Smtp auth: Difference between revisions
Revision as of 16:43, 1 August 2008
When I upgrade to Hardy Heron, it looks like I'll have an easier time getting mail to work.
Here is an Ubuntu-specific recipe that looks like it will do the job:
https://help.ubuntu.com/7.04/server/C/postfix.html
Currently, my mail service is working as long as I don't try to send mail from a remote machine. For instance, if I have a laptop configured to send outgoing mail through my server and am connecting through an untrusted network in a coffee shop or a friend's house, I am unable to connect to the server. This must be fixed.
There are several differences between my existing /etc/postfix/main.cf config and the recipe linked above:
| Current | Proposed |
|---|---|
| smtpd_sasl2_auth_enable = yes | smtpd_sasl_auth_enable = yes |
| smtpd_sasl_local_domain = finninday.net | smtpd_sasl_local_domain = |
| broken_sasl_auth_clients = yes | |
| | smtp_use_tls = yes |
| | smtp_tls_note_starttls_offer = yes |
However, my server currently generates the correct list of available services when starting a transaction:
<pre>
root@weasel:/etc/default# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 weasel.finninday.net ESMTP Postfix (Ubuntu)
ehlo weasel.finninday.net
250-weasel.finninday.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit
</pre>
It even offers the correct services to remote machines:
<pre>
[rday@snapper ~]$ telnet finninday.net 25
Trying 24.21.185.50...
Connected to finninday.net.
Escape character is '^]'.
220 weasel.finninday.net ESMTP Postfix (Ubuntu)
ehlo weasel.finninday.net
250-weasel.finninday.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit
</pre>
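The two EHLO replies above are the cleartext leg of the session, so every AUTH mechanism listed there is offered to a client that never issues STARTTLS. The following audit is an added example, not code from the original page: it parses such a reply, flags the cleartext and MD5 mechanisms, and can repeat the check against a live server with smtplib; the sample reply is constructed from the transcript above.

```python
"""Audit what an SMTP server advertises before STARTTLS. Sample reply is
constructed from the EHLO exchange on this page (the cleartext leg)."""
import smtplib

SAMPLE_EHLO = """\
250-weasel.finninday.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME"""
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}        # password crosses the wire as-is
MD5_MECHS = {"CRAM-MD5", "DIGEST-MD5"}      # need a plaintext-equivalent secret in sasldb


def parse_ehlo(reply: str) -> dict:
    """Map each 250 line to {KEYWORD: parameters}; the first line is the
    server's hostname rather than a capability and is skipped."""
    lines = [l.strip() for l in reply.splitlines() if l.strip().startswith("250")]
    caps = {}
    for line in lines[1:]:
        keyword, _, params = line[4:].partition(" ")   # drop "250-" / "250 "
        caps[keyword.upper()] = params.strip()
    return caps


def audit(caps: dict, pre_tls: bool = True) -> list:
    """Findings for one leg of the session (pre_tls=False for after STARTTLS)."""
    mechs = set(caps.get("AUTH", "").split())
    findings = []
    if pre_tls and mechs and "STARTTLS" in caps:
        findings.append("AUTH offered before STARTTLS; smtpd_tls_auth_only = yes hides it")
    if pre_tls and mechs & CLEARTEXT_MECHS:
        findings.append("cleartext mechanisms pre-TLS: " + " ".join(sorted(mechs & CLEARTEXT_MECHS)))
    if mechs & MD5_MECHS:
        findings.append("MD5 mechanisms offered: " + " ".join(sorted(mechs & MD5_MECHS)))
    return findings


def check_live(host: str, port: int = 25) -> dict:
    """Same audit against a real server, before and after STARTTLS (needs network)."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        before = {k.upper(): v for k, v in s.esmtp_features.items()}
        after = {}
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo()
            after = {k.upper(): v for k, v in s.esmtp_features.items()}
    return {"before_tls": audit(before), "after_tls": audit(after, pre_tls=False)}
```

Run against the sample, `audit(parse_ehlo(SAMPLE_EHLO))` reports all three findings; the post-STARTTLS leg of a correctly configured server should produce none for the cleartext checks.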
I found another recipe that said it was actually tested on Dapper Drake and correctly identified the sasl2 package that I stumbled over before.
https://help.ubuntu.com/community/Postfix
So I followed that recipe and made these changes to my main.cf:
root@weasel:/etc/postfix# diff main.cf.orig main.cf 40,41c40,41 < #smtpd_sasl_auth_enable = yes < smtpd_sasl2_auth_enable = yes --- > smtpd_sasl_auth_enable = yes > #smtpd_sasl2_auth_enable = yes 55c55 < smtpd_sasl_local_domain = $mydomain --- > smtpd_sasl_local_domain = 59a60,61 > smtp_use_tls = yes > smtp_tls_note_starttls_offer = yes
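Review bot: the two lines added at 59a60,61 (`smtp_use_tls = yes`, `smtp_tls_note_starttls_offer = yes`) are smtp_ client-side parameters and only affect outbound delivery; they do not change the AUTH/STARTTLS offer on port 25 that the laptop sees, which is governed by the smtpd_ settings. The 55c55 change silently drops the `$mydomain` value from `smtpd_sasl_local_domain`; a comment in main.cf saying why it is now empty would help the next person reading this file.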
And restarted postfix.
When I try to send an email, I get this in the logs:
<pre>
Apr 21 15:52:15 localhost postfix/smtpd[26421]: connect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 15:52:15 localhost postfix/smtpd[26421]: setting up TLS connection from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 15:52:15 localhost postfix/smtpd[26421]: TLS connection established from PSMFC-fwgt.psmfc.org[205.230.28.193]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: no secret in database
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL CRAM-MD5 authentication failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: Password verification failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL PLAIN authentication failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL LOGIN authentication failed
Apr 21 15:52:46 localhost postfix/smtpd[26421]: disconnect from PSMFC-fwgt.psmfc.org[205.230.28.193]
</pre>
Made a few other changes to /etc/default/saslauthd:
root@weasel:/etc/default# diff saslauthd.orig saslauthd 3a4,7 > PWDIR="/var/spool/postfix/var/run/saslauthd" > PARAMS="-m ${PWDIR}" > PIDFILE="${PWDIR}/saslauthd.pid" > 10,11c14,15 < #PARAMS="-m /var/spool/postfix/var/run/saslauthd -r" < PARAMS="-m /var/run/saslauthd" --- > > OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
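Review bot: after this change the socket path is set twice: `PARAMS="-m ${PWDIR}"` added at 3a4,7 and `OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"` at 10,11c14,15. Whichever variable the init script actually reads, the other is dead configuration; keep one and build it from `${PWDIR}`. The `-c` flag is new compared with both original PARAMS lines and turns on saslauthd's credential cache, which deserves a comment.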
That got things working, and I could suddenly see that my certificate is expired. But I found that attempts to send with TLS to my upstream provider, Comcast, were failing, so I took smtp_use_tls back out.
This is the config I've wanted. Now I can configure Thunderbird on the laptop to send mail from wherever it is on the net:
- outgoing server: weasel.finninday.net
- port: 25
- secure connection: TLS
- Use username and password.
Going further, I took the MD5 mechanisms out of the mechanism list in /etc/postfix/sasl/smtpd.conf and commented out
#allow_plaintext:true
Another postfix reload.
Looks good. Now the logs are pretty clean:
<pre>
Apr 21 16:22:02 localhost postfix/smtpd[28590]: connect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:02 localhost postfix/smtpd[28590]: setting up TLS connection from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:04 localhost postfix/smtpd[28590]: TLS connection established from PSMFC-fwgt.psmfc.org[205.230.28.193]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 21 16:22:05 localhost postfix/smtpd[28590]: 18DBC1334439: client=PSMFC-fwgt.psmfc.org[205.230.28.193], sasl_method=PLAIN, sasl_username=xxxx
Apr 21 16:22:05 localhost postfix/cleanup[28597]: 18DBC1334439: message-id=<480D2198.6020507@finninday.net>
Apr 21 16:22:05 localhost postfix/qmgr[28565]: 18DBC1334439: from=<xxxx@finninday.net>, size=649, nrcpt=1 (queue active)
Apr 21 16:22:05 localhost postfix/smtpd[28590]: disconnect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:19 localhost postfix/smtpd[28607]: connect from localhost.localdomain[127.0.0.1]
Apr 21 16:22:19 localhost postfix/smtpd[28607]: 9676713348D9: client=localhost.localdomain[127.0.0.1]
Apr 21 16:22:19 localhost postfix/cleanup[28597]: 9676713348D9: message-id=<480D2198.6020507@finninday.net>
Apr 21 16:22:19 localhost postfix/qmgr[28565]: 9676713348D9: from=<xxxx@finninday.net>, size=1112, nrcpt=1 (queue active)
Apr 21 16:22:19 localhost postfix/smtpd[28607]: disconnect from localhost.localdomain[127.0.0.1]
Apr 21 16:22:19 localhost amavis[19645]: (19645-06) Passed CLEAN, [205.230.28.193] [205.230.28.193] <xxxx@finninday.net> -> <xxxx@psmfc.org>, Message-ID: <480D2198.6020507@finninday.net>, mail_id: o1siW-0+w6ed, Hits: -3.343, 14426 ms
Apr 21 16:22:19 localhost postfix/smtp[28598]: 18DBC1334439: to=<xxxx@psmfc.org>, relay=127.0.0.1[127.0.0.1], delay=15, status=sent (250 2.6.0 Ok, id=19645-06, from MTA([127.0.0.1]:10025): 250 Ok: queued as 9676713348D9)
Apr 21 16:22:19 localhost postfix/qmgr[28565]: 18DBC1334439: removed
Apr 21 16:22:20 localhost postfix/smtp[28608]: Host offered STARTTLS: [smtp.g.comcast.net]
Apr 21 16:22:20 localhost postfix/smtp[28608]: 9676713348D9: to=<xxxx@psmfc.org>, relay=smtp.g.comcast.net[76.96.30.117], delay=1, status=sent (250 2.0.0 GPNK1Z00P15fmCg8U00000 mail accepted for delivery)
Apr 21 16:22:20 localhost postfix/qmgr[28565]: 9676713348D9: removed
</pre>
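The failing and the clean log excerpts above differ in a way that is easy to check mechanically: the reason lines ("no secret in database", "cannot connect to saslauthd server") identify a broken server-side SASL setup, whereas repeated "Password verification failed" with no success would point at bad or guessed credentials. This triage script is an added example, not part of the original page; its sample lines are constructed after the excerpts above, with the page's placeholders kept as-is.

```python
"""Triage Postfix smtpd SASL log lines: tell server-side misconfiguration
apart from bad or guessed credentials.  The sample lines are constructed
after the log excerpts on this page (the page's placeholders kept as-is)."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Apr 21 15:52:15 localhost postfix/smtpd[26421]: TLS connection established from PSMFC-fwgt.psmfc.org[205.230.28.193]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: no secret in database
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL CRAM-MD5 authentication failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: Password verification failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL PLAIN authentication failed
Apr 21 16:22:05 localhost postfix/smtpd[28590]: 18DBC1334439: client=PSMFC-fwgt.psmfc.org[205.230.28.193], sasl_method=PLAIN, sasl_username=xxxx
"""
# Reasons that point at the server's SASL setup rather than at the client's password.
MISCONFIG = ("cannot connect to saslauthd", "no secret in database")
REASON_RE = re.compile(r"warning: SASL authentication failure: (?P<reason>.+)$")
FAILED_RE = re.compile(r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed")
OK_RE = re.compile(r"client=\S+\[(?P<ip>[^\]]+)\], sasl_method=(?P<mech>\S+), sasl_username=(?P<user>\S+)")
TLS_RE = re.compile(r"TLS connection established from \S+\[(?P<ip>[^\]]+)\]")

def triage(log: str) -> dict:
    """Per client: TLS seen, failed (mech, reasons) and successful (mech, user) logins."""
    clients = defaultdict(lambda: {"tls": False, "failed": [], "ok": []})
    misconfig, reasons = set(), []  # reason lines precede the "authentication failed" line
    for line in log.splitlines():
        if m := REASON_RE.search(line):
            reasons.append(m["reason"])
        elif m := FAILED_RE.search(line):
            clients[m["ip"]]["failed"].append((m["mech"], reasons))
            misconfig.update(r for r in reasons if r.startswith(MISCONFIG))
            reasons = []
        elif m := OK_RE.search(line):
            clients[m["ip"]]["ok"].append((m["mech"], m["user"]))
        elif m := TLS_RE.search(line):
            clients[m["ip"]]["tls"] = True
    return {"clients": dict(clients), "misconfig": sorted(misconfig)}

def verdict(result: dict, ip: str, threshold: int = 5) -> str:
    """Misconfiguration first, then repeated failures without any success."""
    c = result["clients"].get(ip)
    if c is None:
        return "unknown client"
    if result["misconfig"]:
        return "server misconfiguration: " + "; ".join(result["misconfig"])
    if len(c["failed"]) >= threshold and not c["ok"]:
        return "possible password guessing"
    return "credential failures" if c["failed"] else "ok"
```

Feed it `/var/log/mail.log` (or a journal export) instead of `SAMPLE_LOG` to get the same per-client summary for a real server.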
Troubleshooting
Attempts to send mail from remote locations just hang and eventually time out. There are no entries in the mail logs about failures, so the connection must not even be reaching the machine. The firewall is set to allow connections to port 25, but nmap says this:
<pre>
Interesting ports on c-24-21-185-50.hsd1.mn.comcast.net (24.21.185.50):
Not shown: 1706 filtered ports
PORT    STATE  SERVICE
21/tcp  open   ftp
22/tcp  open   ssh
80/tcp  open   http
143/tcp open   imap
389/tcp open   ldap
443/tcp open   https
445/tcp closed microsoft-ds
993/tcp open   imaps
</pre>
So the firewall isn't really allowing port 25 through.