postfix config & mailclients outside of the server's internal network

Discussion in 'Installation/Configuration' started by gridorian, Nov 11, 2007.

  1. gridorian

    gridorian New Member

    Hi there!
    I used this tutorial http://www.howtoforge.com/perfect_setup_debian_etch (written by falko) to configure a mail server for one of my friends. Everything works well, up to one point: I can't get it to work under any circumstances with a mail client (Thunderbird) from outside the network.

    Can you help me please?

    I modified the mynetworks variable, adding my IP. With telnet I was able to send mails, but the mail client didn't react at all.

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    myhostname = mail.domain.com
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    # SASL parameters
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_client_restrictions = permit
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_auth_only = no
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    #smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    #smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    
    tls_random_source = dev:/dev/random
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    inet_interfaces = all
    
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = domain.com, mail.domain.com, localhost
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_size_limit = 0
    mailbox_command =
    #/usr/bin/procmail -a "$EXTENSION"
    #-d "$HOME/Maildir/"
    recipient_delimiter = +
    
    home_mailbox = Maildir/
     
  2. till

    till Super Moderator

    Please make sure that you forwarded the smtp port from your router to your server and that you enabled smtp authentication in Thunderbird. You should not change the mynetworks variable.
     
  3. gridorian

    gridorian New Member

    It's not the SMTP port.

    I have the same configuration on two different servers, and one of them works. It seems I can't manage to configure saslauthd well...

    The tutorial skipped some old steps, and everything broke apart (the first server I configured after the tutorial for Sarge; this one has a few missing steps).
     
  4. till

    till Super Moderator

    There is nothing missing in the tutorial. If you added steps from the sarge tutorial, then this will break sasl. Please configure sasl exactly as described in the perfect setup guide.
     
  5. gridorian

    gridorian New Member

    Doing it like that does not allow a mail client to connect :(

    The error I get now is: Nov 12 11:56:56 psp postfix/smtpd[6511]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied

    I'm attaching the main.cf, /etc/default/saslauthd and /etc/init.d/saslauthd files. Please tell me where I'm doing it wrong.

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    myhostname = mail.domain.com
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    # SASL parameters
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_client_restrictions = permit
    smtpd_recipient_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            reject_unauth_destination,
            reject_rbl_client bl.spamcop.net,
            reject_rbl_client list.dsbl.org,
            reject_rbl_client sbl.spamhaus.org,
            reject_rbl_client cbl.abuseat.org
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_auth_only = no
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    #smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    #smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    
    smtpd_sasl_path = smtpd
    
    tls_random_source = dev:/dev/random
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    inet_interfaces = all
    
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = domain.com, localhost
    relayhost =
    mynetworks = 127.0.0.0/8, 82.76.110.109
    mailbox_size_limit = 0
    mailbox_command =
    
    recipient_delimiter = +
    
    home_mailbox = Maildir/
    
    Code:
    #
    # Settings for saslauthd daemon
    #
    
    # Should saslauthd run automatically on startup? (default: no)
    START=yes
    PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
    
    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="pam"
    
    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""
    
    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5
    
    # Other options (default: -c)
    # See the saslauthd man page for information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    # Note: See /usr/share/doc/sasl2-bin/README.Debian
    OPTIONS="-c"
     
  6. gridorian

    gridorian New Member

    Code:
    #! /bin/sh
    ### BEGIN INIT INFO
    # Provides:          saslauthd
    # Required-Start:    $local_fs $remote_fs
    # Required-Stop:     $local_fs $remote_fs
    # Default-Start:     2 3 4 5
    # Default-Stop:      S 0 1 6
    # Short-Description: saslauthd startup script
    # Description:       This script starts the saslauthd daemon. It is
    #                    configured using the file /etc/default/saslauthd.
    ### END INIT INFO
    
    # Author: Fabian Fagerholm <fabbe@debian.org>
    
    # Do NOT "set -e"
    
    # PATH should only include /usr/* if it runs after the mountnfs.sh script
    PATH=/sbin:/usr/sbin:/bin:/usr/bin
    
    # Global variables
    DAEMON=/usr/sbin/saslauthd
    DEFAULT_FILES=`find /etc/default -regex '/etc/default/saslauthd[_a-zA-Z0-9\-]*$' -print | sort`
    FALLBACK_RUN_DIR=/var/run/saslauthd
    NAME=saslauthd
    
    # Exit if the package is not installed
    [ -x "$DAEMON" ] || exit 0
    
    # Load the VERBOSE setting and other rcS variables
    . /lib/init/vars.sh
    
    # Define LSB log_* functions.
    # Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
    . /lib/lsb/init-functions
    
    # Function that starts all saslauthd instances
    # Parameters: none
    # Return value: none
    do_startall()
    {
            for instance in $DEFAULT_FILES
            do
                    start_instance $instance
            done
    }
    
    # Function that stops all saslauthd instances
    # Parameters: none
    # Return value: none
    do_stopall()
    {
            for instance in $DEFAULT_FILES
            do
                    stop_instance $instance
            done
    }
    
    # Function that sends a SIGHUP to all saslauthd instances
    # Parameters: none
    # Return value: none
    do_reloadall()
    {
            for instance in $DEFAULT_FILES
            do
                    reload_instance $instance
            done
    }
    
    # Function that starts a single saslauthd instance
    # Parameters:
    #       $1 = path of default file for this instance
    # Return value:
    #       0 on success (does not mean the instance started)
    #       1 on failure
    start_instance()
    {
            # Load defaults file for this instance.
            . $1
    
            # If the daemon is not enabled, give the user a warning and stop.
            if [ "$START" != "yes" ]; then
                    log_warning_msg "To enable $NAME, edit $1 and set START=yes"
                    return 0
            fi
    
            # If the short name of this instance is undefined, warn the user
            # but choose a default name.
            if [ -z "$NAME" ]; then
                    log_warning_msg "Short name (NAME) undefined in $1, using default"
                    NAME=default
            fi
    
            log_daemon_msg "Starting $DESC" "$NAME"
    
            # Determine run directory and pid file location by looking
            # for an -m option.
            RUN_DIR=`echo "$OPTIONS" | xargs -n 1 echo | sed -n '/^-m$/{n;p}'`
            if [ -z "$RUN_DIR" ]; then
                    # No run directory defined in defaults file, fail.
                    #log_failure_msg "No run directory defined for $NAME, not starting"
                    #return 1
                    RUN_DIR=/var/log/saslauthd
                    #@@ set by dr
            fi
            #PIDFILE=$RUN_DIR/saslauthd.pid
            PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"
            #@@ set by dr
    
            # If no mechanisms are defined, fail.
            if [ -z "$MECHANISMS" ]; then
                    log_failure_msg "No mechanisms defined in $1, not starting $NAME"
                    return 1
            fi
    
            # If there are mechanism options defined, prepare them for use with
            # the -O flag.
            if [ -n "$MECH_OPTIONS" ]; then
                    MECH_OPTIONS="-O $MECH_OPTIONS"
            fi
    
            # If there is a threads option defined, prepare it for use with
            # the -n flag.
            if [ -n "$THREADS" ]; then
                    THREAD_OPTIONS="-n $THREADS"
            fi
    
            # Construct argument string.
            DAEMON_ARGS="-a $MECHANISMS $MECH_OPTIONS $OPTIONS $THREAD_OPTIONS"
    
            # If there is a statoverride for the run directory, then pull
            # permission and ownership information from it and create the directory.
            # Otherwise, we create the directory with default permissions and
            # ownership (root:sasl, 710).
            if dpkg-statoverride --list $RUN_DIR > /dev/null; then
                    createdir `dpkg-statoverride --list $RUN_DIR`
            else
                    createdir root sasl 710 $RUN_DIR
            fi
    
            # Start the daemon, phase 1: see if it is already running.
            start-stop-daemon --start --quiet --pidfile $PIDFILE --name $NAME \
                    --exec $DAEMON --test > /dev/null
            if [ "$?" != 0 ]; then
                    log_progress_msg "(already running)"
                    log_end_msg 0
                    return 0
            fi
    
            # Start the daemon, phase 2: it was not running, so actually start it now.
            start-stop-daemon --start --quiet --pidfile $PIDFILE --name $NAME \
                    --exec $DAEMON -- $DAEMON_ARGS
            if [ "$?" != 0 ]; then
                    log_end_msg 1
                    return 1
            fi
    
            # Started successfully.
            log_end_msg 0
            return 0
    }
    
    []...
    
    
     
  7. gridorian

    gridorian New Member

    I modified some things back.
    Still the same error: Nov 12 12:45:48 psp postfix/smtpd[7620]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied

    Please help. Except for smtpd_recipient_restrictions, this should be the original config, as the tutorial suggested. I still get that error. What could be wrong?

    main.cf:
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    myhostname = mail.domain.com
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    # SASL parameters
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_client_restrictions = permit
    smtpd_recipient_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            reject_unauth_destination,
            reject_rbl_client bl.spamcop.net,
            reject_rbl_client list.dsbl.org,
            reject_rbl_client sbl.spamhaus.org,
            reject_rbl_client cbl.abuseat.org
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_auth_only = no
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    
    #smtpd_sasl_path = smtpd
    
    tls_random_source = dev:/dev/random
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    inet_interfaces = all
    
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = domain.com, localhost
    relayhost =
    mynetworks = 127.0.0.0/8, 82.76.110.109
    mailbox_size_limit = 0
    mailbox_command =
    recipient_delimiter = +
    
    home_mailbox = Maildir/
    /etc/default/saslauthd
    Code:
    #
    # Settings for saslauthd daemon
    #
    
    # Should saslauthd run automatically on startup? (default: no)
    START=yes
    
    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="pam"
    
    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""
    
    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5
    
    # Other options (default: -c)
    # See the saslauthd man page for information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    # Note: See /usr/share/doc/sasl2-bin/README.Debian
    #OPTIONS="-c -m /var/run/saslauthd"
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
     
  8. falko

    falko Super Moderator

    What's the output of
    Code:
    ls -la /var/spool/postfix/var/run/saslauthd
    and
    Code:
    ps aux | grep saslauthd
    ?
     
  9. gridorian

    gridorian New Member

    Code:
    psp:~# ls -a /var/spool/postfix/var/run/saslauthd/
    .  ..  cache.flock  cache.mmap  mux  mux.accept  saslauthd.pid
    psp:~# ps aux | grep saslauthd
    root     10192  0.0  0.2   7888  1144 ?        Ss   Nov12   0:00 /usr/sbin/saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
    root     10197  0.0  0.2   7888  1044 ?        S    Nov12   0:00 /usr/sbin/saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
    root     10198  0.0  0.2   7888  1036 ?        S    Nov12   0:00 /usr/sbin/saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
    root     10199  0.0  0.1   7768   584 ?        S    Nov12   0:00 /usr/sbin/saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
    root     10200  0.0  0.2   7888  1032 ?        S    Nov12   0:00 /usr/sbin/saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
    root     23828  0.0  0.1   1760   568 pts/0    R+   11:19   0:00 grep saslauthd
    
    It might help you to know that I'm not using the stable version, but the testing one.

    Anyway... I stayed and investigated piece by piece and finally found out what was wrong. The configs were OK... The problem was that saslauthd couldn't communicate with PAM. I changed the config and replaced pam with shadow, and everything worked fine :D.

    Thanks a lot for your answer... I'm in your debt...
     
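The thread turns on two settings in the posted main.cf: till's advice not to put the client's public IP into mynetworks (relaying should depend on SASL authentication, not on an IP allowlist), and smtpd_tls_auth_only = no, which lets the mail client send its password over an unencrypted session. The following linter is an added example, not code from the thread or from Postfix; it parses main.cf syntax (key = value, whitespace-indented continuation lines, # comments) and flags those two points plus duplicate parameter definitions, using a constructed, trimmed copy of the posted configuration as input.

```python
"""Lint a Postfix main.cf for the settings this thread turns on (added example,
not from the thread or Postfix): a non-local address in mynetworks, plaintext
SASL logins (smtpd_tls_auth_only = no) and parameters defined twice."""
import ipaddress

# Constructed sample: a trimmed copy of the main.cf posted in the thread.
SAMPLE_MAIN_CF = """\
# SASL parameters
smtpd_sasl_auth_enable = yes
smtpd_tls_received_header = yes
smtpd_tls_auth_only = no
smtpd_tls_received_header = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination
mynetworks = 127.0.0.0/8, 82.76.110.109
"""

def parse_main_cf(text):
    """Return {param: [value, ...]}, keeping every definition in order."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            # Continuation line: Postfix appends it to the previous value.
            params[current][-1] = (params[current][-1] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params.setdefault(current, []).append(value.strip())
    return params

def lint_main_cf(text):
    """Return a list of findings (empty means nothing flagged)."""
    params = parse_main_cf(text)
    findings = []
    for key, values in params.items():
        if len(values) > 1:
            findings.append(f"{key} defined {len(values)} times; Postfix uses the last value")
    for entry in params.get("mynetworks", [""])[-1].replace(",", " ").split():
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # table lookups such as hash:/etc/postfix/network_table
        if not (net.is_loopback or net.is_private):
            findings.append(f"mynetworks trusts public address {entry}; rely on SASL authentication instead")
    if params.get("smtpd_tls_auth_only", ["no"])[-1].lower() == "no":
        findings.append("smtpd_tls_auth_only = no allows SASL passwords on unencrypted sessions")
    return findings

if __name__ == "__main__":
    for finding in lint_main_cf(SAMPLE_MAIN_CF):
        print("WARN:", finding)
```

Point it at a real /etc/postfix/main.cf by reading the file into lint_main_cf(); the same parser handles the multi-line smtpd_recipient_restrictions block shown in the later posts.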
