Smtp auth
Revision as of 22:03, 18 August 2009
Postfix config for smtp auth
Here is an Ubuntu-specific recipe that looks like it will do the job:
https://help.ubuntu.com/7.04/server/C/postfix.html
Currently, my mail service is working as long as I don't try to send mail from a remote machine. For instance, if I have a laptop configured to send outgoing mail to my server and am connecting through an untrusted network in a coffee shop or a friend's house, I am unable to connect to the server. This must be fixed.
There are several differences between my existing /etc/postfix/main.cf config and the recipe linked above:
Current | Proposed
---|---
smtpd_sasl2_auth_enable = yes | smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = finninday.net | smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes |
 | smtp_use_tls = yes
 | smtp_tls_note_starttls_offer = yes
However, my server currently generates the correct list of available services when starting a transaction:
```
root@weasel:/etc/default# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 weasel.finninday.net ESMTP Postfix (Ubuntu)
ehlo weasel.finninday.net
250-weasel.finninday.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit
```
It even offers the correct services to remote machines:
```
[rday@snapper ~]$ telnet finninday.net 25
Trying 24.21.185.50...
Connected to finninday.net.
Escape character is '^]'.
220 weasel.finninday.net ESMTP Postfix (Ubuntu)
ehlo weasel.finninday.net
250-weasel.finninday.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit
```
I found another recipe that said it was actually tested on Dapper Drake and correctly identified the sasl2 package that I stumbled over before.
https://help.ubuntu.com/community/Postfix
So I followed that recipe and made these changes to my main.cf:
root@weasel:/etc/postfix# diff main.cf.orig main.cf 40,41c40,41 < #smtpd_sasl_auth_enable = yes < smtpd_sasl2_auth_enable = yes --- > smtpd_sasl_auth_enable = yes > #smtpd_sasl2_auth_enable = yes 55c55 < smtpd_sasl_local_domain = $mydomain --- > smtpd_sasl_local_domain = 59a60,61 > smtp_use_tls = yes > smtp_tls_note_starttls_offer = yes
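Review bot: the two additions at 59a60,61 (`smtp_use_tls = yes`, `smtp_tls_note_starttls_offer = yes`) configure the SMTP client side, i.e. mail this server sends onward, and have no effect on whether a laptop on an untrusted network may authenticate and relay, which is the problem this section is trying to solve. What controls that is `smtpd_recipient_restrictions` containing `permit_sasl_authenticated` (with `smtpd_sasl_security_options = noanonymous` so anonymous SASL is not accepted); neither appears in this diff, so confirm they are already present in main.cf before testing from the laptop, otherwise a successful AUTH will still end in a relay-denied response.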
And restarted postfix.
When I try to send an email, I get this in the logs:
```
Apr 21 15:52:15 localhost postfix/smtpd[26421]: connect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 15:52:15 localhost postfix/smtpd[26421]: setting up TLS connection from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 15:52:15 localhost postfix/smtpd[26421]: TLS connection established from PSMFC-fwgt.psmfc.org[205.230.28.193]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: no secret in database
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL CRAM-MD5 authentication failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: Password verification failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL PLAIN authentication failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL LOGIN authentication failed
Apr 21 15:52:46 localhost postfix/smtpd[26421]: disconnect from PSMFC-fwgt.psmfc.org[205.230.28.193]
```
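The log above mixes two different things: the per-client "SASL ... authentication failed" lines, which is what you would count to spot a password-guessing client, and the library-level "SASL authentication failure: ..." lines, which here say the server itself is misconfigured (smtpd cannot reach the saslauthd socket, and CRAM-MD5 has no shared secret in sasldb). The following triage script is an added example, not part of the original page; the sample log is constructed from the pattern above with a documentation address, and the category names and the `noisy_clients` threshold are my own choices.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Two shapes of smtpd SASL warnings appear in Postfix logs:
#   warning: <client>: SASL <MECH> authentication failed
#   warning: SASL authentication failure: <reason from the SASL library>
FAILED_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<client>\S+\[[^\]]+\]): "
    r"SASL (?P<mech>\S+) authentication failed"
)
REASON_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: SASL authentication failure: (?P<reason>.+)$"
)


def classify_reason(reason: str) -> str:
    """Map the SASL library's free-text reason to a category a defender can act on."""
    r = reason.lower()
    if "cannot connect to saslauthd" in r:
        # smtpd cannot reach the saslauthd socket (typically: socket outside the
        # Postfix chroot). This is a server-side setup problem, not a bad password.
        return "saslauthd_unreachable"
    if "no secret in database" in r:
        # CRAM-MD5/DIGEST-MD5 need a shared secret in sasldb; saslauthd cannot serve them.
        return "missing_sasldb_entry"
    if "password verification failed" in r:
        return "bad_credentials"
    return "other"


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise SASL failures: per-client/per-mechanism counts plus reason categories."""
    per_client: Dict[str, Counter] = defaultdict(Counter)
    reasons: Counter = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            per_client[m.group("client")][m.group("mech")] += 1
            continue
        m = REASON_RE.search(line)
        if m:
            reasons[classify_reason(m.group("reason"))] += 1
    return {
        "per_client": {c: dict(v) for c, v in per_client.items()},
        "reasons": dict(reasons),
        # Any unreachable-saslauthd reason means the server, not the client, is broken.
        "server_misconfigured": reasons["saslauthd_unreachable"] > 0,
    }


def noisy_clients(summary: Dict[str, object], threshold: int) -> List[str]:
    """Clients with at least `threshold` failed attempts: candidates for rate limiting."""
    per_client = summary["per_client"]
    return sorted(c for c, mechs in per_client.items() if sum(mechs.values()) >= threshold)


# Constructed sample, modelled on the log above with a documentation address (192.0.2.10).
SAMPLE_LOG = """\
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: no secret in database
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: client.example.net[192.0.2.10]: SASL CRAM-MD5 authentication failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: Password verification failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: client.example.net[192.0.2.10]: SASL PLAIN authentication failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: client.example.net[192.0.2.10]: SASL LOGIN authentication failed
Apr 21 15:52:46 localhost postfix/smtpd[26421]: disconnect from client.example.net[192.0.2.10]
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    print(summary)
    print("noisy:", noisy_clients(summary, 3))
```

Run it against `/var/log/mail.log` instead of the sample and the `server_misconfigured` flag separates "fix saslauthd" from "someone is guessing passwords" before you start reading individual lines.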
Made a few other changes to /etc/default/saslauthd:
root@weasel:/etc/default# diff saslauthd.orig saslauthd 3a4,7 > PWDIR="/var/spool/postfix/var/run/saslauthd" > PARAMS="-m ${PWDIR}" > PIDFILE="${PWDIR}/saslauthd.pid" > 10,11c14,15 < #PARAMS="-m /var/spool/postfix/var/run/saslauthd -r" < PARAMS="-m /var/run/saslauthd" --- > > OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
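Review bot: the hunk leaves two sources of truth for the socket location: `PARAMS="-m ${PWDIR}"` at 3a4,7 and `OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"` at 10,11c14,15 both pass `-m`, and whichever variable the installed init script does not read is dead configuration. After restarting, check with `ps` that the running saslauthd was actually started with the `/var/spool/postfix/var/run/saslauthd` path: the earlier "cannot connect to saslauthd server: No such file or directory" warnings are exactly what a chrooted smtpd reports when the socket lives outside its chroot. The directory must also exist under the chroot and be readable by the postfix user (on Ubuntu, membership of the sasl group), or the same warning persists with the new path.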
That got things working and I could suddenly see that my certificate is expired. But I found that attempts to send TLS to my upstream provider, Comcast, were failing, so I took out the smtp_enable_tls.
This is the config that I've wanted. Now I can configure our Thunderbird on the laptop to be able to send mail wherever it is on the net:
- outgoing server: weasel.finninday.net
- port: 25
- secure connection: TLS
- Use username and password.
Going further, I took out md5 from the ciphers listed in /etc/postfix/sasl/smtpd.conf and commented out
#allow_plaintext:true
Another postfix reload.
Looks good. Now the logs are pretty clean:
```
Apr 21 16:22:02 localhost postfix/smtpd[28590]: connect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:02 localhost postfix/smtpd[28590]: setting up TLS connection from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:04 localhost postfix/smtpd[28590]: TLS connection established from PSMFC-fwgt.psmfc.org[205.230.28.193]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 21 16:22:05 localhost postfix/smtpd[28590]: 18DBC1334439: client=PSMFC-fwgt.psmfc.org[205.230.28.193], sasl_method=PLAIN, sasl_username=xxxx
Apr 21 16:22:05 localhost postfix/cleanup[28597]: 18DBC1334439: message-id=<480D2198.6020507@finninday.net>
Apr 21 16:22:05 localhost postfix/qmgr[28565]: 18DBC1334439: from=<xxxx@finninday.net>, size=649, nrcpt=1 (queue active)
Apr 21 16:22:05 localhost postfix/smtpd[28590]: disconnect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:19 localhost postfix/smtpd[28607]: connect from localhost.localdomain[127.0.0.1]
Apr 21 16:22:19 localhost postfix/smtpd[28607]: 9676713348D9: client=localhost.localdomain[127.0.0.1]
Apr 21 16:22:19 localhost postfix/cleanup[28597]: 9676713348D9: message-id=<480D2198.6020507@finninday.net>
Apr 21 16:22:19 localhost postfix/qmgr[28565]: 9676713348D9: from=<xxxx@finninday.net>, size=1112, nrcpt=1 (queue active)
Apr 21 16:22:19 localhost postfix/smtpd[28607]: disconnect from localhost.localdomain[127.0.0.1]
Apr 21 16:22:19 localhost amavis[19645]: (19645-06) Passed CLEAN, [205.230.28.193] [205.230.28.193] <xxxx@finninday.net> -> <xxxx@psmfc.org>, Message-ID: <480D2198.6020507@finninday.net>, mail_id: o1siW-0+w6ed, Hits: -3.343, 14426 ms
Apr 21 16:22:19 localhost postfix/smtp[28598]: 18DBC1334439: to=<xxxx@psmfc.org>, relay=127.0.0.1[127.0.0.1], delay=15, status=sent (250 2.6.0 Ok, id=19645-06, from MTA([127.0.0.1]:10025): 250 Ok: queued as 9676713348D9)
Apr 21 16:22:19 localhost postfix/qmgr[28565]: 18DBC1334439: removed
Apr 21 16:22:20 localhost postfix/smtp[28608]: Host offered STARTTLS: [smtp.g.comcast.net]
Apr 21 16:22:20 localhost postfix/smtp[28608]: 9676713348D9: to=<xxxx@psmfc.org>, relay=smtp.g.comcast.net[76.96.30.117], delay=1, status=sent (250 2.0.0 GPNK1Z00P15fmCg8U00000 mail accepted for delivery)
Apr 21 16:22:20 localhost postfix/qmgr[28565]: 9676713348D9: removed
```
Troubleshooting
Can't send mail from Dad's house in San Diego
Attempts to send mail from remote locations just hang and eventually time out. There are no entries in the mail logs about failures. The connection must not even be reaching the machine. The firewall is set to allow connections to port 25, but nmap says this:
```
Interesting ports on c-24-21-185-50.hsd1.mn.comcast.net (24.21.185.50):
Not shown: 1706 filtered ports
PORT    STATE  SERVICE
21/tcp  open   ftp
22/tcp  open   ssh
80/tcp  open   http
143/tcp open   imap
389/tcp open   ldap
443/tcp open   https
445/tcp closed microsoft-ds
993/tcp open   imaps
```
So the firewall isn't really allowing port 25 through.
Ahah, the problem was that the ISP that my father-in-law uses is blocking outbound port 25 traffic. Does it actually reduce spam or just annoy people? They also block outbound traffic on all unprivileged ports. My proposed solution is to use one of the ports they don't block, like ftp, and try to redirect smtp from that port to my port 25. SSH has a way to do this:
ssh -R 21:localhost:25 rday@localhost
But that doesn't quite work since it is a privileged port, so I have to be root, but then there is some config option that is preventing root from redirecting ports. If I can't figure out the ssh config, I'll have to use some other option.
Redirecting to a non-privileged port works just fine:
ssh -R 2025:localhost:25 rday@localhost
But unfortunately, that is blocked by the ISP.
I may resort to using iptables to do the redirect using something like this:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 25
Blocked by my own ISP
For my own protection, Comcast shut off my email.
Subject: Customer Security Assurance Notice ACTION REQUIRED: Comcast has determined that your computer(s) have been used to send unsolicited email ("spam"), which is generally an indicator of a virus. For your own protection and that of other Comcast customers, we have taken steps to prevent further transmission of spam from your computer(s).
According to my mail server logs I've sent 100 emails in the previous 24 hours. The email says nothing of the amount of mail that triggers the spam warning, but I've heard other people say it is 1000 in a 24 hour period. All my anti-virus reports are clean. I think the problem was that I've been sending mail to smtp.comcast.net:25 for the past few years. At some point they changed policy and said that mail should go to port 587, but I didn't get the memo.
By the way, I talked to Comcast tech support before I knew what was happening and he told me that the problem was my yahoo mail account (which I don't have) or my home mail server. I asked if it might have something to do with being blacklisted for sending spam and he said no, definitely not that. He asked if I had checked the message boards to answer this problem and I said yes, everyone else with my symptoms has been blocked for sending too many emails. He said Comcast has a policy of not filtering ports. One useful thing (that is, one thing that wasn't completely false) that I got out of him was the details I needed to log into my long-unused Comcast webmail account which was how I found the email that I quoted above.
Now when I try to connect to comcast to send mail, it looks like this:
```
rday@weasel:~$ telnet smtp.comcast.net 25
Trying 76.96.30.117...
```
But if I try the same thing from work, I get this:
```
[rday@snapper bin]$ telnet smtp.comcast.net 25
Trying 76.96.30.117...
Connected to smtp.comcast.net.
Escape character is '^]'.
ehlo localhost
220 OMTA09.emeryville.ca.mail.comcast.net comcast ESMTP server ready
250-OMTA09.emeryville.ca.mail.comcast.net hello [69.30.63.162], pleased to meet you
250-HELP
250-AUTH LOGIN PLAIN CRAM-MD5
250-SIZE 15728640
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-STARTTLS
250 OK
quit
221 2.0.0 OMTA09.emeryville.ca.mail.comcast.net comcast closing connection
Connection closed by foreign host.
```
So I'm on some kind of blacklist for talking to port 25. Current Comcast documentation says that you should use port 587 for sending mail. But I can't find their instructions on how to do that on their website.
I was able to verify that my home machine can connect to smtp.comcast.net:587 if I authenticate via TLS:
```
rday@weasel:~$ telnet smtp.comcast.net 587
Trying 76.96.62.117...
Connected to smtp.g.comcast.net.
Escape character is '^]'.
220 OMTA04.westchester.pa.mail.comcast.net comcast ESMTP server ready
ehlo localhost
250-OMTA04.westchester.pa.mail.comcast.net hello [24.21.185.50], pleased to meet you
250-HELP
250-AUTH LOGIN PLAIN CRAM-MD5
250-SIZE 15728640
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-STARTTLS
250 OK
auth plain {magic-mmencoded-token}
235 2.7.0 ... authentication succeeded
quit
221 2.0.0 OMTA04.westchester.pa.mail.comcast.net comcast closing connection
Connection closed by foreign host.
```
To come up with the magic auth token, I used this formula:
```
[rday@snapper bin]$ perl -MMIME::Base64 -e \
> 'print encode_base64("\0username\0password");'
```
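The "magic" token is nothing more than base64 over the SASL PLAIN message from RFC 4616 (an optional authorization identity, a NUL, the username, a NUL, the password); the leading `\0` in the perl one-liner is the empty authorization identity. The encode/decode pair below is an added example, not part of the original page; the function names are mine. The decoder is the point: anyone who captures the token on an unencrypted session recovers the password directly, which is why the session above sends it only after STARTTLS, and why on the receiving side Postfix's `smtpd_tls_auth_only = yes` is the setting that refuses AUTH until TLS is up.

```python
import base64
from typing import Tuple


def auth_plain_token(username: str, password: str, authzid: str = "") -> str:
    """Build the SASL PLAIN initial response (RFC 4616):
    base64( authzid NUL authcid NUL passwd ). The default empty authzid is what
    the perl one-liner above produces with its leading \\0."""
    for field in (authzid, username, password):
        if "\0" in field:
            raise ValueError("NUL cannot appear inside a PLAIN credential field")
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token: str) -> Tuple[str, str, str]:
    """Reverse the encoding. Anyone who sees the token on the wire can do this,
    which is why PLAIN must only be offered inside TLS."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN token: expected exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


if __name__ == "__main__":
    tok = auth_plain_token("username", "password")
    print(tok)                     # AHVzZXJuYW1lAHBhc3N3b3Jk
    print(decode_auth_plain(tok))  # ('', 'username', 'password')
```

`base64.b64decode(..., validate=True)` rejects tokens with stray characters instead of silently skipping them, so a garbled token fails loudly rather than decoding to the wrong credential.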
Now I need to tell postfix to connect that way for sending mail. I was able to direct postfix to use that port by these directives in main.cf (note the key word "submission" to indicate port 587):
```
relayhost = [smtp.comcast.net]:submission
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
```
After putting the username and password in sasl_password, I had to make it a db file like so:
```
postmap /etc/postfix/sasl_passwd
```
More details about how that works are here: http://www.postfix.org/SASL_README.html#client_sasl
In order to receive mail, I'll have to probably buy a port deflector service like they describe in this post: http://www.lockergnome.com/usrbingeek/2007/04/12/comcast-blocking-port-25/ Here is a better link to the no-ip reflector service: http://www.no-ip.com/support/guides/email/blocked_port_25.html
I spent a quick $40 on no-ip.com reflector service, repointed the MX records for my domain to no-ip.com, and started up mail service on a non-standard port. And it works! Now Comcast has to go to a lot more trouble to shut off my email. And in the meantime, it looks like it will be feasible to switch to business class DSL with a static IP address and non-filtered ports and everything. Yay. Thanks Comcast, for finally pushing me into better, cheaper service with a different provider.
After a few weeks of using the mail reflector service, I was considering using it even after I switch to a non-filtered ISP because the spam filtering they do made a drastic reduction in the spam filtering I had to do. I was bouncing around 95% of all inbound mail because it didn't follow mail specifications. Now I am bouncing between 0 and 1%. But alas, a real email was bounced by the mail reflector, so I guess I'll have to save my $40 and do my own filtering so I don't have to worry about false positives.
postfix config for relaying outbound mail to gmail
My ISP (TDS) is dropping mail relaying service for my business-class account. And, by the way, they block all outbound port 25 traffic that doesn't go to their mail relay. So I'm screwed^H^H^H^H^H^H^H motivated to come up with a different way to inject my outbound mail into the internets.
My strategy is to instruct postfix to deliver mail to gmail like this:
main.cf: relayhost = [smtp.gmail.com]:587
But it is not quite so easy as that, since I have to authenticate to gmail. Hopefully the following steps will take care of all the fiddly details of doing the authentication properly.
My recipe is based on these documents:
First step, does my current ISP block outbound port 587?
I wouldn't put it past them, but this looks like it is not a problem.
```
rday@weasel:~$ nc smtp.gmail.com 587
220 mx.google.com ESMTP n9sm13393068wag.23
```
changes to main.cf
These are the relevant differences between my current main.cf and the proposed main.cf:
```
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_loglevel = 1
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtpd_enforce_tls = no
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $myhostname
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
transport_maps = hash:/etc/postfix/transport
```
changes to master.cf
I'm assuming that no changes are necessary to master.cf, but I'm not sure about this:
```
relay     unix  -       -       n       -       -       smtp
        -o smtp_generic_maps=
```
I don't have any other mail servers on my network, so I'm not going to make any changes to master.cf. I want all outbound mail to go to gmail and to have the address translation happen appropriately.
certificates
I'm assuming that I can continue to use my existing certificates, with the small addition of the Thawte credentials.
```
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_key_file = /etc/postfix/newreq.pem
```
I'll just add the following entries to main.cf:
```
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/newcert.pem
smtp_tls_key_file = /etc/postfix/newreq.pem
```
update sasl_passwd
I added my gmail username and password to the sasl_password file and then did a postmap on it to create the sasl_passwd.db. I verified that the permissions on these two files allow root and postfix to read them and no one else.
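The permission check described above is worth scripting so it survives the next package upgrade or hand edit. The SASL_README linked earlier asks for the client password file to be readable and writable by root only; the audit below is an added example, not part of the original page, and the function names are mine. It checks both `/etc/postfix/sasl_passwd` and the `.db` that postmap produces, with an `allow_group_read` switch for a root-owned file that a dedicated group (as with the root-plus-postfix arrangement above) may read but nobody else may touch.

```python
import os
import stat
from typing import Dict, List, Sequence

SECRET_FILES = ("/etc/postfix/sasl_passwd", "/etc/postfix/sasl_passwd.db")


def mode_findings(mode: int, uid: int, allow_group_read: bool = False,
                  owner_uid: int = 0) -> List[str]:
    """Pure check on a (st_mode, st_uid) pair, so it can be tested without touching disk.
    Returns a list of problems; an empty list means the file is locked down."""
    findings: List[str] = []
    if uid != owner_uid:
        findings.append(f"owner uid {uid} is not {owner_uid}")
    group_bits = mode & stat.S_IRWXG
    if group_bits and not (allow_group_read and group_bits == stat.S_IRGRP):
        findings.append("group permissions too broad")
    if mode & stat.S_IRWXO:
        findings.append("world-accessible (other bits set)")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit set")
    return findings


def audit_secret_files(paths: Sequence[str] = SECRET_FILES,
                       allow_group_read: bool = False) -> Dict[str, List[str]]:
    """stat() each path and report findings; a missing .db usually means postmap was not rerun."""
    report: Dict[str, List[str]] = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report[path] = ["missing"]
            continue
        report[path] = mode_findings(st.st_mode, st.st_uid, allow_group_read=allow_group_read)
    return report


if __name__ == "__main__":
    for path, problems in audit_secret_files().items():
        print(path, "OK" if not problems else "; ".join(problems))
```

Run it as part of whatever applies the config, and treat any non-empty finding as a failed deploy: a world-readable sasl_passwd hands the relay credentials to every local account, and the `.db` copy needs the same scrutiny as the source file.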