On Thu, Jun 23, 2022 at 13:03:02PM -0300, Viktor Dukhovni wrote:

> Your Postfix SMTP service chrooted, you need to provide a mux socket
> *inside* the chroot jail, or else (simpler) turn off chroot for the
> submission services in master.cf.

I researched and changed a few 'y' options to 'n' in master.cf so now
a few processes are no longer chrooted.

I sent out a test message from claws-mail and it worked!

But I'm not so sure I am a happy camper.

Shouldn't I be running everything chrooted for better security? Isn't
turning that off a bad idea?

> Your Postfix SMTP service chrooted, you need to provide a mux socket
> *inside* the chroot jail, or else (simpler) turn off chroot for the
> submission services in master.cf.

And how exactly do I do that? I found many discussions involving this
so-called mux file, but none of them explains how to make a chrooted mailer
find the mux file.

On Thu, Jun 23, 2022 at 9:34 AM Luc GMail <lucm...@gmail.com> wrote:

> On Thu, Jun 23, 2022 at 03:09:36AM -0300, Viktor Dukhovni wrote:
>
> >> telnet localhost 25
> >> 220 server.mydomain.net ESMTP Postfix (Debian/GNU)
> >> AUTH LOGIN
> >> 334 VXNlcm5hbWU6
> >> c29tZXVzZXI=
> (someuser)
> >> 334 UGFzc3dvcmQ6
> >> c29tZXBhc3M=
> (somepass)
> >> 454 4.7.0 Temporary authentication failure: generic failure
>
> > If those are "real" credentials, make sure they're
> > disabled before you get SASL working, otherwise
> > they're liable to get abused.
>
> Thank you for the reply!
>
> I was wondering if someone was going to decode them.
> No, they are not real. I made those up for this message only and I
> actually passed them through base64 before pasting.
> Thank you for the warning.
> Now I wonder what is the point of requiring b64 hashes when they can be
> decoded so easily...
>
> > As for why authentication is failing, is "saslauthd" actually installed
> > and running with a sensible backend (e.g. "-a pam") specified?.
>
> Yes.
>
> # ps aux | grep saslauthd
> root     32304  0.0  0.2  18364  2512 ?        Ss   07:37   0:00
> /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 2
> root     32305  0.0  0.0  18364   916 ?        S    07:37   0:00
> /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 2
>
> >> smtpd_sasl_type = cyrus
> >> smtpd_sasl_path = smtpd
>
> > These look OK, but You really should have in main.cf:
> > smtpd_tls_auth_only = yes
> > smtpd_sasl_auth_enable = no
>
> I made those changes, and things became more difficult. Now I can't test
> authentication on the command line.
>
> Port 587 says:
> AUTH LOGIN
> 530 5.7.0 Must issue a STARTTLS command first
>
> Port 465 says:
> AUTH LOGIN
> Connection closed by foreign host.
>
> Port 25 says:
> AUTH LOGIN
> 503 5.5.1 Error: authentication not enabled
>
> How do I test credentials now?
>
> > and then (as you do) enable SASL only for the submission servers in
> > master.cf, for which TLS is required.  Your test with then be via:
>
> > openssl s_client -starttls smtp -connect localhost:587
>
> It works and generates a lot of output, including a certificate.
>
>
> ---------------------- 8< ------------------
>
> # openssl s_client -starttls smtp -connect localhost:587
> CONNECTED(00000003)
> Can't use SSL_get_servername
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = mydomain.net
> verify return:1
> Certificate chain
>  0 s:CN = mydomain.net
>    i:C = US, O = Let's Encrypt, CN = R3
>  1 s:C = US, O = Let's Encrypt, CN = R3
>    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>  2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFIjCCBEqgAwIBAgISAwUfG2SSysJMtK3T8EYxHjtC0AYGCSqGSIb3DQEBCwUA
> (content elided)
> OgPrJFAT+GP94c6XP3JSZEwolyuEMA==
> -----END CERTIFICATE-----
> subject=CN = mydomain.net
>
> issuer=C = US, O = Let's Encrypt, CN = R3
>
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> SSL handshake has read 4814 bytes and written 396 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> 250 CHUNKING
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_AES_256_GCM_SHA384
>     Session-ID: E0AF(...)
>     Session-ID-ctx:
>     Resumption PSK: C49D(...)
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - d8 4c 06 08 54 c7 24 e3-54 f2 9c d2 46 3b d8 67
> .L..T.$.T...F;.g
>     0010 - 5b e6 42 f3 e6 9d 0f 96-ec 0b 7b 0a 30 45 66 92
> [.B.......{.0Ef.
> (...)
>     00c0 - 3d 4a 15 c2 5b d3 7b d9-f7 af 60 27 d3 6a 03 e5
> =J..[.{...`'.j..
>
>     Start Time: 1655987062
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
>     Max Early Data: 0
> ---
> read R BLOCK
>
> ---------------------- >8 ------------------
>
> On Wed, Jun 22, 2022 at 4:50 PM Luc GMail <lucm...@gmail.com> wrote:
>
>> Many thanks for the replies I've got so far. They helped, and now I have
>> postfix running with SASL, and both ports 587 and 465 answer on telnet. But
>> I still can't authenticate:
>>
>> telnet localhost 25
>> 220 server.mydomain.net ESMTP Postfix (Debian/GNU)
>> AUTH LOGIN
>> 334 VXNlcm5hbWU6
>> c29tZXVzZXI=
>> 334 UGFzc3dvcmQ6
>> c29tZXBhc3M=
>> 454 4.7.0 Temporary authentication failure: generic failure
>>
>> I created a new user/shell account for the test and I'm using PAM for
>> authentication, but those credentials don't work. Trying as root/password
>> didn't work either.
>>
>> My installation method and configuration files have changed a little. I
>> am posting them here.
>>
>> ============
>> INSTALLATION
>> ============
>> apt-get install -y certbot python3-certbot-apache
>> apt-get install -y libsasl2-2 libsasl2-modules sasl2-bin
>> apt-get install -y postfix
>>
>> cp /ss/xhome/mydomain.net.conf /etc/apache2/sites-available/
>> a2ensite mydomain.net.conf
>> a2dissite 000-default
>> systemctl reload apache2
>> certbot certonly -a apache --agree-tos --no-eff-email --staple-ocsp --email postmas...@mydomain.net -d mydomain.net
>> # this paragraph creates 2 files:
>> # /etc/letsencrypt/live/mydomain.net/fullchain.pem
>> # /etc/letsencrypt/live/mydomain.net/privkey.pem
>>
>> systemctl reload apache2
>>
>> cp /root/pfstuff/main.cf /etc/postfix/
>> cp /root/pfstuff/master.cf /etc/postfix/
>>
>> echo 'pwcheck_method: saslauthd' > /etc/postfix/sasl/smtpd.conf
>> echo 'mech_list: plain login CRAM-MD5 DIGEST-MD5' >> /etc/postfix/sasl/smtpd.conf
>>
>> usermod -a -G sasl postfix
>>
>> systemctl restart postfix
>> ========================
>>
>>
>> ============
>> MAIN.CF
>> ============
>> myhostname = server.mydomain.net
>>
>> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
>> biff = no
>> append_dot_mydomain = no
>> readme_directory = no
>> compatibility_level = 2
>>
>> smtpd_tls_cert_file=/etc/letsencrypt/live/mydomain.net/fullchain.pem
>> smtpd_tls_key_file=/etc/letsencrypt/live/mydomain.net/privkey.pem
>> smtpd_tls_auth_only = no
>> smtp_use_tls=yes
>> smtpd_use_tls=yes
>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>> smtpd_tls_security_level=may
>> smtpd_tls_loglevel = 1
>> smtpd_sasl_auth_enable = yes
>> smtp_sasl_mechanism_filter = !gssapi, !login, static:all
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_tls_security_options = noanonymous
>> smtpd_sasl_type = cyrus
>> smtpd_sasl_path = smtpd
>> smtp_tls_security_level = may
>> smtp_tls_loglevel = 1
>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>> smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>>
>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
>> alias_maps = hash:/etc/aliases
>> alias_database = hash:/etc/aliases
>> myorigin = /etc/mailname
>> mydestination = $myhostname, mydomain.net, server.mydomain.net, localhost.mydomain.net, localhost
>> relayhost =
>> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
>> mailbox_command = procmail -a "$EXTENSION"
>> mailbox_size_limit = 0
>> recipient_delimiter = +
>> inet_interfaces = all
>> inet_protocols = all
>> ========================
>>
>>
>> ============
>> MASTER.CF
>> ============
>> smtp      inet  n       -       y       -       1       postscreen
>> smtpd     pass  -       -       y       -       -       smtpd
>> dnsblog   unix  -       -       y       -       0       dnsblog
>> tlsproxy  unix  -       -       y       -       0       tlsproxy
>> submission inet n       -       y       -       -       smtpd
>>   -o syslog_name=postfix/submission
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_tls_wrappermode=no
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>>   -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>>   -o milter_macro_daemon_name=ORIGINATING
>> smtps     inet  n       -       y       -       -       smtpd
>>   -o syslog_name=postfix/smtps
>>   -o smtpd_tls_wrappermode=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>>   -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
>>   -o milter_macro_daemon_name=ORIGINATING-TLS
>> pickup    unix  n       -       y       60      1       pickup
>> cleanup   unix  n       -       y       -       0       cleanup
>> qmgr      unix  n       -       n       300     1       qmgr
>> tlsmgr    unix  -       -       y       1000?   1       tlsmgr
>> rewrite   unix  -       -       y       -       -       trivial-rewrite
>> bounce    unix  -       -       y       -       0       bounce
>> defer     unix  -       -       y       -       0       bounce
>> trace     unix  -       -       y       -       0       bounce
>> verify    unix  -       -       y       -       1       verify
>> flush     unix  n       -       y       1000?   0       flush
>> proxymap  unix  -       -       n       -       -       proxymap
>> proxywrite unix -       -       n       -       1       proxymap
>> smtp      unix  -       -       y       -       -       smtp
>> relay     unix  -       -       y       -       -       smtp
>>         -o syslog_name=postfix/$service_name
>> showq     unix  n       -       y       -       -       showq
>> error     unix  -       -       y       -       -       error
>> retry     unix  -       -       y       -       -       error
>> discard   unix  -       -       y       -       -       discard
>> local     unix  -       n       n       -       -       local
>> virtual   unix  -       n       n       -       -       virtual
>> lmtp      unix  -       -       y       -       -       lmtp
>> anvil     unix  -       -       y       -       1       anvil
>> scache    unix  -       -       y       -       1       scache
>> postlog   unix-dgram n  -       n       -       1       postlogd
>>
>> maildrop  unix  -       n       n       -       -       pipe
>>   flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
>>
>> uucp      unix  -       n       n       -       -       pipe
>>   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
>>
>> ifmail    unix  -       n       n       -       -       pipe
>>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
>> bsmtp     unix  -       n       n       -       -       pipe
>>   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
>> scalemail-backend unix - n n - 2 pipe
>>   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
>> mailman   unix  -       n       n       -       -       pipe
>>   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
>>   ${nexthop} ${user}
>> ========================
>>
>>
>>
>> On Tue, Jun 21, 2022 at 5:17 PM Luc GMail <lucm...@gmail.com> wrote:
>>
>>> Hi. I've been trying to properly install and run postfix with no
>>> success. I've read many recipes and instructions and made many attempts and
>>> something always fails.
>>>
>>> What I've accomplished so far:
>>> - postfix is running
>>> - I can send test mail from the command line (mailx) to an email account
>>> elsewhere and the headers confirm it was sent by postfix
>>> - telnet mydomain.net 25 replies and is ready for action
>>>
>>> What I still need:
>>> - SSL and/or TLS. Postfix does not bind to port 587 or 465 at all.
>>>
>>> After all the attempts, I made what I consider to be my own best recipe,
>>> the one that seems to get the closest to a working installation:
>>>
>>> ---------------- 8< ----------------
>>> apt-get install -y certbot python3-certbot-apache
>>> apt-get install -y libsasl2-2 libsasl2-modules sasl2-bin
>>> apt-get install -y postfix
>>>
>>> cp /home/me/postfixstuff/mydomain.net.conf /etc/apache2/sites-available/
>>> a2ensite mydomain.net.conf
>>> a2dissite 000-default
>>> systemctl reload apache2
>>> certbot certonly -a apache --agree-tos --no-eff-email --staple-ocsp --email postmas...@mydomain.net -d mydomain.net
>>>
>>> systemctl reload apache2
>>>
>>> cp /home/me/postfixstuff/main.cf /etc/postfix/
>>>
>>> systemctl restart postfix
>>> tail -n 20 /var/log/mail.log
>>> ---------------- >8 ----------------
>>>
>>>
>>>
>>> Here are the contents of my main.cf file:
>>>
>>>
>>>
>>> ---------------- 8< ----------------
>>> myhostname = server.mydomain.net
>>> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
>>> biff = no
>>>
>>> append_dot_mydomain = no
>>>
>>> readme_directory = no
>>>
>>> compatibility_level = 2
>>>
>>> # TLS parameters
>>> smtpd_tls_cert_file=/etc/letsencrypt/live/mydomain.net/fullchain.pem
>>> smtpd_tls_key_file=/etc/letsencrypt/live/mydomain.net/privkey.pem
>>> smtpd_use_tls=yes
>>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>>> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>>> smtpd_tls_security_level=may
>>> smtpd_tls_loglevel = 1
>>>
>>> #Enable TLS Encryption when Postfix sends outgoing emails
>>> smtp_tls_security_level = may
>>> smtp_tls_loglevel = 1
>>>
>>> #Enforce TLSv1.3 or TLSv1.2
>>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>>> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>>> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>>> smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>>>
>>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
>>> alias_maps = hash:/etc/aliases
>>> alias_database = hash:/etc/aliases
>>> myorigin = /etc/mailname
>>> mydestination = $myhostname, mydomain.net, server.mydomain.net, localhost.mydomain.net, localhost
>>> relayhost =
>>> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
>>> mailbox_command = procmail -a "$EXTENSION"
>>> mailbox_size_limit = 0
>>> recipient_delimiter = +
>>> inet_interfaces = all
>>> inet_protocols = all
>>> ---------------- >8 ----------------
>>>
>>> What else do I need to do?
>>>
>>> Somebody help? Please?!
>>>
>>>
