Aug  1 11:53:26 ip-##-###-###-## postfix[10735]: fatal: usage: postfix [-c config_dir] [-Dv] command
    Aug  7 10:32:44 ip-##-###-###-## postfix/smtpd[25492]: fatal: SASL per-connection initialization failed
    Aug  7 10:34:14 ip-##-###-###-## postfix/smtpd[25511]: fatal: SASL per-connection initialization failed
    Aug  7 10:35:15 ip-##-###-###-## postfix/smtpd[25515]: fatal: SASL per-connection initialization failed
    There doesn't appear to be anything more recent, and mail.err exists but is empty. There is also a file called mail.warn which contains the following:

    Code:
    Aug  8 12:18:49 ip-##-###-###-## postfix/smtpd[32025]: warning: SASL authentication failure: Password verification failed
    Aug  8 12:18:49 ip-##-###-###-## postfix/smtpd[32025]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
    Aug  8 12:18:50 ip-##-###-###-## postfix/smtpd[32027]: warning: SASL authentication failure: Password verification failed
    Aug  8 12:18:50 ip-##-###-###-## postfix/smtpd[32027]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
    Aug  8 12:19:01 ip-##-###-###-## postfix/smtpd[32025]: warning: SASL authentication failure: Password verification failed
    Aug  8 12:19:01 ip-##-###-###-## postfix/smtpd[32025]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
    Aug  8 12:22:13 ip-##-###-###-## postfix/smtpd[32033]: warning: SASL authentication failure: Password verification failed
    Aug  8 12:22:13 ip-##-###-###-## postfix/smtpd[32033]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL PLAIN authentication failed: authentication failure
    Aug  9 08:27:01 ip-##-###-###-## postfix/smtpd[3506]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL LOGIN authentication failed: authentication failure
    Aug  9 08:28:52 ip-##-###-###-## postfix/smtpd[3512]: warning: cpe-11-222-33-444.nycap.res.rr.com[11.222.33.444]: SASL LOGIN authentication failed: authentication failure
     
  8. falko

    falko Super Moderator

  9. elorc

    elorc New Member

    As far as I know, yes. Here are the files I have...

    /etc/default/saslauthd
    Code:
    #
    # Settings for saslauthd daemon
    # Please read /usr/share/doc/sasl2-bin/README.Debian for details.
    #
    
    # Should saslauthd run automatically on startup? (default: no)
    START=yes
    
    # Description of this saslauthd instance. Recommended.
    # (suggestion: SASL Authentication Daemon)
    DESC="SASL Authentication Daemon"
    
    # Short name of this saslauthd instance. Strongly recommended.
    # (suggestion: saslauthd)
    NAME="saslauthd"
    
    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="pam"
    
    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""
    
    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5
    
    # Other options (default: -c -m /var/run/saslauthd)
    # Note: You MUST specify the -m option or saslauthd won't run!
    #
    # See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
    # See the saslauthd man page for general information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
    /etc/pam.d/smtp
    Code:
    #%PAM-1.0
    #------------------------------------------------------------------------
    #
    # /etc/pam.d/smtp
    #
    # Copyright (c) 2000-2003 Richard Nelson.  All Rights Reserved.
    # Version:    2.0.1
    # Time-stamp: <2003/05/06 12:00:00 cowboy>
    #
    # PAM configuration file used by SASL to authenticate a PLAIN password.
    #
    #------------------------------------------------------------------------
    @include common-auth
    @include common-account
    auth    required   pam_mysql.so user=mail_admin passwd=mailadminpw host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
    account sufficient pam_mysql.so user=mail_admin passwd=mailadminpw host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
    #@include common-password
    /etc/postfix/sasl/smtpd.conf
    Code:
    pwcheck_method: saslauthd
    mech_list: plain login
    allow_plaintext: true
    auxprop_plugin: mysql
    sql_hostnames: 127.0.0.1
    sql_user: mail_admin
    sql_passwd: mailadminpw
    sql_database: mail
    sql_select: select password from users where email = '%u'

    As far as the users DB table goes, this is how it looks:
    Code:
    mysql> describe users;
    +----------+-------------+------+-----+----------+-------+
    | Field    | Type        | Null | Key | Default  | Extra |
    +----------+-------------+------+-----+----------+-------+
    | email    | varchar(80) | NO   | PRI | NULL     |       |
    | password | varchar(20) | NO   |     | NULL     |       |
    | quota    | int(10)     | YES  |     | 10485760 |       |
    +----------+-------------+------+-----+----------+-------+
    3 rows in set (0.00 sec)
     
  10. falko

    falko Super Moderator

    Can you comment out all lines in /etc/pam.d/smtp except the two shown in the tutorial?
     
  11. elorc

    elorc New Member

    Ok, it looks like that did it. In my installation, the /etc/pam.d/smtp file already existed so I didn't know if the other stuff had to be there.

    Thanks for all of your help. :)
     

Share This Page