Discussion in 'Server Operation' started by ansabhailte, Sep 10, 2012.
I'm no expert, but telnetting port 587 returns STARTTLS. Isn't that an encryption protocol?
So in trying to troubleshoot where things are failing, I have lined up the following:
Email goes from -> to:
Gmail --> Goldenoakit.com (MX DNS) --> Firewall (IPtables, 587) --> SASL --> Postfix --> MySQL --> vmail folder --> SpamAssassin/Amavis/ClamAV
Does this look right?
If so, then everything from Postfix through ClamAV works fine because I can send mail locally. And everything from Gmail to the firewall works fine because I can telnet and run an ehlo. That is why I am led to believe that it is a SASL issue. That, and the error report I posted earlier about not being able to auth SASL-PAM-MySQL. When I run testsaslauthd with the user mail_admin it fails. That is the user account that is being used to auth, correct?
Mine returns the same thing. It also returns 250-AUTH LOGIN PLAIN, right?
Yes. But my mail client is configured to use STARTTLS and it pulls from the server just fine (My client's, however, is using PLAIN.)
But the problem is somewhere in the authentication, I would think, whether that's SASL, PAM, or something with MySQL. The problem is that I just can't pinpoint it, and if I did, I'm not sure I'd know exactly how to fix it.
"When I run testsaslauthd with the user mail_admin it fails. That is the user account that is being used to auth, correct? "
mail_admin is the database user name that is used by SASL to get into the MySQL database "mail" to find the user %u at domain %r.
If you type "mysql -u mail_admin -p" ... it should prompt you for a password. Copy and paste the value from the smtpd.conf and it should log you in. Type "show databases;" and one of them should be "mail". Type "use mail;" and it should switch to the mail database.
If you went on with the above, you could type something like "select * from users;" and it would give you a list of the users you have set up in mysql. My point is that when you are using the userid=mail_admin ... that is NOT being authenticated by SASL, but by mysqld. So testsaslauthd will fail on that userid ...
Yes, I've done that. What I'm asking is what user account is being used to auth with saslauthd? Is it the email address user ([email protected]) or is it root or something? Because the only users that can pass testsaslauthd are root and josh (aka local UNIX users.) To put it in other words, if these email accounts need to authenticate with SASL in order to receive email, and the only accounts that can pass the auth are local UNIX accounts, where is the break there? Why aren't the accounts defined in MySQL able to authenticate with SASL over port 587?
Ok. Let's try a different approach. Why, when I try to send an email from Gmail to an address hosted on my server, do I not get any errors or notices in mail.log or anything? Does that show where it's failing?
I'm not really familiar with testsaslauthd, so pardon my ignorance. What is being authenticated through postfix is the [email protected] stored in the MySQL database mail table user. You are testing IDs in the Unix user table which is unrelated because you are using "virtual" users (i.e. stored in a mysql db).
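To make the distinction in the post above concrete, here is an added example (not code from the thread or from Postfix/Cyrus SASL) that models the SASL-over-SQL lookup: the login name is split into the %u (local part) and %r (realm/domain) that the sql_select template refers to, and the password is checked against a "users" table of virtual mailboxes. The table layout, the PBKDF2 hashing and the sample rows are assumptions constructed for the demo; a UNIX account such as root is simply absent from that table, which is why it can pass testsaslauthd but is irrelevant to the virtual users.

```python
import hashlib
import hmac
import sqlite3

# Assumed template in the style of smtpd.conf / pam_mysql: %u = local part, %r = realm.
SQL_SELECT = "SELECT password FROM users WHERE email = '%u@%r'"


def split_login(login):
    """Split 'user@example.com' into (%u, %r); a bare UNIX-style name has no realm."""
    if "@" in login:
        user, realm = login.rsplit("@", 1)
        return user, realm
    return login, ""


def render_sql_select(login):
    """Show what the %u/%r template expands to for a given login (display only)."""
    user, realm = split_login(login)
    return SQL_SELECT.replace("%u", user).replace("%r", realm)


def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_mail_db():
    """Constructed in-memory stand-in for the MySQL 'mail' database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, password BLOB)")
    sample_users = [("alice@goldenoakit.com", "s3cret"), ("bob@goldenoakit.com", "hunter2")]
    for email, pw in sample_users:
        salt = hashlib.sha256(email.encode()).digest()[:16]  # deterministic for the demo
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, pw_hash(pw, salt)))
    return db


def sasl_sql_check(db, login, password):
    """Return True only if login is a virtual mailbox row with a matching password.
    A parameterised query is used here instead of raw %u/%r substitution."""
    user, realm = split_login(login)
    row = db.execute("SELECT salt, password FROM users WHERE email = ?",
                     (f"{user}@{realm}",)).fetchone()
    if row is None:
        return False  # UNIX users (root, josh) never appear in the virtual table
    return hmac.compare_digest(row[1], pw_hash(password, row[0]))
```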
Well, it at least shows that the failure, misconfiguration, or whatever is messing up is ahead of what is doing the logging ...
Now how can we test where the emails are failing?
Ok, let me ask this: Can you set up a user that is defined in your mysql database in a client like Thunderbird or Outlook, and log in?
Yes, I have created 12 user accounts (email addresses) and can log in fine. They can receive emails from any of the other 11 emails, and they can send email to anybody (gmail, yahoo, etc.). I can do this from Thunderbird, Outlook, and Squirrelmail (local).
I'm just going to throw this out there: if you can set up any user that is defined in your database, log in via a MUA (mail user agent) like TBird or Outlook, and send an email anywhere ... you can eliminate authentication as your problem.
Alright. Could it be my MX records? I checked them and I didn't notice anything out of place.
Then, unless I'm missing something, you've hit all the points where authentication comes into play. Authentication as a problem should be eliminated (that's a good thing!)
Just confirmed that my MX record is set up properly.
Also the port is open in iptables.
And again, I can telnet 587 from anywhere and run an ehlo.
Auth is working.
I can receive mail from all local addresses.
For the life of me I can't figure out where it's breaking.
Didn't see anything out of place either ...
Actually, when I built a server, I had this exact same problem until I set
inet_interfaces = all
But you already have that set ...
Also, if you were to specify mynetworks the way I have it, it would look like:
mynetworks = 127.0.0.0/8 [::1]/128 [22.214.171.124]
Not sure if that will help, but my reasoning was that I needed to allow incoming not only from localhost, but from the IP that I'm attached to (I changed the IP to yours ...)
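Added example (not code from the thread or from Postfix) that parses a mynetworks line in the form shown above, including the bracketed IPv6 entry and the bracketed bare host, and tells you which connecting client addresses it covers. The check is useful because mynetworks only decides which clients Postfix treats as trusted for relaying (permit_mynetworks); a remote MTA such as Gmail's will never match it, and inbound delivery for your own domains does not depend on it. The sample client addresses are constructed.

```python
import ipaddress


def parse_mynetworks(value):
    """Turn a Postfix mynetworks value into ip_network objects.
    Entries may be separated by whitespace or commas; '[addr]/prefix' and '[addr]'
    forms have their brackets stripped; a bare host becomes a single-address network."""
    nets = []
    for tok in value.replace(",", " ").split():
        if tok.startswith("["):
            addr, _, rest = tok.partition("]")
            addr = addr[1:]
            prefix = rest.lstrip("/")
            tok = f"{addr}/{prefix}" if prefix else addr
        # strict=False tolerates host bits set inside a prefix (e.g. 10.1.2.3/24)
        nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def is_mynetworks_client(value, client_ip):
    """True if client_ip falls inside any mynetworks entry (IPv4/IPv6 never cross-match)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_mynetworks(value))


MYNETWORKS = "127.0.0.0/8 [::1]/128 [22.214.171.124]"  # the line from the post above

if __name__ == "__main__":
    for client in ("127.0.0.1", "::1", "22.214.171.124", "22.214.171.125", "203.0.113.10"):
        print(f"{client:>16}  trusted={is_mynetworks_client(MYNETWORKS, client)}")
```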