tarballed
August 22nd, 2003, 14:07
Morning everyone...

Well, I won't even begin to tell you the complexities I have experienced recently with postfix and Red Hat. All I can say is that I'm tired of Red Hat...really makes life difficult.

In a nutshell, I had to redo my entire postfix install and setup because RH 9.0 decided they were going to change where certain libraries are, which screws up my need for SMTP AUTH...

This is what I did:
Downloaded the source from postfix
untarred it into a directory
removed my old postfix (Kept config files)
make (added some features for libssl support)
make upgrade

Everything appeared to go well. I was able to start it up and it showed that postfix was running.

However, when I telnet to localhost 25, it's not doing what it used to:

[code]
[root@corpmail postfix]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
[/code]

I can't throw commands at it like ehlo or whatnot, and something is missing. I know it has to be small and a quick change, but I can't figure it out...
Being that I have been up for almost 26 hours probably does not help, but I need to get this setup done ASAP...

Anyone have any ideas what I'm missing?

Thanks.

Tarballed

tarballed
August 22nd, 2003, 14:31
Never mind...it's working now. :)

Tarballed

tarballed
August 22nd, 2003, 15:33
Anyone here pretty familiar with SASL on postfix?

I keep getting this error when I'm sending email and I can't figure out wtf the problem is:

[code]
Aug 22 11:36:16 corpmail postfix/smtpd[10685]: connect from jwilliams[192.168.1.90]
Aug 22 11:36:16 corpmail postfix/smtpd[10685]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 22 11:36:16 corpmail postfix/smtpd[10685]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 22 11:36:16 corpmail postfix/smtpd[10685]: warning: SASL authentication failure: no secret in database
Aug 22 11:36:16 corpmail postfix/smtpd[10685]: warning: jwilliams[192.168.1.90]: SASL CRAM-MD5 authentication failed
[/code]

There is a /etc/sasldb2 with data in it:

[code]
[root@corpmail etc]# sasldblistusers2
jwilliams@corpmail: userPassword
[/code]

This is driving me nuts and I can't figure out what the problem is...

Tarballed

elmore
August 22nd, 2003, 15:40
minion is a sasl expert!

Go on minion show him the way! ;)

tarballed
August 22nd, 2003, 15:51
Ok...just figured out that bastard of a problem. :)

Problem was that the sasldb2 it was referring to was in /etc, which is ok.
BUT, I am running postfix smtp in a chroot jail and the location for that is:

/var/spool/postfix/etc

DOH!

Got that one fixed...still getting a small problem though:

[code]
Aug 22 11:53:28 corpmail postfix/smtpd[10790]: connect from jwilliams[192.168.1.90]
Aug 22 11:53:28 corpmail postfix/smtpd[10790]: warning: SASL authentication failure: no secret in database
Aug 22 11:53:28 corpmail postfix/smtpd[10790]: warning: jwilliams[192.168.1.90]: SASL CRAM-MD5 authentication failed
Aug 22 11:53:29 corpmail postfix/smtpd[10790]: 4E0CE474C3: client=jwilliams[192.168.1.90]
[/code]

Almost there...trying to tame the beast.

Tarballed
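A check for the chroot problem tarballed just ran into, added here as an example and not code from the thread. A chrooted smtpd resolves /etc/sasldb2 and /usr/lib/sasl2/smtpd.conf relative to queue_directory, and the copies in the jail are separate files; the function names and the host-root argument are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. A chrooted Postfix smtpd resolves
# "/etc/sasldb2" to <queue_directory>/etc/sasldb2 and reads smtpd.conf
# from <queue_directory>/usr/lib/sasl2/smtpd.conf (the paths used in this
# thread), so the "No such file or directory" warning above means the jail
# is missing its copies. The copies are separate files: a saslpasswd2 change
# on the host is invisible inside the jail until it is copied in again.
# Assumptions: function names and the <host_root> argument are mine; the
# queue directory defaults to Postfix's /var/spool/postfix.

# sasl_jail_missing <jail_root>
# Prints every SASL file smtpd would fail to open inside the jail, one per
# line; returns 1 if any is missing, 0 if the jail is complete.
sasl_jail_missing() {
    jail=$1; rc=0
    for rel in etc/sasldb2 usr/lib/sasl2/smtpd.conf; do
        if [ ! -f "$jail/$rel" ]; then
            printf '%s\n' "$jail/$rel"
            rc=1
        fi
    done
    return $rc
}

# sasl_jail_sync <host_root> <jail_root>
# Copies the host's sasldb2 and smtpd.conf into the jail. sasldb2 holds the
# shared secrets CRAM-MD5 needs, so it is made mode 0640 (owner and group
# only; on a real host root:postfix, so the smtpd uid can read it).
# Ownership is left to the operator.
sasl_jail_sync() {
    src=$1; jail=$2
    mkdir -p "$jail/etc" "$jail/usr/lib/sasl2"
    cp "$src/etc/sasldb2" "$jail/etc/sasldb2"
    cp "$src/usr/lib/sasl2/smtpd.conf" "$jail/usr/lib/sasl2/smtpd.conf"
    chmod 640 "$jail/etc/sasldb2"
}

# Usage on a real host:  sh check_sasl_jail.sh /var/spool/postfix
if [ -n "$1" ]; then
    sasl_jail_missing "$1" && echo "jail $1 has all SASL files"
fi
```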

soup4you2
August 22nd, 2003, 15:53
It's probably reading the wrong realm; you may need to specify the realm in saslpasswd2 before it will authenticate properly.

Saslpasswd2 -h (maybe) is what you want... create your users per realm; unfortunately SASL uses realms.

|MiNi0n|
August 22nd, 2003, 16:11
gee thx elmore :roll:

sasldb? Ugly! Is this internal or external? What OS?

My guess is you're failing on the CRAM MD5. When you built SASL which encryption options did you enable? CRAM MD5, plain, digest etc? What do your clients support?

As I recall, there are a few other options that can be gotchas, particularly on *BSD. pwcheck is one, the symlink of (I'm guessing here --> elmore would be better able to tell you since he's still got access to the last host I set this up on!) /usr/lib/sasl2 to /usr/local/lib/sasl2, and there is the /usr/lib/sasl/smtpd.conf file as well.

tarballed
August 22nd, 2003, 16:26
[quote]sasldb? Ugly! Is this internal or external? What OS?[/quote]

Yes, I'm wondering now. :)

It's on my internal mail server and it is running, *coughRH9.0cough*...

[quote]My guess is you're failing on the CRAM MD5. When you built SASL which encryption options did you enable? CRAM MD5, plain, digest etc? What do your clients support?[/quote]

I should have all of them installed:

cyrus-sasl-md5-2.1.10-4
cyrus-sasl-plain-2.1.10-4
cyrus-sasl-2.1.10-4
cyrus-sasl-devel-2.1.10-4
cyrus-sasl-gssapi-2.1.10-4

Except maybe CRAM?

Yes, I setup a symlink from /usr/lib/sasl2 to /usr/local/lib/sasl2
as well as setup my smtpd.conf with the following:

pwcheck_method: auxprop

Maybe I should just go with saslauthd? I think I could get that up and running quicker than sasldb2...

Tarballed

|MiNi0n|
August 22nd, 2003, 16:50
You're running it internally? So why use sasldb? Makes for more work on your part. I assume there is a local password file (master.passwd) on the RH box with all your users in it? Then just use pam, it can use the local password file.

soup4you2
August 22nd, 2003, 17:28
These were also based on openbsd

Create a user
[code]
saslpasswd2 -c -f /etc/sasldb.db Foo_Daddy
[/code]

Parts of postfix's main.cf

then in your postfix main.cf

[code]
#TLS
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/post.pem
smtpd_tls_cert_file = /etc/postfix/ssl/post.pem
smtpd_tls_CAfile = /etc/postfix/ssl/post.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

enable_sasl_authentication = yes

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
[/code]

and add this in your recipient restrictions
[code]
permit_sasl_authenticated,
[/code]

Create postfix SSL Stuff
[code]
mkdir /usr/local/etc/postfix/ssl
chmod 700 /usr/local/etc/postfix/ssl
[/code]

Make your SSL Certs

then cd into that dir..

now make a file called pst.cnf

[code]
RANDFILE = /etc/postfix/ssl/post.rand

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=countryName Two letters!
ST=stateOrProvinceName
L=localityName
O=organizationName
OU=OrganizationalUnitName
CN=commonName
emailAddress=emailAddress

[ cert_type ]
nsCertType = server
[/code]

[code]
dd if=/dev/urandom of=/etc/postfix/ssl/post.rand count=1 2>/dev/null
/usr/sbin/openssl req -new -x509 -days 365 -nodes \
-config /etc/postfix/ssl/pst.cnf -out /etc/postfix/ssl/post.pem \
-keyout /etc/postfix/ssl/post.pem

/usr/sbin/openssl gendh -rand /etc/postfix/ssl/post.rand 512 \
>>/etc/postfix/ssl/post.pem

/usr/sbin/openssl x509 -subject -dates -fingerprint -noout -in \
/etc/postfix/ssl/post.pem
[/code]


now cd to /usr/lib/sasl2
vi smtpd.conf

[code]
pwcheck_method: saslauthd
mech_list: plain login
[/code]

(Start the daemon - I'm using the getpwent auth mechanism)
saslauthd -a getpwent


BTW, I absolutely love that sig minion

I was going to make an amendment to my howto about this... but some people could not wait... joking..

soup4you2
August 25th, 2003, 09:21
so did you get this working?

tarballed
August 25th, 2003, 13:21
Just came back from a long weekend. (much needed)

Starting up on it today.

The problem I think I'm running into here is Red Hat 9.0. It is all screwed up really. I think I'm going to have to reinstall with Red Hat 7.3 as it is the more stable release at this time...

Tarballed

soup4you2
August 25th, 2003, 13:27
any particular reason why you're using red crap?

tarballed
August 25th, 2003, 13:48
At this point, it is up to management. I've tried and tried to convince them to let me use something else. So far, no dice.

I even asked if I could put up the server using Slackware or Debian, but they want to stick with Red Hat, because Red Hat is the 'market winner' right now...

I know it's frustrating, but at least they allowed me to put up an OpenBSD box...I think this could be the start that I need. Once I can get one or two *BSD boxes up, show them the difference, that could be the start I need...

Tarballed

tarballed
August 26th, 2003, 19:07
I was curious about IMAP protocols:

What is the preferred software to use for IMAP?

Cyrus-ImapD
Courier-Imap
UWImap

Anyone have experiences with these?
Pros?
Cons?

I was just trying to gather some documentation...and experiences...

Tarballed

tarballed
August 27th, 2003, 19:33
Ok...making some good progress here.
Installed Cyrus-sasl-2.1.10 as well as postfix-2.0.14 on my server...

Just a couple quick questions:
I setup sasl to use PAM and created the necessary files.
I can send mail fine, but there are some messages in my mail logs that I am trying to find out what the problem is and how to fix it:

[code]
Aug 27 15:33:01 corpmail postfix/smtpd[2169]: connect from unknown[192.168.1.90]
Aug 27 15:33:01 corpmail postfix/smtpd[2169]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 27 15:33:01 corpmail postfix/smtpd[2169]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 27 15:33:01 corpmail postfix/smtpd[2169]: warning: SASL authentication failure: no secret in database
Aug 27 15:33:01 corpmail postfix/smtpd[2169]: warning: unknown[192.168.1.90]: SASL CRAM-MD5 authentication failed
Aug 27 15:33:02 corpmail postfix/smtpd[2169]: CAD84AB543: client=unknown[192.168.1.90]
Aug 27 15:33:02 corpmail postfix/cleanup[2171]: CAD84AB543: message-id=<5.2.1.1.0.20030827153213.00a41d38@pop.courtesymortgage.com>
Aug 27 15:33:02 corpmail postfix/smtpd[2169]: disconnect from unknown[192.168.1.90]
Aug 27 15:33:02 corpmail postfix/qmgr[2129]: CAD84AB543: from=<jwilliams@courtesymortgage.com>, size=610, nrcpt=1 (queue active)
Aug 27 15:33:03 corpmail postfix/smtp[2173]: CAD84AB543: to=<tarballed@yahoo.com>, relay=mx1.mail.yahoo.com[64.156.215.5], delay=1, status=sent (250 ok dirdel)
[/code]

I'm not sure why it is looking for /etc/sasldb2 when I'm not even using it. I specified in my smtpd.conf file: pwcheck_method: saslauthd

Also, before when I was testing, it was showing the client's name, but now it is showing 'unknown'. Any idea what that is as well?

Thanks guys.

Tarballed

soup4you2
August 27th, 2003, 19:52
you didn't compile postfix to support PCRE, SASL2, DB3, TLS

tarballed
August 28th, 2003, 20:46
Ok...I am not sure what I have done today, but something happened that I did not mean for it to happen and I'm not sure what I did....hehehe

sounds weird eh? read on...this is a good one

Ok...I rebuilt this damn red hat server...installed postfix, courier-imap.

I can send email fine...I WAS able to send myself a test message to my account on the server (by telnetting to port 25) and the message would be accepted for delivery (Maildir setup here)

So I'm cruising, thinking finally, I'm getting somewhere...
So I start working with postfix to start locking down stuff...access file, spam controls etc...then this funky thing happens

I fire up my Netscape client, configured for my server and IMAP...tail the mail log and send out a test message to my account...before, it would be accepted for local delivery...but what does it do:

[code]
Aug 28 16:43:48 corpmail postfix/smtpd[29172]: connect from corpmail[127.0.0.1]
Aug 28 16:43:57 corpmail postfix/smtpd[29172]: BA6F7AB544: client=corpmail[127.0.0.1]
Aug 28 16:44:06 corpmail postfix/cleanup[29174]: BA6F7AB544: message-id=<20030828234357.BA6F7AB544@corpmail.courtesymortgage.com>
Aug 28 16:44:06 corpmail postfix/qmgr[3494]: BA6F7AB544: from=<jwilliams@courtesymortgage.com>, size=400, nrcpt=1 (queue active)
Aug 28 16:44:06 corpmail postfix/smtp[29176]: BA6F7AB544: to=<jwilliams@courtesymortgage.com>, relay=www.courtesymortgage.com[209.126.174.148], delay=9, status=sent (250 2.0.0 h7SNimm22666 Message accepted for delivery)
Aug 28 16:44:09 corpmail postfix/smtpd[29172]: disconnect from corpmail[127.0.0.1]
[/code]

It relays through my freaking ISP server!!!
So instead of me getting the message through my netscape client, it comes to my KMAIL client...which is setup with my ISP!

OK!!!
First, what in the world caused it to do that? Why all of a sudden the change?

Secondly: In a way this is good. Because now I can setup my users to use our email server for outgoing purposes while I work on the rest of the server...

I'm so baffled right now...does anyone have any idea? I'll post a postconf -n output:

[code]
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
default_privs = nobody
empty_address_recipient = MAILER-DAEMON
home_mailbox = Maildir/
inet_interfaces = all
local_destination_concurrency_limit = 2
local_destination_recipient_limit = 300
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = $mydomain
masquerade_exceptions = root
message_size_limit = 35000000
mydestination = $myhostname, localhost.$mydomain
mydomain = courtesymortgage.com
myhostname = corpmail.courtesymortgage.com
mynetworks = 192.168.1.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
queue_minfree = 8000000
readme_directory = /etc/postfix/README_FILES
relay_domains = $mydestination
sample_directory = /etc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination, permit
smtpd_sender_restrictions = hash:/etc/postfix/access
unknown_local_recipient_reject_code = 450
[/code]

Any ideas?

Tarballed

elmore
August 28th, 2003, 21:09
go openbsd!!!! This will be much easier!

tarballed
August 28th, 2003, 21:17
I wish...at least I'm putting them on the *BSD track. :)

What the hell is up with that? Shouldn't it do a local delivery?

What am I missing?

Dammmm!

Tarballed

elmore
August 28th, 2003, 21:25
you had this working ok the other day, why did you change it?

Hrrrmmm..... Is this your external gateway?

tarballed
August 28th, 2003, 21:32
Think I figured it out...

Check this out:

mydestination = $myhostname, localhost.$mydomain

That's how it was set when I started having this funky azz problemo...

Now, with the good help of -vv logging :)

This is what it should be for local delivery...

mydestination = $myhostname, localhost.$mydomain, $mydomain

That fixed it...now it delivers local...

I'm out of work, man...I'm dog tired and need some beer.

Tarballed
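The local-versus-relay decision behind this fix, reproduced as an added example that is not code from the thread: Postfix delivers locally only when the recipient domain matches an entry of mydestination after $myhostname and $mydomain are expanded; anything else is sent to that domain's MX, and because the client sat in mynetworks, permit_mynetworks let the message leave the box. The function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Mimics how Postfix decides whether a
# recipient is local: its domain must match an entry in mydestination after
# $myhostname / $mydomain expansion. With the first mydestination from the
# postconf -n output above, courtesymortgage.com is not listed, so mail for
# it is resolved via MX and relayed off-box (here: through the ISP).
# Assumption: mydestination is comma/space separated, as postconf -n prints it.

# expand_mydestination <myhostname> <mydomain> <mydestination>
# Prints the expanded mydestination entries, one per line.
expand_mydestination() {
    host=$1; dom=$2; dest=$3
    hmac='$myhostname'; dmac='$mydomain'   # literal macro names
    for d in $(printf '%s' "$dest" | tr ',' ' '); do
        case $d in
            "$hmac")  d=$host ;;
            "$dmac")  d=$dom ;;
            *"$dmac") d=${d%"$dmac"}$dom ;;   # e.g. localhost.$mydomain
        esac
        printf '%s\n' "$d"
    done
}

# postfix_is_local <recipient> <myhostname> <mydomain> <mydestination>
# Returns 0 if the recipient's domain is a local destination, 1 if Postfix
# would relay it to the domain's MX instead.
postfix_is_local() {
    rdom=${1##*@}
    expand_mydestination "$2" "$3" "$4" | grep -qixF -- "$rdom"
}

# Demo with the values from this thread (constructed from the postconf -n
# output above): the broken mydestination and the fixed one.
HOST=corpmail.courtesymortgage.com
DOM=courtesymortgage.com
for dest in '$myhostname, localhost.$mydomain' \
            '$myhostname, localhost.$mydomain, $mydomain'; do
    if postfix_is_local "jwilliams@$DOM" "$HOST" "$DOM" "$dest"; then
        echo "mydestination = $dest  -> local delivery"
    else
        echo "mydestination = $dest  -> relayed via MX for $DOM"
    fi
done
```

Mail for your own domain showing up in the log with a relay= entry, as in the log above, is the quick sign that mydestination is incomplete.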

tarballed
August 28th, 2003, 21:41
yep...

that was it..just tested and verified...

Tarballed

BTW, I do have them really stirred up about *BSD...they want to put up a FreeBSD samba server in a test environment...how would openbsd do?