Couple things I notice:
In ASSP - you have set:
listenPort:=25
smtpDestination:=127.0.0.1:10026
listenPortSSL:=
smtpDestinationSSL:=127.0.0.1:126
listenPort2:=
smtpAuthServer:=SSL:127.0.0.1:126
relayHost:=127.0.0.1:10026
relayPort:=127.0.0.1:10025
So - ASSP is globally listening on port 25, and will forward any
connection to 10026. In the clear.
You have an override for explicit SSL connections to port 126.
And an authenticated connection target of 10026 - exclusively SSL.
However - you don't declare listenPort2. So ASSP isn't explicitly
listening for authentication and, unless I'm quite wrong (which is
always a strong possibility), the smtpAuthServer setting won't be used.
ASSP is listening for connections from Postfix on 10025 and will forward
those connections back to port 10026.
So - my initial ASSP summary:
ASSP listens openly on port 25, will forward clear connections to 10026
and SSL connections to 126. However - the SSL connection to Postfix is
not "forced". Also the communication from & back to Postfix for relay
is not forced SSL either.
Next...Postfix:
127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:126 inet n - n - - smtpd
  -o syslog_name=assptls
  -o smtpd_tls_wrappermode=yes
  -o smtpd_proxy_filter=
  -o myhostname=mail.bordo.com.au
465 inet n - n - 20 smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=100
Postfix is listening for authentication on port 10026 - without
requiring SSL (though it will support STARTTLS).
Postfix is listening for "forced" SSL connections on port 126.
And listening on port 465 where it will forward to port 10025. Again
without requiring SSL.
So...
I'm guessing your Mail.app is using STARTTLS - it connects to Postfix on
port 465, which accepts the connection, forwards to ASSP on 10025, which
returns to Postfix at 10026 - at which time Postfix checks for
authentication - and then it continues on its way.
Thunderbird is probably trying to do "forced" SSL - which isn't being
listened for.
My initial recommendations:
* Move the "-o smtpd_sasl_auth_enable=yes" to your port 465 stanza.
This is where the authentication should be.
* Add (don't move) the "-o smtpd_tls_wrappermode=yes" to the port 465
stanza. This will enable "forced" SSL.
* Change ASSP's "smtpDestinationSSL" to "SSL:127.0.0.1:126" (note the
prefix of "SSL:")
* The smtpAuthServer setting should be cleared so it's not confusing.
The new flow - port 25 continues as it was. Which means both cleartext
and STARTTLS support (but NOT "forced" SSL). Port 465 is now a
dedicated SSL listener which requires authentication before it passes
Postfix - which then forwards to ASSP via port 10025. ASSP will forward
that via port 10026.
I think after you do that...things might be a little better, although
now your Mail.app may need to be adjusted! There may be something else
we need to adjust in Postfix but this should be close.
A purist might insist on adding SSL to ports 10025 & 10026 - but let's
leave that for later when everything else is working if you really want it.
Daniel
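Added example, not part of the message above and not ASSP or Postfix project code: a small Python audit over the master.cf entries quoted in the message (trimmed to the auth, TLS and proxy overrides) that flags listeners which enable AUTH, or sit on port 465, without smtpd_tls_wrappermode. The AFTER text is constructed by applying the recommendations; only master.cf "-o" overrides are read, and main.cf is assumed not to change them.

```python
# Added example: reads master.cf "-o" overrides only; main.cf is not consulted.
BEFORE = """\
127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:126 inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
465 inet n - n - 20 smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
"""
# Constructed: the same entries after applying the message's recommendations.
AFTER = """\
127.0.0.1:10026 inet n - n - - smtpd
127.0.0.1:126 inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
465 inet n - n - 20 smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
  -o smtpd_proxy_filter=127.0.0.1:10025
"""

def parse_master_cf(text):
    """Return {service: {param: value}} from service lines and -o overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = line.split()
        if not line[0].isspace():          # new entry: 8 fixed fields, then args
            current, tokens = tokens[0], tokens[8:]
            services[current] = {}
        args = iter(tokens)
        for tok in args:
            if tok.startswith("-o"):       # "-o name=value" or "-oname=value"
                pair = tok[2:] or next(args, "")
                name, _, value = pair.partition("=")
                services[current][name] = value
    return services

def audit(text):
    """Flag listeners that offer AUTH, or sit on port 465, without wrappermode."""
    issues = []
    for svc, opts in parse_master_cf(text).items():
        wrapped = opts.get("smtpd_tls_wrappermode") == "yes"
        if opts.get("smtpd_sasl_auth_enable") == "yes" and not wrapped:
            issues.append((svc, "AUTH enabled without smtpd_tls_wrappermode"))
        if svc.rsplit(":", 1)[-1] == "465" and not wrapped:
            issues.append((svc, "port 465 without smtpd_tls_wrappermode"))
    return issues
```

audit(BEFORE) reports the 10026 and 465 listeners; audit(AFTER) reports nothing.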
On 12/14/2018 8:28 AM, Daniel Miller via Assp-test wrote:
Ok - so you have Postfix listening. There are a few different choices
available to have Postfix forward to ASSP. I would recommend using
Postfix's before-queue content filter method.
The entries you've set up in master.cf already are for mail that has
been processed by ASSP and now needs delivery. Again - before
proceeding further you need to verify things work - clients can
connect and authenticate and send via your existing
ASSP/Postfix/Dovecot chain.
Now in master.cf:
465 inet n - n - 20 smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=10
Note the above address/port are arbitrary - pick what you want though
the localhost address is appropriate given your setup. The
"smtpd_client_connection_count_limit" may be adjusted as needed. It
is also up to you whether or not to have additional validation checks
in this Postfix listener (you should - let Postfix block out whatever
it can before it touches ASSP otherwise there's not much point in this
approach).
The "smtpd_proxy_filter" tells Postfix to forward mail to another
server for processing prior to delivery. So ASSP needs to be
listening for that connection. You can use the primary listeners
listenPort, listenPort2, and listenPortSSL but probably a better
choice is to configure ASSP with:
relayPort=127.0.0.1:10025
That matches the setting in master.cf above - and that should do it.
To make it SSL - for the master.cf entry above for 465 add
-o smtpd_tls_wrappermode=yes
and in ASSP make it
relayPort=SSL:127.0.0.1:10025
Daniel
On 12/13/2018 7:13 PM, James Brown wrote:
On 13 Dec 2018, at 5:39 am, Daniel Miller <dmil...@amfes.com> wrote:
The "lsof -i" is a lower-case i (just confirming if it got
auto-corrected by email spellcheck).
If "lsof" (or other tools) can't confirm an open port we've got
other problems. Need to get that part first. What is expected:
# lsof -i :126
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 1260 root 104u IPv4 33860 0t0 TCP localhost.localdomain:126 (LISTEN)
Daniel
Yes, Daniel, it was auto-correct in my email.
The reason I got nothing returned is because I did not run in sudo
mode. Now I get:
$ sudo lsof -i :10026
Password:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 89692 root 85u IPv4 0x1117b83fdbb9d20b 0t0 TCP localhost:10026 (LISTEN)
$ sudo lsof -i :126
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
perl 32559 root 25u IPv4 0x1117b83fd26de50b 0t0 TCP localhost:49213->localhost:nxedit (CLOSE_WAIT)
master 89692 root 88u IPv4 0x1117b83fdbb9e50b 0t0 TCP localhost:nxedit (LISTEN)
James.
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test