On 09/09/2023 at 19:53, Viktor Dukhovni via Postfix-users wrote:
On Sat, Sep 09, 2023 at 07:37:13PM +0200, François Patte via Postfix-users 
wrote:

As my postfix install is configured, I get only (in mail-log):

Sep  9 16:50:49 myserver postfix/qmgr[205575]: 92BEFB4BEA:
from=<r...@myserver.fqdn>, size=484, nrcpt=1 (queue active)
Sep  9 16:50:49 myserver postfix/smtp[205832]: 92BEFB4BEA:
to=<francois.pa...@gmx.fr>, relay=my-fai-smtp[x.x.x.x]:465, delay=0.22,
delays=0.04/0.08/0.08/0.02, dsn=5.0.0, status=bounced (host
my-fai-smtps[x.x.x.x] said: 530 Authentication required (in reply to
MAIL FROM command))

      https://www.postfix.org/DEBUG_README.html#mail

It looks like you "tampered" with the logs.  They don't match your
reported configuration below.

postconf -n

relayhost = [myfai.fqdn]:465

This is not equal to "my-fai-smtp".

smtp_tls_wrappermode = yes

Good, needed for transmission via port 465.

smtp_enforce_tls = yes
smtp_use_tls = yes

These are obsolete and redundant.

smtp_tls_security_level = encrypt

If the relay has a valid certificate, make that "secure".

smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs

Otherwise, no need to bother with CAfile / CApath.

You should also have "smtp_tls_loglevel = 1".

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtp_tls_verify_cert_match = myhost.fqdn

More needless tampering with the configuration.  The real setting is
surely not secret, and should be equal to what you expect to find in the
relayhost's certificate.  And this is only needed if the security level
is "verify", but it is currently "encrypt" (should be "secure", with
the corresponding "cert_match" set if need be).

smtpd_sasl_auth_enable = yes

You probably don't want this.

smtpd_tls_security_level = encrypt

Nor this, except on the submission services in master.cf.

      https://www.postfix.org/SASL_README.html#client_sasl

My main.cf has the same values for the smtp_xxx listed on the page;
other values are the default ones given by the postfix package.

You're obfuscating the essential hostnames, making help needlessly
difficult.  Did you read the text in SASL_README that explains the
lookup key syntax for the password table, when using "[]" and/or ":port"
in the relay name?

You probably have the wrong lookup key syntax.


Hi,

I added the cyrus-sasl-plain package and modified my main.cf:

#postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 3.7
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination =
myhostname = myhost.fqdn
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relayhost = [smtp.myfai.fqdn]:465
sample_directory = /usr/share/doc/postfix/samples
sender_canonical_maps =
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_enforce_tls = no
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_tls_verify_cert_match = myhost.fqdn
smtp_tls_wrappermode = yes
smtp_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_security_level = secure
unknown_local_recipient_reject_code = 550
(reverse-i-search)`cyru': dnf install cyrus-sasl-plain

and now, if I try to send a mail the maillog says:

Sep 10 08:31:30 pingala postfix/pickup[216370]: 9A2ECB6DCF: uid=0
from=<root>
Sep 10 08:31:30 pingala postfix/cleanup[216474]: 9A2ECB6DCF:
message-id=<20230910083130.9a2ecb6...@myhost.fqdn>
Sep 10 08:31:30 pingala postfix/qmgr[216371]: 9A2ECB6DCF:
from=<r...@myhost.fqdn>, size=484, nrcpt=1 (queue active)
Sep 10 08:31:30 pingala postfix/smtp[216476]: Trusted TLS connection
established to smtp.myfai.fqdn[x.x.x.x]:465: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
server-signature RSA-PSS (2048 bits) server-digest SHA256
Sep 10 08:31:30 pingala postfix/smtp[216476]: 9A2ECB6DCF: SASL
authentication failed; server smtp.myfai.fqdn[x.x.x.x] said: 535
Authentication credentials invalid
Sep 10 08:31:30 pingala postfix/smtp[216476]: Trusted TLS connection
established to smtp.myfai.fqdn[x.x.x.x]:465: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
server-signature RSA-PSS (2048 bits) server-digest SHA256
Sep 10 08:31:30 pingala postfix/smtp[216476]: 9A2ECB6DCF:
to=<my-email-address>, relay=smtp.myfai.fqdn[x.x.x.x]:465, delay=0.32,
delays=0.03/0.06/0.24/0, dsn=4.0.0, status=deferred (SASL authentication
failed; server smtp.myfai.fqdn[x.x.x.x] said: 535 Authentication
credentials invalid)


It seems that the connection with the relay host is opened but why are
the credentials rejected? These credentials work perfectly if I use ssmtp!

Thank you for helping.

F.P.
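
The lookup-key rule from SASL_README mentioned in the quoted reply above (the smtp_sasl_password_maps key is written in the same form as relayhost, including "[]" and ":port"), as an added example that is not part of the original message: a Python check run over constructed `postconf -n` and sasl_passwd text. The host name smtp.isp.example, the credentials and the function names are assumptions for illustration.

```python
# Constructed sample input: host name and credentials are placeholders.
MAIN_CF = """\
relayhost = [smtp.isp.example]:465
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
"""
SASL_PASSWD_BAD = "smtp.isp.example  user@isp.example:placeholder-password\n"
SASL_PASSWD_GOOD = "[smtp.isp.example]:465  user@isp.example:placeholder-password\n"


def parse_postconf(text):
    """Parse 'name = value' lines as printed by `postconf -n`."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params


def parse_table(text):
    """Parse 'key <whitespace> value' lines (continuation lines not handled)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            table[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return table


def check_relay_credentials(main_cf, sasl_passwd):
    """Return a list of problems; an empty list means the key form matches."""
    relayhost = parse_postconf(main_cf).get("relayhost", "")
    if not relayhost:
        return ["relayhost is not set"]
    table = parse_table(sasl_passwd)
    if relayhost not in table:
        # Look for an entry naming the same host in a different form.
        bare = relayhost.split("]")[0].lstrip("[").split(":")[0]
        near = [key for key in table if bare in key]
        hint = f"; found {near!r}, key must repeat the [] and :port" if near else ""
        return [f"no entry keyed {relayhost!r}{hint}"]
    value = table[relayhost]
    if ":" not in value or value.startswith(":"):
        return [f"value for {relayhost!r} is not username:password"]
    return []


if __name__ == "__main__":
    print(check_relay_credentials(MAIN_CF, SASL_PASSWD_BAD))
    print(check_relay_credentials(MAIN_CF, SASL_PASSWD_GOOD))
```

On a live system the two inputs would be the output of `postconf -n` and the source file named in smtp_sasl_password_maps; after editing that file, `postmap` has to be re-run on it so the hash table is rebuilt.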
