[Dovecot] unable to send mails via postfix/dovecot SASL
Hello,
I have a freshly setup postfix/dovecot mail server (after a server upgrade I decided to change my sendmail/popper conf to something more modern :)
It mostly works, there is no problem in sending/receiving mails in local network, both using text clients like mutt or pine dealing with the incoming/outgoing mail directly. Also dovecot works fine with SSL authentication from the outside world (home computers etc) but only for reading the mail.
I have been struggling for several days already to get postfix/dovecot/SSL trio to work for sending (relaying) mail from the home computers (but also from local network) via my server to the final recipients, using authenticated connections. I followed http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL hints for the configuration of postfix and dovecot (see output of dovecot -n and postconf -n commands below). I also uncommented "smtps" line in /etc/postfix/master.cf file (otherwise postfix was refusing any connections to secure SMTP port). For a while, I uncommented also "submission" line there but to no success either.
Now when I try to send a mail from my home PC, using Thunderbird 2.0.0.21, with SSL connection configured for outgoing smtp server (port 465), using username/password, it shows "Connected to server..." message but after a minute or so, it fails saying that the connection to SMTP server failed.
The server log shows:
11:51:24 sirius postfix/smtpd[15126]: connect from my_home_pc_name/ip
Jun 11 11:52:25 sirius postfix/smtpd[15126]: lost connection after UNKNOWN from from my_home_pc_name/ip
Jun 11 11:52:25 sirius postfix/smtpd[15126]: disconnect from my_home_pc_name/ip
There are no dovecot-related messages in the log regarding such an attempt.
I am not sure whether this is dovecot or postfix problem but, being no expert on either of those, I am asking help to resolve this annoying problem.
with best regards, Michal.
-------------- dovecot -n --------------------------
# 1.0.7: /etc/dovecot.conf
ssl_cert_file: /etc/pki/dovecot/certs/sirius.pem
ssl_key_file: /etc/pki/dovecot/private/sirius.key
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: mbox:~/Mail:INBOX=/var/spool/mail/%u
mmap_disable: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
imap_client_workarounds(default): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(imap): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(pop3): outlook-idle
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
auth default:
  mechanisms: plain login
  verbose: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
----------------- postconf -n ----------------------------
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = astrouw.edu.pl
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, www.$mydomain, ftp.$mydomain, /etc/mail/local-host-names
myhostname = sirius.astrouw.edu.pl
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
On 6/11/2009, Michal Szymanski (msz@astrouw.edu.pl) wrote:
(after a server upgrade I decided to change my sendmail/popper conf to something more modern :)
Then why install a version that is well over a year old?
1.1.16 is the current stable version, but 1.2 is at rc5 stage and release is imminent... I'd start with that.
--
Best regards,
Charles
On Thu, Jun 11, 2009 at 06:27:23AM -0400, Charles Marcus wrote:
On 6/11/2009, Michal Szymanski (msz@astrouw.edu.pl) wrote:
(after a server upgrade I decided to change my sendmail/popper conf to something more modern :)
Then why install a version that is well over a year old?
1.1.16 is the current stable version, but 1.2 is at rc5 stage and release is imminent... I'd start with that.
Well, that was what the repositories for my CentOS 5.3 (Final) were offering. I found the 1.1.16 RPM in atrpms (advertised as "testing package" - strangely enough as it is "stable" for RHEL/CentOS 4) so I upgraded but it did not help. I am not sure, however, if the settings for "auth default" are now compatible with the (apparently new) way the authentication is done now (auth, auth-worker).
The current 'dovecot -n' output below.
regards, Michal.
# 1.1.16: /etc/dovecot.conf
# OS: Linux 2.6.18-128.1.6.el5 x86_64 CentOS release 5.3 (Final)
ssl_cert_file: /etc/pki/dovecot/certs/sirius.pem
ssl_key_file: /etc/pki/dovecot/private/sirius.key
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: mbox:~/Mail:INBOX=/var/spool/mail/%u
mmap_disable: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
imap_client_workarounds(default): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(imap): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
auth default:
  mechanisms: plain login
  debug: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
On Thu, Jun 11, 2009 at 5:02 AM, Michal Szymanski<msz@astrouw.edu.pl> wrote:
Now when I try to send a mail from my home PC, using Thunderbird 2.0.0.21, with SSL connection configured for outgoing smtp server (port 465), using username/password, it shows "Connected to server..." message but after a minute or so, it fails saying that the connection to SMTP server failed.
The server log shows:
11:51:24 sirius postfix/smtpd[15126]: connect from my_home_pc_name/ip
Jun 11 11:52:25 sirius postfix/smtpd[15126]: lost connection after UNKNOWN from from my_home_pc_name/ip
Jun 11 11:52:25 sirius postfix/smtpd[15126]: disconnect from my_home_pc_name/ip
This looks as if you didn't enable SSL wrappermode in postfix's master.cf for port 465.
In postfix master.cf, make sure the section for port 465/smtps contains -o smtpd_tls_wrappermode=yes
With a modern email client like TBird, it's generally preferred to use STARTTLS (that's the TLS button in TBird) on the "submission" port 587.
-- Noel Jones
On Thu, Jun 11, 2009 at 5:02 AM, Michal Szymanski<msz@astrouw.edu.pl> wrote:
----------------- postconf -n ----------------------------
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = astrouw.edu.pl
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, www.$mydomain, ftp.$mydomain, /etc/mail/local-host-names
myhostname = sirius.astrouw.edu.pl
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550
I don't see any references to tls in your postconf -n output. Has postfix been built with openssl?
Also, postfix 2.3 is quite old, for a new installation consider a more recent version.
-- Noel Jones
I don't see any references to tls in your postconf -n output. Has postfix been built with openssl?
I guess so. 'ldd /usr/sbin/postfix' gives, among others:
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002b71e8eea000)
libssl.so.6 => /lib64/libssl.so.6 (0x00002b71e9103000)
I did not put any 'tls' options into main.cf (nor the -o smtpd_tls_wrappermode option in master.cf) as the postfix/dovecot/SASL howto on dovecot's wiki does not mention it at all. So I thought that TLS is not required to make SASL authentication. Am I wrong?
I have actually enabled the smtpd_tls_wrappermode option for a while while trying to make it work but it resulted in immediate postfix failure (probably this would require other tls options enabled, too), so I backed off.
I have the SMTP outgoing server in T'bird set to SSL which makes the default port 465 to be used. When I change this to TLS, the default seems to be the "plain" port #25.
Also, postfix 2.3 is quite old, for a new installation consider a more recent version.
Well, that may be worth trying but I guess (as it has already happened with dovecot update from 1.0.6 to 1.1.16 version) that, although it may be a good idea in general, it will not help with my current problem. I think that properly configured postfix/dovecot (in versions generally available for RHEL/CentOS 5.3) should work with authentication.
regards, Michal.
-- Michal Szymanski (msz at astrouw dot edu dot pl) Warsaw University Observatory, Warszawa, POLAND
On Thu, Jun 11, 2009 at 10:36 AM, Michal Szymanski<msz@astrouw.edu.pl> wrote:
I don't see any references to tls in your postconf -n output. Has postfix been built with openssl?
I guess so. 'ldd /usr/sbin/postfix' gives, among others:
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002b71e8eea000)
libssl.so.6 => /lib64/libssl.so.6 (0x00002b71e9103000)
I did not put any 'tls' options into main.cf (nor the -o smtpd_tls_wrappermode option in master.cf) as the postfix/dovecot/SASL howto on dovecot's wiki does not mention it at all. So I thought that TLS is not required to make SASL authentication. Am I wrong?
TLS is not required for SASL, but is highly recommended to protect plain-text credentials from eavesdroppers.
At any rate, don't configure TBird to submit mail to postfix via TLS/SSL unless you enable TLS/SSL in postfix.
For easy setup of postfix TLS, see http://www.postfix.org/TLS_README.html#quick-start (but be sure to read the whole document, not just the quick-start section).
-- Noel Jones
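Added example, not part of the original thread and not code from the Postfix or Dovecot projects: a small Python check for the mismatch diagnosed above (SASL enabled and the smtps service uncommented, but no TLS configured in Postfix). The function names, sample configurations and certificate paths are constructed for illustration.

```python
import re

def parse_postconf(text):
    """Parse `postconf -n` output (one "name = value" per line) into a dict."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {name.strip(): value.strip() for name, sep, value in pairs if sep}

def parse_master(text):
    """Map each master.cf service name to the -o overrides attached to it."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # a new service entry starts in column 0
            current = line.split()[0]
            services[current] = []
        if current is not None:            # entry line or indented continuation
            services[current] += re.findall(r"-o\s+(\S+)", line)
    return services

def audit(postconf_text, master_text):
    """Return findings for SASL/TLS mismatches (main.cf values plus smtps overrides only)."""
    p, m = parse_postconf(postconf_text), parse_master(master_text)
    findings = []
    sasl = p.get("smtpd_sasl_auth_enable") == "yes"
    has_cert = "smtpd_tls_cert_file" in p
    tls_on = has_cert and (p.get("smtpd_use_tls") == "yes"
                           or p.get("smtpd_tls_security_level") in ("may", "encrypt"))
    if sasl and not tls_on:
        findings.append("SASL is enabled but smtpd TLS is not: PLAIN/LOGIN passwords are sent unencrypted")
    if sasl and p.get("smtpd_tls_auth_only") != "yes":
        findings.append("smtpd_tls_auth_only is not 'yes': AUTH is offered before encryption")
    if "smtps" in m and "smtpd_tls_wrappermode=yes" not in m["smtps"]:
        findings.append("smtps (port 465) lacks -o smtpd_tls_wrappermode=yes: implicit-TLS clients get no handshake")
    if "smtps" in m and not has_cert:
        findings.append("smtps is enabled but smtpd_tls_cert_file is not set")
    return findings

# Constructed samples: BEFORE mirrors the setup described in the thread, AFTER is one fixed variant.
SMTPS = "smtps     inet  n       -       n       -       -       smtpd\n"
BEFORE_MAIN = "smtpd_sasl_auth_enable = yes\nsmtpd_sasl_type = dovecot\nsmtpd_sasl_path = private/auth\n"
BEFORE_MASTER = SMTPS
AFTER_MAIN = BEFORE_MAIN + ("smtpd_tls_security_level = may\nsmtpd_tls_auth_only = yes\n"
                            "smtpd_tls_cert_file = /etc/postfix/example-cert.pem\n"  # placeholder path
                            "smtpd_tls_key_file = /etc/postfix/example-key.pem\n")   # placeholder path
AFTER_MASTER = SMTPS + "  -o smtpd_tls_wrappermode=yes\n"

if __name__ == "__main__":
    for finding in audit(BEFORE_MAIN, BEFORE_MASTER):
        print("WARN:", finding)
```

On a real server, feed it the output of `postconf -n` and the contents of /etc/postfix/master.cf; per-service overrides other than those on smtps are not evaluated.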
On Thu, Jun 11, 2009 at 12:48:29PM -0500, Noel Jones wrote:
On Thu, Jun 11, 2009 at 10:36 AM, Michal Szymanski<msz@astrouw.edu.pl> wrote:
I don't see any references to tls in your postconf -n output. Has postfix been built with openssl?
I guess so. 'ldd /usr/sbin/postfix' gives, among others:
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002b71e8eea000)
libssl.so.6 => /lib64/libssl.so.6 (0x00002b71e9103000)
I did not put any 'tls' options into main.cf (nor the -o smtpd_tls_wrappermode option in master.cf) as the postfix/dovecot/SASL howto on dovecot's wiki does not mention it at all. So I thought that TLS is not required to make SASL authentication. Am I wrong?
TLS is not required for SASL, but is highly recommended to protect plain-text credentials from eavesdroppers.
At any rate, don't configure TBird to submit mail to postfix via TLS/SSL unless you enable TLS/SSL in postfix.
For easy setup of postfix TLS, see http://www.postfix.org/TLS_README.html#quick-start (but be sure to read the whole document, not just the quick-start section).
Thanks a lot! It has worked, finally!
Maybe it would be worth adding to that Postfix/Dovecot/SASL HowTo that apart from the configuration changes it lists, one has to configure Postfix to accept authenticated connections. It would save newbies like me many headaches.
regards, Michal.
-- Michal Szymanski (msz at astrouw dot edu dot pl) Warsaw University Observatory, Warszawa, POLAND
participants (3): Charles Marcus, Michal Szymanski, Noel Jones