problem with posfix/smtp-auth and tls

Discussion in 'Server Operation' started by mmistroni, Jan 13, 2008.

  1. mmistroni

    mmistroni New Member

    hello all,
    i have followed a good tutorial here

    http://www.howtoforge.com/perfect_setup_ubuntu704_p5

    to install a mail server on my ubuntu VPS.

    However, at this step

    telnet localhost 25

    my screen just show this:

    Trying 127.0.0.1...
    Connected to locahost
    Escape characters is '^]'

    and that's it. even if i enter ehlo locahost, nothing happened

    i had a look at mail.err, and here's output

    it's full of 'fatal: SASL per-process initialization failed'

    and i don't know where to look for problems...
    could anyone help me out?

    thanks an dregards
    Marco
     
  2. mmistroni

    mmistroni New Member

    hello,
    i forgot to post the content of my postfix main.conf file and sasl/smtpd.conf

    ********** mail.cf **************
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version


    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = www.worldcorpservices.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = www.worldcorpservices.com, localhost.worldcorpservices.com, , localhost
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_command =
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    home_mailbox = Maildir/

    ************smtpd.conf ***************
    pwcheck_method: saslauthd
    mech_list : plain login

    anyone could help?

    thanks and regards
    marco
     
  3. falko

    falko Super Moderator ISPConfig Developer

    What's in /etc/mailname and /etc/hosts? What's the output of
    Code:
    hostname
    and
    Code:
    hostname -f
    ?
     
  4. mmistroni

    mmistroni New Member

    Hello Falko,
    thanks for the reply
    thing is, my host ws already configured with VPS, so whil einstalling postfix i left as input what was given to me.
    my hostname is www.worldcorpservices.com
    it's the sam entry in etc/mailname

    shall i have put instead server1.worldcorpservices.com instead of accepting what was on the screen (www.worldcorpservices.com) ?

    thanks and regards
    Marco
     
  5. falko

    falko Super Moderator ISPConfig Developer

    That's ok. Did you configure saslauthd exactly as shown in the tutorial?
     
  6. mmistroni

    mmistroni New Member

    Hello,
    well i thought so...
    below is my saslauthd from /etc/default

    Code:
    #
    # Settings for saslauthd daemon
    #
    
    # Should saslauthd run automatically on startup? (default: no)
    START=yes
    
    
    PWDIR="/var/spool/postfix/var/run/saslauthd"
    PARAMS="-m ${PWDIR}"
    PIDFILE="${PWDIR}/saslauthd.pid"
    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="pam"
    
    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""
    
    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5
    
    # Other options (default: -c)
    # See the saslauthd man page for information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    # Note: See /usr/share/doc/sasl2-bin/README.Debian
    OPTIONS="-c "
    
    Note that i tried also, as explained in thetutorial to add this

    -m /var/spool/postfix/var/run/saslauthd

    but still got same result..
    additionally, as i m here i'd lk eto ask u few questions about email...
    once i everything is setup, can i send mail to [email protected]? or what do i need? to create an info user?
    or, mail will be [email protected] ...?

    sorry but i m a newbie in this , i m taking opportunity of learning server stuff....

    thanks for your patience and regards
    marco
     
  7. falko

    falko Super Moderator ISPConfig Developer

    Make it look exactly as follows:
    Code:
    #
    # Settings for saslauthd daemon
    #
    
    # Should saslauthd run automatically on startup? (default: no)
    START=yes
    
    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="pam"
    
    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""
    
    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5
    
    # Other options (default: -c)
    # See the saslauthd man page for information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    # Note: See /usr/share/doc/sasl2-bin/README.Debian
    OPTIONS="-c  -m /var/spool/postfix/var/run/saslauthd -r"
    You can either install ISPConfig and use it to create email addresses, or you do it as shown here: http://www.howtoforge.com/forums/showthread.php?t=2
     
  8. mmistroni

    mmistroni New Member

    Falko,
    thanks for help but i am still at square 1....
    here is again /etc/default/saslauthd

    Code:
    #
    # Settings for saslauthd daemon
    #
    
    # Should saslauthd run automatically on startup? (default: no)
    START=yes
    
    
    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="pam"
    
    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""
    
    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5
    
    # Other options (default: -c)
    # See the saslauthd man page for information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    # Note: See /usr/share/doc/sasl2-bin/README.Debian
    OPTIONS="-c  -m /var/spool/postfix/var/run/saslauthd -r"
    
    here's again my mail.err
    Code:
    Jan 20 18:59:37 ubuntu-7 postfix/smtpd[715]: fatal: SASL per-process initialization failed
    Jan 20 19:00:38 ubuntu-7 postfix/smtpd[718]: fatal: SASL per-process initialization failed
    Jan 20 19:01:39 ubuntu-7 postfix/smtpd[721]: fatal: SASL per-process initialization failed
    
    in the setup example, it shows basically two main config file, postfix's main.cf plus saslauthd.
    below again is the main.cf
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = www.worldcorpservices.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = www.worldcorpservices.com, localhost.worldcorpservices.com, , localhost
    relayhost = 
    mynetworks = 127.0.0.0/8
    mailbox_command = 
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain = 
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    home_mailbox = Maildir/
    
    how can i narrow down the problem?
    shall i just tell postfix not touse saslauth ?

    thanks and regards

    marco
     
  9. mmistroni

    mmistroni New Member

    falko,
    by googling thep roblem i got pointed to another thread where you were suggesting to check for proper libraries installed. it's here

    http://www.howtoforge.com/forums/showthread.php?t=3060

    when i try to install postfix-tls, i got this message from my server

    Package postfix-tls is a virtual package provided by:
    postfix-2.4.5-3~feisty1
    You should explicitly select one to install
    E: package postfix-tls has no installation candidate

    can that be the problem?

    thanks an dregards
    marco
     
  10. mmistroni

    mmistroni New Member

    Falko,
    noticed that if configure postfix so taht it does not use tls everything works fine when i do telnet localhost 25

    my guess is that i somehow screw up when i create the certificate.... i'll post here all steps i do to create certiifcate, i might be doing something wrong

    on the other end, what are the risks/threats if i dont use sasl/tls together with postfix?

    thanks and regards
    marco
     
  11. falko

    falko Super Moderator ISPConfig Developer

    TLS is included in newer Postfix versions, so you don't have to install it.

    Please recreate the certificate and accept all default values.
     
  12. mmistroni

    mmistroni New Member

    Falko,
    thanks for still being ont he thread :)

    i m going to do what u suggest ASAP

    i must inform you that in creating a certificate, multiple times system asked me to enter a password (well, at least 3 times). shall i enter 'nothing' as password?

    i'll post asap steps (including ALL values i entered in the process)

    regards
    marco
     
  13. falko

    falko Super Moderator ISPConfig Developer

    Yes, simply press ENTER.
     
  14. mmistroni

    mmistroni New Member

    falko,
    when i entered the first command
    Code:
    openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
    
    at the end it is asking me a pwd, and it will continue unless i enter at least 4 chars......

    is this normal?

    thanks an dregards
    marco
     
  15. mmistroni

    mmistroni New Member

    forgot to mention..
    i m on Feisty Fawn, using openssh 1.4.3.....
     
  16. mmistroni

    mmistroni New Member

    sorry.. got confused, posted openssh instead of openssl

    i have openssl version 0.9.8c
     
  17. falko

    falko Super Moderator ISPConfig Developer

    Oh, you mean _that_ password... Yes, simply enter a password you like.
     
  18. mmistroni

    mmistroni New Member

    Falko,
    just to try i entered the string 'aaaa' ... and i entered for every subsequent
    operation where it was asking me a password

    but at the end , when i did telnet localhost 25 and typed the string to verify (think it was ehlo something..) i got no 'answer'..... nothing got displayed on the screen

    somehow, i might be doing something wrong somewhere.. coz if the differenc ebetween using tls/saslauth and not using it is just the certificate, then i suspect there's something wrong in way i create certificates....

    i'll retry one more time.. i m going to use exactly the same password whenever i am asked for one....

    i'll post here result. thanks falko for being patient.. i realize i m a pain :(

    regards
    marco
     
  19. falko

    falko Super Moderator ISPConfig Developer

    What's in /etc/postfix/sasl/smtpd.conf?
     
  20. mmistroni

    mmistroni New Member

    falko,
    here's my /etc/postfix/sasl/smtpd.conf
    Code:
    pwcheck_method: saslauthd
    mech_list : plain login
    

    thanks and regards
    marco
     

Share This Page