SMTP AUTH Failure: "Server Does Not Support Secure Authentication"

Discussion in 'HOWTO-Related Questions' started by jjw, Sep 8, 2006.

  1. jjw

    jjw New Member

    I've followed the how to here:
    http://www.howtoforge.com/howto_postfix_smtp_auth_tls_howto/

    And thanks to Falko for pointing out mirrors for the sources in the above tutorial.
    http://www.filewatcher.com/b/ftp/ftp.aet.tu-cottbus.de/pub/postfix_tls/related/postfix.0.0.html

    I've gone through the complete install. No errors. I've added Dovecot (1.0) so I can retreieve email using pop. I've added users and and domains, and I can send mail to and from these clients using TLS/SSL. But I cannot get the server to authenticate smtp.

    Can anyone help me? Where would I look for errors? I see nothing in messages, maillog, or the dovecot logs.

    This is driving me crazy...
     
  2. jjw

    jjw New Member

    telnet localhost 25
    ehlo localhost
    main.cf
    Code:
    virtual_mailbox_domains = domain1.com, domain2.com
    virtual_mailbox_base = /var/mail/vhosts
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox
    virtual_minimum_uid = 100
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    virtual_alias_maps = hash:/etc/postfix/virtual
    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    mail_owner = postfix
    unknown_local_recipient_reject_code = 450
    home_mailbox = Maildir/
    debug_peer_level = 2
    debugger_command =
             PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
             xxgdb $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail
    newaliases_path = /usr/bin/newaliases
    mailq_path = /usr/bin/mailq
    setgid_group = postdrop
    manpage_directory = /usr/local/man
    sample_directory = /etc/postfix
    readme_directory = no
    mydomain = wnetworks.net
    myhostname = mail.$mydomain
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
    inet_interfaces = all
    alias_maps = hash:/etc/aliases
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    master.cf
    Code:
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       n       -       -       smtpd   -v
    #smtps    inet  n       -       n       -       -       smtpd
    #  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
    #submission     inet    n       -       n       -       -       smtpd
    #628      inet  n       -       n       -       -       qmqpd
    pickup    fifo  n       -       n       60      1       pickup
    cleanup   unix  n       -       n       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    #qmgr     fifo  n       -       n       300     1       nqmgr
    #tlsmgr   fifo  -       -       n       300     1       tlsmgr
    rewrite   unix  -       -       n       -       -       trivial-rewrite
    bounce    unix  -       -       n       -       0       bounce
    defer     unix  -       -       n       -       0       bounce
    flush     unix  n       -       n       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    smtp      unix  -       -       n       -       -       smtp
    relay     unix  -       -       n       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       n       -       -       showq
    error     unix  -       -       n       -       -       error
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       n       -       -       lmtp
    #
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
    #
    # The Cyrus deliver program has changed incompatibly, multiple times.
    #
    old-cyrus unix  -       n       n       -       -       pipe
      flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
    # Cyrus 2.1.5 (Amos Gouaux)
    cyrus     unix  -       n       n       -       -       pipe
      user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
     
    Last edited: Sep 8, 2006
  3. jjw

    jjw New Member

    Using saslauthd to check credentials:
    Code:
    #> /usr/sbin/testsaslauthd -u user_domain.com -p userpassword 
    0: OK "Success."
    I am using Dovecot's 'auth_username_translation':
    auth_username_translation = @_

    That is why above I use user_domain.com and below I use user@domain.com

    Encoded username/password:
    Code:
    #> perl -MMIME::Base64 -e 'print encode_base64("user@domain.com\0user@domain.com\0userspassword");'
    encodedpasswordoutput
    Trying the encoded password via command prompt:
    Code:
    #> telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 mail.wnetworks.net ESMTP Postfix
    #> ehlo localhost
    250-mail.wnetworks.net
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5
    250-AUTH=LOGIN DIGEST-MD5 PLAIN CRAM-MD5
    250-XVERP
    250 8BITMIME
    #> AUTH PLAIN encodedpasswordoutput
    535 Error: authentication failed
     
  4. jjw

    jjw New Member

    Here is the output in my maillog re authentication when attempting from command line (the one I showed the telnet out from above):
    Code:
    Sep  8 07:53:33 mail postfix/smtpd[6790]: < localhost.localdomain[127.0.0.1]: AUTH PLAIN encodedpasswordoutput
    Sep  8 07:53:33 mail postfix/smtpd[6790]: smtpd_sasl_authenticate: sasl_method PLAIN, init_response encodedpasswordoutput
    Sep  8 07:53:33 mail postfix/smtpd[6790]: smtpd_sasl_authenticate: decoded initial response domain2.com
    Sep  8 07:53:33 mail postfix/smtpd[6790]: warning: SASL authentication failure: Password verification failed
    Sep  8 07:53:33 mail postfix/smtpd[6790]: warning: localhost.localdomain[127.0.0.1]: SASL PLAIN authentication failed
    Sep  8 07:53:33 mail postfix/smtpd[6790]: > localhost.localdomain[127.0.0.1]: 535 Error: authentication failed
     
  5. jjw

    jjw New Member

    Thinking that perhaps I should not use the '@' and use the '_' instead, I got the new encoded credentials:

    Code:
    #> perl -MMIME::Base64 -e 'print encode_base64("user_domain.com\0user_domain.com\0userspassword");'
    encodedpasswordoutput--2

    And tried to telnet in:
    Code:
    # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 mail.wnetworks.net ESMTP Postfix
    ehlo localhost
    250-mail.wnetworks.net
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5
    250-AUTH=LOGIN DIGEST-MD5 PLAIN CRAM-MD5
    250-XVERP
    250 8BITMIME
    AUTH PLAIN encodedpasswordoutput--2
    235 Authentication successful

    Voila!


    The main problem however, is that the remote mail client is told that the server does not support secure authentication, before I have a chance to send a password.
     
  6. falko

    falko Super Moderator

    What are the exact error messages in your email client and in the mail log?
     
  7. jjw

    jjw New Member

    Thanks Falko.

    Exact error in mail client:
    "Mail server does not support secure authentication"

    There are no entries in the maillog.
     
  8. till

    till Super Moderator

    Please remove the # sign in front of the lines:

    and

    in your main.cf file and restart po postfix to enable secure authentication.
     
  9. jjw

    jjw New Member

    Thank you for the reply Till.

    I assume you meant master.cf, and I uncommented those lines, rebooted, and I am still getting the error message "Mail server does not support secure authentication."...
     
  10. jjw

    jjw New Member

    This is sooooo odd.

    Here it is a couple of hours later. I *think* the server is now authenticating. I did nothing at all, just walked away. :)

    I open up Thunderbird, and fired off a mail to a remote location. It was relayed OK. Then, I fired up my Outlook Express, and sent a mail, and I think it worked! /var/log/maillog shows the mail getting through!

    I'm going to keep my eye on things here, but thank you for the help, Falko and Till. I think I'll just hang out here for a while if that's ok. I'm learning a lot from all the threads here...
     
  11. jjw

    jjw New Member

    Actually, it is not authenticating. Postfix defaults to "mynetworks_style = subnet", unless specified:

    In the setup, we do not specify mynetworks_style. Just for fun, I specified mynetworks_style = host, and authentication from my lan (on the same subnet) failed. So, I guess it isn't authenticating at all, but was allowing relaying because the machines are on the same sbunet.

    And nothing at all is added to the log when I get the message "Mail server does not support secure authentication".
     
  12. falko

    falko Super Moderator

    Then I guess your email client is connecting to the wrong server, or some kind of firewall is blocking all connections, because otherwise there should be something in the mail log.

    Also comment out mynetworks_style in /etc/postfix/main.cf and put in
    Code:
    mynetworks = 127.0.0.0/8
    instead.
     
  13. jjw

    jjw New Member

    /sbin/iptables --list:
    Code:
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    If I don't check the "Use Secure Authentication" in Thunderbird, it goes through. So, I *know* the client is aimed at the right server. It just doesn't get authenticated. This is insane,. Just insane.
     
  14. jjw

    jjw New Member

    Clearly, I am not thinking straight. Of course there is no emntry in the maillog when I am checking mail. So I sent a mail this morning.

    Error message to mail client:
    maillog entries:
    Code:
    Sep 11 06:08:16 mail postfix/smtpd[2474]: resolve_clnt_query: `user@outsideDomain.com' -> t=`smtp' h=`outsideDomain.com' r=`user@outsideDomain.com'
    Sep 11 06:08:16 mail postfix/smtpd[2474]: ctable_locate: install entry key user@outsideDomain.com
    Sep 11 06:08:16 mail postfix/smtpd[2474]: BB8A689E564: reject: RCPT from unknown[192.168.0.13]: 554 <user@outsideDomain.com>: Recipient address rejected: Relay access denied; from=<postmaster@joewilk.com> to=<user@outsideDomain.com> proto=ESMTP helo=<[127.0.0.1]>
    Sep 11 06:08:16 mail postfix/smtpd[2474]: generic_checks: name=check_relay_domains status=2
    Sep 11 06:08:16 mail postfix/smtpd[2474]: > unknown[192.168.0.13]: 554 <user@outsideDomain.com>: Recipient address rejected: Relay access denied
    Sep 11 06:08:17 mail postfix/smtpd[2474]: watchdog_pat: 0x843a118
    
     
  15. jjw

    jjw New Member

    Thank you. I did this.
     
  16. falko

    falko Super Moderator

    Use "Server requires authentication." instead. What's in /etc/postfix/main.cf (please strip out the comments)?
     
  17. jjw

    jjw New Member

    Thank you falko.

    main.cf:
    Code:
    virtual_mailbox_domains = wnetworks.net, joewilk.com
    virtual_mailbox_maps = hash:/etc/postfix/vmailbox
    virtual_minimum_uid = 100
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    virtual_alias_maps = hash:/etc/postfix/virtual
    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    mail_owner = postfix
    unknown_local_recipient_reject_code = 450
    mynetworks = 127.0.0.0/8
    home_mailbox = Maildir/
    debug_peer_level = 2
    debugger_command =
             PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
             xxgdb $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail
    newaliases_path = /usr/bin/newaliases
    mailq_path = /usr/bin/mailq
    setgid_group = postdrop
    manpage_directory = /usr/local/man
    sample_directory = /etc/postfix
    readme_directory = no
    mydomain = wnetworks.net
    myhostname = mail.$mydomain
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            check_relay_domains
    inet_interfaces = all
    alias_maps = hash:/etc/aliases
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
     
  18. falko

    falko Super Moderator

    Did it work with "Server requires authentication."?
     
  19. jjw

    jjw New Member

    I am sorry, I did not mean to give the impression that it worked. It did not work.
     
  20. falko

    falko Super Moderator

    Then I have no idea. Maybe it's a good idea to reinstall the whole system.
     

Share This Page