ssmtp and spamassassin

Discussion in 'Server Operation' started by Andie, Feb 20, 2020.

  1. Andie

    Andie New Member

    I am running postfix, dovecot, and am now running spamassassin. When I got to receive mail, I get these errors in my maillog file:
    Code:
     postfix/submission/smtpd[12415]: warning: unknown[<ip>]: SASL LOGIN authentication failed: <hash>
    sSMTP[12413]: Authorization failed (535 5.7.8 Error: authentication failed: <hash>)
    lost connection after AUTH from unknown[<ip>]
     disconnect from unknown[<ip>]
    to=<email>, relay=spamassassin, delay=4.3, delays=0.28/0.01/0/4, dsn=5.3.0, status=bounced (Command died with status 1: "/usr/bin/spamc". Command output: sendmail: Authorization failed (535 5.7.8 Error: authentication failed: <hash>) )
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If your mail system worked previously, and stopped working after spamassassin was installed, I guess the spamassassin configuration is wrong.
     
  3. Andie

    Andie New Member

    I would appreciate guidance on how to resolve this error.
     
  4. Andie

    Andie New Member

    For some reason, the password, decoded, is turning out to be: "Password:" Any ideas why?
     
  5. Steini86

    Steini86 Active Member

    UGFzc3dvcmQ6 decodes to "Password:" This is postfix not writing the used password into the logfile. Just some bots trying to log in. It is as old as the internet, everyone sees this attempts.
    Which error?
    This is just a warning, that someone tried to log in and used a wrong password. Was that you? -> Make sure to use the right password, if it is still not working, increase verbosity of logging. If it wasn't you, then everything is working as intended (unknown connection was not able to log in).
     
    Last edited: Feb 21, 2020
  6. Andie

    Andie New Member

    Here is verbose logging:
    Code:
    Feb 23 05:58:47 mail sSMTP[25404]: Creating SSL connection to host
    Feb 23 05:58:47 mail postfix/submission/smtpd[25408]: connect from unknown[<IP>]
    Feb 23 05:58:47 mail sSMTP[25404]: SSL connection using ECDHE-RSA-AES256-GCM-SHA384
    Feb 23 05:58:47 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
    Feb 23 05:58:47 mail dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
    Feb 23 05:58:47 mail dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
    Feb 23 05:58:47 mail dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
    Feb 23 05:58:47 mail dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
    Feb 23 05:58:47 mail dovecot: auth: Debug: auth client connected (pid=0)
    Feb 23 05:58:47 mail dovecot: auth: Debug: client in: AUTH#0111#011LOGIN#011service=smtp#011nologin#011lip=<IP>#011rip=<IP>#011secured
    Feb 23 05:58:47 mail dovecot: auth: Debug: client passdb out: CONT#<random value>
    Feb 23 05:58:47 mail dovecot: auth: Debug: client in: CONT<hidden>
    Feb 23 05:58:47 mail dovecot: auth: Debug: client passdb out: CONT#0111#<random value>
    Feb 23 05:58:47 mail dovecot: auth: Debug: client in: CONT<hidden>
    Feb 23 05:58:47 mail dovecot: auth-worker(25414): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
    Feb 23 05:58:47 mail dovecot: auth-worker(25414): Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
    Feb 23 05:58:47 mail dovecot: auth-worker(25414): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
    Feb 23 05:58:47 mail dovecot: auth-worker(25414): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
    Feb 23 05:58:47 mail dovecot: auth-worker(25414): Debug: pam(<user email>,<IP>): lookup service=dovecot
    Feb 23 05:58:47 mail dovecot: auth-worker(25414): Debug: pam(<user email>,<IP>): #1/1 style=1 msg=Password:
    Feb 23 05:58:49 mail dovecot: auth-worker(25414): pam(<user email>,<IP>): unknown user
    Feb 23 05:58:49 mail dovecot: auth-worker(25414): Debug: sql(<user email>,<IP>): query: SELECT email as user, password FROM virtual_users WHERE email='<user email>';
    Feb 23 05:58:49 mail dovecot: auth-worker(25414): sql(<user email>,<IP>): Password mismatch
    Feb 23 05:58:51 mail postfix/submission/smtpd[25408]: warning: unknown[<IP>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb 23 05:58:51 mail dovecot: auth: Debug: client passdb out: FAIL#0111#011user=<user email>
    Feb 23 05:58:51 mail sSMTP[25404]: Authorization failed (535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6)
    Feb 23 05:58:51 mail postfix/submission/smtpd[25408]: lost connection after AUTH from unknown[<IP>]
    Feb 23 05:58:51 mail postfix/submission/smtpd[25408]: disconnect from unknown[<IP>]
    Feb 23 05:58:51 mail sSMTP[25422]: Creating SSL connection to host
    Feb 23 05:58:51 mail postfix/submission/smtpd[25408]: connect from unknown[<IP>]
    Feb 23 05:58:51 mail sSMTP[25422]: SSL connection using ECDHE-RSA-AES256-GCM-SHA384
    Feb 23 05:58:51 mail dovecot: auth: Debug: client in: AUTH#0112#011LOGIN#011service=smtp#011nologin#011lip=<IP>#011rip=<IP>#011secured
    Feb 23 05:58:55 mail dovecot: auth: Debug: client passdb out: CONT#0112#<random value>
    Feb 23 05:58:55 mail dovecot: auth: Debug: client in: CONT<hidden>
    
    I know my credentials are correct, because I can log in from else where. So maybe something is mis-configured? If so, how do I find out where that is?
     
  7. Steini86

    Steini86 Active Member

    I am still not sure what you try to do and how you do it. In the first post you wrote something about receiving. Now you post a log about sending a mail. You have an "unknown user" error.
    You did not write if this is the first setup or if it worked before and you changed something?
    You have not posted any config files (have you followed a guide, etc..). It could be that the format of your username does not fit what dovecot expects but with the provided information I can't help you. The only thing would be to search google for your error and suggest these solutions. But that you can do for yourself.
    Can you send mails with the same credentials with a different client? Do you use ssmtp on localhost?
     
  8. Andie

    Andie New Member

  9. Steini86

    Steini86 Active Member

    Your log does not show the attempt from a remote server to send mails to you. It shows a client trying to send mails from your server and is denied because of a wrong password.
     
  10. Andie

    Andie New Member

    ok, I have a feeling these issues are related. I thought sending emails works, but it looks like installing spamassasin may have broke that too. As for receiving an email, here is what I get:
    Code:
    Mar  1 08:00:26 mail postfix/smtpd[10241]: connect from mail-yw1-f41.google.com[209.85.161.41]
    Mar  1 08:00:27 mail postfix/smtpd[10241]: 79F7960823: client=mail-yw1-f41.google.com[209.85.161.41]
    Mar  1 08:00:27 mail postfix/cleanup[10252]: 79F7960823: <myip>ssage-id=<<id>@mail.gmail.com>
    Mar  1 08:00:27 mail postfix/qmgr[29134]: 79F7960823: from=<[email protected]>, size=3277, nrcpt=1 (queue active)
    Mar  1 08:00:27 mail spamd[19454]: spamd: connection from localhost [::1]:42066 to port 783, fd 6
    Mar  1 08:00:27 mail spamd[19454]: spamd: setuid to spamd succeeded
    Mar  1 08:00:27 mail spamd[19454]: spamd: processing <myip>ssage <<id>@mail.gmail.com> for spamd:5001
    Mar  1 08:00:27 mail postfix/smtpd[10241]: disconnect from mail-yw1-f41.google.com[209.85.161.41]
    Mar  1 08:00:27 mail spamd[19454]: spamd: clean <myip>ssage (0.1/5.0) for spamd:5001 in 0.2 seconds, 3250 bytes.
    Mar  1 08:00:27 mail spamd[19454]: spamd: result: . 0 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_<myip>SSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS scanti<myip>=0.2,size=3250,user=spamd,uid=5001,required_score=5.0,rhost=localhost,raddr=::1,rport=42066,mid=<<id>@mail.gmail.com>,autolearn=no autolearn_force=no
    Mar  1 08:00:27 mail sSMTP[10258]: Creating SSL connection to host
    Mar  1 08:00:28 mail postfix/submission/smtpd[10260]: connect from unknown[<myip>]
    Mar  1 08:00:28 mail sSMTP[10258]: SSL connection using ECDHE-RSA-AES256-GCM-SHA384
    Mar  1 08:00:28 mail dovecot: auth: Debug: auth client connected (pid=0)
    Mar  1 08:00:28 mail dovecot: auth: Debug: client in: AUTH#0111#011LOGIN#011service=smtp#011nologin#011lip=<myip>#011rip=<myip>#011secured
    Mar  1 08:00:28 mail dovecot: auth: Debug: client passdb out: CONT#0111#<value>
    Mar  1 08:00:28 mail dovecot: auth: Debug: client in: CONT<hidden>
    Mar  1 08:00:28 mail dovecot: auth: Debug: client passdb out: CONT#0111#<value>
    Mar  1 08:00:28 mail dovecot: auth: Debug: client in: CONT<hidden>
    Mar  1 08:00:28 mail dovecot: auth-worker(22911): Debug: pam([email protected],<myip>): lookup service=dovecot
    Mar  1 08:00:28 mail dovecot: auth-worker(22911): Debug: pam([email protected],<myip>): #1/1 style=1 msg=Password:
    Mar  1 08:00:28 mail spamd[19451]: prefork: child states: II
    Mar  1 08:00:29 mail dovecot: auth-worker(22911): pam([email protected],<myip>): unknown user
    Mar  1 08:00:29 mail dovecot: auth-worker(22911): Debug: sql([email protected],<myip>): query: SELECT email as user, password FROM virtual_users WHERE email='[email protected]';
    Mar  1 08:00:29 mail dovecot: auth-worker(22911): sql([email protected],<myip>): Password mismatch
    Mar  1 08:00:31 mail postfix/submission/smtpd[10260]: warning: unknown[<myip>]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Mar  1 08:00:31 mail dovecot: auth: Debug: client passdb out: FAIL#0111#[email protected]
    Mar  1 08:00:31 mail sSMTP[10258]: Authorization failed (535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6)
    Mar  1 08:00:31 mail postfix/submission/smtpd[10260]: lost connection after AUTH from unknown[<myip>]
    Mar  1 08:00:31 mail postfix/submission/smtpd[10260]: disconnect from unknown[<myip>]
    Mar  1 08:00:31 mail postfix/pipe[10257]: 79F7960823: to=<[email protected]>, relay=spamassassin, delay=4, delays=0.29/0.01/0/3.7, dsn=5.3.0, status=bounced (Command died with status 1: "/usr/bin/spamc". Command output: sendmail: Authorization failed (535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6) )
    Mar  1 08:00:31 mail postfix/cleanup[10252]: 6CF2260825: <myip>ssage-id=<<id>@mydomain.com>
    Mar  1 08:00:31 mail postfix/qmgr[29134]: 6CF2260825: from=<>, size=5224, nrcpt=1 (queue active)
    Mar  1 08:00:31 mail postfix/bounce[10264]: 79F7960823: sender non-delivery notification: 6CF2260825
    Mar  1 08:00:31 mail postfix/qmgr[29134]: 79F7960823: removed
    
     
    Last edited: Mar 1, 2020
  11. Steini86

    Steini86 Active Member

  12. Andie

    Andie New Member

    I get this error right away: " send-mail: Authorization failed (535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6)"
    As a side note, I learned that logging into mariadb, the username "[email protected]" vs "[email protected]" is different". I did a "SELECT host, user FROM mysql.user;", and noticed this. I also noticed I have several users in there, and was wondering how that could be, but I guess that's because the "host" field is different for each user.
    Here is my dovecot-sql.conf.ext file:
    driver = mysql
    connect = host=localhost dbname=<server db name> user=<user> password=<password>
    default_pass_scheme = SHA512-CRYPT
    password_query = SELECT email as user, password FROM virtual_users WHERE email='%u';
    I ran the "query" command in mariadb, and it returned the right record.
     
  13. Steini86

    Steini86 Active Member

    So the credentials in your dovecot file for mysql are correct (127.0.0.1 instead of localhost?), and your mail user exists in the database ("SELECT * FROM mailserver.virtual_users;")? Your password is actually saved as "SHA512-CRYPT" (Hash begins with $6$)
    1. Verify, your user is recognized with "doveadm user [email protected]"
    2. Verify that you get the same password hash as database with "doveadm pw -s SHA512-CRYPT"
     
  14. Andie

    Andie New Member

    Yes and yes.
    1. this worked fine.
    2. It asks me for my "new password" twice. I did this several times, and it seems to always return a different hash value... is it suppose to do this?
     
  15. Steini86

    Steini86 Active Member

    Strange, I don't know why you get an "unknown user" error then
    Yes, my fault. The hashes are salted.
    You can verify your password in the database with "doveadm pw -t 'hash' "
    (the ticks ( ' ) are important around the hash)
     
    Last edited: Mar 3, 2020
  16. Andie

    Andie New Member

    I put in upon the prompt "{SHA512-CRYPT}value.here", taken from the output in my maillog file from this line: mail dovecot: auth-worker(3914): Debug: sql(<email>,<ip>): SHA512-CRYPT() != '<value.here>'
    But it just errors out, saying "Fatal: Missing {scheme} prefix from hash"
     
  17. Steini86

    Steini86 Active Member

    Should work like this for pw "test":
    Code:
    doveadm pw -p test -t '{SHA512-CRYPT}$6$IJR44psm9VBHRMkD$YaqRN4VYvl0opow4bhBGsuXpE4uH/whFvv0AMvTJnMSWjwntIiPGsuokaOYNgf9f7iuRUvDoRorHK3R6UFPlH1'
    
    
    Prints hash and "(verified)"

    Has created with:
    Code:
    doveadm pw -s SHA512-CRYPT -p test
    {SHA512-CRYPT}$6$IJR44psm9VBHRMkD$YaqRN4VYvl0opow4bhBGsuXpE4uH/whFvv0AMvTJnMSWjwntIiPGsuokaOYNgf9f7iuRUvDoRorHK3R6UFPlH1
     
  18. Andie

    Andie New Member

    ok, so I took the value from maillog, and put in the password I am using in the file, and it says "verified".
     
  19. Steini86

    Steini86 Active Member

    Have you compared this to the value in the database? If that is correct, I don't know oO
     
  20. Andie

    Andie New Member

    Yes, it does match what I have.
     

Share This Page