- To: oscarp@xxxxxxxxxxx
- Subject: Re: [SLUG] postfix with TLS/SASL on debian woody
- From: David Fitch <davidf@xxxxxxxxxxxxxx>
- Date: Thu, 05 May 2005 21:25:26 +0930
- Cc: slug@xxxxxxxxxxx
- User-agent: Mozilla Thunderbird 1.0.2 (Macintosh/20050317)
O Plameras wrote:
> The ff. are the suggested configurations:
> 1. smtp.conf may have:
> pwcheck_method:saslauthd
> mech_list: plain login

# cat sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
#log_level: 7
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux

> 2. /etc/default/saslauthd shall have:
> <snipped>
> MECHANISMS=shadow
> </snipped>

# cat /etc/default/saslauthd
START=yes
MECHANISMS="shadow"
PARAMS="-m /var/spool/postfix/var/run/saslauthd"

> 3. /etc/postfix/main.cf shall have the ff:
> mydomain=<yourdomain>
> myhostname=<yourhostname>
> mynetworks=192.168.1.0/24,127.0.0.0/8

I have mynetworks commented out, so using the default as
I want it to listen on all interfaces anyway (incl ippp0)

> alias_maps=hash:/etc/postfix/aliases
> alias_database=hash:/etc/postfix/aliases
> #
> # enable sasl support
> smtpd_sasl_auth_enable=yes
> smtpd_sasl_security_options=noanonymous
> smtpd_sasl_local_domain=$myhostname
> broken_sasl_auth_clients=yes
> # search for relay_domains, then add
> smtpd_recipient_restrictions=
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     check_relay_domains
> # tls support
> smtpd_use_tls=yes
> smtpd_tls_auth_only=yes
> smtpd_tls_cert_file=/etc/postfix/servercrt.pem
> smtpd_tls_key_file=/etc/postfix/serverkey.pem
> smtpd_tls_CAfile=/etc/postfix/cacert.pem
> smtpd_tls_loglevel=3
> smtpd_tls_received_header=yes
> smtpd_tls_session_cache_timeout=3600s
> tls_random_source=dev:/dev/urandom

got all that

> The above setup will show this.
> # telnet localhost 25; ehlo localhost, will show:
> [root@hdtv RPMS]# telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost (127.0.0.1).
> Escape character is '^]'.
> 220 hdtv.noy.com.au ESMTP Postfix
> ehlo hdtv
> 250-hdtv.noy.com.au
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250 8BITMIME

yep

> I can comment out
> # smtpd_tls_auth_only=yes
> and 'telnet localhost 25' and
> 'ehlo localhost' will show:
> [root@hdtv RPMS]# telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost (127.0.0.1).
> Escape character is '^]'.
> 220 hdtv.noy.com.au ESMTP Postfix
> ehlo hdtv
> 250-hdtv.noy.com.au
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250 8BITMIME

yep, except for me it's:
AUTH LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5

> I set up postfix, TLS, and SASL this morning to test.
> BTW, I am using TLS and SASL on sendmail-MTA in my
> network. I find it easier to set up and maintain
> compared to postfix because I have to deal with
> only one file to re-configure. This file
> is 'sendmail.mc'.

I dislike sendmail and much prefer postfix, anyway...
the above settings all work, and my mailserver keeps functioning
accepting normal mail and so on. Problem is I still can't
relay through it remotely.
I dialed in via another ISP like as if I was "on the road"
and trying to send mail out through my mailserver. Note
I can connect with imaps and receive fine.
I'm using thunderbird, first I set the smtp server settings
to use tls but didn't tick "use name and passwd".
errors are:
May 5 21:01:12 gw postfix/smtpd[15992]: connect from
203-217-6-209.dyn.iinet.net.au[203.217.6.209]
May 5 21:01:29 gw postfix/smtpd[15992]: warning: support for
restriction "reject_maps_rbl" will be removed from Postfix; use
"reject_rbl_client domain-name" instead
May 5 21:01:34 gw postfix/smtpd[15992]: warning: support for
restriction "check_relay_domains" will be removed from Postfix; use
"reject_unauth_destination" instead
May 5 21:01:34 gw postfix/smtpd[15992]: NOQUEUE: reject: RCPT from
203-217-6-209.dyn.iinet.net.au[203.217.6.209]: 554 <abuse@xxxxxxxxxxx>:
Recipient address rejected: Relay access denied;
from=<davidf@xxxxxxxxxxxxxx> to=<davidf@xxxxxxxxxxx> proto=ESMTP
helo=<[203.217.6.209]>
May 5 21:01:43 gw postfix/smtpd[15992]: lost connection after RCPT from
203-217-6-209.dyn.iinet.net.au[203.217.6.209]
May 5 21:01:43 gw postfix/smtpd[15992]: disconnect from
203-217-6-209.dyn.iinet.net.au[203.217.6.209]
So then I ticked the "use name and passwd" box and entered
my username "davidf". It kept popping up a box asking for
my passwd, which I entered.
errors are:
May 5 21:02:13 gw postfix/smtpd[15992]: connect from
203-217-6-209.dyn.iinet.net.au[203.217.6.209]
May 5 21:02:34 gw postfix/smtpd[15992]: warning:
203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5
authentication failed
May 5 21:02:35 gw postfix/smtpd[15992]: warning: SASL authentication
problem: unrecognized plaintext verifier saslauthd
May 5 21:02:35 gw postfix/smtpd[15992]: warning:
203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL PLAIN authentication
failed
May 5 21:02:39 gw postfix/smtpd[15992]: warning: SASL authentication
problem: unrecognized plaintext verifier saslauthd
May 5 21:02:39 gw postfix/smtpd[15992]: warning:
203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL LOGIN authentication
failed
May 5 21:02:50 gw postfix/smtpd[15992]: warning:
203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5
authentication failed
May 5 21:02:51 gw postfix/smtpd[15992]: warning: SASL authentication
problem: unrecognized plaintext verifier saslauthd
May 5 21:02:51 gw postfix/smtpd[15992]: warning:
203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL PLAIN authentication
failed
May 5 21:02:55 gw postfix/smtpd[15992]: warning: SASL authentication
problem: unrecognized plaintext verifier saslauthd
May 5 21:02:55 gw postfix/smtpd[15992]: warning:
203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL LOGIN authentication
failed
May 5 21:03:06 gw postfix/smtpd[15992]: warning:
203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5
authentication failed
May 5 21:03:07 gw postfix/smtpd[15992]: warning: SASL authentication
problem: unrecognized plaintext verifier saslauthd
May 5 21:03:07 gw postfix/smtpd[15992]: warning:
203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL PLAIN authentication
failed
May 5 21:03:11 gw postfix/smtpd[15992]: warning: SASL authentication
problem: unrecognized plaintext verifier saslauthd
May 5 21:03:11 gw postfix/smtpd[15992]: warning:
203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL LOGIN authentication
failed
May 5 21:03:19 gw postfix/smtpd[15992]: warning:
203-217-6-209.dyn.iinet.net.au[203.217.6.209]: SASL CRAM-MD5
authentication failed
May 5 21:03:19 gw postfix/smtpd[15992]: too many errors after AUTH from
203-217-6-209.dyn.iinet.net.au[203.217.6.209]
May 5 21:03:19 gw postfix/smtpd[15992]: disconnect from
203-217-6-209.dyn.iinet.net.au[203.217.6.209]
(I'm not ticking the "ssl" box, cos then it uses port 465)
Dave.
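
Added example, not part of the original message and not Postfix or Cyrus SASL code: a check that compares the mechanisms a server advertises in its EHLO reply with the mech_list in smtpd.conf, the mismatch visible in this thread (mech_list is "plain login", yet LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5 is advertised). The host name gw.example.org and all function names are constructed; reading a mismatch as "this smtpd.conf is not the one in effect" is an assumption.

```python
import re

# Constructed inputs, modelled on the smtpd.conf and EHLO reply quoted in this thread.
SMTPD_CONF = """\
pwcheck_method: saslauthd
mech_list: plain login
#log_level: 7
"""
EHLO_REPLY = """\
250-gw.example.org
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5
250-AUTH=LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5
250 8BITMIME
"""

def parse_sasl_conf(text):
    """Return the 'key: value' options of an smtpd.conf, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def advertised_mechs(ehlo):
    """Collect mechanisms from 'AUTH a b' and the legacy 'AUTH=a b' lines."""
    mechs = set()
    for line in ehlo.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.I)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def audit(conf_text, ehlo, tls_active):
    """tls_active: True if the EHLO reply was captured after STARTTLS."""
    allowed = {m.upper() for m in parse_sasl_conf(conf_text).get("mech_list", "").split()}
    offered = advertised_mechs(ehlo)
    findings = []
    extra = sorted(offered - allowed)
    if allowed and extra:
        findings.append("mech_list not in effect, extra mechanisms: " + ", ".join(extra))
    if offered and not tls_active:
        # With smtpd_tls_auth_only=yes, AUTH should not appear before STARTTLS.
        findings.append("AUTH advertised before STARTTLS")
    return findings
```
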
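
Added example, not part of the original message: a triage script for a maillog excerpt that has been hard-wrapped like the one in this message. It rejoins the wrapped records and pairs each "SASL ... authentication failed" warning with the "SASL authentication problem" reason logged just before it by the same smtpd process. The sample log is constructed (192.0.2.10 is a documentation address), and attaching a reason to the next failure from the same process is an assumption about log ordering.

```python
import re
from collections import Counter

# Constructed sample in the shape of the maillog excerpt in this message.
LOG = """\
May  5 21:02:34 gw postfix/smtpd[15992]: warning:
client.example.net[192.0.2.10]: SASL CRAM-MD5
authentication failed
May  5 21:02:35 gw postfix/smtpd[15992]: warning: SASL authentication
problem: unrecognized plaintext verifier saslauthd
May  5 21:02:35 gw postfix/smtpd[15992]: warning:
client.example.net[192.0.2.10]: SASL PLAIN authentication
failed
May  5 21:02:39 gw postfix/smtpd[15992]: warning: SASL authentication
problem: unrecognized plaintext verifier saslauthd
May  5 21:02:39 gw postfix/smtpd[15992]: warning:
client.example.net[192.0.2.10]: SASL LOGIN authentication
failed
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
REC = re.compile(r"postfix/smtpd\[(\d+)\]: warning: (.*)")
FAIL = re.compile(r"\S*\[([\d.]+)\]: SASL (\S+) authentication failed")
PROBLEM = re.compile(r"SASL authentication problem: (.*)")

def unwrap(text):
    """Rejoin hard-wrapped records; a new record starts with a syslog timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Count failures per (client IP, mechanism, server-side reason or None)."""
    pending, counts = {}, Counter()
    for rec in unwrap(text):
        m = REC.search(rec)
        if not m:
            continue
        pid, msg = m.groups()
        if (p := PROBLEM.match(msg)):
            pending[pid] = p.group(1)  # reason for this process's next failure
        elif (f := FAIL.match(msg)):
            counts[(f.group(1), f.group(2), pending.pop(pid, None))] += 1
    return counts
```

Grouped this way, the sample shows PLAIN and LOGIN failing with the same reason, which names the pwcheck_method value from smtpd.conf, while CRAM-MD5 fails with no reason logged.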