On Sun, 06 Mar 2011 13:18:02 +0100 David Touzeau <da...@touzeau.eu> articulated:
> dear
>
> i would like to use the submission port to authenticate users from the
> internet, allowing them to use the postfix smtpd server
>
> For testing purposes, i have set a network different from the LAN to be
> sure that postfix allows SASL connections
>
> but it seems that postfix did not want to test the authentication
> method and passed its rules through the subnet rules to finally refuse the
> connection with a "Client host rejected: Access denied"
> We can see that there is a request to saslauthd
> "xsasl_cyrus_server_create: SASL service=smtp, realm=(null)" but i did
> not really understand what it means..
>
>
> I'm using saslauthd through LDAP to perform credentials checking and
> postfix 2.8.0
>
> Where am i wrong ??
>
> When using testsaslauthd
> ----------------------------------------------------------------------
> testsaslauthd -u david.touzeau -p secret -f /var/run/saslauthd/mux -s smtp
> 0: OK "Success."
>
> Content of /etc/postfix/sasl/smtpd.conf
> ----------------------------------------------------------------------
> pwcheck_method: saslauthd
> mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
> log_level: 5
>
> master.cf
> ----------------------------------------------------------------------
> smtp       inet  n  -  n  -  -  smtpd
> submission inet  n  -  n  -  -  smtpd -o smtpd_etrn_restrictions=reject
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtp_generic_maps=
>   -o sender_canonical_maps=
>
> Here is a piece of the debug logs :
> ----------------------------------------------------------------------
>
> Mar 6 13:48:20 bigfiles postfix/smtpd[17456]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
> Mar 6 13:48:20 bigfiles postfix/smtpd[17456]: name_mask: noanonymous
> Mar 6 13:48:22 bigfiles postfix/scache[19807]: statistics: start interval Mar 6 13:45:02
> Mar 6 13:48:22 bigfiles postfix/scache[19807]: statistics: address lookup hits=5 miss=2 success=71%
> Mar 6 13:48:22 bigfiles postfix/scache[19807]: statistics: max simultaneous domains=0 addresses=1 connection=2
> Mar 6 13:48:40 bigfiles postfix/postfix-script[22489]: stopping the Postfix mail system
> Mar 6 13:48:40 bigfiles postfix/master[2548]: terminating on signal 15
> Mar 6 13:48:40 bigfiles postfix/postfix-script[22571]: starting the Postfix mail system
> Mar 6 13:48:40 bigfiles postfix/master[22572]: daemon started -- version 2.8.0, configuration /etc/postfix
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: ipv4
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: inet_addr_local: configured 3 IPv4 addresses
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: process generation: 3 (3)
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks ~? debug_peer_list
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks ~? fast_flush_domains
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: mynetworks ~? mynetworks
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? debug_peer_list
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? fast_flush_domains
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? mynetworks
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? permit_mx_backup_networks
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? qmqpd_authorized_clients
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: relay_domains ~? relay_domains
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/relay_domains
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: permit_mx_backup_networks ~? debug_peer_list
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: permit_mx_backup_networks ~? fast_flush_domains
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: permit_mx_backup_networks ~? mynetworks
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/canonical
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/virtual
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? debug_peer_list
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? fast_flush_domains
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? mynetworks
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? permit_mx_backup_networks
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? qmqpd_authorized_clients
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? relay_domains
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: smtpd_access_maps ~? smtpd_access_maps
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/postfix_allowed_connections
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/disallow_my_domain
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: unknown_helo_hostname_tempfail_action = defer_if_permit
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: unknown_address_tempfail_action = defer_if_permit
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: unverified_recipient_tempfail_action = defer_if_permit
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: unverified_sender_tempfail_action = defer_if_permit
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: xsasl_cyrus_server_init: SASL config file is smtpd.conf
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: auto_clnt_create: transport=local endpoint=private/tlsmgr
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: auto_clnt_open: connected to private/tlsmgr
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: send attr request = seed
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: send attr size = 32
> Mar 6 13:48:54 bigfiles postfix/tlsmgr[22709]: warning: request to update table btree:/var/spool/postfix/smtpd_tls_cache in non-postfix directory /var/spool/postfix
> Mar 6 13:48:54 bigfiles postfix/tlsmgr[22709]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: private/tlsmgr: wanted attribute: status
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute name: status
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute value: 0
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: private/tlsmgr: wanted attribute: seed
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute name: seed
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute value: 8yQIuFPQO1SlOgwW34spjBxOQUBIKQviClxqsPk3HoQ=
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: private/tlsmgr: wanted attribute: (list terminator)
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute name: (end)
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: CVE-2010-4180
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: send attr request = policy
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: send attr cache_type = smtpd
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: private/tlsmgr: wanted attribute: status
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute name: status
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute value: 0
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: private/tlsmgr: wanted attribute: cachable
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute name: cachable
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute value: 1
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: private/tlsmgr: wanted attribute: (list terminator)
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: input attribute name: (end)
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: fast_flush_domains ~? debug_peer_list
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_string: fast_flush_domains ~? fast_flush_domains
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Compiled against Berkeley DB: 4.5.20?
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: Run-time linked against Berkeley DB: 4.5.20?
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: dict_open: hash:/etc/postfix/mydestination
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: auto_clnt_create: transport=local endpoint=private/anvil
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: connection established
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: master_notify: status 0
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: resource
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: name_mask: software
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: connect from unknown[192.168.1.211]
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_list_match: unknown: no match
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_list_match: 192.168.1.211: no match
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_list_match: unknown: no match
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_list_match: 192.168.1.211: no match
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_hostname: unknown ~? 192.168.1.0/24
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: match_hostaddr: 192.168.1.211 ~? 192.168.1.0/24
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: >>> START Client host RESTRICTIONS <<<
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: generic_checks: name=permit_sasl_authenticated
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: generic_checks: name=permit_sasl_authenticated status=0
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: generic_checks: name=reject
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: NOQUEUE: reject: CONNECT from unknown[192.168.1.211]: 554 5.7.1 <unknown[192.168.1.211]>: Client host rejected: Access denied; proto=SMTP
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: generic_checks: name=reject status=2
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: > unknown[192.168.1.211]: 554 5.7.1 <unknown[192.168.1.211]>: Client host rejected: Access denied
> Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)

Please follow the instructions available at:

http://www.postfix.org/DEBUG_README.html#mail

Particularly:

Output from "postconf -n". Please do not send your main.cf file, or 500+
lines of postconf output.

Better, provide output from the postfinger tool. This can be found at
http://ftp.wl0.org/SOURCES/postfinger.

If the problem is SASL related, consider including the output from the
saslfinger tool. This can be found at
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/.

-- 
Jerry ✌
postfix-u...@seibercom.net

_____________________________________________________________________
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
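An added example, not from the thread or from Postfix itself: it reads smtpd debug lines like the ones quoted above (a constructed excerpt is embedded) and reports at which SMTP stage the NOQUEUE reject was logged, what `permit_sasl_authenticated` returned, and whether any SASL login had been recorded before the reject. `analyze_reject` and the regex names are this example's own.

```python
import re

# Constructed excerpt modelled on the smtpd debug lines quoted in the thread.
SAMPLE_LOG = """\
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: connect from unknown[192.168.1.211]
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: >>> START Client host RESTRICTIONS <<<
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: generic_checks: name=permit_sasl_authenticated
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: generic_checks: name=permit_sasl_authenticated status=0
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: generic_checks: name=reject
Mar 6 13:48:54 bigfiles postfix/smtpd[22708]: NOQUEUE: reject: CONNECT from unknown[192.168.1.211]: 554 5.7.1 <unknown[192.168.1.211]>: Client host rejected: Access denied; proto=SMTP
"""

# The word after "reject:" is the SMTP stage at which the restriction list ran.
REJECT_RE = re.compile(r"NOQUEUE: reject: (?P<stage>[A-Z-]+) from (?P<client>\S+?): "
                       r"(?P<code>\d{3}) (?P<esc>\d\.\d\.\d) ")
# generic_checks status values: 0 = no decision (DUNNO), 1 = OK, 2 = REJECT.
SASL_CHECK_RE = re.compile(r"generic_checks: name=permit_sasl_authenticated status=(\d)")
# A completed AUTH is visible as sasl_username=... on later smtpd lines.
AUTH_RE = re.compile(r"\bsasl_username=")


def analyze_reject(log_text):
    """Describe the first NOQUEUE reject in log_text, or None if there is none."""
    authenticated = False
    sasl_check_status = None
    for line in log_text.splitlines():
        if AUTH_RE.search(line):
            authenticated = True
        m = SASL_CHECK_RE.search(line)
        if m:
            sasl_check_status = int(m.group(1))
        m = REJECT_RE.search(line)
        if not m:
            continue
        stage = m.group("stage")
        # No AUTH command can precede CONNECT-time checks, so at that stage
        # permit_sasl_authenticated is a guaranteed no-op and "reject" wins.
        before_auth = stage == "CONNECT"
        return {
            "stage": stage,
            "client": m.group("client"),
            "code": m.group("code"),
            "sasl_check_status": sasl_check_status,
            "authenticated_before_reject": authenticated,
            "reject_before_auth_possible": before_auth,
            "verdict": ("client restrictions ran at CONNECT, before AUTH was possible"
                        if before_auth else "rejected at %s" % stage),
        }
    return None
```

A reject logged at CONNECT means the client restrictions were applied before the client could send AUTH, which is why `permit_sasl_authenticated` returned status=0 (no decision) and the trailing `reject` fired; with Postfix's default `smtpd_delay_reject = yes` the same list is evaluated at RCPT TO, after AUTH.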