Smtp auth

From Finninday
Revision as of 04:15, 24 October 2008 by Rday (Talk | contribs)


When I upgrade to Hardy Heron, it looks like I'll have an easier time getting mail to work.

Here is an Ubuntu-specific recipe that looks like it will do the job:

https://help.ubuntu.com/7.04/server/C/postfix.html

Currently, my mail service is working as long as I don't try to send mail from a remote machine. For instance, if I have a laptop configured to send outgoing mail to my server and am connecting through an untrusted network in a coffee shop or a friend's house, I am unable to connect to the server. This must be fixed.

There are several differences between my existing /etc/postfix/main.cf config and the recipe linked above:

Current                                    Proposed
smtpd_sasl2_auth_enable = yes              smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = finninday.net    smtpd_sasl_local_domain =
                                           broken_sasl_auth_clients = yes
                                           smtp_use_tls = yes
                                           smtp_tls_note_starttls_offer = yes


However, my server currently generates the correct list of available services when starting a transaction:

root@weasel:/etc/default# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 weasel.finninday.net ESMTP Postfix (Ubuntu)
ehlo weasel.finninday.net
250-weasel.finninday.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit

It even offers the correct services to remote machines:

[rday@snapper ~]$ telnet finninday.net 25
Trying 24.21.185.50...
Connected to finninday.net.
Escape character is '^]'.
220 weasel.finninday.net ESMTP Postfix (Ubuntu)
ehlo weasel.finninday.net
250-weasel.finninday.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
quit

I found another recipe that said it was actually tested on Dapper Drake and correctly identified the sasl2 package that I stumbled over before.

https://help.ubuntu.com/community/Postfix

So I followed that recipe and made these changes to my main.cf:

root@weasel:/etc/postfix# diff main.cf.orig main.cf
40,41c40,41
< #smtpd_sasl_auth_enable = yes
< smtpd_sasl2_auth_enable = yes
---
> smtpd_sasl_auth_enable = yes
> #smtpd_sasl2_auth_enable = yes
55c55
< smtpd_sasl_local_domain = $mydomain
---
> smtpd_sasl_local_domain = 
59a60,61
> smtp_use_tls = yes
> smtp_tls_note_starttls_offer = yes

And restarted postfix.

When I try to send an email, I get this in the logs:

Apr 21 15:52:15 localhost postfix/smtpd[26421]: connect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 15:52:15 localhost postfix/smtpd[26421]: setting up TLS connection from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 15:52:15 localhost postfix/smtpd[26421]: TLS connection established from PSMFC-fwgt.psmfc.org[205.230.28.193]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: no secret in database
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL CRAM-MD5 authentication failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: Password verification failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL PLAIN authentication failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: PSMFC-fwgt.psmfc.org[205.230.28.193]: SASL LOGIN authentication failed
Apr 21 15:52:46 localhost postfix/smtpd[26421]: disconnect from PSMFC-fwgt.psmfc.org[205.230.28.193]
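The log excerpt above mixes two different kinds of SASL failure: "cannot connect to saslauthd server" means the daemon's socket is not where the chrooted smtpd looks for it (a server-side problem), while "Password verification failed" and "no secret in database" are credential failures for whatever client is knocking. The following shell script is an added example, not part of the original page; it runs over constructed log lines in the same format (hostnames and addresses are placeholders) and separates the two cases and tallies failures per client, which is the first thing worth checking before touching the configuration.

```shell
#!/bin/sh
# Added example: triage Postfix SASL warnings from a mail.log excerpt.
# SAMPLE_LOG is constructed for this demonstration; it mirrors the format
# shown on the page but uses placeholder hosts and documentation addresses.
SAMPLE_LOG='Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: no secret in database
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: client.example.net[192.0.2.10]: SASL CRAM-MD5 authentication failed
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Apr 21 15:52:23 localhost postfix/smtpd[26421]: warning: client.example.net[192.0.2.10]: SASL PLAIN authentication failed
Apr 21 15:53:01 localhost postfix/smtpd[26430]: warning: SASL authentication failure: Password verification failed
Apr 21 15:53:01 localhost postfix/smtpd[26430]: warning: other.example.org[198.51.100.7]: SASL LOGIN authentication failed
Apr 21 15:53:01 localhost postfix/smtpd[26430]: warning: other.example.org[198.51.100.7]: SASL LOGIN authentication failed
Apr 21 15:53:02 localhost postfix/smtpd[26430]: warning: other.example.org[198.51.100.7]: SASL LOGIN authentication failed'

# Print "count client[ip]" for every client with a SASL authentication
# failure, most failures first. Only the "<client>: SASL <mech>
# authentication failed" lines carry the client name, so those are used.
sasl_failures_by_client() {
    printf '%s\n' "$1" \
      | sed -n 's/.*warning: \([^ ]*\[[^]]*\]\): SASL [A-Z0-9-]* authentication failed.*/\1/p' \
      | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# True (exit 0) when smtpd could not reach saslauthd at all. That is a
# server misconfiguration (socket path / chroot), not a bad password.
saslauthd_unreachable() {
    printf '%s\n' "$1" | grep -q 'cannot connect to saslauthd server'
}

# Number of failures that are genuine credential rejections.
credential_failures() {
    printf '%s\n' "$1" | grep -c -e 'Password verification failed' -e 'no secret in database'
}

echo "SASL failures per client:"
sasl_failures_by_client "$SAMPLE_LOG"
if saslauthd_unreachable "$SAMPLE_LOG"; then
    echo "saslauthd unreachable: check the socket path under the Postfix chroot"
fi
echo "credential failures: $(credential_failures "$SAMPLE_LOG")"
```

On a real system, feed it the output of `grep 'SASL' /var/log/mail.log` instead of `SAMPLE_LOG`; a single client with a long tail of credential failures is worth a firewall rule, whereas a flood of "cannot connect to saslauthd" lines is the server telling you it cannot verify anyone.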


Made a few other changes to /etc/default/saslauthd:

root@weasel:/etc/default# diff saslauthd.orig saslauthd
3a4,7
> PWDIR="/var/spool/postfix/var/run/saslauthd"
> PARAMS="-m ${PWDIR}"
> PIDFILE="${PWDIR}/saslauthd.pid"
> 
10,11c14,15
< #PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
< PARAMS="-m /var/run/saslauthd"
---
> 
> OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

That got things working and I could suddenly see that my certificate is expired. But I found that attempts to send TLS to my upstream provider, Comcast, were failing, so I took out the smtp_enable_tls.

This is the config that I've wanted. Now I can configure our Thunderbird on the laptop to be able to send mail wherever it is on the net:

outgoing server: weasel.finninday.net
port: 25
secure connection: TLS
Use username and password.

Going further, I took out md5 from the ciphers listed in /etc/postfix/sasl/smtpd.conf and commented out

#allow_plaintext:true

Another postfix reload.

Looks good. Now the logs are pretty clean:

Apr 21 16:22:02 localhost postfix/smtpd[28590]: connect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:02 localhost postfix/smtpd[28590]: setting up TLS connection from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:04 localhost postfix/smtpd[28590]: TLS connection established from PSMFC-fwgt.psmfc.org[205.230.28.193]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 21 16:22:05 localhost postfix/smtpd[28590]: 18DBC1334439: client=PSMFC-fwgt.psmfc.org[205.230.28.193], sasl_method=PLAIN, sasl_username=xxxx
Apr 21 16:22:05 localhost postfix/cleanup[28597]: 18DBC1334439: message-id=<480D2198.6020507@finninday.net>
Apr 21 16:22:05 localhost postfix/qmgr[28565]: 18DBC1334439: from=<xxxx@finninday.net>, size=649, nrcpt=1 (queue active)
Apr 21 16:22:05 localhost postfix/smtpd[28590]: disconnect from PSMFC-fwgt.psmfc.org[205.230.28.193]
Apr 21 16:22:19 localhost postfix/smtpd[28607]: connect from localhost.localdomain[127.0.0.1]
Apr 21 16:22:19 localhost postfix/smtpd[28607]: 9676713348D9: client=localhost.localdomain[127.0.0.1]
Apr 21 16:22:19 localhost postfix/cleanup[28597]: 9676713348D9: message-id=<480D2198.6020507@finninday.net>
Apr 21 16:22:19 localhost postfix/qmgr[28565]: 9676713348D9: from=<xxxx@finninday.net>, size=1112, nrcpt=1 (queue active)
Apr 21 16:22:19 localhost postfix/smtpd[28607]: disconnect from localhost.localdomain[127.0.0.1]
Apr 21 16:22:19 localhost amavis[19645]: (19645-06) Passed CLEAN, [205.230.28.193] [205.230.28.193] <xxxx@finninday.net> -> <xxxx@psmfc.org>, Message-ID: <480D2198.6020507@finninday.net>, mail_id: o1siW-0+w6ed, Hits: -3.343, 14426 ms
Apr 21 16:22:19 localhost postfix/smtp[28598]: 18DBC1334439: to=<xxxx@psmfc.org>, relay=127.0.0.1[127.0.0.1], delay=15, status=sent (250 2.6.0 Ok, id=19645-06, from MTA([127.0.0.1]:10025): 250 Ok: queued as 9676713348D9)
Apr 21 16:22:19 localhost postfix/qmgr[28565]: 18DBC1334439: removed
Apr 21 16:22:20 localhost postfix/smtp[28608]: Host offered STARTTLS: [smtp.g.comcast.net]
Apr 21 16:22:20 localhost postfix/smtp[28608]: 9676713348D9: to=<xxxx@psmfc.org>, relay=smtp.g.comcast.net[76.96.30.117], delay=1, status=sent (250 2.0.0 GPNK1Z00P15fmCg8U00000 mail accepted for delivery)
Apr 21 16:22:20 localhost postfix/qmgr[28565]: 9676713348D9: removed

Troubleshooting

Can't send mail from Dad's house in San Diego

Attempts to send mail from remote locations just hang and eventually time out. There are no entries in the mail logs about failures. The connection must be not even reaching the machine. The firewall is set to allow connections to port 25, but nmap says this:

Interesting ports on c-24-21-185-50.hsd1.mn.comcast.net (24.21.185.50):
Not shown: 1706 filtered ports
PORT    STATE  SERVICE
21/tcp  open   ftp
22/tcp  open   ssh
80/tcp  open   http
143/tcp open   imap
389/tcp open   ldap
443/tcp open   https
445/tcp closed microsoft-ds
993/tcp open   imaps

So the firewall isn't really allowing port 25 through.

Aha, the problem was that the ISP that my father-in-law uses is blocking outbound port 25 traffic. Does it actually reduce spam or just annoy people? They also block outbound traffic on all unprivileged ports. My proposed solution is to use one of the ports they don't block, like ftp, and try to redirect smtp from that port to my port 25. SSH has a way to do this:

ssh -R 21:localhost:25 rday@localhost

But that doesn't quite work: 21 is a privileged port, so I have to be root, and then some config option prevents root from redirecting ports. If I can't figure out the ssh config, I'll have to use some other option.

Redirecting to a non-privileged port works just fine:

ssh -R 2025:localhost:25 rday@localhost

But unfortunately, that is blocked by the ISP.

I may resort to using iptables to do the redirect using something like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 25

Blocked by my own ISP

For my own protection, Comcast shut off my email.

ACTION REQUIRED: Comcast has determined that your computer(s) have been used to send 
unsolicited email ("spam"), which is generally an indicator of a virus. For your own 
protection and that of other Comcast customers, we have taken steps to prevent further
transmission of spam from your computer(s).

I had been sending mail to smtp.comcast.net and receiving mail on port 25 of my own machine. Now when I try to connect to comcast to send mail, it looks like this:

rday@weasel:~$ telnet smtp.comcast.net 25
Trying 76.96.30.117...

But if I try the same thing from work, I get this:

[rday@snapper bin]$ telnet smtp.comcast.net 25
Trying 76.96.30.117...
Connected to smtp.comcast.net.
Escape character is '^]'.
ehlo localhost
220 OMTA09.emeryville.ca.mail.comcast.net comcast ESMTP server ready
250-OMTA09.emeryville.ca.mail.comcast.net hello [69.30.63.162], pleased to meet you
250-HELP
250-AUTH LOGIN PLAIN CRAM-MD5
250-SIZE 15728640
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-STARTTLS
250 OK
quit
221 2.0.0 OMTA09.emeryville.ca.mail.comcast.net comcast closing connection
Connection closed by foreign host.

So I'm on some kind of blacklist for talking to port 25. Current Comcast documentation says that you should use port 587 for sending mail. But I can't find it on their website.

I was able to verify that my home machine can connect to smtp.comcast.net:587 if I authenticate via TLS:

rday@weasel:~$ telnet smtp.comcast.net 587
Trying 76.96.62.117...
Connected to smtp.g.comcast.net.
Escape character is '^]'.
220 OMTA04.westchester.pa.mail.comcast.net comcast ESMTP server ready
ehlo localhost
250-OMTA04.westchester.pa.mail.comcast.net hello [24.21.185.50], pleased to meet you
250-HELP
250-AUTH LOGIN PLAIN CRAM-MD5
250-SIZE 15728640
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-STARTTLS
250 OK
auth plain {magic-mmencoded-token}
235 2.7.0 ... authentication succeeded
quit
221 2.0.0 OMTA04.westchester.pa.mail.comcast.net comcast closing connection
Connection closed by foreign host.

To come up with the magic auth token, I used this formula:

[rday@snapper bin]$ perl -MMIME::Base64 -e \
> 'print encode_base64("\0username\0password");'
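The token is nothing more than base64 over "NUL username NUL password" (RFC 4616's PLAIN format with an empty authorization identity), so anyone who sees it on the wire has the password; that is why the session above negotiates STARTTLS before AUTH. The following shell functions are an added example, not part of the original page, and use constructed placeholder credentials: one builds the token without Perl, the other decodes a token to show what is inside it.

```shell
#!/bin/sh
# Added example: build and inspect an AUTH PLAIN initial response.
# Credentials below are constructed placeholders, not real accounts.

# Encode as RFC 4616 PLAIN: empty authzid, NUL, username, NUL, password.
# tr strips the newline that base64 wraps output with.
sasl_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a token and replace the NUL separators with '|' so the parts
# (authzid, username, password) are visible as text.
sasl_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\000' '|'
}

token=$(sasl_plain_token "username" "password")
echo "AUTH PLAIN $token"
echo "decoded: $(sasl_plain_decode "$token")"
```

Pasting the token into a plaintext `telnet ... 25` session discloses the password to every network the packets cross; use it only after STARTTLS, or over the submission port with TLS as the page does.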

Now I need to tell postfix to connect that way for sending mail. In order to receive mail, I'll probably have to buy a port deflector service like they describe in this post: http://www.lockergnome.com/usrbingeek/2007/04/12/comcast-blocking-port-25/ . Here is a better link to the no-ip reflector service: http://www.no-ip.com/support/guides/email/blocked_port_25.html

I spent a quick $40 on no-ip.com reflector service, repointed the MX records for my domain to no-ip.com, and started up mail service on a non-standard port. And it works! Now Comcast has to go to a lot more trouble to shut off my email. And in the meantime, it looks like it will be feasible to switch to business class DSL with a static IP address and non-filtered ports and everything. Yay. Thanks Comcast, for finally pushing me into better, cheaper service with a different provider.