LinuxQuestions.org
11-21-2004, 05:40 PM   #1
superhausi
LQ Newbie
 
Registered: Jul 2004
Posts: 4

Rep: Reputation: 0
[Postfix/SMTPD] Getting no AUTH from server; open relay


Hi all

I was searching the web for some hours on this problem now, but it seems that I'm just overlooking something really stupid...

I have a postfix server running on my server, which should be configured to need AUTH. When I telnet to my server, I just get the following:
Code:
hawk root # telnet localhost 25
Trying 127.0.0.1...
Connected to hawk.patriar.ch.
Escape character is '^]'.
220 hawk.patriar.ch ESMTP Postfix
EHLO localhost
250-hawk.patriar.ch
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
^]
telnet> quit
Connection closed.
hawk root #

The problem is that I get no 250-AUTH PLAIN LOGIN, thus being an open relay. I checked my configuration against about 10 guides on the net which configure Postfix to use AUTH and TLS, but got only TLS working.

I really just don't see any problem in my configuration, so I thought I'd just post here and maybe someone can help me...

Software in use:
Kernel: 2.6.9-gentoo-r4
Postfix: 2.1.5-r1
Cyrus-SASL: 2.1.20

And now for my config files:
/etc/postfix/main.cf
Code:
#Directories
queue_directory = /var/spool/postfix
program_directory = /usr/lib/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
home_mailbox = .maildir/

#General Settings
mail_owner = postfix
default_privs = nobody
notify_classes = resource, software, bounce, policy

#Network settings
myhostname = hawk.patriar.ch
mydomain = patriar.ch
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, $mydomain, localhost.$mydomain
relayhost = firefist.ch
mynetworks = 192.168.2.0/24, 127.0.0.0/8

#Mail settings
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
#home_mailbox = .maildir/
mailbox_command = /usr/bin/procmail -Y -a $DOMAIN
#relay_domains = $mydestination, /etc/postfix/relay-domains
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10

#SMTP Settings (sasl)
#smtpd_sasl_auth_enable = yes
#smtpd_sasl2_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#broken_sasl_auth_clients = yes
#smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

#SMTP Settings (TLS)
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes

#SMTP Settings (Misc)
smtpd_soft_error_limit = 3
smtpd_soft_error_limit = 12
smtpd_recipient_limit = 16
smtpd_helo_required = yes
#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, check_relay_domains
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
smtpd_client_restrictions = reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org, reject_rbl_client relays.ordb.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org, reject_rbl_client cbl.abuseat.org

#Misc settings
debug_peer_level = 5
#debugger_command = /usr/bin/strace -p $process_id -o /tmp/smtpd.$process_id & sleep 5

/etc/postfix/master.cf
Code:
#==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -v
#submission inet n      -       n       -       -       smtpd
#	-o smtpd_etrn_restrictions=reject
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

/etc/sasl2/smtpd.conf (Symlinked to /var/lib/sasl2/smtpd.conf)
Code:
log_level: 5
pwcheck_method: saslauthd
mech_list: plain login

My log shows nothing really interesting:
Code:
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: mynetworks ~? debug_peer_list
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: mynetworks ~? fast_flush_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: mynetworks ~? mynetworks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? debug_peer_list
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? fast_flush_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? mynetworks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? permit_mx_backup_networks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? qmqpd_authorized_clients
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? relay_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: permit_mx_backup_networks ~? debug_peer_list
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: permit_mx_backup_networks ~? fast_flush_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: permit_mx_backup_networks ~? mynetworks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: connect to subsystem private/proxymap
Nov 21 23:27:24 hawk postfix/smtpd[8912]: send attr request = open
Nov 21 23:27:24 hawk postfix/smtpd[8912]: send attr table = unix:passwd.byname
Nov 21 23:27:24 hawk postfix/smtpd[8912]: send attr flags = 64
Nov 21 23:27:24 hawk postfix/smtpd[8912]: private/proxymap socket: wanted attribute: status
Nov 21 23:27:24 hawk postfix/smtpd[8912]: input attribute name: status
Nov 21 23:27:24 hawk postfix/smtpd[8912]: input attribute value: 0
Nov 21 23:27:24 hawk postfix/smtpd[8912]: private/proxymap socket: wanted attribute: flags
Nov 21 23:27:24 hawk postfix/smtpd[8912]: input attribute name: flags
Nov 21 23:27:24 hawk postfix/smtpd[8912]: input attribute value: 80
Nov 21 23:27:24 hawk postfix/smtpd[8912]: private/proxymap socket: wanted attribute: (list terminator)
Nov 21 23:27:24 hawk postfix/smtpd[8912]: input attribute name: (end)
Nov 21 23:27:24 hawk postfix/smtpd[8912]: dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=0120
Nov 21 23:27:24 hawk postfix/smtpd[8912]: dict_open: proxy:unix:passwd.byname
Nov 21 23:27:24 hawk postfix/smtpd[8912]: dict_open: hash:/etc/postfix/aliases
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? debug_peer_list
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? fast_flush_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? mynetworks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? permit_mx_backup_networks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? qmqpd_authorized_clients
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? relay_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: smtpd_access_maps ~? smtpd_access_maps
Nov 21 23:27:24 hawk postfix/smtpd[8912]: warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
Nov 21 23:27:24 hawk postfix/smtpd[8912]: starting TLS engine
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: fast_flush_domains ~? debug_peer_list
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: fast_flush_domains ~? fast_flush_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: watchdog_create: 0x80a7468 18000
Nov 21 23:27:24 hawk postfix/smtpd[8912]: watchdog_stop: 0x80a7468
Nov 21 23:27:24 hawk postfix/smtpd[8912]: watchdog_start: 0x80a7468
Nov 21 23:27:24 hawk postfix/smtpd[8912]: connection established
Nov 21 23:27:24 hawk postfix/smtpd[8912]: master_notify: status 0
Nov 21 23:27:24 hawk postfix/smtpd[8912]: name_mask: resource
Nov 21 23:27:24 hawk postfix/smtpd[8912]: name_mask: software
Nov 21 23:27:24 hawk postfix/smtpd[8912]: name_mask: bounce
Nov 21 23:27:24 hawk postfix/smtpd[8912]: name_mask: policy
Nov 21 23:27:24 hawk postfix/smtpd[8912]: connect from hawk.patriar.ch[127.0.0.1]
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_list_match: hawk.patriar.ch: no match
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_list_match: 127.0.0.1: no match
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_list_match: hawk.patriar.ch: no match
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_list_match: 127.0.0.1: no match
Nov 21 23:27:24 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 220 hawk.patriar.ch ESMTP Postfix
Nov 21 23:27:24 hawk postfix/smtpd[8912]: watchdog_pat: 0x80a7468
Nov 21 23:27:32 hawk postfix/smtpd[8912]: < hawk.patriar.ch[127.0.0.1]: EHLO localhost
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-hawk.patriar.ch
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-PIPELINING
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-SIZE 10240000
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-VRFY
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-ETRN
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250-STARTTLS
Nov 21 23:27:32 hawk postfix/smtpd[8912]: match_list_match: hawk.patriar.ch: no match
Nov 21 23:27:32 hawk postfix/smtpd[8912]: match_list_match: 127.0.0.1: no match
Nov 21 23:27:32 hawk postfix/smtpd[8912]: > hawk.patriar.ch[127.0.0.1]: 250 8BITMIME
Nov 21 23:27:32 hawk postfix/smtpd[8912]: watchdog_pat: 0x80a7468
Nov 21 23:27:35 hawk postfix/smtpd[8912]: smtp_get: EOF
Nov 21 23:27:35 hawk postfix/smtpd[8912]: lost connection after EHLO from hawk.patriar.ch[127.0.0.1]
Nov 21 23:27:35 hawk postfix/smtpd[8912]: disconnect from hawk.patriar.ch[127.0.0.1]
Nov 21 23:27:35 hawk postfix/smtpd[8912]: master_notify: status 1
Nov 21 23:27:35 hawk postfix/smtpd[8912]: connection closed
Nov 21 23:27:35 hawk postfix/smtpd[8912]: watchdog_stop: 0x80a7468
Nov 21 23:27:35 hawk postfix/smtpd[8912]: watchdog_start: 0x80a7468
Nov 21 23:29:04 hawk postfix/smtpd[8912]: proxymap stream disconnect
Nov 21 23:29:04 hawk postfix/smtpd[8912]: watchdog_stop: 0x80a7468
Nov 21 23:29:04 hawk postfix/smtpd[8912]: watchdog_start: 0x80a7468
Nov 21 23:29:15 hawk postfix/smtpd[8912]: idle timeout -- exiting

Thanks to anyone trying to help... I just don't get it any more...

[Edit]
- Taken out the comments in master.cf (too much space for nothing valuable)

P.S: Whenever I have a commented out line in my main.cf, I tried both of them...
[/Edit]

Last edited by superhausi; 11-21-2004 at 05:44 PM.
 
11-22-2004, 12:00 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Just because you don't have SMTP auth enabled doesn't mean you're an open relay. You don't have any relay policies specified, so it just falls back to default. Just look at your log file:
Quote:
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? debug_peer_list
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? fast_flush_domains
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? mynetworks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? permit_mx_backup_networks
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? qmqpd_authorized_clients
Nov 21 23:27:24 hawk postfix/smtpd[8912]: match_string: relay_domains ~? relay_domains

As to why AUTH isn't available, look at your log again:
Quote:
Nov 21 23:27:24 hawk postfix/smtpd[8912]: warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
You either need to install a package that has SASL2 support compiled in, or you need to download the source yourself and build it from scratch.
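
The diagnosis from the reply above, as an added shell example that is not part of the original posts: it checks an EHLO reply for AUTH, then looks for the "SASL support is not compiled in" warning in the smtpd log, then for an active smtpd_tls_auth_only = yes, which would hide AUTH until after STARTTLS. The function names and verdict strings are hypothetical, and the sample inputs are constructed from lines quoted in the thread.

```shell
#!/bin/sh
# Added example. Inputs are constructed from lines quoted in the thread.
EHLO_SAMPLE='250-hawk.patriar.ch
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME'
LOG_SAMPLE='postfix/smtpd[8912]: warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
postfix/smtpd[8912]: starting TLS engine'
MAINCF_SAMPLE='smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes'

# True if the EHLO reply on stdin advertises AUTH, in either the standard
# "250-AUTH ..." form or the "250-AUTH=..." form that
# broken_sasl_auth_clients = yes adds.
ehlo_offers_auth() {
    tr -d '\r' | grep -Eq '^250[- ]AUTH([ =]|$)'
}

# True if the smtpd log on stdin says the binary was built without SASL.
log_reports_no_sasl() {
    grep -Fq 'SASL support is not compiled in'
}

# True if main.cf text on stdin has an uncommented smtpd_tls_auth_only = yes.
# Simplification: only looks at lines starting in column one, no overrides.
auth_requires_tls() {
    grep -Eq '^smtpd_tls_auth_only[[:space:]]*=[[:space:]]*yes'
}

# diagnose_auth EHLO_TEXT LOG_TEXT MAINCF_TEXT -> prints one verdict
diagnose_auth() {
    if printf '%s\n' "$1" | ehlo_offers_auth; then
        echo auth-offered
    elif printf '%s\n' "$2" | log_reports_no_sasl; then
        echo sasl-not-compiled-in
    elif printf '%s\n' "$3" | auth_requires_tls; then
        echo retest-after-starttls
    else
        echo auth-missing-other-cause
    fi
}

diagnose_auth "$EHLO_SAMPLE" "$LOG_SAMPLE" "$MAINCF_SAMPLE"
```

On a live system, feed the functions the real EHLO reply, the smtpd log and main.cf instead of the embedded samples.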
 
11-19-2008, 06:37 PM   #3
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 546

Rep: Reputation: 30
[Postfix/SMTPD] Getting no AUTH from server; open relay

Have you commented out tlsmgr in master.cf on purpose?
 
  

