Port 25 is for MTA unauthenticated traffic, with optional TLS, and
587 requires TLS and sasl auth for MUA submission. The server is
functioning fine for mail submission on 587 and MTA function on port
25, but I am seeing saslauthd authentication failures in maillog e.g.:

Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from
unknown[45.123.221.70]
Apr 26 18:16:25 server04 postfix/smtpd[18323]: setting up TLS
connection from unknown[45.123.221.70]
Apr 26 18:16:26 server04 postfix/smtpd[18323]: TLS connection
established from unknown[45.123.221.70]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)
Apr 26 18:16:27 server04 saslauthd[1953]: Authentication failed for
simon/simonandkate.net: Bind to ldap server failed (invalid
user/password or insufficient access) (-7)
Apr 26 18:16:27 server04 saslauthd[1953]: do_auth         : auth
failure: [user=simon] [service=smtp] [realm=simonandkate.net]
[mech=ldap] [reason=Unknown]
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning: SASL
authentication failure: Password verification failed
Apr 26 18:16:27 server04 postfix/smtpd[18323]: warning:
unknown[45.123.221.70]: SASL PLAIN authentication failed:
authentication failure


1. At the moment when a bot knocks on the postfix server I see
postfix/smtpd[pid] etc. in maillog: can that message show if the
knock is on port 25 or 587?

In master.cf submission entry:
 -o syslog_name=postfix/submission
Aha! Just what I needed... thanks Noel.

2. Is my config correct for my desired outcome (below)?

Looks OK, but the "Bind to ldap server failed" errors would seem to
be a config error in your saslauthd.


  -- Noel Jones

That's the knocker trying to auth as simon (not a bad guess given my domain name and email address, which is guaranteed to be out there on bot lists somewhere) and failing, so the saslauth fails. I assume so anyway... if I auth to 587 as me properly it all works fine and binds to LDAP no problems. testsaslauthd all works, and only auth'd users can submit mail.

Thanks.
I'm about to migrate mail to a new server with postfix on CentOS 7,
but I need to make sure I understand this better and have it right
before changing, not just blindly changing things.

Would appreciate some advice if anyone would see fit to comment.
Thanks
Simon.
extract from master.cf:

# std port for incoming port 25. No SASL auth allowed
# smtpd_sasl_auth_enable=no is default, but left here for clarity
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_sasl_auth_enable=no

# submission port
submission inet n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

extract from main.cf:

# Enable sasl auth.
# Master.cf sets this separately for 25 and 587, so commented out here
# smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/mail-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail-key.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/root-bundle.pem

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
----- End message from Noel Jones <njo...@megan.vbhcs.org> -----
--
Simon Wilson
M: 0400 12 11 16
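As an added example (not code from the thread, from Noel, or from Postfix itself), here is a small Python triage script that applies the syslog_name tip above to the kind of maillog excerpt quoted at the top: once the submission service logs as postfix/submission/smtpd, the parser can split SASL failures by service and by client IP, and pair them with the saslauthd do_auth lines to see which usernames are being tried. The log lines, hostnames and IPs are constructed; the mapping of the default postfix/smtpd prefix to the port-25 service assumes only the two smtpd services shown in the master.cf extract.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt (not the thread's real log). The
# submission service logs as postfix/submission/smtpd once master.cf carries
# "-o syslog_name=postfix/submission"; port 25 keeps the default postfix/smtpd.
SAMPLE_LOG = """\
Apr 26 18:16:23 server04 postfix/smtpd[18323]: connect from mx.example.org[192.0.2.10]
Apr 26 18:16:24 server04 postfix/smtpd[18323]: disconnect from mx.example.org[192.0.2.10]
Apr 26 18:17:01 server04 postfix/submission/smtpd[18330]: connect from unknown[198.51.100.7]
Apr 26 18:17:02 server04 saslauthd[1953]: do_auth         : auth failure: [user=simon] [service=smtp] [realm=example.net] [mech=ldap] [reason=Unknown]
Apr 26 18:17:02 server04 postfix/submission/smtpd[18330]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Apr 26 18:17:05 server04 saslauthd[1953]: do_auth         : auth failure: [user=admin] [service=smtp] [realm=example.net] [mech=ldap] [reason=Unknown]
Apr 26 18:17:05 server04 postfix/submission/smtpd[18330]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Apr 26 18:18:10 server04 postfix/submission/smtpd[18331]: connect from unknown[203.0.113.5]
Apr 26 18:18:11 server04 saslauthd[1953]: do_auth         : auth failure: [user=simon] [service=smtp] [realm=example.net] [mech=ldap] [reason=Unknown]
Apr 26 18:18:11 server04 postfix/submission/smtpd[18331]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
"""

# Classic syslog layout: timestamp, host, "program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# smtpd's own failure warning, which carries the client name and IP.
SASL_FAIL_RE = re.compile(
    r"^warning: (?P<name>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)
# saslauthd's do_auth line, which carries the username but no client IP.
SASLAUTHD_FAIL_RE = re.compile(r"^do_auth\s*: auth failure: \[user=(?P<user>[^\]]*)\]")


def service_of(prog):
    """Recover the master.cf service name from the syslog program field.

    Postfix logs as "<syslog_name>/<daemon>". With the override from the
    thread, submission traffic logs as postfix/submission/smtpd, while the
    port-25 service keeps the default postfix/smtpd. Mapping that default
    prefix to "smtp" is an assumption that holds only when these two are
    the only smtpd services in master.cf.
    """
    parts = prog.split("/")
    if parts[-1] != "smtpd":
        return None  # not an smtpd line (saslauthd, cleanup, qmgr, ...)
    return parts[1] if len(parts) == 3 else "smtp"


def summarize(log_text, threshold=2):
    """Count SASL failures per service and per client IP, and collect the
    usernames saslauthd reports as failing. Returns a plain dict so the
    result can feed an alert or a block list. `threshold` is a placeholder
    value: how many failures from one IP count as repeated guessing."""
    per_service = Counter()
    per_client = Counter()
    users = Counter()
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, msg = m["prog"], m["msg"]
        if prog == "saslauthd":
            f = SASLAUTHD_FAIL_RE.match(msg)
            if f:
                users[f["user"]] += 1
            continue
        svc = service_of(prog)
        if svc is None:
            continue
        f = SASL_FAIL_RE.match(msg)
        if f:
            per_service[svc] += 1
            per_client[(svc, f["ip"])] += 1
    repeat = sorted(ip for (_, ip), n in per_client.items() if n >= threshold)
    return {
        "per_service": dict(per_service),
        "per_client": dict(per_client),
        "users": dict(users),
        "repeat_offenders": repeat,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("SASL failures per service:", report["per_service"])
    for (svc, ip), n in sorted(report["per_client"].items()):
        print(f"  {svc:<11} {ip:<16} {n} failure(s)")
    print("usernames tried:", report["users"])
    print("repeat offenders:", report["repeat_offenders"])
```

Run against the constructed sample, every failure lands on the submission service and none on port 25, which is what the master.cf extract (SASL disabled on smtp, required on submission) should produce; a failure attributed to "smtp" after the syslog_name override is in place would mean the port-25 service is offering AUTH after all and the config needs another look. The repeat_offenders list is the piece to hand to a fail2ban-style rule.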
