* froinds J <[email protected]>:
> I made the changes you suggested and still can't authenticate.
> Here is the log from maillog. Thanks

Your client does not start a TLS session.

p...@rick

> Jan 2 10:14:41 fedora postfix/smtpd[17435]: connection established
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: master_notify: status 0
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: name_mask: resource
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: name_mask: software
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: connect from adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_list_match: adsl-012-034-567-890.sip.my.isp.net : no match
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_list_match: 12.34.56.78: no match
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_list_match: adsl-012-034-567-890.sip.my.isp.net : no match
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_list_match: 12.34.56.78: no match
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 192.168.1.0/28
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 192.168.1.0/28
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 127.0.0.0/8
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 127.0.0.0/8
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 12.34.56.78
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 12.34.56.78
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: >>> START Client host RESTRICTIONS <<<
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: generic_checks: name=permit_mynetworks
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: permit_mynetworks: adsl-012-034-567-890.sip.my.isp.net 12.34.56.78
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 192.168.1.0/28
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 192.168.1.0/28
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 127.0.0.0/8
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 127.0.0.0/8
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 12.34.56.78
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 12.34.56.78
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: generic_checks: name=permit_mynetworks status=1
> Jan 2 10:14:41 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 220 myDomName.com ESMTP Postfix
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: < adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: EHLO [192.168.0.105]
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: >>> START Helo command RESTRICTIONS <<<
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: generic_checks: name=reject_invalid_hostname
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: reject_invalid_hostaddr: [192.168.0.105]
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: generic_checks: name=reject_invalid_hostname status=0
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: >>> END Helo command RESTRICTIONS <<<
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-myDomName.com
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-PIPELINING
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-SIZE 10240000
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-VRFY
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-ETRN
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_list_match: adsl-012-034-567-890.sip.my.isp.net : no match
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_list_match: 12.34.56.78: no match
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-STARTTLS
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-ENHANCEDSTATUSCODES
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-8BITMIME
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250 DSN
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: smtp_get: EOF
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 192.168.1.0/28
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 192.168.1.0/28
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 127.0.0.0/8
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 127.0.0.0/8
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 12.34.56.78
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 12.34.56.78
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: lost connection after EHLO from adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: disconnect from adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: master_notify: status 1
> Jan 2 10:14:42 fedora postfix/smtpd[17435]: connection closed
>
> On Sat, Jan 2, 2010 at 3:50 AM, Patrick Ben Koetter <[email protected]> wrote:
>
> > * froinds J <[email protected]>:
> > > My problem is: if I allow TLS I cannot authenticate. Without TLS everything
> > > works. Here is the output from saslfinger.
> > > Thanks for your help.
> > >
> > > saslfinger - postfix Cyrus sasl configuration Sat Jan 2 02:12:49 EST 2010
> > > version: 1.0.2
> > > mode: server-side SMTP AUTH
> > >
> > > -- basics --
> > > Postfix: 2.6.5
> > > System: Fedora release 12 (Constantine)
> > >
> > > -- smtpd is linked to --
> > > libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00110000)
> > >
> > > -- active SMTP AUTH and TLS parameters for smtpd --
> > > broken_sasl_auth_clients = yes
> > > smtpd_sasl_auth_enable = yes
> > > smtpd_sasl_authenticated_header = yes
> > > smtpd_sasl_local_domain = $myhostname
> > > smtpd_sasl_security_options = noanonymous, noplaintext
> > > smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> > > smtpd_tls_auth_only = yes
> > > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
> > > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
> > > smtpd_tls_loglevel = 3
> > > smtpd_tls_received_header = yes
> > > smtpd_tls_security_level = encrypt
> > > smtpd_tls_session_cache_timeout = 3600s
> > >
> > > -- listing of /usr/lib/sasl --
> > > total 80
> > > drwxr-xr-x. 2 root root 4096 2009-12-29 12:31 .
> > > dr-xr-xr-x. 150 root root 69632 2010-01-01 16:52 ..
> > > -rw-r--r--. 1 root root 70 2009-09-16 09:38 smtpd.conf
> >
> > Delete /usr/lib/sasl/smtpd.conf. Postfix will not use Cyrus SASL 1.x anymore.
> >
> > > -- listing of /usr/lib/sasl2 --
> > > total 504
> > > drwxr-xr-x. 2 root root 4096 2009-12-29 12:31 .
> > > dr-xr-xr-x. 150 root root 69632 2010-01-01 16:52 ..
> > > -rwxr-xr-x. 1 root root 14912 2009-09-24 06:20 libanonymous.so
> > > -rwxr-xr-x. 1 root root 14912 2009-09-24 06:20 libanonymous.so.2
> > > -rwxr-xr-x. 1 root root 14912 2009-09-24 06:20 libanonymous.so.2.0.23
> > > -rwxr-xr-x. 1 root root 17596 2009-09-24 06:20 libcrammd5.so
> > > -rwxr-xr-x. 1 root root 17596 2009-09-24 06:20 libcrammd5.so.2
> > > -rwxr-xr-x. 1 root root 17596 2009-09-24 06:20 libcrammd5.so.2.0.23
> > > -rwxr-xr-x. 1 root root 48032 2009-09-24 06:20 libdigestmd5.so
> > > -rwxr-xr-x. 1 root root 48032 2009-09-24 06:20 libdigestmd5.so.2
> > > -rwxr-xr-x. 1 root root 48032 2009-09-24 06:20 libdigestmd5.so.2.0.23
> > > -rwxr-xr-x. 1 root root 15356 2009-09-24 06:20 liblogin.so
> > > -rwxr-xr-x. 1 root root 15356 2009-09-24 06:20 liblogin.so.2
> > > -rwxr-xr-x. 1 root root 15356 2009-09-24 06:20 liblogin.so.2.0.23
> > > -rwxr-xr-x. 1 root root 15452 2009-09-24 06:20 libplain.so
> > > -rwxr-xr-x. 1 root root 15452 2009-09-24 06:20 libplain.so.2
> > > -rwxr-xr-x. 1 root root 15452 2009-09-24 06:20 libplain.so.2.0.23
> > > -rwxr-xr-x. 1 root root 20872 2009-09-24 06:20 libsasldb.so
> > > -rwxr-xr-x. 1 root root 20872 2009-09-24 06:20 libsasldb.so.2
> > > -rwxr-xr-x. 1 root root 20872 2009-09-24 06:20 libsasldb.so.2.0.23
> > > -rw-r--r--. 1 root root 25 2009-09-16 14:55 Sendmail.conf
> > > -rw-r--r--. 1 root root 138 2010-01-02 01:22 smtpd.conf
> > >
> > > -- listing of /etc/sasl2 --
> > > total 16
> > > drwxr-xr-x. 2 root root 4096 2009-09-24 06:20 .
> > > drwxr-xr-x. 122 root root 12288 2010-01-01 16:31 ..
> > >
> > > -- content of /usr/lib/sasl2/smtpd.conf --
> > > pwcheck_method: auxprop
> >
> > Add:
> >
> > auxprop_plugin: sasldb
> >
> > > mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> > > log_level: 4
> > >
> > > -- active services in /etc/postfix/master.cf --
> > > # service type private unpriv chroot wakeup maxproc command + args
> > > # (yes) (yes) (yes) (never) (100)
> > > 52525 inet n - n - - smtpd -v
> >
> > At a first glance your configuration looks sane. Maybe your problem is not
> > SASL, but TLS. You are running smtpd verbose. What does the log say about
> > errors?
> >
> > > pickup fifo n - n 60 1 pickup
> > > cleanup unix n - n - 0 cleanup
> > > qmgr fifo n - n 300 1 qmgr
> > > tlsmgr unix - - n 1000? 1 tlsmgr
> > > rewrite unix - - n - - trivial-rewrite
> > > bounce unix - - n - 0 bounce
> > > defer unix - - n - 0 bounce
> > > trace unix - - n - 0 bounce
> > > verify unix - - n - 1 verify
> > > flush unix n - n 1000? 0 flush
> > > proxymap unix - - n - - proxymap
> > > proxywrite unix - - n - 1 proxymap
> > > smtp unix - - n - - smtp
> > > relay unix - - n - - smtp
> > >   -o smtp_fallback_relay=
> > > showq unix n - n - - showq
> > > error unix - - n - - error
> > > retry unix - - n - - error
> > > discard unix - - n - - discard
> > > local unix - n n - - local
> > > virtual unix - n n - - virtual
> > > lmtp unix - - n - - lmtp
> > > anvil unix - - n - 1 anvil
> > > scache unix - - n - 1 scache
> > >
> > > -- mechanisms on localhost --
> > >
> > > -- end of saslfinger output --
> >
> > --
> > All technical questions asked privately will be automatically answered on the
> > list and archived for public access unless privacy is explicitly required and
> > justified.
> >
> > saslfinger (debugging SMTP AUTH):
> > <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
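
The diagnosis in this reply can be read off the verbose smtpd log mechanically: STARTTLS is offered, AUTH is not (with smtpd_tls_auth_only = yes it is only announced inside TLS), and the client disconnects after EHLO without sending STARTTLS. The Python script below is an added example, not part of the original thread; it runs that check over a constructed sample abridged from the log quoted above, and the function names summarize and diagnose are hypothetical.

```python
import re

# Constructed sample: abridged from the verbose smtpd log quoted in the thread.
HOST = "adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]"
PFX = "Jan  2 10:14:42 fedora postfix/smtpd[17435]: "
SAMPLE = "\n".join(PFX + rest for rest in [
    f"> {HOST}: 220 myDomName.com ESMTP Postfix",
    f"< {HOST}: EHLO [192.168.0.105]",
    f"> {HOST}: 250-myDomName.com",
    f"> {HOST}: 250-PIPELINING",
    f"> {HOST}: 250-STARTTLS",
    f"> {HOST}: 250 DSN",
    "smtp_get: EOF",
    f"lost connection after EHLO from {HOST}",
])

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
WIRE = re.compile(r"([<>]) \S+ ?\[[^\]]+\]: (.*)$")   # "<" = from client, ">" = to client
LOST = re.compile(r"lost connection after (\S+) from ")

def summarize(log_text):
    """Group verbose smtpd lines by process id (assumes one connection per pid)."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        s = sessions.setdefault(m[1], {"offered": set(), "client": [], "lost_after": None})
        wire, lost = WIRE.match(m[2]), LOST.match(m[2])
        if wire and wire[1] == ">":
            kw = re.match(r"250[- ](\w+)", wire[2])   # keyword of an EHLO reply line
            if kw:
                s["offered"].add(kw[1].upper())
        elif wire:
            s["client"] += [w.upper() for w in wire[2].split()[:1]]
        elif lost:
            s["lost_after"] = lost[1]
    return sessions

def diagnose(s):
    """Name the step of the STARTTLS-then-AUTH sequence where the session stopped."""
    if "STARTTLS" in s["client"]:
        return "client issued STARTTLS: read the TLS and SASL lines that follow"
    if "STARTTLS" not in s["offered"]:
        return "STARTTLS not offered: check the smtpd_tls_* settings"
    if "AUTH" not in s["offered"]:
        return "client never issued STARTTLS, so AUTH was never offered"
    return "AUTH offered in cleartext: smtpd_tls_auth_only is not in effect"

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(pid, sorted(s["offered"]), s["client"], s["lost_after"], diagnose(s))
```

On a real maillog the same functions take the file contents as log_text; a pid that served several connections will have them merged into one entry.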
