# Postfix and sasl

## rsmereka

Hi There,

I'm new to Gentoo but not to Linux. I have been installing a mail server on 2.4.28-gentoo-r8 according to the guidelines in:

http://www.gentoo.org/doc/en/virt-mail-howto.xml

and I have a couple of issues that I need help with. I am just at the end of section six where the author gets me to verify sasl and TLS support. When I try:

   # telnet localhost 25

to connect to the smtp server, I get 'connection refused'. I am, however, able to send and retrieve mail using another client machine. I checked the logs in /var/log and it clearly shows postfix smtp running and responding. Here is an excerpt:

```
connect from unknown[192.168.0.93]
Mar 22 15:38:15 nereid postfix/smtpd[1863]: match_list_match: unknown: no match
Mar 22 15:38:15 nereid postfix/smtpd[1863]: match_list_match: 192.168.0.93: no match
Mar 22 15:38:15 nereid postfix/smtpd[1863]: match_list_match: unknown: no match
Mar 22 15:38:15 nereid postfix/smtpd[1863]: match_list_match: 192.168.0.93: no match
Mar 22 15:38:15 nereid postfix/smtpd[1863]: > unknown[192.168.0.93]: 220 nereid.mydomain.com ESMTP Postfix
Mar 22 15:38:15 nereid postfix/smtpd[1863]: watchdog_pat: 0x80a4180
Mar 22 15:38:15 nereid postfix/smtpd[1863]: < unknown[192.168.0.93]: HELO administrator
Mar 22 15:38:15 nereid postfix/smtpd[1863]: > unknown[192.168.0.93]: 250 nereid.mydomain.com
Mar 22 15:38:15 nereid postfix/smtpd[1863]: watchdog_pat: 0x80a4180
Mar 22 15:38:15 nereid postfix/smtpd[1863]: < unknown[192.168.0.93]: MAIL FROM: <root@mydomain.com>
```

The second issue is with sasl. When I was snooping in /var/log/messages, I discovered this:

```
warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
Mar 22 15:38:15 nereid postfix/smtpd[1863]: starting TLS engine
Mar 22 15:38:15 nereid postfix/smtpd[1863]: match_string: fast_flush_domains ~? debug_peer_list
Mar 22 15:38:15 nereid postfix/smtpd[1863]: match_string: fast_flush_domains ~? fast_flush_domains
Mar 22 15:38:15 nereid postfix/smtpd[1863]: watchdog_create: 0x80a4180 18000
Mar 22 15:38:15 nereid postfix/smtpd[1863]: watchdog_stop: 0x80a4180
Mar 22 15:38:15 nereid postfix/smtpd[1863]: watchdog_start: 0x80a4180
Mar 22 15:38:15 nereid postfix/smtpd[1863]: connection established
Mar 22 15:38:15 nereid postfix/smtpd[1863]: master_notify: status 0
Mar 22 15:38:15 nereid postfix/smtpd[1863]: name_mask: resource
Mar 22 15:38:15 nereid postfix/smtpd[1863]: name_mask: software
Mar 22 15:38:15 nereid postfix/smtpd[1863]: connect from unknown[192.168.0.93]
```

and again here:

```
Mar 22 15:38:15 nereid postfix/smtpd[1863]: >>> START Recipient address RESTRICTIONS <<<
Mar 22 15:38:15 nereid postfix/smtpd[1863]: generic_checks: name=permit_sasl_authenticated
Mar 22 15:38:15 nereid postfix/smtpd[1863]: warning: restriction `permit_sasl_authenticated' ignored: no SASL support
Mar 22 15:38:15 nereid postfix/smtpd[1863]: generic_checks: name=permit_sasl_authenticated status=0
Mar 22 15:38:15 nereid postfix/smtpd[1863]: generic_checks: name=permit_mynetworks
Mar 22 15:38:15 nereid postfix/smtpd[1863]: permit_mynetworks: unknown 192.168.0.93
Mar 22 15:38:15 nereid postfix/smtpd[1863]: match_hostname: unknown ~? my.ip.net.work/24
Mar 22 15:38:15 nereid postfix/smtpd[1863]: match_hostaddr: 192.168.0.93 ~? my.ip.net.work/24
Mar 22 15:38:15 nereid postfix/smtpd[1863]: warning: std_addr_pattern: invalid address pattern "my.ip.net.work"
Mar 22 15:38:15 nereid postfix/smtpd[1863]: match_hostname: unknown ~? 127.0.0.0/8
Mar 22 15:38:15 nereid postfix/smtpd[1863]: match_hostaddr: 192.168.0.93 ~? 127.0.0.0/8
Mar 22 15:38:15 nereid postfix/smtpd[1863]: match_list_match: unknown: no match
Mar 22 15:38:15 nereid postfix/smtpd[1863]: match_list_match: 192.168.0.93: no match
Mar 22 15:38:15 nereid postfix/smtpd[1863]: generic_checks: name=permit_mynetworks status=0
```

This seems to indicate that sasl is not active and further that postfix needs to have sasl support compiled into it. Is this correct? Does this involve modifying USE in /etc/make.conf?

Any and all help is greatly appreciated. :Very Happy:

Rick

----------

## langthang

please post your `emerge postfix cyrus-sasl -vp` and `postconf -n`

----------

## rsmereka

OK, here is the output from those two commands. Can you tell me what these two commands show?

** emerge postfix cyrus-sasl -vp

```
These are the packages that I would merge, in order:

Calculating dependencies   ...done!
[ebuild   R   ] mail-mta/postfix-2.1.5-r2  +ipv6 -ldap -mailwrapper -mbox -mysql +pam -postgres -sasl (-selinux) +ssl -vda 0 kB 
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.20  -authdaemond +berkdb -debug +gdbm -java -kerberos -ldap -mysql +pam -postgres +ssl -static 0 kB 
```

** postconf -n

```
Total size of downloads: 0 kB
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 2
home_mailbox = .maildir/
html_directory = no
inet_interfaces = all
local_destination_concurrency_limit = 2
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain $mydomain
mydomain = smthome.com
myhostname = nereid.smthome.com
mynetworks = 192.168.0/24, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
```

TIA

Rick

----------

## langthang

 *Quote:*   

> OK, here is the output from those two commands. Can you tell me what these two commands show?

 

`emerge foo -vp` is short for `emerge foo --verbose --pretend`, it would tell you what USE flags you have when you emerged foo.

```
[ebuild R ] mail-mta/postfix-2.1.5-r2 +ipv6 -ldap -mailwrapper -mbox -mysql +pam -postgres -sasl (-selinux) +ssl -vda 0 kB
```

means you have ipv6, pam, ssl enabled, but not sasl.

The `postconf -n` is the postfix command to output the new parameters you have changed in /etc/postfix/main.cf.

You need to re-emerge postfix with the sasl USE flag, then try again. You can add sasl to /etc/make.conf or add those USE flags you wanted for postfix to /etc/portage/package.use

```
# echo "mail-mta/postfix pam sasl ssl" >> /etc/portage/package.use
```

----------
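The diagnosis above can be checked mechanically: the log warnings show that `permit_sasl_authenticated` and the bad `mynetworks` pattern were silently skipped, while the config still asked for SASL that the build lacked. The following is an added example, not part of the thread or of any Postfix/Gentoo tool; the function names and the sample strings (constructed in the shape of the thread's output) are assumptions.

```python
import re
# Constructed sample input, shaped like the log, postconf and emerge output in the thread.
LOG = """\
Mar 22 15:38:15 nereid postfix/smtpd[1863]: warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
Mar 22 15:38:15 nereid postfix/smtpd[1863]: warning: restriction `permit_sasl_authenticated' ignored: no SASL support
Mar 22 15:38:15 nereid postfix/smtpd[1863]: warning: std_addr_pattern: invalid address pattern "my.ip.net.work"
Mar 22 15:38:15 nereid postfix/smtpd[1863]: connect from unknown[192.168.0.93]
"""
POSTCONF = """\
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
"""
EMERGE = "[ebuild   R   ] mail-mta/postfix-2.1.5-r2  +ipv6 -ldap +pam -sasl (-selinux) +ssl -vda 0 kB"
WARNING = re.compile(r"postfix/\w+\[\d+\]: warning: (.*)$")
# Warning texts from the thread that mean a configured control is not being applied.
RULES = [
    ("sasl-missing", re.compile(r"SASL support is not compiled in")),
    ("restriction-ignored", re.compile(r"restriction `(\S+)' ignored")),
    ("bad-address-pattern", re.compile(r'invalid address pattern "(.+)"')),
]

def scan_log(text):
    """Return sorted (tag, detail) pairs for warnings that match RULES."""
    found = set()
    for line in text.splitlines():
        warning = WARNING.search(line)
        for tag, rx in RULES if warning else []:
            hit = rx.search(warning.group(1))
            if hit:
                found.add((tag, hit.group(1) if hit.groups() else ""))
    return sorted(found)

def use_flags(emerge_line):
    """Map USE flag -> enabled from one `emerge -vp` line; '(-flag)' counts as disabled."""
    tokens = (t.strip("()") for t in emerge_line.split())
    return {t[1:]: t[0] == "+" for t in tokens if len(t) > 1 and t[0] in "+-"}

def sasl_settings(postconf_text):
    """Names in `postconf -n` output that only take effect when SASL is compiled in."""
    conf = dict(l.split(" = ", 1) for l in postconf_text.splitlines() if " = " in l)
    needs = ["smtpd_sasl_auth_enable"] if conf.get("smtpd_sasl_auth_enable") == "yes" else []
    if "permit_sasl_authenticated" in conf.get("smtpd_recipient_restrictions", ""):
        needs.append("permit_sasl_authenticated")
    return needs

def audit(log, postconf, emerge):
    needs = sasl_settings(postconf)
    built = use_flags(emerge).get("sasl", False)  # mismatch: config wants SASL, build lacks it
    return {"log": scan_log(log), "needs_sasl": needs, "mismatch": bool(needs) and not built}
```

Calling `audit(LOG, POSTCONF, EMERGE)` on the sample reports all three ignored-control warnings and `mismatch: True`; after re-emerging with `+sasl` the mismatch clears.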

## rsmereka

In short, your suggestion worked perfectly.

I updated my USE (you can tell it's a build from scratch when there is no USE present), and re-emerged as you suggested.

I tested by:

```
telnet localhost 25
```

and watching the output of the smtp server. One interesting thing is that the other issue I had getting a connection refused when trying to telnet to the smtp server is gone. I still need to test against some mail clients to make sure and then it's on to part 7 (mysql installation).

According to the guide I am using, the other components I will be installing are:

mysql, apache, mod_php, phpmyadmin, pam_mysql, squirrelmail, mailman and strace

I would like to update USE so that I do not run into this same issue later on. What modifications to USE do you suggest?

I would also like to post a suggestion regarding updating the virtual mail hosting guide to include USE and also adding the various daemons installed to the default run level using rc-update (this is also absent from the doc). Any suggestions on where to post the suggestion?

Your help has been a great benefit. Thank you.

Rick

----------

## langthang

The USE flags depend very much on how you like to set your mail server up. Like whether you want apache-1 instead of apache-2, authenticate with PAM or without, etc ...

Anyway here is my USE for those packages, note that I am running ~x86 profile, the versions may not match with yours, but the USE flags should be very much the same.

```
# emerge mysql apache mod_php phpmyadmin pam_mysql squirrelmail mailman -vp

These are the packages that I would merge, in order:

Calculating dependencies ...done!

[ebuild   R   ] dev-db/mysql-4.0.24-r1  +berkdb -debug -doc -minimal +perl +readline (-selinux) +ssl -static +tcpd 0 kB

[ebuild   R   ] net-www/apache-2.0.53  +apache2 -debug -doc -ldap -mpm-leader -mpm-peruser -mpm-prefork -mpm-threadpool -mpm-worker -no-suexec +ssl -static-modules -threads 0 kB

[ebuild   R   ] dev-php/mod_php-5.0.3-r1  -adabas +apache2 -bcmath +berkdb -birdstep -bzlib -calendar -cdb -cpdflib +crypt -ctype +curl -curlwrappers -db2 +dba -dbase -dbm -dbmaker -dbx -debug -dio -empress -empress-bcs -esoob -exif +fam -fdftk -filepro -flatfile -frontbase -ftp +gd +gd-external +gdbm -gmp -hyperwave-api -iconv +imap -informix -ingres -inifile -interbase -iodbc -jpeg -kerberos -ldap -libedit -mcve -memlimit -mhash -mime -ming -mnogosearch -msession -msql -mssql +mysql -mysqli +ncurses -nis +nls -oci8 -odbc -oracle7 -ovrimos -pcntl -pcre -pfpro +png -posix -postgres -qdbm +readline -recode -sapdb -sasl +session -sharedext -sharedmem -simplexml -snmp -soap -sockets -solid +spell -spl -sqlite +ssl -sybase -sybase-ct -sysvipc -tidy -tiff -tokenizer +truetype -wddx +xml2 -xmlrpc -xpm -xsl +zlib 0 kB

[ebuild   R   ] dev-db/phpmyadmin-2.6.1_p2-r1  -vhosts 0 kB

[ebuild   R   ] sys-libs/pam_mysql-0.5  11 kB

[ebuild   R   ] mail-client/squirrelmail-1.4.4  +crypt -ldap +ssl -vhosts +virus-scan 0 kB

[ebuild   R   ] net-mail/mailman-2.1.6_beta4  +apache2 0 kB [1]
```

----------

## rsmereka

Thanks for the info. I am not sure whether I will use apache-1 or 2 at this point.

What you have installed brings up a couple of related issues like using Perl with mysql (right now, there is no Perl on my machine).

What is 'crypt'? I noticed it in mod_php and squirrelmail. Also, what is 'virus-scan', used in squirrelmail? Also, what is 'curl'?

Rick

----------

## langthang

You are new to Gentoo, so here is a query tool that could help you.

```
# emerge gentoolkit

$ equery -h #look up usage

Usage: equery <global-opts> command <local-opts>

where <global-opts> is one of

 -q, --quiet   - minimal output

 -C, --nocolor - turn off colours

 -h, --help    - this help screen

 -V, --version - display version info

where command(short) is one of

 belongs(b) <local-opts> files... - list all packages owning files...

 changes(c)  - not implemented yet

 check(k) pkgspec - check MD5sums and timestamps of pkgspec's files

 depends(d) <local-opts> pkgspec - list all direct dependencies matching pkgspec

 depgraph(g) <local-opts> pkgspec - display a dependency tree for pkgspec

 files(f) <local-opts> pkgspec - list files owned by pkgspec

 glsa(a)  - not implemented yet

 hasuse(h) <local-opts> pkgspec - list all packages with useflag

 list(l) <local-opts> pkgspec - list all packages matching pkgspec

 size(s) <local-opts> pkgspec - print size of files contained in package pkgspec

 stats(t)  - not implemented yet

 uses(u) <local-opts> pkgspec - display USE flags for pkgspec

 which(w) pkgspec - print full path to ebuild for package pkgspec

$ equery u -h #lookup syntax for uses command

Display USE flags for a given package

Syntax:

  uses <local-opts> pkgspec

<local-opts> is either of:

  -a, --all     - include non-installed packages

$ equery u -a squirrelmail #Display USE flags for squirrelmail

[ Searching for packages matching squirrelmail... ]

[ Colour Code : set unset ]

[ Legend    : Left column  (U) - USE flags from make.conf              ]

[           : Right column (I) - USE flags packages was installed with ]

[ Found these USE variables for mail-client/squirrelmail-1.4.4 ]

 U I

 + + crypt      : Add support for encryption -- using mcrypt or gpg where applicable

 - - ldap       : Adds LDAP support (Lightweight Directory Access Protocol)

 + + ssl        : Adds support for Secure Socket Layer connections

 - - virus-scan : Install plugin to support virus scanning of email attachments

 - - vhosts     : Adds support for installing web-based applications into a virtual-hosting environment
```

WRT perl USE flag for mysql, you don't need it for virtual mailhosting setup. perl is the default USE flag in my profile and I just don't bother to change it.

----------

## rsmereka

Before I read your last post, I figured it was a good idea to have Perl on the machine and I emerge'd it and added it to USE.

Gentoolkit sounds like something I could use that would make things much easier. I was using a combination of:

```
emerge --search curl | less
```

and then

```
emerge curl -pv
```

like you suggested and then looking up the USE flag in /usr/portage/profiles/use.desc but equery gives me all that information.

Thanks again for your help. :Very Happy: 

Rick

----------

