Re: Postfix plain text authentication with SASL

2011-06-09 Thread Patrick Ben Koetter
* Suresh Kumar Prajapati :
> No one is there to help me

You started your thread ignoring the list policy which tells how to ask for 
help.

When I asked you to follow the rules you replied to me offlist.

I looked at your configuration and replied to the list.

You replied offlist again. You did only partially answer the questions I had
asked, but you took some extra time to tell me you were in a hurry.

I am not going "to lay a Mouse in a cat's mouth".

Consider me out unless you are willing to do your part of the work in this
free support.

p@rick


-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: Postfix plain text authentication with SASL

2011-06-09 Thread Suresh Kumar Prajapati
Hi,

Sorry for this.

I am sending you the saslfinger output


Usage: saslfinger [-chs]
Use "saslfinger -h" to find out what the options mean.

[root@quranmail postfix]# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Thu Jun  9 11:24:25 MSD 2011
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.3.3
System: CentOS release 5.6 (Final)

-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x009ad000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 


-- listing of /usr/lib/sasl --
total 28
drwxr-xr-x  2 root root  4096 Jun  7 14:43 .
drwxr-xr-x 36 root root 20480 Jun  7 14:43 ..
-rw-r--r--  1 root root    47 May 31 20:34 smtpd.conf

-- listing of /usr/lib/sasl2 --
total 3064
drwxr-xr-x  2 root root   4096 Jun  9 08:07 .
drwxr-xr-x 36 root root  20480 Jun  7 14:43 ..
-rwxr-xr-x  1 root root    884 Mar 17  2010 libanonymous.la
-rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so
-rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so.2
-rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so.2.0.22
-rwxr-xr-x  1 root root    870 Mar 17  2010 libcrammd5.la
-rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so
-rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so.2
-rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so.2.0.22
-rwxr-xr-x  1 root root    893 Mar 17  2010 libdigestmd5.la
-rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so
-rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so.2
-rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so.2.0.22
-rwxr-xr-x  1 root root    856 Mar 17  2010 liblogin.la
-rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so
-rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so.2
-rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so.2.0.22
-rwxr-xr-x  1 root root    856 Mar 17  2010 libplain.la
-rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so
-rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so.2
-rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so.2.0.22
-rwxr-xr-x  1 root root    930 Mar 17  2010 libsasldb.la
-rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so
-rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so.2
-rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so.2.0.22
-rw-r--r--  1 root root     25 Mar 31  2010 Sendmail.conf

-- listing of /var/lib/sasl2 --
total 8
drwxr-xr-x  2 root root 4096 Jun  9 08:07 .
drwxr-xr-x 18 root root 4096 Jun  9 10:54 ..

-- listing of /etc/sasl2 --
total 16
drwxr-xr-x  2 root root    4096 Jun  9 08:09 .
drwxr-xr-x 54 root postfix 4096 Jun  9 10:54 ..
-rw-r--r--  1 root root      49 Jun  9 08:09 smtpd.conf
-rw-r--r--  1 root root      99 Jun  7 10:10 smtpd.conf.bak




-- content of /usr/lib/sasl/smtpd.conf --
pwcheck_method: saslauthd
saslauthd_version: 2

-- content of /etc/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)

21        inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
  -o fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
uucp  unix  -   n   

Re: Postfix plain text authentication with SASL

2011-06-09 Thread Stephen Ingram
On Thu, Jun 9, 2011 at 12:16 AM, Suresh Kumar Prajapati
 wrote:
> Hi,
>
> and I don't find any saslauthd.conf file
>
> here is the /etc/sasl2/smtpd.conf
>
> pwcheck_method: saslauthd
> mech_list: plain login

That's a problem. In that file (/etc/sasl2/smtpd.conf) you are
specifying that you want to use saslauthd as the method to check
passwords, and you also say that you want to do that using only plain
and login mechanisms, yet you don't have any backend configured to
perform this function. You should read up on sasl more to know how to
do this. I would suggest http://www.postfix.org/SASL_README.html to
get you started.

Steve


Re: Postfix plain text authentication with SASL

2011-06-09 Thread Suresh Kumar Prajapati
Hi,

I've gone through this and set up the things according to the config there.
Please let me know if I'm wrong anywhere.






-- 
Best Regards,
Suresh Kumar Prajapati
Linux Security Admin
E-mail: er.sureshprajap...@gmail.com

Pencils could be made with erasers at both ends, but what would be the
point?


Re: Postfix plain text authentication with SASL

2011-06-09 Thread Patrick Ben Koetter
* Suresh Kumar Prajapati :
> [root@quranmail postfix]# saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Thu Jun  9 11:24:25 MSD 2011
> version: 1.0.2
> mode: server-side SMTP AUTH
> 
> -- basics --
> Postfix: 2.3.3
> System: CentOS release 5.6 (Final)
> 
> -- smtpd is linked to --
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x009ad000)
> 
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = 
> 
> 
> -- listing of /usr/lib/sasl --
> total 28
> drwxr-xr-x  2 root root  4096 Jun  7 14:43 .
> drwxr-xr-x 36 root root 20480 Jun  7 14:43 ..
> -rw-r--r--  1 root root    47 May 31 20:34 smtpd.conf


Please remove /usr/lib/sasl/smtpd.conf. Cyrus SASL 2 will not use it.


> -- listing of /usr/lib/sasl2 --
> total 3064
> drwxr-xr-x  2 root root   4096 Jun  9 08:07 .
> drwxr-xr-x 36 root root  20480 Jun  7 14:43 ..
> -rwxr-xr-x  1 root root    884 Mar 17  2010 libanonymous.la
> -rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so
> -rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so.2
> -rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so.2.0.22
> -rwxr-xr-x  1 root root    870 Mar 17  2010 libcrammd5.la
> -rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so
> -rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so.2
> -rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so.2.0.22
> -rwxr-xr-x  1 root root    893 Mar 17  2010 libdigestmd5.la
> -rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so
> -rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so.2
> -rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so.2.0.22
> -rwxr-xr-x  1 root root    856 Mar 17  2010 liblogin.la
> -rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so
> -rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so.2
> -rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so.2.0.22
> -rwxr-xr-x  1 root root    856 Mar 17  2010 libplain.la
> -rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so
> -rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so.2
> -rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so.2.0.22
> -rwxr-xr-x  1 root root    930 Mar 17  2010 libsasldb.la
> -rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so
> -rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so.2
> -rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so.2.0.22
> -rw-r--r--  1 root root     25 Mar 31  2010 Sendmail.conf
> 
> -- listing of /var/lib/sasl2 --
> total 8
> drwxr-xr-x  2 root root 4096 Jun  9 08:07 .
> drwxr-xr-x 18 root root 4096 Jun  9 10:54 ..
> 
> -- listing of /etc/sasl2 --
> total 16
> drwxr-xr-x  2 root root    4096 Jun  9 08:09 .
> drwxr-xr-x 54 root postfix 4096 Jun  9 10:54 ..
> -rw-r--r--  1 root root      49 Jun  9 08:09 smtpd.conf
> -rw-r--r--  1 root root      99 Jun  7 10:10 smtpd.conf.bak
> 
> 
> -- content of /usr/lib/sasl/smtpd.conf --
> pwcheck_method: saslauthd
> saslauthd_version: 2
> 
> -- content of /etc/sasl2/smtpd.conf --
> pwcheck_method: saslauthd
> mech_list: plain login

OK. Did you check for whitespace? There must be no trailing whitespace.

> -- active services in /etc/postfix/master.cf --
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #   (yes)   (yes)   (yes)   (never) (100)
> 
> 21  inet  n   -   n   -   -   smtpd

I leave it up to you to run the Postfix smtpd server on a different port. For
the moment please disable the line above and follow the standard:

smtp  inet  n   -   n   -   -   smtpd


> -- mechanisms on localhost --
> 
> -- end of saslfinger output --
> 
> Please let me know if anything else is required.

Can you test if authentication works without Postfix? Use the testsaslauthd
command to prove it works:

% testsaslauthd -u username -p password

If that doesn't work we need to fix more than only Postfix configuration.

p@rick
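
Added example, not part of the original thread: the trailing-whitespace question above can be checked mechanically before any SMTP test. The function name `check_sasl_conf` and the sample file are constructed here; the check that only PLAIN and LOGIN are listed with `pwcheck_method: saslauthd` reflects that saslauthd needs the cleartext password.

```shell
#!/bin/sh
# Added example: lint a Cyrus SASL application config such as /etc/sasl2/smtpd.conf.
# Prints one finding per line; exit status 0 = clean, 1 = at least one finding.
check_sasl_conf() {
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    awk '
        # Trailing blanks (or a CR from a DOS-edited file) end up in the option value.
        /[ \t\r]$/ { printf "line %d: trailing whitespace\n", NR; bad = 1 }
        /^[ \t\r]*$/ { next }                   # empty line
        /^[ \t]*#/ { next }                     # comment line
        !/^[A-Za-z0-9_]+:/ {
            printf "line %d: not in \"option: value\" form\n", NR; bad = 1; next
        }
        {
            key = $0; sub(/:.*$/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
            opt[key] = val
        }
        END {
            if (!("pwcheck_method" in opt)) {
                print "pwcheck_method is not set"; bad = 1
            } else if (opt["pwcheck_method"] == "saslauthd") {
                # saslauthd verifies cleartext passwords, so only PLAIN and LOGIN can use it.
                if (!("mech_list" in opt)) {
                    print "mech_list is not set: every installed mechanism would be offered"
                    bad = 1
                } else {
                    n = split(tolower(opt["mech_list"]), mech, " ")
                    for (i = 1; i <= n; i++)
                        if (mech[i] != "plain" && mech[i] != "login") {
                            printf "mech_list: %s cannot be verified through saslauthd\n", mech[i]
                            bad = 1
                        }
                }
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: line 1 ends in a space, line 2 lists a mechanism saslauthd cannot serve.
sample=$(mktemp)
printf 'pwcheck_method: saslauthd \nmech_list: plain login cram-md5\n' > "$sample"
check_sasl_conf "$sample" || echo "fix the findings above before testing SMTP AUTH"
rm -f "$sample"
```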




Re: Postfix plain text authentication with SASL

2011-06-09 Thread Patrick Ben Koetter
Stephen,

* Stephen Ingram :
> On Thu, Jun 9, 2011 at 12:16 AM, Suresh Kumar Prajapati
>  wrote:
> > Hi,
> >
> > and I don't find any saslauthd.conf file
> >
> > here is the /etc/sasl2/smtpd.conf
> >
> > pwcheck_method: saslauthd
> > mech_list: plain login
> 
> That's a problem. In that file (/etc/sasl2/smtpd.conf) you are
> specifying that you want to use saslauthd as the method to check
> passwords, and you also say that you want to do that using only plain
> and login mechanisms, yet you don't have any backend configured to
> perform this function. You should read up on sasl more to know how to
> do this. I would suggest http://www.postfix.org/SASL_README.html to
> get you started.

the debug output tells a different story. The required libraries to offer
PLAIN and LOGIN are there:

-- listing of /usr/lib/sasl2 --
total 3064
drwxr-xr-x  2 root root   4096 Jun  9 08:07 .
drwxr-xr-x 36 root root  20480 Jun  7 14:43 ..
-rwxr-xr-x  1 root root    884 Mar 17  2010 libanonymous.la
-rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so
-rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so.2
-rwxr-xr-x  1 root root  14372 Mar 17  2010 libanonymous.so.2.0.22
-rwxr-xr-x  1 root root    870 Mar 17  2010 libcrammd5.la
-rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so
-rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so.2
-rwxr-xr-x  1 root root  16832 Mar 17  2010 libcrammd5.so.2.0.22
-rwxr-xr-x  1 root root    893 Mar 17  2010 libdigestmd5.la
-rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so
-rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so.2
-rwxr-xr-x  1 root root  47172 Mar 17  2010 libdigestmd5.so.2.0.22
-rwxr-xr-x  1 root root    856 Mar 17  2010 liblogin.la
-rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so
-rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so.2
-rwxr-xr-x  1 root root  14752 Mar 17  2010 liblogin.so.2.0.22
-rwxr-xr-x  1 root root    856 Mar 17  2010 libplain.la
-rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so
-rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so.2
-rwxr-xr-x  1 root root  14848 Mar 17  2010 libplain.so.2.0.22
-rwxr-xr-x  1 root root    930 Mar 17  2010 libsasldb.la
-rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so
-rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so.2
-rwxr-xr-x  1 root root 905200 Mar 17  2010 libsasldb.so.2.0.22
-rw-r--r--  1 root root     25 Mar 31  2010 Sendmail.conf

Suresh also started saslauthd as he told me in an offlist mail.

Everything is there and it should work if we put the pieces together
correctly.

p@rick




Re: Postfix plain text authentication with SASL

2011-06-09 Thread Suresh Kumar Prajapati
Hi,

I've followed all the info you have given and the command shows the following
output

[root@hostname postfix]# testsaslauthd -u tom -p redhat
0: NO "authentication failed"





Re: Postfix plain text authentication with SASL

2011-06-09 Thread Suresh Kumar Prajapati
Hi,

Here is the interactive session output

[root@quranmail postfix]#  telnet  217.23.4.146 25
Trying 217.23.4.146...
Connected to 217.23.4.146.
Escape character is '^]'.
220  ESMTP
ehlo google.com
250-
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth loginm
535 5.7.0 Error: authentication failed: no mechanism available
auth login
334 VXNlcm5hbWU6

334 UGFzc3dvcmQ6

535 5.7.0 Error: authentication failed: authentication failure



Re: virtual aliases and unlisted email addresses

2011-06-09 Thread Patrick Proniewski
On 8 June 2011, at 18:15, Victor Duchovni wrote:

> On Wed, Jun 08, 2011 at 11:33:48AM +0200, Patrick Proniewski wrote:
> 
>> After the period of double delivery is over, we will deliver emails only to 
>> Google servers. So the virtual aliases map is to look like:
>> 
>>  public-addr...@univ-lyon2.fr    public-addr...@univ-lyon2.fr
>>  some-al...@univ-lyon2.fr        public-addr...@univ-lyon2.fr
>>  ...
>> 
>> The first line looks pretty silly to me. Is there any way to tell that 
>> addresses not listed in virtual aliases map are to be forwarded "as is" ?
> 
> Your gateway needs a table of valid recipients, the domain in question
> is presumably configured as a "relay domain" by being listed in
> $relay_domains.


In fact I've tried this. But this domain being already in 
virtual_alias_domains, it looks like it's not a good idea to put it also in 
relay_domains: postfix complains about this for every email passing thru:

Jun  7 15:24:18 ru postfix-mailgw/trivial-rewrite[64375]: warning: do not list domain univ-lyon2.fr in BOTH virtual_alias_domains and relay_domains
Jun  7 15:24:18 ru postfix-mailgw/trivial-rewrite[64375]: warning: do not list domain univ-lyon2.fr in BOTH virtual_alias_domains and relay_domains
Jun  7 15:24:19 ru postfix-mailgw/trivial-rewrite[64375]: warning: do not list domain univ-lyon2.fr in BOTH virtual_alias_domains and relay_domains


>  If you don't want to have identity mappings in
> virtual_alias_maps, you need to add entries to relay_recipient_maps:
> 
>main.cf:
>   # Use "cdb" if you have it.
>   default_database_type = hash
>   indexed = ${default_database_type}:${config_directory}/
>   relay_recipient_maps = ${indexed}relay_rcpts
> 
>relay_rcpts:
>   public-addr...@univ-lyon2.fr    valid
>   ...
> 
> where the word "valid" on "the right hand side" of the table can be
> replaced by any non-empty value that makes sense to you. Postfix
> only needs the lookup key to map to a non-empty result.


I'm using this on MX, so that my servers are not acting as backscatters: only 
valid recipients are accepted by MX and transferred to MailGW. But as postfix 
won't accept using both virtual_alias_domains and relay_domains, I think this 
won't do the trick.


> This said, the identity virtual_alias_maps mappings are a fine way
> to achieve the same result. The lookup will be done anyway, and you
> already have a virtual alias table, so it may in fact be simpler to
> keep using the identity mappings, but you MUST make sure that 
> relay_recipient_maps (assuming the domain is a relay domain) is
> set to some table (be it one with no entries).

Ok

Thank you Viktor.

Patrick PRONIEWSKI
-- 
System Administrator - DSI - Université Lumière Lyon 2





Re: Postfix plain text authentication with SASL

2011-06-09 Thread Patrick Ben Koetter
* Suresh Kumar Prajapati :
> I've followed all the info you have given and the command shows the following
> output
> 
> [root@hostname postfix]# testsaslauthd -u tom -p redhat
> 0: NO "authentication failed"

IIRC you use saslauthd with PAM as backend.

Please try this:
% testsaslauthd -s pam -u tom -p redhat

If that doesn't work configure saslauthd in /etc/sysconfig/saslauthd to use
"shadow" and try testsaslauthd with a system account like this:

% testsaslauthd -s shadow -u tom -p redhat

p@rick




Re: Postfix plain text authentication with SASL

2011-06-09 Thread Patrick Ben Koetter
* Suresh Kumar Prajapati :
> Here is the interactive session output
> 
> [root@quranmail postfix]#  telnet  217.23.4.146 25
> Trying 217.23.4.146...
> Connected to 217.23.4.146.
> Escape character is '^]'.
> 220  ESMTP
> ehlo google.com
> 250-
> 250-PIPELINING
> 250-SIZE 10485760
> 250-VRFY
> 250-ETRN
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> auth loginm
> 535 5.7.0 Error: authentication failed: no mechanism available
> auth login
> 334 VXNlcm5hbWU6
> 
> 334 UGFzc3dvcmQ6
> 
> 535 5.7.0 Error: authentication failed: authentication failure

Yep. We need to fix the backend first. When we're done with the backend we
will return to the SMTP session.

p@rick
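
Added example, not part of the original thread: the `334` lines in the session above are base64-encoded prompts, and LOGIN and PLAIN answers are encoded the same way, so the credentials are readable by anyone who can see the connection unless it is protected by TLS. The account `alice` / `hunter2`, the transcript, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: show what the base64 strings in an SMTP AUTH exchange contain.

# Decode one base64 token; NUL separators (used by AUTH PLAIN) are shown as "|".
b64d() { printf '%s' "$1" | base64 -d 2>/dev/null | tr '\000' '|'; }

# Build an AUTH PLAIN initial response: authzid NUL authcid NUL password (authzid empty).
auth_plain_token() { printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'; }

# Read an SMTP transcript on stdin and annotate every base64 AUTH element.
annotate_auth() {
    after_challenge=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '334 '*)
                # Server challenge: for LOGIN these are the prompts "Username:" / "Password:".
                printf '%s    # server prompt: %s\n' "$line" "$(b64d "${line#334 }")"
                after_challenge=1
                continue ;;
            [Aa][Uu][Tt][Hh]' '[Pp][Ll][Aa][Ii][Nn]' '?*)
                # AUTH PLAIN with initial response: everything is in one token.
                printf '%s    # authzid|user|password: %s\n' "$line" "$(b64d "${line##* }")" ;;
            *)
                if [ "$after_challenge" -eq 1 ] && [ -n "$line" ]; then
                    # The line after a 334 challenge is the client's base64 answer.
                    printf '%s    # client answer: %s\n' "$line" "$(b64d "$line")"
                else
                    printf '%s\n' "$line"
                fi ;;
        esac
        after_challenge=0
    done
}

# Constructed transcript (the prompts are the same two strings the server sent in the thread).
annotate_auth <<'EOF'
250-AUTH LOGIN PLAIN
auth login
334 VXNlcm5hbWU6
YWxpY2U=
334 UGFzc3dvcmQ6
aHVudGVyMg==
535 5.7.0 Error: authentication failed: authentication failure
auth plain AGFsaWNlAGh1bnRlcjI=
535 5.7.0 Error: authentication failed: authentication failure
EOF
```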




Re: Postfix plain text authentication with SASL

2011-06-09 Thread Suresh Kumar Prajapati
Hi
following is the output from the command you have
[root@ ~]# testsaslauthd -s pam -u tom -p redhat
0: NO "authentication failed"

and then I changed /etc/sysconfig/saslauthd
file to MECH=shadow
and then ran the following command

[root@ ~]# testsaslauthd -s shadow -u tom -p redhat
0: OK "Success."




Re: Postfix plain text authentication with SASL

2011-06-09 Thread Patrick Ben Koetter
* Suresh Kumar Prajapati :
> Hi
> following is the output from the command you have
> [root@ ~]# testsaslauthd -s pam -u tom -p redhat
> 0: NO "authentication failed"
> 
> and then I changed /etc/sysconfig/saslauthd
> file to MECH=shadow
> and then ran the following command
> 
> [root@ ~]# testsaslauthd -s shadow -u tom -p redhat
> 0: OK "Success."

Great. We're one step further.

Where do you store the identities mail senders should use to authenticate? Are
all your senders system accounts? Are they in a database?

p@rick





Re: Postfix plain text authentication with SASL

2011-06-09 Thread Patrick Ben Koetter
* Suresh Kumar Prajapati :
> Both are system users and I've assigned password to them using
> passwd user_name
> command as well
> saslpasswd2 user_name

So we have two ways to go: system accounts or separate mail user database.

I recommend using the separate database, because compromised accounts would
only affect your mail service but not the system (if you use different
usernames and passwords...).

Which way do you want to go?

p@rick




-- 
state of mind ()
Digitale Kommunikation

http://www.state-of-mind.de

Franziskanerstraße 15  Telefon +49 89 3090 4664
81669 München  Telefax +49 89 3090 4666

Amtsgericht München  Partnerschaftsregister PR 563



Re: Postfix plain text authentication with SASL

2011-06-09 Thread Suresh Kumar Prajapati
Hi,

For the time being I just want to go with system accounts, once this is set,
I can catch up with the second option.





-- 
Best Regards,
Suresh Kumar Prajapati
Linux Security Admin
E-mail: er.sureshprajap...@gmail.com

Pencils could be made with erasers at both ends, but what would be the
point?


Re: Postfix plain text authentication with SASL

2011-06-09 Thread Patrick Ben Koetter
* Suresh Kumar Prajapati :
> For the time being I just want to go with system accounts, once this is set,
> I can catch up with the second option.

Fine.

Run saslauthd with "-a shadow".
Run testsaslauthd and verify you have a user for whom authentication works.
Drop "smtpd_sasl_local_domain" in main.cf.
Reload postfix.
Download http://jetmore.org/john/code/gen-auth, make it executable and run it
like this:

% ./gen-auth plain username password
Auth String: AGZvbwBiYXI=

Use the Auth String: (here: AGZvbwBiYXI=) in a telnet session. Do not use
"LOGIN" as in your previous test. Send PLAIN like this:

AUTH PLAIN AGZvbwBiYXI=

It *should* work...

p@rick





-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
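
The "Auth String" used in the message above is only base64 over three NUL-separated fields, so it can be built and checked without gen-auth. The following is an added example, not part of the original post and not gen-auth's code; the function names and the sample session are made up for illustration, and it follows the RFC 4616 layout of SASL PLAIN.

```python
import base64
import binascii
import re


class PlainError(ValueError):
    """The input is not a well-formed SASL PLAIN message (RFC 4616)."""


def encode_plain(authcid, passwd, authzid=""):
    """Return the base64 argument for 'AUTH PLAIN'.

    RFC 4616 layout: [authzid] NUL authcid NUL passwd, UTF-8, then base64.
    """
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            raise PlainError("NUL separates the fields and cannot appear inside one")
    if not authcid or not passwd:
        raise PlainError("authcid and passwd must not be empty")
    raw = "\x00".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(auth_string):
    """Reverse encode_plain(); returns (authzid, authcid, passwd)."""
    try:
        raw = base64.b64decode(auth_string, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise PlainError("not valid base64") from exc
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise PlainError("expected two NUL separators, got %d" % (len(parts) - 1))
    try:
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError as exc:
        raise PlainError("fields must be UTF-8") from exc
    if not authcid or not passwd:
        raise PlainError("authcid and passwd must not be empty")
    return authzid, authcid, passwd


# Matches the client command as it is typed in a telnet test session.
_AUTH_PLAIN = re.compile(r"^(\s*AUTH\s+PLAIN)\s+(\S+)\s*$", re.IGNORECASE)


def redact_transcript(lines):
    """Replace AUTH PLAIN arguments before a session transcript is shared."""
    cleaned = []
    for line in lines:
        match = _AUTH_PLAIN.match(line)
        if not match:
            cleaned.append(line)
            continue
        try:
            _, authcid, _ = decode_plain(match.group(2))
            note = "<redacted, login %r>" % authcid
        except PlainError:
            note = "<redacted>"
        cleaned.append("%s %s" % (match.group(1), note))
    return cleaned


# Constructed session; the auth string is the one shown in the message above.
SAMPLE_SESSION = [
    "EHLO client.example.com",
    "AUTH PLAIN AGZvbwBiYXI=",
    "QUIT",
]

if __name__ == "__main__":
    print(decode_plain("AGZvbwBiYXI="))
    print("\n".join(redact_transcript(SAMPLE_SESSION)))
```

The string from the message decodes to an empty authorization identity, login "foo" and password "bar", which shows that anyone who sees an AUTH PLAIN line has the password. Postfix's smtpd_tls_auth_only = yes keeps AUTH from being offered before STARTTLS.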



Re: Postfix plain text authentication with SASL

2011-06-09 Thread Suresh Kumar Prajapati
Hi,

Followed your steps and this is output

warning: SASL authentication failure: Password verification failed
Jun  9 13:12:26 domain.com postfix/smtpd[1391]: warning:
fdsakjfhbdskj.fdsakjfhbdskj.com[ip_address]: SASL plain authentication
failed: authentication failure


testsaslauthd -s pam -u tom -p redhat
0: NO "authentication failed"


testsaslauthd -s pam -u tom -p redhat
0: NO "authentication failed"






-- 
Best Regards,
Suresh Kumar Prajapati
Linux Security Admin
E-mail: er.sureshprajap...@gmail.com

Pencils could be made with erasers at both ends, but what would be the
point?


Re: fqrdns.regexp

2011-06-09 Thread Бак Микаел
Stan Hoeppner wrote:
> On 6/8/2011 7:35 AM, Бак Микаел wrote:
>> Oh, thanks. The maintainer must have renamed it.
> 
> Yes, I renamed it quite a long time ago (in internet time) when it was
> suggested running it through the pcre engine was more optimal.  If
> memory serves me correctly, I made the change something like a year ago,
> or more, maybe much more.
> 

I see.

>> I don't know if the author reads this, but I'd suggest a smallish change
>> for the next release: Put only REJECT alone on each line instead of
>> having custom text. This makes it easier for anyone to change that
>> (using sed) to a custom restriction class.
> 
> The custom text exists for the benefit of victims of false positives,
> and for easy log parsing/statistics generation.  Changing it is trivial
> with sed, as Brian mentioned.
> 

Yep, Brian's sed hack solved my problem.

Thanks for a nice contribution!
Mikael


Re: Postfix plain text authentication with SASL

2011-06-09 Thread Suresh Kumar Prajapati
Hi,

Can anyone help me...





-- 
Best Regards,
Suresh Kumar Prajapati
Linux Securi

Re: Postfix plain text authentication with SASL

2011-06-09 Thread Patrick Ben Koetter
* Suresh Kumar Prajapati :
> Followed your steps and this is output
> 
> warning: SASL authentication failure: Password verification failed
> Jun  9 13:12:26 domain.com postfix/smtpd[1391]: warning:
> fdsakjfhbdskj.fdsakjfhbdskj.com[ip_address]: SASL plain authentication
> failed: authentication failure
> 
> 
> testsaslauthd -s pam -u tom -p redhat
> 0: NO "authentication failed"

testsaslauthd -s shadow -u tom -p redhat

p@rick


-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Sender dependent authentication issue

2011-06-09 Thread Dragan Zubac
Hello

I'm trying to achieve sender dependent authentication.
Please find corresponding configuration files in attachment.
Although the sender dependent authentication is configured, for some
reason Postfix doesn't follow those rules, but is checking the virtual table
instead and rejects the incoming email.

Can anybody help with what I am missing here?

Sincerely
Jun  9 12:29:12 kanta postfix2/smtpd[11850]: connect from 
mail-fx0-f43.google.com[209.85.161.43]
Jun  9 12:29:12 kanta postfix2/smtpd[11850]: NOQUEUE: reject: RCPT from 
mail-fx0-f43.google.com[209.85.161.43]: 550 5.1.1 <38163632...@domain.net>: 
Recipient address rejected: User unknown in local recipient table; 
from= to=<38163632...@domain.net> proto=ESMTP 
helo=
Jun  9 12:29:12 kanta postfix2/smtpd[11850]: disconnect from 
mail-fx0-f43.google.com[209.85.161.43]
smtpd_banner = Welcome to A wasting time laboratory MTA
biff = no

append_dot_mydomain = no

readme_directory = no

myhostname = mail.domain.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname2
mydestination = domain.net,mail.domain.net
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 5.5.5.5

virtual_alias_maps = hash:/etc/postfix2/virtual

smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix2/sasl_passwd

alternate_config_directories = /etc/postfix
syslog_name = postfix2
queue_directory = /var/spool/postfix2
data_directory = /var/lib/postfix2

smtp_bind_address = 5.5.5.5

smtp_host_lookup = dns, native

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
# ==
5.5.5.5:smtp  inet  n   -   -   -   -   smtpd 
#submission inet n   -   -   -   -   smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   -   -   -   smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628   inet  n   -   -   -   -   qmqpd
pickup    fifo  n   -   -   60  1   pickup
cleanup   unix  n   -   -   -   0   cleanup
qmgr      fifo  n   -   n   300 1   qmgr
#qmgr     fifo  n   -   -   300 1   oqmgr
tlsmgr    unix  -   -   -   1000?   1   tlsmgr
rewrite   unix  -   -   -   -   -   trivial-rewrite
bounce    unix  -   -   -   -   0   bounce
defer     unix  -   -   -   -   0   bounce
trace     unix  -   -   -   -   0   bounce
verify    unix  -   -   -   -   1   verify
flush     unix  n   -   -   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp      unix  -   -   -   -   -   smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -   -   -   -   -   smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n   -   -   -   -   showq
error     unix  -   -   -   -   -   error
retry     unix  -   -   -   -   -   error
discard   unix  -   -   -   -   -   discard
local     unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp      unix  -   -   -   -   -   lmtp
anvil     unix  -   -   -   -   1   anvil
scache    unix  -   -   -   -   1   scache
#
# 
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# 
#
# maildrop. See the Postfix MAILDROP_README file for det

Re: Sender dependent authentication issue

2011-06-09 Thread Jerry
On Thu, 09 Jun 2011 15:00:56 +0200
Dragan Zubac  articulated:

> Hello
> 
> I'm trying to achieve sender dependent authentication.
> Please find corresponding configuration files in attachment.
> Although the sender dependent authentication is configured, for some
> reason Postfix doesn't follow those rules, but is checking the virtual table
> instead and rejects the incoming email.

That is not how to report a problem. Please read the documentation at:

http://www.postfix.org/DEBUG_README.html#mail

In particular:

Output from "postconf -n". Please do not send your main.cf file, or
500+ lines of postconf output.

Better, provide output from the postfinger tool. This can be found at
http://ftp.wl0.org/SOURCES/postfinger.

-- 
Jerry ✌
postfix-u...@seibercom.net
_
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html


Re: virtual aliases and unlisted email addresses

2011-06-09 Thread Victor Duchovni
On Thu, Jun 09, 2011 at 10:12:17AM +0200, Patrick Proniewski wrote:

> On 8 juin 2011, at 18:15, Victor Duchovni wrote:
> 
> > On Wed, Jun 08, 2011 at 11:33:48AM +0200, Patrick Proniewski wrote:
> > 
> >> After the period of double delivery is over, we will deliver emails only 
> >> to Google servers. So the virtual aliases map is to look like:
> >> 
> >>public-addr...@univ-lyon2.frpublic-addr...@univ-lyon2.fr
> >>some-al...@univ-lyon2.frpublic-addr...@univ-lyon2.fr
> >>...
> >> 
> >> The first line looks pretty silly to me. Is there any way to tell that 
> >> addresses not listed in virtual aliases map are to be forwarded "as is" ?
> > 
> > Your gateway needs a table of valid recipients, the domain in question
> > is presumably configured as a "relay domain" by being listed in
> > $relay_domains.
> 
> 
> In fact I've tried this. But this domain being already in
> virtual_alias_domains, it looks like it's not a good idea to put it
> also in relay_domains: postfix complains about this for every email
> passing thru:

You MUST remove the domain from the list of virtual alias domains.

> Jun  7 15:24:19 ru postfix-mailgw/trivial-rewrite[64375]: warning:
> do not list domain univ-lyon2.fr in BOTH virtual_alias_domains and
> relay_domains

You MUST remove the domain from the list of virtual alias
domains. Otherwise, addresses in this domain will not be deliverable
as-is.

> >  If you don't want to have identity mappings in
> > virtual_alias_maps, you need to add entries to relay_recipient_maps:
> > 
> >main.cf:
> > # Use "cdb" if you have it.
> > default_database_type = hash
> > indexed = ${default_database_type}:${config_directory}/
> > relay_recipient_maps = ${indexed}relay_rcpts
> > 
> >relay_rcpts:
> > public-addr...@univ-lyon2.frvalid
> > ...
> > 
> > where the word "valid" on "the right hand side" of the table can be
> > replaced by any non-empty value that makes sense to you. Postfix
> > only needs the lookup key to map to a non-empty result.
> 
> I'm using this on MX, so that my servers are not acting as backscatters:
> only valid recipients are accepted by MX and transfered to MailGW. But as
> postfix won't accept using both virtual_alias_domains and relay_domains,
> I think this won't do the trick.

You MUST remove the domain from the list of virtual alias domains.
Note virtual alias mappings apply to all envelope recipient addresses,
regardless of address class, so there is no need to declare your domain
a virtual alias domain, unless it is truly just a set of alias mailboxes
that always forward to a *different* domain.

-- 
Viktor.
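
A pre-deployment check for the conflict discussed above, written as an added example (not from the original post and not Postfix code): it reads "postconf -n" style text and reports any domain listed literally in more than one address-class parameter. It goes beyond the single pair in the quoted warning by also comparing mydestination and virtual_mailbox_domains, on the assumption that a domain belongs to exactly one class; the sample file paths are constructed, and entries that are lookup tables or $variables are skipped because they cannot be expanded offline.

```python
import re
from itertools import combinations

# Parameters that each define one Postfix address class by domain list.
CLASS_PARAMS = (
    "mydestination",
    "virtual_alias_domains",
    "virtual_mailbox_domains",
    "relay_domains",
)


def parse_postconf(text):
    """Parse 'name = value' lines as printed by 'postconf -n'."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def literal_domains(value):
    """Return the plain domain names in a list value, lower-cased.

    Items such as hash:/path, /file/name or $other_parameter are ignored:
    their contents are not visible in the postconf output.
    """
    domains = set()
    for item in re.split(r"[,\s]+", value):
        if not item or ":" in item or item.startswith("/") or "$" in item:
            continue
        domains.add(item.lower())
    return domains


def class_conflicts(text):
    """List (domain, parameter_a, parameter_b) for domains in two classes."""
    params = parse_postconf(text)
    lists = {p: literal_domains(params.get(p, "")) for p in CLASS_PARAMS}
    conflicts = []
    for a, b in combinations(CLASS_PARAMS, 2):
        # Older relay_domains defaults include $mydestination, so that
        # pair is not treated as a conflict here.
        if {a, b} == {"mydestination", "relay_domains"}:
            continue
        for domain in sorted(lists[a] & lists[b]):
            conflicts.append((domain, a, b))
    return conflicts


# Constructed configuration reproducing the situation in the thread.
SAMPLE_BEFORE = """\
mydestination = localhost
relay_domains = univ-lyon2.fr, hash:/etc/postfix/relay_domains
relay_recipient_maps = hash:/etc/postfix/relay_rcpts
virtual_alias_domains = Univ-Lyon2.fr
virtual_alias_maps = hash:/etc/postfix/virtual
"""

# Same configuration with the domain removed from virtual_alias_domains;
# virtual_alias_maps stays, since it applies to every address class.
SAMPLE_AFTER = """\
mydestination = localhost
relay_domains = univ-lyon2.fr, hash:/etc/postfix/relay_domains
relay_recipient_maps = hash:/etc/postfix/relay_rcpts
virtual_alias_maps = hash:/etc/postfix/virtual
"""

if __name__ == "__main__":
    for domain, a, b in class_conflicts(SAMPLE_BEFORE):
        print("%s is listed in both %s and %s" % (domain, a, b))
```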


Expansion limit issue with MSFT AD LDAP

2011-06-09 Thread Victor Duchovni
On Thu, Jun 09, 2011 at 06:19:30AM -, ross.sysadm wrote:

> I have problems with "expansion_limit".
> 
> Postfix + Dovecot + AD + multiple email domains.

What Postfix feature is the table below supposed to support?

http://www.postfix.org/DEBUG_README.html#mail

> server_host = srv-ad.cn.energy
> search_base = dc=cn,dc=energy
> version = 3
> bind = yes
> bind_dn = ldapmail@cn.energy
> bind_pw = passwd
> chase_referrals = no
> query_filter = 
> (&(objectCategory=person)(|(mail=%s)(proxyAddresses=%s))(!(userAccountControl=514)))

Remove the "proxyAddresses=%s" clause from the query, it is useless.
The values of "proxyAddresses" attribute in MSFT AD are not rfc822
addresses. Rather, these are "protocol:protocol-specific-address"
type:value strings. No l

> result_attribute = mail, proxyAddresses

Likewise, remove proxyAddresses from the result attribute list, its
data type is different from "mail", so you're returning "apples and
oranges".

> expansion_limit = 1
> result_format = %d/%u

Perhaps you're trying to build a virtual_mailbox_maps table, if so,
indeed you need exactly one result. All the more reason to return just
one attribute.

Temporarily comment out the "expansion_limit = 1" parameter, and repeat
the postmap query. If multiple values are returned you have multiple
objects in MSFT AD that satisfy the query, fix that, then go back to
using "expansion_limit = 1".

> 
> postmap -v -q system@cn.energy ldap:/etc/postfix/ldap-users.cf
> postmap: dict_ldap_get_values[1]: Search found 1 match(es)
> postmap: warning: dict_ldap_get_values[1]: /etc/postfix/ldap-users.cf: 
> Expansion limit exceeded for key: 'system@cn.energy'
> postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
> postmap: dict_ldap_lookup: Search returned 
> oblr.cn.energy.gov.ua/simbios,cn.energy/system
> 
> I do not understand how to resolve this situation.
> Please help me.
> 
> 

-- 
Viktor.


Re: expensive checks first

2011-06-09 Thread John

Is there something that shows the "expense" associated with each check?
I have looked through the documentation on the postfix site but could 
not find anything.


John A

--
"All that is necessary for the triumph of evil is that good men do nothing." 
(Edmund Burke)



Re: expensive checks first

2011-06-09 Thread Victor Duchovni
On Thu, Jun 09, 2011 at 12:59:53PM -0400, John wrote:

> Is there something that shows the "expense" associated with each check?
> I have looked through the documentation on the postfix site but could not 
> find anything.

Just common sense. Expense is mostly a question of latency and not over-using
free remote RBLs.

-- 
Viktor.


Re: Sender dependent authentication issue

2011-06-09 Thread Dragan Zubac
Hello

Sorry, I'll try to report the problem again, following your instructions.

Summary

I'm trying to achieve the following :

- email arrives
- postfix checks the sender address
- postfix looks up username/password and relay host for that sender address
- postfix SMTP client connects to the appropriate relay using that
username/password to forward that incoming email

The problem is, I think I configured Postfix in the proper manner, hence when
I send an email with the configured sender address, Postfix rejects it with
an error:

Jun  9 12:29:12 kanta postfix2/smtpd[11850]: NOQUEUE: reject: RCPT from
mail-fx0-f43.google.com[209.85.161.43]: 550 5.1.1
<38163632...@domain.net>: Recipient address rejected: User unknown in
local recipient table; from=
to=<38163632...@domain.net> proto=ESMTP helo=

The "postconf -n" output is :

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
alternate_config_directories = /etc/postfix
append_dot_mydomain = no  
biff = no
config_directory = /etc/postfix2/
data_directory = /var/lib/postfix2
inet_interfaces = 5.5.5.5
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = domain.net,mail.domain.net
myhostname = mail.domain.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname2
queue_directory = /var/spool/postfix2
readme_directory = no
recipient_delimiter = +
sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay
smtp_bind_address = 5.5.5.5
smtp_host_lookup = dns, native
smtp_sasl_auth_enable = yes  
smtp_sasl_password_maps = hash:/etc/postfix2/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtpd_banner = Welcome to A wasting time laboratory MTA
syslog_name = postfix2

This is the output from "postfinger" tool :

postfinger - postfix configuration on Thu Jun  9 20:54:06 BST 2011
version: 1.30

Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public.  If this is the case it is your responsibility to modify
the output to hide this private information.  [Remove this warning with
the --nowarn option.]

--System Parameters--
mail_version = 2.7.1
hostname = kanta
uname = Linux kanta 2.6.32-5-amd64 #1 SMP Wed Jan 12 03:40:32 UTC 2011
x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from deb package: postfix-2.7.1-1

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
alternate_config_directories = /etc/postfix
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix2/
data_directory = /var/lib/postfix2
inet_interfaces = 5.5.5.5
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = domain.net,mail.domain.net
myhostname = mail.domain.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname2
queue_directory = /var/spool/postfix2
readme_directory = no 
recipient_delimiter = +
sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay
smtp_bind_address = 5.5.5.5  
smtp_host_lookup = dns, native
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix2/sasl_passwd
smtp_sasl_security_options = noanonymous 
smtp_sender_dependent_authentication = yes
smtpd_banner = Welcome to A wasting time laboratory MTA
syslog_name = postfix2

--master.cf--
5.5.5.5:smtp  inet  n   -   -   -   -   smtpd
pickup    fifo  n   -   -   60  1   pickup
cleanup   unix  n   -   -   -   0   cleanup
qmgr      fifo  n   -   n   300 1   qmgr
tlsmgr    unix  -   -   -   1000?   1   tlsmgr
rewrite   unix  -   -   -   -   -   trivial-rewrite
bounce    unix  -   -   -   -   0   bounce
defer     unix  -   -   -   -   0   bounce
trace     unix  -   -   -   -   0   bounce
verify    unix  -   -   -   -   1   verify
flush     unix  n   -   -   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp      unix  -   -   -   -   -   smtp
relay     unix  -   -   -   -   -   smtp
        -o smtp_fallback_relay=
showq     unix  n   -   -   -   -   showq
error     unix  -   -   -   -   -   error
retry     unix  -   -   -   -   -   error
discard   unix  -   -   -   -   -   discard
local     unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp      unix  -   -   -   -   -   lmtp
anvil     unix  -   -   -   -   1   anvil
scache    unix  -   -   -   -   1   scache
maildrop  unix  -   n   n   -   -   pipe  
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp  unix  -

Re: Sender dependent authentication issue

2011-06-09 Thread Brian Evans - Postfix List
On 6/9/2011 4:09 PM, Dragan Zubac wrote:
> Hello
>
> Sorry,I'll try to report a problem again following your instructions.
>
> Summary
>
> I'm trying to achieve the following :
>
> - email arrives
> - postfix checks the sender address
> - postfix looks up username/password and relay host for that sender address
> - postfix SMTP client connects to the appropriate relay using that
> username/password to forward that incoming email
>
> The problem is I think I configured postfix in proper manner,hence when
> I send an email with configured sender address,postfix rejects it with
> an error :
>
> Jun  9 12:29:12 kanta postfix2/smtpd[11850]: NOQUEUE: reject: RCPT from
> mail-fx0-f43.google.com[209.85.161.43]: 550 5.1.1
> <38163632...@domain.net>: Recipient address rejected: User unknown in
> local recipient table; from=
> to=<38163632...@domain.net> proto=ESMTP helo=

This log has nothing to do with sender dependent relayhost.

The log says:
1. mail-fx0-f43.google.com wants to send a mail to 38163632...@domain.net
2. According to the postconf below, "domain.net" is in mynetworks.
3. However, 38163632914 is not a valid local user, so reject the email.


Note: if you want to hide the domain in question, please use
example.(net|org|com) as they are reserved for that purpose.

Brian

> The "postconf -n" output is :
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> alternate_config_directories = /etc/postfix
> append_dot_mydomain = no  
> biff = no
> config_directory = /etc/postfix2/
> data_directory = /var/lib/postfix2
> inet_interfaces = 5.5.5.5
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> mydestination = domain.net,mail.domain.net
> myhostname = mail.domain.net
> mynetworks = 127.0.0.0/8
> myorigin = /etc/mailname2
> queue_directory = /var/spool/postfix2
> readme_directory = no
> recipient_delimiter = +
> sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay
> smtp_bind_address = 5.5.5.5
> smtp_host_lookup = dns, native
> smtp_sasl_auth_enable = yes  
> smtp_sasl_password_maps = hash:/etc/postfix2/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_sender_dependent_authentication = yes
> smtpd_banner = Welcome to A wasting time laboratory MTA
> syslog_name = postfix2



Re: Sender dependent authentication issue

2011-06-09 Thread Dragan Zubac
Hello

I've sent an email with sender address specified in the corresponding config
files, and postfix did not process that email according to its
specification. I just sent logs captured at the moment postfix was
receiving that email, which should be processed in a different manner than
rejecting it.

Sincerely

On 06/09/11 22:18, Brian Evans - Postfix List wrote:
> On 6/9/2011 4:09 PM, Dragan Zubac wrote:
>> Hello
>>
>> Sorry,I'll try to report a problem again following your instructions.
>>
>> Summary
>>
>> I'm trying to achieve the following :
>>
>> - email arrives
>> - postfix checks the sender address
>> - postfix looks up username/password and relay host for that sender address
>> - postfix SMTP client connects to the appropriate relay using that
>> username/password to forward that incoming email
>>
>> The problem is I think I configured postfix in proper manner,hence when
>> I send an email with configured sender address,postfix rejects it with
>> an error :
>>
>> Jun  9 12:29:12 kanta postfix2/smtpd[11850]: NOQUEUE: reject: RCPT from
>> mail-fx0-f43.google.com[209.85.161.43]: 550 5.1.1
>> <38163632...@domain.net>: Recipient address rejected: User unknown in
>> local recipient table; from=
>> to=<38163632...@domain.net> proto=ESMTP helo=
> This log has nothing to do with sender dependent relayhost.
>
> The log says:
> 1. mail-fx0-f43.google.com wants to send a mail to 38163632...@domain.net
> 2. According to the postconf below, "domain.net" is in mynetworks.
> 3. However, 38163632914 is not a valid local user, so reject the email.
>
>
> Note: if you want to hide the domain in question, please use
> example.(net|org|com) as they are reserved for that purpose.
>
> Brian
>
>> The "postconf -n" output is :
>>
>> alias_database = hash:/etc/aliases
>> alias_maps = hash:/etc/aliases
>> alternate_config_directories = /etc/postfix
>> append_dot_mydomain = no  
>> biff = no
>> config_directory = /etc/postfix2/
>> data_directory = /var/lib/postfix2
>> inet_interfaces = 5.5.5.5
>> mailbox_command = procmail -a "$EXTENSION"
>> mailbox_size_limit = 0
>> mydestination = domain.net,mail.domain.net
>> myhostname = mail.domain.net
>> mynetworks = 127.0.0.0/8
>> myorigin = /etc/mailname2
>> queue_directory = /var/spool/postfix2
>> readme_directory = no
>> recipient_delimiter = +
>> sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay
>> smtp_bind_address = 5.5.5.5
>> smtp_host_lookup = dns, native
>> smtp_sasl_auth_enable = yes  
>> smtp_sasl_password_maps = hash:/etc/postfix2/sasl_passwd
>> smtp_sasl_security_options = noanonymous
>> smtp_sender_dependent_authentication = yes
>> smtpd_banner = Welcome to A wasting time laboratory MTA
>> syslog_name = postfix2
>


Re: Sender dependent authentication issue

2011-06-09 Thread Jeroen Geilman

On 06/09/2011 11:00 PM, Dragan Zubac wrote:
> sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay

/etc/postfix2 seems to be from a separate instance.


--
J.



Re: Sender dependent authentication issue

2011-06-09 Thread Dragan Zubac
Hello

Yes, I have two instances of postfix.
One is in /etc/postfix and another one is in /etc/postfix2 and both
work fine.
The problem is with sender dependent authentication that is configured
on the second instance and which seems inactive, meaning when the second
instance of postfix receives an email that should be processed according
to those specific rules it does not for some reason.
 
Sincerely

On 06/09/11 23:03, Jeroen Geilman wrote:
> On 06/09/2011 11:00 PM, Dragan Zubac wrote:
>
>> sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay
>
>
> /etc/postfix2 seems to be from a separate instance.
>
>


Re: Sender dependent authentication issue

2011-06-09 Thread Noel Jones

On 6/9/2011 4:22 PM, Dragan Zubac wrote:
> Hello
>
> Yes,I have two instances of postfix.
> One is in /etc/postfix and another one is in /etc/postfix2 and both
> works fine.
> The problem is with sender dependent authentication that is configured
> on the second instance and which seems inactive,meaning when second
> instance of postfix receives an email that should be processed according
> to those specific rules it does not for some reason.

You seem to have missed the point that sender dependent relay
is for sending mail.

The log snippet you shared earlier shows postfix not receiving
the mail, due to an invalid recipient.

This has nothing to do with the sender.

Fix the recipient first.




unverified_recipient_tempfail_action = permit

2011-06-09 Thread Wiebe Cazemier
Hi, 

I don't really know where to post feature ideas, but this seems the only viable 
option. 

I was setting up a fallback MX server with Postfix and was struggling with 
preventing backscatter mail. I thought I found a good solution, but it turned 
out to be an illegal option. 

Postfix has the ability to do recipient address verification. When postfix acts 
as a relay server, this prevents backscatter mail (bounces of messages because 
the server that is relayed to doesn't accept the user). Backscatter is usually 
caused by spam of course, because spam is sent to all kinds of users 
@example.com. 

I had in mind to use recipient address verification to avoid that and then set 
"unverified_recipient_tempfail_action = permit". The idea behind this was: 

- Prevent backscatter mail when the primary host is up because every address is 
verified first. 
- Accept all mail when the primary host is down, so that incoming messages 
aren't deferred. 

But permit is not a valid option for unverified_recipient_tempfail_action. 
Would it be an idea to implement this? 

I know I can use permit_mx_backup and permit_mx_backup_networks, but I'd rather 
not have to maintain a list of networks on the fallback server, partly because 
I want to be a fallback server for servers that I don't maintain and of which I 
have no idea if the address changes. 

Regards, 

Wiebe 


Re: unverified_recipient_tempfail_action = permit

2011-06-09 Thread Ansgar Wiechers
On 2011-06-09 Wiebe Cazemier wrote:
> I was setting up a fallback MX server with Postfix and was struggling
> with preventing backscatter mail. I thought I found a good solution,
> but it turned out to be an illegal option. 
> 
> Postfix has the ability to do recipient address verification. When
> postfix acts as a relay server, this prevents backscatter mail
> (bounces of messages because the server that is relayed to doesn't
> accept the user). Backscatter is usually caused by spam of course,
> because spam is sent to all kinds of users @example.com. 
> 
> I had in mind to use recipient address verification to avoid that and
> then set "unverified_recipient_tempfail_action = permit". The idea
> behind this was: 
> 
> - Prevent backscatter mail when the primary host is up because every
>   address is verified first.
> - Accept all mail when the primary host is down, so that incoming
>   messages aren't deferred. 

Why? What issue in particular do you see with simply doing recipient
verification (and rejection of messages to invalid recipients) on both
MXs?

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: Sender dependent authentication issue

2011-06-09 Thread Dragan Zubac
Hello

Just to make it clear here, so the postfix feature to 'route' emails based on
the sender address is valid only for outgoing emails, not for incoming ones?

Sincerely

On 06/09/11 23:33, Noel Jones wrote:
> On 6/9/2011 4:22 PM, Dragan Zubac wrote:
>> Hello
>>
>> Yes,I have two instances of postfix.
>> One is in /etc/postfix and another one is in /etc/postfix2 and both
>> works fine.
>> The problem is with sender dependent authentication that is configured
>> on the second instance and which seems inactive,meaning when second
>> instance of postfix receives an email that should be processed according
>> to those specific rules it does not for some reason.
>>
>
> You seem to have missed the point that sender dependent relay is for
> sending mail.
>
> The log snippet you shared earlier shows postfix not receiving the
> mail, due to an invalid recipient.
>
> This has nothing to do with the sender.
>
> Fix the recipient first.
>
>
>


Re: Sender dependent authentication issue

2011-06-09 Thread Noel Jones
Of course. It's a two-step process (well, really more, but
we'll call it two here).

1. - mail is received.  There are lots of controls for
receiving mail based on recipient, originating network, or
authentication.  None of the decisions to accept mail are
based on the sender (you can decide to REJECT mail based on
the sender, but not accept).

2. - mail is delivered.  There are lots of controls for where
and how mail is delivered, a few of which depend on the sender.

You're not getting past step 1.

http://www.postfix.org/BASIC_CONFIGURATION_README.html





On 6/9/2011 5:04 PM, Dragan Zubac wrote:
> Hello
>
> Just to make clear here,so postfix feature to 'route' emails based on
> the sender address is valid only for outgoing emails not for incoming ones ?
>
> Sincerely
>
> On 06/09/11 23:33, Noel Jones wrote:
>> On 6/9/2011 4:22 PM, Dragan Zubac wrote:
>>> Hello
>>>
>>> Yes,I have two instances of postfix.
>>> One is in /etc/postfix and another one is in /etc/postfix2 and both
>>> works fine.
>>> The problem is with sender dependent authentication that is configured
>>> on the second instance and which seems inactive,meaning when second
>>> instance of postfix receives an email that should be processed according
>>> to those specific rules it does not for some reason.
>>>
>>
>> You seem to have missed the point that sender dependent relay is for
>> sending mail.
>>
>> The log snippet you shared earlier shows postfix not receiving the
>> mail, due to an invalid recipient.
>>
>> This has nothing to do with the sender.
>>
>> Fix the recipient first.
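
The receive/deliver split described in the message above, as an added example that is not part of the original thread: a Python script that reads a smtpd reject line together with "postconf -n" output and reports the recipient's address class and which sender-dependent delivery settings were never reached. The log line, the settings excerpt (example.net in place of the poster's domain) and all function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of the thread's "postconf -n" output,
# with example.net standing in for the poster's domain.
POSTCONF_N = """\
mydestination = example.net,mail.example.net
mynetworks = 127.0.0.0/8
sender_dependent_relayhost_maps = hash:/etc/postfix2/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix2/sasl_passwd
smtp_sender_dependent_authentication = yes
"""

# Constructed log line in the shape of the reject quoted in the thread.
LOG_LINE = (
    "Jun  9 12:29:12 mx postfix2/smtpd[11850]: NOQUEUE: reject: RCPT from "
    "client.example.com[192.0.2.10]: 550 5.1.1 <nouser@example.net>: "
    "Recipient address rejected: User unknown in local recipient table; "
    "from=<sender@example.org> to=<nouser@example.net> proto=ESMTP "
    "helo=<client.example.com>")

REJECT_RE = re.compile(
    r"/smtpd\[\d+\]: (?P<qid>\S+): reject: (?P<command>\w+) from \S+: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <(?P<rcpt>[^>]*)>: "
    r"(?P<reason>[^;]+); from=<(?P<sender>[^>]*)>")

# Parameters that put a domain into an address class. Only literal domain
# lists are read; lookup tables (type:name) are skipped and $name values
# are not expanded.
CLASS_PARAMS = [("local", "mydestination"),
                ("virtual alias", "virtual_alias_domains"),
                ("virtual mailbox", "virtual_mailbox_domains"),
                ("relay", "relay_domains")]

# Delivery-side settings: used only once a message is already in the queue.
DELIVERY_ONLY = ("sender_dependent_relayhost_maps",
                 "smtp_sender_dependent_authentication",
                 "smtp_sasl_password_maps")

def parse_postconf(text):
    """Turn 'name = value' lines into a dict."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf

def address_class(conf, domain):
    """Return the address class whose domain list names this domain."""
    for cls, param in CLASS_PARAMS:
        entries = re.split(r"[,\s]+", conf.get(param, ""))
        if domain.lower() in (e.lower() for e in entries if ":" not in e):
            return cls
    return "default"

def diagnose(conf, line):
    """Explain a smtpd reject line; None if the line is not one."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    return {
        "phase": "receive (smtpd)",
        "command": m["command"],
        "queued": m["qid"] != "NOQUEUE",
        "reply": f'{m["code"]} {m["dsn"]}',
        "sender": m["sender"],
        "recipient_class": address_class(conf, m["rcpt"].rpartition("@")[2]),
        "reason": m["reason"].strip(),
        "not_reached": [p for p in DELIVERY_ONLY if p in conf],
    }

if __name__ == "__main__":
    for key, value in diagnose(parse_postconf(POSTCONF_N), LOG_LINE).items():
        print(f"{key}: {value}")
```

A NOQUEUE reject at RCPT for a recipient in the local class means the message never entered the queue, so none of the settings listed under not_reached had a chance to apply.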







Re: unverified_recipient_tempfail_action = permit

2011-06-09 Thread Wiebe Cazemier
Well, when the primary is down, all incoming messages on the fallback are 
deferred, because it can't do the verification. This means the result is the 
same as having no fallback at all.


Ansgar Wiechers  wrote:

> On 2011-06-09 Wiebe Cazemier wrote:
>> I was setting up a fallback MX server with Postfix and was struggling
>> with preventing backscatter mail. I thought I found a good solution,
>> but it turned out to be an illegal option.
>>
>> Postfix has the ability to do recipient address verification. When
>> postfix acts as a relay server, this prevents backscatter mail
>> (bounces of messages because the server that is relayed to doesn't
>> accept the user). Backscatter is usually caused by spam of course,
>> because spam is sent to all kinds of users @example.com.
>>
>> I had in mind to use recipient address verification to avoid that and
>> then set "unverified_recipient_tempfail_action = permit". The idea
>> behind this was:
>>
>> - Prevent backscatter mail when the primary host is up because every
>> address is verified first.
>> - Accept all mail when the primary host is down, so that incoming
>> messages aren't deferred.
>
> Why? What issue in particular do you see with simply doing recipient
> verification (and rejection of messages to invalid recipients) on both
> MXs?
>
> Regards
> Ansgar Wiechers
> -- 
> "Abstractions save us time working, but they don't save us time learning."
> --Joel Spolsky



Re: unverified_recipient_tempfail_action = permit

2011-06-09 Thread Ansgar Wiechers
On 2011-06-10 Wiebe Cazemier wrote:
> Ansgar Wiechers  wrote:
>> On 2011-06-09 Wiebe Cazemier wrote:
>>> I was setting up a fallback MX server with Postfix and was struggling
>>> with preventing backscatter mail. I thought I found a good solution,
>>> but it turned out to be an illegal option. 
>>> 
>>> Postfix has the ability to do recipient address verification. When
>>> postfix acts as a relay server, this prevents backscatter mail
>>> (bounces of messages because the server that is relayed to doesn't
>>> accept the user). Backscatter is usually caused by spam of course,
>>> because spam is sent to all kinds of users @example.com. 
>>> 
>>> I had in mind to use recipient address verification to avoid that and
>>> then set "unverified_recipient_tempfail_action = permit". The idea
>>> behind this was: 
>>> 
>>> - Prevent backscatter mail when the primary host is up because every
>>>   address is verified first.
>>> - Accept all mail when the primary host is down, so that incoming
>>>   messages aren't deferred. 
>> 
>> Why? What issue in particular do you see with simply doing recipient
>> verification (and rejection of messages to invalid recipients) on both
>> MXs?
> 
> Well, when the primary is down, all incoming messages on the fallback
> are deferred, because it can't do the verification. This means the
> result is the same as having no fallback at all.

There's more than one way to do recipient verification. Use
$relay_recipient_maps on the backup MX. And don't top-post.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: Sender dependent authentication issue

2011-06-09 Thread Dragan Zubac
Hello

Thank you, this clarifies things a little bit.

Sincerely

On 06/10/11 00:25, Noel Jones wrote:
> Of course. It's a two-step process (well, really more, but we'll call
> it two here).
>
> 1. - mail is received.  There are lots of controls for receiving mail
> based on recipient, originating network, or authentication.  None of
> the decisions to accept mail are based on the sender (you can decide
> to REJECT mail based on the sender, but not accept).
>
> 2. - mail is delivered.  There are lots of controls for where and how
> mail is delivered, a few of which depend on the sender.
>
> You're not getting past step 1.
>
> http://www.postfix.org/BASIC_CONFIGURATION_README.html
>
>
>
>
>
> On 6/9/2011 5:04 PM, Dragan Zubac wrote:
>> Hello
>>
>> Just to make clear here,so postfix feature to 'route' emails based on
>> the sender address is valid only for outgoing emails not for incoming
>> ones ?
>>
>> Sincerely
>>
>> On 06/09/11 23:33, Noel Jones wrote:
>>> On 6/9/2011 4:22 PM, Dragan Zubac wrote:
>>>> Hello
>>>>
>>>> Yes,I have two instances of postfix.
>>>> One is in /etc/postfix and another one is in /etc/postfix2 and both
>>>> works fine.
>>>> The problem is with sender dependent authentication that is configured
>>>> on the second instance and which seems inactive,meaning when second
>>>> instance of postfix receives an email that should be processed
>>>> according
>>>> to those specific rules it does not for some reason.
>>>>
>>>
>>> You seem to have missed the point that sender dependent relay is for
>>> sending mail.
>>>
>>> The log snippet you shared earlier shows postfix not receiving the
>>> mail, due to an invalid recipient.
>>>
>>> This has nothing to do with the sender.
>>>
>>> Fix the recipient first.
>>>
>>>
>>>
>
>


always_bcc for sepcific sender and recipient only

2011-06-09 Thread kshitij mali
Hi All,

I want only a specific list of senders and a specific list of recipients'
email to be archived. How can I achieve that, where always_bcc will
redirect all email? Can anyone please help me with syntax or an
example?


Regards,
Kshitij


Re: unverified_recipient_tempfail_action = permit

2011-06-09 Thread Wiebe Cazemier
- Original Message -
> From: "Ansgar Wiechers" 
> To: postfix-users@postfix.org
> Sent: Friday, 10 June, 2011 12:47:35 AM
> Subject: Re: unverified_recipient_tempfail_action = permit
> 
> On 2011-06-10 Wiebe Cazemier wrote:
> > Ansgar Wiechers  wrote:
> >> On 2011-06-09 Wiebe Cazemier wrote:
> >>> I was setting up a fallback MX server with Postfix and was
> >>> struggling
> >>> with preventing backscatter mail. I thought I found a good
> >>> solution,
> >>> but it turned out to be an illegal option.
> >>> 
> >>> Postfix has the ability to do recipient address verification.
> >>> When
> >>> postfix acts as a relay server, this prevents backscatter mail
> >>> (bounces of messages because the server that is relayed to
> >>> doesn't
> >>> accept the user). Backscatter is usually caused by spam of
> >>> course,
> >>> because spam is sent to all kinds of users @example.com.
> >>> 
> >>> I had in mind to use recipient address verification to avoid that
> >>> and
> >>> then set "unverified_recipient_tempfail_action = permit". The
> >>> idea
> >>> behind this was:
> >>> 
> >>> - Prevent backscatter mail when the primary host is up because
> >>> every
> >>>   address is verified first.
> >>> - Accept all mail when the primary host is down, so that incoming
> >>>   messages aren't deferred.
> >> 
> >> Why? What issue in particular do you see with simply doing
> >> recipient
> >> verification (and rejection of messages to invalid recipients) on
> >> both
> >> MXs?
> > 
> > Well, when the primary is down, all incoming messages on the
> > fallback
> > are deferred, because it can't do the verification. This means the
> > result is the same as having no fallback at all.
> 
> There's more than one way to do recipient verification. Use
> $relay_recipient_maps on the backup MX. And don't top-post.
> 
> Regards
> Ansgar Wiechers
> 


Sorry, I forgot to mention. I can't use recipient maps because:

- The server acts also as incoming mail handler for another machine which it 
relays to. That target machine has dynamically created addresses by users on a 
control panel.
- The server is backup MX for mail hosts that I don't know anything about.


Re: always_bcc for sepcific sender and recipient only

2011-06-09 Thread Mihira Fernando

On 06/10/2011 10:40 AM, kshitij mali wrote:
> Hi All,
> I want only a specific list of senders and a specific list of recipients'
> email to be archived. How can I achieve that, where always_bcc will
> redirect all email? Can anyone please help me with syntax or an
> example?
>
> Regards,
> Kshitij

Use :
sender_bcc_maps - http://www.postfix.org/postconf.5.html#sender_bcc_maps
recipient_bcc_maps - http://www.postfix.org/postconf.5.html#recipient_bcc_maps