[Dovecot] unable to send mails via postfix/dovecot SASL
Hello,
I have a freshly setup postfix/dovecot mail server (after a server upgrade I decided to change my sendmail/popper conf to something more modern :)
It mostly works, there is no problem in sending/receiving mails in local network, both using text clients like mutt or pine dealing with the incoming/outcoming mail directly. Also dovecot works fine with SSL authentication from the outside world (home computers etc) but only for reading the mail.
I have been struggling for several days already to get postfix/dovecot/SSL trio to work for sending (relaying) mail from the home computers (but also from local network) via my server to the final recipients, using authenticated connections. I followed http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL hints for the configuration of postfix and dovecot (see output of dovecot -n and postconf -n commands below). I also uncommented "smtps" line in /etc/postfix/master.cf file (otherwise postfix was refusing any connections to secure SMTP port). For a while, I uncommented also "submission" line there but to no success either.
Now when I try to send a mail from my home PC, using Thunderbird 2.0.0.21, with SSL connection configured for outgoing smtp server (port 465), using username/password, it shows "Connected to server..." message but after a minute or so, it fails saying that the connection to SMTP server failed.
The server log shows:
11:51:24 sirius postfix/smtpd[15126]: connect from my_home_pc_name/ip
Jun 11 11:52:25 sirius postfix/smtpd[15126]: lost connection after UNKNOWN from from my_home_pc_name/ip
Jun 11 11:52:25 sirius postfix/smtpd[15126]: disconnect from my_home_pc_name/ip
There are no dovecot-related messages in the log regarding such an attempt.
I am not sure whether this is dovecot or postfix problem but, being no expert on either of those, I am asking help to resolve this annoying problem.
with best regards, Michal.
-------------- dovecot -n --------------------------
1.0.7: /etc/dovecot.conf
ssl_cert_file: /etc/pki/dovecot/certs/sirius.pem
ssl_key_file: /etc/pki/dovecot/private/sirius.key
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: mbox:~/Mail:INBOX=/var/spool/mail/%u
mmap_disable: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
imap_client_workarounds(default): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(imap): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(pop3): outlook-idle
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
auth default:
  mechanisms: plain login
  verbose: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
----------------- postconf -n ----------------------------
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = astrouw.edu.pl
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain, www.$mydomain, ftp.$mydomain, /etc/mail/local-host-names
myhostname = sirius.astrouw.edu.pl
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
On 6/11/2009, Michal Szymanski (msz@astrouw.edu.pl) wrote:
(after a server upgrade I decided to change my sendmail/popper conf to something more modern :)
Then why install a version that is well over a year old?
1.1.16 is the current stable version, but 1.2 is at rc5 stage and release is imminent... I'd start with that.
--
Best regards,
Charles
On Thu, Jun 11, 2009 at 06:27:23AM -0400, Charles Marcus wrote:
Well, that was what the repositories for my CentOS 5.3 (Final) were offering. I found the 1.1.16 RPM in atrpms (advertised as "testing package" - strangely enough as it is "stable" for RHEL/CentOS 4) so I upgraded but it did not help. I am not sure, however, if the settings for "auth default" are now compatible with the (apparently new) way the authentication is done now (auth, auth-worker).
The current 'dovecot -n' output below.
regards, Michal.
1.1.16: /etc/dovecot.conf
OS: Linux 2.6.18-128.1.6.el5 x86_64 CentOS release 5.3 (Final)
ssl_cert_file: /etc/pki/dovecot/certs/sirius.pem
ssl_key_file: /etc/pki/dovecot/private/sirius.key
login_dir: /var/run/dovecot/login
login_executable(default): /usr/libexec/dovecot/imap-login
login_executable(imap): /usr/libexec/dovecot/imap-login
login_executable(pop3): /usr/libexec/dovecot/pop3-login
mail_location: mbox:~/Mail:INBOX=/var/spool/mail/%u
mmap_disable: yes
mail_executable(default): /usr/libexec/dovecot/imap
mail_executable(imap): /usr/libexec/dovecot/imap
mail_executable(pop3): /usr/libexec/dovecot/pop3
mail_plugin_dir(default): /usr/lib64/dovecot/imap
mail_plugin_dir(imap): /usr/lib64/dovecot/imap
mail_plugin_dir(pop3): /usr/lib64/dovecot/pop3
imap_client_workarounds(default): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(imap): delay-newmail outlook-idle netscape-eoh
imap_client_workarounds(pop3):
pop3_client_workarounds(default):
pop3_client_workarounds(imap):
pop3_client_workarounds(pop3): outlook-no-nuls oe-ns-eoh
auth default:
  mechanisms: plain login
  debug: yes
  passdb:
    driver: pam
  userdb:
    driver: passwd
  socket:
    type: listen
    client:
      path: /var/spool/postfix/private/auth
      mode: 432
      user: postfix
      group: postfix
On Thu, Jun 11, 2009 at 5:02 AM, Michal Szymanski<msz@astrouw.edu.pl> wrote:
This looks as if you didn't enable SSL wrappermode in postfix's master.cf for port 465.
In postfix master.cf, make sure the section for port 465/smtps contains -o smtpd_tls_wrappermode=yes
With a modern email client like TBird, it's generally preferred to use STARTTLS (that's the TLS button in TBird) on the "submission" port 587.
-- Noel Jones
I don't see any references to tls in your postconf -n output. Has postfix been built with openssl?
I guess so. 'ldd /usr/sbin/postfix' gives, among others:
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002b71e8eea000)
libssl.so.6 => /lib64/libssl.so.6 (0x00002b71e9103000)
I did not put any 'tls' options into main.cf (nor the -o smtpd_tls_wrappermode option in master.cf) as the postfix/dovecot/SASL howto on dovecot's wiki does not mention it at all. So I thought that TLS is not required to make SASL authentication. Am I wrong?
I have actually enabled the smtpd_tls_wrappermode option for a while while trying to make it work but it resulted in immediate postfix failure (probably this would require other tls options enabled, too), so I backed off.
I have the SMTP outgoing server in T'bird set to SSL which makes the default port 465 to be used. When I change this to TLS, the default seems to be the "plain" port #25.
Also, postfix 2.3 is quite old, for a new installation consider a more recent version.
Well, that may be worth trying but I guess (as it has already happened with dovecot update from 1.0.6 to 1.1.16 version) that, although it may be a good idea in general, it will not help with my current problem. I think that properly configured postfix/dovecot (in versions generally available for RHEL/CentOS 5.3) should work with authentication.
regards, Michal.
-- Michal Szymanski (msz at astrouw dot edu dot pl) Warsaw University Observatory, Warszawa, POLAND
On Thu, Jun 11, 2009 at 10:36 AM, Michal Szymanski<msz@astrouw.edu.pl> wrote:
TLS is not required for SASL, but is highly recommended to protect plain-text credentials from eavesdroppers.
At any rate, don't configure TBird to submit mail to postfix via TLS/SSL unless you enable TLS/SSL in postfix.
For easy setup of postfix TLS, see http://www.postfix.org/TLS_README.html#quick-start (but be sure to read the whole document, not just the quick-start section).
-- Noel Jones
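An added example (not part of the thread, and not Postfix or Dovecot code): a small Python audit for the two misconfigurations Noel's replies point to, SASL enabled with no TLS set up in main.cf, and an smtps service in master.cf without smtpd_tls_wrappermode=yes. Only the smtpd_sasl_* lines come from the posted postconf -n output; the master.cf text, the corrected settings and the certificate paths are constructed placeholders.

```python
import re

def parse_postconf(text):
    """Parse `postconf -n` output ("name = value" per line) into a dict."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {name.strip(): value.strip() for name, sep, value in pairs if sep}

def master_overrides(text):
    """Map each master.cf service to its -o overrides (continuation lines joined)."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # unindented line starts a new service
            current = services.setdefault(line.split()[0], [])
        if current is not None:
            current += re.findall(r"-o\s+(\S+)", line)
    return services

def audit(postconf_text, master_text):
    """Return findings for SASL-without-TLS and smtps-without-wrappermode."""
    params, findings = parse_postconf(postconf_text), []
    if params.get("smtpd_sasl_auth_enable") == "yes":
        if "smtpd_tls_cert_file" not in params:   # only the RSA cert parameter is checked
            findings.append("no-tls: SASL is enabled but smtpd has no TLS certificate")
        if params.get("smtpd_tls_auth_only") != "yes":
            findings.append("cleartext-auth: AUTH is accepted on unencrypted sessions")
    smtps = master_overrides(master_text).get("smtps")
    if smtps is not None and "smtpd_tls_wrappermode=yes" not in smtps:
        findings.append("smtps-no-wrappermode: port 465 clients stall waiting for TLS")
    return findings

# SASL lines copied from the `postconf -n` output posted in the thread.
POSTED = ("smtpd_sasl_auth_enable = yes\nsmtpd_sasl_path = private/auth\n"
          "smtpd_sasl_security_options = noanonymous\nsmtpd_sasl_type = dovecot\n")
# Constructed master.cf: smtps uncommented with no overrides, as the post describes.
MASTER_BEFORE = "smtp  inet  n  -  n  -  -  smtpd\nsmtps inet  n  -  n  -  -  smtpd\n"
# Constructed corrected settings; the certificate and key paths are placeholders.
FIXED = POSTED + ("smtpd_tls_cert_file = /etc/postfix/PLACEHOLDER-cert.pem\n"
                  "smtpd_tls_key_file = /etc/postfix/PLACEHOLDER-key.pem\n"
                  "smtpd_tls_security_level = may\nsmtpd_tls_auth_only = yes\n")
MASTER_AFTER = MASTER_BEFORE + "  -o smtpd_tls_wrappermode=yes\n"

if __name__ == "__main__":
    for label, pc, mc in (("before", POSTED, MASTER_BEFORE), ("after", FIXED, MASTER_AFTER)):
        print(label, audit(pc, mc) or "no findings")
```

Because postconf -n lists only non-default settings, a missing smtpd_tls_auth_only line is treated as the default "no".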
On Thu, Jun 11, 2009 at 12:48:29PM -0500, Noel Jones wrote:
Thanks a lot! It has worked, finally!
Maybe it would be worth adding to that Postfix/Dovecot/SASL HowTo that apart from the configuration changes it lists, one has to configure Postfix to accept authenticated connections. It would save newbies like me many headaches.
regards, Michal.
-- Michal Szymanski (msz at astrouw dot edu dot pl) Warsaw University Observatory, Warszawa, POLAND
participants (3): Charles Marcus, Michal Szymanski, Noel Jones