Re: local authentification problem
> > But when the open xchange webmail tries the same (with an IP address =
> > 127.0.0.1) postfix tries to authenticate with SASL.
>
> NO! The CLIENT tries to authenticate and fails, and the CLIENT disconnects.
> You need to configure the CLIENT to not attempt authentication OR (better) fix the CLIENT's authentication credentials.
>
> It might be helpful to tell postfix to not offer AUTH on localhost, but I'm guessing the client will still disconnect until you configure the client to not attempt AUTH.
> http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks
>
> At any rate, the best course of action is to require webmail to AUTH even though it's on localhost. Unfortunately, it's not unusual for webmail systems to be compromised -- often through phishing -- and the AUTH logging gives you a little more information about where the breach is.
>
> -- Noel Jones

You're right, webmail was issuing an AUTH SMTP command and then authentication failed. I have fixed my problem.

Many thanks for help.

Alain Deseine.
Re: local authentification problem
On 6/15/2012 10:22 AM, Alain Deseine wrote:
> And local IP addresses are defined by the $mynetworks variable. As
> mynetworks_style = host, 127.0.0.0/8 is included in $mynetworks.

Correct.

> So when I do a local telnet WITHOUT AUTH postfix accepts to relay
> mail, and that's OK.

Correct.

> But when the open xchange webmail tries the same (with an IP address =
> 127.0.0.1) postfix tries to authenticate with SASL.

NO! The CLIENT tries to authenticate and fails, and the CLIENT disconnects.
You need to configure the CLIENT to not attempt authentication OR (better) fix the CLIENT's authentication credentials.

It might be helpful to tell postfix to not offer AUTH on localhost, but I'm guessing the client will still disconnect until you configure the client to not attempt AUTH.
http://www.postfix.org/postconf.5.html#smtpd_sasl_exceptions_networks

At any rate, the best course of action is to require webmail to AUTH even though it's on localhost. Unfortunately, it's not unusual for webmail systems to be compromised -- often through phishing -- and the AUTH logging gives you a little more information about where the breach is.

-- Noel Jones
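Added example, not part of the thread and not Postfix's own code: a small Python audit of smtpd log lines showing what the AUTH logging mentioned above provides. Accepted messages that carry sasl_username can be traced to an account, while loopback submissions with no SASL identity cannot. The sample log is constructed in the style of the lines quoted in this thread, and the short hexadecimal queue-ID format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the smtpd log lines quoted in this thread.
SAMPLE_LOG = """\
Jun 15 15:02:44 mx postfix/smtpd[12725]: 5D9D723AEB: client=host.example.net[203.0.113.7], sasl_method=PLAIN, sasl_username=user
Jun 15 15:09:09 mx postfix/smtpd[13755]: E0DA123AEB: client=localhost[::1]
Jun 15 15:15:44 mx postfix/smtpd[14241]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: authentication failure
Jun 15 15:15:44 mx postfix/smtpd[14241]: lost connection after AUTH from localhost[127.0.0.1]
Jun 15 15:20:01 mx postfix/smtpd[14300]: A1B2C3D4E5: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=webuser
"""

LOOPBACK = {"127.0.0.1", "::1"}

# "<queue-id>: client=name[addr]" with an optional SASL suffix.
# Assumption: short hexadecimal queue IDs (long queue IDs are not enabled).
ACCEPTED = re.compile(
    r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S+?\[([^\]]+)\]"
    r"(?:, sasl_method=(\S+?), sasl_username=([^,\s]+))?"
)
# "warning: name[addr]: SASL <mech> authentication failed"
FAILED = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+?\[([^\]]+)\]: SASL (\S+) authentication failed"
)


def audit(log_text):
    """Return (unattributed_local, by_user, failed_auth) for smtpd log text."""
    unattributed, by_user, failed = [], defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            qid, addr, _mech, user = m.groups()
            if user:
                by_user[user].append(qid)      # traceable to an account
            elif addr in LOOPBACK:
                unattributed.append(qid)       # no SASL identity, admitted by address alone
            continue
        m = FAILED.search(line)
        if m:
            failed[m.groups()] += 1            # keyed by (client address, mechanism)
    return unattributed, dict(by_user), dict(failed)


if __name__ == "__main__":
    local, users, failures = audit(SAMPLE_LOG)
    print("loopback mail with no account attached:", local)
    print("mail per authenticated account:", users)
    print("failed AUTH attempts:", failures)
```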
Re: local authentification problem
On 15/06/2012 16:51, Brian Evans - Postfix List wrote:
> On 6/15/2012 9:26 AM, Alain Deseine wrote:
> > When I try locally, using telnet, it's OK again:
> >
> > ks3094730:~ # telnet localhost 25
> > Trying ::1...
> > Connected to localhost.
> > Escape character is '^]'.
> > 220 xxx..fr ESMTP Postfix
> > EHLO TETE
> > 250-AUTH GSSAPI LOGIN PLAIN DIGEST-MD5
>
> Notice that AUTH is offered in your basic test.
>
> > 250-ENHANCEDSTATUSCODES
> > 250-8BITMIME
> > 250 DSN
>
> But ignored.

Yes, I agree, but it's for verification that postfix accepts mail from localhost, without any identification. And it works.

> > The problem begins when I try to use the webmail installed on the same host.
> >
> > Here are the logs I get:
> >
> > Jun 15 15:15:44 dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=14359, TLS
> > Jun 15 15:15:44 postfix/smtpd[14241]: connect from localhost[127.0.0.1]
> > Jun 15 15:15:44 postfix/smtpd[14241]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: authentication failure
> > Jun 15 15:15:44 postfix/smtpd[14241]: lost connection after AUTH from localhost[127.0.0.1]
> > Jun 15 15:15:44 postfix/smtpd[14241]: disconnect from localhost[127.0.0.1]
>
> The CLIENT disconnects after the AUTH failed, not POSTFIX.

Here again I agree with you, but if the client disconnects, that's because postfix tells that the authentication fails.

> > I don't understand because I set up postfix to NOT use SASL authentication for localhost:
>
> That statement is incorrect. You ALLOW localhost OR SASL authenticated to relay but nothing says disable for localhost.

There is something I don't understand. Tell me if I'm wrong:

permit_mynetworks in the smtpd_recipient_restrictions configuration item is for telling postfix to relay FROM clients that use a local IP address.

And local IP addresses are defined by the $mynetworks variable. As mynetworks_style = host, 127.0.0.0/8 is included in $mynetworks.

So when I do a local telnet WITHOUT AUTH postfix accepts to relay mail, and that's OK.

But when the open xchange webmail tries the same (with an IP address = 127.0.0.1) postfix tries to authenticate with SASL.

At this point I don't understand why, in the same conditions (client sends mail from 127.0.0.1 to some outside e-mail), postfix in one case authorises relaying, and in the other case tries to do SMTP AUTH ...
Re: local authentification problem
On 6/15/2012 9:26 AM, Alain Deseine wrote:
> When I try locally, using telnet, it's OK again:
>
> ks3094730:~ # telnet localhost 25
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> 220 xxx..fr ESMTP Postfix
> EHLO TETE
> 250-AUTH GSSAPI LOGIN PLAIN DIGEST-MD5

Notice that AUTH is offered in your basic test.

> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN

But ignored.

> MAIL FROM:eaz...@ezaezae.eu
> 250 2.1.0 Ok
> RCPT TO:zzz.ee...@gmail.com
> 250 2.1.5 Ok
> DATA
> 354 End data with .
> test
> .
> 250 2.0.0 Ok: queued as E0DA123AEB
> QUIT
> 221 2.0.0 Bye
> Connection closed by foreign host.
> ks3094730:~ #
>
> The problem begins when I try to use the webmail installed on the same
> host.
>
> Here are the logs I get:
>
> Jun 15 15:15:44 dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=14359, TLS
> Jun 15 15:15:44 postfix/smtpd[14241]: connect from localhost[127.0.0.1]
> Jun 15 15:15:44 postfix/smtpd[14241]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: authentication failure
> Jun 15 15:15:44 postfix/smtpd[14241]: lost connection after AUTH from localhost[127.0.0.1]
> Jun 15 15:15:44 postfix/smtpd[14241]: disconnect from localhost[127.0.0.1]

The CLIENT disconnects after the AUTH failed, not POSTFIX.

> I don't understand because I set up postfix to NOT use SASL
> authentication for localhost:

That statement is incorrect. You ALLOW localhost OR SASL authenticated to relay but nothing says disable for localhost.

> mynetworks_style = host
> smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
>
> I am certainly missing something, but don't know why, and the fact it works
> through a simple telnet session and not from the webmail seems very
> strange to me.
>
> The webmail is open xchange.
>
> Any idea?

I think you should FIX the authentication of webmail.
Webmail is a source of exploits especially if it is public facing. The more information you have of which account is leaking, the better you will be in the future.

Brian
local authentification problem
Hi,

Got a strange problem with a new postfix installation.

I got a well-working postfix installation with SMTP AUTH (saslauthd installation). When I try to send mail from outside with a mail client like Thunderbird, everything's OK and mail is relayed.

Jun 15 15:02:42 xxx postfix/smtpd[12725]: connect from .abo.wanadoo.fr[xxx.Xxx.xxx.xxx]
Jun 15 15:02:44 xxx postfix/smtpd[12725]: 5D9D723AEB: client=.abo.wanadoo.fr[xxx.Xxx.xxx.xxx], sasl_method=PLAIN, sasl_username=user
Jun 15 15:02:44 xxx postfix/cleanup[13338]: 5D9D723AEB: message-id=<4fdb326a.5050...@.eu>
Jun 15 15:02:44 xxx postfix/qmgr[12183]: 5D9D723AEB: from=, size=618, nrcpt=1 (queue active)
Jun 15 15:02:44 xxx postfix/smtpd[12725]: disconnect from z.abo.wanadoo.fr[xxx.Xxx.xxx.xxx]
Jun 15 15:02:44 xxx postfix/smtp[13339]: connect to gmail-smtp-in-v4v6.l.google.com[2a00:1450:8005::1a]:25: Network is unreachable
Jun 15 15:02:45 xxx postfix/smtp[13339]: 5D9D723AEB: to=, relay=gmail-smtp-in-v4v6.l.google.com[173.194.70.26]:25, delay=1.3, delays=0.17/0.02/0.1/1, dsn=2.0.0, status=sent (250 2.0.0 OK 1339765349 dz2si2818397wib.14)
Jun 15 15:02:45 xxx postfix/qmgr[12183]: 5D9D723AEB: removed

When I try locally, using telnet, it's OK again:

ks3094730:~ # telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 xxx..fr ESMTP Postfix
EHLO TETE
250-..fr
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH GSSAPI LOGIN PLAIN DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:eaz...@ezaezae.eu
250 2.1.0 Ok
RCPT TO:zzz.ee...@gmail.com
250 2.1.5 Ok
DATA
354 End data with .
test
.
250 2.0.0 Ok: queued as E0DA123AEB
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
ks3094730:~ #

Which results in this in the log:

Jun 15 15:08:24 xxx postfix/smtpd[13755]: connect from localhost[::1]
Jun 15 15:09:09 xxx postfix/smtpd[13755]: E0DA123AEB: client=localhost[::1]
Jun 15 15:09:16 xxx postfix/cleanup[13763]: E0DA123AEB: message-id=<20120615130909.e0da123...@ddd..fr>
Jun 15 15:09:16 xxx postfix/qmgr[12183]: E0DA123AEB: from=, size=345, nrcpt=1 (queue active)
Jun 15 15:09:16 xxx postfix/smtp[13943]: connect to gmail-smtp-in-v4v6.l.google.com[2a00:1450:8005::1b]:25: Network is unreachable
Jun 15 15:09:18 xxx postfix/smtp[13943]: E0DA123AEB: to=, relay=gmail-smtp-in-v4v6.l.google.com[173.194.70.26]:25, delay=23, delays=21/0.02/0.08/1.9, dsn=2.0.0, status=sent (250 2.0.0 OK 1339765742 s4si2837809wiy.33)
Jun 15 15:09:18 xxx postfix/qmgr[12183]: E0DA123AEB: removed
Jun 15 15:09:19 xxx postfix/smtpd[13755]: disconnect from localhost[::1]

The problem begins when I try to use the webmail installed on the same host.

Here are the logs I get:

Jun 15 15:15:44 dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=14359, TLS
Jun 15 15:15:44 postfix/smtpd[14241]: connect from localhost[127.0.0.1]
Jun 15 15:15:44 postfix/smtpd[14241]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: authentication failure
Jun 15 15:15:44 postfix/smtpd[14241]: lost connection after AUTH from localhost[127.0.0.1]
Jun 15 15:15:44 postfix/smtpd[14241]: disconnect from localhost[127.0.0.1]

I don't understand because I set up postfix to NOT use SASL authentication for localhost:

mynetworks_style = host
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = yes
smtpd_use_tls = no
smtp_use_tls = no
smtp_enforce_tls = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
strict_rfc821_envelopes = no

I am certainly missing something, but don't know why, and the fact it works through a simple telnet session and not from the webmail seems very strange to me.

The webmail is open xchange.

Any idea?

Many thanks for responses.

Best regards,
Alain Deseine.