This might be of some use: I turned on MySQL logging for all queries.
Postfix calls these three files (I'll include their contents as well and
have omitted sensitive information):
mysql_virtual_domains_maps.cf
user = USER
password = PASSWORD
hosts = localhost
dbname = DBNAME
query = SELECT domain FROM domain WHERE domain='%u'
mysql_virtual_alias_maps.cf
user = USER
password = PASSWORD
hosts = localhost
dbname = DBNAME
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'
mysql_virtual_mailbox_maps.cf
user = USER
password = PASSWORD
hosts = localhost
dbname = DBNAME
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
I've run all the queries from the MySQL CLI and get results when I query a
valid username, email address, or domain.
After turning on MySQL logging, and trying to use Outlook Express to send a
mail to a gmail account, this is what my /var/log/mysql-query.log looks
like:
090228 21:08:22 13 Connect u...@localhost on DBNAME
13 Query SELECT goto FROM alias WHERE address='
yyy.com' AND active = '1'
14 Connect u...@localhost on DBNAME
14 Query SELECT domain FROM domain WHERE domain='
yyy.com'
13 Query SELECT goto FROM alias WHERE address='
gmail.com' AND active = '1'
14 Query SELECT domain FROM domain WHERE domain='
gmail.com'
My /usr/lib/sasl2/smtpd.conf looks like this:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
I have saslauthd started, however all the documentation I read on how to
install Postfix, Dovecot, MySQL, and SASL never mentioned starting it up.
I've tested both with it started and with it not.
What in the world am I overlooking? Any suggestions?
On Sat, Feb 28, 2009 at 6:16 PM, Big Pizzle <[email protected]> wrote:
>
>
> On Sat, Feb 28, 2009 at 12:15 PM, Sahil Tandon <[email protected]> wrote:
>
>> On Sat, 28 Feb 2009, Big Pizzle wrote:
>>
>> > On Sat, Feb 28, 2009 at 11:47 AM, Sahil Tandon <[email protected]>
>> wrote:
>> >
>> > > On Sat, 28 Feb 2009, Big Pizzle wrote:
>> > >
>> > > > Hi all,
>> > > >
>> > > > I've just set up Postfix 2.3.3 to authenticate against a MySQL database
>> > > > to support Virtual Domains, and I'm able to send mail to any domain
>> > > > which Postfix knows about, but when I send an e-mail to an outside
>> > > > address such as hotmail, yahoo, etc. I get the following error message
>> > > > in the logs:
>> > > >
>> > > > Feb 27 22:09:52 juter1 postfix/smtpd[27104]: NOQUEUE: reject: RCPT from
>> > > > h-68-167-178-13.snid.cod.net[xx.xxx.xxx.xx]: 554 5.7.1 <[email protected]>:
>> > > > Relay access denied; from=<[email protected]> to=<[email protected]>
>> > > > proto=SMTP helo=<homebase>
>> > >
>> > > If you're going to obfuscate the IP, at least take care to similarly cloak
>> > > your client's hostname!
>> > >
>> > > % host h-68-167-178-13.snid.cod.net
>> > > h-68-167-178-13.snid.cod.net has address 82.98.86.161
>> > >
>> >
>> > Thanks, but that isn't my IP - guess I did a pretty good job eh? If you
>> > want me to point out WHERE you can find my IP, it's in the first portion of
>> > that hostname - cod.net isn't my provider. :)
>>
>> Why obfuscate your *covad* IP when it is in the hostname?
>>
>> > > > Here are my main.cf configs:
>> > >
>> > > Instead, follow the directions in the DEBUG_README, and paste the output
>> > > of 'postconf -n'.
>> >
>> >
>> > alias_maps =
>> > broken_sasl_auth_clients = yes
>> > command_directory = /usr/sbin
>> > config_directory = /etc/postfix
>> > daemon_directory = /usr/libexec/postfix
>> > debug_peer_level = 2
>> > disable_vrfy_command = yes
>> > html_directory = no
>> > inet_interfaces = localhost, $myhostname
>>
>> $myhostname is not an interface. See:
>> http://www.postfix.org/postconf.5.html#inet_interfaces
>>
>> > invalid_hostname_reject_code = 450
>> > local_transport = virtual
>> > mail_owner = postfix
>> > mailq_path = /usr/bin/mailq.postfix
>> > manpage_directory = /usr/share/man
>> > maps_rbl_reject_code = 450
>> > mydestination = $myhostname, localhost.$mydomain, localhost
>> > myhostname = xxx.yyy.com
>> > mynetworks = 127.0.0.0/8
>> > newaliases_path = /usr/bin/newaliases.postfix
>> > non_fqdn_reject_code = 450
>> > queue_directory = /var/spool/postfix
>> > readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
>> > sample_directory = /usr/share/doc/postfix-2.3.3/samples
>> > sendmail_path = /usr/sbin/sendmail.postfix
>> > setgid_group = postdrop
>> > show_user_unknown_table_name = no
>> > smtpd_helo_required = yes
>> > smtpd_recipient_restrictions = permit_mynetworks
>> > permit_sasl_authenticated reject_unauth_destination
>> > smtpd_sasl_auth_enable = yes
>> > smtpd_sasl_exceptions_networks = $mynetworks
>> > smtpd_sasl_local_domain = $myhostname
>> > smtpd_sasl_path = /var/spool/postfix/private/auth
>> > smtpd_sasl_security_options = noanonymous
>> > smtpd_sasl_type = dovecot
>> > unknown_local_recipient_reject_code = 550
>> > virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
>> > virtual_gid_maps = static:10000
>> > virtual_mailbox_base = /home/vmail
>> > virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
>> > virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
>> > virtual_minimum_uid = 10000
>> > virtual_transport = virtual
>> > virtual_uid_maps = static:10000
>> >
>> > > > When telnetting to port 25, and issuing the EHLO command, I get the
>> > > > following:
>> > > >
>> > > > 250-jupiter1.national.com
>> > > > 250-PIPELINING
>> > > > 250-SIZE 10240000
>> > > > 250-ETRN
>> > > > 250-ENHANCEDSTATUSCODES
>> > > > 250-8BITMIME
>> > > > 250 DSN
>> > > >
>> > > > I don't see anywhere where it shows what authentication mechanism I am
>> > > > using. Could this be the issue? I want people to be required to
>> > > > authenticate if they are going to be sending mail from this server to
>> > > > external addresses. 'My Server Requires Authentication' is checked in my
>> > > > mail client.
>> > >
>> > > Your server appears configured to support SASL but not TLS (following
>> > > EHLO, it does not announce STARTTLS support to the SMTP client). You need
>> > > to show your postconf output, specifically the smtpd_mumble_restrictions,
>> > > which is where you can require SASL authentication to relay mail
>> > > externally. From your question, I suspect you are conflating SASL and
>> > > TLS. See:
>> > > http://www.postfix.org/TLS_README.html
>> > > http://www.postfix.org/SASL_README.html
>> >
>> >
>> > It was my understanding that TLS was for secure connections - do I need TLS
>> > as well in order for SASL to work?
>>
>> Nay, but don't look for special announcements after EHLO to tell you that the
>> server supports SASL. Testing SASL setup on the server is documented in the
>> link I pasted above. Here it is again, this time with a specific section:
>> http://www.postfix.org/SASL_README.html#server_test
>>
>> --
>> Sahil Tandon <[email protected]>
>>
>
>
> Thanks for the link Sahil. I've run sasl2-sample-server and
> sasl2-sample-client, here are the outputs from both (I made a few changes,
> adding TLS per mouss' suggestion but I'm still getting relay access
> denied). Here's a quick legend as to what means what:
>
> xxx = hostname
> yyy.com = domain name
> fff.com = one of the virtual domains hosted on the xxx.yyy.com machine.
>
>
> sasl2-sample-server:
> [r...@xxx postfix]# sasl2-sample-server
> trying 2, 1, 6
> trying 10, 1, 6
> socket: Address family not supported by protocol
> accepted new connection
> send: {9}
> ANONYMOUS
> recv: {9}
> ANONYMOUS
> recv: {1}
> Y
> recv: {32}
> [email protected]@xxx
> successful authentication 'anonymous'
> closing connection
> accepted new connection
> send: {9}
> ANONYMOUS
> recv: {9}
> ANONYMOUS
> recv: {1}
> Y
> recv: {12}
> g...@xxx
> successful authentication 'anonymous'
> closing connection
>
>
>
> sasl2-sample-client:
> [r...@xxx sample]# sasl2-sample-client localhost
> receiving capability list... recv: {9}
> ANONYMOUS
> ANONYMOUS
> please enter an authorization id: [email protected]
> send: {9}
> ANONYMOUS
> send: {1}
> Y
> send: {32}
> [email protected]@xxx
> successful authentication
> closing connection
> [r...@xxx sample]# sasl2-sample-client localhost
> receiving capability list... recv: {9}
> ANONYMOUS
> ANONYMOUS
> please enter an authorization id: ger
> send: {9}
> ANONYMOUS
> send: {1}
> Y
> send: {12}
> g...@xxx
> successful authentication
> closing connection
>
>
> This is what I see in the logs:
> Feb 28 17:45:09 xxx sasl2-sample-server: sql_select option missing
> Feb 28 17:45:09 xxx sasl2-sample-server: auxpropfunc error no mechanism available
> Feb 28 17:45:09 xxx sasl2-sample-server: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
>
>
> *I notice that it's attaching @xxx to whatever username I enter - could
> that be (one of) the issue(s) at hand? *
>
>
> I'm using Dovecot's SASL mechanism inside Postfix. I will post my
> dovecot.conf configuration as well as the output of postfix -n below:
>
> /etc/dovecot.conf:
>
> protocols = imap pop3
> disable_plaintext_auth = no
> mail_location = maildir:/var/mail/%d/%u
> first_valid_uid = 10000
> last_valid_uid = 10000
> maildir_copy_with_hardlinks = yes
>
> protocol imap {
> imap_client_workarounds = outlook-idle delay-newmail
> }
>
> protocol pop3 {
> pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
> }
>
> protocol lda {
> postmaster_address = [email protected]
> log_path = /var/log/dovecot-deliver.log
> info_log_path = /var/log/dovecot-deliver.log
> }
>
> auth default {
> mechanisms = plain login
>
> passdb sql {
> args = /etc/dovecot/sql.conf
> }
>
> userdb passwd {
> }
>
> userdb sql {
> args = /etc/dovecot/sql.conf
> }
>
> userdb prefetch {
> }
>
> user = root
>
> socket listen {
> master {
> path = /var/run/dovecot/auth-master
> mode = 0600
> user = vmail
> group = vmail
> }
> client {
> path = /var/spool/postfix/private/auth
> mode = 0660
> user = postfix
> group = postfix
> }
> }
> }
>
> dict {
> }
>
> plugin {
> }
>
>
>
>
>
> postfix -n output:
>
> alias_maps =
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> disable_vrfy_command = yes
> html_directory = no
> inet_interfaces = all
> invalid_hostname_reject_code = 450
> local_transport = virtual
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> maps_rbl_reject_code = 450
> mydestination = $myhostname, localhost.$mydomain, localhost
> myhostname = xxx.yyy.com
> mynetworks = 127.0.0.0/8
> newaliases_path = /usr/bin/newaliases.postfix
> non_fqdn_reject_code = 450
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> show_user_unknown_table_name = no
> smtp_use_tls = no
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /usr/local/ssl/xxx.yyy.com.crt
> smtpd_tls_key_file = /usr/local/ssl/xxx.yyy.com.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:/etc/postfix/tls_smtpd_scache
> smtpd_use_tls = yes
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> virtual_gid_maps = static:10000
> virtual_mailbox_base = /home/vmail
> virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
> virtual_minimum_uid = 10000
> virtual_transport = virtual
> virtual_uid_maps = static:10000
>
>
>
> my /etc/postfix/master.cf has the following:
> smtp inet n - n - - smtpd
> smtps inet n - n - - smtpd
> -o smtpd_sasl_auth_enable=yes
>
>
> Here's a telnet output to port 25:
> xxx:~# telnet xxx.yyy.com 25
> Trying 123.123.123.123...
> Connected to xxx.
> Escape character is '^]'.
> 220 xxx.yyy.com ESMTP Postfix
> ehlo local
> 250-xxx.yyy.com
> 250-PIPELINING
> 250-SIZE 10240000
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> quit
> 221 2.0.0 Bye
> Connection closed by foreign host.
> Exit 1
>
>
>
> Dovecot works just fine - I'm able to telnet to port 110 and authenticate
> with a legitimate username and password (using [email protected] as the
> username).
>
> Thanks for all the help. Hopefully someone can see something I can't.
>