# Postfix smtp auth problem

## Gokee2

I have been trying for days to get postfix to send out through smtp to another server when emailing to juno and a few others that won't accept my dynamic ip (testing with gmail).  I have transport maps working but can't get auth to work.  I asked in #gentoo on Freenode a few days ago about the msg in my postfix mail.info log "postfix/smtp[31555]: warning: smtp_sasl_auth_enable is true, but SASL support is not compiled in". I wanted to know how to make gentoo compile that in. I got a reply along the lines of {gentoo does not do it that way, go read the pages on the gentoo site about it} so I found a couple pages on the gentoo site http://www.gentoo.org/doc/en/virt-mail-howto.xml and http://gentoo-wiki.com/HOWTO_Email_System_for_the_Home_Network however I have tried going through the parts related to what I want to do on both of them and still get the same msg.  I don't want to send out through smtp on my server so I did not do any of the parts about smtpd, also I don't want to setup a mysql server on the mail server's computer.  Any idea what I am doing wrong?

Thanks,

Gokee2

----------

## steveb

 *Quote:*   

> postfix/smtp[31555]: warning: smtp_sasl_auth_enable is true, but SASL support is not compiled in

This indicates that you enabled SASL for the client inside Postfix but your Postfix installation is not compiled in a way that supports SASL. To get Postfix to use SASL you need to enable the "sasl" or "dovecot-sasl" USE flag.

Can you check with "equery u postfix" if SASL is active on your Postfix?

What Postfix version are you using?

// Steve

----------

## Gokee2

I am using version 2.2.10.  What is a USE flag and where do I enable it?

Thanks

----------

## steveb

USE flags

----------

## Gokee2

I looked at the site and edited /etc/portage/package.use to have "mail-mta/postfix sasl". Next I did "emerge postfix" (well, I tried pretend before that to make sure it did not want to install the whole world) but it failed.  Here is what it said:

```
Calculating dependencies
Parse Error reading PROVIDE and USE in '/var/db/pkg/x11-base/xorg-x11-6.8.2-r2'
Possibly Invalid: 'virtual/x11 opengl? virtual/opengl opengl? virtual/glu virtual/xft'
Exception: Conditional without parenthesis: 'opengl?'
... done!
>>> Verifying ebuild Manifests...
>>> Emerging (1 of 1) mail-mta/postfix-2.3.6 to /
>>> Downloading 'http://distfiles.gentoo.org/distfiles/postfix-2.3.6.tar.gz'
--11:29:53--  http://distfiles.gentoo.org/distfiles/postfix-2.3.6.tar.gz
           => `/usr/portage/distfiles/postfix-2.3.6.tar.gz'
Resolving distfiles.gentoo.org... 64.50.236.52, 64.50.238.52, 216.165.129.135, ...
Connecting to distfiles.gentoo.org[64.50.236.52]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,783,743 [application/x-gzip]
100%[====================================================>] 2,783,743     74.35K/s    ETA 00:00
11:30:31 (72.99 KB/s) - `/usr/portage/distfiles/postfix-2.3.6.tar.gz' saved [2,783,743/2,783,743]
 * checking ebuild checksums ;-) ...                                                      [ ok ]
 * checking auxfile checksums ;-) ...                                                     [ ok ]
 * checking miscfile checksums ;-) ...                                                    [ ok ]
 * checking postfix-2.3.6.tar.gz ;-) ...                                                  [ ok ]
 * You are upgrading from a incompatible version.
 * You MUST stop postfix BEFORE install it to your system.
 * If you want a minimal downtime, emerge postfix with:
 * `FORCE_UPGRADE=1 emerge --buildpkgonly postfix`; then
 * `/etc/init.d/postfix stop && emerge --usepkgonly postfix`
 * run etc-update or dispatch-conf and merge the configuration files.
 * Next /etc/init.d/postfix start

!!! ERROR: mail-mta/postfix-2.3.6 failed.
Call stack:
  ebuild.sh, line 1654:   Called dyn_setup
  ebuild.sh, line 714:   Called qa_call 'pkg_setup'
  ebuild.sh, line 44:   Called pkg_setup
  postfix-2.3.6.ebuild, line 98:   Called die

!!! upgrade from an incompatible version!
!!! If you need support, post the topmost build error, and the call stack if relevant.
!!! A complete build log is located at '/var/tmp/portage/mail-mta/postfix-2.3.6/temp/build.log'.
```

What went wrong here?

Thanks,

Gokee2

----------

## Veldrin

normal "problem". you cannot upgrade/downgrade/reinstall/.. postfix while it's running.

stop postfix, using

```
/etc/init.d/postfix stop
```

do your upgrade/reinstall - wait till it is completed - , and start postfix again with

```
/etc/init.d/postfix start
```

cheers

V.

----------

## Gokee2

I have to stop it while compiling?  Ouch, that would really hurt on a real mail server!  I should have thought of that, I guess I am too used to Debian stopping and starting it for me once it's done with the upgrade.  Anyway, thanks for the info, it's emerging great now.  :)

----------

## Veldrin

Agreed, there are some inconveniences in gentoo....

otherwise just read the error output, the alternative is displayed there...

```
* `FORCE_UPGRADE=1 emerge --buildpkgonly postfix`; then

* `/etc/init.d/postfix stop && emerge --usepkgonly postfix` 

* run etc-update or dispatch-conf and merge the configuration files.

* Next /etc/init.d/postfix start 
```

cheers

V.

----------

## Gokee2

Hmm, I like the simple way of stopping the server  :)   But only because this server does not get or receive much mail. It's only really used for one mailing list and only for outgoing mail (basically using mailman to manage and send out a weekly mailing without allowing any posting from the people receiving the mailing).  Hmm, emerge is done already?  Let me go check on that.

----------

## Gokee2

Ok that took care of the "postfix/smtp[31555]: warning: smtp_sasl_auth_enable is true, but SASL support is not compiled in" now I have in mail.info

```
Sep  6 12:26:24 grond postfix/pickup[10949]: 5FEA947ACC9: uid=81 from=<apache>
Sep  6 12:26:24 grond postfix/cleanup[11128]: 5FEA947ACC9: message-id=<20070906192624.5FEA947ACC9@skagitattic.no-ip.org>
Sep  6 12:26:24 grond postfix/qmgr[10950]: 5FEA947ACC9: from=<apache@skagitattic.no-ip.org>, size=298, nrcpt=1 (queue active)
Sep  6 12:26:24 grond postfix/smtp[11129]: 5FEA947ACC9: to=<something@gmail.com>, relay=smtp.gmail.com[209.85.199.111]:587, delay=0.29, delays=0.06/0.01/0.18/0.04, dsn=5.7.0, status=bounced (host smtp.gmail.com[209.85.199.111] said: 530 5.7.0 Must issue a STARTTLS command first b8sm12142871rvf (in reply to MAIL FROM command))
```

And I received an email back from postfix with the following

```
Return-Path: <>
X-Original-To: apache@skagitattic.no-ip.org
Delivered-To: apache@skagitattic.no-ip.org
Received: by skagitattic.no-ip.org (Postfix)
        id A72B447ACCA; Thu,  6 Sep 2007 12:26:24 -0700 (PDT)
Date: Thu,  6 Sep 2007 12:26:24 -0700 (PDT)
From: MAILER-DAEMON@skagitattic.no-ip.org (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: apache@skagitattic.no-ip.org
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="5FEA947ACC9.1189106784/skagitattic.no-ip.org"
Message-Id: <20070906192624.A72B447ACCA@skagitattic.no-ip.org>

This is a MIME-encapsulated message.

--5FEA947ACC9.1189106784/skagitattic.no-ip.org
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host skagitattic.no-ip.org.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<something@gmail.com>: host smtp.gmail.com[209.85.199.111] said: 530 5.7.0 Must
    issue a STARTTLS command first b8sm12142871rvf (in reply to MAIL FROM
    command)

--5FEA947ACC9.1189106784/skagitattic.no-ip.org
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; skagitattic.no-ip.org
X-Postfix-Queue-ID: 5FEA947ACC9
X-Postfix-Sender: rfc822; apache@skagitattic.no-ip.org
Arrival-Date: Thu,  6 Sep 2007 12:26:24 -0700 (PDT)

Final-Recipient: rfc822; something@gmail.com
Action: failed
Status: 5.7.0
Remote-MTA: dns; smtp.gmail.com
Diagnostic-Code: smtp; 530 5.7.0 Must issue a STARTTLS command first
    b8sm12142871rvf

--5FEA947ACC9.1189106784/skagitattic.no-ip.org
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: by skagitattic.no-ip.org (Postfix, from userid 81)
        id 5FEA947ACC9; Thu,  6 Sep 2007 12:26:24 -0700 (PDT)
From: somethingelse@gmail.com
To: something@gmail.com
Subject: Grr
Message-Id: <20070906192624.5FEA947ACC9@skagitattic.no-ip.org>
Date: Thu,  6 Sep 2007 12:26:24 -0700 (PDT)

Hi

--5FEA947ACC9.1189106784/skagitattic.no-ip.org--
```

What's going on now?

Thanks,

Gokee2

Note:  something and somethingelse are real accounts on gmail replaced with something and somethingelse so any bots surfing the net would not find them.

----------

## steveb

This is the problem:

```
Diagnostic-Code: smtp; 530 5.7.0 Must issue a STARTTLS command first

b8sm12142871rvf
```

Basically Google wants your server to use STARTTLS for mail transfer. Could it be that you relay outbound mail over Google?

Please post your Postfix configuration as it is easier to help you when knowing the configuration.

// SteveB

----------

## Gokee2

Yes I am trying to relay mail over gmail.

Here is the smtp part of main.cf

 *Quote:*   

> #Add remote smtp server access
> 
> #Find what servers to use it for
> 
> transport_maps = hash:/etc/postfix/transport
> ...

 

The full main.cf is at http://pastebin.com/m29a38208

In transport I have 

 *Quote:*   

> something@gmail.com    smtp:smtp.gmail.com:587

 

I think this means if mail is going to "something@gmail.com" relay through gmail server.

Then in sasl_passwd I have

 *Quote:*   

> gmail.com              somethingelse@gmail.com:something_elses_password

 

So next I send mail to something@gmail.com in hopes it will get relayed through somethingelse@gmail.com's account.

I ran

 *Quote:*   

> postmap /etc/postfix/transport
> 
> postmap hash:/etc/postfix/sasl_passwd

 

After making the files transport and sasl_passwd

Any files with config you need I missed?

----------

## steveb

Are you using Postfix 2.2.10? What version are you using?

----------

## Gokee2

After the emerge I am now using 2.3.6

----------

## steveb

Okay. Good. Do you want to relay ALL mail over Google or just the one for something@gmail.com?

Why are you using the submission port when sending to Google? Why not simple SMTP?

----------

## Gokee2

submission port?  EDIT: I get it, you mean port 587.  That's what is in my Thunderbird config that works for the account so I was just copying the config settings.

I have a few servers like juno that I want to relay mail through a different server for because they don't like my dynamic ip.  I am using gmail as a test server, the real server will be a different server that is a little unreliable at times so I thought using gmail for testing would work better.  As soon as it starts working my transport is going to grow nice and big  :)

So yes for now I want just something@gmail.com to relay through somethingelse@gmail

----------

## steveb

 *Gokee2 wrote:*   

> So yes for now I want just something@gmail.com to relay through somethingelse@gmail

something@gmail.com to somethingelse@gmail.com? Why? Why not send all the @google.com mails to Google directly? Do you really want to rewrite something@gmail.com to somethingelse@gmail.com?

The setup below will enforce any mail to google.com to be forced into TLS mode:

Add this to your /etc/postfix/main.cf:

```
smtp_tls_policy_maps = hash:$config_directory/tls_policy
```

Create a file with the name /etc/postfix/tls_policy and add:

```
gmail.com encrypt

.gmail.com encrypt
```

Execute:

```
postmap /etc/postfix/tls_policy
```

Restart Postfix:

```
/etc/init.d/postfix restart
```

Check now if it is working. Watch the log for TLS errors.

Correct me if I am wrong but is the situation not like this:

You have an account at Google mail. This account is called somethingelse@gmail.com. Now you want to send any outbound mail leaving your system over the mail infrastructure from Google by using your somethingelse@gmail.com account. Is that right?

Or do you just want to send mail to something@google.com over the google server in TLS mode? I don't think that this is needed. If your server would send a mail to Google, then it will do a MX lookup and send to one of the MX servers the mail in plain old SMTP. No need to switch into TLS and as well no need to use SASL. But if you want to relay all the mail over Google, then I think you need to authenticate and this is where SASL comes into play.

Can you somehow try to clear things up or try to explain to me what exactly you are trying to do? (Sorry, English is not my native language.)

// SteveB

----------

## Gokee2

The problem

Well, my problem I am trying to fix is emails going to places like juno:

 *Quote:*   

> <woof@netzero.com>: connect to mx.dca.untd.com[64.136.44.37]: server
> 
>     refused to talk to me: 550 Access
> 
>     denied:...07c4114d844d4040d1e59520cde091e1e0adc0b0b11d35b1b46d5019f05951b585f98d24041d0451c9940140802db9a465400df51d94213d153d40f4559534cd8964304534e520155571a0a1a0348580f1d58d7949149dd575c9a18044fd90fdd5f5cdb4e00d3d2540794521c4458555e9557104ada46d6170f1c0b0f1f9b0f9a94924fd...
> ...

 

To do this I want to relay all mail going to places that reject my mail directly through a "real" mail server.  This server is going to be 2rbetter.org.

Current setup

I would go right through the server 2rbetter.org but that server is rather flaky at times and I am not sure on the right username/password right now.

So instead I am making smtp work by going out through email.  As this is a test I am only making it go through the server for my 2nd address.  My server can send to gmail just fine right now but I don't have a juno account or any account for that matter that is on a server that rejects mine.  As soon as this setup works I will be editing the transport file to change it all around.

That clearer?

I will go and do what you say to do in your last post and come say how it goes in a few minutes.

----------

## Gokee2

Same problem

Diagnostic-Code: smtp; 530 5.7.0 Must issue a STARTTLS command first

    f42sm163532rvb

 *Quote:*   

> Sep  6 16:12:54 grond postfix/smtp[12130]: 1A81A47ACCB: to=<something@gmail.com>, relay=smtp.gmail.com[209.85.199.109]:587, delay=0.35, delays=0.02/0.11/0.18/0.04, dsn=5.7.0, status=bounced (host smtp.gmail.com[209.85.199.109] said: 530 5.7.0 Must issue a STARTTLS command first f42sm163532rvb (in reply to MAIL FROM command))
> 
> Sep  6 16:12:54 grond postfix/cleanup[12129]: 78CA947ACCD: message-id=<20070906231254.78CA947ACCD@skagitattic.no-ip.org>
> 
> Sep  6 16:12:54 grond postfix/qmgr[12119]: 78CA947ACCD: from=<>, size=2255, nrcpt=1 (queue active)
> ...

 

I did everything in your last post.

----------

## steveb

You need to enable TLS in your main.cf. This part needs to be active:

```
#smtp_use_tls = yes

#smtp_tls_note_starttls_offer = yes

#smtpd_use_tls = yes

##smtpd_tls_auth_only = yes

##smtpd_tls_key_file = /etc/postfix/newkey.pem

##smtpd_tls_cert_file = /etc/postfix/newcert.pem

##smtpd_tls_CAfile = /etc/postfix/cacert.pem

#smtpd_tls_loglevel = 3

#smtpd_tls_received_header = yes

#smtpd_tls_session_cache_timeout = 3600s

#tls_random_source = dev:/dev/urandom
```

----------

## Gokee2

Just the non-smtpd stuff right? I made that section look like this:

 *Quote:*   

> smtp_use_tls = yes
> 
> smtp_tls_note_starttls_offer = yes
> 
> #smtpd_use_tls = yes
> ...

 

That ok?  I never made any certs so the smtpd lines would make postfix yell at me  :)

I now have a diff error msg

 *Quote:*   

> Sep  6 16:31:51 grond postfix/qmgr[12214]: 5319947ACCB: from=<apache@skagitattic.no-ip.org>, size=304, nrcpt=1 (queue active)
> 
> Sep  6 16:31:51 grond postfix/smtp[12221]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
> 
> Sep  6 16:31:51 grond postfix/smtp[12221]: certificate verification failed for smtp.gmail.com: num=27:certificate not trusted
> ...

 

Edit:  I was able to fix this, I did not have the right thing in sasl_passwd and postfix was not properly getting the username/password for gmail.  I have also fixed a bunch of other things that came up with the help of some people in #postfix on freenode and debug_peer_list.  If you are reading this and want more information, this forum will notify me of replies so if you post I should be able to see it.  Also I am almost always on the freenode irc server with the username of Gokee2.

Thanks for helping with this steveb and Veldrin.

Gokee2

----------
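
An added example, not part of any post in this thread and not Postfix's own code: a Python check of whether the keys in sasl_passwd and tls_policy would be found for the next hop named in the transport map, following the lookup rules documented for smtp_sasl_password_maps and smtp_tls_policy_maps. The map contents are constructed from the snippets posted above, the password is a placeholder, and the thread does not say which sasl_passwd entry finally worked.

```python
# Added example. Map contents are constructed, modelled on the thread's files.
TRANSPORT = "something@gmail.com    smtp:smtp.gmail.com:587\n"
SASL_PASSWD = "gmail.com    somethingelse@gmail.com:placeholder_password\n"
TLS_POLICY = "gmail.com encrypt\n.gmail.com encrypt\n"

def parse_map(text):
    """Parse 'key value' lines of a Postfix lookup table source file."""
    table = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            table[fields[0]] = fields[1]
    return table

def host_of(hop):
    """Host part of a next hop: 'h:587' -> 'h', '[h]:587' -> 'h'."""
    if hop.startswith("["):
        return hop[1:hop.index("]")]
    return hop.split(":", 1)[0]

def sasl_keys(hop):
    # Credentials are looked up by the verbatim next hop, then by remote hostname.
    # Assumption: the host part equals the remote hostname (no MX redirection).
    return list(dict.fromkeys([hop, host_of(hop)]))

def tls_keys(hop):
    """Verbatim next hop; '.parent' keys only for a bare domain (no [] or :port)."""
    keys = [hop]
    if not hop.startswith("[") and ":" not in hop:
        while "." in hop[1:]:
            hop = hop[hop.index(".", 1):]
            keys.append(hop)
    return keys

def audit(transport, sasl_passwd, tls_policy):
    """Return (next_hop, matching SASL key, matching TLS policy key) per route."""
    sasl, tls = parse_map(sasl_passwd), parse_map(tls_policy)
    report = []
    for target in parse_map(transport).values():
        hop = target.partition(":")[2]  # drop the 'smtp:' transport name
        if hop:
            report.append((hop,
                           next((k for k in sasl_keys(hop) if k in sasl), None),
                           next((k for k in tls_keys(hop) if k in tls), None)))
    return report

if __name__ == "__main__":
    for row in audit(TRANSPORT, SASL_PASSWD, TLS_POLICY):
        print("next hop %s: sasl key=%s, tls policy key=%s" % row)
```

A `None` in either column means Postfix would find no entry for that route, so it would send without credentials or without the intended TLS policy.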

