Difference between revisions of "Smtp auth"

From Finninday
Line 133: Line 133:
 
This is the config that I've wanted.  Now I can configure our Thunderbird on the laptop to be able to send mail wherever it is on the net:
 
This is the config that I've wanted.  Now I can configure our Thunderbird on the laptop to be able to send mail wherever it is on the net:
  
outgoing server: weasel.finninday.net
+
:outgoing server: weasel.finninday.net
port: 25
+
:port: 25
secure connection: TLS
+
:secure connection: TLS
Use username and password.
+
:Use username and password.
 +
 
 +
Going further, I took out md5 from the ciphers listed in /etc/postfix/sasl/smtpd.conf and commented out
 +
#allow_plaintext:true
 +
 
 +
Another postfix reload.
 +
 
 +
Looks good.  Now the logs are pretty clean:
 +
 
 +
<pre>
 +
Apr 21 16:22:02 localhost postfix/smtpd[28590]: connect from PSMFC-fwgt.psmfc.org[205.230.28.193]
 +
Apr 21 16:22:02 localhost postfix/smtpd[28590]: setting up TLS connection from PSMFC-fwgt.psmfc.org[205.230.28.193]
 +
Apr 21 16:22:04 localhost postfix/smtpd[28590]: TLS connection established from PSMFC-fwgt.psmfc.org[205.230.28.193]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
 +
Apr 21 16:22:05 localhost postfix/smtpd[28590]: 18DBC1334439: client=PSMFC-fwgt.psmfc.org[205.230.28.193], sasl_method=PLAIN, sasl_username=xxxx
 +
Apr 21 16:22:05 localhost postfix/cleanup[28597]: 18DBC1334439: message-id=<480D2198.6020507@finninday.net>
 +
Apr 21 16:22:05 localhost postfix/qmgr[28565]: 18DBC1334439: from=<xxxx@finninday.net>, size=649, nrcpt=1 (queue active)
 +
Apr 21 16:22:05 localhost postfix/smtpd[28590]: disconnect from PSMFC-fwgt.psmfc.org[205.230.28.193]
 +
Apr 21 16:22:19 localhost postfix/smtpd[28607]: connect from localhost.localdomain[127.0.0.1]
 +
Apr 21 16:22:19 localhost postfix/smtpd[28607]: 9676713348D9: client=localhost.localdomain[127.0.0.1]
 +
Apr 21 16:22:19 localhost postfix/cleanup[28597]: 9676713348D9: message-id=<480D2198.6020507@finninday.net>
 +
Apr 21 16:22:19 localhost postfix/qmgr[28565]: 9676713348D9: from=<xxxx@finninday.net>, size=1112, nrcpt=1 (queue active)
 +
Apr 21 16:22:19 localhost postfix/smtpd[28607]: disconnect from localhost.localdomain[127.0.0.1]
 +
Apr 21 16:22:19 localhost amavis[19645]: (19645-06) Passed CLEAN, [205.230.28.193] [205.230.28.193] <xxxx@finninday.net> -> <xxxx@psmfc.org>, Message-ID: <480D2198.6020507@finninday.net>, mail_id: o1siW-0+w6ed, Hits: -3.343, 14426 ms
 +
Apr 21 16:22:19 localhost postfix/smtp[28598]: 18DBC1334439: to=<xxxx@psmfc.org>, relay=127.0.0.1[127.0.0.1], delay=15, status=sent (250 2.6.0 Ok, id=19645-06, from MTA([127.0.0.1]:10025): 250 Ok: queued as 9676713348D9)
 +
Apr 21 16:22:19 localhost postfix/qmgr[28565]: 18DBC1334439: removed
 +
Apr 21 16:22:20 localhost postfix/smtp[28608]: Host offered STARTTLS: [smtp.g.comcast.net]
 +
Apr 21 16:22:20 localhost postfix/smtp[28608]: 9676713348D9: to=<xxxx@psmfc.org>, relay=smtp.g.comcast.net[76.96.30.117], delay=1, status=sent (250 2.0.0 GPNK1Z00P15fmCg8U00000 mail accepted for delivery)
 +
Apr 21 16:22:20 localhost postfix/qmgr[28565]: 9676713348D9: removed
 +
</pre>
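
Review bot: in the added sentence "I took out md5 from the ciphers listed in /etc/postfix/sasl/smtpd.conf", the entries being removed are SASL mechanisms, not ciphers; the only cipher in the added text is the TLS one in the log (DHE-RSA-AES256-SHA). Suggest naming the mechanisms that were removed and showing the resulting line of smtpd.conf. The added log then shows sasl_method=PLAIN immediately after "#allow_plaintext:true" is described as commented out, so one sentence saying whether PLAIN was still expected to work (the log shows it only after "TLS connection established") would make the outcome clear to the reader.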

Revision as of 23:28, 21 April 2008

When I upgrade to Hardy Heron, it looks like I'll have an easier time getting mail to work.

Here is an Ubuntu-specific recipe that looks like it will do the job:

https://help.ubuntu.com/7.04/server/C/postfix.html

Currently, my mail service is working as long as I don't try to send mail from a remote machine. For instance, if I have a laptop configured to send outgoing mail to my server and am connecting through an untrusted network in a coffee shop or a friend's house, I am unable to connect to the server. This must be fixed.

There are several differences between my existing /etc/postfix/main.cf config and the recipe linked above:

Current Proposed
smtpd_sasl2_auth_enable = yes smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = finninday.net smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes


However, my server currently generates the correct list of available services when starting a transaction:

root@weasel:/etc/default# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 weasel.finninday.net ESMTP Postfix (Ubuntu)
ehlo weasel.finninday.net
250-weasel.finninday.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit

It even offers the correct services to remote machines:

[rday@snapper ~]$ telnet finninday.net 25
Trying 24.21.185.50...
Connected to finninday.net.
Escape character is '^]'.
220 weasel.finninday.net ESMTP Postfix (Ubuntu)
ehlo weasel.finninday.net
250-weasel.finninday.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit
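
The two telnet sessions above show the server advertising AUTH on a connection where STARTTLS has not been issued. The following is an added example, not part of the original page: it parses that EHLO reply and reports which offered mechanisms would put a password on the wire unencrypted, and which need a server-readable shared secret. The function names and finding labels are hypothetical.

```python
# EHLO reply copied from the cleartext telnet session above (no STARTTLS issued).
EHLO_REPLY = """\
250-weasel.finninday.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
"""

PASSWORD_EQUIVALENT = {"PLAIN", "LOGIN"}    # password is only base64-encoded
SHARED_SECRET = {"DIGEST-MD5", "CRAM-MD5"}  # server must hold a readable secret

def parse_ehlo(reply):
    """Return (extensions, auth_mechanisms) from a multi-line 250 reply."""
    lines = reply.strip().splitlines()
    extensions, mechs = [], set()
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:].strip()
        last = i == len(lines) - 1
        # Every line but the last uses "250-"; the last uses "250 ".
        if code != "250" or sep != (" " if last else "-"):
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        if i == 0:
            continue  # first line is the server's greeting domain
        upper = text.upper()
        # "AUTH=..." is the legacy form Postfix adds with broken_sasl_auth_clients = yes.
        if upper.startswith(("AUTH ", "AUTH=")):
            mechs.update(upper[5:].split())
        elif upper:
            extensions.append(upper.split()[0])
    return extensions, mechs

def assess(reply, tls_active):
    """List what this advertisement means for credentials on this connection."""
    extensions, mechs = parse_ehlo(reply)
    findings = []
    if not tls_active and mechs & PASSWORD_EQUIVALENT:
        findings.append("cleartext-auth-offered: " + ",".join(sorted(mechs & PASSWORD_EQUIVALENT)))
    if not tls_active and "STARTTLS" not in extensions:
        findings.append("no-starttls")
    if mechs & SHARED_SECRET:
        findings.append("shared-secret-mechs: " + ",".join(sorted(mechs & SHARED_SECRET)))
    return findings

if __name__ == "__main__":
    print(assess(EHLO_REPLY, tls_active=False))
```

On Postfix, `smtpd_tls_auth_only = yes` is the setting that keeps AUTH from being advertised or accepted until STARTTLS has completed.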

I found another recipe that said it was actually tested on Dapper Drake and correctly identified the sasl2 package that I stumbled over before.

https://help.ubuntu.com/community/Postfix

So I followed that recipe and made these changes to my main.cf:

root@weasel:/etc/postfix# diff main.cf.orig main.cf
40,41c40,41
< #smtpd_sasl_auth_enable = yes
< smtpd_sasl2_auth_enable = yes
---
> smtpd_sasl_auth_enable = yes
> #smtpd_sasl2_auth_enable = yes
55c55
< smtpd_sasl_local_domain = $mydomain
---
> smtpd_sasl_local_domain = 
59a60,61
> smtp_use_tls = yes
> smtp_tls_note_starttls_offer = yes
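
Review bot: in hunk 59a60,61 both added parameters carry the smtp_ prefix, which in Postfix configures the outbound SMTP client, while hunks 40,41c40,41 and 55c55 change smtpd_ (server-side) settings. The problem being fixed is a remote laptop failing to authenticate to this server, so these two lines are a separate change from the SASL fix; suggest applying and testing them separately, with a comment in main.cf saying they affect delivery to the upstream relay, so that a later TLS failure on outbound mail is not confused with the inbound auth change.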

And restarted postfix.

When I try to send an email, I get this in the logs:

Apr 21 15:52:15 localhost postfix/smtpd[26421]: connect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 15:52:15 localhost postfix/smtpd[26421]: setting up TLS connection from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 15:52:15 localhost postfix/smtpd[26421]: TLS connection established from PSMFC-fwgt.psmfc.org[205.230.28.193]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: no secret in database
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL CRAM-MD5 authentication failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: Password verification failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL PLAIN authentication failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL LOGIN authentication failed
Apr 21 15:52:46 localhost postfix/smtpd[26421]: disconnect from PSMFC-fwgt.psmfc.org[205.230.28.193]


Made a few other changes to /etc/default/saslauthd:

root@weasel:/etc/default# diff saslauthd.orig saslauthd
3a4,7
> PWDIR="/var/spool/postfix/var/run/saslauthd"
> PARAMS="-m ${PWDIR}"
> PIDFILE="${PWDIR}/saslauthd.pid"
> 
10,11c14,15
< #PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
< PARAMS="-m /var/run/saslauthd"
---
> 
> OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
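
Review bot: hunk 10,11c14,15 removes the active PARAMS line and adds OPTIONS with the socket directory written out literally, while hunk 3a4,7 has already defined PWDIR and a new PARAMS built from it. The file ends up with two variables carrying the -m path, one via ${PWDIR} and one hard-coded, and only OPTIONS has -c, so it is not visible from the diff which one the init script reads. Suggest writing OPTIONS="-c -m ${PWDIR}" and removing whichever of PARAMS or OPTIONS is unused, so the path that has to match Postfix's chroot is set in exactly one place.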

That got things working and I could suddenly see that my certificate is expired. But I found that attempts to send TLS to my upstream provider, Comcast, were failing, so I took out the smtp_enable_tls.

This is the config that I've wanted. Now I can configure our Thunderbird on the laptop to be able to send mail wherever it is on the net:

outgoing server: weasel.finninday.net
port: 25
secure connection: TLS
Use username and password.

Going further, I took out md5 from the ciphers listed in /etc/postfix/sasl/smtpd.conf and commented out:

#allow_plaintext:true

Another postfix reload.

Looks good. Now the logs are pretty clean:

Apr 21 16:22:02 localhost postfix/smtpd[28590]: connect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:02 localhost postfix/smtpd[28590]: setting up TLS connection from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:04 localhost postfix/smtpd[28590]: TLS connection established from PSMFC-fwgt.psmfc.org[205.230.28.193]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 21 16:22:05 localhost postfix/smtpd[28590]: 18DBC1334439: client=PSMFC-fwgt.psmfc.org[205.230.28.193], sasl_method=PLAIN, sasl_username=xxxx
Apr 21 16:22:05 localhost postfix/cleanup[28597]: 18DBC1334439: message-id=<480D2198.6020507@finninday.net>
Apr 21 16:22:05 localhost postfix/qmgr[28565]: 18DBC1334439: from=<xxxx@finninday.net>, size=649, nrcpt=1 (queue active)
Apr 21 16:22:05 localhost postfix/smtpd[28590]: disconnect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:19 localhost postfix/smtpd[28607]: connect from localhost.localdomain[127.0.0.1]
Apr 21 16:22:19 localhost postfix/smtpd[28607]: 9676713348D9: client=localhost.localdomain[127.0.0.1]
Apr 21 16:22:19 localhost postfix/cleanup[28597]: 9676713348D9: message-id=<480D2198.6020507@finninday.net>
Apr 21 16:22:19 localhost postfix/qmgr[28565]: 9676713348D9: from=<xxxx@finninday.net>, size=1112, nrcpt=1 (queue active)
Apr 21 16:22:19 localhost postfix/smtpd[28607]: disconnect from localhost.localdomain[127.0.0.1]
Apr 21 16:22:19 localhost amavis[19645]: (19645-06) Passed CLEAN, [205.230.28.193] [205.230.28.193] <xxxx@finninday.net> -> <xxxx@psmfc.org>, Message-ID: <480D2198.6020507@finninday.net>, mail_id: o1siW-0+w6ed, Hits: -3.343, 14426 ms
Apr 21 16:22:19 localhost postfix/smtp[28598]: 18DBC1334439: to=<xxxx@psmfc.org>, relay=127.0.0.1[127.0.0.1], delay=15, status=sent (250 2.6.0 Ok, id=19645-06, from MTA([127.0.0.1]:10025): 250 Ok: queued as 9676713348D9)
Apr 21 16:22:19 localhost postfix/qmgr[28565]: 18DBC1334439: removed
Apr 21 16:22:20 localhost postfix/smtp[28608]: Host offered STARTTLS: [smtp.g.comcast.net]
Apr 21 16:22:20 localhost postfix/smtp[28608]: 9676713348D9: to=<xxxx@psmfc.org>, relay=smtp.g.comcast.net[76.96.30.117], delay=1, status=sent (250 2.0.0 GPNK1Z00P15fmCg8U00000 mail accepted for delivery)
Apr 21 16:22:20 localhost postfix/qmgr[28565]: 9676713348D9: removed
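
The clean log above shows `sasl_method=PLAIN` arriving only after "TLS connection established" in the same smtpd process. As an added example (not part of the original page), the script below checks that ordering for every authenticated session in a Postfix log and also collects the SASL failures of the kind seen earlier; the function name and result fields are hypothetical.

```python
import re

# Lines 1-5 are copied from the logs on this page; lines 6-8 are constructed
# (192.0.2.10 is a documentation address) to show a login with no TLS handshake.
SAMPLE_LOG = """\
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL CRAM-MD5 authentication failed
Apr 21 16:22:02 localhost postfix/smtpd[28590]: connect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:04 localhost postfix/smtpd[28590]: TLS connection established from PSMFC-fwgt.psmfc.org[205.230.28.193]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 21 16:22:05 localhost postfix/smtpd[28590]: 18DBC1334439: client=PSMFC-fwgt.psmfc.org[205.230.28.193], sasl_method=PLAIN, sasl_username=xxxx
Apr 21 16:22:05 localhost postfix/smtpd[28590]: disconnect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:30:00 localhost postfix/smtpd[29001]: connect from client.example[192.0.2.10]
Apr 21 16:30:01 localhost postfix/smtpd[29001]: AAAA00000001: client=client.example[192.0.2.10], sasl_method=LOGIN, sasl_username=yyyy
Apr 21 16:30:01 localhost postfix/smtpd[29001]: disconnect from client.example[192.0.2.10]
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
TLS = re.compile(r"TLS connection established from \S+: (\S+) with cipher (\S+)")
AUTH = re.compile(r"client=\S+\[([^\]]+)\], sasl_method=([^,\s]+), sasl_username=(\S+)")
FAIL = re.compile(r"warning: \S+\[([^\]]+)\]: SASL (\S+) authentication failed")
PASSWORD_EQUIVALENT = {"PLAIN", "LOGIN"}

def audit(log_text):
    """Return (logins, failures); each login records whether TLS preceded it."""
    tls_by_pid, logins, failures = {}, [], []
    for raw in log_text.splitlines():
        m = SMTPD.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith(("connect from", "disconnect from")):
            # smtpd processes are reused, so TLS state must not leak between sessions.
            tls_by_pid.pop(pid, None)
        elif t := TLS.match(msg):
            tls_by_pid[pid] = t.groups()
        elif a := AUTH.search(msg):
            ip, mech, user = a.groups()
            tls = tls_by_pid.get(pid)
            logins.append({"ip": ip, "user": user, "mech": mech, "tls": tls,
                           "exposed": tls is None and mech in PASSWORD_EQUIVALENT})
        elif f := FAIL.match(msg):
            failures.append(f.groups())
    return logins, failures

if __name__ == "__main__":
    logins, failures = audit(SAMPLE_LOG)
    for entry in logins:
        print(entry)
    print("failed:", failures)
```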