RE: SASL Error on Submission port

2011-04-07 Thread Simon Brereton
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Victor Duchovni
> On Thu, Apr 07, 2011 at 07:37:50PM +0200, Simon Brereton wrote:
> 
> > > From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> > > us...@postfix.org] On Behalf Of Patrick Ben Koetter
> > > * Simon Brereton
> > > > Hi
> > > >
> > > > Running 2.3.8 Debian package (I'll be upgrading shortly), I was
> > > > already supporting TLS and SASL auth.  One of my users recently
> > > > moved to RCN and they block port 25 so I'm trying to open 587.
> > > >
> > > > I added this to my master.cf
> > > >
> > > >
> > > > submission inet n   -   -   -   -   smtpd
> > >
> > > Is the saslauthd socket in the Postfix chroot? If not edit
> > > /etc/default/saslauthd.
> >
> > I'm not sure.  I'm pretty sure I don't have postfix running
> > chrooted - I think I thought that was too complex.
> >
> 
> It is chrooted. A non-chrooted smtpd looks like:
> 
> smtp  inet  n   -   n   -   -   smtpd

Probably because this was installed using apt-get..  Thanks.

So, I sat looking at this mail for a while wondering if you were telling me 
more, or if I should wait for a reply to my other email, and then I thought, 
well, it can't hurt to try..  So I changed master.cf

And lo and behold..

Apr  7 17:12:16 donald postfix/smtpd[24257]: connect from 3.myvzw.com[174.255.113.31]
Apr  7 17:12:17 donald postfix/smtpd[24257]: setting up TLS connection from 3.myvzw.com[174.255.113.31]
Apr  7 17:12:17 donald postfix/smtpd[24257]: TLS connection established from 3.myvzw.com[174.255.113.31]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr  7 17:12:18 donald postfix/smtpd[24257]: disconnect from 3.myvzw.com[174.255.113.31]

No error on the client's parameter checks.  This looks hopeful...

Apr  7 17:13:05 donald postfix/smtpd[24257]: connect from 3.myvzw.com[174.255.113.31]
Apr  7 17:13:06 donald postfix/smtpd[24257]: setting up TLS connection from 3.myvzw.com[174.255.113.31]
Apr  7 17:13:08 donald postfix/smtpd[24257]: TLS connection established from 3.myvzw.com[174.255.113.31]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr  7 17:13:11 donald postfix/smtpd[24257]: 4970CA94109: client=3.myvzw.com[174.255.113.31], sasl_method=PLAIN, sasl_username=myu...@mydomain.net
Apr  7 17:13:14 donald postfix/cleanup[24263]: 4970CA94109: message-id=
Apr  7 17:13:14 donald postfix/qmgr[24255]: 4970CA94109: from=, size=923, nrcpt=1 (queue active)

Success!

Thanks guys.  Once again the support on this list is amazing (so long as you 
listen to it and not try blindly to go against it).

Can anyone educate me as to why it needs to be outside the jail when it works 
normally?  The two lines from my master.cf look like:


smtp  inet  n   -   -   -   -   smtpd -v
submission inet n   -   n   -   -   smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Thanks.






Re: SASL Error on Submission port

2011-04-07 Thread Victor Duchovni
On Thu, Apr 07, 2011 at 07:37:50PM +0200, Simon Brereton wrote:

> > From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> > us...@postfix.org] On Behalf Of Patrick Ben Koetter
> > * Simon Brereton 
> > > Hi
> > >
> > > Running 2.3.8 Debian package (I'll be upgrading shortly), I was
> > > already supporting TLS and SASL auth.  One of my users recently moved
> > > to RCN and they block port 25 so I'm trying to open 587.
> > >
> > > I added this to my master.cf
> > >
> > >
> > > submission inet n   -   -   -   -   smtpd
> > 
> > Is the saslauthd socket in the Postfix chroot? If not edit
> > /etc/default/saslauthd.
> 
> I'm not sure.  I'm pretty sure I don't have postfix running chrooted - I 
> think I thought that was too complex.
> 

It is chrooted. A non-chrooted smtpd looks like:

smtp  inet  n   -   n   -   -   smtpd

-- 
Viktor.
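
The chroot column pointed out above, as an added example that is not part of the original thread: this shell function reads master.cf, reports whether each smtpd service is chrooted, and prints the host path where that service would look for the saslauthd socket directory. The `/var/run/saslauthd` path and treating `-` as `y` (the built-in default before Postfix 3.0) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): for every smtpd service in master.cf,
# report whether it is chrooted and where on the host it will look for the
# saslauthd socket directory.
# master.cf columns: service type private unpriv chroot wakeup maxproc command
# Assumptions: "-" in the chroot column means "y" (the built-in default before
# Postfix 3.0, which covers the 2.3.8 package here); SASL_DIR is the directory
# the Cyrus SASL library is told to use, as smtpd sees it.

sasl_socket_view() {
    # usage: sasl_socket_view QUEUE_DIR SASL_DIR [DEFAULT_CHROOT] < master.cf
    awk -v q="$1" -v s="$2" -v def="${3:-y}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]/                 { next }   # continuation lines (-o overrides)
        NF >= 8 && $8 == "smtpd" {
            c = ($5 == "-") ? def : $5
            # A chrooted smtpd resolves SASL_DIR relative to the queue directory.
            if (c == "y") printf "%s chrooted %s%s\n", $1, q, s
            else          printf "%s not-chrooted %s\n", $1, s
        }'
}

# Constructed sample: the two service lines quoted in the thread.
sample_master_cf() {
    cat <<'EOF'
smtp  inet  n   -   -   -   -   smtpd -v
submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
EOF
}

sample_master_cf | sasl_socket_view /var/spool/postfix /var/run/saslauthd
```

Compare each printed path with the directory given to saslauthd via `-m` in /etc/default/saslauthd; a service whose path differs from it will not find the socket.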


RE: SASL Error on Submission port

2011-04-07 Thread Simon Brereton
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Patrick Ben Koetter
> * Simon Brereton 
> > Hi
> >
> > Running 2.3.8 Debian package (I'll be upgrading shortly), I was
> > already supporting TLS and SASL auth.  One of my users recently moved
> > to RCN and they block port 25 so I'm trying to open 587.
> >
> > I added this to my master.cf
> >
> >
> > submission inet n   -   -   -   -   smtpd
> 
> Is the saslauthd socket in the Postfix chroot? If not edit
> /etc/default/saslauthd.

I'm not sure.  I'm pretty sure I don't have postfix running chrooted - I think 
I thought that was too complex.

/etc/default/saslauthd says:

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

And as my other mail shows SASL auth is working fine when the connection is 
made on port 25.  Just not when it comes in on the submission port..

Simon




RE: Re: SASL Error on Submission port

2011-04-07 Thread Simon Brereton
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Victor Duchovni
> On Thu, Apr 07, 2011 at 04:53:59PM +0200, Simon Brereton wrote:
> 
> > However, when I test I get a SASL auth error.  If I switch my
> > client back to port 25, there is no SASL error.
> >
> > Connecting to port 25
> > Apr  7 10:00:30 donald postfix/smtpd[21028]: connect from 18.myvzw.com[174.252.18.98]
> > Apr  7 10:00:31 donald postfix/smtpd[21028]: setting up TLS connection from 18.myvzw.com[174.252.18.98]
> > Apr  7 10:00:32 donald postfix/smtpd[21028]: TLS connection established from 18.myvzw.com[174.252.18.98]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> > Apr  7 10:00:34 donald postfix/smtpd[21028]: disconnect from 18.myvzw.com[174.252.18.98]
> 
> Did you actually login here? I see no evidence of SASL, send a
> message and show the logging.

That's because the software (on my phone) doesn't actually send a message  - 
it simply confirms that the parameters are correct.  The only difference 
between the two is to change the port number.  All the username and password 
details remained untouched.

But since you ask, here's the test actually sending a message:


Apr  7 12:38:50 donald postfix/smtpd[22046]: connect from 3.myvzw.com[174.252.3.219]
Apr  7 12:38:51 donald postfix/smtpd[22046]: setting up TLS connection from 3.myvzw.com[174.252.3.219]
Apr  7 12:38:53 donald postfix/smtpd[22046]: TLS connection established from 3.myvzw.com[174.252.3.219]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr  7 12:38:55 donald postfix/smtpd[22046]: disconnect from 3.myvzw.com[174.252.3.219]
Apr  7 12:40:00 donald postfix/smtpd[22046]: connect from 3.myvzw.com[174.252.3.219]
Apr  7 12:40:01 donald postfix/smtpd[22046]: setting up TLS connection from 3.myvzw.com[174.252.3.219]
Apr  7 12:40:02 donald postfix/smtpd[22046]: TLS connection established from 3.myvzw.com[174.252.3.219]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr  7 12:40:03 donald postfix/smtpd[22046]: B7BADA940A5: client=3.myvzw.com[174.252.3.219], sasl_method=PLAIN, sasl_username=myu...@mydomain.net
Apr  7 12:40:06 donald postfix/cleanup[22072]: B7BADA940A5: message-id=
Apr  7 12:40:06 donald postfix/qmgr[22038]: B7BADA940A5: from=, size=920, nrcpt=1 (queue active)

> > Connecting from port 587
> > Apr  7 10:01:04 donald postfix/smtpd[21032]: connect from 18.myvzw.com[174.252.18.98]
> > Apr  7 10:01:06 donald postfix/smtpd[21032]: setting up TLS connection from 18.myvzw.com[174.252.18.98]
> > Apr  7 10:01:07 donald postfix/smtpd[21032]: TLS connection established from 18.myvzw.com[174.252.18.98]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> > Apr  7 10:01:09 donald postfix/smtpd[21032]: warning: SASL authentication failure: Password verification failed
> > Apr  7 10:01:09 donald postfix/smtpd[21032]: warning: 18.myvzw.com[174.252.18.98]: SASL PLAIN authentication failed: authentication failure

I attempted to increase logging before doing this.  Changing the value in 
/etc/postfix/sasl/smtpd.conf didn't appear to have an effect.  Adding -v to the 
submission line in master.cf created far too much logging.  However, I have -v 
on the smtpd line in master.cf and I don't get the same amount of logging when 
I connect to port 25 (I assume because it's not specified twice and therefore 
increasing the verbosity).

However, here's the sending test on port 587 (even though the client says it 
won't work).


Apr  7 12:37:24 donald postfix/smtpd[22019]: smtp_get: EOF
Apr  7 12:37:24 donald postfix/smtpd[22019]: match_hostname: 3.myvzw.com ~? 127.0.0.0/8
Apr  7 12:37:24 donald postfix/smtpd[22019]: match_hostaddr: 174.252.3.219 ~? 127.0.0.0/8
Apr  7 12:37:24 donald postfix/smtpd[22019]: match_list_match: 3.myvzw.com: no match
Apr  7 12:37:24 donald postfix/smtpd[22019]: match_list_match: 174.252.3.219: no match
Apr  7 12:37:24 donald postfix/smtpd[22019]: warning: problem talking to server private/anvil: Success
Apr  7 12:37:25 donald postfix/smtpd[22019]: auto_clnt_close: disconnect private/anvil stream
Apr  7 12:37:25 donald postfix/smtpd[22019]: auto_clnt_open: connected to private/anvil
Apr  7 12:37:25 donald postfix/smtpd[22019]: send attr request = disconnect
Apr  7 12:37:25 donald postfix/smtpd[22019]: send attr ident = submission:174.252.3.219
Apr  7 12:37:25 donald postfix/smtpd[22019]: private/anvil: wanted attribute: status
Apr  7 12:37:25 donald postfix/smtpd[22019]: input attribute name: status
Apr  7 12:37:25 donald postfix/smtpd[22019]: input attribute value: 0
Apr  7 12:37:25 donald postfix/smtpd[22019]: private/anvil: wanted attribute: (list terminator)
Apr  7 12:37:25 donald postfix/smtpd[22019]: input attribute name: (end)
Apr  7 12:37:25 donald postfix/smtpd[22019]: lost connection after AUTH from 3.myvzw.com[174.252.3.219]
Apr  7 12:37:25 donald postfix/smtpd[22019]: disconnect from 3.myvzw.com[174.252.3.219]
Apr  7 12:37:25 

Re: SASL Error on Submission port

2011-04-07 Thread Patrick Ben Koetter
* Simon Brereton :
> Hi
> 
> Running 2.3.8 Debian package (I'll be upgrading shortly), I was already 
> supporting TLS and SASL auth.  One of my users recently moved to RCN and they 
> block port 25 so I'm trying to open 587.  
> 
> I added this to my master.cf
> 
> 
> submission inet n   -   -   -   -   smtpd

Is the saslauthd socket in the Postfix chroot? If not edit
/etc/default/saslauthd.

p@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: SASL Error on Submission port

2011-04-07 Thread Victor Duchovni
On Thu, Apr 07, 2011 at 04:53:59PM +0200, Simon Brereton wrote:

> However, when I test I get a SASL auth error.  If I switch my client back to 
> port 25, there is no SASL error.
> 
> Connecting to port 25
> Apr  7 10:00:30 donald postfix/smtpd[21028]: connect from 
> 18.myvzw.com[174.252.18.98]
> Apr  7 10:00:31 donald postfix/smtpd[21028]: setting up TLS connection from 
> 18.myvzw.com[174.252.18.98]
> Apr  7 10:00:32 donald postfix/smtpd[21028]: TLS connection established from 
> 18.myvzw.com[174.252.18.98]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 
> bits)
> Apr  7 10:00:34 donald postfix/smtpd[21028]: disconnect from 
> 18.myvzw.com[174.252.18.98]

Did you actually login here? I see no evidence of SASL, send a message and
show the logging.

> Connecting from port 587
> Apr  7 10:01:04 donald postfix/smtpd[21032]: connect from 
> 18.myvzw.com[174.252.18.98]
> Apr  7 10:01:06 donald postfix/smtpd[21032]: setting up TLS connection from 
> 18.myvzw.com[174.252.18.98]
> Apr  7 10:01:07 donald postfix/smtpd[21032]: TLS connection established from 
> 18.myvzw.com[174.252.18.98]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 
> bits)
> Apr  7 10:01:09 donald postfix/smtpd[21032]: warning: SASL authentication 
> failure: Password verification failed
> Apr  7 10:01:09 donald postfix/smtpd[21032]: warning: 
> 18.myvzw.com[174.252.18.98]: SASL PLAIN authentication failed: authentication 
> failure
> 

Most likely, you are sending the wrong username or the wrong password.

> Why is your software bro..  What did I do wrong? :)  I assumed that
> main.cf sasl parameters would apply to any port that used sasl.
> 
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = mydomain.net
> smtpd_sasl_security_options = noanonymous
> 
> Let me know if you want the whole thing.

Are you using Cyrus SASL or Dovecot SASL? What backends are configured
for the PLAIN mechanism?

-- 
Viktor.