SMTP authentication issue with Outlook 2007

SMTP authentication issue with Outlook 2007

Henrik Larsson-2
Hi All

I'm a little confused here, and I'm not sure if this is a postfix, SASL
or just a Microsoft compatibility issue.

I got SMTP authentication working for all my users, even the latest
Outlook 2007 user. The problem is that every time the Outlook 2007 user
authenticates, I see this message in the log:
May 23 00:28:45 web02 postfix/smtpd[31767]: connect from
79.138.250.228.bredband.3.dk[79.138.250.228]
May 23 00:28:47 web02 postfix/smtpd[31767]: warning: SASL authentication
failure: realm changed: authentication aborted
May 23 00:28:47 web02 postfix/smtpd[31767]: warning:
79.138.250.228.bredband.3.dk[79.138.250.228]: SASL DIGEST-MD5
authentication failed: authentication failure
May 23 00:28:47 web02 postfix/smtpd[31767]: B4E662DA668:
client=79.138.250.228.bredband.3.dk[79.138.250.228], sasl_method=LOGIN,
sasl_username=[hidden email]


It seems like the client tries out DIGEST-MD5 first but this fails
because of "realm changed", and then the client falls back to LOGIN with
success. Is there any way to solve this?

Any solution will actually do here, a configuration change for postfix
or SASL or even a solution for Outlook 2007 would do ;o)


Below is output from saslfinger and postfinger for your reference:

# ./saslfinger -s
saslfinger - postfix Cyrus sasl configuration Fri 23 May 2008 20:30:59 CEST
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.5.1
System: FreeBSD 6.3-STABLE (WEB02) #0: Thu Apr 24 11:10:47 CEST 2008


-- smtpd is linked to --
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x28352000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/mail.larsson.it.crt
smtpd_tls_key_file = /etc/ssl/mail.larsson.it.key
smtpd_tls_loglevel = 0
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes


-- listing of /usr/local/lib/sasl2 --
total 822
drwxr-xr-x   2 root  wheel   1024 14 nov  2007 .
drwxr-xr-x  14 root  wheel   4096 21 apr 10:53 ..
-rwxr-xr-x   1 root  wheel    736 14 nov  2007 libanonymous.la
-rwxr-xr-x   1 root  wheel  44655 14 nov  2007 libanonymous.so
-rwxr-xr-x   1 root  wheel  44655 14 nov  2007 libanonymous.so.2
-rwxr-xr-x   1 root  wheel    724 14 nov  2007 libcrammd5.la
-rwxr-xr-x   1 root  wheel  49216 14 nov  2007 libcrammd5.so
-rwxr-xr-x   1 root  wheel  49216 14 nov  2007 libcrammd5.so.2
-rwxr-xr-x   1 root  wheel    745 14 nov  2007 libdigestmd5.la
-rwxr-xr-x   1 root  wheel  95905 14 nov  2007 libdigestmd5.so
-rwxr-xr-x   1 root  wheel  95905 14 nov  2007 libdigestmd5.so.2
-rwxr-xr-x   1 root  wheel    712 14 nov  2007 liblogin.la
-rwxr-xr-x   1 root  wheel  45946 14 nov  2007 liblogin.so
-rwxr-xr-x   1 root  wheel  45946 14 nov  2007 liblogin.so.2
-rwxr-xr-x   1 root  wheel    712 14 nov  2007 libplain.la
-rwxr-xr-x   1 root  wheel  45240 14 nov  2007 libplain.so
-rwxr-xr-x   1 root  wheel  45240 14 nov  2007 libplain.so.2
-rwxr-xr-x   1 root  wheel    732 14 nov  2007 libsasldb.la
-rwxr-xr-x   1 root  wheel  57521 14 nov  2007 libsasldb.so
-rwxr-xr-x   1 root  wheel  57521 14 nov  2007 libsasldb.so.2
-rwxr-xr-x   1 root  wheel    744 14 nov  2007 libsql.la
-rwxr-xr-x   1 root  wheel  61509 14 nov  2007 libsql.so
-rwxr-xr-x   1 root  wheel  61509 14 nov  2007 libsql.so.2
-rw-rw----   1 root  wheel    258 14 dec 14:55 smtpd.conf




-- content of /usr/local/lib/sasl2/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sql
log_level: 0

sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_hostnames: localhost
sql_database: mail
sql_select: select clearpass from mailbox where user = '%u@%r' and login = 1 and disablesmtp != 1
sql_verbose: 0



-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
127.0.0.1:10025 inet n  -       n       -       -       smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o local_header_rewrite_clients=
amavis-lmtp    unix  -  -       n        -      2       lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
proxywrite unix -       -       n       -       1       proxymap

-- mechanisms on localhost --
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5


-- end of saslfinger output --



# postfinger
postfinger - postfix configuration on Fri May 23 21:06:29 CEST 2008
version: 1.30

Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public.  If this is the case it is your responsibility to modify
the output to hide this private information.  [Remove this warning with
the --nowarn option.]

--System Parameters--
mail_version = 2.5.1
hostname = web02.larsson.it
uname = FreeBSD web02.larsson.it 6.3-STABLE FreeBSD 6.3-STABLE #0: Thu Apr 24 11:10:47 CEST 2008 [hidden email]:/usr/obj/usr/src/sys/WEB02 i386

--Packaging information--
looks like this postfix comes from BSD package:

--main.cf non-default parameters--
biff = no
broken_sasl_auth_clients = yes
content_filter = amavis-lmtp:[127.0.0.1]:10024
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/checks_header.regexp
mailq_path = /usr/libexec/postfix/mailq
message_size_limit = 25600000
mydestination = web02.larsson.it
myhostname = mail.larsson.it
mynetworks = 127.0.0.0/8
myorigin = web02.larsson.it
newaliases_path = /usr/libexec/postfix/newaliases
notify_classes = bounce, 2bounce, delay, resource, software
owner_request_special = no
parent_domain_matches_subdomains =
proxy_interfaces = 213.185.13.10
queue_directory = /home/mail/postfix
readme_directory = /etc/postfix/readme
recipient_delimiter = +
sample_directory = /etc/postfix/sample
sendmail_path = /usr/libexec/postfix/sendmail
show_user_unknown_table_name = no
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access mysql:/etc/postfix/access_client.mysql
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_helo_access mysql:/etc/postfix/access_helo.mysql
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_pipelining, check_recipient_access mysql:/etc/postfix/access_recipient.mysql, check_recipient_access mysql:/etc/postfix/access_aliases.mysql, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access mysql:/etc/postfix/access_sender.mysql, check_sender_access regexp:/etc/postfix/access_sender.regexp
smtpd_soft_error_limit = 2
smtpd_tls_cert_file = /etc/ssl/mail.larsson.it.crt
smtpd_tls_key_file = /etc/ssl/mail.larsson.it.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_exchange_name = /var/lib/postfix/prng_exch
transport_maps = mysql:/etc/postfix/maps_transport.mysql
virtual_alias_maps = mysql:/etc/postfix/maps_aliases.mysql
virtual_gid_maps = mysql:/etc/postfix/maps_virtualid.mysql
virtual_mailbox_base = /
virtual_mailbox_maps = mysql:/etc/postfix/maps_mailbox.mysql
virtual_uid_maps = mysql:/etc/postfix/maps_virtualid.mysql

--master.cf--
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
127.0.0.1:10025 inet n  -       n       -       -       smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o local_header_rewrite_clients=
amavis-lmtp    unix  -  -       n        -      2       lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
proxywrite unix -       -       n       -       1       proxymap

-- end of postfinger output --


Best regards
Henrik

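To make the "realm changed" line in the log above concrete, here is a DIGEST-MD5 (RFC 2831) round trip in Python showing where the realm enters the computation. This is an added illustration, not code from the thread, from Outlook or from Cyrus SASL; the host name, user, password, nonces and the in-memory credential store are constructed. The point it demonstrates: the realm is hashed into the shared-secret value together with the password, so a server that issued one realm cannot verify a response that names another, and a backend keyed on user@realm (as the sql_select above is) only has a secret for the realm it knows.

```python
"""DIGEST-MD5 (RFC 2831) round trip showing where the realm enters the
computation.  Added illustration, not code from the thread or from Cyrus
SASL; host name, user, password, nonces and SECRETS are constructed."""
import base64
import hashlib
import re

# Constructed credential store keyed the way the thread's sql_select is:
# one secret per (user, realm).
SECRETS = {("henrik", "mail.example.net"): "s3cret"}


def lookup_password(user: str, realm: str):
    return SECRETS.get((user, realm))


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_fields(blob_b64: str) -> dict:
    # Challenges and responses are comma-separated key=value pairs; values
    # may be quoted.  Quotes are stripped here.
    text = base64.b64decode(blob_b64).decode()
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|[^,]*)', text)}


def server_challenge(realm: str, nonce: str) -> str:
    # The server names the realm it will verify against (Cyrus SASL uses
    # the server host name unless told otherwise); the client must echo it.
    fields = (f'realm="{realm}",nonce="{nonce}",qop="auth",'
              f'charset=utf-8,algorithm=md5-sess')
    return base64.b64encode(fields.encode()).decode()


def digest_response(user, realm, password, nonce, cnonce, digest_uri,
                    nc="00000001", qop="auth") -> str:
    # RFC 2831 section 2.1.2.1, algorithm=md5-sess.  The realm is hashed
    # into A1 together with the password, so the stored or derived secret
    # is only valid for one realm string.
    h_user = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
    a1 = h_user + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return md5_hex(f"{md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(a2)}".encode())


def client_response(user, realm, password, challenge_b64, cnonce, host) -> str:
    # The client decides which realm to answer with.  A well-behaved client
    # copies the one from the challenge; a client that substitutes its own
    # produces the failure seen in the thread's log.
    ch = parse_fields(challenge_b64)
    uri = f"smtp/{host}"
    resp = digest_response(user, realm, password, ch["nonce"], cnonce, uri)
    fields = (f'username="{user}",realm="{realm}",nonce="{ch["nonce"]}",'
              f'cnonce="{cnonce}",nc=00000001,qop=auth,digest-uri="{uri}",'
              f'response={resp},charset=utf-8')
    return base64.b64encode(fields.encode()).decode()


def server_verify(response_b64: str, offered_realm: str):
    r = parse_fields(response_b64)
    if r.get("realm") != offered_realm:
        # The condition behind "realm changed: authentication aborted":
        # the client named a realm the server never offered and has no
        # secret for.
        return False, "realm changed"
    password = lookup_password(r["username"], r["realm"])
    if password is None:
        return False, "no such user"
    expected = digest_response(r["username"], r["realm"], password,
                               r["nonce"], r["cnonce"], r["digest-uri"],
                               r["nc"], r["qop"])
    if expected != r["response"]:
        return False, "bad response"
    return True, "ok"


if __name__ == "__main__":
    ch = server_challenge("mail.example.net", "n0nce")
    for realm in ("mail.example.net", "example.com"):
        resp = client_response("henrik", realm, "s3cret", ch, "cn0nce", "mail.example.net")
        print(realm, server_verify(resp, "mail.example.net"))
```

Run it and the second line prints `(False, 'realm changed')` even though the user and password are right: nothing about the password was checked, the realm mismatch alone aborts the exchange. That is why a client that then retries with LOGIN succeeds, since LOGIN carries no realm and the backend lookup uses whatever default realm Postfix supplies.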

Re: SMTP authentication issue with Outlook 2007

Brian Evans - Postfix List
Henrik Larsson wrote:

> Hi All
>
> I'm a little confused here, and I'm not sure if this is a postfix, SASL
> or just a Microsoft compatibility issue.
>
> I got SMTP authentication working for all my users, even the latest
> Outlook 2007 user. The problem is that every time the Outlook 2007 user
> authenticates, I see this message in the log:
> May 23 00:28:45 web02 postfix/smtpd[31767]: connect from
> 79.138.250.228.bredband.3.dk[79.138.250.228]
> May 23 00:28:47 web02 postfix/smtpd[31767]: warning: SASL authentication
> failure: realm changed: authentication aborted
> May 23 00:28:47 web02 postfix/smtpd[31767]: warning:
> 79.138.250.228.bredband.3.dk[79.138.250.228]: SASL DIGEST-MD5
> authentication failed: authentication failure
> May 23 00:28:47 web02 postfix/smtpd[31767]: B4E662DA668:
> client=79.138.250.228.bredband.3.dk[79.138.250.228], sasl_method=LOGIN,
> sasl_username=[hidden email]
>
>
> It seems like the client tries out DIGEST-MD5 first but this failes
> because of "realm changed", and then the client falls back to LOGIN with
> success. Is there any way to solve this?
It's commonly noted that DIGEST-MD5 should not be offered in a mech list
for general purpose unless you specifically implement it.
(Usually for LDAP lookups, but there are probably other cases.)
Try limiting your mechs to "plain login" as the documentation says.

Brian


Re: SMTP authentication issue with Outlook 2007

Jorey Bump
Brian Evans wrote, at 05/23/2008 04:07 PM:
> Henrik Larsson wrote:
>>
>> It seems like the client tries out DIGEST-MD5 first but this failes
>> because of "realm changed", and then the client falls back to LOGIN with
>> success. Is there any way to solve this?
> It's commonly noted that DIGEST-MD5 should not be offered in a mech list
> for general purpose unless you specifically implement it.
> (Usually for LDAP lookups, but there are probably other cases.)
> Try limiting your mechs to "plain login" as the documentation says.

You can do this by adding the following to smtpd.conf:

mech_list: PLAIN LOGIN

>> -- content of /usr/local/lib/sasl2/smtpd.conf --
>> pwcheck_method: auxprop
>> auxprop_plugin: sql
>> log_level: 0
>>
>> sql_user: --- replaced ---
>> sql_passwd: --- replaced ---
>> sql_hostnames: localhost
>> sql_database: mail
>> sql_select: select clearpass from mailbox where user = '%u@%r' and login = 1 and disablesmtp != 1
>> sql_verbose: 0

Without specifying a mech_list, I believe the default behaviour is to
offer whatever SASL mechanisms you have installed:

>> -- mechanisms on localhost --
>> 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
>> 250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5

Ignore any bad advice you encounter suggesting that you delete the
unwanted mechanism files. This is unnecessary when you can specify what
you want to use in mech_list.

Or are you looking for a solution that allows you to support DIGEST-MD5?


Re: SMTP authentication issue with Outlook 2007

Henrik Larsson-2

> You can do this by adding the following to smtpd.conf:
>
> mech_list: PLAIN LOGIN

This is working, thank you :o)


> Or are you looking for a solution that allows you to support DIGEST-MD5?

Not in the first place, but now you mention it, could you tell me if it
would be a good idea to support DIGEST-MD5, and point me in direction of
a solution?


Best regards
Henrik


Re: SMTP authentication issue with Outlook 2007

Jorey Bump
Henrik Larsson wrote, at 05/23/2008 04:42 PM:

>
>> You can do this by adding the following to smtpd.conf:
>>
>> mech_list: PLAIN LOGIN
>
> This is working, thank you :o)
>
>
>> Or are you looking for a solution that allows you to support DIGEST-MD5?
>
> Not in the first place, but now you mention it, could you tell me if it
> would be a good idea to support DIGEST-MD5, and point me in direction of
> a solution?

There are two advantages to offering CRAM-MD5 and DIGEST-MD5 in addition
to PLAIN & LOGIN:

1. Some rare clients can use CRAM-MD5 and DIGEST-MD5 but cannot use TLS.
   This will at least allow more secure logins, if not entire message
   encryption.

2. Offering multiple authentication mechanisms can reduce support needs
for click-happy users or self-configuring clients. For the former, they
are bound to hit a working configuration, and the latter are more likely
to choose the most secure mechanism before falling back to a less secure
one (as you saw with Outlook).

Your settings for submission and smtps look good in master.cf. But if
you plan on allowing submission via port 25 (smtp), you should harden
things a bit to prevent your users from authenticating with PLAIN or
LOGIN on unencrypted connections. Replace your existing setting with
this in main.cf:

smtpd_sasl_security_options = noanonymous, noplaintext

and add this:

smtpd_sasl_tls_security_options = noanonymous

This is usually enough to support most clients. You obviously have the
other mechanisms installed, but are unable to take advantage of them
with your current configuration. Since I don't use the sql plugin, I can't
offer much advice. However, I use sasldb2 for my backend and all logins
share the same realm, regardless of the user's virtual domain. This
means my users have unique logins using a bare username, not
username@realm. In main.cf I have set the default realm:

smtpd_sasl_local_domain = mail.example.net

This causes postfix to pass [hidden email] to my sasldb2
backend. If you are attempting a similar approach, you may only need to
add this directive with your default realm to get your backend to work.
But I don't use the sql plugin, and you're already having success with
PLAIN & LOGIN, so YMMV. Your setup might not allow shared secret mechanisms.