can't get smtp auth in postfix
Trying 127.0.0.1…
Connected to localhost.
Escape character is '^]'.
220 terabug.terabug.com ESMTP Postfix (Ubuntu)
ehlo localhost
250-terabug.terabug.com
250-PIPELINING
250-SIZE 30720000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
I have done all sasl setting files as per this guide:
Dovecot was having an error yesterday; somehow it got fixed. Dovecot is working fine (I guess because I installed dovecot-postfix).
My sasl files:
/etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
file:/etc/pam.d/smtp
auth required pam_mysql.so user=mail_admin passwd=mail_admin_pass host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mail_admin passwd=mail_admin_pass host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
file:/etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mail_admin
sql_passwd: mail_admin_pass
sql_database: mail
sql_select: select password from users where email = '%u'
file:/etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - - - - smtpd
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
inet_interfaces = all
#  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
#  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
  -o smtp_fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
file:/etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = terabug.terabug.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = terabug.terabug.com, localhost, localhost.localdomain
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
message_size_limit = 30720000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_local_domain = $myhostname
smtpd_sender_restrictions = reject_unknown_sender_domain
mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
file:/etc/dovecot/dovecot.conf
protocols = imap imaps pop3 pop3s
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/home/vmail/%d/%n/Maildir
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
namespace private {
  separator = .
  prefix = INBOX.
  inbox = yes
}
protocol lda {
  log_path = /home/vmail/dovecot-deliver.log
  auth_socket_path = /var/run/dovecot/auth-master
  postmaster_address = postmaster@terabug.com
  mail_plugins = sieve
  #global_script_path = /home/vmail/globalsieverc
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
auth default {
  user = root
  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb static {
    args = uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
  }
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
    }
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
Please let me know steps to get
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
in smtp outgoing mail. Thanks in advance.
6 Replies
> derfy@derfy:~$ openssl s_client -starttls smtp -crlf -connect terabug.terabug.com:25
CONNECTED(00000003)
depth=0 /C=IN/ST=Gujarat/L=Ahmedabad/O=TeraBug/OU=Email Services/CN=terabug.terabug.com/emailAddress=
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=IN/ST=Gujarat/L=Ahmedabad/O=TeraBug/OU=Email Services/CN=terabug.terabug.com/emailAddress=
verify return:1
---
Certificate chain
0 s:/C=IN/ST=Gujarat/L=Ahmedabad/O=TeraBug/OU=Email Services/CN=terabug.terabug.com/emailAddress=
i:/C=IN/ST=Gujarat/L=Ahmedabad/O=TeraBug/OU=Email Services/CN=terabug.terabug.com/emailAddress=
---
Server certificate
subject=/C=IN/ST=Gujarat/L=Ahmedabad/O=TeraBug/OU=Email Services/CN=terabug.terabug.com/emailAddress=
issuer=/C=IN/ST=Gujarat/L=Ahmedabad/O=TeraBug/OU=Email Services/CN=terabug.terabug.com/emailAddress=
---
No client certificate CA names sent
SSL handshake has read 1964 bytes and written 354 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 254552E12B923EA82F9AD59F505E096A3A02B5A54F1B081E9F20C3BAC3022E64
Session-ID-ctx:
Master-Key: EBA91626733D04272F74601CAD8FD47CAE3739816AA51BC5F98A9F5C1159BB4FFEDBC02F80A982035F4DC45D0879085B
Key-Arg : None
Start Time: 1321715217
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
250 DSN
ehread:errno=0
derfy@derfy:~$
However, you'll probably want to wait until someone more qualified can help. :)
When I send a mail from Windows Live Mail, it does not ask/prompt for login ID and password.
It gives me the following relay error:
The message could not be sent. The setting for your outgoing email [SMTP] server might need to be configured. To find the server settings for 'a***d@k**s**ts.com', please contact your email service provider.
Subject 'hey999'
Server Error: 554
Server Response: 554 5.7.1 <a***d@k**s**ts.com>: Relay access denied
Server: 'terabug.terabug.com'
Windows Live Mail Error ID: 0x800CCC79
Protocol: SMTP
Port: 25
Secure(SSL): No
Tried to change port. Connection got rejected.
ehlo localhost is not showing
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
so sasl is not set.
Also tell me, does this mean anyone can send mail using my server?
From http://www.postfix.org/TLS_README.html:
Supporting AUTH over TLS only
Sending AUTH data over an unencrypted channel poses a security risk. When TLS layer encryption is required ("smtpd_tls_security_level = encrypt" or the obsolete "smtpd_enforce_tls = yes"), the Postfix SMTP server will announce and accept AUTH only after the TLS layer has been activated with STARTTLS. When TLS layer encryption is optional ("smtpd_tls_security_level = may" or the obsolete "smtpd_enforce_tls = no"), it may however still be useful to only offer AUTH when TLS is active. To maintain compatibility with non-TLS clients, the default is to accept AUTH without encryption. In order to change this behavior, set "smtpd_tls_auth_only = yes".
By your first post, you do have this set and as such, the postfix server will not announce 250 AUTH… without a STARTTLS.
Your master.cf shows that submission/smtps is functional; however you may need to open these ports in your firewall.
Also no, your server cannot be used to relay (unless of course you or your users have easily crackable username/passwords)
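Added example (not part of the original thread or of Postfix): a way to check the behaviour the reply above describes, by comparing the EHLO reply before STARTTLS with the one sent inside the TLS session. The function names auth_mechs, classify and probe are illustrative; PLAIN_EHLO is the reply from the first post and TLS_EHLO is a constructed sample.

```python
import smtplib
import ssl

# EHLO reply copied from the first post (plaintext, before STARTTLS).
PLAIN_EHLO = ("250-terabug.terabug.com\n250-PIPELINING\n250-SIZE 30720000\n250-VRFY\n"
              "250-ETRN\n250-STARTTLS\n250-ENHANCEDSTATUSCODES\n250-8BITMIME\n250 DSN")
# Constructed sample: a second EHLO reply inside the TLS session when SASL works
# (not captured from the server in the thread).
TLS_EHLO = ("250-terabug.terabug.com\n250-PIPELINING\n"
            "250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN\n250 DSN")

def auth_mechs(ehlo_text):
    """Return the set of SASL mechanisms advertised in an EHLO reply."""
    mechs = set()
    for line in ehlo_text.splitlines():
        body = line.strip()
        if body[:3] == "250" and body[3:4] in "- ":
            body = body[4:]  # drop the "250-" / "250 " reply prefix
        # "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" form both count.
        if body.upper().startswith(("AUTH ", "AUTH=")):
            mechs.update(body[5:].upper().split())
    return mechs

def classify(plain_ehlo, tls_ehlo):
    """Say where AUTH is announced: in cleartext, only under TLS, or nowhere."""
    before, after = auth_mechs(plain_ehlo), auth_mechs(tls_ehlo)
    if before:
        return "AUTH offered in cleartext: " + " ".join(sorted(before))
    if after:
        return "AUTH offered only after STARTTLS: " + " ".join(sorted(after))
    return "AUTH not offered even after STARTTLS"

def probe(host, port=25):
    """Live check against your own server: EHLO, STARTTLS, EHLO again."""
    ctx = ssl.create_default_context()
    # Diagnostic only: the server in the thread uses a self-signed certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as s:
        plain = s.ehlo()[1].decode(errors="replace")
        s.starttls(context=ctx)
        tls = s.ehlo()[1].decode(errors="replace")
    return classify(plain, tls)
```

With smtpd_tls_auth_only = yes and working SASL, probe() should report AUTH only after STARTTLS; "not offered even after STARTTLS" points at the SASL setup rather than at TLS.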
Can't send mail from Live mail client. Please go through all posts.