# sasl doesn't work with postfix anymore

## Del Pede

I noticed that when sending mail over my postfix, it doesn't require users to authenticate anymore, which isn't very good. Furthermore, non-local users can send mail over the postfix to other non-local users, which again is not good. http://www.abuse.net/relay.html, however, tells me that there are no open relays. I still need people to authenticate when sending mail.

postconf -n gives

```
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
body_checks = regexp:/etc/postfix/body_checks_map
body_checks_size_limit = 175000
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
hash_queue_names = deferred, defer active bounce flush incoming
home_mailbox = .maildir/
inet_interfaces = all
local_destination_concurrency_limit = 2
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain $mydomain
mydomain = mydomain.dk
myhostname = freya.mydomain.dk
mynetworks = 192.168.0.0/24, 127.0.0.0/8
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.9
relay_domains = $mydestination
sample_directory = /etc/postfix/sample
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = hash:/etc/postfix/access, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client
smtpd_delay_reject = no
smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client unconfirmed.dsbl.org, reject_rbl_client dynablock.njabl.org, reject_rbl_client dialup.blacklist.jippg.org, reject_rbl_client cbl.abuseat.org, reject_rhsbl_client blackhole.securitysage.com, reject_rhsbl_sender blackhole.securitysage.com, check_policy_service inet:127.0.0.1:2501 permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, hash:/etc/postfix/access, reject_rhsbl_sender dsn.rfc-ignorant.org
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
```

/etc/sasl2/smtpd.conf

```
pwcheck_method: saslauthd
mech_list: plain login
```

/etc/conf.d/saslauthd

```
# Config file for /etc/init.d/saslauthd
# Added by admin. SMTP AUTH
SASLAUTH_MECH=shadow
#SASLAUTH_MECH=pam
SASL_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes
# Initial (empty) options.
SASLAUTHD_OPTS="-a ${SASLAUTH_MECH} -V"
# Specify the authentication mechanism.
# *NOTE* For list see: saslauthd -v
# From 2.1.19, add "-r" to options for old behavior
# ie. reassemble user and realm to user@realm form.
# SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam -r"
#SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam -V"
# Specify the hostname for remote IMAP server.
# *NOTE* Only needed if rimap auth mech is used.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"
# Specify the number of worker processes to create.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -n 5"
# Enable credential cache, cache size, and timeout.
# *NOTE* Size is measured in kilobytes
#        Timeout is measured in seconds
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -c -s 128 -t 30"
```

telnet mydomain.dk 25 

```
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 freya.mydomain.dk ESMTP Postfix
ehlo mydomain.dk
250-freya.mydomain.dk
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
```

I must say that I'm kind of baffled as to why this doesn't work anymore. Postfix IS compiled with SASL support.

Any help would be greatly appreciated.

Del Pede

----------

## cassiol

Hello..

I never do authentication with pam =(

but try modifying this.

Add in /etc/sasl2/smtpd.conf:

```
saslauthd_version: 2
```

In /etc/conf.d/saslauthd uncomment this:

```
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -n 5"
```

To test authentication, use

testsaslauthd

----------

## Del Pede

 *cassiol wrote:*   

> helo..
> 
> I never do authentication with pam =(
> 
> but try modify this
> ...

 

Didn't help me, unfortunately. I can still send mail without being asked to authenticate. testsaslauthd gives me an OK when testing with a valid user, so that seems to work. I've tried starting sasl with both pam and shadow. It doesn't make a difference.

I discovered a script called saslfinger, and saslfinger -c gives me

```
saslfinger -c
saslfinger - postfix Cyrus sasl configuration tir jul  1 14:22:37 CEST 2008
version: 1.0.2
mode: client-side SMTP AUTH
-- basics --
Postfix: 2.4.6
System: Gentoo Base System release 2.0.0
-- smtp is linked to --
   libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7b8d000)
-- active SMTP AUTH and TLS parameters for smtp --
No active SMTP AUTH and TLS parameters for smtp in main.cf!
SMTP AUTH can't work!
```

Even though I have SASL config in my main.cf, it claims there is none.

----------

## cassiol

Try modifying this in /etc/postfix/main.cf:

```
smtpd_sasl_local_domain = $mydomain
```

Replace it with

```
smtpd_sasl_local_domain =
```

and add these lines:

```
smtpd_sasl2_auth_enable = yes
broken_sasl_auth_clients = yes
```

In your mail program, how do you set the username?

----------

## Del Pede

 *cassiol wrote:*   

> try modify that in /etc/postfix/main.cf
> 
> ```
> 
> smtpd_sasl_local_domain = $mydomain
> ...

 

I changed it to smtpd_sasl_local_domain = but it made no difference. I've set up Thunderbird to authenticate against our SMTP when sending mail, but I have disabled it. When I send mail via telnet, I don't get asked to authenticate either. What really puzzles me is that saslfinger says: No active SMTP AUTH and TLS parameters for smtp in main.cf!

All the other suggestions you made, I already have in my main.cf.

----------

## Del Pede

I think we have established that saslauthd works. The problem seems to be that Postfix and SASL don't talk to each other. Or rather, it doesn't reject, or even ask, users that don't authenticate.

----------

## cassiol

Within your network authentication is not required, because you have set permit_mynetworks.

Try adding permit_sasl_authenticated in smtpd_sender_restrictions.

If that fails, please post error logs:

```
cat /var/log/messages | grep saslauthd
```

----------

## Del Pede

 *cassiol wrote:*   

> in your network not require authentication., because you have set permit_mynetwork.
> 
> try add permit_sasl_authenticated, in smtpd_sender_restrictions.
> 
> if that failed. please post error logs.
> ...

 

I've added permit_sasl_authenticated in smtpd_sender_restrictions, and nothing has changed. There are no saslauthd entries in /var/log/messages.

----------

## cassiol

Have you started saslauthd???

----------

## Del Pede

 *cassiol wrote:*   

> you have started saslauthd ???

 

Yes, and it is working, according to testsaslauthd.

Here are the full smtpd and SASL settings from main.cf:

```
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
#smtpd_tls_auth_only = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
#smtpd_client_restrictions = hash:/etc/postfix/access, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_delay_reject = no
#smtpd_sender_restrictions = permit_mynetworks, hash:/etc/postfix/access, reject_rhsbl_sender dsn.rfc-ignorant.org
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rhsbl_sender dsn.rfc-ignorant.org
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_unauth_destination,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client blackholes.easynet.nl,
        reject_rbl_client unconfirmed.dsbl.org,
        reject_rbl_client dynablock.njabl.org,
        reject_rbl_client dialup.blacklist.jippg.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rhsbl_client blackhole.securitysage.com,
        reject_rhsbl_sender blackhole.securitysage.com,
        check_policy_service inet:127.0.0.1:2501,
        reject
```

----------

## cassiol

In smtpd_helo_restrictions add permit_sasl_authenticated.

If that doesn't work, please post the Postfix log.

----------

## Del Pede

 *cassiol wrote:*   

> in smtpd_helo_restrictions add permit_sasl_authenticated,
> 
> if not work, please post postfix log.

 

Didn't work, unfortunately. Here is the log from when I tried to mail via telnet:

```
Jul  1 17:51:03 localhost postfix/smtpd[17001]: connect from port91.ds1-abc.adsl.cybercity.dk[xxx.xxx.xxx.xxx]
Jul  1 17:51:30 localhost postfix/smtpd[17001]: warning: restriction `mynetworks' after `permit' is ignored
Jul  1 17:51:30 localhost postfix/cleanup[17018]: warning: regexp map /etc/postfix/body_checks_map, line 2: ignoring unrecognized request
Jul  1 17:51:30 localhost postfix/smtpd[17001]: 079B847CEF9: client=host.adsl.cybercity.dk[xxx.xxx.xxx.xxx]
Jul  1 17:51:48 localhost postfix/cleanup[17018]: 079B847CEF9: message-id=<20080701155130.079B847CEF9@freya.frivillighuset.dk>
Jul  1 17:51:48 localhost postfix/qmgr[16962]: 079B847CEF9: from=<peter@mailll.dk>, size=440, nrcpt=1 (queue active)
Jul  1 17:51:49 localhost postfix/smtpd[17001]: disconnect from hostcybercity.dk[xxx.xxx.xxx.xxx]
Jul  1 17:51:51 localhost postfix/smtp[17019]: 079B847CEF9: to=<delpede@anothermail.dk>, relay=mailgate.cybercity.dk[xxx.xxx.xxx.xxx]:25, delay=27, delays=24/0.01/0.67/2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 07C5F19E0C2)
Jul  1 17:51:51 localhost postfix/qmgr[16962]: 079B847CEF9: removed
```

Nothing indicates saslauthd being used at all.

----------

## cassiol

You need to set SMTP authentication in your mail program, or test from outside your network, because you have set permit_mynetworks.

I don't know how to test saslauthd via telnet.
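Testing SMTP AUTH by hand is possible, and worth understanding because it explains the "never asked to authenticate" observation that runs through this thread. The following is an added example (editor's code, not from the thread or from Postfix): Postfix never prompts for credentials. EHLO advertises `250-AUTH LOGIN PLAIN` and the client decides whether to send an `AUTH` command; a telnet session that skips it is simply an unauthenticated client, and what happens to its `RCPT TO` is decided by `smtpd_recipient_restrictions`, not by SASL. To exercise saslauthd through Postfix you must type the `AUTH` line yourself, which means building the base64 token. The code below builds the AUTH PLAIN and AUTH LOGIN tokens, prints the line sequence to paste into telnet, and can run the exchange over a socket. The user name, password, host name and addresses are placeholders. (Unrelated but useful: `saslfinger -c` reports the SMTP client side; the server side that matters here is `saslfinger -s`.)

```python
"""Exercise SMTP AUTH by hand, the way a telnet session would.

Added example, not the thread's or Postfix's own code. Credentials, host names
and addresses are placeholders.
"""
import base64
import socket


def auth_plain_token(user, password, authzid=""):
    """RFC 4616 initial response: base64(authzid NUL authcid NUL password)."""
    raw = "%s\0%s\0%s" % (authzid, user, password)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_auth_plain_token(token):
    """Inverse of auth_plain_token; handy when reading a captured session."""
    authzid, authcid, password = base64.b64decode(token).decode("utf-8").split("\0")
    return authzid, authcid, password


def auth_login_tokens(user, password):
    """AUTH LOGIN sends the user name and the password as two separate base64 lines."""
    return (base64.b64encode(user.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


def telnet_script(helo, user, password, mail_from, rcpt_to):
    """Client lines, in order, for an authenticated relay attempt.

    Leave the AUTH line out and you get the unauthenticated case: a correctly
    configured server then answers the RCPT TO for a foreign domain with
    "554 5.7.1 ...: Relay access denied" instead of "250 2.1.5 Ok".
    """
    return [
        "EHLO %s" % helo,
        "AUTH PLAIN %s" % auth_plain_token(user, password),
        "MAIL FROM:<%s>" % mail_from,
        "RCPT TO:<%s>" % rcpt_to,
        "QUIT",
    ]


def run_session(host, port, lines, timeout=10):
    """Send each line and collect the server's replies (needs a live server; not run offline)."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        replies.append(f.readline().decode("ascii", "replace").rstrip("\r\n"))  # 220 banner
        for line in lines:
            s.sendall((line + "\r\n").encode("ascii"))
            while True:  # a multi-line reply uses "250-" on all but its last line
                reply = f.readline().decode("ascii", "replace").rstrip("\r\n")
                replies.append(reply)
                if len(reply) < 4 or reply[3] != "-":
                    break
    return replies


if __name__ == "__main__":
    # Constructed placeholders; replace with a real account on the server under test.
    for line in telnet_script("client.example.net", "peter", "secret",
                              "peter@mydomain.dk", "someone@example.org"):
        print(line)
```

After the `AUTH PLAIN` line a working Postfix/SASL setup answers `235 2.7.0 Authentication successful`; a wrong password gets `535 5.7.8 Error: authentication failed`, and that failure is what shows up in the saslauthd log. If the `RCPT TO` to a foreign domain is accepted without the `AUTH` line, the restriction lists are at fault, not saslauthd.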

----------

## Del Pede

 *cassiol wrote:*   

> you need set smtp authentication in your mail program, or test out of your network, because you have set permit_mynetworks.
> 
> I not know how to test saslauthd, via telnet.

 

I have SMTP auth in my mail client, but I have disabled it. Still, Postfix doesn't ask me to authenticate, which is my main concern.

----------

## cassiol

Please verify your master.cf.

Verify whether this exists in the smtps section:

```
-o smtpd_sasl_auth_enable=yes
```

----------

## Del Pede

 *cassiol wrote:*   

> please verify your master.cf
> 
> verify if exist in section smtps
> 
> ```
> ...

 

```
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=freya.mydomain.dk
  -o header_checks=
  -o body_checks=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_sasl_security_options=noanonymous
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
```

A bit messy, it seems :-/

----------

## darkphader

Probably not your problem, but just to note that I had some issues a week or so ago due to an openssl update: postfix would no longer authenticate via SASL to some mail servers. I re-emerged the packages depending on openssl, including ca-certificates, and all was fine.

Chris

----------

## darkphader

Looks like you're missing the proxywrite service in master.cf. Did you update Postfix?

If so, then stop Postfix and run:

```
postfix upgrade-configuration
```

then restart it. It will add the missing service.

----------

## Del Pede

 *darkphader wrote:*   

> Looks like you're missing the proxywrite service in master.cf. Did you update postfix?
> 
> If so then stop postfix and run:
> 
> ```
> ...

 

After I did that, everything went wrong. Now Postfix is an open relay, even though I personally think my restrictions are strict enough. For good measure, I'll post them again:

```
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
#smtpd_tls_auth_only = yes
smtpd_helo_restrictions = permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_client_restrictions = hash:/etc/postfix/access, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client
#smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_delay_reject = no
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, hash:/etc/postfix/access, reject_rhsbl_sender dsn.rfc-ignorant.org
#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rhsbl_sender dsn.rfc-ignorant.org
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_unauth_destination,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client blackholes.easynet.nl,
        reject_rbl_client unconfirmed.dsbl.org,
        reject_rbl_client dynablock.njabl.org,
        reject_rbl_client dialup.blacklist.jippg.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rhsbl_client blackhole.securitysage.com,
        reject_rhsbl_sender blackhole.securitysage.com,
        check_policy_service inet:127.0.0.1:2501
        permit
```
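The restriction list above, and the log line `warning: restriction `mynetworks' after `permit' is ignored` posted earlier in the thread, are two views of the same defect. Postfix separates restrictions on commas and whitespace alike, so `permit mynetworks` is read as the unconditional restriction `permit` followed by an unknown token `mynetworks`. Postfix stops at the first definite result, which means every restriction after that `permit`, `reject_unauth_destination` included, is never evaluated and any client may relay. The trailing `permit` or `reject` at the end of the list is irrelevant by comparison. The linter below is an added example (editor's code, not from the thread or from Postfix): it parses a main.cf-style text with the continuation-line convention used above, splits the restriction list the way Postfix does, and reports an unconditional restriction that is not last, a `reject_unauth_destination` that is unreachable or missing, a `permit_sasl_authenticated` that does not precede it, and a non-default `smtpd_delay_reject`. The two sample configs are reconstructed from the thread with the RBL list shortened; `smtpd_sasl2_auth_enable`, which appears in the thread, is not a documented Postfix parameter and is not checked.

```python
"""Lint a Postfix main.cf for restriction lists that silently permit everything.

Added example, not code from the thread or from Postfix. The sample configs
are reconstructed from the thread (RBL list shortened), not from a real host.
"""
import re

# Restrictions that end evaluation with a definite result.
UNCONDITIONAL = {"permit", "reject", "defer"}
# Restrictions that consume the following token as their argument.
TAKES_ARG = {
    "reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender",
    "reject_rhsbl_recipient", "reject_rhsbl_helo", "check_policy_service",
    "check_client_access", "check_helo_access", "check_sender_access",
    "check_recipient_access",
}
RELAY_CONTROL = {"reject_unauth_destination", "reject_unauth_relay"}

BROKEN_MAIN_CF = """\
smtpd_delay_reject = no
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit mynetworks,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service inet:127.0.0.1:2501
        permit
"""

FIXED_MAIN_CF = """\
smtpd_delay_reject = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service inet:127.0.0.1:2501,
        permit
"""


def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params


def restrictions(value):
    """Split a restriction list into (name, argument) pairs, as Postfix tokenises it."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    out, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name in TAKES_ARG and i + 1 < len(tokens):
            arg, i = tokens[i + 1], i + 1
        out.append((name, arg))
        i += 1
    return out


def lint_restrictions(value):
    """Return human-readable findings for one restriction list; empty means it is sane."""
    names = [n for n, _ in restrictions(value)]
    findings = []
    for idx, name in enumerate(names):
        if name.lower() in UNCONDITIONAL and idx < len(names) - 1:
            findings.append("'%s' at position %d ends evaluation; ignored: %s"
                            % (name, idx + 1, ", ".join(names[idx + 1:])))
            break
    first_permit = next((i for i, n in enumerate(names) if n.lower() == "permit"), len(names))
    relay_ctl = [i for i, n in enumerate(names) if n in RELAY_CONTROL]
    if not relay_ctl:
        findings.append("no reject_unauth_destination: open relay")
    elif relay_ctl[0] > first_permit:
        findings.append("reject_unauth_destination follows an unconditional permit: unreachable, open relay")
    elif "permit_sasl_authenticated" not in names[:relay_ctl[0]]:
        findings.append("permit_sasl_authenticated does not precede reject_unauth_destination: "
                        "authenticated users cannot relay")
    return findings


def lint_main_cf(text):
    """Lint smtpd_recipient_restrictions plus smtpd_delay_reject from a main.cf text."""
    params = parse_main_cf(text)
    findings = lint_restrictions(params.get("smtpd_recipient_restrictions", ""))
    delay = params.get("smtpd_delay_reject", "yes")
    if delay != "yes":
        findings.append("smtpd_delay_reject = %s is non-default: client/helo/sender restrictions "
                        "are evaluated before RCPT TO, when no recipient is known yet" % delay)
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(label, lint_main_cf(cfg) or ["ok"])
```

Run it as-is and the broken config yields three findings while the fixed one yields none. The fix itself is one character: `permit_mynetworks` instead of `permit mynetworks`. With that in place `reject_unauth_destination` is reachable again, and the trailing `permit` is then harmless because every relay attempt from an unauthenticated, off-network client is rejected before it is reached.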

----------

## Del Pede

 *darkphader wrote:*   

> Probably not your problem but just to note that I had some issues a week or so ago due to an openssl update, postfix would no longer authenticate via sasl to some mail servers. I remerged the packages depending on openssl including the ca-certificates and all was fine.
> 
> Chris

 

I'm reinstalling those packages depending on openssl that involve Postfix right now, just to see if that might have anything to do with anything.

----------

## darkphader

 *Del Pede wrote:*   

> After i did that, everything went wrong. Now postfix is an open relay, even though i personally think my restrictions are strict enough.

 

That change is necessary and will not make your Postfix an open relay. It's probably due to the trailing "permit" you have in smtpd_recipient_restrictions - it shouldn't be there (previously you had a "reject").

----------

## Del Pede

 *darkphader wrote:*   

>  *Del Pede wrote:*   After i did that, everything went wrong. Now postfix is an open relay, even though i personally think my restrictions are strict enough. 
> 
> That change is necessary and will not make your postfix an open relay. It's probably due to the trailing "permit" you have in smtpd_recipient_restrictions - it shouldn't be there (previously you had a "reject").

 

I have no doubt that the update was necessary. I used to have the permit before, but I tried with a reject to see if that would change anything. I've made some relay tests with the permit in place. I've even had relay tests from abuse.org be successful, even though I could mail with and to non-local users.

I'll give it a shot with removing the permit.

EDIT: Didn't help, unfortunately.

----------

## Del Pede

It seems I've solved the issue with being an open relay. It was an issue with smtpd_sender_restrictions and smtpd_delay_reject = no.

----------

## Del Pede

But things took a swing for the weirder late last night. At home, I disabled SMTP auth in my mail client and tried to mail via the mailserver, which is on a different IP and location, and relaying was rejected until I enabled SMTP auth again. That was kind of good, but it didn't seem to ask for a password. What was even more peculiar was that I wasn't asked for any form of authentication when telnetting to the SMTP from home.

So to summarize: Thunderbird from outside without SMTP auth - rejected. Telnet to SMTP from outside - not asked about authentication. Relay test says the server is secure.

----------

