no sasl listener on 587 clients can't send mail


fugeeohu
I can't get postfix to listen on 587 so clients can't send mail

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

#smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_banner=$myhostname ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
delay_warning_time=3h

readme_directory = no

# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_cert_file=/home/user-data/ssl/ssl_certificate.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_key_file=/home/user-data/ssl/ssl_private_key.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
myhostname = mail.servicemouse.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtp_bind_address=45.79.79.188
smtp_bind_address6=2600:3c01::f03c:91ff:fe3e:9c37
maximal_queue_lifetime=2d
bounce_queue_lifetime=1d
smtpd_tls_security_level=encrypt
smtpd_tls_auth_only=yes
smtpd_tls_dh1024_param_file=/home/user-data/ssl/dh2048.pem
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_ciphers=medium
smtpd_tls_exclude_ciphers=aNULL,RC4
smtpd_tls_received_header=yes
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_ciphers=medium
smtp_tls_exclude_ciphers=aNULL,RC4
smtp_tls_security_level=may
smtp_dns_support_level=dnssec
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel=2
virtual_transport=lmtp:[127.0.0.1]:10025
smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org,reject_unlisted_recipient,check_policy_service inet:127.0.0.1:10023
message_size_limit=134217728
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
smtpd_sasl_auth_enable=yes
smtpd_sender_login_maps=sqlite:/etc/postfix/sender-login-maps.cf
virtual_alias_domains = somedomain.com, someotherdomain.com
#virtual_mailbox_maps=sqlite:/etc/postfix/virtual-mailbox-maps.cf
virtual_alias_maps=hash:/etc/postfix/virtual
local_recipient_maps=$virtual_mailbox_maps
smtpd_milters=inet:127.0.0.1:8891 inet:127.0.0.1:8893
non_smtpd_milters=$smtpd_milters
milter_default_action=accept

home_mailbox = Maildir/


# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_milters=inet:127.0.0.1:8891
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ciphers=high
  -o smtpd_tls_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  -o cleanup_service_name=authclean
# -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_path=private/auth
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

authclean unix  n       -       -       -       0       cleanup
          -o header_checks=pcre:/etc/postfix/outgoing_mail_header_filters
          -o nested_header_checks=


Re: no sasl listener on 587 clients can't send mail

Wietse Venema
fugeeohu:
> I can't get postfix to listen on 587 so clients can't send mail

Look in your LOGS.
http://www.postfix.org/DEBUG_README.html#logging

        Wietse

Re: no sasl listener on 587 clients can't send mail

fugeeohu
The log only says timeout after connect from <remote>

On Sun, Jul 30, 2017 at 10:34 AM, Wietse Venema [via Postfix]
<[hidden email]> wrote:

> fugeeohu:
>> I can't get postfix to listen on 587 so clients can't send mail
>
> Look in your LOGS.
> http://www.postfix.org/DEBUG_README.html#logging
>
>         Wietse

Re: no sasl listener on 587 clients can't send mail

Wietse Venema
fugeeohu:
> The log only says timeout after connect from <remote>

Although the actual logging details may make no sense to you, they
make all the difference for people trying to help.

        Wietse

Re: no sasl listener on 587 clients can't send mail

fugeeohu
Jul 30 11:32:13 mail postfix/submission/smtpd[5039]: connect from msg.sys5.org[5.45.103.173]
Jul 30 11:32:13 mail dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Jul 30 11:32:13 mail dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Jul 30 11:32:13 mail dovecot: auth: Debug: auth client connected (pid=0)
Jul 30 11:32:32 mail postfix/submission/smtpd[5039]: lost connection after EHLO from msg.sys5.org[5.45.103.173]
Jul 30 11:32:32 mail postfix/submission/smtpd[5039]: disconnect from msg.sys5.org[5.45.103.173]

Re: no sasl listener on 587 clients can't send mail

Wietse Venema
fugeeohu:

> Jul 30 11:32:13 mail postfix/submission/smtpd[5039]: connect from
> msg.sys5.org[5.45.103.173]
> Jul 30 11:32:13 mail dovecot: auth: Debug: Loading modules from directory:
> /usr/lib/dovecot/modules/auth
> Jul 30 11:32:13 mail dovecot: auth: Debug: Read auth token secret from
> /var/run/dovecot/auth-token-secret.dat
> Jul 30 11:32:13 mail dovecot: auth: Debug: auth client connected (pid=0)
> Jul 30 11:32:32 mail postfix/submission/smtpd[5039]: lost connection after
> EHLO from msg.sys5.org[5.45.103.173]
> Jul 30 11:32:32 mail postfix/submission/smtpd[5039]: disconnect from
> msg.sys5.org[5.45.103.173]

The client connects, sends an EHLO command, and goes away without
sending any other command.

Try:

1) Execute shell command: telnet address-of-server 587

2) Wait for the '220' server greeting

3) Send SMTP command: ehlo whatever

And report the response to the ehlo command.

        Wietse

Re: no sasl listener on 587 clients can't send mail

fugeeohu
hlo whatever
250-mail.whatever.com
250-PIPELINING
250-SIZE 134217728
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


Re: no sasl listener on 587 clients can't send mail

/dev/rob0
On Sun, Jul 30, 2017 at 02:17:15PM -0700, fugeeohu wrote:
> hlo whatever
> 250-mail.whatever.com
> 250-PIPELINING
> 250-SIZE 134217728
> 250-VRFY
> 250-ETRN
> 250-STARTTLS

And found in your OP:

>> smtpd_tls_auth_only=yes

See http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
and "man s_client".

> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN

--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: no sasl listener on 587 clients can't send mail

Wietse Venema
/dev/rob0:

> On Sun, Jul 30, 2017 at 02:17:15PM -0700, fugeeohu wrote:
> > hlo whatever
> > 250-mail.whatever.com
> > 250-PIPELINING
> > 250-SIZE 134217728
> > 250-VRFY
> > 250-ETRN
> > 250-STARTTLS
>
> And found in your OP:
>
> >> smtpd_tls_auth_only=yes
>
> See http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
> and "man s_client".
>
> > 250-ENHANCEDSTATUSCODES
> > 250-8BITMIME
> > 250 DSN

Yes, looks like his client wants to use SASL AUTH (or at least
see the AUTH server announcement) before sending STARTTLS.

        Wietse
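
The telnet test earlier in the thread stops at the cleartext EHLO, where a server running with smtpd_tls_auth_only=yes announces STARTTLS but no AUTH. The Python below is an added example, not code from any poster or from Postfix: it classifies the EHLO replies seen before and after STARTTLS. The probe() helper, the result labels and the post-STARTTLS sample reply are assumptions made for illustration.

```python
import smtplib
import ssl

# Cleartext EHLO reply as pasted in the thread; the post-STARTTLS reply is
# constructed for this example (the thread never shows one).
PRE_TLS = """250-mail.whatever.com
250-PIPELINING
250-SIZE 134217728
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
POST_TLS = PRE_TLS.replace("250-STARTTLS", "250-AUTH PLAIN LOGIN")

def ehlo_keywords(transcript):
    """Extension keywords from a pasted EHLO reply (first 250 line is the hostname)."""
    lines = [l.strip() for l in transcript.splitlines()]
    replies = [l for l in lines if l[:4] in ("250-", "250 ")]
    return {l[4:].split()[0].upper() for l in replies[1:] if l[4:].strip()}

def classify(pre, post):
    """Say where AUTH is announced, given keyword sets seen before and after STARTTLS."""
    if "AUTH" in pre:
        return "auth-in-cleartext"      # credentials could be sent unencrypted
    if "STARTTLS" not in pre:
        return "no-starttls-no-auth"    # nothing a client can do to log in
    if "AUTH" in post:
        return "auth-after-starttls"    # what smtpd_tls_auth_only=yes produces
    return "no-auth-after-starttls"     # TLS works; look at the SASL side instead

def probe(host, port=587, timeout=10):
    """Live version of the telnet test, continued through STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = {k.upper() for k in s.esmtp_features}
        post = set()
        if "STARTTLS" in pre:
            # The default context verifies the certificate and hostname.
            s.starttls(context=ssl.create_default_context())
            s.ehlo()
            post = {k.upper() for k in s.esmtp_features}
    return classify(pre, post)

if __name__ == "__main__":
    print(classify(ehlo_keywords(PRE_TLS), ehlo_keywords(POST_TLS)))
```

A result of auth-after-starttls means the server is behaving as configured and the mail client has to be set to use STARTTLS on port 587 before it authenticates.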

Re: no sasl listener on 587 clients can't send mail

fugeeohu
In reply to this post by /dev/rob0
What's wrong with smtpd_tls_auth_only=yes? I see the default is no. The explanation is that it refuses to accept sasl authentication over an insecure connection. I dunno what that means. I thought sasl makes an insecure connection secure, but I could care less. The default is no, but the "Mail-In-a-Box" installer must have set this to yes. Set it back to no? Please explain.

Re: no sasl listener on 587 clients can't send mail

Wietse Venema
fugeeohu:
> What's wrong smtpd_tls_auth_only=yes I see the default is no The explanation
> is that it refuses to accept sasl authentication over an insecure connection
> I dunno what means I thought sasl makes an insecure connection secure but I
> could care less The default is no but "Mail-In-a-Box" installer must have
> set this to yes Set it back to no? Please explain

This setting is the probable cause why some client cannot use SASL.

        Wietse

Re: no sasl listener on 587 clients can't send mail

Matus UHLAR - fantomas
In reply to this post by fugeeohu
On 30.07.17 15:17, fugeeohu wrote:
>What's wrong smtpd_tls_auth_only=yes I see the default is no The explanation
>is that it refuses to accept sasl authentication over an insecure connection
>I dunno what means I thought sasl makes an insecure connection secure but I

SASL is just an authentication layer. SSL makes the connection secure (or at
least "secure").

>could care less The default is no but "Mail-In-a-Box" installer must have
>set this to yes Set it back to no? Please explain

Force your clients to use SSL.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.

Re: no sasl listener on 587 clients can't send mail

Bastian Blank-3
In reply to this post by Wietse Venema
On Mon, Jul 31, 2017 at 04:46:36AM -0700, fugeeohu wrote:
> I had to remove permit_sasl_authenticated from smtpd_sender_restrictions
> The new error is 4.3.0 Error: queue file write error

Who told you that you are not allowed to look into the logs?

There will be some more information.

Bastian

--
        "Get back to your stations!"
        "We're beaming down to the planet, sir."
                -- Kirk and Mr. Leslie, "This Side of Paradise",
                   stardate 3417.3