postfix SMTP authentication
Joined: 10 Aug 2009
Posts: 173

PostPosted: Wed Nov 24, 2010 1:38 am    Post subject: postfix SMTP authentication

Hi. Recently I have been trying to set up a new e-mail server (my first attempt) with postfix for SMTP and courier-imap. I can receive e-mail at the server just fine, and I can access it remotely with IMAP. However, I am having some issues with sending e-mail.

I can send e-mail just fine, but only if I use an anonymous SMTP login. For days I have been scouring the documentation and playing with the settings, but this does not change. This is problematic because I am not trying to set up a public SMTP server, but I only want a few authenticated people to be able to use it.

If I telnet in, the server tells me that authentication is not enabled: (I've "snipped" out identifying information.)

$ telnet [snip] 25
Trying [snip]...
Connected to [snip].
Escape character is '^]'.
220 [snip] ESMTP Postfix
EHLO [snip]
250-SIZE 10240000
250 DSN
503 5.5.1 Error: authentication not enabled

My config has changed a lot as I have played with it (making sure to use postfix reload, BTW), but here are the latest settings:

# postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = //usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.7.1/html
inet_interfaces = all
local_destination_concurrency_limit = 2
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myhostname = [snip]
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/readme
relayhost =
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,  permit_mynetworks,  reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/server.crt
smtpd_tls_key_file = /etc/postfix/server.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

Postfix is installed. Cyrus-sasl is installed. Here are other configs, though I'm not entirely clear on how important they are:

# cat /etc/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $

# cat /etc/pam.d/smtp
# File autogenerated by pamd_mimic in pam eclass

auth   include      system-auth
account   include      system-auth

Also, I am not sure if this is related or not, but another quirky behavior is that postfix won't let me use an outright TLS connection on port 465, as I thought this was supposed to be possible. To get TLS, my connections have to come in unencrypted on port 25 and then STARTTLS into encrypted mode.

# emerge --info postfix
Portage (default/linux/x86/10.0/server, gcc-4.4.4, glibc-2.11.2-r3, 2.6.34-gentoo-r6 i686)
                        System Settings
System uname: Linux-2.6.34-gentoo-r6-i686-Intel-R-_Celeron-R-_CPU_2.40GHz-with-gentoo-1.12.14
Timestamp of tree: Tue, 23 Nov 2010 05:00:01 +0000
app-shells/bash:     4.1_p7
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.65-r1
sys-devel/automake:  1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="acl berkdb bzip2 cli cracklib crypt cups cxx dri emacs fortran gdbm gpm iconv ipv6 mmx modules mudflap ncurses nls nptl nptlonly openmp pam pcre pppd readline session snmp sse sse2 ssl sysfs tcpd truetype unicode x86 xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

                        Package Settings

mail-mta/postfix-2.7.1 was built with the following:
USE="ipv6 pam sasl ssl -cdb -dovecot-sasl -hardened -ldap -mbox -mysql -nis -postgres (-selinux) -vda"
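One way to check what the server actually advertises, as an added example that is not part of the original post: with smtpd_tls_auth_only = yes Postfix only lists AUTH after STARTTLS, so a plain-text telnet EHLO will always be answered with "authentication not enabled". The script parses an EHLO reply, explains the result in terms of the settings shown above, and can probe a live server (hostnames and the sample replies are constructed; certificate verification stays on, pass cafile for a self-signed cert).

```python
import smtplib
import ssl
from typing import Optional, Set, Tuple


def parse_ehlo(reply: str) -> Set[str]:
    """Extension keywords (lower-case) from a raw multi-line 250 EHLO reply.
    The first 250 line carries the server's domain, not an extension (RFC 5321)."""
    exts = set()
    for n, line in enumerate(reply.strip().splitlines()):
        line = line.strip()
        if n == 0 or not line.startswith("250"):
            continue
        words = line[4:].split()
        if words:
            exts.add(words[0].lower())
    return exts


def diagnose(clear: Set[str], tls: Optional[Set[str]]) -> str:
    """Explain the EHLO result(s) in terms of the Postfix settings in the thread."""
    if "auth" in clear:
        return "auth-in-clear: AUTH is offered before STARTTLS; set smtpd_tls_auth_only = yes"
    if "starttls" not in clear:
        return ("no-starttls: STARTTLS is not advertised, so with smtpd_tls_auth_only = yes "
                "AUTH can never appear; check smtpd_tls_security_level and the cert/key files")
    if tls is None:
        return "tls-not-probed: STARTTLS is offered; AUTH is only visible after it"
    if "auth" in tls:
        return "ok: AUTH is advertised only inside TLS, as smtpd_tls_auth_only = yes intends"
    return ("no-auth-after-tls: TLS works but smtpd offers no AUTH; check smtpd_sasl_auth_enable, "
            "/etc/sasl2/smtpd.conf (pwcheck_method, mech_list) and that saslauthd is running")


def probe(host: str, port: int = 25, cafile: Optional[str] = None) -> Tuple[Set[str], Optional[Set[str]]]:
    """Live check: EHLO in clear, STARTTLS if offered, then EHLO again inside TLS."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        clear = set(s.esmtp_features)
        tls = None
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context(cafile=cafile))
            s.ehlo()  # smtplib clears esmtp_features after STARTTLS; ask again
            tls = set(s.esmtp_features)
    return clear, tls


# Constructed samples: the first has the shape of the thread's telnet capture.
SAMPLE_NO_TLS = "250-mail.example.test\r\n250-SIZE 10240000\r\n250 DSN\r\n"
SAMPLE_TLS_THEN_AUTH = "250-mail.example.test\r\n250-STARTTLS\r\n250 DSN\r\n"
SAMPLE_INSIDE_TLS = "250-mail.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 DSN\r\n"
```

Run `probe("your.mail.host")` from a client machine and feed the two result sets to `diagnose` to get the same classification for a real server.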
Joined: 24 Nov 2010
Posts: 212
Location: AU

PostPosted: Wed Nov 24, 2010 3:32 am

I'm not really sure, but in my config I set the username and password with:
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
/etc/postfix/saslpass has stuff like:
[mail.somedomain]:port username:password
where port is a number.
Anyway, you seem lucky that your ISP offers STARTTLS; mine does not, so I am forced to instead set it to:
localhost:5000 username:password
and then configure stunnel to listen on that port in order to establish the connection with SSL.
Joined: 29 Dec 2007
Posts: 208

PostPosted: Wed Nov 24, 2010 10:54 pm

I notice you didn't list it out; did you configure cyrus-sasl and turn the daemon on (rc-update add saslauthd default && /etc/init.d/saslauthd start)?

You should post up /etc/conf.d/saslauthd as well

edit: noticed some options you probably want turned on in postfix as well

smtpd_sasl2_auth_enable = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes

If you don't get it working, shoot me a PM (so I get an email notice) and I'll compare it to my working config when I get home, sounds like the setup you're trying to do is nearly identical to mine. (simple auth using PAM, with enforced encryption)
Joined: 21 Sep 2003
Posts: 686
Location: Winnipeg, Canada

PostPosted: Thu Nov 25, 2010 6:27 am

Considering you're working with a familiar configuration, you might find this Gentoo wiki guide very useful.
Compiling Gentoo since version 1.4
Thousands of Gentoo Installs Completed
Emerged on every continent but Antarctica
Compile long and Prosper!
