Hi Edgar,

thanks for the ipv4 hint. Fixed it by removing the ipv6 addresses from mynetworks. (no change in behaviour as far as I could see)

The cert and key files do exist, and they're sufficient since it's only me using this mailserver. Or is there any realistic security risk to it?

@Wietse:

"First, see "Testing SASL authentication in the Postfix SMTP Server"
instructions at http://www.postfix.org/SASL_README.html#server_test.
Run the test with port 587 or 25 as appropriate.

Second, find out whether the mail client sends the AUTH command:"


Test successful and mail client does send AUTH.

Now I did further attempts to solve the problems, changed two things:
1) in /etc/dovecot/conf.d/10-auth.conf I added "login" to the line "auth_mechanisms = plain"
2) in postfix main.cf added "smtpd_sasl_local_domain = mydomain.com"

(And re-set the correct relayhost which was empty in yesterday's postconf for another reason.)

With these changes, relay host authentication works and I am able to send e-mail from my local user via the smtp host of a big e-mail provider, thus avoiding problems with my "unknown" hostname. I tried to undo the changes to see which one did the trick, but it still worked then. Whatever... happy it does work.


Now the only problem I still have is authentication for external mail to local users. This is what originally set me on the track that SASL would not work. (Since at that point I wasn't able to send mail via relayhost, so I tried with local users.) I can send mail from an external source (e.g. mail client on my notebook) to a local user (local on my mailserver) without authentication. I'm not sure, is this by design? I would like to enforce authentication to prevent spam. But at the same time, I need to be able to receive mail from public mail providers. Is there a way to have both?

Regards
Nathan
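The usual way to get both, as an added example that is not part of this thread: on port 25 reject_unauth_destination already accepts unauthenticated mail for your own domains (which inbound mail from public providers requires) while refusing relay, and a separate submission service on port 587 in master.cf is where authentication is enforced for your own client. This assumes the Postfix 2.9 from the thread, hence smtpd_recipient_restrictions rather than smtpd_relay_restrictions; the syslog_name is a constructed label.

```conf
# main.cf: port 25 stays open to the world for mail addressed to
# $mydestination, but refuses relaying for anyone who is neither in
# mynetworks nor SASL-authenticated. Postfix 2.9 has no
# smtpd_relay_restrictions, so this lives in smtpd_recipient_restrictions.
# Setting smtpd_sasl_auth_enable = no here keeps AUTH off port 25 entirely;
# it is then offered only on the submission service below.
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# master.cf: a separate submission service on port 587 for your own mail
# client. TLS is mandatory and nothing is accepted without SASL; the -o
# lines override main.cf for this service only.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

After reloading Postfix, the mail client should be pointed at port 587 with STARTTLS and AUTH, and the SASL_README server test run against port 587 should show AUTH advertised only after STARTTLS.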


On 28.12.2014 at 01:50, Edgar Pettijohn wrote:
Doubt if this is the cause but I just noticed this and was curious if it would cause problems. You have inet_protocols as ipv4 and have ipv6 notation under mynetworks. Again not sure about this, but do these exist and why can't you do better?

smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

There is a lot of config to do in dovecot and that's probably where the issue lies. What about some good ole fashioned log entries.

On 12/27/14 18:33, Jonathan Hermann wrote:
Hi Wietse and Istvan,

thanks for pointing me to my error with the version. Was too busy digging for information and overlooked the obvious.

I realized that my real problem is that SASL auth is not working. Would like to get it from dovecot, but as long as it works I'm fine with cyrus, too. However, none of my attempts worked. Could you guys please take a look? Thanks!

I read http://www.postfix.org/SASL_README.html and http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL. The latter seemed to me the compact version of the first, so I followed it.

This is my current config:

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
mydestination = mydomain.com, localhost.localdomain, localhost
myhostname = mydomain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
sender_canonical_maps = hash:/etc/postfix/sender_canonical
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache


# postconf -a
cyrus
dovecot



and
# grep -v "\#" /etc/dovecot/conf.d/10-master.conf
[...]
service auth {

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

}


Regards and greetings
Nathan


On 20.12.2014 at 04:22, Wietse Venema wrote:
Jonathan Hermann:
Hi folks,

would like to ask for help with a "relay access denied" problem. We're
talking about postfix 2.9.6 on an ubuntu server.
...
smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
As documented, "This feature is available in Postfix 2.10 and later."
So you need to place that in smtpd_recipient_restrictions.

So, currently I left it with recipient_restrictions.
As far as I understand, this is the point where I need to tweak my
config. But I just can't figure out what exactly I need to set.
Does Thunderbird client authenticate to Postfix with SASL? Should
it authenticate with SASL?

If Thunderbird cannot authenticate with SASL, then its IP address
needs to match "mynetworks" (look at output from the Postfix command
"postconf mynetworks", and adjust the main.cf mynetwork settings
if needed).  This parameter is also described in the postconf.5.html
page.

    Wietse


