> On 17 Dec 2018, at 1:12 pm, Daniel Miller <dmil...@amfes.com> wrote:
>
> Couple things I notice:
>
> In ASSP - you have set:
>
> listenPort:=25
> smtpDestination:=127.0.0.1:10026
> listenPortSSL:=
> smtpDestinationSSL:=127.0.0.1:126
> listenPort2:=
> smtpAuthServer:=SSL:127.0.0.1:126
> relayHost:=127.0.0.1:10026
> relayPort:=127.0.0.1:10025
>
> So - ASSP is globally listening on port 25, and will forward any connection to 10026. In the clear.
>
> You have an override for explicit SSL connections to port 126.
>
> And an authenticated connection target of 10026 - exclusively SSL. However - you don't declare listenPort2. So ASSP isn't explicitly listening for authentication and, unless I'm quite wrong (which is always a strong possibility), the smtpAuthServer setting won't be used.
>
> ASSP is listening for connections from Postfix on 10025 and will forward those connections back to port 10026.
>
> So - my initial ASSP summary:
>
> ASSP listens openly on port 25, will forward clear connections to 10026 and SSL connections to 126. However - the SSL connection to Postfix is not "forced". Also the communication from & back to Postfix for relay is not forced SSL either.
>
> Next...Postfix:
>
> 127.0.0.1:10026 inet n - n - - smtpd
>   -o smtpd_sasl_auth_enable=yes
> 127.0.0.1:126 inet n - n - - smtpd
>   -o syslog_name=assptls
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_proxy_filter=
>   -o myhostname=mail.bordo.com.au
> 465 inet n - n - 20 smtpd
>   -o smtpd_proxy_filter=127.0.0.1:10025
>   -o smtpd_client_connection_count_limit=100
>
> Postfix is listening for authentication on port 10026 - without requiring SSL (though it will support STARTTLS).
>
> Postfix is listening for "forced" SSL connections on port 126.
>
> And listening on port 465 where it will forward to port 10025. Again without requiring SSL.
>
> So...
>
> I'm guessing your Mail.app is using STARTTLS - it connects to Postfix on port 465, which accepts the connection, forwards to ASSP on 10025, which returns to Postfix at 10026 - at which time Postfix checks for authentication - and then it continues on its way.
>
> Thunderbird is probably trying to do "forced" SSL - which isn't being listened for.
>
> My initial recommendations:
>
> * Move the "-o smtpd_sasl_auth_enable=yes" to your port 465 stanza. This is where the authentication should be.
>
> * Add (don't move) the "-o smtpd_tls_wrappermode=yes" to the port 465 stanza. This will enable "forced" SSL.
>
> * Change ASSP's "smtpDestinationSSL" to "SSL:127.0.0.1:126" (note the prefix of "SSL:")
>
> * The smtpAuthServer setting should be cleared so it's not confusing.
>
> The new flow - port 25 continues as it was. Which means both cleartext and STARTTLS support (but NOT "forced" SSL). Port 465 is now a dedicated SSL listener which requires authentication before it passes Postfix - which then forwards to ASSP via port 10025. ASSP will forward that via port 10026.
>
> I think after you do that...things might be a little better, although now your Mail.app may need to be adjusted! There may be something else we need to adjust in Postfix but this should be close.
>
> A purist might insist on adding SSL to ports 10025 & 10026 - but let's leave that for later when everything else is working if you really want it.
>
> Daniel

Fantastic - thanks Daniel.
Much better. Flow seems to all be working now. Getting an 'unsupported 8BITMIME' error, but at least things are moving as they should:

Postfix:

2018-12-17 14:07:43.307573+1100 0x23afe Activity 0x13c80 7456 0 smtpd: (libsystem_info.dylib) Retrieve User by Name
2018-12-17 14:07:43.308955+1100 0x23afe Activity 0x13c81 7456 0 smtpd: (libsystem_info.dylib) Retrieve User by Name
2018-12-17 14:07:43.309674+1100 0x23afe Activity 0x13c82 7456 0 smtpd: (libsystem_info.dylib) Retrieve Group by Name
2018-12-17 14:07:43.324655+1100 0x23afe Info 0x0 7456 0 smtpd: initializing the server-side TLS engine
2018-12-17 14:07:43.329393+1100 0x23afe Activity 0x13c83 7456 0 smtpd: (libsystem_info.dylib) Resolve user group list
2018-12-17 14:07:43.331755+1100 0x23afe Info 0x0 7456 0 smtpd: connect from localhost[127.0.0.1]
2018-12-17 14:07:43.331802+1100 0x23afe Info 0x0 7456 0 smtpd: setting up TLS connection from localhost[127.0.0.1]
2018-12-17 14:07:43.331900+1100 0x23afe Info 0x0 7456 0 smtpd: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
2018-12-17 14:07:43.332153+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:before SSL initialization
2018-12-17 14:07:43.332228+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:before SSL initialization
2018-12-17 14:07:43.332382+1100 0x23afe Info 0x0 7456 0 smtpd: localhost[127.0.0.1]: Decrypting session ticket, key expiration: 1545017636
2018-12-17 14:07:43.332484+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS read client hello
2018-12-17 14:07:43.332554+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS write server hello
2018-12-17 14:07:43.332651+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS write change cipher spec
2018-12-17 14:07:43.332755+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS write finished
2018-12-17 14:07:43.332931+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS write finished
2018-12-17 14:07:43.332973+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS read change cipher spec
2018-12-17 14:07:43.333053+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS read finished
2018-12-17 14:07:43.333108+1100 0x23afe Info 0x0 7456 0 smtpd: localhost[127.0.0.1]: Reusing old session (RFC 5077 session ticket)
2018-12-17 14:07:43.333147+1100 0x23afe Info 0x0 7456 0 smtpd: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
2018-12-17 14:07:50.159699+1100 0x23b42 Default 0x0 7459 0 trivial-rewrite: warning: database /usr/local/etc/postfix/transport.db is older than source file /usr/local/etc/postfix/transport
2018-12-17 14:07:50.238231+1100 0x23afe Activity 0x13c84 7456 0 smtpd: (libsystem_info.dylib) Retrieve service by name
2018-12-17 14:07:50.303206+1100 0x23b45 Activity 0x13d20 7460 0 smtpd: (libsystem_info.dylib) Retrieve User by Name
2018-12-17 14:07:50.303759+1100 0x23b45 Activity 0x13d21 7460 0 smtpd: (libsystem_info.dylib) Retrieve User by Name
2018-12-17 14:07:50.304287+1100 0x23b45 Activity 0x13d22 7460 0 smtpd: (libsystem_info.dylib) Retrieve Group by Name
2018-12-17 14:07:50.306555+1100 0x23b45 Info 0x0 7460 0 smtpd: initializing the server-side TLS engine
2018-12-17 14:07:50.308883+1100 0x23b45 Activity 0x13d23 7460 0 smtpd: (libsystem_info.dylib) Resolve user group list
2018-12-17 14:07:50.310888+1100 0x23b45 Info 0x0 7460 0 smtpd: connect from localhost[127.0.0.1]
2018-12-17 14:07:50.665219+1100 0x23afe Default 0x0 7456 0 smtpd: warning: proxy 127.0.0.1:10025 rejected "MAIL FROM:<jlbr...@bordo.com.au> BODY=8BITMIME SIZE=1632": "502 MAIL FROM BODY=8BITMIME not supported"
2018-12-17 14:07:50.696493+1100 0x23b45 Info 0x0 7460 0 smtpd: disconnect from localhost[127.0.0.1] ehlo=1 quit=1 commands=2
2018-12-17 14:09:31.803134+1100 0x23afe Info 0x0 7456 0 smtpd: lost connection after RCPT from localhost[127.0.0.1]
2018-12-17 14:09:31.803280+1100 0x23afe Info 0x0 7456 0 smtpd: disconnect from localhost[127.0.0.1] ehlo=1 auth=1 mail=1 rcpt=0/1 commands=3/4

ASSP:

Dec-17-18 14:07:50 [Worker_1] Info: try to connect to server at 127.0.0.1:10026
Dec-17-18 14:07:50 [Worker_1] Info: connected to server at 127.0.0.1:10026
Dec-17-18 14:07:50 [Worker_1] Connected: session:7FCD7D357A88 127.0.0.1:50567 > 127.0.0.1:10025 > 127.0.0.1:50569 > 127.0.0.1:10026 , 21-22
Dec-17-18 14:07:50 [Worker_1] 127.0.0.1 info: injected '250-STARTTLS' offer in to EHLO reply
Dec-17-18 14:07:50 [Worker_1] 127.0.0.1 info: send '250-STARTTLS' - injected for 127.0.0.1
Dec-17-18 14:07:50 [Worker_1] 127.0.0.1 info: removed '250-STARTTLS' - it was already injected
Dec-17-18 14:07:50 [Worker_1] [unsupported_8BITMIME] 127.0.0.1 MAIL FROM BODY=8BITMIME not allowed
Dec-17-18 14:07:50 [Worker_1] 127.0.0.1 info: no (more) data readable from 127.0.0.1 (connection closed by peer) - last command was 'QUIT'
Dec-17-18 14:07:50 [Worker_1] 127.0.0.1 disconnected: session:7FCD7D357A88 127.0.0.1 - command list was 'EHLO,MAIL FROM,QUIT' - used 4 SocketCalls - processing time 0 seconds

Outlook says: "Authentication failed because Outlook doesn't support any of the available authentication methods."

Nothing in ASSP log.

Mail.app:

2018-12-17 14:17:55.732061+1100 0x25f42 Activity 0x14490 7548 0 smtpd: (libsystem_info.dylib) Retrieve User by Name
2018-12-17 14:17:55.733971+1100 0x25f42 Activity 0x14491 7548 0 smtpd: (libsystem_info.dylib) Retrieve User by Name
2018-12-17 14:17:55.734962+1100 0x25f42 Activity 0x14492 7548 0 smtpd: (libsystem_info.dylib) Retrieve Group by Name
2018-12-17 14:17:55.742827+1100 0x25f42 Info 0x0 7548 0 smtpd: initializing the server-side TLS engine
2018-12-17 14:17:55.752790+1100 0x25f42 Activity 0x14493 7548 0 smtpd: (libsystem_info.dylib) Resolve user group list
2018-12-17 14:17:55.756158+1100 0x25f42 Info 0x0 7548 0 smtpd: connect from localhost[127.0.0.1]
2018-12-17 14:17:55.756223+1100 0x25f42 Info 0x0 7548 0 smtpd: setting up TLS connection from localhost[127.0.0.1]
2018-12-17 14:17:55.756444+1100 0x25f42 Info 0x0 7548 0 smtpd: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
2018-12-17 14:17:55.756876+1100 0x25f42 Info 0x0 7548 0 smtpd: SSL_accept:before SSL initialization
2018-12-17 14:19:18.302683+1100 0x2555b Info 0x0 7501 0 smtpd: disconnect from localhost[127.0.0.1] ehlo=1 quit=1 commands=2

Nothing in ASSP log.

So close!

James
> On 12/14/2018 8:28 AM, Daniel Miller via Assp-test wrote:
>> Ok - so you have Postfix listening. There's a few different choices available to have Postfix forward to ASSP. I would recommend using Postfix's before-queue content filter method.
>>
>> The entries you've setup in master.cf already are for mail that has been processed by ASSP and now needs delivery. Again - before proceeding further you need to verify things work - clients can connect and authenticate and send via your existing ASSP/Postfix/Dovecot chain.
>>
>> Now in master.cf:
>>
>> 465 inet n - n - 20 smtpd
>>   -o smtpd_proxy_filter=127.0.0.1:10025
>>   -o smtpd_client_connection_count_limit=10
>>
>> Note the above address/port are arbitrary - pick what you want though the localhost address is appropriate given your setup. The "smtpd_client_connection_count_limit" may be adjusted as needed. It is also up to you whether or not to have additional validation checks in this Postfix listener (you should - let Postfix block out whatever it can before it touches ASSP otherwise there's not much point in this approach).
>>
>> The "smtpd_proxy_filter" tells Postfix to forward mail to another server for processing prior to delivery. So ASSP needs to be listening for that connection. You can use the primary listeners listenPort, listenPort2, and listenPortSSL but probably a better choice is to configure ASSP with:
>>
>> relayPort=127.0.0.1:10025
>>
>> That matches the setting in master.cf above - and that should do it. To make it SSL - for the master.cf entry above for 465 add
>>
>> -o smtpd_tls_wrappermode=yes
>>
>> and in ASSP make it
>>
>> relayPort=SSL:127.0.0.1:10025
>>
>> Daniel
>>
>> On 12/13/2018 7:13 PM, James Brown wrote:
>>>> On 13 Dec 2018, at 5:39 am, Daniel Miller <dmil...@amfes.com> wrote:
>>>>
>>>> The "lsof -i" is a lower-case i (just confirming if it got auto-corrected by email spellcheck).
>>>>
>>>> If "lsof" (or other tools) can't confirm an open port we've got other problems. Need to get that part first. What is expected:
>>>>
>>>> # lsof -i :126
>>>> COMMAND PID  USER FD   TYPE DEVICE SIZE/OFF NODE NAME
>>>> master  1260 root 104u IPv4 33860  0t0      TCP  localhost.localdomain:126 (LISTEN)
>>>>
>>>> Daniel
>>> Yes, Daniel, it was auto-correct in my email.
>>>
>>> The reason I got nothing returned is because I did not run in sudo mode. Now I get:
>>>
>>> $ sudo lsof -i :10026
>>> Password:
>>> COMMAND PID   USER FD  TYPE DEVICE             SIZE/OFF NODE NAME
>>> master  89692 root 85u IPv4 0x1117b83fdbb9d20b 0t0      TCP  localhost:10026 (LISTEN)
>>>
>>> $ sudo lsof -i :126
>>> COMMAND PID   USER FD  TYPE DEVICE             SIZE/OFF NODE NAME
>>> perl    32559 root 25u IPv4 0x1117b83fd26de50b 0t0      TCP  localhost:49213->localhost:nxedit (CLOSE_WAIT)
>>> master  89692 root 88u IPv4 0x1117b83fdbb9e50b 0t0      TCP  localhost:nxedit (LISTEN)
>>>
>>> James.
_______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test
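Added example, not part of the thread and not ASSP or Postfix code: the recommendation in the thread to move "-o smtpd_sasl_auth_enable=yes" from the 10026 re-injection listener onto the wrapper-mode 465 stanza comes down to one check, that no smtpd service offers SASL AUTH where the exchange can happen in the clear. The Python below parses a master.cf fragment (constructed here from the stanzas quoted in the thread, plus a hypothetical "submission" stanza using smtpd_tls_security_level=encrypt for contrast), handles the indented continuation lines and per-service "-o" overrides, and lists the smtpd services that enable SASL without wrapper mode, mandatory TLS or smtpd_tls_auth_only. The Postfix parameter names are real; the function names and the sample file are this example's own.

```python
"""Flag Postfix master.cf smtpd services that accept SASL AUTH without forced TLS.

Example code, not from the mailing-list thread. MASTER_CF is a constructed
fragment built from the stanzas discussed in the thread (the "before" layout,
where SASL sits on the 127.0.0.1:10026 re-injection listener) plus a
hypothetical 'submission' stanza that enforces TLS, for comparison.
"""

# Constructed sample input (not a real file from the thread's server).
MASTER_CF = """\
# service  type  private unpriv chroot wakeup maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:126 inet n - n - - smtpd
  -o syslog_name=assptls
  -o smtpd_tls_wrappermode=yes
  -o smtpd_proxy_filter=
  -o myhostname=mail.bordo.com.au
465 inet n - n - 20 smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
  -o smtpd_client_connection_count_limit=100
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
"""


def _collect_overrides(tokens, into):
    """Record every '-o name=value' pair found in a token list."""
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens):
            name, _, value = tokens[i + 1].partition("=")
            into[name] = value


def parse_master_cf(text):
    """Return a list of {service, type, command, options} dicts.

    master.cf rules: a line starting with whitespace continues the previous
    service entry; '-o name=value' overrides main.cf for that service only;
    '#' lines and blank lines are ignored.
    """
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                       # continuation line
            if not services:
                raise ValueError("continuation line before any service")
            _collect_overrides(raw.split(), services[-1]["options"])
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf line: {raw!r}")
        entry = {"service": fields[0], "type": fields[1],
                 "command": fields[7], "options": {}}
        _collect_overrides(fields[8:], entry["options"])   # -o on same line
        services.append(entry)
    return services


def effective_options(service, main_cf=None):
    """Per-service -o overrides layered over main.cf values (if supplied)."""
    opts = dict(main_cf or {})
    opts.update(service["options"])
    return opts


def tls_enforced(opts):
    """True if this smtpd cannot accept AUTH over plaintext.

    Wrapper mode (implicit TLS), smtpd_tls_security_level=encrypt (mandatory
    STARTTLS) or smtpd_tls_auth_only=yes (AUTH announced only after STARTTLS)
    all qualify; anything else leaves the SASL exchange exposed.
    """
    return (opts.get("smtpd_tls_wrappermode") == "yes"
            or opts.get("smtpd_tls_security_level") == "encrypt"
            or opts.get("smtpd_tls_auth_only") == "yes")


def sasl_without_tls(services, main_cf=None):
    """Names of inet smtpd services that enable SASL but do not force TLS."""
    flagged = []
    for s in services:
        if s["type"] != "inet" or s["command"] != "smtpd":
            continue
        opts = effective_options(s, main_cf)
        if opts.get("smtpd_sasl_auth_enable") == "yes" and not tls_enforced(opts):
            flagged.append(s["service"])
    return flagged


def proxy_targets(services):
    """Map each smtpd service to its smtpd_proxy_filter target ('' = none)."""
    return {s["service"]: s["options"].get("smtpd_proxy_filter", "")
            for s in services if s["command"] == "smtpd"}


if __name__ == "__main__":
    svcs = parse_master_cf(MASTER_CF)
    print("SASL offered without forced TLS:", sasl_without_tls(svcs))
    print("proxy filter targets:", proxy_targets(svcs))
```

On the thread's "before" layout this flags only 127.0.0.1:10026: loopback-only, so reachable just by local processes, but still the wrong place for client authentication because Postfix re-injects already-filtered mail there. Pass main_cf=dict(smtpd_sasl_auth_enable="yes") to see what happens when main.cf enables SASL globally (check with postconf smtpd_sasl_auth_enable): every smtpd stanza without a TLS override, including plain port 25, is then flagged, and only the wrapper-mode and encrypt stanzas survive.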