Solved

SMTP AUTH using Postfix

Posted on 2004-03-25
14
1,347 Views
Last Modified: 2013-12-16
I'm trying to get SMTP AUTH working in Postfix, but I'm not having any success.

here is my main.cf file:

command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix
sample_directory = /usr/share/doc/postfix/examples
readme_directory = /usr/share/doc/postfix
manpage_directory = /usr/share/man
setgid_group = postdrop

# appending .domain is the MUA's job.
append_dot_mydomain = no

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# Uncomment the next line to generate delayed mail warnings
delay_warning_time = 4h

myhostname = namelesswonder.domain.co.uk
mydomain = domain.co.uk
#smtpd_sasl_local_domain = domain.co.uk
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/sasl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/sasl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/sasl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myorigin = /etc/mailname
mydestination = domain.co.uk, namelesswonder.domain.co.uk, localhost.domain.co.uk
relayhost = relay.isp.net
mynetworks = 172.16.0.0/16, 127.0.0.0/8
mailbox_command =
mailbox_size_limit = 0
recipient_delimiter = +
home_mailbox = Maildir/

------------------------

I've commented out the lines that cause my SMTP server to freeze.

Without them, I get:
root@namelesswonder [19:45:53 Thu Mar 25]
/etc/postfix>telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 namelesswonder.domain.co.uk ESMTP Postfix (Debian/GNU)
QUIT
Connection closed by foreign host.

With them, I get:
root@namelesswonder [19:45:53 Thu Mar 25]
/etc/postfix>telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

---------------------------------

I am using Debian-3.0, and using the unstable sources for apt.

I installed sasl using apt-get install sasl2-bin

----------------------------------

I'm offering the points to the person who can help me get SMTP AUTH working on this server.
Question by:neur0maniak
14 Comments
 
LVL 9

Expert Comment

by:Alf666
ID: 10681023
Get rid of all lines like smtp_*tls*. They enable auth on smtp sending to other sites.


What should be enough:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

smtpd_tls_key_file = /etc/postfix/sasl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/sasl/smtpd.crt
smtpd_use_tls = yes

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600
broken_sasl_auth_clients = yes
0
 
LVL 1

Author Comment

by:neur0maniak
ID: 10682108
I've tried your log, removed all lines with smtpd and replaced them with the ones you've shown, and the connection closes immediately.

I don't think this is as much a configuration error, as it is SASL not doing what it's supposed to.

It seems that only when SASL has been told to AUTH_ENABLE does the config cause the smtp server to do nothing when connected to. As if the SMTP server is trying to use SASL but it's broken and SMTP just hangs.

I've reverted back to the working version of the main.cf I have (listed in the question). As it's the closest thing I have to working how I want.

Is there any way to see if SASL is working like it should be?
0
 
LVL 9

Expert Comment

by:Alf666
ID: 10682281
Hardly. But you might want to check /var/log/messages and /var/log/mail.log.

There's a good chance postfix will tell you why it's not working.

Did you configure sasl ?

In /usr/lib/sasl, you should find libraries.
You should create a file named smtpd.conf containing the following line :

pwcheck_method: pam

(unless you want to work against ldap, but that's another issue/question).

Then, you should have a file named smtp in /etc/pam.d containing
auth    required        /lib/security/pam_unix.so
account required        /lib/security/pam_unix.so
0
 
LVL 1

Author Comment

by:neur0maniak
ID: 10682949
I've been following a load of HOWTOs on the subject; I'm not really sure if SASL is configured or not.

But I've created a file called /usr/lib/sasl/smtpd.conf containing "pwcheck_method: pam" - Is that correct for comparing against local unix users?
I already had a /etc/pam.d but had 'sufficient' instead of 'required'. I've changed that now.

Also, something that hasn't changed but might be worth a note:

contents of: /etc/default/saslauthd
# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="shadow pam"
--------

Is that correct?



Even with all these changes, when I enable the commented AUTH lines of the main.cf, I still get no response from my smtp server, but it is fine without them.
0
 
LVL 9

Expert Comment

by:Alf666
ID: 10682998
Your config looks fine.
Did you check the logfiles I mentioned ?
0
 
LVL 1

Author Comment

by:neur0maniak
ID: 10683045
/var/log/messages:  nothing to do with mail is in there... kernel driver information stuff...

/var/log/mail.log:

Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: unable to get private key from '/etc/postfix/sasl/smtpd.key'
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: 1473:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:pem_lib.c:105:
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: 1473:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:401:
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: 1473:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: TLS engine: cannot load RSA cert/key data
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: fatal: no SASL authentication mechanisms
Mar 25 23:57:40 namelesswonder postfix/master[1451]: warning: process /usr/lib/postfix/smtpd pid 1473 exit status 1
Mar 25 23:57:40 namelesswonder postfix/master[1451]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

/var/log/mail.err:
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: fatal: no SASL authentication mechanisms

-----
could this be related to having a passkey protected smtpd.key file? Can I fix that?

-----
in /user/lib/postfix/smtpd:
[]ELF[][][]

I could have sworn that wasn't there originally...



0
 
LVL 1

Author Comment

by:neur0maniak
ID: 10683142
Another thing to note is that

using testsaslauthd works fine for checking authentication...
0
 
LVL 9

Accepted Solution

by:
Alf666 earned 235 total points
ID: 10685501
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: TLS engine: cannot load RSA cert/key data
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: fatal: no SASL authentication mechanisms

That's your problem.

You did not generate your certificates, did you?
You can not initiate an SSL secured channel without having a server public/private key pair.

I suggest the following page (among others):

http://ezine.daemonnews.org/200306/postfix-sasl.html

The interesting chapter is "TLS configuration".

The specific method puts all your certificate info in a single file. You'll have to modify your main.cf accordingly.

After that, you should not be far from a working postfix/TLS.

But, please, take away these two lines (or comment them out) :

smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes


0
 
 
LVL 1

Author Comment

by:neur0maniak
ID: 10686865
Now without using TLS or any certificates at all (until plain old AUTH works..)

I'm getting this in /var/log/mail.log:

Mar 26 13:28:54 namelesswonder postfix/smtpd[4489]: fatal: no SASL authentication mechanisms
Mar 26 13:28:55 namelesswonder postfix/master[4484]: warning: process /usr/lib/postfix/smtpd pid 4489 exit status 1
Mar 26 13:28:55 namelesswonder postfix/master[4484]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

----

Although:
in /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

Once this is working I feel confident that I'll be able to get TLS back on my own...
0
 
LVL 1

Author Comment

by:neur0maniak
ID: 10686975
I think I have found a solution
----

apt-get install libsasl2-modules

----
once I installed this, it started to work. I would have assumed APT would have included it when getting sasl...

Thanks for your help Alf666
0
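The two fatal lines in this thread (the OpenSSL "bad password read" on smtpd.key, and "no SASL authentication mechanisms" fixed by installing libsasl2-modules) are worth recognising quickly the next time they appear in mail.log. The script below is an added example, not code from the original thread: diagnose_mail_log() tags those failures from log lines on stdin, explain() maps each tag to the remedy the thread reached, and key_is_encrypted() checks whether a PEM key is passphrase-protected, which smtpd cannot load because it has no terminal to answer OpenSSL's prompt. The tag names and function names are this example's own, and the sample log is constructed from the lines quoted in the question.

```shell
#!/bin/sh
# Added example, not from the original thread. Tags the postfix/smtpd
# fatal lines quoted in the question, maps them to the remedies the thread
# reached, and detects a passphrase-protected PEM key (smtpd has no
# terminal on which to answer OpenSSL's passphrase prompt).

# Print one tag per distinct failure, in a fixed order, reading log lines on stdin.
diagnose_mail_log() {
    key=0; mech=0; start=0
    while IFS= read -r line; do
        case "$line" in
            *'unable to get private key'*|*'bad password read'*) key=1 ;;
            *'fatal: no SASL authentication mechanisms'*)         mech=1 ;;
            *'bad command startup -- throttling'*)                start=1 ;;
        esac
    done
    [ "$key" -eq 1 ]   && echo KEY_PASSPHRASE
    [ "$mech" -eq 1 ]  && echo NO_SASL_MECH
    [ "$start" -eq 1 ] && echo SMTPD_STARTUP_FAIL
    return 0
}

# Tag -> remedy. Tag names are this example's own, not Postfix terms.
explain() {
    case "$1" in
        KEY_PASSPHRASE)
            echo 'passphrase-protected key: openssl rsa -in smtpd.key -out smtpd-nopass.key; chmod 600 the new file and point smtpd_tls_key_file at it' ;;
        NO_SASL_MECH)
            echo 'no SASL mechanism plugins loaded: apt-get install libsasl2-modules; keep mech_list: plain login in /usr/lib/sasl2/smtpd.conf' ;;
        SMTPD_STARTUP_FAIL)
            echo 'smtpd exits at startup, so telnet sees the connection close before any 220 banner; fix the fatal error above and restart postfix' ;;
        *)  echo "unknown tag: $1" >&2; return 1 ;;
    esac
}

# Exit 0 if the PEM file is passphrase-protected (traditional or PKCS#8 form).
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Constructed sample: the Mar 25 lines from the question, trimmed.
SAMPLE_LOG=$(cat <<'EOF'
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: unable to get private key from '/etc/postfix/sasl/smtpd.key'
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: 1473:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:401:
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: fatal: no SASL authentication mechanisms
Mar 25 23:57:40 namelesswonder postfix/master[1451]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
EOF
)
printf '%s\n' "$SAMPLE_LOG" | diagnose_mail_log | while read -r tag; do explain "$tag"; done
```

Run it against a live box with `diagnose_mail_log < /var/log/mail.log` and `key_is_encrypted /etc/postfix/sasl/smtpd.key`; an encrypted key needs the passphrase stripped before smtpd will start with TLS enabled.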
