Many thanks for the replies I've got so far. They helped, and now I have
postfix running with SASL, and both ports 587 and 465 answer on telnet. But
I still can't authenticate:

telnet localhost 25
220 server.mydomain.net ESMTP Postfix (Debian/GNU)
AUTH LOGIN
334 VXNlcm5hbWU6
c29tZXVzZXI=
334 UGFzc3dvcmQ6
c29tZXBhc3M=
454 4.7.0 Temporary authentication failure: generic failure

I created a new user/shell account for the test and I'm using PAM for
authentication, but those credentials don't work. Trying as root/password
didn't work either.

My installation method and configuration files have changed a little. I am
posting them here.

============
INSTALLATION
============
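# Install recipe, run as root on Debian: Let's Encrypt certificate through the
# Apache plugin, Cyrus SASL (saslauthd) for SMTP AUTH, then Postfix.
# Commands that the mail client had wrapped onto two lines are rejoined here.

apt-get install -y certbot python3-certbot-apache
apt-get install -y libsasl2-2 libsasl2-modules sasl2-bin
apt-get install -y postfix

cp /ss/xhome/mydomain.net.conf /etc/apache2/sites-available/
a2ensite mydomain.net.conf
a2dissite 000-default
systemctl reload apache2
# The --email value is reproduced exactly as it appears in the post.
certbot certonly -a apache --agree-tos --no-eff-email --staple-ocsp \
  --email postmas...@mydomain.net -d mydomain.net
# The certbot run above creates 2 files:
# /etc/letsencrypt/live/mydomain.net/fullchain.pem
# /etc/letsencrypt/live/mydomain.net/privkey.pem

systemctl reload apache2

cp /root/pfstuff/main.cf /etc/postfix/
cp /root/pfstuff/master.cf /etc/postfix/

# With pwcheck_method saslauthd the server only ever receives a plaintext
# password to check, so it cannot verify the shared-secret mechanisms
# CRAM-MD5 and DIGEST-MD5. Only PLAIN and LOGIN are offered.
# PLAIN and LOGIN carry the password base64-encoded, not encrypted, so AUTH
# should be confined to TLS sessions (main.cf in this post sets
# smtpd_tls_auth_only = no, which permits AUTH without TLS).
echo 'pwcheck_method: saslauthd' > /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

# Group sasl is presumably what grants access to the saslauthd socket
# directory on Debian; verify the directory's owner and mode.
usermod -a -G sasl postfix

# NOTE(review): nothing in this recipe starts saslauthd or places its socket
# where a chrooted smtpd can reach it. master.cf in this post runs every smtpd
# service with chroot "y", so the socket path is resolved inside the Postfix
# chroot. A missing or unreachable socket is a common cause of
# "454 4.7.0 Temporary authentication failure: generic failure".
# Confirm the daemon is running (systemctl status saslauthd) and check the
# PAM backend on its own with testsaslauthd, using a throwaway test account.

systemctl restart postfix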
========================


============
MAIN.CF
============
# Postfix main.cf as posted. Comments are review notes; settings are unchanged.
myhostname = server.mydomain.net

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2

# Server certificate chain and private key, the two files the certbot step in
# the installation section produces.
smtpd_tls_cert_file=/etc/letsencrypt/live/mydomain.net/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mydomain.net/privkey.pem
# NOTE(review): "no" lets clients send AUTH on a connection that has not
# negotiated TLS. With PLAIN/LOGIN the password is only base64-encoded, so it
# crosses the wire readable. The port-25 telnet test in this post depends on
# this setting; consider "yes" once testing is done.
smtpd_tls_auth_only = no
# smtp_use_tls / smtpd_use_tls are the older forms of the *_tls_security_level
# parameters, which are also set below.
smtp_use_tls=yes
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# "may" = opportunistic TLS: STARTTLS is offered but not required on port 25.
smtpd_tls_security_level=may
smtpd_tls_loglevel = 1
smtpd_sasl_auth_enable = yes
# smtp_ (no "d") is a client-side parameter: it filters mechanisms Postfix
# uses when it authenticates to other servers, not what this server accepts.
smtp_sasl_mechanism_filter = !gssapi, !login, static:all
# Only anonymous login is excluded; plaintext mechanisms stay allowed both
# with and without TLS.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
# Cyrus SASL with path "smtpd" reads smtpd.conf, the file the installation
# section writes to /etc/postfix/sasl/.
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# Excludes SSLv2, SSLv3, TLSv1 and TLSv1.1 for both the server (smtpd) and the
# client (smtp) side.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Relay is allowed for local networks and authenticated clients only.
# NOTE(review): the next entry was wrapped by the mail client; in main.cf the
# second line must begin with whitespace to count as a continuation.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
# NOTE(review): wrapped by the mail client as well; same continuation rule.
mydestination = $myhostname, mydomain.net, server.mydomain.net,
localhost.mydomain.net, localhost
relayhost =
# Loopback addresses only, so permit_mynetworks trusts nothing beyond this host.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
========================


============
MASTER.CF
============
# Postfix master.cf as posted, network-facing services.
# Columns: service type private unpriv chroot wakeup maxproc command.
# Port 25 is fronted by postscreen, which hands connections to the "smtpd pass"
# service. Every smtpd entry here has chroot "y", so paths such as the
# saslauthd socket are resolved inside the Postfix chroot (presumably
# /var/spool/postfix on Debian; confirm).
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy
# Port 587: STARTTLS is mandatory ("encrypt"), which also means AUTH is only
# accepted after TLS; relay and recipients are limited to authenticated
# clients.
# NOTE(review): one "-o" below was split from its value by the mail client.
# The value line starts in column 0 and would be read as a new service entry;
# in a real master.cf "-o name=value" stays on one indented line.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
# Port 465: implicit TLS (wrappermode), so the whole session including AUTH is
# encrypted. The same mail-client wrapping of one "-o" line applies here.
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING-TLS
# Internal Postfix services followed by pipe-based delivery transports.
# Columns: service type private unpriv chroot wakeup maxproc command.
# None of these entries carries SASL or TLS overrides. The pipe transports and
# local/virtual run with chroot "n" and, for pipe, under the user= account
# named in their flags line.
# NOTE(review): several pipe entries below (uucp, bsmtp, scalemail-backend)
# were wrapped by the mail client, leaving the tail of argv in column 0; in a
# real master.cf those lines must be indented to continue the entry.
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)

ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
$recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
========================



On Tue, Jun 21, 2022 at 5:17 PM Luc GMail <lucm...@gmail.com> wrote:

> Hi. I've been trying to properly install and run postfix with no success.
> I've read many recipes and instructions and made many attempts and
> something always fails.
>
> What I've accomplished so far:
> - postfix is running
> - I can send test mail from the command line (mailx) to an email account
> elsewhere and the headers confirm it was sent by postfix
> - telnet mydomain.net 25 replies and is ready for action
>
> What I still need:
> - SSL and/or TLS. Postfix does not bind to port 587 or 465 at all.
>
> After all the attempts, I made what I consider to be my own best recipe,
> the one that seems to get the closest to a working installation:
>
> ---------------- 8< ----------------
> apt-get install -y certbot python3-certbot-apache
> apt-get install -y libsasl2-2 libsasl2-modules sasl2-bin
> apt-get install -y postfix
>
> cp /home/me/postfixstuff/mydomain.net.conf /etc/apache2/sites-available/
> a2ensite mydomain.net.conf
> a2dissite 000-default
> systemctl reload apache2
> certbot certonly -a apache --agree-tos --no-eff-email --staple-ocsp
> --email postmas...@mydomain.net -d mydomain.net
>
> systemctl reload apache2
>
> cp /home/me/postfixstuff/main.cf /etc/postfix/
>
> systemctl restart postfix
> tail -n 20 /var/log/mail.log
> ---------------- >8 ----------------
>
>
>
> Here are the contents of my main.cf file:
>
>
>
> ---------------- 8< ----------------
> myhostname = server.mydomain.net
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> biff = no
>
> append_dot_mydomain = no
>
> readme_directory = no
>
> compatibility_level = 2
>
> # TLS parameters
> smtpd_tls_cert_file=/etc/letsencrypt/live/mydomain.net/fullchain.pem
> smtpd_tls_key_file=/etc/letsencrypt/live/mydomain.net/privkey.pem
> smtpd_use_tls=yes
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_tls_security_level=may
> smtpd_tls_loglevel = 1
>
> #Enable TLS Encryption when Postfix sends outgoing emails
> smtp_tls_security_level = may
> smtp_tls_loglevel = 1
>
> #Enforce TLSv1.3 or TLSv1.2
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
> defer_unauth_destination
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = $myhostname, mydomain.net, server.mydomain.net,
> localhost.mydomain.net, localhost
> relayhost =
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> recipient_delimiter = +
> inet_interfaces = all
> inet_protocols = all
> ---------------- >8 ----------------
>
> What else do I need to do?
>
> Somebody help? Please?!
>
>
