# can't connect to smtp server

## Fenixoid

Hello,

I'm using a virtual mail system: postfix + courier-imap + courier-authlib + postfixadmin + cyrus-sasl2 + mysql.

All users are in mysql, and courier-authlib identifies them by their email and password (crypt).

But identification fails when I try to send mail (using smtp). Any ideas about that? I need users to be able to use the smtp server from anywhere, using their email and password to log in.

```
box / # cat /etc/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
sasl2_pwcheck_method: saslauthd authdaemond
log_level: 3
sasl_auxprop_method: auxprop
sasl_auxprop_plugin: mysql
srp_mda: md5
mech_list: login plain
#cram-md5 digest-md5
authdaemond_path:/var/lib/courier/authdaemon/socket
password_format: crypt
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_database: postfix
sql_user: postfix
sql_passwd: my_password
sql_select: SELECT password FROM mailbox WHERE username='%u@%r' AND active='1' LIMIT 1
#sql_select: SELECT password FROM mailbox WHERE username='%u' and domain='%r'
#sql_update: UPDATE mailbox SET password='%v' WHERE username='%u@%r' AND active='1' LIMIT 1
sql_usessl: no
```

Somewhere I saw that the sql line is incorrect. Does anyone know about this?

Postfix code:

```
# SASL settings
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =

virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:207
virtual_mailbox_base = /var/vmail/
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 102400000
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 207
virtual_transport = virtual
virtual_uid_maps = static:207

smtpd_recipient_restrictions =
       reject_invalid_hostname,
       reject_non_fqdn_recipient,
       reject_non_fqdn_sender,
       reject_unknown_sender_domain,
       reject_unknown_recipient_domain,
       reject_unauth_pipelining,
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_unlisted_recipient,
       check_policy_service inet:127.0.0.1:10030,
       reject_unauth_destination,
       permit
```

----------

## Mr.C.

Show the errors from your postfix logs that indicate the failure.

----------

## overkll

This could be the issue:

```
smtpd_recipient_restrictions =
       permit_mynetworks
       permit_sasl_authenticated,
       reject_unauth_destination,
       reject_invalid_hostname,
       reject_non_fqdn_recipient,
       reject_non_fqdn_sender,
       reject_unknown_sender_domain,
       reject_unknown_recipient_domain,
       reject_unauth_pipelining,
       reject_unlisted_recipient,
       check_policy_service inet:127.0.0.1:10030,
```

Per postfix docs: (the last paragraph is especially important)

```
  Dangerous use of smtpd_recipient_restrictions

By now the reader may wonder why we need smtpd client, helo or sender restrictions, when their evaluation is postponed until the RCPT TO or ETRN command. Some people recommend placing ALL the access restrictions in the smtpd_recipient_restrictions list. Unfortunately, this can result in too permissive access. How is this possible?

The purpose of the smtpd_recipient_restrictions feature is to control how Postfix replies to the RCPT TO command. If the restriction list evaluates to REJECT or DEFER, the recipient address is rejected; no surprises here. If the result is PERMIT, then the recipient address is accepted. And this is where surprises can happen.

Here is an example that shows when a PERMIT result can result in too much access permission:

1 /etc/postfix/main.cf:
2     smtpd_recipient_restrictions =
3         permit_mynetworks
4         check_helo_access hash:/etc/postfix/helo_access
5         reject_unknown_helo_hostname
6         reject_unauth_destination
7
8 /etc/postfix/helo_access:
9     localhost.localdomain PERMIT

Line 5 rejects mail from hosts that don't specify a proper hostname in the HELO command (with Postfix < 2.3, specify reject_unknown_hostname). Lines 4 and 9 make an exception to allow mail from some machine that announces itself with "HELO localhost.localdomain".

The problem with this configuration is that smtpd_recipient_restrictions evaluates to PERMIT for EVERY host that announces itself as "localhost.localdomain", making Postfix an open relay for all such hosts.

In order to avoid surprises like these with smtpd_recipient_restrictions, you should place non-recipient restrictions AFTER the reject_unauth_destination restriction, not before. In the above example, the HELO based restrictions should be placed AFTER reject_unauth_destination, or better, the HELO based restrictions should be placed under smtpd_helo_restrictions where they can do no harm.
```

Try these access rules:

```
smtpd_recipient_restrictions =
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_unauth_destination,
       reject_invalid_hostname,
       reject_non_fqdn_recipient,
       reject_non_fqdn_sender,
       reject_unknown_sender_domain,
       reject_unknown_recipient_domain,
       reject_unauth_pipelining,
       reject_unlisted_recipient,
       check_policy_service inet:127.0.0.1:10030
```

----------

## robodeath

I tried to get this same thing working, fought it for about a week.  I ended up telling postfix to use pam_mysql, so there's always that option.

----------

## Fenixoid

*overkll wrote:*

> Try these access rules:
>
> ...


Does not help.

Log says:

 *Quote:*   

> Mar  8 02:39:29 serveris postfix/smtpd[5613]: xsasl_cyrus_server_first: sasl_method PLAIN, init_response AHRlc3RhcwB0ZXN0YXM=
> 
> Mar  8 02:39:29 serveris postfix/smtpd[5613]: xsasl_cyrus_server_first: decoded initial response 
> 
> Mar  8 02:39:29 serveris postfix/smtpd[5613]: warning: SASL authentication failure: Password verification failed
> ...

 

----------

## Fenixoid

And this:

 *Quote:*   

> Mar  8 02:57:37 serveris postfix/smtpd[6186]: generic_checks: name=permit_mynetworks status=0
> 
> Mar  8 02:57:37 serveris postfix/smtpd[6186]: generic_checks: name=permit_sasl_authenticated
> 
> Mar  8 02:57:37 serveris postfix/smtpd[6186]: generic_checks: name=permit_sasl_authenticated status=0
> ...

 

Without any of the smtp restrictions I get mail to my mailbox.

----------

## Mr.C.

The two sets of rules for smtpd_recipient_restrictions posted are identical. This, of course, could not resolve any issues.

There is no open relay issue, as reject_unauth_destination precedes all other restrictions, to which the posted warning refers.

This is not a rules problem - those rules are fine. They allow permit_sasl_authenticated users. The problem is that the OP's postfix is failing to authenticate.

The SASL configuration is not functional.

Use the mysql command line tool to connect to your database. You can verify that your SQL select line is doing what you think.

Common misconfigurations are wrong authentication type or methods. Review and understand these. There is no point in trying to set up authentication or security if you don't understand the security implications, nor the basic error messages being returned.

Before you attempt to use SASL, TLS, or an SQL backend, you should know how to configure postfix generically.

MrC
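
One way to carry out the check suggested above without touching the live server, as an added example that is not part of the original post: it decodes the PLAIN login name from the logged `init_response` and expands the posted `sql_select` for it. SQLite stands in for MySQL; the mailbox row, the `example.org` domain and the `default_realm` parameter are constructed assumptions.

```python
import base64
import re
import sqlite3

# sql_select template from the smtpd.conf posted in this thread.
SQL_SELECT = ("SELECT password FROM mailbox "
              "WHERE username='%u@%r' AND active='1' LIMIT 1")
# init_response value from the smtpd log lines posted in this thread.
LOGGED_INIT_RESPONSE = "AHRlc3RhcwB0ZXN0YXM="

def plain_identity(init_response_b64):
    """Decode SASL PLAIN (authzid NUL authcid NUL passwd); drop the password."""
    fields = base64.b64decode(init_response_b64).split(b"\0")
    if len(fields) != 3:
        raise ValueError("not a SASL PLAIN response")
    return fields[0].decode(), fields[1].decode()

def expand_select(template, login, default_realm):
    """Fill in %u (user part) and %r (realm) for a given login string."""
    # default_realm is an assumption: it stands for whatever realm the server
    # side supplies when the client logs in without an '@domain' part.
    user, sep, realm = login.partition("@")
    values = {"u": user, "r": realm if sep else default_realm}
    # Double single quotes so a login cannot break out of the SQL literal.
    return re.sub(r"%([ur])",
                  lambda m: values[m.group(1)].replace("'", "''"), template)

def lookup(db, login, default_realm=""):
    """Return (expanded query, matching row or None)."""
    query = expand_select(SQL_SELECT, login, default_realm)
    return query, db.execute(query).fetchone()

def make_sample_db():
    """Constructed stand-in (SQLite) for the MySQL 'postfix' database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailbox (username TEXT, password TEXT, active INTEGER)")
    db.execute("INSERT INTO mailbox VALUES ('testas@example.org', '<crypt-hash>', 1)")
    return db

if __name__ == "__main__":
    db = make_sample_db()
    _, authcid = plain_identity(LOGGED_INIT_RESPONSE)
    for login in (authcid, authcid + "@example.org"):
        query, row = lookup(db, login)
        print(f"{login!r}: {query} -> {'row found' if row else 'no row'}")
```

Running the expanded query text in the mysql client against the real `mailbox` table shows whether the login name the client actually sent can match a stored `username`.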

----------

## overkll

*Mr.C. wrote:*

> The two sets of rules for smtpd_recipient_restrictions posted are identical. This, of course, could not resolve any issues.

 

You're right.  I think I must have confused this thread with another postfix thread.

----------

