[pfx] Re: Authentication question
On 22.02.24 at 18:29, Matus UHLAR - fantomas via Postfix-users wrote:
>> On 22.02.24 at 15:58, Wietse Venema via Postfix-users wrote:
>>> michaelof--- via Postfix-users:
>>>> 2024-02-22T13:56:15.715392+01:00 vserver postfix/submission/smtpd[150038]: connect from
>>>> 2024-02-22T13:56:15.715607+01:00 vserver postfix/submission/smtpd[150038]: improper command pipelining after CONNECT from : \026\003\001\001 \001\000\001\034\003\003o\365\274\337\000\246\346\341\276\270\237\233\021p\314S\312\371\3149\231\202d\201?\241\332\357\214\330\313\301 \255\357\251\234m\024\225\250Yx\344oa\207\342p\354\0261B\347\223m\224Q\td\276n:#\n\000>\023\002\023\003\023\001\300,\3000\000\237\314\251\314\250\314\252\300+\300/
>>>> 2024-02-22T13:56:15.715853+01:00 vserver postfix/submission/smtpd[150038]: disconnect from commands=0/0
>>>
>>> Configure the client to connect to port 465 instead of 578.
>>>
>>> With Postfix, uncomment the smtps(submissions) service in the Postfix master.cf file. It should have the same "-o" options lines as the submission service, plus a line that says "-o smtpd_tls_wrappermode=yes". Then execute the command "postfix reload".
>>>
>>> You may need to open port 465 with a firewall rule.
>
> On 22.02.24 18:10, michaelof--- via Postfix-users wrote:
>> Opened smtps service in firewalld.
>>
>> Changed email user config for testing in Thunderbird from port 578 to 465, and from "STARTTLS" to "SSL/TLS". Sending from Thunderbird works at once.
>
> You can leave both services running. 587/submission will use (explicit) STARTTLS, port 465/smtps (implicit) SSL/TLS - different MUAs often call those protocols differently.
>
>> Sending from NVR still fails, new msgs in log:
>>
>> 2024-02-22T17:49:57.074140+01:00 vserver postfix/smtps/smtpd[165894]: connect from
>> 2024-02-22T17:49:57.177663+01:00 vserver postfix/smtps/smtpd[165894]: warning: : SASL LOGIN authentication failed: Invalid authentication mechanism
>
> your sasl server does not support LOGIN authentication mechanism.
>
> with dovecot, you need to set up in dovecot config e.g.:
>
>   auth_mechanisms = plain login
>
> and with cyrus sasl, your smtpd config needs e.g.:
>
>   mech_list: PLAIN LOGIN

THANK YOU VERY MUCH, Matus and Wietse, in fact it was the missing "LOGIN" option in dovecot's auth settings, was "auth_mechanisms = plain" and now with "auth_mechanisms = plain login" everything works fine.

Kind regards,
Michael
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Authentication question
michaelof--- via Postfix-users:
> 2024-02-22T17:49:57.074140+01:00 vserver postfix/smtps/smtpd[165894]: connect from
> 2024-02-22T17:49:57.177663+01:00 vserver postfix/smtps/smtpd[165894]: warning: : SASL LOGIN authentication failed: Invalid authentication mechanism

Your smtpd_sasl_security_options setting appears to allow plaintext mechanisms:

> -o smtpd_sasl_security_options=noanonymous

But with TLS turned on, Postfix is supposed to use smtpd_sasl_tls_security_options. The default setting is

  smtpd_sasl_tls_security_options = $smtpd_sasl_security_options

which would allow plaintext mechanisms, with your smtpd_sasl_security_options=noanonymous setting.

What could be wrong:

1) You may have smtpd_sasl_tls_security_options in main.cf

2) Your SASL backend may not support the LOGIN plaintext mechanism.

3) You may have an smtpd_sasl_mechanism_filter setting that does not allow "login". The default setting is

  smtpd_sasl_mechanism_filter = !external, static:rest

which allows all mechanisms except 'external'.

Wietse

[pfx] Re: Authentication question
> On 22.02.24 at 15:58, Wietse Venema via Postfix-users wrote:
>> michaelof--- via Postfix-users:
>>> 2024-02-22T13:56:15.715392+01:00 vserver postfix/submission/smtpd[150038]: connect from
>>> 2024-02-22T13:56:15.715607+01:00 vserver postfix/submission/smtpd[150038]: improper command pipelining after CONNECT from : \026\003\001\001 \001\000\001\034\003\003o\365\274\337\000\246\346\341\276\270\237\233\021p\314S\312\371\3149\231\202d\201?\241\332\357\214\330\313\301 \255\357\251\234m\024\225\250Yx\344oa\207\342p\354\0261B\347\223m\224Q\td\276n:#\n\000>\023\002\023\003\023\001\300,\3000\000\237\314\251\314\250\314\252\300+\300/
>>> 2024-02-22T13:56:15.715853+01:00 vserver postfix/submission/smtpd[150038]: disconnect from commands=0/0
>>
>> Configure the client to connect to port 465 instead of 578.
>>
>> With Postfix, uncomment the smtps(submissions) service in the Postfix master.cf file. It should have the same "-o" options lines as the submission service, plus a line that says "-o smtpd_tls_wrappermode=yes". Then execute the command "postfix reload".
>>
>> You may need to open port 465 with a firewall rule.

On 22.02.24 18:10, michaelof--- via Postfix-users wrote:
> Opened smtps service in firewalld.
>
> Changed email user config for testing in Thunderbird from port 578 to 465, and from "STARTTLS" to "SSL/TLS". Sending from Thunderbird works at once.

You can leave both services running. 587/submission will use (explicit) STARTTLS, port 465/smtps (implicit) SSL/TLS - different MUAs often call those protocols differently.

> Sending from NVR still fails, new msgs in log:
>
> 2024-02-22T17:49:57.074140+01:00 vserver postfix/smtps/smtpd[165894]: connect from
> 2024-02-22T17:49:57.177663+01:00 vserver postfix/smtps/smtpd[165894]: warning: : SASL LOGIN authentication failed: Invalid authentication mechanism

your sasl server does not support LOGIN authentication mechanism.

with dovecot, you need to set up in dovecot config e.g.:

  auth_mechanisms = plain login

and with cyrus sasl, your smtpd config needs e.g.:

  mech_list: PLAIN LOGIN

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

[pfx] Re: Authentication question
michaelof--- via Postfix-users wrote:
> Thank you so much for answering, Wietse!
>
> Followed your recommendations, master.cf for submission and smtps now looks as follows:
>
> Opened smtps service in firewalld.
>
> Changed email user config for testing in Thunderbird from port 578 to 465, and from "STARTTLS" to "SSL/TLS". Sending from Thunderbird works at once.
>
> Sending from NVR still fails, new msgs in log:
>
> 2024-02-22T17:49:57.074140+01:00 vserver postfix/smtps/smtpd[165894]: connect from
> 2024-02-22T17:49:57.177663+01:00 vserver postfix/smtps/smtpd[165894]: warning: : SASL LOGIN authentication failed: Invalid authentication mechanism
> 2024-02-22T17:49:57.215718+01:00 vserver postfix/smtps/smtpd[165894]: NOQUEUE: reject: RCPT from : 554 5.7.1 < >: Client host rejected: Access denied; from= to= proto=ESMTP helo=
> 2024-02-22T17:49:57.225190+01:00 vserver postfix/smtps/smtpd[165894]: lost connection after RCPT from
> 2024-02-22T17:49:57.225497+01:00 vserver postfix/smtps/smtpd[165894]: disconnect from ehlo=1 auth=0/1 mail=1 rcpt=0/1 commands=2/4
>
> Any idea what's wrong or missing?

Can you set any other settings regarding authentication in your NVR besides user/password?

You could enable verbose logging for the smtpd service on 465 or use notify_classes to get a transcript of the session. I am curious as to what authentication mechanism your NVR is trying.

Cheers,
Simon

[pfx] Re: Authentication question
On 22.02.24 at 15:58, Wietse Venema via Postfix-users wrote:
> michaelof--- via Postfix-users:
>> 2024-02-22T13:56:15.715392+01:00 vserver postfix/submission/smtpd[150038]: connect from
>> 2024-02-22T13:56:15.715607+01:00 vserver postfix/submission/smtpd[150038]: improper command pipelining after CONNECT from : \026\003\001\001 \001\000\001\034\003\003o\365\274\337\000\246\346\341\276\270\237\233\021p\314S\312\371\3149\231\202d\201?\241\332\357\214\330\313\301 \255\357\251\234m\024\225\250Yx\344oa\207\342p\354\0261B\347\223m\224Q\td\276n:#\n\000>\023\002\023\003\023\001\300,\3000\000\237\314\251\314\250\314\252\300+\300/
>> 2024-02-22T13:56:15.715853+01:00 vserver postfix/submission/smtpd[150038]: disconnect from commands=0/0
>
> Configure the client to connect to port 465 instead of 578.
>
> With Postfix, uncomment the smtps(submissions) service in the Postfix master.cf file. It should have the same "-o" options lines as the submission service, plus a line that says "-o smtpd_tls_wrappermode=yes". Then execute the command "postfix reload".
>
> You may need to open port 465 with a firewall rule.
>
> Wietse

Thank you so much for answering, Wietse!

Followed your recommendations, master.cf for submission and smtps now looks as follows:

submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
smtps inet n - n - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

Opened smtps service in firewalld.

Changed email user config for testing in Thunderbird from port 578 to 465, and from "STARTTLS" to "SSL/TLS". Sending from Thunderbird works at once.

Sending from NVR still fails, new msgs in log:

2024-02-22T17:49:57.074140+01:00 vserver postfix/smtps/smtpd[165894]: connect from
2024-02-22T17:49:57.177663+01:00 vserver postfix/smtps/smtpd[165894]: warning: : SASL LOGIN authentication failed: Invalid authentication mechanism
2024-02-22T17:49:57.215718+01:00 vserver postfix/smtps/smtpd[165894]: NOQUEUE: reject: RCPT from : 554 5.7.1 < >: Client host rejected: Access denied; from= to= proto=ESMTP helo=
2024-02-22T17:49:57.225190+01:00 vserver postfix/smtps/smtpd[165894]: lost connection after RCPT from
2024-02-22T17:49:57.225497+01:00 vserver postfix/smtps/smtpd[165894]: disconnect from ehlo=1 auth=0/1 mail=1 rcpt=0/1 commands=2/4

Any idea what's wrong or missing?

Thanks in advance,
Michael

[pfx] Re: Authentication question
michaelof--- via Postfix-users:
> 2024-02-22T13:56:15.715392+01:00 vserver postfix/submission/smtpd[150038]: connect from
> 2024-02-22T13:56:15.715607+01:00 vserver postfix/submission/smtpd[150038]: improper command pipelining after CONNECT from sender-dns-name[IPv4]>: \026\003\001\001 \001\000\001\034\003\003o\365\274\337\000\246\346\341\276\270\237\233\021p\314S\312\371\3149\231\202d\201?\241\332\357\214\330\313\301 \255\357\251\234m\024\225\250Yx\344oa\207\342p\354\0261B\347\223m\224Q\td\276n:#\n\000>\023\002\023\003\023\001\300,\3000\000\237\314\251\314\250\314\252\300+\300/
> 2024-02-22T13:56:15.715853+01:00 vserver postfix/submission/smtpd[150038]: disconnect from commands=0/0

Configure the client to connect to port 465 instead of 578.

With Postfix, uncomment the smtps(submissions) service in the Postfix master.cf file. It should have the same "-o" options lines as the submission service, plus a line that says "-o smtpd_tls_wrappermode=yes". Then execute the command "postfix reload".

You may need to open port 465 with a firewall rule.

Wietse

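The advice above (the smtps service should carry the same "-o" overrides as submission, plus smtpd_tls_wrappermode=yes) can be checked mechanically. This is an added example, not code from the thread or from Postfix; the function names are hypothetical, the sample master.cf text is constructed from a subset of the options posted in this thread, and only the plain "-o name=value" form is parsed.

```python
IGNORE = {"syslog_name", "smtpd_tls_wrappermode"}  # expected to differ

def parse_master_cf(text):
    """Map service name -> {parameter: value} from '-o name=value' overrides."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tokens = raw.split()
        if not raw[0].isspace():          # a service entry starts in column 0
            current = services.setdefault(tokens[0], {})
        for flag, arg in zip(tokens, tokens[1:]):
            if flag == "-o" and "=" in arg and current is not None:
                name, value = arg.split("=", 1)
                current[name] = value
    return services

def check_smtps(text, base="submission", wrapped="smtps"):
    """List ways the implicit-TLS service drifts from the STARTTLS one."""
    svc = parse_master_cf(text)
    a, b = svc.get(base, {}), svc.get(wrapped, {})
    problems = []
    if b.get("smtpd_tls_wrappermode") != "yes":
        problems.append(f"{wrapped}: smtpd_tls_wrappermode=yes missing")
    for key in sorted((set(a) | set(b)) - IGNORE):
        if a.get(key) != b.get(key):
            problems.append(f"{key}: {base}={a.get(key)!r} {wrapped}={b.get(key)!r}")
    return problems

# Constructed sample input (subset of the options shown in the thread).
GOOD = """\
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - n - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
# Constructed drift: smtps loses wrappermode and its client restriction.
BAD = GOOD.replace("  -o smtpd_tls_wrappermode=yes\n", "").rsplit(
    "  -o smtpd_client_restrictions", 1)[0]

if __name__ == "__main__":
    for problem in check_smtps(BAD):
        print(problem)
```

A restriction that exists only on the submission entry is the drift worth catching, because port 465 would then accept clients under the main.cf defaults rather than the authenticated-only policy.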
[pfx] Re: Authentication question
On 22.02.24 15:28, michaelof--- via Postfix-users wrote:
> Postfix 3.7.3 on OpenSuse Leap 15.5
>
> I've set up my private Postfix for outgoing SMTP traffic with authentication, port 587, starttls, password normal. Works fine for years now (2016 or so) for outgoing email sent via Thunderbird, Roundcube Webmail, K9-Mail on Android etc. pp.
>
> Now I want to tell my new Hikvision CCTV NVR to send event based email via my own Postfix. Created a designated email address for this, works fine with Email clients mentioned above.
>
> NVR's config options are looking pretty usual, have to specify SMTP-server, port, "SSL/TLS" true/false, "Authenticate" true/false and user/pw if "Authenticate" is set to true. But test option simply says "failed".
>
> Looking into my Postfix's server logs, I'm seeing the following log entries for a SUCCESSFUL (Thunderbird) sent:
>
> 2024-02-22T14:00:49.478132+01:00 vserver postfix/submission/smtpd[150293]: connect from
> 2024-02-22T14:00:50.026993+01:00 vserver postfix/submission/smtpd[150293]: 066DC4D74DC: client=, sasl_method=PLAIN, sasl_username=c...@tufar.at
> 2024-02-22T14:00:50.069519+01:00 vserver postfix/cleanup[150298]: 066DC4D74DC: message-id=
> 2024-02-22T14:00:50.124765+01:00 vserver postfix/qmgr[1644]: 066DC4D74DC: from=, size=810, nrcpt=1 (queue active)
> 2024-02-22T14:00:50.386658+01:00 vserver postfix/smtp[150299]: 066DC4D74DC: to=, relay=..., delay=0.39, delays=0.13/0.01/0.1/0.15, dsn=2.0.0, status=sent (250 2.0.0 Message accepted.)
> 2024-02-22T14:00:50.386891+01:00 vserver postfix/qmgr[1644]: 066DC4D74DC: removed
>
> and the following log entries for NVR's UNSUCCESSFUL sent:
>
> 2024-02-22T13:56:15.715392+01:00 vserver postfix/submission/smtpd[150038]: connect from
> 2024-02-22T13:56:15.715607+01:00 vserver postfix/submission/smtpd[150038]: improper command pipelining after CONNECT from : \026\003\001\001 \001\000\001\034\003\003o\365\274\337\000\246\346\341\276\270\237\233\021p\314S\312\371\3149\231\202d\201?\241\332\357\214\330\313\301 \255\357\251\234m\024\225\250Yx\344oa\207\342p\354\0261B\347\223m\224Q\td\276n:#\n\000>\023\002\023\003\023\001\300,\3000\000\237\314\251\314\250\314\252\300+\300/
> 2024-02-22T13:56:15.715853+01:00 vserver postfix/submission/smtpd[150038]: disconnect from commands=0/0
> 2024-02-22T13:56:15.740078+01:00 vserver postfix/submission/smtpd[150038]: connect from
> 2024-02-22T13:56:15.857410+01:00 vserver postfix/submission/smtpd[150038]: warning: : SASL LOGIN authentication failed: Invalid authentication mechanism
> 2024-02-22T13:56:15.867110+01:00 vserver postfix/submission/smtpd[150038]: lost connection after AUTH from
> 2024-02-22T13:56:15.867404+01:00 vserver postfix/submission/smtpd[150038]: disconnect from ehlo=2 starttls=1 auth=0/1 commands=3/4
>
> Any hints, would be great, if this might be a firmware bug from NVR, or could maybe be solved by changing my SASL etc. config.

this looks like encryption problem. Someone is trying to use port 587 as implicit SSL, instead of explicit (STARTTLS).

implicit SSL should be used on port 465 (aka smtps/submissions service)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
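The two symptoms diagnosed in this thread (a TLS handshake arriving on the STARTTLS port, and a SASL mechanism the backend does not offer) can be recognised directly from smtpd log lines. This is an added example, not code from the thread or from Postfix; the function name and finding labels are hypothetical, and the sample lines are constructed in the format shown above with a placeholder client name and address, since the originals are elided on the page.

```python
import re

SERVICE = re.compile(r"postfix/(\w+)/smtpd\[\d+\]: (.*)")
# Postfix logs unexpected early input with octal escapes; \026\003 is the
# start of a TLS record (content type 0x16 handshake, major version 0x03).
TLS_ON_PLAINTEXT = re.compile(
    r"improper command pipelining after CONNECT from .*?: \\026\\003")
BAD_MECH = re.compile(
    r"SASL (\S+) authentication failed: Invalid authentication mechanism")

HINTS = {
    "implicit-tls": "client opened with a TLS handshake on a STARTTLS service; "
                    "point it at a smtpd_tls_wrappermode=yes service (port 465)",
    "mechanism": "SASL backend does not offer this mechanism; check Dovecot "
                 "auth_mechanisms or Cyrus mech_list, and smtpd_sasl_mechanism_filter",
}

def triage(lines):
    """Return [(service, finding, detail)] for the two failure patterns."""
    findings = []
    for line in lines:
        m = SERVICE.search(line)
        if not m:
            continue
        service, msg = m.groups()
        if TLS_ON_PLAINTEXT.search(msg):
            findings.append((service, "implicit-tls", ""))
        mech = BAD_MECH.search(msg)
        if mech:
            findings.append((service, "mechanism", mech.group(1)))
    return findings

# Constructed sample lines; nvr.example[192.0.2.10] is a placeholder client.
SAMPLE = [
    r"2024-02-22T13:56:15.715607+01:00 vserver postfix/submission/smtpd[150038]: improper command pipelining after CONNECT from nvr.example[192.0.2.10]: \026\003\001\001",
    r"2024-02-22T13:56:15.857410+01:00 vserver postfix/submission/smtpd[150038]: warning: nvr.example[192.0.2.10]: SASL LOGIN authentication failed: Invalid authentication mechanism",
    r"2024-02-22T14:00:50.026993+01:00 vserver postfix/submission/smtpd[150293]: 066DC4D74DC: client=nvr.example[192.0.2.10], sasl_method=PLAIN, sasl_username=user@example.org",
    r"2024-02-22T17:49:57.177663+01:00 vserver postfix/smtps/smtpd[165894]: warning: nvr.example[192.0.2.10]: SASL LOGIN authentication failed: Invalid authentication mechanism",
]

if __name__ == "__main__":
    for service, finding, detail in triage(SAMPLE):
        print(f"{service}: {finding} {detail}".rstrip(), "->", HINTS[finding])
```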