postfix virtual users and authentication problems

Discussion in 'Server Operation' started by CopalFreak, May 9, 2011.

  1. CopalFreak

    CopalFreak New Member

    I have been trying to get postfix up and going with virtual users and am having a very hard time with it. I have posted in various forums on the web to no avail, but I am hoping somebody here can help.

    I can receive mail fine.
    In my maillog, when I try to SEND an email from an email client (or webmail), several things are happening.

    Code:
    NOQUEUE: reject: connect from localhost: client host rejected : access denied; proto=SMTP
    
    xsasl_dovecot_server_connect: Connecting
    warning: SASL: Connect to private/auth failed: Permission denied
    fatal: no SASL authentication mechanisms
    
    There is another post that is ALMOST like this, but the solutions there did not help. Originally I was not getting this error, just a 'client access denied' from my IP address, but after trying to fix it via instructions from the other post, this started happening. Following the example from a post for THIS problem made things worse and I could no longer receive emails.
    I started over from scratch and now have it to this point.

    I am not sure what I need to post...entire main.cf and master.cf? (pretty long)

    postconf -a says
    Code:
    dovecot
    
    postconf -A says nothing (empty)
    (which I am sure is part of the problem, but not sure what to do about it)

    postconf -d | grep nis says
    Code:
    alias_maps = hash:/etc/aliases, nis:mail.aliases
    lmtp_sasl_mechanism_filter =
    smtp_sasl_mechanism_filter
    
    ..which is odd.. alias_maps is for 'local delivery' correct?
    Since I am using virtual users (from mysql), I would think it should be something like :
    Code:
    local_transport = virtual
    alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    
    ..which is exactly what I currently have in my /etc/postfix/main.cf..

    Any help would be appreciated.
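The "Connect to private/auth failed: Permission denied" line above means the Postfix SMTP server (user `postfix`) found Dovecot's authentication socket but could not open it: a Unix-domain connect() needs write permission on the socket inode and search permission on every directory above it, and the "fatal: no SASL authentication mechanisms" line follows from that failed connection. The following checker is an added example written for this thread, not code from the poster, Postfix or Dovecot; it evaluates the socket's owner, group and mode bits against a given uid and group set and reports each missing permission. The `demo()` function builds a throwaway socket under a temp directory so the logic can be exercised without a running Dovecot; the uid `me + 60000` there is a constructed stand-in for an unrelated user.

```python
import os
import socket
import stat
import tempfile


def _bits_for(st, uid, gids):
    """rwx bits (as 0-7) that a stat result grants the identity uid/gids."""
    if uid == 0:
        return 7  # root is not subject to mode bits
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def socket_access(path, uid, gids):
    """Explain whether uid (member of gids) could connect() to the Unix socket
    at path.  connect() needs write permission on the socket inode and search
    permission on every directory leading to it."""
    problems = []
    path = os.path.abspath(path)
    d = os.path.dirname(path)
    while True:
        try:
            if not _bits_for(os.stat(d), uid, gids) & 1:
                problems.append(f"{d}: no search (x) permission for uid {uid}")
        except OSError as e:
            problems.append(f"{d}: {e.strerror}")
        if d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    try:
        st = os.stat(path)
    except OSError as e:
        problems.append(f"{path}: {e.strerror} (Dovecot not running, or its unix_listener uses another path?)")
        return {"ok": False, "problems": problems}
    if not stat.S_ISSOCK(st.st_mode):
        problems.append(f"{path}: exists but is not a socket")
    if not _bits_for(st, uid, gids) & 2:
        problems.append(f"{path}: no write permission for uid {uid} "
                        f"(mode {stat.filemode(st.st_mode)}, owner {st.st_uid}:{st.st_gid})")
    return {"ok": not problems, "problems": problems}


def demo():
    """Self-contained run on a throwaway socket (constructed, no real Dovecot):
    the creating user can connect; an unrelated uid with no matching group cannot."""
    workdir = tempfile.mkdtemp()
    sock_path = os.path.join(workdir, "auth")
    listener = socket.socket(socket.AF_UNIX)
    listener.bind(sock_path)
    os.chmod(sock_path, 0o660)  # owner and group may connect, nobody else
    me, my_gids = os.getuid(), {os.getgid()}
    stranger = me + 60000       # constructed uid that owns nothing here
    try:
        return socket_access(sock_path, me, my_gids), socket_access(sock_path, stranger, {stranger})
    finally:
        listener.close()
        os.unlink(sock_path)
        os.rmdir(workdir)


if __name__ == "__main__":
    for label, report in zip(("self", "stranger"), demo()):
        print(label, "ok" if report["ok"] else "denied", report["problems"])
```

On a real host you would call `socket_access("/var/spool/postfix/private/auth", pwd.getpwnam("postfix").pw_uid, {grp.getgrnam("postfix").gr_gid})` as root. The intended state, per the Postfix SASL_README, is a Dovecot `service auth` block with `unix_listener /var/spool/postfix/private/auth { mode = 0660  user = postfix  group = postfix }` and `smtpd_sasl_path = private/auth` on the Postfix side, the path being relative to the queue directory so it still resolves when smtpd runs chrooted. Mode 0660 is the least privilege that works: the socket hands out authentication results, so it should not be world-writable.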
     
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    What's the output of
    Code:
    postconf -n
    ?

    Which tutorial (URL) did you use?
     
  3. CopalFreak

    CopalFreak New Member

    falko,
    thank you for responding.
    I used several different tutorials and resources. Started out with one, had problems I couldn't solve, went to another. Been working on this for a while so it's hard to pin down just one.

    http://wiki.dovecot.org/HowTo/DovecotLDAPostfixAdminMySQL
    http://www.postfix.org/SASL_README.html
    http://ubuntuforums.org/showthread.php?t=142263
    and a ton of posts in various forums.

    At this point I am considering trying to remove all traces of postfix and dovecot and starting over..again..just to have a 'clean slate'.
    Good idea or bad idea?


    output of postconf -n
    Code:
    alias_database =
    alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    debug_peer_level = 1
    default_privs = mail
    disable_vrfy_command = yes
    inet_interfaces = localhost, $myhostname
    invalid_hostname_reject_code = 450
    local_transport = virtual
    maps_rbl_reject_code = 450
    mydestination = localhost.$mydomain, localhost, $myhostname
    myhostname = rockhouseinc.com
    mynetworks = /etc/postfix/mynetworks
    non_fqdn_reject_code = 450
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps $virtual_login_maps
    smtp_sasl_security_options = noanonymous
    smtp_sasl_type = doovecot
    smtp_tls_CAfile = /etc/postfix/DigiCertCA.pem
    smtp_tls_cert_file = /etc/postfix/mail_rockhouseinc_com.pem
    smtp_tls_key_file = /etc/postfix/mail_rockhouseinc_com.key
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
    smtpd_data_restrictions = reject_unauth_pipelining,        reject_multi_recipient_bounce,        permit
    smtpd_delay_reject = no
    smtpd_helo_required = yes
    smtpd_recipient_restrictions = permit_mynetworks,        permit_sasl_authenticated,        reject_unauth_destination,        reject_invalid_helo_hostname,        warn_if_reject reject_non_fqdn_helo_hostname,        warn_if_reject reject_unknown_helo_hostname,        warn_if_reject reject_unknown_client,        reject_non_fqdn_sender,        reject_non_fqdn_recipient,        reject_unknown_sender_domain,        reject_unknown_recipient_domain,        reject_rbl_client zen.spamhaus.org,        reject_rbl_client bl.spamcop.net,        reject_rbl_client dnsbl.sorbs.net=127.0.0.2,        reject_rbl_client dnsbl.sorbs.net=127.0.0.3,        reject_rbl_client dnsbl.sorbs.net=127.0.0.4,        reject_rbl_client dnsbl.sorbs.net=127.0.0.5,        reject_rbl_client dnsbl.sorbs.net=127.0.0.7,        reject_rbl_client dnsbl.sorbs.net=127.0.0.9,        reject_rbl_client dnsbl.sorbs.net=127.0.0.11,        reject_rbl_client dnsbl.sorbs.net=127.0.0.12,        warn_if_reject reject_rhsbl_sender dsn.rfc-ignorant.org,        warn_if_reject reject_rhsbl_sender abuse.rfc-ignorant.org,        warn_if_reject reject_rhsbl_sender whois.rfc-ignorant.org,        warn_if_reject reject_rhsbl_sender bogusmx.rfc-ignorant.org,        warn_if_reject reject_rhsbl_sender postmaster.rfc-ignorant.org,        permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_exceptions_networks = $mynetworks
    smtpd_sasl_path = /var/spool/postfix/private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_tls_CAfile = /etc/postfix/DigiCertCA.pem
    smtpd_tls_ask_ccert = yes
    smtpd_tls_cert_file = /etc/postfix/mail_rockhouseinc_com.pem
    smtpd_tls_dh1024_param_file = $config_directory/dh_1024.pem
    smtpd_tls_dh512_param_file = $config_directory/dh_512.pem
    smtpd_tls_key_file = /etc/postfix/mail_rockhouseinc_com.key
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
    tls_random_source = dev:/dev/urandom
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    virtual_gid_maps = static:202
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
    virtual_minimum_uid = 202
    virtual_transport = dovecot
    virtual_uid_maps = static:202
    
    Here is what I am attempting:
    email will be stored in /var/vmail/{domain}/{user}
    can be accessed by VIRTUAL users (from mysql) via https(webmail) and/or email client which should be using some sort of encryption..but I want the passwords for the virtual users stored in mysql to be 'plaintext' (for the moment).

    Thanks a ton for your help!!
     
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

  5. CopalFreak

    CopalFreak New Member

    That tutorial seems to use courier rather than dovecot.
    Is Courier more robust? (going to have 300+ virtual users and some might be getting upwards of 50 emails per day and probably won't manage them correctly. I chose dovecot because of the advanced individualized quota and auto-pruning+notification features it supposedly has)

    Also, it uses encrypted passwords instead of plaintext.
    I wanted to start out with plaintext passwords in mysql because I am going to need to be able to retrieve them at first. (once I setup all the users, I have to know what password to setup for their email client). I could make a separate list or db, but that's the same security risk.
    Isn't there a way to have a setting that it can be PLAIN, and then just change the setting to use encryption, and then encrypt the passwords once I have verified that it's all working correctly?

    It starts out with an alias file rather than virtual users in mysql, and then goes to mysql..once completed (IF it works), is it ok to delete virtual.db (and references to it)?

    Thanks!
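The staged approach asked about above (start with plaintext, switch to hashes once the setup is verified) works because Dovecot reads the scheme from a `{SCHEME}` prefix on each stored password and falls back to `default_pass_scheme` for bare values, so plaintext and hashed rows can coexist while you convert them. The code below is an added example, not from the thread or from Dovecot: a verifier that dispatches on the prefix and a one-pass migration that rehashes every plaintext row. The `{SSHA256}` layout used here (base64 of the SHA-256 digest of password||salt, followed by the salt) is my reading of Dovecot's scheme and should be confirmed against `doveadm pw -s SSHA256` output before relying on it; the `USERS` rows and `default_scheme="PLAIN"` are constructed stand-ins for the poster's MySQL table and Dovecot setting.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 16
DIGEST_LEN = hashlib.sha256().digest_size  # 32


def make_ssha256(password, salt=None):
    """Produce a {SSHA256} field: base64(sha256(password || salt) || salt)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(field, default_scheme="PLAIN"):
    """Return (SCHEME, data) for a `{SCHEME}data` field; a bare value gets
    default_scheme, mirroring Dovecot's default_pass_scheme setting."""
    if field.startswith("{") and "}" in field:
        scheme, _, data = field[1:].partition("}")
        return scheme.upper(), data
    return default_scheme.upper(), field


def verify(field, password, default_scheme="PLAIN"):
    """Check password against a stored field of either scheme, in constant time."""
    scheme, data = split_scheme(field, default_scheme)
    if scheme == "PLAIN":
        return hmac.compare_digest(data.encode("utf-8"), password.encode("utf-8"))
    if scheme == "SSHA256":
        raw = base64.b64decode(data)
        digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
        candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    raise ValueError(f"unsupported password scheme {scheme!r}")


def migrate(rows, default_scheme="PLAIN"):
    """Rewrite every plaintext password in rows as {SSHA256}; returns count."""
    changed = 0
    for row in rows:
        scheme, secret = split_scheme(row["password"], default_scheme)
        if scheme == "PLAIN":
            row["password"] = make_ssha256(secret)
            changed += 1
    return changed


# Constructed rows standing in for the poster's MySQL mailbox table.
USERS = [
    {"email": "alice@example.test", "password": "{PLAIN}correct horse"},
    {"email": "bob@example.test", "password": "hunter2"},
    {"email": "carol@example.test", "password": make_ssha256("already hashed", b"0123456789abcdef")},
]

if __name__ == "__main__":
    rows = [dict(r) for r in USERS]
    print("rehashed", migrate(rows), "rows")
    for r in rows:
        print(r["email"], r["password"][:24], verify(r["password"], "hunter2"))
```

Running `migrate()` a second time changes nothing, so it is safe to apply to a live table in batches. The plaintext phase still carries the risk the post names: anyone who can read the table reads every mailbox password, so keep that window short and drop any side list of passwords once the hashed rows verify.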
     
  6. CopalFreak

    CopalFreak New Member

    OK.. following your tutorial..almost there.. (i think)
    ..modified a bit for dovecot though.

    Getting a silly error..I suspect because of something I did towards the beginning of the tutorial that was for Courier.

    Code:
    warning: request for unapproved table: "unix:passwd.byname"
    ...to approve this table for proxymap access list proxy:unix:oasswd.byname in main.cf:proxy_read_maps
    
    but I am using MySQL..so it should not be looking for that..
    in my main.cf, I DO have proxy_read_maps
    Code:
    alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
    virtual_alias_domains = proxy:mysql:/etc/postfix/mysql_virtual_alias_domains.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domain_maps.cf
    virtual_login_maps = proxy:mysql:/etc/postfix/mysql_virtual_login_maps.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    
    mydestination = $myhostname $mynetworks $alias_maps $virtual_mailbox_domains $virtual_login_maps $virtual_mailbox_maps $virtual_alias_maps
    proxy_read_maps = $mydestination
    
    
    One weird thing I DID do was in the mysql_virtual files
    Code:
    hosts = unix:/var/run/mysql/mysql.sock, 127.0.0.1
    
    I did that because I was getting other errors...not sure it helped though.

    Any ideas what is causing this? (and maybe how to fix)?

    Thanks!
     
    Last edited: May 11, 2011
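The "request for unapproved table: unix:passwd.byname" warning in the post above follows from `proxy_read_maps = $mydestination`: proxymap only serves tables that expand out of proxy_read_maps, and its built-in default starts with `$local_recipient_maps`, whose own default is `proxy:unix:passwd.byname $alias_maps`. Replacing the list with `$mydestination` drops that entry, so the first lookup against the passwd table is refused. The same expansion logic also catches the `smtp_sasl_type = doovecot` line from the earlier `postconf -n` dump, since `postconf -A` (client-side plugins) printed nothing in the first post. The linter below is an added example, not tooling from the thread or from Postfix: it parses `postconf -n` output, expands `$name` references the way Postfix does, and checks every `proxy:` table against proxy_read_maps and every SASL type against the plugin lists. The `POSTCONF_N` text is constructed from the values the poster pasted, and the `DEFAULTS` table carries only the built-in defaults these checks need.

```python
import re

# Sample input, constructed from the parameters the poster pasted (post 3 and
# post 6).  A real run would read the live output of `postconf -n`.
POSTCONF_N = """\
alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
local_transport = virtual
mydestination = $myhostname $mynetworks $alias_maps $virtual_mailbox_domains $virtual_login_maps $virtual_mailbox_maps $virtual_alias_maps
myhostname = rockhouseinc.com
mynetworks = /etc/postfix/mynetworks
proxy_read_maps = $mydestination
smtp_sasl_type = doovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql_virtual_alias_domains.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_login_maps = proxy:mysql:/etc/postfix/mysql_virtual_login_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domain_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
"""
# What `postconf -a` (server plugins) and `postconf -A` (client plugins)
# printed in the first post: "dovecot" and nothing.
SERVER_PLUGINS = {"dovecot"}
CLIENT_PLUGINS = set()

# Built-in defaults for parameters the checks touch when the dump leaves them
# unset (from the Postfix documentation; proxy_read_maps abridged to its core,
# newer releases append further $parameters).
DEFAULTS = {
    "local_recipient_maps": "proxy:unix:passwd.byname $alias_maps",
    "proxy_read_maps": "$local_recipient_maps $mydestination $virtual_alias_maps "
                       "$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains "
                       "$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps "
                       "$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks",
    "smtpd_sasl_type": "cyrus",
    "smtp_sasl_type": "cyrus",
}

VAR_RE = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")


def parse_postconf(text):
    """Turn `postconf -n` output (one `name = value` per line) into a dict."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf


def expand(conf, value, depth=0):
    """Substitute $name / ${name} references recursively, as Postfix does."""
    if depth > 20:
        raise ValueError("parameter reference loop")

    def lookup(m):
        name = m.group(1)
        return expand(conf, conf.get(name, DEFAULTS.get(name, "")), depth + 1)

    return VAR_RE.sub(lookup, value)


def tables(conf, param):
    """(is_proxy, type:name) for every lookup table a parameter names."""
    expanded = expand(conf, conf.get(param, DEFAULTS.get(param, "")))
    out = []
    for tok in re.split(r"[,\s]+", expanded):
        if ":" not in tok:
            continue  # hostnames, file paths, yes/no: not a table
        is_proxy = tok.startswith("proxy:")
        out.append((is_proxy, tok[len("proxy:"):] if is_proxy else tok))
    return out


def check_proxy_read_maps(conf):
    """Every proxy: table Postfix may query must appear in proxy_read_maps,
    otherwise proxymap logs 'request for unapproved table' and refuses."""
    approved = {name for _, name in tables(conf, "proxy_read_maps")}
    problems = []
    for param in sorted(set(conf) | {"local_recipient_maps"}):
        if param == "proxy_read_maps":
            continue
        for is_proxy, name in tables(conf, param):
            if is_proxy and name not in approved:
                problems.append(f"{param}: proxy:{name} is not listed in proxy_read_maps")
    return problems


def check_sasl_types(conf, server_plugins, client_plugins):
    """The SASL type must name a plugin this Postfix build actually has."""
    problems = []
    srv = conf.get("smtpd_sasl_type", DEFAULTS["smtpd_sasl_type"])
    if conf.get("smtpd_sasl_auth_enable", "no") == "yes" and srv not in server_plugins:
        problems.append(f"smtpd_sasl_type = {srv}: not in `postconf -a` ({sorted(server_plugins) or 'none'})")
    if "smtp_sasl_type" in conf and conf["smtp_sasl_type"] not in client_plugins:
        problems.append(f"smtp_sasl_type = {conf['smtp_sasl_type']}: not in `postconf -A` ({sorted(client_plugins) or 'none'})")
    return problems


def lint(text, server_plugins=SERVER_PLUGINS, client_plugins=CLIENT_PLUGINS):
    conf = parse_postconf(text)
    return check_sasl_types(conf, server_plugins, client_plugins) + check_proxy_read_maps(conf)


if __name__ == "__main__":
    for line in lint(POSTCONF_N):
        print(line)
```

Against the constructed dump the linter reports three findings: the `doovecot` client type, the unapproved `proxy:unix:passwd.byname` table behind the warning, and `virtual_alias_domains`, whose MySQL table is also missing from the `$mydestination`-based list. Restoring the shipped `proxy_read_maps` line, or at least prepending `$local_recipient_maps` and `$virtual_alias_domains` to the custom one, clears the last two. Note that Postfix's Dovecot SASL integration is server-side only, so `smtp_sasl_type` (outbound client authentication) has no meaningful Dovecot value on any build.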
  7. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    I think it's better to use Courier because I didn't test this setup with Dovecot, and I've never had any problems with Courier.
     
