Solved

SMTP AUTH using Postfix

Posted on 2004-03-25
Last Modified: 2013-12-16
I'm trying to get SMTP AUTH working in Postfix, but I'm not having any success.

here is my main.cf file:

command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix
sample_directory = /usr/share/doc/postfix/examples
readme_directory = /usr/share/doc/postfix
manpage_directory = /usr/share/man
setgid_group = postdrop

# appending .domain is the MUA's job.
append_dot_mydomain = no

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# Uncomment the next line to generate delayed mail warnings
delay_warning_time = 4h

myhostname = namelesswonder.domain.co.uk
mydomain = domain.co.uk
#smtpd_sasl_local_domain = domain.co.uk
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/sasl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/sasl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/sasl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myorigin = /etc/mailname
mydestination = domain.co.uk, namelesswonder.domain.co.uk, localhost.domain.co.uk
relayhost = relay.isp.net
mynetworks = 172.16.0.0/16, 127.0.0.0/8
mailbox_command =
mailbox_size_limit = 0
recipient_delimiter = +
home_mailbox = Maildir/

------------------------

I've commented out the lines that cause my SMTP server to freeze.

Without them, I get:
root@namelesswonder [19:45:53 Thu Mar 25]
/etc/postfix>telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 namelesswonder.domain.co.uk ESMTP Postfix (Debian/GNU)
QUIT
Connection closed by foreign host.

With them, I get:
root@namelesswonder [19:45:53 Thu Mar 25]
/etc/postfix>telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

---------------------------------

I am using Debian-3.0, and using the unstable sources for apt.

I installed sasl using apt-get install sasl2-bin

----------------------------------

I'm offering the points to the person who can help me get SMTP AUTH working on this server.
Question by:neur0maniak
14 Comments
 
LVL 9

Expert Comment

by:Alf666
ID: 10681023
Get rid of all lines like smtp_*tls*. They enable auth on smtp sending to other sites.


What should be enough:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

smtpd_tls_key_file = /etc/postfix/sasl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/sasl/smtpd.crt
smtpd_use_tls = yes

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600
broken_sasl_auth_clients = yes
0
 
LVL 1

Author Comment

by:neur0maniak
ID: 10682108
I've tried your log, removed all lines with smtpd and replaced them with the ones you've shown, and the connection closes immediately.

I don't think this is as much a configuration error as it is SASL not doing what it's supposed to.

It seems that only when SASL has been told to AUTH_ENABLE does the config cause the smtp server to not do anything when connected to. As if the SMTP server is trying to use SASL but it's broken and SMTP just hangs.

I've reverted back to the working version of the main.cf I have (listed in the question), as it's the closest thing I have to working how I want.

Is there any way to see if SASL is working like it should be?
0
 
LVL 9

Expert Comment

by:Alf666
ID: 10682281
Hardly. But you might want to check /var/log/messages and /var/log/mail.log.

There's a good chance postfix will tell you why it's not working.

Did you configure sasl?

In /usr/lib/sasl, you should find libraries.
You should create a file named smtpd.conf containing the following line:

pwcheck_method: pam

(unless you want to work against ldap, but that's another issue/question).

Then, you should have a file named smtp in /etc/pam.d containing
auth    required        /lib/security/pam_unix.so
account required        /lib/security/pam_unix.so
0
 
LVL 1

Author Comment

by:neur0maniak
ID: 10682949
I've been following a load of HOWTOs on the subject; I'm not really sure if SASL is configured or not.

But I've created a file called /usr/lib/sasl/smtpd.conf containing "pwcheck_method: pam" - Is that correct for comparing against local unix users?
I already had a /etc/pam.d but had 'sufficient' instead of 'required'. I've changed that now.

Also, something that hasn't changed but might be worth a note:

contents of: /etc/default/saslauthd
# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="shadow pam"
--------

Is that correct?



Even with all these changes, when I enable the commented AUTH lines of the main.cf, I still get no response from my smtp server, but it is fine without them.
0
 
LVL 9

Expert Comment

by:Alf666
ID: 10682998
Your config looks fine.
Did you check the logfiles I mentioned?
0
 
LVL 1

Author Comment

by:neur0maniak
ID: 10683045
/var/log/messages:  nothing to do with mail is in there... kernel driver information stuff...

/var/log/mail.log:

Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: unable to get private key from '/etc/postfix/sasl/smtpd.key'
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: 1473:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:pem_lib.c:105:
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: 1473:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:401:
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: 1473:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: TLS engine: cannot load RSA cert/key data
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: fatal: no SASL authentication mechanisms
Mar 25 23:57:40 namelesswonder postfix/master[1451]: warning: process /usr/lib/postfix/smtpd pid 1473 exit status 1
Mar 25 23:57:40 namelesswonder postfix/master[1451]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

/var/log/mail.err:
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: fatal: no SASL authentication mechanisms

-----
Could this be related to having a passkey-protected smtpd.key file? Can I fix that?

-----
in /user/lib/postfix/smtpd:
[]ELF[][][]

I could have sworn that wasn't there originally...



0
 
LVL 1

Author Comment

by:neur0maniak
ID: 10683142
Another thing to note is that

using testsaslauthd works fine for checking authentication...
0
LVL 9

Accepted Solution

by:
Alf666 earned 235 total points
ID: 10685501
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: TLS engine: cannot load RSA cert/key data
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: fatal: no SASL authentication mechanisms

That's your problem.

You did not generate your certificates, did you?
You can not initiate an SSL secured channel without having a server public/private key pair.

I suggest the following page (among others):

http://ezine.daemonnews.org/200306/postfix-sasl.html

The interesting chapter is "TLS configuration".

The specific method puts all your certificate info in a single file. You'll have to modify your main.cf accordingly.

After that, you should not be far from a working postfix/TLS.

But, please, take away these two lines (or comment them out):

smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes


0
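The two log lines quoted in this answer are separate problems: the PEM "problems getting password" errors come from smtpd trying to load a passphrase-protected key it cannot prompt for (Postfix requires an unencrypted server key), while the line marked "fatal" is what actually ends the process and triggers master's throttling. As an added example that is not part of this thread, here is a small triage script that classifies such startup failures per smtpd pid; the sample lines are constructed from the question's /var/log/mail.log excerpt, and the remediation strings summarise the fixes discussed in the thread plus the unencrypted-key requirement.

```python
import re
from collections import defaultdict

# Constructed sample: the smtpd/master lines from the question's /var/log/mail.log excerpt.
SAMPLE_LOG = """\
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: unable to get private key from '/etc/postfix/sasl/smtpd.key'
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: 1473:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:pem_lib.c:105:
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: TLS engine: cannot load RSA cert/key data
Mar 25 23:57:39 namelesswonder postfix/smtpd[1473]: fatal: no SASL authentication mechanisms
Mar 25 23:57:40 namelesswonder postfix/master[1451]: warning: process /usr/lib/postfix/smtpd pid 1473 exit status 1
Mar 25 23:57:40 namelesswonder postfix/master[1451]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
"""

# syslog prefix: "Mon DD HH:MM:SS host postfix/prog[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<prog>postfix/\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Message patterns -> (label, remediation as discussed in the thread).
CAUSES = [
    (re.compile(r"problems getting password|bad password read"), "tls_key_passphrase",
     "smtpd cannot prompt for a passphrase: give it an unencrypted private key (root-owned, mode 0600)"),
    (re.compile(r"unable to get private key|cannot load RSA cert/key data"), "tls_key_unreadable",
     "check smtpd_tls_key_file/smtpd_tls_cert_file paths and that key and cert match"),
    (re.compile(r"no SASL authentication mechanisms"), "sasl_no_mechanisms",
     "no usable SASL plugins: install libsasl2-modules and set mech_list in smtpd.conf"),
]

def triage(log_text):
    """Map each smtpd pid that master reports as failed at startup to its causes (only
    the "fatal" entries actually killed the process; the TLS lines are non-fatal noise)."""
    seen = defaultdict(lambda: {"causes": [], "fatal": [], "exit_status": None, "throttled": False})
    last_failed = None  # pid of the most recent "exit status" report, for the throttling line
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m.group("prog"), m.group("pid"), m.group("msg")
        if prog == "postfix/smtpd":
            if msg.startswith("fatal: "):
                seen[pid]["fatal"].append(msg[len("fatal: "):])
            for pat, label, fix in CAUSES:
                if pat.search(msg) and label not in (c[0] for c in seen[pid]["causes"]):
                    seen[pid]["causes"].append((label, fix))
        elif prog == "postfix/master":
            exit_m = re.search(r"pid (\d+) exit status (\d+)", msg)
            if exit_m:
                last_failed = exit_m.group(1)
                seen[last_failed]["exit_status"] = int(exit_m.group(2))
            elif "bad command startup -- throttling" in msg and last_failed:
                seen[last_failed]["throttled"] = True
    return {pid: f for pid, f in seen.items() if f["exit_status"] is not None}  # failed pids only
```

Run `triage(open("/var/log/mail.log").read())` on a real log to get one entry per smtpd that master reported as dead, with the fatal line separated from the non-fatal TLS warnings.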
 
LVL 1

Author Comment

by:neur0maniak
ID: 10686865
Now, without using TLS or any certificates at all (until plain old AUTH works..),

I'm getting this in /var/log/mail.log:

Mar 26 13:28:54 namelesswonder postfix/smtpd[4489]: fatal: no SASL authentication mechanisms
Mar 26 13:28:55 namelesswonder postfix/master[4484]: warning: process /usr/lib/postfix/smtpd pid 4489 exit status 1
Mar 26 13:28:55 namelesswonder postfix/master[4484]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

----

Although:
in /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

Once this is working I feel confident that I'll be able to get TLS back on my own...
0
 
LVL 1

Author Comment

by:neur0maniak
ID: 10686975
I think I have found a solution.
----

apt-get install libsasl2-modules

----
Once I installed this, it started to work. I would have assumed APT would have included it when getting sasl...

Thanks for your help Alf666
0