I have Postfix up and working perfectly. It receives and sends email fine with no TLS and SASL, but I installed Dovecot and then generated some self-signed certificates using 'openssl', and for some reason I can't send from my IMAP server. I get this in my logs:
Code:
Mar 3 11:20:45 mail dovecot: imap-login: Login: user=<carlos>, method=PLAIN, rip=10.1.1.204, lip=192.168.0.200, TLS
Mar 3 11:21:20 mail postfix/smtpd[1386]: connect from tuna.mydomain.tld[10.1.1.204]
Mar 3 11:21:20 mail postfix/smtpd[1386]: setting up TLS connection from tuna.mydomain.tld[10.1.1.204]
Mar 3 11:21:20 mail postfix/smtpd[1386]: SSL_accept error from tuna.mydomain.tld[10.1.1.204]: 0
Mar 3 11:21:20 mail postfix/smtpd[1386]: warning: TLS library problem: 1386:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1061:SSL alert number 48:
Mar 3 11:21:20 mail postfix/smtpd[1386]: lost connection after STARTTLS from tuna.mydomain.tld[10.1.1.204]
Mar 3 11:21:20 mail postfix/smtpd[1386]: disconnect from tuna.mydomain.tld[10.1.1.204]
Does anyone know what could be causing this issue? I don't show any other errors in my logs, but I am watching them over and over. Postfix receives mail perfectly and I can send in plain text with no TLS enabled. Below is my output of 'postconf -n':
The error you are showing is a Postfix error - yet (assuming the domain info is correct in the output of postconf) there is no problem connecting in with TLS to your server - try it yourself:
Yes, all the domain info is correct in my Postfix configuration. Everything was working perfectly as far as receiving email and sending in plain text, but since I enabled the TLS & SASL entries in my main.cf and dovecot.conf, I can't send email and errors are visible in the log!
I am getting the following in my mail logs and it's flooding them...
Code:
Mar 3 11:42:29 mail postfix/smtp[1409]: fatal: specify a password table via the `smtp_sasl_password_maps' configuration parameter
Mar 3 11:42:30 mail postfix/master[1146]: warning: process /usr/lib/postfix/smtp pid 1409 exit status 1
Mar 3 11:42:30 mail postfix/master[1146]: warning: /usr/lib/postfix/smtp: bad command startup -- throttling
I basically can't send email from my Thunderbird client when I configure SMTP and IMAP to use TLS.
Forget about IMAP for a moment - that is just for reading mail on a remote IMAP server - you cannot send mail by IMAP. That's the job of SMTP.
TLS is just about encryption - not authentication. I've been able to connect to your Postfix using STARTTLS with no problem, so you don't appear to have an issue there.
It is, from memory, one of two things (or both). First, check you don't have a key that needs a passphrase - it's a common error when people generate their own using the CA.pl script. Before you do that, however, check the port. Dovecot uses 993 or 995 for IMAPS (which is what you have).
Either change the port in your client (don't forget the firewall) or try this from the cli:
Quote:
openssl s_client -connect yourip:993
OR
openssl s_client -connect yourip:995
(if you are blocking these ports do it from the server itself and use openssl s_client -connect 127.0.0.1:993 for a quick check)
OK I think I know the problem. My keys do require a pass-phrase when I generated them via 'openssl'. Should I delete them and regenerate the keys and force it not to generate a passphrase?
Generating the keys with openssl is usually OK. It's when you use the CA.pl script that there is an issue. You would probably know if you used that. I'm not sure you did, as Postfix can't cope with keys like that, and I can already STARTTLS to your server. I think it's nothing more than the port -or- your Dovecot is not looking in the right place for the key/cert.
Before doing anything, try this on the command line of the server running Dovecot:
Quote:
openssl s_client -connect 127.0.0.1:993
If you see lots of stuff, including your certificate whizz by, just change the port. If you see an error then that will need to be investigated.
OK I removed the passphrase from my certificate using this link and following 'step 3'.
I then went back into my main.cf on Postfix and only turned on the TLS configurations. I disabled the SASL stuff for now and I have no errors at all in my logs. My problem is that when I turn on SASL in Postfix, it then complains about:
Code:
Mar 3 13:23:56 mail postfix/master[1146]: warning: process /usr/lib/postfix/smtp pid 1720 exit status 1
Mar 3 13:23:56 mail postfix/master[1146]: warning: /usr/lib/postfix/smtp: bad command startup -- throttling
Mar 3 13:24:56 mail postfix/smtp[1722]: fatal: specify a password table via the `smtp_sasl_password_maps' configuration parameter
Mar 3 13:24:57 mail postfix/master[1146]: warning: process /usr/lib/postfix/smtp pid 1722 exit status 1
Mar 3 13:24:57 mail postfix/master[1146]: warning: /usr/lib/postfix/smtp: bad command startup -- throttling
Now with SASL enabled in Postfix, I don't understand what I am doing wrong or why it's complaining as you see in the logs up above...
I had to comment out all SASL sections in main.cf in order for this to work with only TLS.
This uses a simple setup, 'talking' to Dovecot via a socket called 'auth' which should be found in /var/spool/postfix/private/
This is set up to match inside the dovecot.conf file {ignore my MySQL parts}:
Quote:
auth default {
  mechanisms = plain login
  passdb sql {
    # Path for SQL configuration file
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb sql {
    # Path for SQL configuration file
    args = /etc/dovecot/dovecot-sql.conf
  }
  socket listen {
    client {
      # Socket 'auth' under the Postfix queue directory, so a chrooted smtpd can reach it
      path = /var/spool/postfix/private/auth
      #yours should point to: /var/run/dovecot/auth-client
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
I note you have: smtpd_sasl_path = /var/run/dovecot/auth-client so I guess your dovecot.conf matches that? Given that the Postfix smtpd process drops to a chroot (if your master.cf tells it to) be sure that it can actually reach '/var/run/dovecot/auth-client' when you run it.
To help with your fault finding, if you can log in to Dovecot (by pop or imap) then you know the authentication works. You just need to find out why your Postfix can't 'talk' to it.
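The two failure modes discussed in this thread (the `postfix/smtp` fatal about `smtp_sasl_password_maps`, and an `smtpd_sasl_path` that a chrooted smtpd cannot reach) can be checked mechanically. The script below is an added diagnostic, not code from the thread or from Postfix; the main.cf/master.cf samples it writes are constructed to mirror the settings quoted above, and the two file paths are assumed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): lint a Postfix main.cf / master.cf
# pair for the two misconfigurations discussed above. Sample files are
# constructed inline; point the functions at real files to check a server.

# Report if main.cf enables *client* SASL (smtp_, used when relaying through a
# smarthost) without smtp_sasl_password_maps. That is exactly the condition
# under which postfix/smtp aborts with "specify a password table via the
# `smtp_sasl_password_maps' configuration parameter". Authenticating your own
# mail clients is configured with the smtpd_ parameters instead.
check_client_sasl() {  # $1 = main.cf
    enable=$(sed -n 's/^[[:space:]]*smtp_sasl_auth_enable[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    maps=$(sed -n 's/^[[:space:]]*smtp_sasl_password_maps[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    if [ "$enable" = "yes" ] && [ -z "$maps" ]; then
        echo "smtp_sasl_auth_enable=yes but no smtp_sasl_password_maps (client-side SASL, probably unintended)"
    else
        echo "ok"
    fi
}

# Chroot column ("y", "n" or "-" = default) of the smtpd service bound to the
# inet smtp port. Before Postfix 3.0 the default is chrooted; from 3.0 it is not.
smtpd_chroot_flag() {  # $1 = master.cf
    awk '$1 == "smtp" && $2 == "inet" && $8 == "smtpd" { print $5; exit }' "$1"
}

# Where smtpd will really open smtpd_sasl_path. Postfix daemons start in
# queue_directory, so a relative path lands there whether or not smtpd is
# chrooted; an absolute path is taken literally only when the flag is "n",
# otherwise the chroot prepends queue_directory to it.
effective_sasl_path() {  # $1 = queue_directory  $2 = smtpd_sasl_path  $3 = chroot flag
    case "$2" in
        /*) if [ "$3" = "n" ]; then echo "$2"; else echo "$1$2"; fi ;;
        *)  echo "$1/$2" ;;
    esac
}

# Constructed sample mirroring the thread: the absolute Dovecot socket path
# from the poster's postconf, a chrooted smtpd, and client SASL switched on
# without a password table (which reproduces the log error quoted above).
tmp=$(mktemp -d)
printf 'queue_directory = /var/spool/postfix\nsmtpd_sasl_auth_enable = yes\nsmtp_sasl_auth_enable = yes\nsmtpd_sasl_path = /var/run/dovecot/auth-client\n' > "$tmp/main.cf"
printf 'smtp      inet  n       -       y       -       -       smtpd\n' > "$tmp/master.cf"
echo "client SASL: $(check_client_sasl "$tmp/main.cf")"
flag=$(smtpd_chroot_flag "$tmp/master.cf")
echo "smtpd chroot flag: $flag"
echo "auth socket smtpd will open: $(effective_sasl_path /var/spool/postfix /var/run/dovecot/auth-client "$flag")"
rm -rf "$tmp"
```

With the sample above the socket resolves to /var/spool/postfix/var/run/dovecot/auth-client, which does not exist, whereas a relative `private/auth` resolves under the queue directory either way.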
Now I checked, and I do have a /var/run/dovecot/auth-client file which is owned by postfix:postfix as you can see below:
Code:
[root@mail private]# cd /var/run/dovecot/
[root@mail dovecot]# ls -l
total 8
srw-rw---- 1 postfix postfix 0 Mar 3 13:13 auth-client
srw------- 1 root root 0 Mar 3 13:13 auth-worker.1677
srwxrwxrwx 1 root root 0 Mar 3 13:13 dict-server
lrwxrwxrwx 1 root root 25 Mar 3 13:13 dovecot.conf -> /etc/dovecot/dovecot.conf
drwxr-x--- 2 root dovecot 4096 Mar 3 13:13 login
-rw------- 1 root root 5 Mar 3 13:13 master.pid
So now I guess I am wondering what I should do? Should I simply un-comment all the SASL stuff I showed you above in main.cf and adjust my 'dovecot.conf' file?
I *think* {==guess} your issue is going to be related to where Postfix can look for the socket. I suspect it cannot reach '/var/run/dovecot/auth-client'.
I would suggest setting your dovecot.conf to this:
I guess I need to test SASL and make sure it's actually working (I will Google this). I just wanted to say again thank you extremely for your time and assistance! Super helpful!!!