# Need help: Postfix SMTP authenticated relay

## pvgentoo

OK - so I've had postfix working fine for a long while.  When out and about, my wife uses squirrelmail.  I just got a laptop for some long term travelling and wish to use a more robust mail client like thunderbird and sylpheed to access my mail via IMAP.  I run Postfix and Courier.  

I've got the laptop going on an outside network for testing.  I can obtain and read my mail via secure imap.  That's where the problems start.  At various points in this process I've received relay errors due to having the default, secure postfix setup.  TLS appears to work locally on sylpheed, but fails from outside with a "server doesn't offer STARTTLS In EHLO response" error - so I think it's just giving me a pass locally.  However, both machines seem to see and accept the certs.  In my research, it appeared that SASL was a necessary mechanism in my quest, but that's no joy either.

I've read several FAQs and am quite confused.  

Most every SASL howto for Postfix uses Cyrus and Postgres.  I have mysql and a dearth of DB knowledge.  Some of the howtos set up a system that uses sasldb2 and not saslauthd.    

My gut tells me that it can't all be this complicated.  I wish I could use the laptop's postfix to send mail, but it will likely be in XP land some of the time - and my wife uses a mac.

Any ideas?  

Any preferred order for solving this problem?

----------

## magic919

Use OpenVPN for the connection 'home' from the laptop.  Give the laptop an IP on the LAN for the VPN.  Job done.  I do my remote SMTP and IMAP over a VPN.

----------

## pvgentoo

 *magic919 wrote:*   

> Use OpenVPN for the connection 'home' from the laptop.  Give the laptop an IP on the LAN for the VPN.  Job done.  I do my remote SMTP and IMAP over a VPN.

 

It's an interesting idea.  I'll be in Japan on DHCP most likely.  Will that complicate things?

----------

## pvgentoo

OK, I'm going to give a more clear idea of where I'm at:

I followed http://gentoo-wiki.com/HOWTO_Email_System_for_the_Home_Network in order to set up my system.

Locally, on Linux, Sylpheed Claws is fine.  I have Sylpheed set up with IMAP and SMTP TLS Auth.  The trick is that I don't know if my machine is faking me out.  When I go to the XP laptop, I have to use Thunderbird for IMAP Maildir access.  

Under Thunderbird in XP - outside the network I get this:

I can read mail if I switch from TLS to "SSL w/o authentication."

In terms of sending... no dice.

I start with TLS + user / pw.  

Say I attempt to send to Yahoo.  I get a window acknowledging the detection of an encrypted email connection.   This seems like a good sign. 

I OK then the send fails a la:  

"Error - unable to connect to SMTP server mail.philsdomain.com via STARTTLS since it doesn't offer STARTTLS in EHLO response."

So, I change SMTP settings in T-bird to SSL.  Hey, it worked for reading mail... 

"Error - maybe the server is down or misconfigured."

With SMTP set to 'no secure connection' I get a relay error.  I guess that's a good thing.

However, if I use this setting in an email to my domain, it does go through.  That's the only permutation that is able to send.

----------

## pvgentoo

Some more info:

```
$ telnet mail.philsdomain.com 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.philsdomain.com ESMTP Postfix
EHLO philsdomain.com
250-mail.philsdomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
STARTTLS
220 Ready to start TLS
^]
```

I find this odd, considering the error states that STARTTLS isn't offered.

----------

## magic919

 *pvgentoo wrote:*   

>  *magic919 wrote:*   Use OpenVPN for the connection 'home' from the laptop.  Give the laptop an IP on the LAN for the VPN.  Job done.  I do my remote SMTP and IMAP over a VPN. 
> 
> It's an interesting idea.  I'll be in Japan on DHCP most likely.  Will that complicate things?

 

Only when chatting to the locals  :Smile: 

----------

## nobspangle

SASL and TLS don't need to be implemented together, you can have one without the other. However, in the interest of security it's worth using both.

To switch on SASL you need

```
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
```

In your main.cf and you need

```
permit_sasl_authenticated
```

in your smtpd restrictions

You can force sasl on your local machine by removing 

```
permit_mynetworks
```

One tip for you, don't bother using smtpd_client_restrictions or smtpd_sender_restrictions, just put everything in smtpd_recipient_restrictions, this makes the process easier to follow.
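A small lint for exactly the points made above (SASL switched on, `permit_sasl_authenticated` present in `smtpd_recipient_restrictions` and ahead of `reject_unauth_destination`, `permit_mynetworks` still letting LAN clients relay unauthenticated). This is an added example, not code from anyone in the thread or from Postfix; the `main.cf` fragment inside it is constructed, and the TLS check uses the legacy `smtpd_use_tls` switch this thread's configs rely on.

```python
# Constructed main.cf fragment in the shape discussed in the thread (not anyone's real server config).
SAMPLE_MAIN_CF = """\
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        permit
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
"""

def parse_main_cf(text):
    """Parse main.cf into a dict; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()  # continuation of a multi-line value
            continue
        name, _, value = raw.partition("=")
        key = name.strip()
        params[key] = value.strip()
    return params

def restriction_list(value):
    """Split a Postfix restriction list on commas and whitespace."""
    return value.replace(",", " ").split()

def check_sasl_relay(params):
    """Return findings about the authenticated-relay setup; empty list means the checks pass (TLS judged by legacy smtpd_use_tls)."""
    findings = []
    yes = lambda name: params.get(name, "no").lower() == "yes"
    if not yes("smtpd_sasl_auth_enable"):
        findings.append("smtpd_sasl_auth_enable is not yes: AUTH is never offered")
    if yes("smtpd_tls_auth_only") and not yes("smtpd_use_tls"):
        findings.append("smtpd_tls_auth_only=yes but smtpd_use_tls is off: AUTH is never offered")
    rr = restriction_list(params.get("smtpd_recipient_restrictions", ""))
    if "permit_sasl_authenticated" not in rr:
        findings.append("permit_sasl_authenticated missing from smtpd_recipient_restrictions")
    elif "reject_unauth_destination" in rr and \
            rr.index("reject_unauth_destination") < rr.index("permit_sasl_authenticated"):
        findings.append("reject_unauth_destination precedes permit_sasl_authenticated: relay is rejected")
    if not {"reject_unauth_destination", "check_relay_domains"} & set(rr):
        findings.append("no reject_unauth_destination: this is an open relay")
    if "permit_mynetworks" in rr:
        findings.append("permit_mynetworks present: LAN clients relay without authenticating")
    return findings
```

Run `check_sasl_relay(parse_main_cf(open("/etc/postfix/main.cf").read()))` against a real file; the only finding on the constructed sample is the `permit_mynetworks` note.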

----------

## pvgentoo

 *nobspangle wrote:*   

> To switch on SASL you need
>
> ```
> ...
> ```

^ This I did not have.

 *Quote:*   

> One tip for you, don't bother using smtpd_client_restrictions or smtpd_sender_restrictions, just put everything in smtpd_recipient_restrictions, this makes the process easier to follow.

done.

I restarted postfix, but am still getting the same EHLO error.

Here are parts of my main.cf:

----------------------------------

```
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain $mydomain
unknown_local_recipient_reject_code = 450
mynetworks_style = host
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client opm.blitzed.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org,
        check_relay_domains,
        permit
smtpd_data_restrictions =
        reject_unauth_pipelining,
        permit
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_tls_note_starttls_offer = yes
# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
```

===================

$ cat master.cf

```
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -v
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# Phil SMTPD AUTH 2006.05.22
smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
```

=================

$ cat /etc/pam.d/imap

```
# PAM setup for
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
# OLD
#auth       required     pam_nologin.so
#auth       include      system-auth
#account    include      system-auth
#session    include      system-auth
```

==================

$cat ../conf.d/saslauthd

```
# Phil 2006.05.22
# http://gentoo-wiki.com/HOWTO_Email_System_for_the_Home_Network#Sending_Email
SASLAUTH_MECH=shadow
SASL_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes
SASLAUTHD_OPTS="-a ${SASLAUTH_MECH}"
```

================

$ cd ../courier-imap/

$ diff imapd-ssl imapd-ssl.2006.05.22.bak

82c82

< IMAP_TLS_REQUIRED=1

---

> IMAP_TLS_REQUIRED=0
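Review bot: IMAP_TLS_REQUIRED=1 makes Courier refuse plaintext logins on the IMAP port until STARTTLS has completed, which is what the "plain text logins are disabled" error reported later in the thread for SquirrelMail means, since it connects to the IMAP server without TLS; either point SquirrelMail at the IMAP server over TLS or document that this setting locks out every non-TLS IMAP client, local ones included.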

===================

$ cat /etc/sasl2/smtpd.conf

```
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
# Phil 2006.05.22
#http://gentoo-wiki.com/HOWTO_Email_System_for_the_Home_Network#Sending_Email
pwcheck_method:saslauthd
mech_list: plain login
```

==================

Sorry to dump all this.  I'm just trying to give the big picture.

Thank you very very much.

Phil

----------

## pvgentoo

Note that mailman was politely ignoring mail, so I tweaked a couple lines back in main.cf as I suspected they might be the cause:

```
smtpd_client_restrictions =
        check_client_access hash:/etc/postfix/access
#smtp_enforce_tls = yes
```

Just so we're on the same page.

P

----------

## pvgentoo

The hits keep coming.  Squirrelmail apparently doesn't like the changes:

Bad request: The IMAP server is reporting that plain text logins are disabled. Using CRAM-MD5 or DIGEST-MD5 authentication instead may work. Also, the use of TLS may allow SquirrelMail to login. Please contact your system administrator and report this error.

----------

## Teardrop

Any update on this one? I've got the exact same problem with Thunderbird and TLS for SMTP auth since spring '06. I haven't solved the problem yet. Mail is working when I delete "tls_only"; otherwise it gives me the error message about "doesn't offer starttls". Funny thing is: when I telnet to port 25 from a Linux station I get the STARTTLS after EHLO domain.com, but from a Windows XP station I don't get it!!!

any help on this one?

thx a lot

Teardrop

----------

