On Thu, Jun 23, 2022 at 03:09:36AM -0300, Viktor Dukhovni wrote:
>> telnet localhost 25
>> 220 server.mydomain.net ESMTP Postfix (Debian/GNU)
>> AUTH LOGIN
>> 334 VXNlcm5hbWU6
>> c29tZXVzZXI=
> (someuser)
>> 334 UGFzc3dvcmQ6
>> c29tZXBhc3M=
> (somepass)
>> 454 4.7.0 Temporary authentication failure: generic failure
> If those are "real" credentials, make sure they're
> disabled before you get SASL working, otherwise
> they're liable to get abused.
Thank you for the reply!
I was wondering if someone was going to decode them.
No, they are not real. I made those up for this message only and I actually
passed them through base64 before pasting.
Thank you for the warning.
Now I wonder what is the point of requiring b64 hashes when they can be
decoded so easily...
> As for why authentication is failing, is "saslauthd" actually installed
> and running with a sensible backend (e.g. "-a pam") specified?
Yes.
# ps aux | grep saslauthd
root 32304 0.0 0.2 18364 2512 ? Ss 07:37 0:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 2
root 32305 0.0 0.0 18364 916 ? S 07:37 0:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 2
>> smtpd_sasl_type = cyrus
>> smtpd_sasl_path = smtpd
> These look OK, but you really should have in main.cf:
> smtpd_tls_auth_only = yes
> smtpd_sasl_auth_enable = no
I made those changes, and things became more difficult. Now I can't test
authentication on the command line.
Port 587 says:
AUTH LOGIN
530 5.7.0 Must issue a STARTTLS command first
Port 465 says:
AUTH LOGIN
Connection closed by foreign host.
Port 25 says:
AUTH LOGIN
503 5.5.1 Error: authentication not enabled
How do I test credentials now?
> and then (as you do) enable SASL only for the submission servers in
> master.cf, for which TLS is required. Your test will then be via:
> openssl s_client -starttls smtp -connect localhost:587
It works and generates a lot of output, including a certificate.
---------------------- 8< ------------------
# openssl s_client -starttls smtp -connect localhost:587
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mydomain.net
verify return:1
Certificate chain
0 s:CN = mydomain.net
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFIjCCBEqgAwIBAgISAwUfG2SSysJMtK3T8EYxHjtC0AYGCSqGSIb3DQEBCwUA
(content elided)
OgPrJFAT+GP94c6XP3JSZEwolyuEMA==
-----END CERTIFICATE-----
subject=CN = mydomain.net
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 4814 bytes and written 396 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: E0AF(...)
Session-ID-ctx:
Resumption PSK: C49D(...)
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - d8 4c 06 08 54 c7 24 e3-54 f2 9c d2 46 3b d8 67   .L..T.$.T...F;.g
0010 - 5b e6 42 f3 e6 9d 0f 96-ec 0b 7b 0a 30 45 66 92   [.B.......{.0Ef.
(...)
00c0 - 3d 4a 15 c2 5b d3 7b d9-f7 af 60 27 d3 6a 03 e5   =J..[.{...`'.j..
Start Time: 1655987062
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---------------------- >8 ------------------
On Wed, Jun 22, 2022 at 4:50 PM Luc GMail <[email protected]> wrote:
> Many thanks for the replies I've got so far. They helped, and now I have
> postfix running with SASL, and both ports 587 and 465 answer on telnet. But
> I still can't authenticate:
>
> telnet localhost 25
> 220 server.mydomain.net ESMTP Postfix (Debian/GNU)
> AUTH LOGIN
> 334 VXNlcm5hbWU6
> c29tZXVzZXI=
> 334 UGFzc3dvcmQ6
> c29tZXBhc3M=
> 454 4.7.0 Temporary authentication failure: generic failure
>
> I created a new user/shell account for the test and I'm using PAM for
> authentication, but those credentials don't work. Trying as root/password
> didn't work either.
>
> My installation method and configuration files have changed a little. I am
> posting them here.
>
> ============
> INSTALLATION
> ============
> apt-get install -y certbot python3-certbot-apache
> apt-get install -y libsasl2-2 libsasl2-modules sasl2-bin
> apt-get install -y postfix
>
> cp /ss/xhome/mydomain.net.conf /etc/apache2/sites-available/
> a2ensite mydomain.net.conf
> a2dissite 000-default
> systemctl reload apache2
> certbot certonly -a apache --agree-tos --no-eff-email --staple-ocsp --email [email protected] -d mydomain.net
> # this paragraph creates 2 files:
> # /etc/letsencrypt/live/mydomain.net/fullchain.pem
> # /etc/letsencrypt/live/mydomain.net/privkey.pem
>
> systemctl reload apache2
>
> cp /root/pfstuff/main.cf /etc/postfix/
> cp /root/pfstuff/master.cf /etc/postfix/
>
> echo 'pwcheck_method: saslauthd' > /etc/postfix/sasl/smtpd.conf
> echo 'mech_list: plain login CRAM-MD5 DIGEST-MD5' >> /etc/postfix/sasl/smtpd.conf
>
> usermod -a -G sasl postfix
>
> systemctl restart postfix
> ========================
>
>
> ============
> MAIN.CF
> ============
> myhostname = server.mydomain.net
>
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> biff = no
> append_dot_mydomain = no
> readme_directory = no
> compatibility_level = 2
>
> smtpd_tls_cert_file=/etc/letsencrypt/live/mydomain.net/fullchain.pem
> smtpd_tls_key_file=/etc/letsencrypt/live/mydomain.net/privkey.pem
> smtpd_tls_auth_only = no
> smtp_use_tls=yes
> smtpd_use_tls=yes
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_tls_security_level=may
> smtpd_tls_loglevel = 1
> smtpd_sasl_auth_enable = yes
> smtp_sasl_mechanism_filter = !gssapi, !login, static:all
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_sasl_type = cyrus
> smtpd_sasl_path = smtpd
> smtp_tls_security_level = may
> smtp_tls_loglevel = 1
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = $myhostname, mydomain.net, server.mydomain.net, localhost.mydomain.net, localhost
> relayhost =
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> recipient_delimiter = +
> inet_interfaces = all
> inet_protocols = all
> ========================
>
>
> ============
> MASTER.CF
> ============
> smtp inet n - y - 1 postscreen
> smtpd pass - - y - - smtpd
> dnsblog unix - - y - 0 dnsblog
> tlsproxy unix - - y - 0 tlsproxy
> submission inet n - y - - smtpd
> -o syslog_name=postfix/submission
> -o smtpd_tls_security_level=encrypt
> -o smtpd_tls_wrappermode=no
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> -o milter_macro_daemon_name=ORIGINATING
> smtps inet n - y - - smtpd
> -o syslog_name=postfix/smtps
> -o smtpd_tls_wrappermode=yes
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> -o milter_macro_daemon_name=ORIGINATING-TLS
> pickup unix n - y 60 1 pickup
> cleanup unix n - y - 0 cleanup
> qmgr unix n - n 300 1 qmgr
> tlsmgr unix - - y 1000? 1 tlsmgr
> rewrite unix - - y - - trivial-rewrite
> bounce unix - - y - 0 bounce
> defer unix - - y - 0 bounce
> trace unix - - y - 0 bounce
> verify unix - - y - 1 verify
> flush unix n - y 1000? 0 flush
> proxymap unix - - n - - proxymap
> proxywrite unix - - n - 1 proxymap
> smtp unix - - y - - smtp
> relay unix - - y - - smtp
> -o syslog_name=postfix/$service_name
> showq unix n - y - - showq
> error unix - - y - - error
> retry unix - - y - - error
> discard unix - - y - - discard
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - y - - lmtp
> anvil unix - - y - 1 anvil
> scache unix - - y - 1 scache
> postlog unix-dgram n - n - 1 postlogd
>
> maildrop unix - n n - - pipe
> flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
>
> uucp unix - n n - - pipe
> flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
>
> ifmail unix - n n - - pipe
> flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp unix - n n - - pipe
> flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
> scalemail-backend unix - n n - 2 pipe
> flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
> mailman unix - n n - - pipe
> flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
> ========================
>
>
>
> On Tue, Jun 21, 2022 at 5:17 PM Luc GMail <[email protected]> wrote:
>
>> Hi. I've been trying to properly install and run postfix with no success.
>> I've read many recipes and instructions and made many attempts and
>> something always fails.
>>
>> What I've accomplished so far:
>> - postfix is running
>> - I can send test mail from the command line (mailx) to an email account
>> elsewhere and the headers confirm it was sent by postfix
>> - telnet mydomain.net 25 replies and is ready for action
>>
>> What I still need:
>> - SSL and/or TLS. Postfix does not bind to port 587 or 465 at all.
>>
>> After all the attempts, I made what I consider to be my own best recipe,
>> the one that seems to get the closest to a working installation:
>>
>> ---------------- 8< ----------------
>> apt-get install -y certbot python3-certbot-apache
>> apt-get install -y libsasl2-2 libsasl2-modules sasl2-bin
>> apt-get install -y postfix
>>
>> cp /home/me/postfixstuff/mydomain.net.conf /etc/apache2/sites-available/
>> a2ensite mydomain.net.conf
>> a2dissite 000-default
>> systemctl reload apache2
>> certbot certonly -a apache --agree-tos --no-eff-email --staple-ocsp --email [email protected] -d mydomain.net
>>
>> systemctl reload apache2
>>
>> cp /home/me/postfixstuff/main.cf /etc/postfix/
>>
>> systemctl restart postfix
>> tail -n 20 /var/log/mail.log
>> ---------------- >8 ----------------
>>
>>
>>
>> Here are the contents of my main.cf file:
>>
>>
>>
>> ---------------- 8< ----------------
>> myhostname = server.mydomain.net
>> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
>> biff = no
>>
>> append_dot_mydomain = no
>>
>> readme_directory = no
>>
>> compatibility_level = 2
>>
>> # TLS parameters
>> smtpd_tls_cert_file=/etc/letsencrypt/live/mydomain.net/fullchain.pem
>> smtpd_tls_key_file=/etc/letsencrypt/live/mydomain.net/privkey.pem
>> smtpd_use_tls=yes
>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>> smtpd_tls_security_level=may
>> smtpd_tls_loglevel = 1
>>
>> #Enable TLS Encryption when Postfix sends outgoing emails
>> smtp_tls_security_level = may
>> smtp_tls_loglevel = 1
>>
>> #Enforce TLSv1.3 or TLSv1.2
>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>> smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>>
>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
>> alias_maps = hash:/etc/aliases
>> alias_database = hash:/etc/aliases
>> myorigin = /etc/mailname
>> mydestination = $myhostname, mydomain.net, server.mydomain.net, localhost.mydomain.net, localhost
>> relayhost =
>> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
>> mailbox_command = procmail -a "$EXTENSION"
>> mailbox_size_limit = 0
>> recipient_delimiter = +
>> inet_interfaces = all
>> inet_protocols = all
>> ---------------- >8 ----------------
>>
>> What else do I need to do?
>>
>> Somebody help? Please?!
>>
>>