LinuxQuestions.org


superhausi 11-21-2004 05:40 PM

[Postfix/SMTPD] Getting no AUTH from server; open relay
 
Hi all

I have been searching the web for some hours on this problem now, but it seems that I'm just overlooking something really stupid... :(

I have a Postfix server running on my machine, which should be configured to require AUTH. When I telnet to my server, I just get the following:
Code:

hawk root # telnet localhost 25
Trying 127.0.0.1...
Connected to hawk.patriar.ch.
Escape character is '^]'.
220 hawk.patriar.ch ESMTP Postfix
EHLO localhost
250-hawk.patriar.ch
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
^]
telnet> quit
Connection closed.
hawk root #

The problem is that I get no 250-AUTH PLAIN LOGIN, and so I'm an open relay. I checked my configuration against about 10 guides on the net which configure Postfix to use AUTH and TLS, but got only TLS working.

I really just don't see any problem in my configuration, so I thought I'd just post here and maybe someone can help me...

Software in use:
Kernel: 2.6.9-gentoo-r4
Postfix: 2.1.5-r1
Cyrus-SASL: 2.1.20

And now for my config files:
/etc/postfix/main.cf
Code:

#Directories
queue_directory = /var/spool/postfix
program_directory = /usr/lib/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
home_mailbox = .maildir/

#General Settings
mail_owner = postfix
default_privs = nobody
notify_classes = resource, software, bounce, policy

#Network settings
myhostname = hawk.patriar.ch
mydomain = patriar.ch
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, $mydomain, localhost.$mydomain
relayhost = firefist.ch
mynetworks = 192.168.2.0/24, 127.0.0.0/8

#Mail settings
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
#home_mailbox = .maildir/
mailbox_command = /usr/bin/procmail -Y -a $DOMAIN
#relay_domains = $mydestination, /etc/postfix/relay-domains
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10

#SMTP Settings (sasl)
#smtpd_sasl_auth_enable = yes
#smtpd_sasl2_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#broken_sasl_auth_clients = yes
#smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

#SMTP Settings (TLS)
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes

#SMTP Settings (Misc)
smtpd_soft_error_limit = 3
smtpd_soft_error_limit = 12
smtpd_recipient_limit = 16
smtpd_helo_required = yes
#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, check_relay_domains
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
smtpd_client_restrictions = reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org, reject_rbl_client relays.ordb.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org, reject_rbl_client cbl.abuseat.org

#Misc settings
debug_peer_level = 5
#debugger_command = /usr/bin/strace -p $process_id -o /tmp/smtpd.$process_id & sleep 5

/etc/postfix/master.cf
Code:

#==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#              (yes)  (yes)  (yes)  (never) (100)
# ==========================================================================
smtp      inet  n      -      n      -      -      smtpd -v
#submission inet n      -      n      -      -      smtpd
#        -o smtpd_etrn_restrictions=reject
#smtps    inet  n      -      n      -      -      smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission  inet    n      -      n      -      -      smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n      -      n      -      -      qmqpd
pickup    fifo  n      -      n      60      1      pickup
cleanup  unix  n      -      n      -      0      cleanup
qmgr      fifo  n      -      n      300    1      qmgr
#qmgr    fifo  n      -      n      300    1      oqmgr
#tlsmgr  fifo  -      -      n      300    1      tlsmgr
rewrite  unix  -      -      n      -      -      trivial-rewrite
bounce    unix  -      -      n      -      0      bounce
defer    unix  -      -      n      -      0      bounce
trace    unix  -      -      n      -      0      bounce
verify    unix  -      -      n      -      1      verify
flush    unix  n      -      n      1000?  0      flush
proxymap  unix  -      -      n      -      -      proxymap
smtp      unix  -      -      n      -      -      smtp
relay    unix  -      -      n      -      -      smtp
#      -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq    unix  n      -      n      -      -      showq
error    unix  -      -      n      -      -      error
local    unix  -      n      n      -      -      local
virtual  unix  -      n      n      -      -      virtual
lmtp      unix  -      -      n      -      -      lmtp
anvil    unix  -      -      n      -      1      anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -      n      n      -      -      pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -      n      n      -      -      pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus    unix  -      n      n      -      -      pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -      n      n      -      -      pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -      n      n      -      -      pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp    unix  -      n      n      -      -      pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

/etc/sasl2/smtpd.conf (Symlinked to /var/lib/sasl2/smtpd.conf)
Code:

log_level: 5
pwcheck_method: saslauthd
mech_list: plain login

My log shows nothing really interesting:
Code:

Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: mynetworks ~? debug_peer_list
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: mynetworks ~? fast_flush_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: mynetworks ~? mynetworks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? debug_peer_list
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? fast_flush_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? mynetworks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? permit_mx_backup_networks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? qmqpd_authorized_clients
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? relay_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: permit_mx_backup_networks ~? debug_peer_list
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: permit_mx_backup_networks ~? fast_flush_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: permit_mx_backup_networks ~? mynetworks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: connect to subsystem private/proxymap
Nov 21 23:27:24 hawk postfix/smtpd[8912]: send attr request = open
Nov 21 23:27:24 hawk postfix/smtpd[8912]: send attr table = unix:passwd.byname
Nov 21 23:27:24 hawk postfix/smtpd[8912]: send attr flags = 64
Nov 21 23:27:24 hawk postfix/smtpd[8912]: private/proxymap socket: wanted attribute: status
Nov 21 23:27:24 hawk postfix/smtpd[8912]: input attribute name: status
Nov 21 23:27:24 hawk postfix/smtpd[8912]: input attribute value: 0
Nov 21 23:27:24 hawk postfix/smtpd[8912]: private/proxymap socket: wanted attribute: flags
Nov 21 23:27:24 hawk postfix/smtpd[8912]: input attribute name: flags
Nov 21 23:27:24 hawk postfix/smtpd[8912]: input attribute value: 80
Nov 21 23:27:24 hawk postfix/smtpd[8912]: private/proxymap socket: wanted attribute: (list terminator)
Nov 21 23:27:24 hawk postfix/smtpd[8912]: input attribute name: (end)
Nov 21 23:27:24 hawk postfix/smtpd[8912]: dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=0120
Nov 21 23:27:24 hawk postfix/smtpd[8912]: dict_open: proxy:unix:passwd.byname
Nov 21 23:27:24 hawk postfix/smtpd[8912]: dict_open: hash:/etc/postfix/aliases
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? debug_peer_list
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? fast_flush_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? mynetworks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? permit_mx_backup_networks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? qmqpd_authorized_clients
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? relay_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? smtpd_access_maps
Nov 21 23:27:24 hawk postfix/smtpd[8912]: warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
Nov 21 23:27:24 hawk postfix/smtpd[8912]: starting TLS engine
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: fast_flush_domains ~? debug_peer_list
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: fast_flush_domains ~? fast_flush_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: watchdog_create: 0x80a7468 18000
Nov 21 23:27:24 hawk postfix/smtpd[8912]: watchdog_stop: 0x80a7468
Nov 21 23:27:24 hawk postfix/smtpd[8912]: watchdog_start: 0x80a7468
Nov 21 23:27:24 hawk postfix/smtpd[8912]: connection established
Nov 21 23:27:24 hawk postfix/smtpd[8912]: master_notify: status 0
Nov 21 23:27:24 hawk postfix/smtpd[8912]: name_mask: resource
Nov 21 23:27:24 hawk postfix/smtpd[8912]: name_mask: software
Nov 21 23:27:24 hawk postfix/smtpd[8912]: name_mask: bounce
Nov 21 23:27:24 hawk postfix/smtpd[8912]: name_mask: policy
Nov 21 23:27:24 hawk postfix/smtpd[8912]: connect from hawk.patriar.ch[127.0.0.1]
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_list_match: hawk.patriar.ch: no match
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_list_match: 127.0.0.1: no match
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_list_match: hawk.patriar.ch: no match
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_list_match: 127.0.0.1: no match
Nov 21 23:27:24 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 220 hawk.patriar.ch ESMTP Postfix
Nov 21 23:27:24 hawk postfix/smtpd[8912]: watchdog_pat: 0x80a7468
Nov 21 23:27:32 hawk postfix/smtpd[8912]: < hawk.patriar.ch[127.0.0.1]: EHLO localhost
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-hawk.patriar.ch
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-PIPELINING
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-SIZE 10240000
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-VRFY
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-ETRN
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-STARTTLS
Nov 21 23:27:32 hawk postfix/smtpd[8912]: match_list_match: hawk.patriar.ch: no match
Nov 21 23:27:32 hawk postfix/smtpd[8912]: match_list_match: 127.0.0.1: no match
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250 8BITMIME
Nov 21 23:27:32 hawk postfix/smtpd[8912]: watchdog_pat: 0x80a7468
Nov 21 23:27:35 hawk postfix/smtpd[8912]: smtp_get: EOF
Nov 21 23:27:35 hawk postfix/smtpd[8912]: lost connection after EHLO from hawk.patriar.ch[127.0.0.1]
Nov 21 23:27:35 hawk postfix/smtpd[8912]: disconnect from hawk.patriar.ch[127.0.0.1]
Nov 21 23:27:35 hawk postfix/smtpd[8912]: master_notify: status 1
Nov 21 23:27:35 hawk postfix/smtpd[8912]: connection closed
Nov 21 23:27:35 hawk postfix/smtpd[8912]: watchdog_stop: 0x80a7468
Nov 21 23:27:35 hawk postfix/smtpd[8912]: watchdog_start: 0x80a7468
Nov 21 23:29:04 hawk postfix/smtpd[8912]: proxymap stream disconnect
Nov 21 23:29:04 hawk postfix/smtpd[8912]: watchdog_stop: 0x80a7468
Nov 21 23:29:04 hawk postfix/smtpd[8912]: watchdog_start: 0x80a7468
Nov 21 23:29:15 hawk postfix/smtpd[8912]: idle timeout -- exiting

Thanks to anyone trying to help... I just don't get it any more... :(

[Edit]
- Took out the comments in master.cf (too much space for nothing valuable)

P.S.: Whenever I have a commented-out line in my main.cf, I tried both variants...
[/Edit]

chort 11-22-2004 12:00 AM

Just because you don't have SMTP auth enabled doesn't mean you're an open relay. You don't have any relay policies specified, so it just falls back to default. Just look at your log file:
Quote:

Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? debug_peer_list
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? fast_flush_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? mynetworks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? permit_mx_backup_networks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? qmqpd_authorized_clients
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? relay_domains
As to why AUTH isn't available, look at your log again:
Quote:

Nov 21 23:27:24 hawk postfix/smtpd[8912]: warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
You either need to install a package that has SASL2 support compiled in, or you need to download the source yourself and build it from scratch.
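The two things this thread turns on, the relay policy in smtpd_recipient_restrictions and the "SASL support is not compiled in" warning, can both be checked mechanically rather than by eye. The following script is an added example, not code from the thread or from the Postfix project: it parses a main.cf fragment (constructed here to mirror the one posted above, including Postfix's continuation-line and last-value-wins rules), reports whether unauthenticated relaying is blocked and whether permit_sasl_authenticated is ordered so that authenticated clients can actually relay, and scans smtpd log lines (constructed from the ones posted above) for the SASL warning and for the extensions the server advertised in its EHLO reply. The function names and the verdict strings are my own.

```python
import re

# Constructed sample mirroring the relevant keys of the main.cf posted in the thread.
SAMPLE_MAIN_CF = """\
#SMTP Settings (sasl)
#smtpd_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
mynetworks = 192.168.2.0/24, 127.0.0.0/8
#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
#    reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,
    check_relay_domains
"""

# Constructed sample log lines, taken from the smtpd -v output posted in the thread.
SAMPLE_LOG = """\
Nov 21 23:27:24 hawk postfix/smtpd[8912]: warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
Nov 21 23:27:24 hawk postfix/smtpd[8912]: starting TLS engine
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-hawk.patriar.ch
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-PIPELINING
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-STARTTLS
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250 8BITMIME
"""

# Restrictions that stop relaying for clients that are neither in mynetworks nor
# authenticated; check_relay_domains is the deprecated predecessor of
# reject_unauth_destination.
RELAY_GUARDS = ('reject_unauth_destination', 'check_relay_domains')

SASL_MISSING = re.compile(r'warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in')
# Outbound EHLO reply lines logged by smtpd -v: "> client: 250-KEYWORD ..." / "250 KEYWORD"
EHLO_LINE = re.compile(r'smtpd\[\d+\]: > \S+: 250[- ](\S+)')


def parse_main_cf(text):
    """Parse main.cf: lines whose first non-blank character is '#' are comments,
    a line starting with whitespace continues the previous value, and when a
    parameter is set more than once the last assignment wins."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and current is not None:
            params[current] = (params[current] + ' ' + raw.strip()).strip()
            continue
        key, sep, value = raw.partition('=')
        if not sep:
            continue
        current = key.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [tok for tok in re.split(r'[,\s]+', value) if tok]


def audit_relay_policy(params):
    """Decide whether unauthenticated relaying is blocked and whether SASL auth
    is requested, and list ordering problems in the recipient restrictions."""
    restrictions = split_list(params.get('smtpd_recipient_restrictions', ''))
    guard = next((r for r in restrictions if r in RELAY_GUARDS), None)
    findings = []
    if guard is None:
        findings.append('no relay guard in smtpd_recipient_restrictions: add reject_unauth_destination')
    elif guard == 'check_relay_domains':
        findings.append('check_relay_domains is deprecated; prefer reject_unauth_destination')
    if guard and 'permit_sasl_authenticated' in restrictions:
        # Restrictions are evaluated in order: a reject placed before the permit wins.
        if restrictions.index('permit_sasl_authenticated') > restrictions.index(guard):
            findings.append('permit_sasl_authenticated is listed after the relay guard, '
                            'so authenticated clients cannot relay')
    sasl_requested = params.get('smtpd_sasl_auth_enable', 'no').lower() == 'yes'
    return {'relay_guarded': guard is not None, 'guard': guard,
            'sasl_requested': sasl_requested, 'findings': findings}


def audit_log(text):
    """Detect the 'SASL not compiled in' warning and collect the ESMTP
    extensions the server advertised in its EHLO reply."""
    sasl_missing = False
    advertised = []
    for line in text.splitlines():
        if SASL_MISSING.search(line):
            sasl_missing = True
        m = EHLO_LINE.search(line)
        if m:
            advertised.append(m.group(1))
    return {'sasl_missing': sasl_missing, 'advertised': advertised,
            'auth_advertised': 'AUTH' in advertised,
            'starttls_advertised': 'STARTTLS' in advertised}


def diagnose(main_cf_text, log_text):
    """Combine config and log evidence into a short verdict list."""
    cfg = audit_relay_policy(parse_main_cf(main_cf_text))
    log = audit_log(log_text)
    verdict = []
    if cfg['sasl_requested'] and log['sasl_missing']:
        verdict.append('AUTH not offered because this smtpd binary lacks SASL support; '
                       'reinstall or rebuild Postfix with SASL, config changes alone will not help')
    elif cfg['sasl_requested'] and not log['auth_advertised']:
        verdict.append('AUTH requested but not advertised; check the SASL configuration and logs')
    verdict.append('relaying for unauthenticated clients is %s'
                   % ('blocked' if cfg['relay_guarded'] else 'NOT blocked'))
    return {'config': cfg, 'log': log, 'verdict': verdict}


if __name__ == '__main__':
    for line in diagnose(SAMPLE_MAIN_CF, SAMPLE_LOG)['verdict']:
        print(line)
```

Run against the constructed samples, the verdict is that AUTH is missing because the binary lacks SASL support while relaying is still blocked by check_relay_domains, which is exactly the reply's reading of the log. One caveat when using the EHLO check on a real server: with smtpd_tls_auth_only = yes Postfix deliberately withholds AUTH until after STARTTLS, so a plaintext EHLO showing no AUTH is not by itself evidence that SASL is broken.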

gabsik 11-19-2008 06:37 PM

Have you commented out tlsmgr in master.cf on purpose?

