Email System For The Home Network - Version 2.1

[beowulf]

First let me appologize for taking so long to get back to you... things are hectic lately for me... sorry...

BlueEar

RE relay host: i didn't include it in my conf file... since sasl should determine where to send the email...

RE grep output: I gather you aren't using SSL (TLS)? When you compiled Cyrus-SASL, did your use flags have SSL in it? I'm not sure what side effects occur when sasl is compiled for SSL but not used... If on the other hand you intended to use SSL, then you're /etc/postfix/main.cf file is missing the appropriate lines... Depending on which way you're going (IE: No ssl), you may wish to try SSL hehe and get it working as it should, then work on taking SSL out of the picture...

--

taskara

Great that fcron is working
1 & 2: I believe the problems to be related...
Can you follow this code block, matching output with yours... except for username specific stuff..:

Code: Select all

root@server # sasl2dblistuser
beowulf@odin.beowulf.bounceme.net: cmusaslsecretOTP
beowulf@odin.beowulf.bounceme.net: userPassword
root@server # grep -v ^# /usr/lib/sasl2/smtpd.conf | grep pwcheck
pwcheck_method:sasldb
root@server # /etc/init.d/saslauthd status
 * status:  stopped
root@server # grep -v ^# /etc/postfix/saslpass
smtp.isp.some.server.com          isp_smtp_user:isp_smtp_pass
root@server # ls -l /etc/sasl2/sasldb2
-rw-------    1 postfix  root        12288 May 23 21:44 sasldb2
root@server # postfix check
root@server # grep -v ^# /etc/postfix/main.cf | grep smtp
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options =
root@server # 

Also, what error do you get when you send to your work email address?

3: What's not working with SSL? I appologize, as i know you're getting frustrated with this guide and me... but i need a bit more to go on... is authenticating with SSL not working? If that's the case, did you compile the software with the USE flag ssl? What errors are you getting? Still the same log error about socket not existing? Is it when sending an email over SSL it is failing? Are your ssl cert files in /etc/postfix world readable? Again, sorry... but just a touch more info would be most helpful in solving this re-occuring problem...

4: Yep... you need your SSL key generated by someone like Thawte, Verisign or one of those other people that charge $100 for a year... It's a home network so who really cares if your SSL cert isn't verified... but if you do, http://www.verisign.com & http://www.thawte.com

--

hope this helps... if not, post back and try to give as much detail as you can... hears to hoping the problems will be solved soon

[jcummins]

I had the same problem with CA.pl asking me for a passphrase as well. For some reason, executing the CA.pl script, the -nodes switch wasn't being used. Even after checking the CA.pl to make sure I added the switch in the correct places, it still didn't work. I bet this is the same problem taskara was having.

I noticed that on the HOWTO, it said to run the command:
./CA.pl -newca

however, the HOWTO says to add the -nodes switch in the -newcert area. So I ran ./CA.ok -newcert, and it didn't prompt me for the passphrase.

[jcummins]

I am having a slight problem with my setup. The setup and configuration went (semi) smoothly. I am able to connect to the gentoo box and get my IMAP mail. However, I am unable to send email. When I try, my e-mail client (Outlook Express) fails with this error:

Code: Select all

Unable to establish a SSL connection with the server. Account: '192.168.1.101', Server: '192.168.1.101', Protocol: SMTP, Server Response: '454 TLS not available due to temporary reason', Port: 25, Secure(SSL): Yes, Server Error: 454, Error Number: 0x800CCC7F

here is the output of /var/log/messages:

Code: Select all

Jul  1 09:26:25 drunkenmonkey imapd-ssl: Connection, ip=[192.168.1.100]
Jul  1 09:26:25 drunkenmonkey imapd-ssl: LOGIN, user=jcummins, ip=[192.168.1.100]
Jul  1 09:26:25 drunkenmonkey imapd-ssl: couriertls: read: Connection reset by peer
Jul  1 09:26:25 drunkenmonkey imapd-ssl: DISCONNECTED, user=jcummins, ip=[192.168.1.100], headers=0, body=0

Any Ideas?[/code]

[taskara]

I had this same problem..

in your /etc/postfix/main.cf file what do you have for relay_domains?

relay_domains = $mydestination

P.S - did you get squirrelmail working ?

[taskara]

First let me appologize for taking so long to get back to you... things are hectic lately for me... sorry...

--

taskara

Great that fcron is working
1 & 2: I believe the problems to be related...
Can you follow this code block, matching output with yours... except for username specific stuff..:

Code: Select all

root@server # sasl2dblistuser
beowulf@odin.beowulf.bounceme.net: cmusaslsecretOTP
beowulf@odin.beowulf.bounceme.net: userPassword
root@server # grep -v ^# /usr/lib/sasl2/smtpd.conf | grep pwcheck
pwcheck_method:sasldb
root@server # /etc/init.d/saslauthd status
 * status:  stopped
root@server # grep -v ^# /etc/postfix/saslpass
smtp.isp.some.server.com          isp_smtp_user:isp_smtp_pass
root@server # ls -l /etc/sasl2/sasldb2
-rw-------    1 postfix  root        12288 May 23 21:44 sasldb2
root@server # postfix check
root@server # grep -v ^# /etc/postfix/main.cf | grep smtp
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options =
root@server # 

Also, what error do you get when you send to your work email address?

3: What's not working with SSL? I appologize, as i know you're getting frustrated with this guide and me... but i need a bit more to go on... is authenticating with SSL not working? If that's the case, did you compile the software with the USE flag ssl? What errors are you getting? Still the same log error about socket not existing? Is it when sending an email over SSL it is failing? Are your ssl cert files in /etc/postfix world readable? Again, sorry... but just a touch more info would be most helpful in solving this re-occuring problem...

4: Yep... you need your SSL key generated by someone like Thawte, Verisign or one of those other people that charge $100 for a year... It's a home network so who really cares if your SSL cert isn't verified... but if you do, http://www.verisign.com & http://www.thawte.com

--

hope this helps... if not, post back and try to give as much detail as you can... hears to hoping the problems will be solved soon

MATE, no problems! I have been making leaps and bounds since I posted last.

I have fetchmail working well through fcron as local user (not root), I have courier imap working with ssl, I have squirrelmail working, I have postfix working (and sending to any address I want - the problem was in my main.cf, where I had

relay_domains = $mydomain

instead of

relay_domains = $mydestination

I think I have postfix working with ssl, here is the output of the port

Code: Select all

root@server / # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server.taskara.dyndns.org ESMTP Postfix
EHLO taskara.dyndns.org
250-server.taskara.dyndns.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-XVERP
250 8BITMIME

u can see 250-STARTTLS there.. I think that should mean it's running tls, but you can see there is NO refernce to AUTH

I guess the question is - will it still transmit emails withOUT ssl? I assumed it wasn't working, because I could send an email withOUT ssl

SO the only thing that I don't have working now is Authentication on my mail server. atm anyone can send out an email

ahh here is the output of everything you requested

Code: Select all

root@server chris # sasldblistusers2
chris@server.taskara.dyndns.org: cmusaslsecretOTP
chris@server.taskara.dyndns.org: userPassword
root@server chris # grep -v ^# /usr/lib/sasl2/smtpd.conf | grep pwcheck
pwcheck_method: sasldb
root@server chris # /etc/init.d/saslauthd status
 * status:  stopped
root@server chris # grep -v ^# /etc/postfix/saslpass
mail.internode.on.net :
root@server chris # ls -l /etc/sasl2/sasldb2
-rw-------    1 postfix  root        12288 Jun 25 22:32 /etc/sasl2/sasldb2
root@server chris # postfix check
root@server chris # grep -v ^# /etc/postfix/main.cf | grep smtp
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
root@server chris #

I think everything is the same as yours, except that my isp does not require auth to send email

so I don't know why auth isn't working.. any other ideas?

cheers!

Chris

[taskara]

some developments:

I ran some tests and here are the results.

I CAN send email:
WITH auth only
withOUT auth
withOUT auth and with SSL

I could NOT send email:
with auth and with ssl

but I COULD send emails:
with auth and ssl with secure password.


so what I would like is to ONLY be able to send an email with auth ssl and secure password.

so that if ANYONE tries to send an email with out auth or without ssl, then it is rejected.

that's the plan

thanks guys, any thoughts?

[usingloser]

sasl says that there isnt a secret in my database, any help?

[Proteus]

Did you delete the existing saslsb file before you tried to follow the steps in the guide?

[usingloser]

yes, i deleted the database before i created a new one by adding a new user

[Proteus]

Can you please retry that specific section of the guide and post any errors. Normally this should work flawlessly. We need more info to be able to help you.

[tekM]

Ok,

First off.....GREAT GUIDE.

I got everything going with one exception. Im useing postfix, sasl, tls, impa_ssl squirrelmail, kmail etc. Im not relaying to my isp and just want secure password require over tls smtp services. Imap over SSL works flawlessly...squirrelmail isalso flawless.

My problem is with Kmail sending to my new smtp service. I tell it to use authentication and under security I tell it to use TLS and Digest-md5.....first time around cert popped up and i accepted and said continue etc. then delivery fails saying this:

Sending failed:
Authentication failed.
Most likely the password is wrong.
The server responded: "Error: authentication failed "

Ive re-run through step 3.3 in the guide 4 times now....making sure to delete sasldb2 each time of course. No matter what I do I keep getting that "Authentication failed" When Ive got authentication and TLS selected.

Here is what does work. Authentication with None for encryption and no authentication with none for encryption. Which is bad cause I only want smtp to work when its athenticated to. Ive also telnet into my server and did an EHLO example.com followed by a starttls......that worked and server responded tls ready or somthing to that effect.

Here is a copy of my main.cf. Any help would be enormously appreciated:

command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
inet_interfaces = $myhostname, localhost
mydestination = $myhostname, localhost.$mydomain, $mydomain
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
home_mailbox = .maildir/
relay_domains = $mydestination
mynetworks = 192.168.2.0/24,127.0.0.0/8

smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/newreq.pem
smtpd_tls_cert_file = /etc/postfix/ssl/newcert.pem
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains

[taskara]

Sending failed:
Authentication failed.
Most likely the password is wrong.
The server responded: "Error: authentication failed "

Ive re-run through step 3.3 in the guide 4 times now....making sure to delete sasldb2 each time of course. No matter what I do I keep getting that "Authentication failed" When Ive got authentication and TLS selected.

Here is what does work. Authentication with None for encryption and no authentication with none for encryption. Which is bad cause I only want smtp to work when its athenticated to. Ive also telnet into my server and did an EHLO example.com followed by a starttls......that worked and server responded tls ready or somthing to that effect.

hey.. I have the same problem, where by u can send withOUT auth

the problem u have should be able to be resolved if you use secure password authentication... it did for me anyway.

as u can see from my post above, sending withOUT auth works (which I dont' want it to) sending WITH auth works, sending WITH tsl and NO auth works, sending WITH tsl and WITH auth FAILS, but sending WITH tsl and WITH auth through secure password authentication WORKS.

bizaare..

[tekM]

Ok....Ive got an update. After clearing my head and thinking about it for a second, Im realizing that I can send outgoing smtp from Kmail unauthenticated simply because Im on $mynetworks...duh for me . So that leaves the TLS issue + auth issue. Here is where Im at:

SMTP with NO auth and NO tls works because of $mynetworks
SMTP WITH auth and NO tls works
SMTP WITH auth and WITH tls does NOT work ("Error: Authentication Failed")

The last one seems to be my only problem here. In the main.cf the command "smtpd_tls_auth_only = yes" should force postfix to only allow smtp auth to occur once a good tls has been established. TLS works.....SASL auth works....but they wont play together for some reason. Im not sure where its failing.

[tekM]

Ok, a little bit more info for anyone with any ideas.

SMTP with NO auth and NO tls works because of $mynetworks
SMTP WITH auth and NO tls works
SMTP with NO auth and WITH tls works

all good

SMTP WITH auth and WITH tls set to PLAIN fails with "Server doesnt allow PLAIN" (IS THIS THE PROBLEM??)

SMTP WITH auth and WITH tls set to LOGIN, CRAM-MD5, or DIGEST-MD5 all fail with "Authentication failed"

[Proteus]

smtp_sasl_password_maps = hash:/etc/postfix/saslpass

Maybe that's what is missing? Seems that postfix doesn't know where to lookup the saslpasses...

Also, this line:

smtp_use_tls = yes

ist not included in my conf. Seems that it is not required.

Maybe you just want to use

smtpd_use_tls=yes

(it's in your conf already)

[taskara]

hmm I have that there in my main.cf... any other ideas?

maybe some others can test this to see if their machines are working properly.

[Proteus]

It just seems to be the case that tekM has it not included. Maybe it's helpfull for him.
Sorry that it does not apply to you, taskara.

(And apologies to tekM if this does not help him, too...)

[taskara]

gr00vy

[Quint]

I've followed the guide to a T, but I get this error when starting postfix

root@linux eric # /etc/init.d/postfix start
* Could not get dependency info for "postfix"!
* Could not get dependency info for "postfix"!
* Starting postfix... [ ok

I'm not sure what I did wrong, All help appreciated

thanks in advance
eric

[BlueEar]

Beowulf, you were right, I did not enable TLS. Mostly, because my /etc/ssl/openssl.cnf does not have the lines you mention (the one ending in _default). I see commonName, but no commonName_default. Here is the grep result:

Code: Select all

# fgrep _default /etc/ssl/openssl.cnf
default_ca      = CA_default            # The default ca section
[ CA_default ]
countryName_default             = AU
stateOrProvinceName_default     = Some-State
0.organizationName_default      = Internet Widgits Pty Ltd
#1.organizationName_default     = World Wide Web Pty Ltd
#organizationalUnitName_default =

I am using openssl-0.9.6i-r2:

Code: Select all

 # emerge -s openssl 
Searching...
[ Results for search key : openssl ]
[ Applications found : 5 ]
  
*  dev-libs/openssl
      Latest version available: 0.9.6i-r2
      Latest version installed: 0.9.6i-r2

I take it, something must have changed between different versions. So unless you have a quick fix, I need to wait with TLS support until I read through openssl documentation ...

[beowulf]

jcummins

Do you by chance have Norton Antivirus running on the box that has Outlook Express? Or perhaps another antivirus that is scanning outgoing mail? What happens if you disable scanning outgoing mail and try sending again?

taskara

Sending without auth works: Try changing this line in your main.cf and see if it solves it:

Code: Select all

smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains

So what you did was get rid of the condition that allows any host in mynetworks to send email.... I should've mentioned this earlier... never even enterd my head before tekM mentioned it...

Sending with TLS and no Auth: See above

Sending with tls and Auth fails: I assume you mean authenticating in a plain manner does not work? IE: using PLAIN as the auth method? It shouldn't work like that... Your email client should send the password as CRAM-MD5 i believe...

tekM

Proteus wrote what i would've... how'd it work out with that change?

Thanks proteus

Quint

Hmm... something may be wrong with your init file? Here's what mine looks like, and perhaps you can check yours to see if ours differ:

Code: Select all

depend() {
        need net
        use logger dns
        provide mta
}

PIDFILE=/var/spool/postfix/pid/master.pid

start() {
        ebegin "Starting postfix"
        /usr/sbin/postfix start &>/dev/null
        eend $?
}

stop() {
        ebegin "Stopping postfix"
        /usr/sbin/postfix stop &>/dev/null
        eend $?
}

Other than that, I'm not sure what would cause that issue... If the problem is not that file, it's one of the dependancies that aren't reporting correctly...

BlueEar

Hmm... things might have changed... Perhaps you could add the necessary lines? Maybe that'll work?

Code: Select all

default_ca      = CA_default            # The default ca section
[ CA_default ]
countryName_default             = CA 
stateOrProvinceName_default     = Province
localityName_default            = City
0.organizationName_default      = Beowulf Inc. 
#1.organizationName_default     = World Wide Web Pty Ltd
#organizationalUnitName_default =
commonName_default              = Beowulf
emailAddress_default            = root@localhost

I've updated my Openssl, but config_protect kept my older conf file... Maybe you could try adding those lines and then generating it?

--

Hope all this helps... sorry for taking so long again... i will try to be more prompt in my responses...

[tekM]

smtp_sasl_password_maps = hash:/etc/postfix/saslpass

I thought that was only for relaying to an external isp etc.??? Is that hash etc required if you just want a standalone smtp server? In the guide, when you created saslpass you put your isp domain, user, and pass. If Im doing a standalone setup, what should I put in there?

Also, I cant get external hosts to authenticate via sasl (using outlook express). So, my guess is that Ive definately got a sasl issue. The server is denying them the relay though thankfully.

Thanks

[beowulf]

smtp_sasl_password_maps = hash:/etc/postfix/saslpass

I thought that was only for relaying to an external isp etc.??? Is that hash etc required if you just want a standalone smtp server? In the guide, when you created saslpass you put your isp domain, user, and pass. If Im doing a standalone setup, what should I put in there?

Also, I cant get external hosts to authenticate via sasl (using outlook express). So, my guess is that Ive definately got a sasl issue. The server is denying them the relay though thankfully.

Thanks

In section 3.3 of the postfix section, we created a file which holds the authentication information that a client would use to connect to the smtp server. This information is used when you want to send email.... Here's how it works:

Outlook -> sasldb2 [3.3] -> Postfix -> saslpass[3.2] -> Internet SMTP server -> Internet

Now, if you're doing a standalone server... where you want to skip the Internet SMTP server... IE:
Outlook -> sasldb2 [3.3] -> Postfix -> Internet
...Then i don't really know... I don't have a name server running, don't have mx records, so i could never test this out...

[taskara]

taskara

Sending without auth works: Try changing this line in your main.cf and see if it solves it:

Code: Select all

smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains

So what you did was get rid of the condition that allows any host in mynetworks to send email.... I should've mentioned this earlier... never even enterd my head before tekM mentioned it...

Sending with TLS and no Auth: See above

Sending with tls and Auth fails: I assume you mean authenticating in a plain manner does not work? IE: using PLAIN as the auth method? It shouldn't work like that... Your email client should send the password as CRAM-MD5 i believe...

I changed that file in my main.cf but it made no difference.

I can still send emails through my mail server without auth (even from my machine at work). I can also still send an email with Auth (and NO tsl). I can send an email with tsl (and NO auth).

I basically want to make sure people NEED auth or it won't send. At the moment it is sort of the opposite!

could you do me a favour, telnet to port 25 on your mail server and type

Code: Select all

EHLO [servername]

and post the results? I would like to compare them to mine

here is an example from my server

root@server chris # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server.taskara.dyndns.org ESMTP Postfix
250 EHLO taskara.dyndns.org
250-server.taskara.dyndns.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-XVERP
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
root@server chris #

thanks!

[tekM]

Ive been doing a bunch more research, and it seems that all I need to do is have sasl working in PLAIN auth mode. Which should be ok since Im using TLS. This makes sense because if I tell KMail to use PLAIN + TLS for smtp auth it fails telling me that PLAIN is not supported on my smtp server. So basically I have to figure out how to add/turn on PLAIN support.

Anyone have any ideas on this?